Guide to the Linux Manual




crypttab(5)

Configuration for encrypted block devices

Name

crypttab - Configuration for encrypted block devices


Synopsis

/etc/crypttab


Description

The /etc/crypttab file describes encrypted block devices that are set up during system boot.

Empty lines and lines starting with the "#" character are ignored. Each of the remaining lines describes one encrypted block device. Fields are delimited by white space.

Each line is in the form

volume-name encrypted-device key-file options

The first two fields are mandatory, the remaining two are optional.

Setting up encrypted block devices using this file supports four encryption modes: LUKS, TrueCrypt, BitLocker and plain. See cryptsetup(8) for more information about each mode. When no mode is specified in the options field and the block device contains a LUKS signature, it is opened as a LUKS device; otherwise, it is assumed to be in raw dm-crypt (plain mode) format.

The four fields of /etc/crypttab are defined as follows:

1. The first field contains the name of the resulting volume with decrypted data; its block device is set up below /dev/mapper/.

2. The second field contains a path to the underlying block device or file, or a specification of a block device via "UUID=" followed by the UUID.

3. The third field specifies an absolute path to a file with the encryption key. Optionally, the path may be followed by ":" and an /etc/fstab style device specification (e.g. starting with "LABEL=" or similar); in which case the path is taken relative to the specified device's file system root. If the field is not present or is "none" or "-", a key file named after the volume to unlock (i.e. the first column of the line), suffixed with .key is automatically loaded from the /etc/cryptsetup-keys.d/ and /run/cryptsetup-keys.d/ directories, if present. Otherwise, the password has to be manually entered during system boot. For swap encryption, /dev/urandom may be used as key file, resulting in a randomized key.

If the specified key file path refers to an AF_UNIX stream socket in the file system, the key is acquired by connecting to the socket and reading it from the connection. This allows the implementation of a service to provide key information dynamically, at the moment when it is needed. For details see below.

4. The fourth field, if present, is a comma-delimited list of options. The supported options are listed below.
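The field rules above can be checked mechanically when auditing where each volume's key comes from. The following is an added example, not part of the manual page or of any crypttab implementation; `parse_crypttab`, `key_source`, the category labels and the sample entries are assumptions of this example, and the permission check is its own hardening check rather than something the page specifies.

```python
import os
import stat

# Directories the page names for automatic "<volume-name>.key" lookup.
KEY_DIRS = ("/etc/cryptsetup-keys.d", "/run/cryptsetup-keys.d")

# Constructed sample input (device names, UUID and label are made up).
SAMPLE = """\
# volume-name encrypted-device key-file options
root   UUID=00000000-0000-4000-8000-000000000001
swap   /dev/sda7   /dev/urandom            swap
usb    /dev/sdb2   /keyfile:LABEL=keydev
data   /dev/sdc1   -                       luks,discard
"""

def parse_crypttab(text):
    """Split crypttab text into dicts with name, device, key and options."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # empty lines and comments are ignored
        fields = line.split()  # fields are delimited by white space
        if not 2 <= len(fields) <= 4:
            raise ValueError(f"line {lineno}: expected 2-4 fields, got {len(fields)}")
        entries.append({
            "name": fields[0],
            "device": fields[1],
            "key": fields[2] if len(fields) > 2 else "none",
            "options": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries

def key_source(entry):
    """Classify where the key for one entry comes from, per the third field."""
    key = entry["key"]
    if key in ("none", "-"):  # auto-loaded key file if present, else a prompt
        return "auto-or-prompt", [f"{d}/{entry['name']}.key" for d in KEY_DIRS]
    if key == "/dev/urandom":  # randomized key, as used for swap
        return "random", [key]
    if ":" in key:  # path relative to another device's file system root
        path, _, dev = key.rpartition(":")  # last ':' is this example's choice
        return "file-on-device", [path, dev]
    try:
        mode = os.stat(key).st_mode
    except OSError:
        return "missing", [key]
    if stat.S_ISSOCK(mode):  # AF_UNIX socket: key is read from the connection
        return "socket", [key]
    # Hardening check added by this example: flag group/other access bits.
    return ("file-loose-perms" if mode & 0o077 else "file"), [key]
```

Run against a real /etc/crypttab, the "auto-or-prompt" result lists the candidate key paths to inspect, since the file alone does not show whether a key file is present there.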