diff options
Diffstat (limited to 'templates/man5/crypttab.5.pot')
| -rw-r--r-- | templates/man5/crypttab.5.pot | 2692 |
1 files changed, 2692 insertions, 0 deletions
diff --git a/templates/man5/crypttab.5.pot b/templates/man5/crypttab.5.pot new file mode 100644 index 00000000..97d641e2 --- /dev/null +++ b/templates/man5/crypttab.5.pot @@ -0,0 +1,2692 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Free Software Foundation, Inc. +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2024-03-01 16:54+0100\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. type: TH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron +#, no-wrap +msgid "CRYPTTAB" +msgstr "" + +#. type: TH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "systemd 255" +msgstr "" + +#. type: TH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "crypttab" +msgstr "" + +#. ----------------------------------------------------------------- +#. * MAIN CONTENT STARTS HERE * +#. ----------------------------------------------------------------- +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron +#, no-wrap +msgid "NAME" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "crypttab - Configuration for encrypted block devices" +msgstr "" + +#. type: SH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "SYNOPSIS" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "/etc/crypttab" +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron +#, no-wrap +msgid "DESCRIPTION" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The /etc/crypttab file describes encrypted block devices that are set up " +"during system boot\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Empty lines and lines starting with the \"#\" character are ignored\\&. Each " +"of the remaining lines describes one encrypted block device\\&. Fields are " +"delimited by white space\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Each line is in the form" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "I<volume-name> I<encrypted-device> I<key-file> I<options>\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "The first two fields are mandatory, the remaining two are optional\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Setting up encrypted block devices using this file supports four encryption " +"modes: LUKS, TrueCrypt, BitLocker and plain\\&. See B<cryptsetup>(8) for " +"more information about each mode\\&. When no mode is specified in the " +"options field and the block device contains a LUKS signature, it is opened " +"as a LUKS device; otherwise, it is assumed to be in raw dm-crypt (plain " +"mode) format\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "The four fields of /etc/crypttab are defined as follows:" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The first field contains the name of the resulting volume with decrypted " +"data; its block device is set up below /dev/mapper/\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The second field contains a path to the underlying block device or file, or " +"a specification of a block device via \"UUID=\" followed by the UUID\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The third field specifies an absolute path to a file with the encryption " +"key\\&. Optionally, the path may be followed by \":\" and an /etc/fstab " +"style device specification (e\\&.g\\&. starting with \"LABEL=\" or similar); " +"in which case the path is taken relative to the specified device\\*(Aqs file " +"system root\\&. If the field is not present or is \"none\" or \"-\", a key " +"file named after the volume to unlock (i\\&.e\\&. the first column of the " +"line), suffixed with \\&.key is automatically loaded from the /etc/" +"cryptsetup-keys\\&.d/ and /run/cryptsetup-keys\\&.d/ directories, if " +"present\\&. Otherwise, the password has to be manually entered during system " +"boot\\&. For swap encryption, /dev/urandom may be used as key file, " +"resulting in a randomized key\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"If the specified key file path refers to an B<AF_UNIX> stream socket in the " +"file system, the key is acquired by connecting to the socket and reading it " +"from the connection\\&. This allows the implementation of a service to " +"provide key information dynamically, at the moment when it is needed\\&. For " +"details see below\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The fourth field, if present, is a comma-delimited list of options\\&. The " +"supported options are listed below\\&." +msgstr "" + +#. type: SH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "KEY ACQUISITION" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Six different mechanisms for acquiring the decryption key or passphrase " +"unlocking the encrypted volume are supported\\&. Specifically:" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Most prominently, the user may be queried interactively during volume " +"activation (i\\&.e\\&. typically at boot), asking them to type in the " +"necessary passphrases\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The (unencrypted) key may be read from a file on disk, possibly on removable " +"media\\&. The third field of each line encodes the location, for details see " +"above\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The (unencrypted) key may be requested from another service, by specifying " +"an B<AF_UNIX> file system socket in place of a key file in the third " +"field\\&. For details see above and below\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The key may be acquired via a PKCS#11 compatible hardware security token or " +"smartcard\\&. In this case an encrypted key is stored on disk/removable " +"media, acquired via B<AF_UNIX>, or stored in the LUKS2 JSON token metadata " +"header\\&. The encrypted key is then decrypted by the PKCS#11 token with an " +"RSA key stored on it, and then used to unlock the encrypted volume\\&. Use " +"the B<pkcs11-uri=> option described below to use this mechanism\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Similarly, the key may be acquired via a FIDO2 compatible hardware security " +"token (which must implement the \"hmac-secret\" extension)\\&. In this case " +"a key generated randomly during enrollment is stored on disk/removable " +"media, acquired via B<AF_UNIX>, or stored in the LUKS2 JSON token metadata " +"header\\&. The random key is hashed via a keyed hash function (HMAC) on the " +"FIDO2 token, using a secret key stored on the token that never leaves it\\&. " +"The resulting hash value is then used as key to unlock the encrypted " +"volume\\&. Use the B<fido2-device=> option described below to use this " +"mechanism\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Similarly, the key may be acquired via a TPM2 security chip\\&. In this case " +"a (during enrollment) randomly generated key \\(em encrypted by an " +"asymmetric key derived from the TPM2 chip\\*(Aqs seed key \\(em is stored on " +"disk/removable media, acquired via B<AF_UNIX>, or stored in the LUKS2 JSON " +"token metadata header\\&. Use the B<tpm2-device=> option described below to " +"use this mechanism\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"For the latter five mechanisms the source for the key material used for " +"unlocking the volume is primarily configured in the third field of each /etc/" +"crypttab line, but may also configured in /etc/cryptsetup-keys\\&.d/ and /" +"run/cryptsetup-keys\\&.d/ (see above) or in the LUKS2 JSON token header (in " +"case of the latter three)\\&. Use the B<systemd-cryptenroll>(1) tool to " +"enroll PKCS#11, FIDO2 and TPM2 devices in LUKS2 volumes\\&." +msgstr "" + +#. type: SH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "SUPPORTED OPTIONS" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "The following options may be used in the fourth field of each line:" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<cipher=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the cipher to use\\&. See B<cryptsetup>(8) for possible values " +"and the default value of this option\\&. A cipher with unpredictable IV " +"values, such as \"aes-cbc-essiv:sha256\", is recommended\\&. Embedded commas " +"in the cipher specification need to be escaped by preceding them with a " +"backslash, see example below\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 186\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<discard>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Allow discard requests to be passed through the encrypted block device\\&. " +"This improves performance on SSD storage but has security implications\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 207\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<hash=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the hash to use for password hashing\\&. See B<cryptsetup>(8) for " +"possible values and the default value of this option\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<header=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Use a detached (separated) metadata device or file where the header " +"containing the master key(s) is stored\\&. This option is only relevant for " +"LUKS and TrueCrypt/VeraCrypt devices\\&. See B<cryptsetup>(8) for possible " +"values and the default value of this option\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Optionally, the path may be followed by \":\" and an /etc/fstab device " +"specification (e\\&.g\\&. starting with \"UUID=\" or similar); in which " +"case, the path is relative to the device file system root\\&. The device " +"gets mounted automatically for LUKS device activation duration only\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 219\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<keyfile-offset=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the number of bytes to skip at the start of the key file\\&. See " +"B<cryptsetup>(8) for possible values and the default value of this " +"option\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 187\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<keyfile-size=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the maximum number of bytes to read from the key file\\&. See " +"B<cryptsetup>(8) for possible values and the default value of this " +"option\\&. This option is ignored in plain encryption mode, as the key file " +"size is then given by the key size\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 188\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<keyfile-erase>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"If enabled, the specified key file is erased after the volume is activated " +"or when activation fails\\&. This is in particular useful when the key file " +"is only acquired transiently before activation (e\\&.g\\&. via a file in /" +"run/, generated by a service running before activation), and shall be " +"removed after use\\&. Defaults to off\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 246\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<key-slot=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the key slot to compare the passphrase or key against\\&. If the " +"key slot does not match the given passphrase or key, but another would, the " +"setup of the device will fail regardless\\&. This option implies B<luks>\\&. " +"See B<cryptsetup>(8) for possible values\\&. The default is to try all key " +"slots in sequential order\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 209\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<keyfile-timeout=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the timeout for the device on which the key file resides or the " +"device used as the key file, and falls back to a password if it could not be " +"accessed\\&. See B<systemd-cryptsetup-generator>(8) for key files on " +"external devices\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 243\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<luks>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Force LUKS mode\\&. When this mode is used, the following options are " +"ignored since they are provided by the LUKS header on the device: " +"B<cipher=>, B<hash=>, B<size=>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<bitlk>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Decrypt BitLocker drive\\&. Encryption parameters are deduced by cryptsetup " +"from BitLocker header\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<_netdev>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Marks this cryptsetup device as requiring network\\&. It will be started " +"after the network is available, similarly to B<systemd.mount>(5) units " +"marked with B<_netdev>\\&. The service unit to set up this device will be " +"ordered between remote-fs-pre\\&.target and remote-cryptsetup\\&.target, " +"instead of cryptsetup-pre\\&.target and cryptsetup\\&.target\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Hint: if this device is used for a mount point that is specified in " +"B<fstab>(5), the B<_netdev> option should also be used for the mount " +"point\\&. Otherwise, a dependency loop might be created where the mount " +"point will be pulled in by local-fs\\&.target, while the service to " +"configure the network is usually only started I<after> the local file system " +"has been mounted\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 235\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<noauto>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"This device will not be added to cryptsetup\\&.target\\&. This means that it " +"will not be automatically unlocked on boot, unless something else pulls it " +"in\\&. In particular, if the device is used for a mount point, it\\*(Aqll be " +"unlocked automatically during boot, unless the mount point itself is also " +"disabled with B<noauto>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<nofail>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"This device will not be a hard dependency of cryptsetup\\&.target\\&. " +"It\\*(Aqll still be pulled in and started, but the system will not wait for " +"the device to show up and be unlocked, and boot will not fail if this is " +"unsuccessful\\&. Note that other units that depend on the unlocked device " +"may still fail\\&. In particular, if the device is used for a mount point, " +"the mount point itself also needs to have the B<nofail> option, or the boot " +"will fail if the device is not unlocked successfully\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<offset=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Start offset in the backend device, in 512-byte sectors\\&. This option is " +"only relevant for plain devices\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 220\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<plain>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron +msgid "Force plain encryption mode\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<read-only>, B<readonly>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Set up the encrypted block device in read-only mode\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<same-cpu-crypt>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Perform encryption using the same CPU that IO was submitted on\\&. The " +"default is to use an unbound workqueue so that encryption work is " +"automatically balanced between available CPUs\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "This requires kernel 4\\&.0 or newer\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 242\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<submit-from-crypt-cpus>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Disable offloading writes to a separate thread after encryption\\&. There " +"are some situations where offloading write requests from the encryption " +"threads to a dedicated thread degrades performance significantly\\&. The " +"default is to offload write requests to a dedicated thread because it " +"benefits the CFQ scheduler to have writes submitted using the same " +"context\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<no-read-workqueue>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Bypass dm-crypt internal workqueue and process read requests " +"synchronously\\&. The default is to queue these requests and process them " +"asynchronously\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "This requires kernel 5\\&.9 or newer\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 248\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<no-write-workqueue>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Bypass dm-crypt internal workqueue and process write requests " +"synchronously\\&. The default is to queue these requests and process them " +"asynchronously\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<skip=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"How many 512-byte sectors of the encrypted data to skip at the beginning\\&. " +"This is different from the B<offset=> option with respect to the sector " +"numbers used in initialization vector (IV) calculation\\&. Using B<offset=> " +"will shift the IV calculation by the same negative amount\\&. Hence, if " +"B<offset=>I<n> is given, sector I<n> will get a sector number of 0 for the " +"IV calculation\\&. Using B<skip=> causes sector I<n> to also be the first " +"sector of the mapped device, but with its number for IV generation being " +"I<n>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "This option is only relevant for plain devices\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<size=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the key size in bits\\&. See B<cryptsetup>(8) for possible values " +"and the default value of this option\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<sector-size=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the sector size in bytes\\&. See B<cryptsetup>(8) for possible " +"values and the default value of this option\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 240\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<swap>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The encrypted block device will be used as a swap device, and will be " +"formatted accordingly after setting up the encrypted block device, with " +"B<mkswap>(8)\\&. This option implies B<plain>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"WARNING: Using the B<swap> option will destroy the contents of the named " +"partition during every boot, so make sure the underlying block device is " +"specified correctly\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tcrypt>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Use TrueCrypt encryption mode\\&. When this mode is used, the following " +"options are ignored since they are provided by the TrueCrypt header on the " +"device or do not apply: B<cipher=>, B<hash=>, B<keyfile-offset=>, B<keyfile-" +"size=>, B<size=>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"When this mode is used, the passphrase is read from the key file given in " +"the third field\\&. Only the first line of this file is read, excluding the " +"new line character\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Note that the TrueCrypt format uses both passphrase and key files to derive " +"a password for the volume\\&. Therefore, the passphrase and all key files " +"need to be provided\\&. Use B<tcrypt-keyfile=> to provide the absolute path " +"to all key files\\&. When using an empty passphrase in combination with one " +"or more key files, use \"/dev/null\" as the password file in the third " +"field\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 206\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tcrypt-hidden>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Use the hidden TrueCrypt volume\\&. This option implies B<tcrypt>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"This will map the hidden volume that is inside of the volume provided in the " +"second field\\&. Please note that there is no protection for the hidden " +"volume if the outer volume is mounted instead\\&. See B<cryptsetup>(8) for " +"more information on this limitation\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tcrypt-keyfile=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the absolute path to a key file to use for a TrueCrypt volume\\&. " +"This implies B<tcrypt> and can be used more than once to provide several key " +"files\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"See the entry for B<tcrypt> on the behavior of the passphrase and key files " +"when using TrueCrypt encryption mode\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tcrypt-system>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Use TrueCrypt in system encryption mode\\&. This option implies B<tcrypt>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tcrypt-veracrypt>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Check for a VeraCrypt volume\\&. VeraCrypt is a fork of TrueCrypt that is " +"mostly compatible, but uses different, stronger key derivation algorithms " +"that cannot be detected without this flag\\&. Enabling this option could " +"substantially slow down unlocking, because VeraCrypt\\*(Aqs key derivation " +"takes much longer than TrueCrypt\\*(Aqs\\&. This option implies B<tcrypt>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 232\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<veracrypt-pim=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies a custom Personal Iteration Multiplier (PIM) value, which can " +"range from 0\\&.\\&.2147468 for standard veracrypt volumes and 0\\&." +"\\&.65535 for veracrypt system volumes\\&. A value of 0 will imply the " +"VeraCrypt default\\&. This option is only effective when B<tcrypt-veracrypt> " +"is set\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Note that VeraCrypt enforces a minimal allowed PIM value depending on the " +"password strength and the hash algorithm used for key derivation, however " +"B<veracrypt-pim=> is not checked against these bounds\\&. See " +"\\m[blue]B<Veracrypt Personal Iterations " +"Multiplier>\\m[]\\&\\s-2\\u[1]\\d\\s+2 documentation for more information\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 254\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<timeout=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the timeout for querying for a password\\&. If no unit is " +"specified, seconds is used\\&. Supported units are s, ms, us, min, h, d\\&. " +"A timeout of 0 waits indefinitely (which is the default)\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tmp=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The encrypted block device will be prepared for using it as /tmp/; it will " +"be formatted using B<mkfs>(8)\\&. Takes a file system type as argument, such " +"as \"ext4\", \"xfs\" or \"btrfs\"\\&. If no argument is specified defaults " +"to \"ext4\"\\&. This option implies B<plain>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"WARNING: Using the B<tmp> option will destroy the contents of the named " +"partition during every boot, so make sure the underlying block device is " +"specified correctly\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tries=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies the maximum number of times the user is queried for a password\\&. " +"The default is 3\\&. If set to 0, the user is queried for a password " +"indefinitely\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<headless=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes a boolean argument, defaults to false\\&. If true, never query " +"interactively for the password/PIN\\&. Useful for headless systems\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 249\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<verify>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"If the encryption password is read from console, it has to be entered twice " +"to prevent typos\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<password-echo=yes|no|masked>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Controls whether to echo passwords or security token PINs that are read from " +"console\\&. Takes a boolean or the special string \"masked\"\\&. The default " +"is B<password-echo=masked>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"If enabled, the typed characters are echoed literally\\&. If disabled, the " +"typed characters are not echoed in any form, the user will not get feedback " +"on their input\\&. If set to \"masked\", an asterisk (\"*\") is echoed for " +"each character typed\\&. Regardless of which mode is chosen, if the user " +"hits the tabulator key (\"↹\") at any time, or the backspace key (\"⌫\") " +"before any other data has been entered, then echo is turned off\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<pkcs11-uri=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes either the special value \"auto\" or an \\m[blue]B<RFC7512 PKCS#11 " +"URI>\\m[]\\&\\s-2\\u[2]\\d\\s+2 pointing to a private RSA key which is used " +"to decrypt the encrypted key specified in the third column of the line\\&. " +"This is useful for unlocking encrypted volumes through PKCS#11 compatible " +"security tokens or smartcards\\&. See below for an example how to set up " +"this mechanism for unlocking a LUKS2 volume with a YubiKey security token\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"If specified as \"auto\" the volume must be of type LUKS2 and must carry " +"PKCS#11 security token metadata in its LUKS2 JSON token section\\&. In this " +"mode the URI and the encrypted key are automatically read from the LUKS2 " +"JSON token header\\&. Use B<systemd-cryptenroll>(1) as simple tool for " +"enrolling PKCS#11 security tokens or smartcards in a way compatible with " +"\"auto\"\\&. In this mode the third column of the line should remain empty " +"(that is, specified as \"-\")\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The specified URI can refer directly to a private RSA key stored on a token " +"or alternatively just to a slot or token, in which case a search for a " +"suitable private RSA key will be performed\\&. In this case if multiple " +"suitable objects are found the token is refused\\&. The encrypted key " +"configured in the third column of the line is passed as is (i\\&.e\\&. in " +"binary form, unprocessed) to RSA decryption\\&. The resulting decrypted key " +"is then Base64 encoded before it is used to unlock the LUKS volume\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Use B<systemd-cryptenroll --pkcs11-token-uri=list> to list all suitable " +"PKCS#11 security tokens currently plugged in, along with their URIs\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Note that many newer security tokens that may be used as PKCS#11 security " +"token typically also implement the newer and simpler FIDO2 standard\\&. " +"Consider using B<fido2-device=> (described below) to enroll it via FIDO2 " +"instead\\&. Note that a security token enrolled via PKCS#11 cannot be used " +"to unlock the volume via FIDO2, unless also enrolled via FIDO2, and vice " +"versa\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 245\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<fido2-device=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes either the special value \"auto\" or the path to a \"hidraw\" device " +"node (e\\&.g\\&. /dev/hidraw1) referring to a FIDO2 security token that " +"implements the \"hmac-secret\" extension (most current hardware security " +"tokens do)\\&. See below for an example how to set up this mechanism for " +"unlocking an encrypted volume with a FIDO2 security token\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"If specified as \"auto\" the FIDO2 token device is automatically discovered, " +"as it is plugged in\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"FIDO2 volume unlocking requires a client ID hash (CID) to be configured via " +"B<fido2-cid=> (see below) and a key to pass to the security token\\*(Aqs " +"HMAC functionality (configured in the line\\*(Aqs third column) to " +"operate\\&. If not configured and the volume is of type LUKS2, the CID and " +"the key are read from LUKS2 JSON token metadata instead\\&. Use B<systemd-" +"cryptenroll>(1) as simple tool for enrolling FIDO2 security tokens, " +"compatible with this automatic mode, which is only available for LUKS2 " +"volumes\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Use B<systemd-cryptenroll --fido2-device=list> to list all suitable FIDO2 " +"security tokens currently plugged in, along with their device nodes\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"This option implements the following mechanism: the configured key is hashed " +"via they HMAC keyed hash function the FIDO2 device implements, keyed by a " +"secret key embedded on the device\\&. The resulting hash value is Base64 " +"encoded and used to unlock the LUKS2 volume\\&. As it should not be possible " +"to extract the secret from the hardware token, it should not be possible to " +"retrieve the hashed key given the configured key \\(em without possessing " +"the hardware token\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Note that many security tokens that implement FIDO2 also implement PKCS#11, " +"suitable for unlocking volumes via the B<pkcs11-uri=> option described " +"above\\&. Typically the newer, simpler FIDO2 standard is preferable\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<fido2-cid=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes a Base64 encoded FIDO2 client ID to use for the FIDO2 unlock " +"operation\\&. If specified, but B<fido2-device=> is not, B<fido2-" +"device=auto> is implied\\&. If B<fido2-device=> is used but B<fido2-cid=> is " +"not, the volume must be of LUKS2 type, and the CID is read from the LUKS2 " +"JSON token header\\&. Use B<systemd-cryptenroll>(1) for enrolling a FIDO2 " +"token in the LUKS2 header compatible with this automatic mode\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<fido2-rp=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes a string, configuring the FIDO2 Relying Party (rp) for the FIDO2 " +"unlock operation\\&. If not specified \"io\\&.systemd\\&.cryptsetup\" is " +"used, except if the LUKS2 JSON token header contains a different value\\&. " +"It should normally not be necessary to override this\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tpm2-device=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes either the special value \"auto\" or the path to a device node (e\\&." +"g\\&. /dev/tpmrm0) referring to a TPM2 security chip\\&. See below for an " +"example how to set up this mechanism for unlocking an encrypted volume with " +"a TPM2 chip\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Use B<tpm2-pcrs=> (see below) to configure the set of TPM2 PCRs to bind the " +"volume unlocking to\\&. Use B<systemd-cryptenroll>(1) as simple tool for " +"enrolling TPM2 security chips in LUKS2 volumes\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"If specified as \"auto\" the TPM2 device is automatically discovered\\&. Use " +"B<systemd-cryptenroll --tpm2-device=list> to list all suitable TPM2 devices " +"currently available, along with their device nodes\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"This option implements the following mechanism: when enrolling a TPM2 device " +"via B<systemd-cryptenroll> on a LUKS2 volume, a randomized key unlocking the " +"volume is generated on the host and loaded into the TPM2 chip where it is " +"encrypted with an asymmetric \"primary\" key pair derived from the " +"TPM2\\*(Aqs internal \"seed\" key\\&. Neither the seed key nor the primary " +"key are permitted to ever leave the TPM2 chip \\(em however, the now " +"encrypted randomized key may\\&. It is saved in the LUKS2 volume JSON token " +"header\\&. When unlocking the encrypted volume, the primary key pair is " +"generated on the TPM2 chip again (which works as long as the chip\\*(Aqs " +"seed key is correctly maintained by the TPM2 chip), which is then used to " +"decrypt (on the TPM2 chip) the encrypted key from the LUKS2 volume JSON " +"token header saved there during enrollment\\&. The resulting decrypted key " +"is then used to unlock the volume\\&. When the randomized key is encrypted " +"the current values of the selected PCRs (see below) are included in the " +"operation, so that different PCR state results in different encrypted keys " +"and the decrypted key can only be recovered if the same PCR state is " +"reproduced\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tpm2-pcrs=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes a \"+\" separated list of numeric TPM2 PCR (i\\&.e\\&. \"Platform " +"Configuration Register\") indexes to bind the TPM2 volume unlocking to\\&. " +"This option is only useful when TPM2 enrollment metadata is not available in " +"the LUKS2 JSON token header already, the way B<systemd-cryptenroll> writes " +"it there\\&. If not used (and no metadata in the LUKS2 JSON token header " +"defines it), defaults to a list of a single entry: PCR 7\\&. Assign an empty " +"string to encode a policy that binds the key to no PCRs, making the key " +"accessible to local programs regardless of the current PCR state\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tpm2-pin=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes a boolean argument, defaults to \"false\"\\&. Controls whether TPM2 " +"volume unlocking is bound to a PIN in addition to PCRs\\&. Similarly, this " +"option is only useful when TPM2 enrollment metadata is not available\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 251\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tpm2-signature=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes an absolute path to a TPM2 PCR JSON signature file, as produced by the " +"B<systemd-measure>(1) tool\\&. This permits locking LUKS2 volumes to any " +"PCR values for which a valid signature matching a public key specified at " +"key enrollment time can be provided\\&. See B<systemd-cryptenroll>(1) for " +"details on enrolling TPM2 PCR public keys\\&. If this option is not " +"specified but it is attempted to unlock a LUKS2 volume with a signed TPM2 " +"PCR enrollment a suitable signature file tpm2-pcr-signature\\&.json is " +"searched for in /etc/systemd/, /run/systemd/, /usr/lib/systemd/ (in this " +"order)\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 252\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tpm2-pcrlock=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes an absolute path to a TPM2 pcrlock policy file, as produced by the " +"B<systemd-pcrlock>(1) tool\\&. This permits locking LUKS2 volumes to a " +"local policy of allowed PCR values with variants\\&. See B<systemd-" +"cryptenroll>(1) for details on enrolling TPM2 pcrlock policies\\&. If this " +"option is not specified but it is attempted to unlock a LUKS2 volume with a " +"TPM2 pcrlock enrollment a suitable signature file pcrlock\\&.json is " +"searched for in /run/systemd/ and /var/lib/systemd/ (in this order)\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 255\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tpm2-measure-pcr=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Controls whether to measure the volume key of the encrypted volume to a TPM2 " +"PCR\\&. If set to \"no\" (which is the default) no PCR extension is done\\&. " +"If set to \"yes\" the volume key is measured into PCR 15\\&. If set to a " +"decimal integer in the range 0\\&...23 the volume key is measured into the " +"specified PCR\\&. The volume key is measured along with the activated volume " +"name and its UUID\\&. This functionality is particularly useful for the " +"encrypted volume backing the root file system, as it then allows later TPM " +"objects to be securely bound to the root file system and hence the specific " +"installation\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 253\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<tpm2-measure-bank=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Selects one or more TPM2 PCR banks to measure the volume key into, as " +"configured with B<tpm2-measure-pcr=> above\\&. Multiple banks may be " +"specified, separated by a colon character\\&. If not specified automatically " +"determines available and used banks\\&. Expects a message digest name (e\\&." +"g\\&. \"sha1\", \"sha256\", \\&...) as argument, to identify the bank\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<token-timeout=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies how long to wait at most for configured security devices (i\\&." +"e\\&. FIDO2, PKCS#11, TPM2) to show up\\&. Takes a time value in seconds " +"(but other time units may be specified too, see B<systemd.time>(7) for " +"supported formats)\\&. Defaults to 30s\\&. Once the specified timeout " +"elapsed authentication via password is attempted\\&. Note that this timeout " +"applies to waiting for the security device to show up \\(em it does not " +"apply to the PIN prompt for the device (should one be needed) or similar\\&. " +"Pass 0 to turn off the time-out and wait forever\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 250\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<try-empty-password=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Takes a boolean argument\\&. If enabled, right before asking the user for a " +"password it is first attempted to unlock the volume with an empty " +"password\\&. This is useful for systems that are initialized with an " +"encrypted volume with only an empty password set, which shall be replaced " +"with a suitable password during first boot, but after activation\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<x-systemd\\&.device-timeout=>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Specifies how long systemd should wait for a block device to show up before " +"giving up on the entry\\&. The argument is a time in seconds or explicitly " +"specified units of \"s\", \"min\", \"h\", \"ms\"\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Added in version 216\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<x-initrd\\&.attach>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Setup this encrypted block device in the initrd, similarly to B<systemd." +"mount>(5) units marked with B<x-initrd\\&.mount>\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Although it\\*(Aqs not necessary to mark the mount entry for the root file " +"system with B<x-initrd\\&.mount>, B<x-initrd\\&.attach> is still recommended " +"with the encrypted block device containing the root file system as otherwise " +"systemd will attempt to detach the device during the regular system shutdown " +"while it\\*(Aqs still in use\\&. With this option the device will still be " +"detached but later after the root file system is unmounted\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"All other encrypted block devices that contain file systems mounted in the " +"initrd should use this option\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"At early boot and when the system manager configuration is reloaded, this " +"file is translated into native systemd units by B<systemd-cryptsetup-" +"generator>(8)\\&." +msgstr "" + +#. type: SH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "AF_UNIX KEY FILES" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"If the key file path (as specified in the third column of /etc/crypttab " +"entries, see above) refers to an B<AF_UNIX> stream socket in the file " +"system, the key is acquired by connecting to the socket and reading the key " +"from the connection\\&. The connection is made from an B<AF_UNIX> socket " +"name in the abstract namespace, see B<unix>(7) for details\\&. The source " +"socket name is chosen according the following format:" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "B<NUL> I<RANDOM> /cryptsetup/ I<VOLUME>\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"In other words: a B<NUL> byte (as required for abstract namespace sockets), " +"followed by a random string (consisting of alphanumeric characters only), " +"followed by the literal string \"/cryptsetup/\", followed by the name of the " +"volume to acquire they key for\\&. For example, for the volume \"myvol\":" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "\\e0d7067f78d9827418/cryptsetup/myvol\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Services listening on the B<AF_UNIX> stream socket may query the source " +"socket name with B<getpeername>(2), and use this to determine which key to " +"send, allowing a single listening socket to serve keys for multiple " +"volumes\\&. If the PKCS#11 logic is used (see above), the socket source name " +"is picked in similar fashion, except that the literal string \"/cryptsetup-" +"pkcs11/\" is used\\&. And similarly for FIDO2 (\"/cryptsetup-fido2/\") and " +"TPM2 (\"/cryptsetup-tpm2/\")\\&. A different path component is used so that " +"services providing key material know that the secret key was not requested " +"directly, but instead an encrypted key that will be decrypted via the " +"PKCS#11/FIDO2/TPM2 logic to acquire the final secret key\\&." +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron +#, no-wrap +msgid "EXAMPLES" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<Example\\ \\&1.\\ \\&/etc/crypttab example>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"Set up four encrypted block devices\\&. One using LUKS for normal storage, " +"another one for usage as a swap device and two TrueCrypt volumes\\&. For the " +"fourth device, the option string is interpreted as two options " +"\"cipher=xchacha12,aes-adiantum-plain64\", \"keyfile-timeout=10s\"\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b\n" +"swap /dev/sda7 /dev/urandom swap\n" +"truecrypt /dev/sda2 /etc/container_password tcrypt\n" +"hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile\n" +"external /dev/sda3 keyfile:LABEL=keydev keyfile-timeout=10s,cipher=xchacha12\\e,aes-adiantum-plain64\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<Example\\ \\&2.\\ \\&Yubikey-based PKCS#11 Volume Unlocking Example>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The PKCS#11 logic allows hooking up any compatible security token that is " +"capable of storing RSA decryption keys for unlocking an encrypted volume\\&. " +"Here\\*(Aqs an example how to set up a Yubikey security token for this " +"purpose on a LUKS2 volume, using B<ykmap>(1) from the yubikey-manager " +"project to initialize the token and B<systemd-cryptenroll>(1) to add it in " +"the LUKS2 volume:" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "# SPDX-License-Identifier: MIT-0\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Destroy any old key on the Yubikey (careful!)\n" +"ykman piv reset\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Generate a new private/public key pair on the device, store the public key in\n" +"# \\*(Aqpubkey\\&.pem\\*(Aq\\&.\n" +"ykman piv generate-key -a RSA2048 9d pubkey\\&.pem\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Create a self-signed certificate from this public key, and store it on the\n" +"# device\\&. The \"subject\" should be an arbitrary user-chosen string to identify\n" +"# the token with\\&.\n" +"ykman piv generate-certificate --subject \"Knobelei\" 9d pubkey\\&.pem\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# We don\\*(Aqt need the public key anymore, let\\*(Aqs remove it\\&. Since it is not\n" +"# security sensitive we just do a regular \"rm\" here\\&.\n" +"rm pubkey\\&.pem\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Enroll the freshly initialized security token in the LUKS2 volume\\&. Replace\n" +"# /dev/sdXn by the partition to use (e\\&.g\\&. /dev/sda1)\\&.\n" +"sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Test: Let\\*(Aqs run systemd-cryptsetup to test if this all worked\\&.\n" +"sudo systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# If that worked, let\\*(Aqs now add the same line persistently to /etc/crypttab,\n" +"# for the future\\&. We don\\*(Aqt want to use the (unstable) /dev/sdX name, so let\\*(Aqs\n" +"# figure out a stable link:\n" +"udevadm info -q -r symlink /dev/sdXn\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Now add the line using the by-uuid symlink to /etc/crypttab:\n" +"sudo bash -c \\*(Aqecho \"mytest /dev/disk/by-uuid/\\&.\\&.\\&. - pkcs11-uri=auto\" E<gt>E<gt>/etc/crypttab\\*(Aq\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Depending on your distribution and encryption setup, you may need to manually\n" +"# regenerate your initramfs to be able to use a Yubikey / PKCS#11 token to\n" +"# unlock the partition during early boot\\&.\n" +"# More information at https://unix\\&.stackexchange\\&.com/a/705809\\&.\n" +"# On Fedora based systems:\n" +"sudo dracut --force\n" +"# On Debian based systems:\n" +"sudo update-initramfs -u\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "A few notes on the above:" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "We use RSA2048, which is the longest key size current Yubikeys support" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"We use Yubikey key slot 9d, since that\\*(Aqs apparently the keyslot to use " +"for decryption purposes, see \\m[blue]B<Yubico PIV certificate " +"slots>\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<Example\\ \\&3.\\ \\&FIDO2 Volume Unlocking Example>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The FIDO2 logic allows using any compatible FIDO2 security token that " +"implements the \"hmac-secret\" extension for unlocking an encrypted " +"volume\\&. Here\\*(Aqs an example how to set up a FIDO2 security token for " +"this purpose for a LUKS2 volume, using B<systemd-cryptenroll>(1):" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Enroll the security token in the LUKS2 volume\\&. Replace /dev/sdXn by the\n" +"# partition to use (e\\&.g\\&. /dev/sda1)\\&.\n" +"sudo systemd-cryptenroll --fido2-device=auto /dev/sdXn\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Test: Let\\*(Aqs run systemd-cryptsetup to test if this worked\\&.\n" +"sudo systemd-cryptsetup attach mytest /dev/sdXn - fido2-device=auto\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Now add the line using the by-uuid symlink to /etc/crypttab:\n" +"sudo bash -c \\*(Aqecho \"mytest /dev/disk/by-uuid/\\&.\\&.\\&. - fido2-device=auto\" E<gt>E<gt>/etc/crypttab\\*(Aq\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Depending on your distribution and encryption setup, you may need to manually\n" +"# regenerate your initramfs to be able to use a FIDO2 device to unlock the\n" +"# partition during early boot\\&.\n" +"# More information at https://unix\\&.stackexchange\\&.com/a/705809\\&.\n" +"# On Fedora based systems:\n" +"sudo dracut --force\n" +"# On Debian based systems:\n" +"sudo update-initramfs -u\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "B<Example\\ \\&4.\\ \\&TPM2 Volume Unlocking Example>" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"The TPM2 logic allows using any TPM2 chip supported by the Linux kernel for " +"unlocking an encrypted volume\\&. Here\\*(Aqs an example how to set up a " +"TPM2 chip for this purpose for a LUKS2 volume, using B<systemd-" +"cryptenroll>(1):" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Enroll the TPM2 security chip in the LUKS2 volume, and bind it to PCR 7\n" +"# only\\&. Replace /dev/sdXn by the partition to use (e\\&.g\\&. /dev/sda1)\\&.\n" +"sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdXn\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Test: Let\\*(Aqs run systemd-cryptsetup to test if this worked\\&.\n" +"sudo systemd-cryptsetup attach mytest /dev/sdXn - tpm2-device=auto\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Now add the line using the by-uuid symlink to /etc/crypttab:\n" +"sudo bash -c \\*(Aqecho \"mytest /dev/disk/by-uuid/\\&.\\&.\\&. - tpm2-device=auto\" E<gt>E<gt>/etc/crypttab\\*(Aq\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# And now let\\*(Aqs check that automatic unlocking works:\n" +"sudo systemd-cryptsetup detach mytest\n" +"sudo systemctl daemon-reload\n" +"sudo systemctl start cryptsetup\\&.target\n" +"systemctl is-active systemd-cryptsetup@mytest\\&.service\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Once we have the device which will be unlocked automatically, we can use it\\&.\n" +"# Usually we would create a file system and add it to /etc/fstab:\n" +"sudo mkfs\\&.ext4 /dev/mapper/mytest\n" +"# This prints a \\*(AqFilesystem UUID\\*(Aq, which we can use as a stable name:\n" +"sudo bash -c \\*(Aqecho \"/dev/disk/by-uuid/\\&.\\&.\\&. /var/mytest ext4 defaults,x-systemd\\&.mkdir 0 2\" E<gt>E<gt>/etc/fstab\\*(Aq\n" +"# And now let\\*(Aqs check that the mounting works:\n" +"sudo systemctl daemon-reload\n" +"sudo systemctl start /var/mytest\n" +"systemctl status /var/mytest\n" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "" +"# Depending on your distribution and encryption setup, you may need to manually\n" +"# regenerate your initramfs to be able to use a TPM2 security chip to unlock\n" +"# the partition during early boot\\&.\n" +"# More information at https://unix\\&.stackexchange\\&.com/a/705809\\&.\n" +"# On Fedora based systems:\n" +"sudo dracut --force\n" +"# On Debian based systems:\n" +"sudo update-initramfs -u\n" +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron +#, no-wrap +msgid "SEE ALSO" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"B<systemd>(1), B<systemd-cryptsetup@.service>(8), B<systemd-cryptsetup-" +"generator>(8), B<systemd-cryptenroll>(1), B<fstab>(5), B<cryptsetup>(8), " +"B<mkswap>(8), B<mke2fs>(8)" +msgstr "" + +#. type: SH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "NOTES" +msgstr "" + +#. type: IP +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid " 1." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Veracrypt Personal Iterations Multiplier" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"\\%https://www.veracrypt.fr/en/" +"Personal%20Iterations%20Multiplier%20%28PIM%29.html" +msgstr "" + +#. type: IP +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid " 2." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "RFC7512 PKCS#11 URI" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "\\%https://tools.ietf.org/html/rfc7512" +msgstr "" + +#. type: IP +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid " 3." +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "Yubico PIV certificate slots" +msgstr "" + +#. type: Plain text +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +msgid "" +"\\%https://developers.yubico.com/PIV/Introduction/Certificate_slots.html" +msgstr "" + +#. type: TH +#: debian-bookworm +#, no-wrap +msgid "2023-12-18" +msgstr "" + +#. type: TH +#: debian-bookworm +#, no-wrap +msgid "cryptsetup 2:2\\&.6\\&.1-4~deb1" +msgstr "" + +#. type: TH +#: debian-bookworm debian-unstable +#, no-wrap +msgid "cryptsetup manual" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "crypttab - static information about encrypted filesystems" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The file /etc/crypttab contains descriptive information about encrypted " +"devices\\&. crypttab is only read by programs (e\\&.g\\&. " +"B<cryptdisks_start> and B<cryptdisks_stop>), and not written; it is the duty " +"of the system administrator to properly create and maintain this file\\&. " +"crypttab entries are treated sequentially, so their order matters " +"(dependencies need to listed first)\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Each encrypted device is described on a separate line\\&. Fields on each " +"line are separated by tabs or spaces\\&. Lines starting with \\*(Aq#\\*(Aq " +"are comments, and blank lines are ignored\\&. Octal sequences \\e0I<num> " +"within a field are decoded, which can be used for values containing spaces " +"or special characters\\&. A backslash which doesn\\*(Aqt start an octal " +"sequence yields undefined behavior\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The first field, I<target>, describes the mapped device name\\&. It must be " +"a plain filename without any directory components\\&. A mapped device which " +"encrypts/decrypts data to/from the I<source device> will be created at /dev/" +"mapper/target by B<cryptsetup>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The second field, I<source device>, describes either the block special " +"device or file that contains the encrypted data\\&. Instead of giving the " +"I<source device> explicitly, the UUID (resp\\&. LABEL, PARTUUID and " +"PARTLABEL) is supported as well, using \\(lqUUID=E<lt>uuidE<gt>\\(rq " +"(resp\\&. \\(lqLABEL=E<lt>labelE<gt>\\(rq, " +"\\(lqPARTUUID=E<lt>partuuidE<gt>\\(rq and " +"\\(lqPARTLABEL=E<lt>partlabelE<gt>\\(rq)\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The third field, I<key file>, describes the file to use as a key for " +"decrypting the data of the I<source device>\\&. In case of a I<keyscript>, " +"the value of this field is given as argument to the keyscript\\&. Note that " +"the I<entire> key file will be used as the passphrase; the passphrase must " +"I<not> be followed by a newline character\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"It can also be a device name (e\\&.g\\&. /dev/urandom), note however that " +"LUKS requires a persistent key and therefore does I<not> support random data " +"keys\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"If the I<key file> is the string I<none>, a passphrase will be read " +"interactively from the console\\&. In this case, the options check, " +"checkargs and tries may be useful\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The fourth field, I<options>, is an optional comma-separated list of options " +"and/or flags describing the device type (I<luks>, I<tcrypt>, I<bitlk>, " +"I<fvault2>, or I<plain> which is also the default) and cryptsetup options " +"associated with the encryption process\\&. The supported options are " +"described below\\&. For plain dm-crypt devices the I<cipher>, I<hash> and " +"I<size> options are required\\&. Some options can be changed on active " +"mappings using B<cryptsetup refresh [E<lt>optionsE<gt>] E<lt>nameE<gt>>\\&. " +"Furthermore some options can be permanently written into metadata of LUKS2 " +"headers using cryptsetup\\*(Aqs I<--persistent> flag\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Note that the first three fields are required and that a missing field will " +"lead to unspecified behaviour\\&." +msgstr "" + +#. type: SH +#: debian-bookworm debian-unstable +#, no-wrap +msgid "ON DIFFERENT CRYPTTAB FORMATS" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Please note that there are several independent cryptsetup wrappers with " +"their own I<crypttab> format\\&. This manpage covers Debian\\*(Aqs " +"implementation for I<initramfs> scripts and I<SysVinit> init scripts\\&. " +"I<systemd> brings its own I<crypttab> implementation\\&. We try to cover the " +"differences between the I<systemd> and our implementation in this manpage, " +"but if in doubt, better check the I<systemd> B<crypttab>(5) manpage, e\\&." +"g\\&. online at \\m[blue]B<\\%https://www.freedesktop.org/software/systemd/" +"man/crypttab.html>\\m[]\\&." +msgstr "" + +#. type: SH +#: debian-bookworm debian-unstable +#, no-wrap +msgid "OPTIONS" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<cipher>=E<lt>cipherE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Encryption algorithm (ignored for LUKS and TCRYPT devices)\\&. See " +"B<cryptsetup -c>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<size>=E<lt>sizeE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Encryption key size (ignored for LUKS and TCRYPT devices)\\&. See " +"B<cryptsetup -s>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<sector-size>=E<lt>bytesE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Sector size\\&. See B<cryptsetup>(8) for possible values and the default " +"value of this option\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<hash>=E<lt>hashE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Hash algorithm (ignored for LUKS and TCRYPT devices)\\&. See B<cryptsetup -" +"h>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<offset>=E<lt>offsetE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Start offset (ignored for LUKS and TCRYPT devices)\\&. Uses B<cryptsetup -" +"o>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<skip>=E<lt>skipE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Skip sectors at the beginning (ignored for LUKS and TCRYPT devices)\\&. Uses " +"B<cryptsetup -p>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<keyfile-offset>=E<lt>keyfile-offsetE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "Specifies the number of bytes to skip at the start of the key file\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<keyfile-size>=E<lt>keyfile-sizeE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Specifies the maximum number of bytes to read from the key file\\&. The " +"default is to read the whole file up to the compiled-in maximum, that can be " +"queried with B<cryptsetup --help>\\&. This option is ignored for plain dm-" +"crypt devices, as the key file size is then given by the encryption key size " +"(option I<size>)\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<keyslot>=E<lt>slotE<gt>, I<key-slot>=E<lt>slotE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "Key slot (ignored for non-LUKS devices)\\&. See B<cryptsetup -S>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<header>=E<lt>pathE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Detached header file (ignored for plain dm-crypt devices)\\&. See " +"B<cryptsetup --header>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<verify>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "Verify password\\&. Uses B<cryptsetup -y>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<readonly>, I<read-only>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "Set up a read-only mapping\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<tries>=E<lt>numE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Try to unlock the device E<lt>numE<gt> before failing\\&. It\\*(Aqs " +"particularly useful when using a passphrase or a I<keyscript> that asks for " +"interactive input\\&. If you want to disable retries, pass " +"\\(lqtries=1\\(rq\\&. Default is \\(lq3\\(rq\\&. Setting \\(lqtries=0\\(rq " +"means infinitive retries\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<discard>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "Allow using of discards (TRIM) requests for device\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Starting with Debian 10 (Buster), this option is added per default to new dm-" +"crypt devices by the Debian Installer\\&. If you don\\*(Aqt care about " +"leaking access patterns (filesystem type, used space) and don\\*(Aqt have " +"hidden truecrypt volumes inside this volume, then it should be safe to " +"enable this option\\&. See the following warning for further information\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"B<WARNING>: Assess the specific security risks carefully before enabling " +"this option\\&. For example, allowing discards on encrypted devices may lead " +"to the leak of information about the ciphertext device (filesystem type, " +"used space etc\\&.) if the discarded blocks can be located easily on the " +"device later\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<luks>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Force LUKS mode\\&. When this mode is used, the following options are " +"ignored since they are provided by the LUKS header on the device: " +"I<cipher=>, I<hash=>, I<size=>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<plain>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<bitlk>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Force BITLK (Windows BitLocker-compatible) mode\\&. WARNING: I<crypttab> " +"support is currently experimental\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<fvault2>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Force Apple\\*(Aqs FileVault2 mode\\&. Only the (legacy) FileVault2 format " +"based on Core Storage and HFS+ filesystem (introduced in MacOS X 10\\&.7 " +"Lion) is currently supported; the new version of FileVault based on the APFS " +"filesystem used in recent macOS versions is not supported\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<tcrypt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Use TrueCrypt encryption mode\\&. When this mode is used, the following " +"options are ignored since they are provided by the TrueCrypt header on the " +"device or do not apply: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-" +"size=>, I<size=>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<veracrypt>, I<tcrypt-veracrypt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Use VeraCrypt extension to TrueCrypt device\\&. Only useful in conjunction " +"with I<tcrypt> option (ignored for non-TrueCrypt devices)\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<tcrypthidden>, I<tcrypt-hidden>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "Use hidden TCRYPT header (ignored for non-TCRYPT devices)\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<same-cpu-crypt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "Perform encryption using the same cpu that IO was submitted on\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<submit-from-crypt-cpus>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "Disable offloading writes to a separate thread after encryption\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<no-read-workqueue>, I<no-write-workqueue>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Bypass dm-crypt internal workqueue and process read or write requests " +"synchronously\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<swap>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "Run B<mkswap> on the created device\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "This option is ignored for I<initramfs> devices\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<tmp>[=E<lt>tmpfsE<gt>]" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Run B<mkfs> with filesystem type E<lt>tmpfsE<gt> (or ext4 if omitted) on the " +"created device\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<check>[=E<lt>checkE<gt>]" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Check the content of the target device by a suitable program; if the check " +"fails, the device is closed immediately\\&. The program is being run with " +"decrypted volume (target device) as first positional argument and, if the " +"I<checkargs> option is used, its value as second argument\\&. See the " +"CHECKSCRIPTS section for more information\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The program is either specified by full path or relative to /lib/cryptsetup/" +"checks/\\&. If omitted, then the value of $CRYPTDISKS_CHECK set in /etc/" +"default/cryptdisks is used (blkid by default)\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"This option is specific to the Debian I<crypttab> format\\&. It\\*(Aqs not " +"supported by I<systemd>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<checkargs>=E<lt>argumentsE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Give E<lt>argumentsE<gt> as the second argument to the check script\\&. See " +"the CHECKSCRIPTS section for more information\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<initramfs>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The initramfs hook processes the root device, any resume devices and any " +"devices with the I<initramfs> option set\\&. These devices are processed " +"within the initramfs stage of boot\\&. As an example, that allows the use of " +"remote unlocking using dropbear\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<noearly>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The cryptsetup init scripts are invoked twice during the boot process - once " +"before lvm, raid, etc\\&. are started and once again after that\\&. " +"Sometimes you need to start your encrypted disks in a special order\\&. With " +"this option the device is ignored during the first invocation of the " +"cryptsetup init scripts\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"This option is ignored for I<initramfs> devices and specific to the Debian " +"I<crypttab> format\\&. It\\*(Aqs not supported by I<systemd>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<noauto>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Entirely ignore the device at the boot process\\&. It\\*(Aqs still possible " +"to map the device manually using cryptdisks_start\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<loud>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Be loud\\&. Print warnings if a device does not exist\\&. This option " +"overrides the option I<quiet>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<quiet>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Be quiet\\&. Don\\*(Aqt print warnings if a device does not exist\\&. This " +"option overrides the option I<loud>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<keyscript>=E<lt>pathE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The executable at the indicated path is executed with the value of the " +"I<third field> as only argument\\&. The keyscript\\*(Aqs standard output is " +"passed to cryptsetup as decyption key\\&. Its exit status is currently " +"ignored, but no assumption should be made in that regard\\&. When used in " +"initramfs, the executable either needs to be self-contained (i\\&.e\\&. " +"doesn\\*(Aqt rely on any external program which is not present in the " +"initramfs environment) or the dependencies have to added to the initramfs " +"image by other means\\&. The program is either specified by full path or " +"relative to /lib/cryptsetup/scripts/\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"LIMITATIONS: All binaries and files on which the keyscript depends must be " +"available at the time of execution\\&. Special care needs to be taken for " +"encrypted filesystems like /usr or /var\\&. As an example, unlocking " +"encrypted /usr must not depend on binaries from /usr/(s)bin\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"WARNING: With systemd as init system, this option might be ignored\\&. At " +"the time this is written (December 2016), the systemd cryptsetup helper " +"doesn\\*(Aqt support the keyscript option to /etc/crypttab\\&. For the time " +"being, the only option to use keyscripts along with systemd is to force " +"processing of the corresponding crypto devices in the initramfs\\&. See the " +"\\*(Aqinitramfs\\*(Aq option for further information\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"All fields of the appropriate crypttab entry are available to the keyscript " +"as exported environment variables:" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "CRYPTTAB_NAME, _CRYPTTAB_NAME" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "The target name (after resp\\&. before octal sequence decoding)\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "CRYPTTAB_SOURCE, _CRYPTTAB_SOURCE" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The source device (after resp\\&. before octal sequence decoding and device " +"resolution)\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "CRYPTTAB_KEY, _CRYPTTAB_KEY" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The value of the third field (after resp\\&. before octal sequence " +"decoding)\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "CRYPTTAB_OPTIONS, _CRYPTTAB_OPTIONS" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"A list of exported crypttab options (after resp\\&. before octal sequence " +"decoding)\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "CRYPTTAB_OPTION_E<lt>optionE<gt>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The value of the appropriate crypttab option, with value set to " +"\\*(Aqyes\\*(Aq in case the option is merely a flag\\&. For option aliases, " +"such as \\*(Aqreadonly\\*(Aq and \\*(Aqread-only\\*(Aq, the variable name " +"refers to the first alternative listed (thus " +"\\*(AqCRYPTTAB_OPTION_readonly\\*(Aq in that case)\\&. If the crypttab " +"option name contains \\*(Aq-\\*(Aq characters, then they are replaced with " +"\\*(Aq_\\*(Aq in the exported variable name\\&. For instance, the value of " +"the \\*(AqCRYPTTAB_OPTION_keyfile_offset\\*(Aq environment variable is set " +"to the value of the \\*(Aqkeyfile-offset\\*(Aq crypttab option\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "CRYPTTAB_TRIED" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Number of previous tries since start of cryptdisks (counts until maximum " +"number of tries is reached)\\&." +msgstr "" + +#. type: SH +#: debian-bookworm debian-unstable +#, no-wrap +msgid "CHECKSCRIPTS" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<blkid>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Checks for any known filesystem\\&. Supports a filesystem type as argument " +"via E<lt>checkargsE<gt>:" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"no checkargs - succeeds if any valid filesystem is found on the device\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "\"none\" - succeeds if no valid filesystem is found on the device\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"\"ext4\" [or another filesystem type like xfs, swap, crypto_LUKS, \\&.\\&." +"\\&.] - succeeds if ext4 filesystem is found on the device\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<un_blkid>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Checks for no known filesystem\\&. Supports a filesystem type as argument " +"via E<lt>checkargsE<gt>:" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"no checkargs - succeeds if no valid filesystem is found on the device\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"\"ext4\" [or another filesystem type like xfs, swap, crypto_LUKS, \\&.\\&." +"\\&.] - succeeds if no ext4 filesystem is found on the device\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +#, no-wrap +msgid "" +"# Encrypted swap device\n" +"cswap /dev/sda6 /dev/urandom plain,cipher=aes-xts-plain64,size=256,hash=sha1,swap\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +#, no-wrap +msgid "" +"# Encrypted LUKS disk with interactive password, identified by its UUID, discard enabled\n" +"cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks,discard\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +#, no-wrap +msgid "" +"# Encrypted TCRYPT disk with interactive password, discard enabled\n" +"tdisk0 /dev/sr0 none tcrypt,discard\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +#, no-wrap +msgid "" +"# Encrypted ext4 disk with interactive password, discard enabled\n" +"# - retry 5 times if the check fails\n" +"cdisk1 /dev/sda2 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check,checkargs=ext4,tries=5,discard\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +#, no-wrap +msgid "" +"# Encrypted disk with interactive password, discard enabled\n" +"# - use a nondefault check script\n" +"# - no retries\n" +"cdisk2 /dev/sdc1 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check=customscript,tries=1,discard\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +#, no-wrap +msgid "" +"# Encrypted disk with interactive password, discard enabled\n" +"# - Twofish as the cipher, RIPEMD-160 as the hash\n" +"cdisk3 /dev/sda3 none plain,cipher=twofish,size=256,hash=ripemd160,discard\n" +msgstr "" + +#. type: SH +#: debian-bookworm debian-unstable +#, no-wrap +msgid "ENVIRONMENT" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<CRYPTDISKS_ENABLE>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Set to I<yes> to run cryptdisks initscripts at startup\\&. Set to I<no> to " +"disable cryptdisks initscripts\\&. Default is I<yes>\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<CRYPTDISKS_MOUNT>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Specifies the mountpoints that are mounted before cryptdisks is invoked\\&. " +"Takes mountpoints configured in /etc/fstab as arguments\\&. Separate " +"mountpoints by space\\&. This is useful for keys on removable devices, such " +"as cdrom, usbstick, flashcard, etc\\&. Default is unset\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "I<CRYPTDISKS_CHECK>" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"Specifies the default checkscript to be run against the target device, after " +"cryptdisks has been invoked\\&. The target device is passed as the first and " +"only argument to the checkscript\\&. Takes effect if the I<check> option is " +"given in crypttab with no value\\&. See documentation for I<check> option " +"above for more information\\&." +msgstr "" + +#. type: SH +#: debian-bookworm debian-unstable +#, no-wrap +msgid "KNOWN UPGRADE ISSUES" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"The upstream defaults for encryption cipher, hash and keysize have changed " +"several times in the past, and they\\*(Aqre expected to change again in " +"future, for example if security issues arise\\&. On LUKS devices, the used " +"settings are stored in the LUKS header, and thus don\\*(Aqt need to be " +"configured in /etc/crypttab\\&. For plain dm-crypt devices, no information " +"about used cipher, hash and keysize are available at all\\&. Therefore we " +"strongly suggest to configure the cipher, hash and keysize in /etc/crypttab " +"for plain dm-crypt devices, even if they match the current default\\&." +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"B<cryptsetup>(8), B<cryptdisks_start>(8), B<cryptdisks_stop>(8), /usr/share/" +"doc/cryptsetup-initramfs/README\\&.initramfs\\&.gz" +msgstr "" + +#. type: SH +#: debian-bookworm debian-unstable +#, no-wrap +msgid "AUTHOR" +msgstr "" + +#. type: Plain text +#: debian-bookworm debian-unstable +msgid "" +"This manual page was originally written by Bastian Kleineidam " +"E<lt>calvin@debian\\&.orgE<gt> for the Debian distribution of cryptsetup\\&. " +"It has been further improved by Michael Gebetsroither E<lt>michael\\&." +"geb@gmx\\&.atE<gt>, David Härdeman E<lt>david@hardeman\\&.nuE<gt> and Jonas " +"Meurer E<lt>jonas@freesources\\&.orgE<gt>\\&." +msgstr "" + +#. type: TH +#: debian-unstable +#, no-wrap +msgid "2024-02-26" +msgstr "" + +#. type: TH +#: debian-unstable +#, no-wrap +msgid "cryptsetup 2:2\\&.7\\&.0-1" +msgstr "" |