From 6e41f4dd916293f35d7d35cea7eed1807d7ea771 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 29 Apr 2020 23:10:22 +0200 Subject: man: document the newly acquired cryptsetup features --- man/crypttab.xml | 42 ++++++++++++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 14 deletions(-) (limited to 'man/crypttab.xml') diff --git a/man/crypttab.xml b/man/crypttab.xml index 9b6fffd154..3942fe67f9 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml @@ -41,7 +41,7 @@ character are ignored. Each of the remaining lines describes one encrypted block device. Fields are delimited by white space. - Each line is in the formname encrypted-device password options + Each line is in the formvolume-name encrypted-device key-file options The first two fields are mandatory, the remaining two are optional. 
@@ -53,24 +53,20 @@ it is opened as a LUKS device; otherwise, it is assumed to be in raw dm-crypt (plain mode) format. - The first field contains the name of the resulting encrypted - block device; the device is set up within - /dev/mapper/. + The first field contains the name of the resulting encrypted volume; its block device is set up + below /dev/mapper/. The second field contains a path to the underlying block device or file, or a specification of a block device via UUID= followed by the UUID. - The third field specifies the encryption password. If the - field is not present or the password is set to - none or -, the password has - to be manually entered during system boot. Otherwise, the field is - interpreted as an absolute path to a file containing the encryption - password. For swap encryption, /dev/urandom - or the hardware device /dev/hw_random can be - used as the password file; using /dev/random - may prevent boot completion if the system does not have enough - entropy to generate a truly random encryption key. + The third field specifies an absolute path to a file to read the encryption key from. If the field + is not present or set to none or -, a key file named after the + volume to unlock (i.e. the first column of the line), suffixed with .key is + automatically loaded from the /etc/cryptsetup-keys.d/ and + /run/cryptsetup-keys.d/ directories, if present. Otherwise, the password has to be + manually entered during system boot. For swap encryption, /dev/urandom may be used + as key file. The fourth field, if present, is a comma-delimited list of options. The following options are recognized: 
@@ -138,6 +134,15 @@ size is then given by the key size. + + + + If enabled, the specified key file is erased after the volume is activated or when + activation fails. This is in particular useful when the key file is only acquired transiently before + activation (e.g. via a file in /run/, generated by a service running before + activation), and shall be removed after use. Defaults to off. + + @@ -431,6 +436,15 @@ before it is used to unlock the LUKS volume. + + + + Takes a boolean argument. If enabled, right before asking the user for a password it + is first attempted to unlock the volume with an empty password. This is useful for systems that are + initialized with an encrypted volume with only an empty password set, which shall be replaced with a + suitable password during first boot, but after activation. + + -- cgit v1.2.1
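Review bot: the synopsis in the first hunk now reads "volume-name encrypted-device key-file options", but the surrounding text still mixes "key file" and "password" for the third field (the rewritten field description below it says "key file", the new option near the end of the patch says "password"); use "key file" for the field itself and reserve "password" for the passphrase entered interactively at boot, so readers do not take them for two different fields.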
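Review bot: the rewritten third-field text in the second hunk says a key file named after the volume with a .key suffix is loaded from /etc/cryptsetup-keys.d/ and /run/cryptsetup-keys.d/ "if present", but does not say what happens when both directories contain a file of that name; document the search order, and, since these files are now picked up without being named in the table, the ownership and mode they are expected to have (readable by root only). The removed paragraph also carried the caveat that /dev/random may prevent boot completion when entropy is short; if that is dropped deliberately because only /dev/urandom is recommended now, one sentence saying so would keep readers of older setups from looking for the explanation.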
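Review bot: the option added in the third hunk says the key file "is erased" but not whether that means the file is unlinked or its contents are overwritten before removal, nor whether erasure also applies to a key file found automatically in /etc/cryptsetup-keys.d/ or /run/cryptsetup-keys.d/ rather than one named in the third field, or to a device such as /dev/urandom given as key file; state all three. For consistency with the other option added in this patch, open with "Takes a boolean argument." instead of only "If enabled", so the accepted argument form is documented.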
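Review bot: "right before asking the user for a password it is first attempted to unlock the volume with an empty password" in the last hunk leaves open whether the empty-password attempt also happens when a configured key file fails, or only on the interactive path; state which. The closing sentence ("which shall be replaced with a suitable password during first boot, but after activation") is hard to parse; suggest "for systems provisioned with an encrypted volume that has only an empty password set, to be replaced by a real password during first boot, after the volume has been activated." Adding that the volume offers no protection until that replacement happens, and that the option should be removed from the line once it has, would give readers the caveat they need.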