Example 2. /etc/crypttab example
Set up four encrypted block devices: one using LUKS for normal storage, another for use as a swap device, and two TrueCrypt volumes. For the fourth device, the option string is interpreted as two options: "cipher=xchacha12,aes-adiantum-plain64" and "keyfile-timeout=10s".
luks       UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap       /dev/sda7       /dev/urandom             swap
truecrypt  /dev/sda2       /etc/container_password  tcrypt
hidden     /mnt/tc_hidden  /dev/null                tcrypt-hidden,tcrypt-keyfile=/etc/keyfile
external   /dev/sda3       keyfile:LABEL=keydev     keyfile-timeout=10s,cipher=xchacha12\,aes-adiantum-plain64
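As an added example (not part of this man page or of systemd), a small Python parser for the /etc/crypttab layout shown above. It implements the rule the example describes, that a backslash-escaped comma in the fourth field belongs to the option value rather than separating options, and it is checked against the five entries of Example 2, embedded here as constructed input:

```python
# Added example (not part of systemd): parse /etc/crypttab entries, applying the
# rule from Example 2 that "\," inside the options field is a literal comma.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed input: the five entries of Example 2 plus a comment line.
EXAMPLE_CRYPTTAB = r"""
# name      device                                     key-file                 options
luks        UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap        /dev/sda7                                  /dev/urandom             swap
truecrypt   /dev/sda2                                  /etc/container_password  tcrypt
hidden      /mnt/tc_hidden                             /dev/null                tcrypt-hidden,tcrypt-keyfile=/etc/keyfile
external    /dev/sda3                                  keyfile:LABEL=keydev     keyfile-timeout=10s,cipher=xchacha12\,aes-adiantum-plain64
"""

@dataclass
class CrypttabEntry:
    name: str
    device: str
    keyfile: Optional[str]                 # None when the field is absent, "-" or "none"
    options: Dict[str, Union[str, bool]]   # "key=value" -> value, bare flag -> True

def split_options(opts: str) -> List[str]:
    """Split the fourth field on unescaped commas only; "\\," stays inside the value."""
    return [o.replace("\\,", ",") for o in re.split(r"(?<!\\),", opts) if o]

def parse_crypttab(text: str) -> List[CrypttabEntry]:
    """Parse crypttab text; blank lines and lines starting with '#' are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)       # at most four whitespace-separated fields
        keyfile = fields[2] if len(fields) > 2 and fields[2] not in ("-", "none") else None
        options: Dict[str, Union[str, bool]] = {}
        for opt in (split_options(fields[3]) if len(fields) > 3 else []):
            key, sep, value = opt.partition("=")
            options[key] = value if sep else True
        entries.append(CrypttabEntry(fields[0], fields[1], keyfile, options))
    return entries

if __name__ == "__main__":
    for e in parse_crypttab(EXAMPLE_CRYPTTAB):
        print(f"{e.name}: keyfile={e.keyfile} options={e.options}")
```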
Example 3. Yubikey-based PKCS#11 Volume Unlocking Example
The PKCS#11 logic allows hooking up any compatible security token that is capable of storing RSA decryption keys for unlocking an encrypted volume. Here's an example of how to set up a Yubikey security token for this purpose on a LUKS2 volume, using ykman(1) from the yubikey-manager project to initialize the token and systemd-cryptenroll(1) to add it to the LUKS2 volume:
# Destroy any old key on the Yubikey (careful!)
ykman piv reset
# Generate a new private/public key pair on the device, store the public key in
# 'pubkey.pem'.
ykman piv generate-key -a RSA2048 9d pubkey.pem
# Create a self-signed certificate from this public key, and store it on the
# device. The "subject" should be an arbitrary user-chosen string to identify
# the token with.
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem
# We don't need the public key anymore, let's remove it. Since it is not
# security sensitive we just do a regular "rm" here.
rm pubkey.pem
# Enroll the freshly initialized security token in the LUKS2 volume. Replace
# /dev/sdXn by the partition to use (e.g. /dev/sda1).
sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn
# Test: Let's run systemd-cryptsetup to test if this all worked.
sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto
# If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future.
sudo bash -c 'echo "mytest /dev/sdXn - pkcs11-uri=auto" >> /etc/crypttab'
A few notes on the above:
• We use RSA2048, which is the longest key size current Yubikeys support.
• We use Yubikey key slot 9d, since that's apparently the key slot to use for decryption purposes; see documentation[2].
Example 4. FIDO2 Volume Unlocking Example
The FIDO2 logic allows using any compatible FIDO2 security token that implements the "hmac-secret" extension for unlocking an encrypted volume. Here's an example of how to set up a FIDO2 security token for this purpose for a LUKS2 volume, using systemd-cryptenroll(1):
# Enroll the security token in the LUKS2 volume. Replace /dev/sdXn by the
# partition to use (e.g. /dev/sda1).
sudo systemd-cryptenroll --fido2-device=auto /dev/sdXn
# Test: Let's run systemd-cryptsetup to test if this worked.
sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - fido2-device=auto
# If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future.
sudo bash -c 'echo "mytest /dev/sdXn - fido2-device=auto" >> /etc/crypttab'
Example 5. TPM2 Volume Unlocking Example
The TPM2 logic allows using any TPM2 chip supported by the Linux kernel for unlocking an encrypted volume. Here's an example of how to set up a TPM2 chip for this purpose for a LUKS2 volume, using systemd-cryptenroll(1):
# Enroll the TPM2 security chip in the LUKS2 volume, and bind it to PCR 7
# only. Replace /dev/sdXn by the partition to use (e.g. /dev/sda1).
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdXn
# Test: Let's run systemd-cryptsetup to test if this worked.
sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - tpm2-device=auto
# If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future.
sudo bash -c 'echo "mytest /dev/sdXn - tpm2-device=auto" >> /etc/crypttab'