From 22b1bbe06b6885bbade70da47d542976ae2d6055 Mon Sep 17 00:00:00 2001
From: Nikita Ermakov
Date: Sun, 14 Apr 2024 17:36:42 -0500
Subject: [PATCH] Add crypttab.5 manpage
---
 Makefile | 1 +
 crypttab.5 | 179 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 180 insertions(+)
 create mode 100644 crypttab.5
diff --git a/Makefile b/Makefile
index 0aa219af..c63a1a04 100644
--- a/Makefile
+++ b/Makefile
@@ -27,6 +27,7 @@ install:
 install -m644 halt.8 ${DESTDIR}/${PREFIX}/share/man/man8
 install -m644 modules-load.8 ${DESTDIR}/${PREFIX}/share/man/man8
 install -m644 vlogger.8 ${DESTDIR}/${PREFIX}/share/man/man8
+ install -m644 crypttab.5 ${DESTDIR}/${PREFIX}/share/man/man5
 ln -sf halt.8 ${DESTDIR}/${PREFIX}/share/man/man8/poweroff.8
 ln -sf halt.8 ${DESTDIR}/${PREFIX}/share/man/man8/reboot.8
 install -d ${DESTDIR}/etc/sv
diff --git a/crypttab.5 b/crypttab.5
new file mode 100644
index 00000000..70376d95
--- /dev/null
+++ b/crypttab.5
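Review bot: The new `install -m644 crypttab.5 ${DESTDIR}/${PREFIX}/share/man/man5` line assumes the man5 directory already exists, but no `install -d` for it is visible in this hunk and the surrounding lines only ever populate man8, so on a clean DESTDIR install(1) will fail with a missing-directory error. The install target starts and ends outside this hunk; if it does not create that directory elsewhere, add `install -d ${DESTDIR}/${PREFIX}/share/man/man5` before the new line, next to whatever creates the man8 directory. Mode 644 matches the other man page installs, so that part is consistent.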
@@ -0,0 +1,179 @@
+.TH CRYPTTAB 5
+.SH NAME
+crypttab \- Configuration for encrypted block devices
+.SH "SYNOPSIS"
+.PP
+\fI/etc/crypttab\fR
+.SH "DESCRIPTION"
+.PP
+The file \fBcrypttab\fR contains information about encrypted block devices
+that are getting setup during boot process.
+.PP
+Each line describes one encrypted block device and can have up to 4 fields but
+not less than 2 fields. Fields on each line separated by tabs or spaces.
+Lines starting with '#' are comments and blank lines are ignored.
+.PP
+The first two fields are mandatory, the remaining two are optional. Each line
+has a form of:
+.sp
+.RS 4
+.NF
+\fIvolume\-name\fR \fIencrypted\-device\fR \fIkey\-file\fR \fIoptions\fR
+.RE
+.sp
+.nr step 0 1
+.nr PI 3n
+The four fields are:
+.IP \n+[step]
+The first field describes the name of the volume with decrypted data in
+\fI/dev/mapper\fR.
+.IP \n+[step]
+The second field describes the encrypted block device or file. It can be in a
+form of a filename, UUID=\& or PARTUUID=\&.
+.IP \n+[step]
+The third field, if present, describes an absolute path to a file with the
+encryption key. If the field is empty a passphrase will be read interactively
+from the console.
+.IP \n+[step]
+The fourth field, if present, is a comma\-delimited list of options. See
+\fBSUPPORTED OPTIONS\fR\&.
+.SH SUPPORTED OPTIONS
+.PP
+\fBcipher=\fR
+.RS 4
+Specify encryption algorithm to use. See \fBcryptsetup\fR(8)\& and
+\fBcryptsetup \-c\fR\& for details. \fBcryptsetup \-\-help\fR\& has details about
+defaults.
+.RE
+.PP
+\fBdiscard\fR
+.RS 4
+Allow to use of discard (TRIM) requests for the device. Can have a negative
+security impact, please refer to \fBcryptsetup\-open(8)\fR.
+.sp
+Needs kernel 3.1 or later.
+.RE
+.PP
+\fBhash=\fR
+.RS 4
+Use as the passphrase hash. For more details refer to
+\fBcryptsetup\-open(8)\fR.\&
+.RE
+.PP
+\fBheader=\fR
+.RS 4
+Use detached header metadata device or file. For more details refer to
+\fBcryprsetup\-open(8)\fR.
+.RE
+.PP
+\fBkeyfile\-offset=\fR
+.RS 4
+Skip bytes at the beginning of the key file.
+For more details refer to \fBcryptsetup\-open\fR(8).
+.RE
+.PP
+\fBkeyfile\-size=\fR
+.RS 4
+Read a maximum of bytes from the key file. The default is to read the
+whole file.
+For more details refer to \fBcryptsetup\-open(8)\fR.
+.RE
+.PP
+\fBkeyslot=\fR<0\-N>, \fBkey\-slot=\fR<0\-N>
+.RS 4
+Select a specific key\-slot to compare the passphrase against.
+For more details refer to \fBcryptsetup\-open\fR(8).\&
+.RE
+.PP
+\fBoffset=\fR
+.RS 4
+Start offset in the backend device in 512\-byte sectors.
+.RE
+.PP
+\fBread\-only\fR, \fBreadonly\fR
+.RS 4
+Set up readonly mapping.
+.RE
+.PP
+\fBskip=\fR
+.RS 4
+How many 512\-byte sectors of the encrypted data to skip at the beginning. For
+details refer to \fBcryptsetup\-open(8)\fR.\&
+.RE
+.PP
+\fBsize=\fR
+.RS 4
+Set the size of the device in sectors in 512\-bytes. This option is compatible
+only with \fIplain\fR device type.
+.RE
+.PP
+\fBluks\fR
+.RS 4
+Force LUKS mode. The following options are ignored: \fBcipher=\fR,
+\fBhash=\fR, \fBsize=\fR, \fBoffset=\fR, \fBskip=\fR, \fBverify\fR.
+.RE
+.PP
+\fBswap\fR
+.RS 4
+Force swap mode. The following options are ignored: \fBkeyslot=\fR,
+\fBkey\-slot=\fR, \fBkeyfile\-size=\fR, \fBkeyfile\-offset=\fR, \fBheader=\fR.
+For more details refer to \fBcryptsetup\-open(8)\fR section \fBPLAIN\fR.
+.RE
+.PP
+\fBtries=\fR
+.RS 4
+How many tries the user will have to input the correct passphrase.
+.RE
+.PP
+\fBverify\fR
+.RS 4
+When interactively asking for a passphrase, ask for it twice and complain if
+both inputs do not match.
+.RE
+.PP
+\fBperf\-same_cpu_crypt\fR
+.RS 4
+Perform encryption using the same CPU that IO was submitted on.
+.sp
+Needs kernel 4.0 or later.
+.RE
+.PP
+\fBperf\-submit_from_crypt_cpus\fR
+.RS 4
+Disable offloading writes to a separate thread after encryption.
+.sp
+Needs kernel 4.0 or later.
+.RE
+.PP
+\fBperf\-no_read_workqueue\fR
+.RS 4
+Bypass dm\-crypt internal workqueue and process read requests
+synchronously.
+.sp
+Needs kernel 5.9 or later.
+.RE
+.PP
+\fBperf\-no_write_workqueue\fR
+.RS 4
+Bypass dm\-crypt internal workqueue and process write requests
+synchronously.
+.sp
+Needs kernel 5.9 or later.
+.RE
+.SH "EXAMPLES"
+.PP
+.RS 4
+.nf
+# Encrypted LUKS with interactive password
+luks UUID=2505567a\-9e27\-4efe\-a4d5\-15ad146c258b
+# Encrypted swap
+swap /dev/sda7 /dev/urandom swap
+# Encrypted LUKS with a key from a file
+storage /dev/nvme1n1p1 /disk.key discard,luks
+.RE
+.SH "SEE ALSO"
+.PP
+\fBfstab\fR(5),
+\fBcryptsetup\fR(8),
+\fBmkswap\fR(8),
+\fBmke2fs\fR(8)