The following options may be used in the fourth field of each
line:
cipher=
Specifies the cipher to use. See cryptsetup(8) for possible
values and the default value of this option. A cipher with
unpredictable IV values, such as "aes-cbc-essiv:sha256", is
recommended. Embedded commas in the cipher specification need
to be escaped by preceding them with a backslash, see example
below.
discard
Allow discard requests to be passed through the encrypted
block device. This improves performance on SSD storage but
has security implications.
hash=
Specifies the hash to use for password hashing. See
cryptsetup(8) for possible values and the default value of
this option.
header=
Use a detached (separated) metadata device or file where the
LUKS header is stored. This option is only relevant for LUKS
devices. See cryptsetup(8) for possible values and the
default value of this option.
Optionally, the path may be followed by ":" and an /etc/fstab
device specification (e.g. starting with "UUID=" or similar);
in which case, the path is relative to the device file system
root. The device gets mounted automatically for LUKS device
activation duration only.
keyfile-offset=
Specifies the number of bytes to skip at the start of the key
file. See cryptsetup(8) for possible values and the default
value of this option.
keyfile-size=
Specifies the maximum number of bytes to read from the key
file. See cryptsetup(8) for possible values and the default
value of this option. This option is ignored in plain
encryption mode, as the key file size is then given by the
key size.
keyfile-erase
If enabled, the specified key file is erased after the volume
is activated or when activation fails. This is in particular
useful when the key file is only acquired transiently before
activation (e.g. via a file in /run/, generated by a service
running before activation), and shall be removed after use.
Defaults to off.
key-slot=
Specifies the key slot to compare the passphrase or key
against. If the key slot does not match the given passphrase
or key, but another would, the setup of the device will fail
regardless. This option implies luks. See cryptsetup(8) for
possible values. The default is to try all key slots in
sequential order.
keyfile-timeout=
Specifies the timeout for the device on which the key file
resides and falls back to a password if it could not be
mounted. See systemd-cryptsetup-generator(8) for key files on
external devices.
luks
Force LUKS mode. When this mode is used, the following
options are ignored since they are provided by the LUKS
header on the device: cipher=, hash=, size=.
bitlk
Decrypt BitLocker drive. Encryption parameters are deduced by
cryptsetup from BitLocker header.
_netdev
Marks this cryptsetup device as requiring network. It will be
started after the network is available, similarly to
systemd.mount(5) units marked with _netdev. The service unit
to set up this device will be ordered between
remote-fs-pre.target and remote-cryptsetup.target, instead of
cryptsetup-pre.target and cryptsetup.target.
Hint: if this device is used for a mount point that is
specified in fstab(5), the _netdev option should also be used
for the mount point. Otherwise, a dependency loop might be
created where the mount point will be pulled in by
local-fs.target, while the service to configure the network
is usually only started after the local file system has been
mounted.
noauto
This device will not be added to cryptsetup.target. This
means that it will not be automatically unlocked on boot,
unless something else pulls it in. In particular, if the
device is used for a mount point, it'll be unlocked
automatically during boot, unless the mount point itself is
also disabled with noauto.
nofail
This device will not be a hard dependency of
cryptsetup.target. It'll still be pulled in and started, but
the system will not wait for the device to show up and be
unlocked, and boot will not fail if this is unsuccessful.
Note that other units that depend on the unlocked device may
still fail. In particular, if the device is used for a mount
point, the mount point itself also needs to have the nofail
option, or the boot will fail if the device is not unlocked
successfully.
offset=
Start offset in the backend device, in 512-byte sectors. This
option is only relevant for plain devices.
plain
Force plain encryption mode.
read-only, readonly
Set up the encrypted block device in read-only mode.
same-cpu-crypt
Perform encryption using the same CPU that IO was submitted
on. The default is to use an unbound workqueue so that
encryption work is automatically balanced between available
CPUs.
This requires kernel 4.0 or newer.
submit-from-crypt-cpus
Disable offloading writes to a separate thread after
encryption. There are some situations where offloading write
requests from the encryption threads to a dedicated thread
degrades performance significantly. The default is to offload
write requests to a dedicated thread because it benefits the
CFQ scheduler to have writes submitted using the same
context.
This requires kernel 4.0 or newer.
no-read-workqueue
Bypass dm-crypt internal workqueue and process read requests
synchronously. The default is to queue these requests and
process them asynchronously.
This requires kernel 5.9 or newer.
no-write-workqueue
Bypass dm-crypt internal workqueue and process write requests
synchronously. The default is to queue these requests and
process them asynchronously.
This requires kernel 5.9 or newer.
skip=
How many 512-byte sectors of the encrypted data to skip at
the beginning. This is different from the offset= option with
respect to the sector numbers used in initialization vector
(IV) calculation. Using offset= will shift the IV calculation
by the same negative amount. Hence, if offset=n is given,
sector n will get a sector number of 0 for the IV
calculation. Using skip= causes sector n to also be the first
sector of the mapped device, but with its number for IV
generation being n.
This option is only relevant for plain devices.
size=
Specifies the key size in bits. See cryptsetup(8) for
possible values and the default value of this option.
sector-size=
Specifies the sector size in bytes. See cryptsetup(8) for
possible values and the default value of this option.
swap
The encrypted block device will be used as a swap device, and
will be formatted accordingly after setting up the encrypted
block device, with mkswap(8). This option implies plain.
WARNING: Using the swap option will destroy the contents of
the named partition during every boot, so make sure the
underlying block device is specified correctly.
tcrypt
Use TrueCrypt encryption mode. When this mode is used, the
following options are ignored since they are provided by the
TrueCrypt header on the device or do not apply: cipher=,
hash=, keyfile-offset=, keyfile-size=, size=.
When this mode is used, the passphrase is read from the key
file given in the third field. Only the first line of this
file is read, excluding the new line character.
Note that the TrueCrypt format uses both passphrase and key
files to derive a password for the volume. Therefore, the
passphrase and all key files need to be provided. Use
tcrypt-keyfile= to provide the absolute path to all key
files. When using an empty passphrase in combination with one
or more key files, use "/dev/null" as the password file in
the third field.
tcrypt-hidden
Use the hidden TrueCrypt volume. This option implies tcrypt.
This will map the hidden volume that is inside of the volume
provided in the second field. Please note that there is no
protection for the hidden volume if the outer volume is
mounted instead. See cryptsetup(8) for more information on
this limitation.
tcrypt-keyfile=
Specifies the absolute path to a key file to use for a
TrueCrypt volume. This implies tcrypt and can be used more
than once to provide several key files.
See the entry for tcrypt on the behavior of the passphrase
and key files when using TrueCrypt encryption mode.
tcrypt-system
Use TrueCrypt in system encryption mode. This option implies
tcrypt.
tcrypt-veracrypt
Check for a VeraCrypt volume. VeraCrypt is a fork of
TrueCrypt that is mostly compatible, but uses different,
stronger key derivation algorithms that cannot be detected
without this flag. Enabling this option could substantially
slow down unlocking, because VeraCrypt's key derivation takes
much longer than TrueCrypt's. This option implies tcrypt.
timeout=
Specifies the timeout for querying for a password. If no unit
is specified, seconds is used. Supported units are s, ms, us,
min, h, d. A timeout of 0 waits indefinitely (which is the
default).
tmp=
The encrypted block device will be prepared for using it as
/tmp/; it will be formatted using mkfs(8). Takes a file
system type as argument, such as "ext4", "xfs" or "btrfs". If
no argument is specified defaults to "ext4". This option
implies plain.
WARNING: Using the tmp option will destroy the contents of
the named partition during every boot, so make sure the
underlying block device is specified correctly.
tries=
Specifies the maximum number of times the user is queried for
a password. The default is 3. If set to 0, the user is
queried for a password indefinitely.
headless=
Takes a boolean argument, defaults to false. If true, never
query interactively for the password/PIN. Useful for headless
systems.
verify
If the encryption password is read from console, it has to be
entered twice to prevent typos.
password-echo=yes|no|masked
Controls whether to echo passwords or security token PINs
that are read from console. Takes a boolean or the special
string "masked". The default is password-echo=masked.
If enabled, the typed characters are echoed literally. If
disabled, the typed characters are not echoed in any form,
the user will not get feedback on their input. If set to
"masked", an asterisk ("*") is echoed for each character
typed. Regardless of which mode is chosen, if the user hits
the tabulator key ("↹") at any time, or the backspace key
("⌫") before any other data has been entered, then echo is
turned off.
pkcs11-uri=
Takes either the special value "auto" or an RFC7512 PKCS#11
URI
If specified as "auto" the volume must be of type LUKS2 and
must carry PKCS#11 security token metadata in its LUKS2 JSON
token section. In this mode the URI and the encrypted key are
automatically read from the LUKS2 JSON token header. Use
systemd-cryptenroll(1) as simple tool for enrolling PKCS#11
security tokens or smartcards in a way compatible with
"auto". In this mode the third column of the line should
remain empty (that is, specified as "-").
The specified URI can refer directly to a private RSA key
stored on a token or alternatively just to a slot or token,
in which case a search for a suitable private RSA key will be
performed. In this case if multiple suitable objects are
found the token is refused. The encrypted key configured in
the third column of the line is passed as is (i.e. in binary
form, unprocessed) to RSA decryption. The resulting decrypted
key is then Base64 encoded before it is used to unlock the
LUKS volume.
Use systemd-cryptenroll --pkcs11-token-uri=list to list all
suitable PKCS#11 security tokens currently plugged in, along
with their URIs.
Note that many newer security tokens that may be used as
PKCS#11 security token typically also implement the newer and
simpler FIDO2 standard. Consider using fido2-device=
(described below) to enroll it via FIDO2 instead. Note that a
security token enrolled via PKCS#11 cannot be used to unlock
the volume via FIDO2, unless also enrolled via FIDO2, and
vice versa.
fido2-device=
Takes either the special value "auto" or the path to a
"hidraw" device node (e.g. /dev/hidraw1) referring to a
FIDO2 security token that implements the "hmac-secret"
extension (most current hardware security tokens do). See
below for an example how to set up this mechanism for
unlocking an encrypted volume with a FIDO2 security token.
If specified as "auto" the FIDO2 token device is
automatically discovered, as it is plugged in.
FIDO2 volume unlocking requires a client ID hash (CID) to be
configured via fido2-cid= (see below) and a key to pass to
the security token's HMAC functionality (configured in the
line's third column) to operate. If not configured and the
volume is of type LUKS2, the CID and the key are read from
LUKS2 JSON token metadata instead. Use systemd-cryptenroll(1)
as simple tool for enrolling FIDO2 security tokens,
compatible with this automatic mode, which is only available
for LUKS2 volumes.
Use systemd-cryptenroll --fido2-device=list to list all
suitable FIDO2 security tokens currently plugged in, along
with their device nodes.
This option implements the following mechanism: the
configured key is hashed via they HMAC keyed hash function
the FIDO2 device implements, keyed by a secret key embedded
on the device. The resulting hash value is Base64 encoded and
used to unlock the LUKS2 volume. As it should not be possible
to extract the secret from the hardware token, it should not
be possible to retrieve the hashed key given the configured
key — without possessing the hardware token.
Note that many security tokens that implement FIDO2 also
implement PKCS#11, suitable for unlocking volumes via the
pkcs11-uri= option described above. Typically the newer,
simpler FIDO2 standard is preferable.
fido2-cid=
Takes a Base64 encoded FIDO2 client ID to use for the FIDO2
unlock operation. If specified, but fido2-device= is not,
fido2-device=auto is implied. If fido2-device= is used but
fido2-cid= is not, the volume must be of LUKS2 type, and the
CID is read from the LUKS2 JSON token header. Use
systemd-cryptenroll(1) for enrolling a FIDO2 token in the
LUKS2 header compatible with this automatic mode.
fido2-rp=
Takes a string, configuring the FIDO2 Relying Party (rp) for
the FIDO2 unlock operation. If not specified
"io.systemd.cryptsetup" is used, except if the LUKS2 JSON
token header contains a different value. It should normally
not be necessary to override this.
tpm2-device=
Takes either the special value "auto" or the path to a device
node (e.g. /dev/tpmrm0) referring to a TPM2 security chip.
See below for an example how to set up this mechanism for
unlocking an encrypted volume with a TPM2 chip.
Use tpm2-pcrs= (see below) to configure the set of TPM2 PCRs
to bind the volume unlocking to. Use systemd-cryptenroll(1)
as simple tool for enrolling TPM2 security chips in LUKS2
volumes.
If specified as "auto" the TPM2 device is automatically
discovered. Use systemd-cryptenroll --tpm2-device=list to
list all suitable TPM2 devices currently available, along
with their device nodes.
This option implements the following mechanism: when
enrolling a TPM2 device via systemd-cryptenroll on a LUKS2
volume, a randomized key unlocking the volume is generated on
the host and loaded into the TPM2 chip where it is encrypted
with an asymmetric "primary" key pair derived from the TPM2's
internal "seed" key. Neither the seed key nor the primary key
are permitted to ever leave the TPM2 chip — however, the now
encrypted randomized key may. It is saved in the LUKS2 volume
JSON token header. When unlocking the encrypted volume, the
primary key pair is generated on the TPM2 chip again (which
works as long as the chip's seed key is correctly maintained
by the TPM2 chip), which is then used to decrypt (on the TPM2
chip) the encrypted key from the LUKS2 volume JSON token
header saved there during enrollment. The resulting decrypted
key is then used to unlock the volume. When the randomized
key is encrypted the current values of the selected PCRs (see
below) are included in the operation, so that different PCR
state results in different encrypted keys and the decrypted
key can only be recovered if the same PCR state is
reproduced.
tpm2-pcrs=
Takes a "+" separated list of numeric TPM2 PCR (i.e.
"Platform Configuration Register") indexes to bind the TPM2
volume unlocking to. This option is only useful when TPM2
enrollment metadata is not available in the LUKS2 JSON token
header already, the way systemd-cryptenroll writes it there.
If not used (and no metadata in the LUKS2 JSON token header
defines it), defaults to a list of a single entry: PCR 7.
Assign an empty string to encode a policy that binds the key
to no PCRs, making the key accessible to local programs
regardless of the current PCR state.
try-empty-password=
Takes a boolean argument. If enabled, right before asking the
user for a password it is first attempted to unlock the
volume with an empty password. This is useful for systems
that are initialized with an encrypted volume with only an
empty password set, which shall be replaced with a suitable
password during first boot, but after activation.
x-systemd.device-timeout=
Specifies how long systemd should wait for a device to show
up before giving up on the entry. The argument is a time in
seconds or explicitly specified units of "s", "min", "h",
"ms".
x-initrd.attach
Setup this encrypted block device in the initramfs, similarly
to systemd.mount(5) units marked with x-initrd.mount.
Although it's not necessary to mark the mount entry for the
root file system with x-initrd.mount, x-initrd.attach is
still recommended with the encrypted block device containing
the root file system as otherwise systemd will attempt to
detach the device during the regular system shutdown while
it's still in use. With this option the device will still be
detached but later after the root file system is unmounted.
All other encrypted block devices that contain file systems
mounted in the initramfs should use this option.
At early boot and when the system manager configuration is
reloaded, this file is translated into native systemd units by
systemd-cryptsetup-generator(8).
