Diffstat (limited to 'upstream/fedora-rawhide/man5/crypttab.5')
-rw-r--r--  upstream/fedora-rawhide/man5/crypttab.5  89
1 files changed, 67 insertions, 22 deletions
diff --git a/upstream/fedora-rawhide/man5/crypttab.5 b/upstream/fedora-rawhide/man5/crypttab.5
index 1a621795..5ae5aaf9 100644
--- a/upstream/fedora-rawhide/man5/crypttab.5
+++ b/upstream/fedora-rawhide/man5/crypttab.5
@@ -1,5 +1,5 @@
'\" t
-.TH "CRYPTTAB" "5" "" "systemd 255" "crypttab"
+.TH "CRYPTTAB" "5" "" "systemd 256~rc3" "crypttab"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -170,8 +170,8 @@ file system socket in place of a key file in the third field\&. For details see
.sp -1
.IP " 4." 4.2
.\}
-The key may be acquired via a PKCS#11 compatible hardware security token or smartcard\&. In this case an encrypted key is stored on disk/removable media, acquired via
-\fBAF_UNIX\fR, or stored in the LUKS2 JSON token metadata header\&. The encrypted key is then decrypted by the PKCS#11 token with an RSA key stored on it, and then used to unlock the encrypted volume\&. Use the
+The key may be acquired via a PKCS#11 compatible hardware security token or smartcard\&. In this case a saved key used in unlock process is stored on disk/removable media, acquired via
+\fBAF_UNIX\fR, or stored in the LUKS2 JSON token metadata header\&. For RSA, the saved key is an encrypted volume key\&. The encrypted volume key is then decrypted by the PKCS#11 token with an RSA private key stored on it, and used to unlock the encrypted volume\&. For elliptic\-curve (EC) cryptography, the saved key is the public key generated in enrollment process\&. The public key is then used to derive a shared secret with a private key stored in the PKCS#11 token\&. The derived shared secret is then used to unlock the volume\&. Use the
\fBpkcs11\-uri=\fR
option described below to use this mechanism\&.
.RE
@@ -206,7 +206,7 @@ option described below to use this mechanism\&.
.PP
For the latter five mechanisms the source for the key material used for unlocking the volume is primarily configured in the third field of each
/etc/crypttab
-line, but may also configured in
+line, but may also be configured in
/etc/cryptsetup\-keys\&.d/
and
/run/cryptsetup\-keys\&.d/
@@ -305,6 +305,32 @@ for key files on external devices\&.
Added in version 243\&.
.RE
.PP
+\fBlink\-volume\-key=\fR
+.RS 4
+Specifies the kernel keyring and key description (see
+\fBkeyrings\fR(7)) where LUKS2 volume key gets linked during device activation\&. The kernel keyring description and key description must be separated by
+"::"\&.
+.sp
+The kernel keyring part can be a string description or a predefined kernel keyring prefixed with
+"@"
+(e\&.g\&.: to use
+"@s"
+session or
+"@u"
+user keyring directly)\&. The type prefix text in the kernel keyring description is not required\&. The specified kernel keyring must already exist at the time of device activation\&.
+.sp
+The key part is a string description optionally prefixed by a
+"%key_type:"\&. If no type is specified, the
+"user"
+type key is linked by default\&. See
+\fBkeyctl\fR(1)
+for more information on key descriptions (KEY IDENTIFIERS section)\&.
+.sp
+Note that the linked volume key is not cleaned up automatically when the device is detached\&.
+.sp
+Added in version 256\&.
+.RE
+.PP
\fBluks\fR
.RS 4
Force LUKS mode\&. When this mode is used, the following options are ignored since they are provided by the LUKS header on the device:
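Review bot: the closing note "the linked volume key is not cleaned up automatically when the device is detached" leaves out what the reader needs to act on it: that the raw volume key then lives for the lifetime of the chosen keyring, that anyone with read permission on that key or keyring (see keyctl(1)) can read it, and how to remove it (keyctl unlink or keyctl clear on the target keyring). Suggest adding one sentence with that, plus a worked value of the syntax the text describes, e.g. "link-volume-key=@u::luks-root" (user keyring, default "user" key type, description "luks-root"). Minor grammar: "where LUKS2 volume key gets linked" should read "where the LUKS2 volume key is linked".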
@@ -360,7 +386,9 @@ Added in version 186\&.
This device will not be a hard dependency of
cryptsetup\&.target\&. It\*(Aqll still be pulled in and started, but the system will not wait for the device to show up and be unlocked, and boot will not fail if this is unsuccessful\&. Note that other units that depend on the unlocked device may still fail\&. In particular, if the device is used for a mount point, the mount point itself also needs to have the
\fBnofail\fR
-option, or the boot will fail if the device is not unlocked successfully\&.
+option, or the boot will fail if the device is not unlocked successfully\&. If a keyfile and/or a
+\fBheader\fR
+are specified, the dependencies on their respective directories will also not be fatal, so that umounting said directories will not cause the generated cryptset unit to be deactivated\&.
.sp
Added in version 186\&.
.RE
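Review bot: typos in the added sentence: "umounting" should be "unmounting", and "the generated cryptset unit" is presumably "the generated cryptsetup unit". The rest of the sentence is clear, but "so that" suggests intent; if the point is that unmounting the keyfile or header directory must not tear down an already-activated device, saying "so that unmounting said directories does not deactivate the generated cryptsetup unit" makes the behaviour explicit.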
@@ -467,11 +495,23 @@ Added in version 240\&.
The encrypted block device will be used as a swap device, and will be formatted accordingly after setting up the encrypted block device, with
\fBmkswap\fR(8)\&. This option implies
\fBplain\fR\&.
+.if n \{\
.sp
-WARNING: Using the
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
+Using the
\fBswap\fR
option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly\&.
-.sp
+.sp .5v
+.RE
Added in version 186\&.
.RE
.PP
@@ -569,11 +609,23 @@ or
"btrfs"\&. If no argument is specified defaults to
"ext4"\&. This option implies
\fBplain\fR\&.
+.if n \{\
.sp
-WARNING: Using the
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
+Using the
\fBtmp\fR
option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly\&.
-.sp
+.sp .5v
+.RE
Added in version 186\&.
.RE
.PP
@@ -616,17 +668,17 @@ Takes either the special value
"auto"
or an
\m[blue]\fBRFC7512 PKCS#11 URI\fR\m[]\&\s-2\u[2]\d\s+2
-pointing to a private RSA key which is used to decrypt the encrypted key specified in the third column of the line\&. This is useful for unlocking encrypted volumes through PKCS#11 compatible security tokens or smartcards\&. See below for an example how to set up this mechanism for unlocking a LUKS2 volume with a YubiKey security token\&.
+pointing to a private key which is used to decrypt the encrypted key specified in the third column of the line\&. This is useful for unlocking encrypted volumes through PKCS#11 compatible security tokens or smartcards\&. See below for an example how to set up this mechanism for unlocking a LUKS2 volume with a YubiKey security token\&.
.sp
If specified as
"auto"
the volume must be of type LUKS2 and must carry PKCS#11 security token metadata in its LUKS2 JSON token section\&. In this mode the URI and the encrypted key are automatically read from the LUKS2 JSON token header\&. Use
\fBsystemd-cryptenroll\fR(1)
-as simple tool for enrolling PKCS#11 security tokens or smartcards in a way compatible with
+as a simple tool for enrolling PKCS#11 security tokens or smartcards in a way compatible with
"auto"\&. In this mode the third column of the line should remain empty (that is, specified as
"\-")\&.
.sp
-The specified URI can refer directly to a private RSA key stored on a token or alternatively just to a slot or token, in which case a search for a suitable private RSA key will be performed\&. In this case if multiple suitable objects are found the token is refused\&. The encrypted key configured in the third column of the line is passed as is (i\&.e\&. in binary form, unprocessed) to RSA decryption\&. The resulting decrypted key is then Base64 encoded before it is used to unlock the LUKS volume\&.
+The specified URI can refer directly to a private key stored on a token or alternatively just to a slot or token, in which case a search for a suitable private key will be performed\&. In this case if multiple suitable objects are found the token is refused\&. The keyfile configured in the third column of the line is used as is (i\&.e\&. in binary form, unprocessed)\&. The resulting decrypted key (for RSA) or derived shared secret (for ECC) is then Base64 encoded before it is used to unlock the LUKS volume\&.
.sp
Use
\fBsystemd\-cryptenroll \-\-pkcs11\-token\-uri=list\fR
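Review bot: the first paragraph is now inconsistent with the third: "pointing to a private key which is used to decrypt the encrypted key specified in the third column" still describes only the RSA path, while the third paragraph says the result is "decrypted key (for RSA) or derived shared secret (for ECC)". Suggest "pointing to a private key which is used to decrypt the encrypted key (RSA) or to derive a shared secret with the public key (EC) specified in the third column of the line". The rewritten third paragraph also dropped what the keyfile is fed to: "used as is (i.e. in binary form, unprocessed)" no longer says by what, so append "as input to the token's RSA decryption or EC key agreement".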
@@ -852,7 +904,7 @@ stream socket in the file system, the key is acquired by connecting to the socke
\fBAF_UNIX\fR
socket name in the abstract namespace, see
\fBunix\fR(7)
-for details\&. The source socket name is chosen according the following format:
+for details\&. The source socket name is chosen according to the following format:
.sp
.if n \{\
.RS 4
@@ -910,7 +962,7 @@ external /dev/sda3 keyfile:LABEL=keydev keyfile\-timeout=10s,cipher=xcha
.PP
\fBExample\ \&2.\ \&Yubikey\-based PKCS#11 Volume Unlocking Example\fR
.PP
-The PKCS#11 logic allows hooking up any compatible security token that is capable of storing RSA decryption keys for unlocking an encrypted volume\&. Here\*(Aqs an example how to set up a Yubikey security token for this purpose on a LUKS2 volume, using
+The PKCS#11 logic allows hooking up any compatible security token that is capable of storing RSA or EC cryptographic keys for unlocking an encrypted volume\&. Here\*(Aqs an example how to set up a Yubikey security token for this purpose on a LUKS2 volume, using
\fBykmap\fR(1)
from the yubikey\-manager project to initialize the token and
\fBsystemd-cryptenroll\fR(1)
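Review bot: the unchanged context line "\fBykmap\fR(1)" looks like a pre-existing typo for "\fBykman\fR(1)", the command-line tool of the yubikey-manager project named on the next line; since this hunk already rewrites the surrounding sentence, folding that fix in is cheap. Minor grammar in the changed line: "an example how to set up" reads better as "an example of how to set up".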
@@ -1088,14 +1140,7 @@ sudo update\-initramfs \-u
.\}
.SH "SEE ALSO"
.PP
-\fBsystemd\fR(1),
-\fBsystemd-cryptsetup@.service\fR(8),
-\fBsystemd-cryptsetup-generator\fR(8),
-\fBsystemd-cryptenroll\fR(1),
-\fBfstab\fR(5),
-\fBcryptsetup\fR(8),
-\fBmkswap\fR(8),
-\fBmke2fs\fR(8)
+\fBsystemd\fR(1), \fBsystemd-cryptsetup@.service\fR(8), \fBsystemd-cryptsetup-generator\fR(8), \fBsystemd-cryptenroll\fR(1), \fBfstab\fR(5), \fBcryptsetup\fR(8), \fBmkswap\fR(8), \fBmke2fs\fR(8)
.SH "NOTES"
.IP " 1." 4
Veracrypt Personal Iterations Multiplier