author Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-15 19:43:11 +0000
committer Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-15 19:43:11 +0000
commit fc22b3d6507c6745911b9dfcc68f1e665ae13dbc
tree ce1e3bce06471410239a6f41282e328770aa404a /templates/man5/crypttab.5.pot
parent Initial commit.
Adding upstream version 4.22.0. (upstream/4.22.0)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'templates/man5/crypttab.5.pot')
-rw-r--r-- templates/man5/crypttab.5.pot 2692
1 files changed, 2692 insertions, 0 deletions
diff --git a/templates/man5/crypttab.5.pot b/templates/man5/crypttab.5.pot
new file mode 100644
index 00000000..97d641e2
--- /dev/null
+++ b/templates/man5/crypttab.5.pot
@@ -0,0 +1,2692 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2024-03-01 16:54+0100\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron
+#, no-wrap
+msgid "CRYPTTAB"
+msgstr ""
+
+#. type: TH
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "systemd 255"
+msgstr ""
+
+#. type: TH
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "crypttab"
+msgstr ""
+
+#. -----------------------------------------------------------------
+#. * MAIN CONTENT STARTS HERE *
+#. -----------------------------------------------------------------
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "crypttab - Configuration for encrypted block devices"
+msgstr ""
+
+#. type: SH
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "SYNOPSIS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "/etc/crypttab"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The /etc/crypttab file describes encrypted block devices that are set up "
+"during system boot\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Empty lines and lines starting with the \"#\" character are ignored\\&. Each "
+"of the remaining lines describes one encrypted block device\\&. Fields are "
+"delimited by white space\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Each line is in the form"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "I<volume-name> I<encrypted-device> I<key-file> I<options>\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "The first two fields are mandatory, the remaining two are optional\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Setting up encrypted block devices using this file supports four encryption "
+"modes: LUKS, TrueCrypt, BitLocker and plain\\&. See B<cryptsetup>(8) for "
+"more information about each mode\\&. When no mode is specified in the "
+"options field and the block device contains a LUKS signature, it is opened "
+"as a LUKS device; otherwise, it is assumed to be in raw dm-crypt (plain "
+"mode) format\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "The four fields of /etc/crypttab are defined as follows:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The first field contains the name of the resulting volume with decrypted "
+"data; its block device is set up below /dev/mapper/\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The second field contains a path to the underlying block device or file, or "
+"a specification of a block device via \"UUID=\" followed by the UUID\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The third field specifies an absolute path to a file with the encryption "
+"key\\&. Optionally, the path may be followed by \":\" and an /etc/fstab "
+"style device specification (e\\&.g\\&. starting with \"LABEL=\" or similar); "
+"in which case the path is taken relative to the specified device\\*(Aqs file "
+"system root\\&. If the field is not present or is \"none\" or \"-\", a key "
+"file named after the volume to unlock (i\\&.e\\&. the first column of the "
+"line), suffixed with \\&.key is automatically loaded from the /etc/"
+"cryptsetup-keys\\&.d/ and /run/cryptsetup-keys\\&.d/ directories, if "
+"present\\&. Otherwise, the password has to be manually entered during system "
+"boot\\&. For swap encryption, /dev/urandom may be used as key file, "
+"resulting in a randomized key\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"If the specified key file path refers to an B<AF_UNIX> stream socket in the "
+"file system, the key is acquired by connecting to the socket and reading it "
+"from the connection\\&. This allows the implementation of a service to "
+"provide key information dynamically, at the moment when it is needed\\&. For "
+"details see below\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The fourth field, if present, is a comma-delimited list of options\\&. The "
+"supported options are listed below\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "KEY ACQUISITION"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Six different mechanisms for acquiring the decryption key or passphrase "
+"unlocking the encrypted volume are supported\\&. Specifically:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Most prominently, the user may be queried interactively during volume "
+"activation (i\\&.e\\&. typically at boot), asking them to type in the "
+"necessary passphrases\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The (unencrypted) key may be read from a file on disk, possibly on removable "
+"media\\&. The third field of each line encodes the location, for details see "
+"above\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The (unencrypted) key may be requested from another service, by specifying "
+"an B<AF_UNIX> file system socket in place of a key file in the third "
+"field\\&. For details see above and below\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The key may be acquired via a PKCS#11 compatible hardware security token or "
+"smartcard\\&. In this case an encrypted key is stored on disk/removable "
+"media, acquired via B<AF_UNIX>, or stored in the LUKS2 JSON token metadata "
+"header\\&. The encrypted key is then decrypted by the PKCS#11 token with an "
+"RSA key stored on it, and then used to unlock the encrypted volume\\&. Use "
+"the B<pkcs11-uri=> option described below to use this mechanism\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Similarly, the key may be acquired via a FIDO2 compatible hardware security "
+"token (which must implement the \"hmac-secret\" extension)\\&. In this case "
+"a key generated randomly during enrollment is stored on disk/removable "
+"media, acquired via B<AF_UNIX>, or stored in the LUKS2 JSON token metadata "
+"header\\&. The random key is hashed via a keyed hash function (HMAC) on the "
+"FIDO2 token, using a secret key stored on the token that never leaves it\\&. "
+"The resulting hash value is then used as key to unlock the encrypted "
+"volume\\&. Use the B<fido2-device=> option described below to use this "
+"mechanism\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Similarly, the key may be acquired via a TPM2 security chip\\&. In this case "
+"a (during enrollment) randomly generated key \\(em encrypted by an "
+"asymmetric key derived from the TPM2 chip\\*(Aqs seed key \\(em is stored on "
+"disk/removable media, acquired via B<AF_UNIX>, or stored in the LUKS2 JSON "
+"token metadata header\\&. Use the B<tpm2-device=> option described below to "
+"use this mechanism\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"For the latter five mechanisms the source for the key material used for "
+"unlocking the volume is primarily configured in the third field of each /etc/"
+"crypttab line, but may also configured in /etc/cryptsetup-keys\\&.d/ and /"
+"run/cryptsetup-keys\\&.d/ (see above) or in the LUKS2 JSON token header (in "
+"case of the latter three)\\&. Use the B<systemd-cryptenroll>(1) tool to "
+"enroll PKCS#11, FIDO2 and TPM2 devices in LUKS2 volumes\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "SUPPORTED OPTIONS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "The following options may be used in the fourth field of each line:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<cipher=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the cipher to use\\&. See B<cryptsetup>(8) for possible values "
+"and the default value of this option\\&. A cipher with unpredictable IV "
+"values, such as \"aes-cbc-essiv:sha256\", is recommended\\&. Embedded commas "
+"in the cipher specification need to be escaped by preceding them with a "
+"backslash, see example below\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 186\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<discard>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Allow discard requests to be passed through the encrypted block device\\&. "
+"This improves performance on SSD storage but has security implications\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 207\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<hash=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the hash to use for password hashing\\&. See B<cryptsetup>(8) for "
+"possible values and the default value of this option\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<header=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Use a detached (separated) metadata device or file where the header "
+"containing the master key(s) is stored\\&. This option is only relevant for "
+"LUKS and TrueCrypt/VeraCrypt devices\\&. See B<cryptsetup>(8) for possible "
+"values and the default value of this option\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Optionally, the path may be followed by \":\" and an /etc/fstab device "
+"specification (e\\&.g\\&. starting with \"UUID=\" or similar); in which "
+"case, the path is relative to the device file system root\\&. The device "
+"gets mounted automatically for LUKS device activation duration only\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 219\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<keyfile-offset=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the number of bytes to skip at the start of the key file\\&. See "
+"B<cryptsetup>(8) for possible values and the default value of this "
+"option\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 187\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<keyfile-size=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the maximum number of bytes to read from the key file\\&. See "
+"B<cryptsetup>(8) for possible values and the default value of this "
+"option\\&. This option is ignored in plain encryption mode, as the key file "
+"size is then given by the key size\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 188\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<keyfile-erase>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"If enabled, the specified key file is erased after the volume is activated "
+"or when activation fails\\&. This is in particular useful when the key file "
+"is only acquired transiently before activation (e\\&.g\\&. via a file in /"
+"run/, generated by a service running before activation), and shall be "
+"removed after use\\&. Defaults to off\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 246\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<key-slot=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the key slot to compare the passphrase or key against\\&. If the "
+"key slot does not match the given passphrase or key, but another would, the "
+"setup of the device will fail regardless\\&. This option implies B<luks>\\&. "
+"See B<cryptsetup>(8) for possible values\\&. The default is to try all key "
+"slots in sequential order\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 209\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<keyfile-timeout=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the timeout for the device on which the key file resides or the "
+"device used as the key file, and falls back to a password if it could not be "
+"accessed\\&. See B<systemd-cryptsetup-generator>(8) for key files on "
+"external devices\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 243\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<luks>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Force LUKS mode\\&. When this mode is used, the following options are "
+"ignored since they are provided by the LUKS header on the device: "
+"B<cipher=>, B<hash=>, B<size=>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<bitlk>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Decrypt BitLocker drive\\&. Encryption parameters are deduced by cryptsetup "
+"from BitLocker header\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<_netdev>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Marks this cryptsetup device as requiring network\\&. It will be started "
+"after the network is available, similarly to B<systemd.mount>(5) units "
+"marked with B<_netdev>\\&. The service unit to set up this device will be "
+"ordered between remote-fs-pre\\&.target and remote-cryptsetup\\&.target, "
+"instead of cryptsetup-pre\\&.target and cryptsetup\\&.target\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Hint: if this device is used for a mount point that is specified in "
+"B<fstab>(5), the B<_netdev> option should also be used for the mount "
+"point\\&. Otherwise, a dependency loop might be created where the mount "
+"point will be pulled in by local-fs\\&.target, while the service to "
+"configure the network is usually only started I<after> the local file system "
+"has been mounted\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 235\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<noauto>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"This device will not be added to cryptsetup\\&.target\\&. This means that it "
+"will not be automatically unlocked on boot, unless something else pulls it "
+"in\\&. In particular, if the device is used for a mount point, it\\*(Aqll be "
+"unlocked automatically during boot, unless the mount point itself is also "
+"disabled with B<noauto>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<nofail>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"This device will not be a hard dependency of cryptsetup\\&.target\\&. "
+"It\\*(Aqll still be pulled in and started, but the system will not wait for "
+"the device to show up and be unlocked, and boot will not fail if this is "
+"unsuccessful\\&. Note that other units that depend on the unlocked device "
+"may still fail\\&. In particular, if the device is used for a mount point, "
+"the mount point itself also needs to have the B<nofail> option, or the boot "
+"will fail if the device is not unlocked successfully\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<offset=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Start offset in the backend device, in 512-byte sectors\\&. This option is "
+"only relevant for plain devices\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 220\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<plain>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron
+msgid "Force plain encryption mode\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<read-only>, B<readonly>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Set up the encrypted block device in read-only mode\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<same-cpu-crypt>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Perform encryption using the same CPU that IO was submitted on\\&. The "
+"default is to use an unbound workqueue so that encryption work is "
+"automatically balanced between available CPUs\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "This requires kernel 4\\&.0 or newer\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 242\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<submit-from-crypt-cpus>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Disable offloading writes to a separate thread after encryption\\&. There "
+"are some situations where offloading write requests from the encryption "
+"threads to a dedicated thread degrades performance significantly\\&. The "
+"default is to offload write requests to a dedicated thread because it "
+"benefits the CFQ scheduler to have writes submitted using the same "
+"context\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<no-read-workqueue>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Bypass dm-crypt internal workqueue and process read requests "
+"synchronously\\&. The default is to queue these requests and process them "
+"asynchronously\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "This requires kernel 5\\&.9 or newer\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 248\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<no-write-workqueue>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Bypass dm-crypt internal workqueue and process write requests "
+"synchronously\\&. The default is to queue these requests and process them "
+"asynchronously\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<skip=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"How many 512-byte sectors of the encrypted data to skip at the beginning\\&. "
+"This is different from the B<offset=> option with respect to the sector "
+"numbers used in initialization vector (IV) calculation\\&. Using B<offset=> "
+"will shift the IV calculation by the same negative amount\\&. Hence, if "
+"B<offset=>I<n> is given, sector I<n> will get a sector number of 0 for the "
+"IV calculation\\&. Using B<skip=> causes sector I<n> to also be the first "
+"sector of the mapped device, but with its number for IV generation being "
+"I<n>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "This option is only relevant for plain devices\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<size=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the key size in bits\\&. See B<cryptsetup>(8) for possible values "
+"and the default value of this option\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<sector-size=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the sector size in bytes\\&. See B<cryptsetup>(8) for possible "
+"values and the default value of this option\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 240\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<swap>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The encrypted block device will be used as a swap device, and will be "
+"formatted accordingly after setting up the encrypted block device, with "
+"B<mkswap>(8)\\&. This option implies B<plain>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"WARNING: Using the B<swap> option will destroy the contents of the named "
+"partition during every boot, so make sure the underlying block device is "
+"specified correctly\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tcrypt>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Use TrueCrypt encryption mode\\&. When this mode is used, the following "
+"options are ignored since they are provided by the TrueCrypt header on the "
+"device or do not apply: B<cipher=>, B<hash=>, B<keyfile-offset=>, B<keyfile-"
+"size=>, B<size=>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"When this mode is used, the passphrase is read from the key file given in "
+"the third field\\&. Only the first line of this file is read, excluding the "
+"new line character\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Note that the TrueCrypt format uses both passphrase and key files to derive "
+"a password for the volume\\&. Therefore, the passphrase and all key files "
+"need to be provided\\&. Use B<tcrypt-keyfile=> to provide the absolute path "
+"to all key files\\&. When using an empty passphrase in combination with one "
+"or more key files, use \"/dev/null\" as the password file in the third "
+"field\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 206\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tcrypt-hidden>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Use the hidden TrueCrypt volume\\&. This option implies B<tcrypt>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"This will map the hidden volume that is inside of the volume provided in the "
+"second field\\&. Please note that there is no protection for the hidden "
+"volume if the outer volume is mounted instead\\&. See B<cryptsetup>(8) for "
+"more information on this limitation\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tcrypt-keyfile=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the absolute path to a key file to use for a TrueCrypt volume\\&. "
+"This implies B<tcrypt> and can be used more than once to provide several key "
+"files\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"See the entry for B<tcrypt> on the behavior of the passphrase and key files "
+"when using TrueCrypt encryption mode\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tcrypt-system>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Use TrueCrypt in system encryption mode\\&. This option implies B<tcrypt>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tcrypt-veracrypt>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Check for a VeraCrypt volume\\&. VeraCrypt is a fork of TrueCrypt that is "
+"mostly compatible, but uses different, stronger key derivation algorithms "
+"that cannot be detected without this flag\\&. Enabling this option could "
+"substantially slow down unlocking, because VeraCrypt\\*(Aqs key derivation "
+"takes much longer than TrueCrypt\\*(Aqs\\&. This option implies B<tcrypt>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 232\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<veracrypt-pim=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies a custom Personal Iteration Multiplier (PIM) value, which can "
+"range from 0\\&.\\&.2147468 for standard veracrypt volumes and 0\\&."
+"\\&.65535 for veracrypt system volumes\\&. A value of 0 will imply the "
+"VeraCrypt default\\&. This option is only effective when B<tcrypt-veracrypt> "
+"is set\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Note that VeraCrypt enforces a minimal allowed PIM value depending on the "
+"password strength and the hash algorithm used for key derivation, however "
+"B<veracrypt-pim=> is not checked against these bounds\\&. See "
+"\\m[blue]B<Veracrypt Personal Iterations "
+"Multiplier>\\m[]\\&\\s-2\\u[1]\\d\\s+2 documentation for more information\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 254\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<timeout=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the timeout for querying for a password\\&. If no unit is "
+"specified, seconds is used\\&. Supported units are s, ms, us, min, h, d\\&. "
+"A timeout of 0 waits indefinitely (which is the default)\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tmp=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The encrypted block device will be prepared for using it as /tmp/; it will "
+"be formatted using B<mkfs>(8)\\&. Takes a file system type as argument, such "
+"as \"ext4\", \"xfs\" or \"btrfs\"\\&. If no argument is specified defaults "
+"to \"ext4\"\\&. This option implies B<plain>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"WARNING: Using the B<tmp> option will destroy the contents of the named "
+"partition during every boot, so make sure the underlying block device is "
+"specified correctly\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tries=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies the maximum number of times the user is queried for a password\\&. "
+"The default is 3\\&. If set to 0, the user is queried for a password "
+"indefinitely\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<headless=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes a boolean argument, defaults to false\\&. If true, never query "
+"interactively for the password/PIN\\&. Useful for headless systems\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 249\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<verify>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"If the encryption password is read from console, it has to be entered twice "
+"to prevent typos\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<password-echo=yes|no|masked>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Controls whether to echo passwords or security token PINs that are read from "
+"console\\&. Takes a boolean or the special string \"masked\"\\&. The default "
+"is B<password-echo=masked>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"If enabled, the typed characters are echoed literally\\&. If disabled, the "
+"typed characters are not echoed in any form, the user will not get feedback "
+"on their input\\&. If set to \"masked\", an asterisk (\"*\") is echoed for "
+"each character typed\\&. Regardless of which mode is chosen, if the user "
+"hits the tabulator key (\"↹\") at any time, or the backspace key (\"⌫\") "
+"before any other data has been entered, then echo is turned off\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<pkcs11-uri=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes either the special value \"auto\" or an \\m[blue]B<RFC7512 PKCS#11 "
+"URI>\\m[]\\&\\s-2\\u[2]\\d\\s+2 pointing to a private RSA key which is used "
+"to decrypt the encrypted key specified in the third column of the line\\&. "
+"This is useful for unlocking encrypted volumes through PKCS#11 compatible "
+"security tokens or smartcards\\&. See below for an example how to set up "
+"this mechanism for unlocking a LUKS2 volume with a YubiKey security token\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"If specified as \"auto\" the volume must be of type LUKS2 and must carry "
+"PKCS#11 security token metadata in its LUKS2 JSON token section\\&. In this "
+"mode the URI and the encrypted key are automatically read from the LUKS2 "
+"JSON token header\\&. Use B<systemd-cryptenroll>(1) as simple tool for "
+"enrolling PKCS#11 security tokens or smartcards in a way compatible with "
+"\"auto\"\\&. In this mode the third column of the line should remain empty "
+"(that is, specified as \"-\")\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The specified URI can refer directly to a private RSA key stored on a token "
+"or alternatively just to a slot or token, in which case a search for a "
+"suitable private RSA key will be performed\\&. In this case if multiple "
+"suitable objects are found the token is refused\\&. The encrypted key "
+"configured in the third column of the line is passed as is (i\\&.e\\&. in "
+"binary form, unprocessed) to RSA decryption\\&. The resulting decrypted key "
+"is then Base64 encoded before it is used to unlock the LUKS volume\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Use B<systemd-cryptenroll --pkcs11-token-uri=list> to list all suitable "
+"PKCS#11 security tokens currently plugged in, along with their URIs\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Note that many newer security tokens that may be used as PKCS#11 security "
+"token typically also implement the newer and simpler FIDO2 standard\\&. "
+"Consider using B<fido2-device=> (described below) to enroll it via FIDO2 "
+"instead\\&. Note that a security token enrolled via PKCS#11 cannot be used "
+"to unlock the volume via FIDO2, unless also enrolled via FIDO2, and vice "
+"versa\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 245\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<fido2-device=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes either the special value \"auto\" or the path to a \"hidraw\" device "
+"node (e\\&.g\\&. /dev/hidraw1) referring to a FIDO2 security token that "
+"implements the \"hmac-secret\" extension (most current hardware security "
+"tokens do)\\&. See below for an example how to set up this mechanism for "
+"unlocking an encrypted volume with a FIDO2 security token\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"If specified as \"auto\" the FIDO2 token device is automatically discovered, "
+"as it is plugged in\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"FIDO2 volume unlocking requires a client ID hash (CID) to be configured via "
+"B<fido2-cid=> (see below) and a key to pass to the security token\\*(Aqs "
+"HMAC functionality (configured in the line\\*(Aqs third column) to "
+"operate\\&. If not configured and the volume is of type LUKS2, the CID and "
+"the key are read from LUKS2 JSON token metadata instead\\&. Use B<systemd-"
+"cryptenroll>(1) as simple tool for enrolling FIDO2 security tokens, "
+"compatible with this automatic mode, which is only available for LUKS2 "
+"volumes\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Use B<systemd-cryptenroll --fido2-device=list> to list all suitable FIDO2 "
+"security tokens currently plugged in, along with their device nodes\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"This option implements the following mechanism: the configured key is hashed "
+"via they HMAC keyed hash function the FIDO2 device implements, keyed by a "
+"secret key embedded on the device\\&. The resulting hash value is Base64 "
+"encoded and used to unlock the LUKS2 volume\\&. As it should not be possible "
+"to extract the secret from the hardware token, it should not be possible to "
+"retrieve the hashed key given the configured key \\(em without possessing "
+"the hardware token\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Note that many security tokens that implement FIDO2 also implement PKCS#11, "
+"suitable for unlocking volumes via the B<pkcs11-uri=> option described "
+"above\\&. Typically the newer, simpler FIDO2 standard is preferable\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<fido2-cid=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes a Base64 encoded FIDO2 client ID to use for the FIDO2 unlock "
+"operation\\&. If specified, but B<fido2-device=> is not, B<fido2-"
+"device=auto> is implied\\&. If B<fido2-device=> is used but B<fido2-cid=> is "
+"not, the volume must be of LUKS2 type, and the CID is read from the LUKS2 "
+"JSON token header\\&. Use B<systemd-cryptenroll>(1) for enrolling a FIDO2 "
+"token in the LUKS2 header compatible with this automatic mode\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<fido2-rp=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes a string, configuring the FIDO2 Relying Party (rp) for the FIDO2 "
+"unlock operation\\&. If not specified \"io\\&.systemd\\&.cryptsetup\" is "
+"used, except if the LUKS2 JSON token header contains a different value\\&. "
+"It should normally not be necessary to override this\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tpm2-device=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes either the special value \"auto\" or the path to a device node (e\\&."
+"g\\&. /dev/tpmrm0) referring to a TPM2 security chip\\&. See below for an "
+"example how to set up this mechanism for unlocking an encrypted volume with "
+"a TPM2 chip\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Use B<tpm2-pcrs=> (see below) to configure the set of TPM2 PCRs to bind the "
+"volume unlocking to\\&. Use B<systemd-cryptenroll>(1) as simple tool for "
+"enrolling TPM2 security chips in LUKS2 volumes\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"If specified as \"auto\" the TPM2 device is automatically discovered\\&. Use "
+"B<systemd-cryptenroll --tpm2-device=list> to list all suitable TPM2 devices "
+"currently available, along with their device nodes\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"This option implements the following mechanism: when enrolling a TPM2 device "
+"via B<systemd-cryptenroll> on a LUKS2 volume, a randomized key unlocking the "
+"volume is generated on the host and loaded into the TPM2 chip where it is "
+"encrypted with an asymmetric \"primary\" key pair derived from the "
+"TPM2\\*(Aqs internal \"seed\" key\\&. Neither the seed key nor the primary "
+"key are permitted to ever leave the TPM2 chip \\(em however, the now "
+"encrypted randomized key may\\&. It is saved in the LUKS2 volume JSON token "
+"header\\&. When unlocking the encrypted volume, the primary key pair is "
+"generated on the TPM2 chip again (which works as long as the chip\\*(Aqs "
+"seed key is correctly maintained by the TPM2 chip), which is then used to "
+"decrypt (on the TPM2 chip) the encrypted key from the LUKS2 volume JSON "
+"token header saved there during enrollment\\&. The resulting decrypted key "
+"is then used to unlock the volume\\&. When the randomized key is encrypted "
+"the current values of the selected PCRs (see below) are included in the "
+"operation, so that different PCR state results in different encrypted keys "
+"and the decrypted key can only be recovered if the same PCR state is "
+"reproduced\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tpm2-pcrs=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes a \"+\" separated list of numeric TPM2 PCR (i\\&.e\\&. \"Platform "
+"Configuration Register\") indexes to bind the TPM2 volume unlocking to\\&. "
+"This option is only useful when TPM2 enrollment metadata is not available in "
+"the LUKS2 JSON token header already, the way B<systemd-cryptenroll> writes "
+"it there\\&. If not used (and no metadata in the LUKS2 JSON token header "
+"defines it), defaults to a list of a single entry: PCR 7\\&. Assign an empty "
+"string to encode a policy that binds the key to no PCRs, making the key "
+"accessible to local programs regardless of the current PCR state\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tpm2-pin=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes a boolean argument, defaults to \"false\"\\&. Controls whether TPM2 "
+"volume unlocking is bound to a PIN in addition to PCRs\\&. Similarly, this "
+"option is only useful when TPM2 enrollment metadata is not available\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 251\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tpm2-signature=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes an absolute path to a TPM2 PCR JSON signature file, as produced by the "
+"B<systemd-measure>(1) tool\\&. This permits locking LUKS2 volumes to any "
+"PCR values for which a valid signature matching a public key specified at "
+"key enrollment time can be provided\\&. See B<systemd-cryptenroll>(1) for "
+"details on enrolling TPM2 PCR public keys\\&. If this option is not "
+"specified but it is attempted to unlock a LUKS2 volume with a signed TPM2 "
+"PCR enrollment a suitable signature file tpm2-pcr-signature\\&.json is "
+"searched for in /etc/systemd/, /run/systemd/, /usr/lib/systemd/ (in this "
+"order)\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 252\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tpm2-pcrlock=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes an absolute path to a TPM2 pcrlock policy file, as produced by the "
+"B<systemd-pcrlock>(1) tool\\&. This permits locking LUKS2 volumes to a "
+"local policy of allowed PCR values with variants\\&. See B<systemd-"
+"cryptenroll>(1) for details on enrolling TPM2 pcrlock policies\\&. If this "
+"option is not specified but it is attempted to unlock a LUKS2 volume with a "
+"TPM2 pcrlock enrollment a suitable signature file pcrlock\\&.json is "
+"searched for in /run/systemd/ and /var/lib/systemd/ (in this order)\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 255\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tpm2-measure-pcr=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Controls whether to measure the volume key of the encrypted volume to a TPM2 "
+"PCR\\&. If set to \"no\" (which is the default) no PCR extension is done\\&. "
+"If set to \"yes\" the volume key is measured into PCR 15\\&. If set to a "
+"decimal integer in the range 0\\&...23 the volume key is measured into the "
+"specified PCR\\&. The volume key is measured along with the activated volume "
+"name and its UUID\\&. This functionality is particularly useful for the "
+"encrypted volume backing the root file system, as it then allows later TPM "
+"objects to be securely bound to the root file system and hence the specific "
+"installation\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 253\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<tpm2-measure-bank=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Selects one or more TPM2 PCR banks to measure the volume key into, as "
+"configured with B<tpm2-measure-pcr=> above\\&. Multiple banks may be "
+"specified, separated by a colon character\\&. If not specified automatically "
+"determines available and used banks\\&. Expects a message digest name (e\\&."
+"g\\&. \"sha1\", \"sha256\", \\&...) as argument, to identify the bank\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<token-timeout=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies how long to wait at most for configured security devices (i\\&."
+"e\\&. FIDO2, PKCS#11, TPM2) to show up\\&. Takes a time value in seconds "
+"(but other time units may be specified too, see B<systemd.time>(7) for "
+"supported formats)\\&. Defaults to 30s\\&. Once the specified timeout "
+"elapsed authentication via password is attempted\\&. Note that this timeout "
+"applies to waiting for the security device to show up \\(em it does not "
+"apply to the PIN prompt for the device (should one be needed) or similar\\&. "
+"Pass 0 to turn off the time-out and wait forever\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 250\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<try-empty-password=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Takes a boolean argument\\&. If enabled, right before asking the user for a "
+"password it is first attempted to unlock the volume with an empty "
+"password\\&. This is useful for systems that are initialized with an "
+"encrypted volume with only an empty password set, which shall be replaced "
+"with a suitable password during first boot, but after activation\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<x-systemd\\&.device-timeout=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Specifies how long systemd should wait for a block device to show up before "
+"giving up on the entry\\&. The argument is a time in seconds or explicitly "
+"specified units of \"s\", \"min\", \"h\", \"ms\"\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 216\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<x-initrd\\&.attach>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Setup this encrypted block device in the initrd, similarly to B<systemd."
+"mount>(5) units marked with B<x-initrd\\&.mount>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Although it\\*(Aqs not necessary to mark the mount entry for the root file "
+"system with B<x-initrd\\&.mount>, B<x-initrd\\&.attach> is still recommended "
+"with the encrypted block device containing the root file system as otherwise "
+"systemd will attempt to detach the device during the regular system shutdown "
+"while it\\*(Aqs still in use\\&. With this option the device will still be "
+"detached but later after the root file system is unmounted\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"All other encrypted block devices that contain file systems mounted in the "
+"initrd should use this option\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"At early boot and when the system manager configuration is reloaded, this "
+"file is translated into native systemd units by B<systemd-cryptsetup-"
+"generator>(8)\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "AF_UNIX KEY FILES"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"If the key file path (as specified in the third column of /etc/crypttab "
+"entries, see above) refers to an B<AF_UNIX> stream socket in the file "
+"system, the key is acquired by connecting to the socket and reading the key "
+"from the connection\\&. The connection is made from an B<AF_UNIX> socket "
+"name in the abstract namespace, see B<unix>(7) for details\\&. The source "
+"socket name is chosen according the following format:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "B<NUL> I<RANDOM> /cryptsetup/ I<VOLUME>\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"In other words: a B<NUL> byte (as required for abstract namespace sockets), "
+"followed by a random string (consisting of alphanumeric characters only), "
+"followed by the literal string \"/cryptsetup/\", followed by the name of the "
+"volume to acquire they key for\\&. For example, for the volume \"myvol\":"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "\\e0d7067f78d9827418/cryptsetup/myvol\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Services listening on the B<AF_UNIX> stream socket may query the source "
+"socket name with B<getpeername>(2), and use this to determine which key to "
+"send, allowing a single listening socket to serve keys for multiple "
+"volumes\\&. If the PKCS#11 logic is used (see above), the socket source name "
+"is picked in similar fashion, except that the literal string \"/cryptsetup-"
+"pkcs11/\" is used\\&. And similarly for FIDO2 (\"/cryptsetup-fido2/\") and "
+"TPM2 (\"/cryptsetup-tpm2/\")\\&. A different path component is used so that "
+"services providing key material know that the secret key was not requested "
+"directly, but instead an encrypted key that will be decrypted via the "
+"PKCS#11/FIDO2/TPM2 logic to acquire the final secret key\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron
+#, no-wrap
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<Example\\ \\&1.\\ \\&/etc/crypttab example>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Set up four encrypted block devices\\&. One using LUKS for normal storage, "
+"another one for usage as a swap device and two TrueCrypt volumes\\&. For the "
+"fourth device, the option string is interpreted as two options "
+"\"cipher=xchacha12,aes-adiantum-plain64\", \"keyfile-timeout=10s\"\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b\n"
+"swap /dev/sda7 /dev/urandom swap\n"
+"truecrypt /dev/sda2 /etc/container_password tcrypt\n"
+"hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile\n"
+"external /dev/sda3 keyfile:LABEL=keydev keyfile-timeout=10s,cipher=xchacha12\\e,aes-adiantum-plain64\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<Example\\ \\&2.\\ \\&Yubikey-based PKCS#11 Volume Unlocking Example>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The PKCS#11 logic allows hooking up any compatible security token that is "
+"capable of storing RSA decryption keys for unlocking an encrypted volume\\&. "
+"Here\\*(Aqs an example how to set up a Yubikey security token for this "
+"purpose on a LUKS2 volume, using B<ykmap>(1) from the yubikey-manager "
+"project to initialize the token and B<systemd-cryptenroll>(1) to add it in "
+"the LUKS2 volume:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "# SPDX-License-Identifier: MIT-0\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Destroy any old key on the Yubikey (careful!)\n"
+"ykman piv reset\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Generate a new private/public key pair on the device, store the public key in\n"
+"# \\*(Aqpubkey\\&.pem\\*(Aq\\&.\n"
+"ykman piv generate-key -a RSA2048 9d pubkey\\&.pem\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Create a self-signed certificate from this public key, and store it on the\n"
+"# device\\&. The \"subject\" should be an arbitrary user-chosen string to identify\n"
+"# the token with\\&.\n"
+"ykman piv generate-certificate --subject \"Knobelei\" 9d pubkey\\&.pem\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# We don\\*(Aqt need the public key anymore, let\\*(Aqs remove it\\&. Since it is not\n"
+"# security sensitive we just do a regular \"rm\" here\\&.\n"
+"rm pubkey\\&.pem\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Enroll the freshly initialized security token in the LUKS2 volume\\&. Replace\n"
+"# /dev/sdXn by the partition to use (e\\&.g\\&. /dev/sda1)\\&.\n"
+"sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Test: Let\\*(Aqs run systemd-cryptsetup to test if this all worked\\&.\n"
+"sudo systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# If that worked, let\\*(Aqs now add the same line persistently to /etc/crypttab,\n"
+"# for the future\\&. We don\\*(Aqt want to use the (unstable) /dev/sdX name, so let\\*(Aqs\n"
+"# figure out a stable link:\n"
+"udevadm info -q -r symlink /dev/sdXn\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Now add the line using the by-uuid symlink to /etc/crypttab:\n"
+"sudo bash -c \\*(Aqecho \"mytest /dev/disk/by-uuid/\\&.\\&.\\&. - pkcs11-uri=auto\" E<gt>E<gt>/etc/crypttab\\*(Aq\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Depending on your distribution and encryption setup, you may need to manually\n"
+"# regenerate your initramfs to be able to use a Yubikey / PKCS#11 token to\n"
+"# unlock the partition during early boot\\&.\n"
+"# More information at https://unix\\&.stackexchange\\&.com/a/705809\\&.\n"
+"# On Fedora based systems:\n"
+"sudo dracut --force\n"
+"# On Debian based systems:\n"
+"sudo update-initramfs -u\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "A few notes on the above:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "We use RSA2048, which is the longest key size current Yubikeys support"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"We use Yubikey key slot 9d, since that\\*(Aqs apparently the keyslot to use "
+"for decryption purposes, see \\m[blue]B<Yubico PIV certificate "
+"slots>\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<Example\\ \\&3.\\ \\&FIDO2 Volume Unlocking Example>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The FIDO2 logic allows using any compatible FIDO2 security token that "
+"implements the \"hmac-secret\" extension for unlocking an encrypted "
+"volume\\&. Here\\*(Aqs an example how to set up a FIDO2 security token for "
+"this purpose for a LUKS2 volume, using B<systemd-cryptenroll>(1):"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Enroll the security token in the LUKS2 volume\\&. Replace /dev/sdXn by the\n"
+"# partition to use (e\\&.g\\&. /dev/sda1)\\&.\n"
+"sudo systemd-cryptenroll --fido2-device=auto /dev/sdXn\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Test: Let\\*(Aqs run systemd-cryptsetup to test if this worked\\&.\n"
+"sudo systemd-cryptsetup attach mytest /dev/sdXn - fido2-device=auto\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Now add the line using the by-uuid symlink to /etc/crypttab:\n"
+"sudo bash -c \\*(Aqecho \"mytest /dev/disk/by-uuid/\\&.\\&.\\&. - fido2-device=auto\" E<gt>E<gt>/etc/crypttab\\*(Aq\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Depending on your distribution and encryption setup, you may need to manually\n"
+"# regenerate your initramfs to be able to use a FIDO2 device to unlock the\n"
+"# partition during early boot\\&.\n"
+"# More information at https://unix\\&.stackexchange\\&.com/a/705809\\&.\n"
+"# On Fedora based systems:\n"
+"sudo dracut --force\n"
+"# On Debian based systems:\n"
+"sudo update-initramfs -u\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "B<Example\\ \\&4.\\ \\&TPM2 Volume Unlocking Example>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"The TPM2 logic allows using any TPM2 chip supported by the Linux kernel for "
+"unlocking an encrypted volume\\&. Here\\*(Aqs an example how to set up a "
+"TPM2 chip for this purpose for a LUKS2 volume, using B<systemd-"
+"cryptenroll>(1):"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Enroll the TPM2 security chip in the LUKS2 volume, and bind it to PCR 7\n"
+"# only\\&. Replace /dev/sdXn by the partition to use (e\\&.g\\&. /dev/sda1)\\&.\n"
+"sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdXn\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Test: Let\\*(Aqs run systemd-cryptsetup to test if this worked\\&.\n"
+"sudo systemd-cryptsetup attach mytest /dev/sdXn - tpm2-device=auto\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Now add the line using the by-uuid symlink to /etc/crypttab:\n"
+"sudo bash -c \\*(Aqecho \"mytest /dev/disk/by-uuid/\\&.\\&.\\&. - tpm2-device=auto\" E<gt>E<gt>/etc/crypttab\\*(Aq\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# And now let\\*(Aqs check that automatic unlocking works:\n"
+"sudo systemd-cryptsetup detach mytest\n"
+"sudo systemctl daemon-reload\n"
+"sudo systemctl start cryptsetup\\&.target\n"
+"systemctl is-active systemd-cryptsetup@mytest\\&.service\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Once we have the device which will be unlocked automatically, we can use it\\&.\n"
+"# Usually we would create a file system and add it to /etc/fstab:\n"
+"sudo mkfs\\&.ext4 /dev/mapper/mytest\n"
+"# This prints a \\*(AqFilesystem UUID\\*(Aq, which we can use as a stable name:\n"
+"sudo bash -c \\*(Aqecho \"/dev/disk/by-uuid/\\&.\\&.\\&. /var/mytest ext4 defaults,x-systemd\\&.mkdir 0 2\" E<gt>E<gt>/etc/fstab\\*(Aq\n"
+"# And now let\\*(Aqs check that the mounting works:\n"
+"sudo systemctl daemon-reload\n"
+"sudo systemctl start /var/mytest\n"
+"systemctl status /var/mytest\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# Depending on your distribution and encryption setup, you may need to manually\n"
+"# regenerate your initramfs to be able to use a TPM2 security chip to unlock\n"
+"# the partition during early boot\\&.\n"
+"# More information at https://unix\\&.stackexchange\\&.com/a/705809\\&.\n"
+"# On Fedora based systems:\n"
+"sudo dracut --force\n"
+"# On Debian based systems:\n"
+"sudo update-initramfs -u\n"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"B<systemd>(1), B<systemd-cryptsetup@.service>(8), B<systemd-cryptsetup-"
+"generator>(8), B<systemd-cryptenroll>(1), B<fstab>(5), B<cryptsetup>(8), "
+"B<mkswap>(8), B<mke2fs>(8)"
+msgstr ""
+
+#. type: SH
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "NOTES"
+msgstr ""
+
+#. type: IP
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid " 1."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Veracrypt Personal Iterations Multiplier"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"\\%https://www.veracrypt.fr/en/"
+"Personal%20Iterations%20Multiplier%20%28PIM%29.html"
+msgstr ""
+
+#. type: IP
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid " 2."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "RFC7512 PKCS#11 URI"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "\\%https://tools.ietf.org/html/rfc7512"
+msgstr ""
+
+#. type: IP
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid " 3."
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid "Yubico PIV certificate slots"
+msgstr ""
+
+#. type: Plain text
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"\\%https://developers.yubico.com/PIV/Introduction/Certificate_slots.html"
+msgstr ""
+
+#. type: TH
+#: debian-bookworm
+#, no-wrap
+msgid "2023-12-18"
+msgstr ""
+
+#. type: TH
+#: debian-bookworm
+#, no-wrap
+msgid "cryptsetup 2:2\\&.6\\&.1-4~deb1"
+msgstr ""
+
+#. type: TH
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid "cryptsetup manual"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "crypttab - static information about encrypted filesystems"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The file /etc/crypttab contains descriptive information about encrypted "
+"devices\\&. crypttab is only read by programs (e\\&.g\\&. "
+"B<cryptdisks_start> and B<cryptdisks_stop>), and not written; it is the duty "
+"of the system administrator to properly create and maintain this file\\&. "
+"crypttab entries are treated sequentially, so their order matters "
+"(dependencies need to listed first)\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Each encrypted device is described on a separate line\\&. Fields on each "
+"line are separated by tabs or spaces\\&. Lines starting with \\*(Aq#\\*(Aq "
+"are comments, and blank lines are ignored\\&. Octal sequences \\e0I<num> "
+"within a field are decoded, which can be used for values containing spaces "
+"or special characters\\&. A backslash which doesn\\*(Aqt start an octal "
+"sequence yields undefined behavior\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The first field, I<target>, describes the mapped device name\\&. It must be "
+"a plain filename without any directory components\\&. A mapped device which "
+"encrypts/decrypts data to/from the I<source device> will be created at /dev/"
+"mapper/target by B<cryptsetup>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The second field, I<source device>, describes either the block special "
+"device or file that contains the encrypted data\\&. Instead of giving the "
+"I<source device> explicitly, the UUID (resp\\&. LABEL, PARTUUID and "
+"PARTLABEL) is supported as well, using \\(lqUUID=E<lt>uuidE<gt>\\(rq "
+"(resp\\&. \\(lqLABEL=E<lt>labelE<gt>\\(rq, "
+"\\(lqPARTUUID=E<lt>partuuidE<gt>\\(rq and "
+"\\(lqPARTLABEL=E<lt>partlabelE<gt>\\(rq)\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The third field, I<key file>, describes the file to use as a key for "
+"decrypting the data of the I<source device>\\&. In case of a I<keyscript>, "
+"the value of this field is given as argument to the keyscript\\&. Note that "
+"the I<entire> key file will be used as the passphrase; the passphrase must "
+"I<not> be followed by a newline character\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"It can also be a device name (e\\&.g\\&. /dev/urandom), note however that "
+"LUKS requires a persistent key and therefore does I<not> support random data "
+"keys\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"If the I<key file> is the string I<none>, a passphrase will be read "
+"interactively from the console\\&. In this case, the options check, "
+"checkargs and tries may be useful\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The fourth field, I<options>, is an optional comma-separated list of options "
+"and/or flags describing the device type (I<luks>, I<tcrypt>, I<bitlk>, "
+"I<fvault2>, or I<plain> which is also the default) and cryptsetup options "
+"associated with the encryption process\\&. The supported options are "
+"described below\\&. For plain dm-crypt devices the I<cipher>, I<hash> and "
+"I<size> options are required\\&. Some options can be changed on active "
+"mappings using B<cryptsetup refresh [E<lt>optionsE<gt>] E<lt>nameE<gt>>\\&. "
+"Furthermore some options can be permanently written into metadata of LUKS2 "
+"headers using cryptsetup\\*(Aqs I<--persistent> flag\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Note that the first three fields are required and that a missing field will "
+"lead to unspecified behaviour\\&."
+msgstr ""
+
+#. type: SH
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid "ON DIFFERENT CRYPTTAB FORMATS"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Please note that there are several independent cryptsetup wrappers with "
+"their own I<crypttab> format\\&. This manpage covers Debian\\*(Aqs "
+"implementation for I<initramfs> scripts and I<SysVinit> init scripts\\&. "
+"I<systemd> brings its own I<crypttab> implementation\\&. We try to cover the "
+"differences between the I<systemd> and our implementation in this manpage, "
+"but if in doubt, better check the I<systemd> B<crypttab>(5) manpage, e\\&."
+"g\\&. online at \\m[blue]B<\\%https://www.freedesktop.org/software/systemd/"
+"man/crypttab.html>\\m[]\\&."
+msgstr ""
+
+#. type: SH
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid "OPTIONS"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<cipher>=E<lt>cipherE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Encryption algorithm (ignored for LUKS and TCRYPT devices)\\&. See "
+"B<cryptsetup -c>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<size>=E<lt>sizeE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Encryption key size (ignored for LUKS and TCRYPT devices)\\&. See "
+"B<cryptsetup -s>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<sector-size>=E<lt>bytesE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Sector size\\&. See B<cryptsetup>(8) for possible values and the default "
+"value of this option\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<hash>=E<lt>hashE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Hash algorithm (ignored for LUKS and TCRYPT devices)\\&. See B<cryptsetup -"
+"h>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<offset>=E<lt>offsetE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Start offset (ignored for LUKS and TCRYPT devices)\\&. Uses B<cryptsetup -"
+"o>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<skip>=E<lt>skipE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Skip sectors at the beginning (ignored for LUKS and TCRYPT devices)\\&. Uses "
+"B<cryptsetup -p>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<keyfile-offset>=E<lt>keyfile-offsetE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "Specifies the number of bytes to skip at the start of the key file\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<keyfile-size>=E<lt>keyfile-sizeE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Specifies the maximum number of bytes to read from the key file\\&. The "
+"default is to read the whole file up to the compiled-in maximum, that can be "
+"queried with B<cryptsetup --help>\\&. This option is ignored for plain dm-"
+"crypt devices, as the key file size is then given by the encryption key size "
+"(option I<size>)\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<keyslot>=E<lt>slotE<gt>, I<key-slot>=E<lt>slotE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "Key slot (ignored for non-LUKS devices)\\&. See B<cryptsetup -S>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<header>=E<lt>pathE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Detached header file (ignored for plain dm-crypt devices)\\&. See "
+"B<cryptsetup --header>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<verify>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "Verify password\\&. Uses B<cryptsetup -y>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<readonly>, I<read-only>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "Set up a read-only mapping\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<tries>=E<lt>numE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Try to unlock the device E<lt>numE<gt> before failing\\&. It\\*(Aqs "
+"particularly useful when using a passphrase or a I<keyscript> that asks for "
+"interactive input\\&. If you want to disable retries, pass "
+"\\(lqtries=1\\(rq\\&. Default is \\(lq3\\(rq\\&. Setting \\(lqtries=0\\(rq "
+"means infinitive retries\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<discard>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "Allow using of discards (TRIM) requests for device\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Starting with Debian 10 (Buster), this option is added per default to new dm-"
+"crypt devices by the Debian Installer\\&. If you don\\*(Aqt care about "
+"leaking access patterns (filesystem type, used space) and don\\*(Aqt have "
+"hidden truecrypt volumes inside this volume, then it should be safe to "
+"enable this option\\&. See the following warning for further information\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"B<WARNING>: Assess the specific security risks carefully before enabling "
+"this option\\&. For example, allowing discards on encrypted devices may lead "
+"to the leak of information about the ciphertext device (filesystem type, "
+"used space etc\\&.) if the discarded blocks can be located easily on the "
+"device later\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<luks>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Force LUKS mode\\&. When this mode is used, the following options are "
+"ignored since they are provided by the LUKS header on the device: "
+"I<cipher=>, I<hash=>, I<size=>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<plain>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<bitlk>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Force BITLK (Windows BitLocker-compatible) mode\\&. WARNING: I<crypttab> "
+"support is currently experimental\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<fvault2>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Force Apple\\*(Aqs FileVault2 mode\\&. Only the (legacy) FileVault2 format "
+"based on Core Storage and HFS+ filesystem (introduced in MacOS X 10\\&.7 "
+"Lion) is currently supported; the new version of FileVault based on the APFS "
+"filesystem used in recent macOS versions is not supported\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<tcrypt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Use TrueCrypt encryption mode\\&. When this mode is used, the following "
+"options are ignored since they are provided by the TrueCrypt header on the "
+"device or do not apply: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-"
+"size=>, I<size=>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<veracrypt>, I<tcrypt-veracrypt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Use VeraCrypt extension to TrueCrypt device\\&. Only useful in conjunction "
+"with I<tcrypt> option (ignored for non-TrueCrypt devices)\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<tcrypthidden>, I<tcrypt-hidden>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "Use hidden TCRYPT header (ignored for non-TCRYPT devices)\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<same-cpu-crypt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "Perform encryption using the same cpu that IO was submitted on\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<submit-from-crypt-cpus>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "Disable offloading writes to a separate thread after encryption\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<no-read-workqueue>, I<no-write-workqueue>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Bypass dm-crypt internal workqueue and process read or write requests "
+"synchronously\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<swap>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "Run B<mkswap> on the created device\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "This option is ignored for I<initramfs> devices\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<tmp>[=E<lt>tmpfsE<gt>]"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Run B<mkfs> with filesystem type E<lt>tmpfsE<gt> (or ext4 if omitted) on the "
+"created device\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<check>[=E<lt>checkE<gt>]"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Check the content of the target device by a suitable program; if the check "
+"fails, the device is closed immediately\\&. The program is being run with "
+"decrypted volume (target device) as first positional argument and, if the "
+"I<checkargs> option is used, its value as second argument\\&. See the "
+"CHECKSCRIPTS section for more information\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The program is either specified by full path or relative to /lib/cryptsetup/"
+"checks/\\&. If omitted, then the value of $CRYPTDISKS_CHECK set in /etc/"
+"default/cryptdisks is used (blkid by default)\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"This option is specific to the Debian I<crypttab> format\\&. It\\*(Aqs not "
+"supported by I<systemd>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<checkargs>=E<lt>argumentsE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Give E<lt>argumentsE<gt> as the second argument to the check script\\&. See "
+"the CHECKSCRIPTS section for more information\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<initramfs>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The initramfs hook processes the root device, any resume devices and any "
+"devices with the I<initramfs> option set\\&. These devices are processed "
+"within the initramfs stage of boot\\&. As an example, that allows the use of "
+"remote unlocking using dropbear\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<noearly>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The cryptsetup init scripts are invoked twice during the boot process - once "
+"before lvm, raid, etc\\&. are started and once again after that\\&. "
+"Sometimes you need to start your encrypted disks in a special order\\&. With "
+"this option the device is ignored during the first invocation of the "
+"cryptsetup init scripts\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"This option is ignored for I<initramfs> devices and specific to the Debian "
+"I<crypttab> format\\&. It\\*(Aqs not supported by I<systemd>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<noauto>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Entirely ignore the device at the boot process\\&. It\\*(Aqs still possible "
+"to map the device manually using cryptdisks_start\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<loud>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Be loud\\&. Print warnings if a device does not exist\\&. This option "
+"overrides the option I<quiet>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<quiet>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Be quiet\\&. Don\\*(Aqt print warnings if a device does not exist\\&. This "
+"option overrides the option I<loud>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<keyscript>=E<lt>pathE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The executable at the indicated path is executed with the value of the "
+"I<third field> as only argument\\&. The keyscript\\*(Aqs standard output is "
+"passed to cryptsetup as decyption key\\&. Its exit status is currently "
+"ignored, but no assumption should be made in that regard\\&. When used in "
+"initramfs, the executable either needs to be self-contained (i\\&.e\\&. "
+"doesn\\*(Aqt rely on any external program which is not present in the "
+"initramfs environment) or the dependencies have to added to the initramfs "
+"image by other means\\&. The program is either specified by full path or "
+"relative to /lib/cryptsetup/scripts/\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"LIMITATIONS: All binaries and files on which the keyscript depends must be "
+"available at the time of execution\\&. Special care needs to be taken for "
+"encrypted filesystems like /usr or /var\\&. As an example, unlocking "
+"encrypted /usr must not depend on binaries from /usr/(s)bin\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"WARNING: With systemd as init system, this option might be ignored\\&. At "
+"the time this is written (December 2016), the systemd cryptsetup helper "
+"doesn\\*(Aqt support the keyscript option to /etc/crypttab\\&. For the time "
+"being, the only option to use keyscripts along with systemd is to force "
+"processing of the corresponding crypto devices in the initramfs\\&. See the "
+"\\*(Aqinitramfs\\*(Aq option for further information\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"All fields of the appropriate crypttab entry are available to the keyscript "
+"as exported environment variables:"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "CRYPTTAB_NAME, _CRYPTTAB_NAME"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "The target name (after resp\\&. before octal sequence decoding)\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "CRYPTTAB_SOURCE, _CRYPTTAB_SOURCE"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The source device (after resp\\&. before octal sequence decoding and device "
+"resolution)\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "CRYPTTAB_KEY, _CRYPTTAB_KEY"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The value of the third field (after resp\\&. before octal sequence "
+"decoding)\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "CRYPTTAB_OPTIONS, _CRYPTTAB_OPTIONS"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"A list of exported crypttab options (after resp\\&. before octal sequence "
+"decoding)\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "CRYPTTAB_OPTION_E<lt>optionE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The value of the appropriate crypttab option, with value set to "
+"\\*(Aqyes\\*(Aq in case the option is merely a flag\\&. For option aliases, "
+"such as \\*(Aqreadonly\\*(Aq and \\*(Aqread-only\\*(Aq, the variable name "
+"refers to the first alternative listed (thus "
+"\\*(AqCRYPTTAB_OPTION_readonly\\*(Aq in that case)\\&. If the crypttab "
+"option name contains \\*(Aq-\\*(Aq characters, then they are replaced with "
+"\\*(Aq_\\*(Aq in the exported variable name\\&. For instance, the value of "
+"the \\*(AqCRYPTTAB_OPTION_keyfile_offset\\*(Aq environment variable is set "
+"to the value of the \\*(Aqkeyfile-offset\\*(Aq crypttab option\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "CRYPTTAB_TRIED"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Number of previous tries since start of cryptdisks (counts until maximum "
+"number of tries is reached)\\&."
+msgstr ""
+
+#. type: SH
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid "CHECKSCRIPTS"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<blkid>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Checks for any known filesystem\\&. Supports a filesystem type as argument "
+"via E<lt>checkargsE<gt>:"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"no checkargs - succeeds if any valid filesystem is found on the device\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "\"none\" - succeeds if no valid filesystem is found on the device\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"\"ext4\" [or another filesystem type like xfs, swap, crypto_LUKS, \\&.\\&."
+"\\&.] - succeeds if ext4 filesystem is found on the device\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<un_blkid>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Checks for no known filesystem\\&. Supports a filesystem type as argument "
+"via E<lt>checkargsE<gt>:"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"no checkargs - succeeds if no valid filesystem is found on the device\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"\"ext4\" [or another filesystem type like xfs, swap, crypto_LUKS, \\&.\\&."
+"\\&.] - succeeds if no ext4 filesystem is found on the device\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid ""
+"# Encrypted swap device\n"
+"cswap /dev/sda6 /dev/urandom plain,cipher=aes-xts-plain64,size=256,hash=sha1,swap\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid ""
+"# Encrypted LUKS disk with interactive password, identified by its UUID, discard enabled\n"
+"cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks,discard\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid ""
+"# Encrypted TCRYPT disk with interactive password, discard enabled\n"
+"tdisk0 /dev/sr0 none tcrypt,discard\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid ""
+"# Encrypted ext4 disk with interactive password, discard enabled\n"
+"# - retry 5 times if the check fails\n"
+"cdisk1 /dev/sda2 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check,checkargs=ext4,tries=5,discard\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid ""
+"# Encrypted disk with interactive password, discard enabled\n"
+"# - use a nondefault check script\n"
+"# - no retries\n"
+"cdisk2 /dev/sdc1 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check=customscript,tries=1,discard\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid ""
+"# Encrypted disk with interactive password, discard enabled\n"
+"# - Twofish as the cipher, RIPEMD-160 as the hash\n"
+"cdisk3 /dev/sda3 none plain,cipher=twofish,size=256,hash=ripemd160,discard\n"
+msgstr ""
+
+#. type: SH
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid "ENVIRONMENT"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<CRYPTDISKS_ENABLE>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Set to I<yes> to run cryptdisks initscripts at startup\\&. Set to I<no> to "
+"disable cryptdisks initscripts\\&. Default is I<yes>\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<CRYPTDISKS_MOUNT>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Specifies the mountpoints that are mounted before cryptdisks is invoked\\&. "
+"Takes mountpoints configured in /etc/fstab as arguments\\&. Separate "
+"mountpoints by space\\&. This is useful for keys on removable devices, such "
+"as cdrom, usbstick, flashcard, etc\\&. Default is unset\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid "I<CRYPTDISKS_CHECK>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"Specifies the default checkscript to be run against the target device, after "
+"cryptdisks has been invoked\\&. The target device is passed as the first and "
+"only argument to the checkscript\\&. Takes effect if the I<check> option is "
+"given in crypttab with no value\\&. See documentation for I<check> option "
+"above for more information\\&."
+msgstr ""
+
+#. type: SH
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid "KNOWN UPGRADE ISSUES"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"The upstream defaults for encryption cipher, hash and keysize have changed "
+"several times in the past, and they\\*(Aqre expected to change again in "
+"future, for example if security issues arise\\&. On LUKS devices, the used "
+"settings are stored in the LUKS header, and thus don\\*(Aqt need to be "
+"configured in /etc/crypttab\\&. For plain dm-crypt devices, no information "
+"about used cipher, hash and keysize are available at all\\&. Therefore we "
+"strongly suggest to configure the cipher, hash and keysize in /etc/crypttab "
+"for plain dm-crypt devices, even if they match the current default\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"B<cryptsetup>(8), B<cryptdisks_start>(8), B<cryptdisks_stop>(8), /usr/share/"
+"doc/cryptsetup-initramfs/README\\&.initramfs\\&.gz"
+msgstr ""
+
+#. type: SH
+#: debian-bookworm debian-unstable
+#, no-wrap
+msgid "AUTHOR"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm debian-unstable
+msgid ""
+"This manual page was originally written by Bastian Kleineidam "
+"E<lt>calvin@debian\\&.orgE<gt> for the Debian distribution of cryptsetup\\&. "
+"It has been further improved by Michael Gebetsroither E<lt>michael\\&."
+"geb@gmx\\&.atE<gt>, David Härdeman E<lt>david@hardeman\\&.nuE<gt> and Jonas "
+"Meurer E<lt>jonas@freesources\\&.orgE<gt>\\&."
+msgstr ""
+
+#. type: TH
+#: debian-unstable
+#, no-wrap
+msgid "2024-02-26"
+msgstr ""
+
+#. type: TH
+#: debian-unstable
+#, no-wrap
+msgid "cryptsetup 2:2\\&.7\\&.0-1"
+msgstr ""
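Review bot: Several msgid strings in the debian-bookworm/debian-unstable part of this template carry source typos that each translator will have to interpret: "dependencies need to listed first" in the introduction, "infinitive retries" under tries=, and "decyption key" and "the dependencies have to added" under keyscript=. Because a .pot file is generated output, these are better reported against the cryptsetup manpage source than edited here. Two content points are worth raising in the same report. The cdisk0 example uses "UUID=12345678-9abc-def012345-6789abcdef01", which is not in the 8-4-4-4-12 form. The keyscript WARNING still reads "At the time this is written (December 2016)", although the page headers in this file are dated 2023-12-18 and 2024-02-26, so readers cannot tell whether the stated systemd limitation still applies.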