/etc/crypttab

From NovaOrdis Knowledge Base
Revision as of 09:53, 24 December 2018 by Ovidiu (talk | contribs) (→‎Internal)

Internal

Overview

/etc/crypttab describes encrypted block devices that are set up during system boot. Empty lines and lines starting with the "#" character are ignored. Each of the remaining lines describes one encrypted block device, with fields delimited by white space. The first two fields are mandatory; the remaining two are optional.

The first field contains the name under which the encrypted device will be exposed in /dev/mapper. The second field contains the path to the underlying block device or file, or a specification of a block device with "UUID=...". The third field contains the encryption password. If the field is not present or the password is set to "none" or "-", the password has to be manually entered during system boot. Otherwise, the field is interpreted as an absolute path to a file containing the encryption password. The fourth field, if present, is a comma-delimited list of options. Interesting options:

  • timeout= specifies the timeout for querying for a password. If no unit is specified, seconds is implied. Supported units are s, ms, us, min, h, d. A timeout of 0 waits indefinitely. The default is about 10 seconds to start typing. The timeout is not honored if the encrypted filesystem is supposed to be mounted at boot and systemd takes over. For a solution to this problem, see /etc/fstab: /dev/mapper/cr_myprivate /myprivate xfs nofail,x-systemd.device-timeout=15 0 2.

More details about options can be obtained with:

man crypttab

Example

#
# /etc/crypttab example
#

rackstationb /dev/sdb - timeout=0
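
The field rules described above, applied as a small crypttab reviewer. This is an added example, not part of the original page or of systemd; the function names, the cr_data and cr_tmp entries and the wording of the review notes are assumptions, and timeout values are limited to a single number with one unit.

```python
import re

# Units the page lists for timeout=; a bare number means seconds.
UNITS = {"us": 1e-6, "ms": 1e-3, "s": 1, "min": 60, "h": 3600, "d": 86400}

def parse_timeout(value):
    """Return the timeout in seconds; 0 means wait indefinitely."""
    m = re.fullmatch(r"(\d+)(us|ms|s|min|h|d)?", value)
    if m is None:
        raise ValueError(f"bad timeout value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_crypttab(text):
    """Parse crypttab text into entries, each carrying review notes."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # empty lines and comment lines are ignored
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: name and device are mandatory")
        key = fields[2] if len(fields) > 2 else "none"
        keyfile = None if key in ("none", "-") else key  # None: typed at boot
        raw = fields[3].split(",") if len(fields) > 3 else []
        options = dict(opt.partition("=")[::2] for opt in raw)  # "k=v" -> k: v
        notes = []  # review hints added by this example
        if keyfile and not keyfile.startswith("/"):
            notes.append("key file path is not absolute")
        elif keyfile:
            notes.append("key file on disk: confirm only root can read it")
        if "timeout" in options:
            options["timeout"] = parse_timeout(options["timeout"])
            if options["timeout"] == 0 and keyfile is None:
                notes.append("timeout=0: boot waits indefinitely for the password")
        entries.append({"name": fields[0], "device": fields[1],
                        "keyfile": keyfile, "options": options, "notes": notes})
    return entries

# Constructed sample: the page's entry plus two hypothetical ones.
SAMPLE = """\
# /etc/crypttab example

rackstationb /dev/sdb - timeout=0
cr_data UUID=00000000-0000-0000-0000-000000000000 /root/keys/cr_data.key timeout=2min
cr_tmp /dev/sdc keys/tmp.key
"""
if __name__ == "__main__":
    for entry in parse_crypttab(SAMPLE):
        print(entry)
```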