Crypttab
crypttab is a configuration file on Linux systems, located at /etc/crypttab. It contains a table of encrypted partitions to be set up during boot.
Format
The format of every line is
[Volume] [Encrypted Device] [Key] [Options]
A typical crypttab can look like this:
    # encrypted home filesystem. encrypted partition referred to with its kernel name. no special options given.
    home /dev/sda3 /etc/home-luks.key
    # create an encrypted swap on a partition specified with a UUID.
    swap0 UUID=7f70192f-2bb6-4224-a692-25f310d2fb26 /dev/urandom swap
    backup UUID=0b7cad77-d74e-455f-a866-cb6826274109 -
Volume
This is the label the encrypted partition will be mapped to, where it will act as a normal, unencrypted block device. It will become available at /dev/mapper/<volume name>.
Encrypted Device
This should refer to the block device you want to be set up. It can be a UUID or a path to a block device.
Key
The given keyfile will be used to unlock the partition. "-" or "none" can be given instead, which causes the keyfile to be searched for in /etc/cryptsetup-keys.d and /run/cryptsetup-keys.d. If no keyfile is found there, a password is requested instead.
Options
Given options will change how cryptsetup(8) sets up the block device. Here are some common options:
- header= - Specify header in a separate file or device.
- noauto - Do not automatically unlock on boot.
- readonly - Set up the encrypted device as read-only.
- nofail - The device won't be a hard dependency; it will be unlocked asynchronously, and the system will continue booting if unlocking fails.
- swap - The device will be made ready to be used as swap. This will destroy all data on the block device.
- tmp= - Similar to the swap option, the device will be made ready to be used as a temporary filesystem. A filesystem can be given, otherwise defaults to ext4. This will destroy all data on the block device.
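
Because swap and tmp= destroy whatever is on the device, it is worth checking a crypttab before it is used at boot. The following is an added example, not part of the original page or of cryptsetup: a small Python parser for the four-field format above that flags destructive options and entries without a named keyfile. It assumes options are comma-separated and that the key and options fields may be omitted, as crypttab(5) describes; the "scratch" volume and its device are hypothetical.

```python
DESTRUCTIVE = {"swap", "tmp"}  # options the page says destroy existing data
KEY_DIRS = ("/etc/cryptsetup-keys.d", "/run/cryptsetup-keys.d")

# Constructed sample: the page's entries plus a hypothetical "scratch" volume.
SAMPLE = """\
# encrypted home filesystem
home    /dev/sda3  /etc/home-luks.key
swap0   UUID=7f70192f-2bb6-4224-a692-25f310d2fb26  /dev/urandom  swap
backup  UUID=0b7cad77-d74e-455f-a866-cb6826274109  -  noauto,nofail
scratch /dev/sdb1  none  tmp=ext4
"""

def parse_crypttab(text):
    """Return one dict per entry; blank lines and '#' lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if not 2 <= len(fields) <= 4:
            # A trailing "# comment" on an entry line usually ends up here.
            raise ValueError(f"line {lineno}: expected 2-4 fields, got {len(fields)}")
        key = fields[2] if len(fields) > 2 else "-"
        options = {}
        for item in fields[3].split(",") if len(fields) == 4 else []:
            name, _, value = item.partition("=")
            options[name] = value
        entries.append({"line": lineno, "volume": fields[0], "device": fields[1],
                        "key": key, "options": options,
                        "mapper": "/dev/mapper/" + fields[0]})
    return entries

def audit(entries):
    """Return (volume, finding) pairs for settings that deserve a second look."""
    findings = []
    for e in entries:
        wipes = sorted(DESTRUCTIVE & e["options"].keys())
        if wipes:
            findings.append((e["volume"],
                             f"{','.join(wipes)} set: data on {e['device']} is destroyed"))
        if e["key"] in ("-", "none"):
            findings.append((e["volume"], "no key file named: " + " and ".join(KEY_DIRS)
                             + " are searched, then a password is requested"))
    return findings

if __name__ == "__main__":
    for volume, finding in audit(parse_crypttab(SAMPLE)):
        print(f"{volume}: {finding}")
```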