path: root/templates/man5/crypttab.5.pot

# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2024-06-01 05:46+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: TH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "CRYPTTAB"
msgstr ""

#. type: TH
#: archlinux fedora-40 mageia-cauldron
#, no-wrap
msgid "systemd 255"
msgstr ""

#. type: TH
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "crypttab"
msgstr ""

#.  -----------------------------------------------------------------
#.  * MAIN CONTENT STARTS HERE *
#.  -----------------------------------------------------------------
#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "NAME"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "crypttab - Configuration for encrypted block devices"
msgstr ""

#. type: SH
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "SYNOPSIS"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "/etc/crypttab"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "DESCRIPTION"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The /etc/crypttab file describes encrypted block devices that are set up "
"during system boot\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Empty lines and lines starting with the \"#\" character are ignored\\&. Each "
"of the remaining lines describes one encrypted block device\\&. Fields are "
"delimited by white space\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Each line is in the form"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "I<volume-name> I<encrypted-device> I<key-file> I<options>\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "The first two fields are mandatory, the remaining two are optional\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Setting up encrypted block devices using this file supports four encryption "
"modes: LUKS, TrueCrypt, BitLocker and plain\\&. See B<cryptsetup>(8)  for "
"more information about each mode\\&. When no mode is specified in the "
"options field and the block device contains a LUKS signature, it is opened "
"as a LUKS device; otherwise, it is assumed to be in raw dm-crypt (plain "
"mode) format\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "The four fields of /etc/crypttab are defined as follows:"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The first field contains the name of the resulting volume with decrypted "
"data; its block device is set up below /dev/mapper/\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The second field contains a path to the underlying block device or file, or "
"a specification of a block device via \"UUID=\" followed by the UUID\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The third field specifies an absolute path to a file with the encryption "
"key\\&. Optionally, the path may be followed by \":\" and an /etc/fstab "
"style device specification (e\\&.g\\&. starting with \"LABEL=\" or similar); "
"in which case the path is taken relative to the specified device\\*(Aqs file "
"system root\\&. If the field is not present or is \"none\" or \"-\", a key "
"file named after the volume to unlock (i\\&.e\\&. the first column of the "
"line), suffixed with \\&.key is automatically loaded from the /etc/"
"cryptsetup-keys\\&.d/ and /run/cryptsetup-keys\\&.d/ directories, if "
"present\\&. Otherwise, the password has to be manually entered during system "
"boot\\&. For swap encryption, /dev/urandom may be used as key file, "
"resulting in a randomized key\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"If the specified key file path refers to an B<AF_UNIX> stream socket in the "
"file system, the key is acquired by connecting to the socket and reading it "
"from the connection\\&. This allows the implementation of a service to "
"provide key information dynamically, at the moment when it is needed\\&. For "
"details see below\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The fourth field, if present, is a comma-delimited list of options\\&. The "
"supported options are listed below\\&."
msgstr ""

#. type: SH
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "KEY ACQUISITION"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Six different mechanisms for acquiring the decryption key or passphrase "
"unlocking the encrypted volume are supported\\&. Specifically:"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Most prominently, the user may be queried interactively during volume "
"activation (i\\&.e\\&. typically at boot), asking them to type in the "
"necessary passphrases\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The (unencrypted) key may be read from a file on disk, possibly on removable "
"media\\&. The third field of each line encodes the location, for details see "
"above\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The (unencrypted) key may be requested from another service, by specifying "
"an B<AF_UNIX> file system socket in place of a key file in the third "
"field\\&. For details see above and below\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 mageia-cauldron
msgid ""
"The key may be acquired via a PKCS#11 compatible hardware security token or "
"smartcard\\&. In this case an encrypted key is stored on disk/removable "
"media, acquired via B<AF_UNIX>, or stored in the LUKS2 JSON token metadata "
"header\\&. The encrypted key is then decrypted by the PKCS#11 token with an "
"RSA key stored on it, and then used to unlock the encrypted volume\\&. Use "
"the B<pkcs11-uri=> option described below to use this mechanism\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Similarly, the key may be acquired via a FIDO2 compatible hardware security "
"token (which must implement the \"hmac-secret\" extension)\\&. In this case "
"a key generated randomly during enrollment is stored on disk/removable "
"media, acquired via B<AF_UNIX>, or stored in the LUKS2 JSON token metadata "
"header\\&. The random key is hashed via a keyed hash function (HMAC) on the "
"FIDO2 token, using a secret key stored on the token that never leaves it\\&. "
"The resulting hash value is then used as key to unlock the encrypted "
"volume\\&. Use the B<fido2-device=> option described below to use this "
"mechanism\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Similarly, the key may be acquired via a TPM2 security chip\\&. In this case "
"a (during enrollment) randomly generated key \\(em encrypted by an "
"asymmetric key derived from the TPM2 chip\\*(Aqs seed key \\(em is stored on "
"disk/removable media, acquired via B<AF_UNIX>, or stored in the LUKS2 JSON "
"token metadata header\\&. Use the B<tpm2-device=> option described below to "
"use this mechanism\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-rawhide mageia-cauldron
msgid ""
"For the latter five mechanisms the source for the key material used for "
"unlocking the volume is primarily configured in the third field of each /etc/"
"crypttab line, but may also be configured in /etc/cryptsetup-keys\\&.d/ and /"
"run/cryptsetup-keys\\&.d/ (see above) or in the LUKS2 JSON token header (in "
"case of the latter three)\\&. Use the B<systemd-cryptenroll>(1)  tool to "
"enroll PKCS#11, FIDO2 and TPM2 devices in LUKS2 volumes\\&."
msgstr ""

#. type: SH
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "SUPPORTED OPTIONS"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "The following options may be used in the fourth field of each line:"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<cipher=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the cipher to use\\&. See B<cryptsetup>(8)  for possible values "
"and the default value of this option\\&. A cipher with unpredictable IV "
"values, such as \"aes-cbc-essiv:sha256\", is recommended\\&. Embedded commas "
"in the cipher specification need to be escaped by preceding them with a "
"backslash, see example below\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 186\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<discard>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Allow discard requests to be passed through the encrypted block device\\&. "
"This improves performance on SSD storage but has security implications\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 207\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<hash=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the hash to use for password hashing\\&. See B<cryptsetup>(8)  for "
"possible values and the default value of this option\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<header=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Use a detached (separated) metadata device or file where the header "
"containing the master key(s) is stored\\&. This option is only relevant for "
"LUKS and TrueCrypt/VeraCrypt devices\\&. See B<cryptsetup>(8)  for possible "
"values and the default value of this option\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Optionally, the path may be followed by \":\" and an /etc/fstab device "
"specification (e\\&.g\\&. starting with \"UUID=\" or similar); in which "
"case, the path is relative to the device file system root\\&. The device "
"gets mounted automatically for LUKS device activation duration only\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 219\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<keyfile-offset=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the number of bytes to skip at the start of the key file\\&. See "
"B<cryptsetup>(8)  for possible values and the default value of this "
"option\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 187\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<keyfile-size=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the maximum number of bytes to read from the key file\\&. See "
"B<cryptsetup>(8)  for possible values and the default value of this "
"option\\&. This option is ignored in plain encryption mode, as the key file "
"size is then given by the key size\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 188\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<keyfile-erase>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"If enabled, the specified key file is erased after the volume is activated "
"or when activation fails\\&. This is in particular useful when the key file "
"is only acquired transiently before activation (e\\&.g\\&. via a file in /"
"run/, generated by a service running before activation), and shall be "
"removed after use\\&. Defaults to off\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 246\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<key-slot=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the key slot to compare the passphrase or key against\\&. If the "
"key slot does not match the given passphrase or key, but another would, the "
"setup of the device will fail regardless\\&. This option implies B<luks>\\&. "
"See B<cryptsetup>(8)  for possible values\\&. The default is to try all key "
"slots in sequential order\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 209\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<keyfile-timeout=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the timeout for the device on which the key file resides or the "
"device used as the key file, and falls back to a password if it could not be "
"accessed\\&. See B<systemd-cryptsetup-generator>(8)  for key files on "
"external devices\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 243\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<luks>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Force LUKS mode\\&. When this mode is used, the following options are "
"ignored since they are provided by the LUKS header on the device: "
"B<cipher=>, B<hash=>, B<size=>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<bitlk>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Decrypt BitLocker drive\\&. Encryption parameters are deduced by cryptsetup "
"from BitLocker header\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<_netdev>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Marks this cryptsetup device as requiring network\\&. It will be started "
"after the network is available, similarly to B<systemd.mount>(5)  units "
"marked with B<_netdev>\\&. The service unit to set up this device will be "
"ordered between remote-fs-pre\\&.target and remote-cryptsetup\\&.target, "
"instead of cryptsetup-pre\\&.target and cryptsetup\\&.target\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Hint: if this device is used for a mount point that is specified in "
"B<fstab>(5), the B<_netdev> option should also be used for the mount "
"point\\&. Otherwise, a dependency loop might be created where the mount "
"point will be pulled in by local-fs\\&.target, while the service to "
"configure the network is usually only started I<after> the local file system "
"has been mounted\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 235\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<noauto>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"This device will not be added to cryptsetup\\&.target\\&. This means that it "
"will not be automatically unlocked on boot, unless something else pulls it "
"in\\&. In particular, if the device is used for a mount point, it\\*(Aqll be "
"unlocked automatically during boot, unless the mount point itself is also "
"disabled with B<noauto>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<nofail>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 mageia-cauldron
msgid ""
"This device will not be a hard dependency of cryptsetup\\&.target\\&. "
"It\\*(Aqll still be pulled in and started, but the system will not wait for "
"the device to show up and be unlocked, and boot will not fail if this is "
"unsuccessful\\&. Note that other units that depend on the unlocked device "
"may still fail\\&. In particular, if the device is used for a mount point, "
"the mount point itself also needs to have the B<nofail> option, or the boot "
"will fail if the device is not unlocked successfully\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<offset=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Start offset in the backend device, in 512-byte sectors\\&. This option is "
"only relevant for plain devices\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 220\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<plain>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "Force plain encryption mode\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<read-only>, B<readonly>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Set up the encrypted block device in read-only mode\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<same-cpu-crypt>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Perform encryption using the same CPU that IO was submitted on\\&. The "
"default is to use an unbound workqueue so that encryption work is "
"automatically balanced between available CPUs\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "This requires kernel 4\\&.0 or newer\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 242\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<submit-from-crypt-cpus>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Disable offloading writes to a separate thread after encryption\\&. There "
"are some situations where offloading write requests from the encryption "
"threads to a dedicated thread degrades performance significantly\\&. The "
"default is to offload write requests to a dedicated thread because it "
"benefits the CFQ scheduler to have writes submitted using the same "
"context\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<no-read-workqueue>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Bypass dm-crypt internal workqueue and process read requests "
"synchronously\\&. The default is to queue these requests and process them "
"asynchronously\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "This requires kernel 5\\&.9 or newer\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 248\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<no-write-workqueue>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Bypass dm-crypt internal workqueue and process write requests "
"synchronously\\&. The default is to queue these requests and process them "
"asynchronously\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<skip=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"How many 512-byte sectors of the encrypted data to skip at the beginning\\&. "
"This is different from the B<offset=> option with respect to the sector "
"numbers used in initialization vector (IV) calculation\\&. Using B<offset=> "
"will shift the IV calculation by the same negative amount\\&. Hence, if "
"B<offset=>I<n> is given, sector I<n> will get a sector number of 0 for the "
"IV calculation\\&. Using B<skip=> causes sector I<n> to also be the first "
"sector of the mapped device, but with its number for IV generation being "
"I<n>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "This option is only relevant for plain devices\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<size=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the key size in bits\\&. See B<cryptsetup>(8)  for possible values "
"and the default value of this option\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<sector-size=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the sector size in bytes\\&. See B<cryptsetup>(8)  for possible "
"values and the default value of this option\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 240\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<swap>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The encrypted block device will be used as a swap device, and will be "
"formatted accordingly after setting up the encrypted block device, with "
"B<mkswap>(8)\\&. This option implies B<plain>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 mageia-cauldron
msgid ""
"WARNING: Using the B<swap> option will destroy the contents of the named "
"partition during every boot, so make sure the underlying block device is "
"specified correctly\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tcrypt>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Use TrueCrypt encryption mode\\&. When this mode is used, the following "
"options are ignored since they are provided by the TrueCrypt header on the "
"device or do not apply: B<cipher=>, B<hash=>, B<keyfile-offset=>, B<keyfile-"
"size=>, B<size=>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"When this mode is used, the passphrase is read from the key file given in "
"the third field\\&. Only the first line of this file is read, excluding the "
"new line character\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Note that the TrueCrypt format uses both passphrase and key files to derive "
"a password for the volume\\&. Therefore, the passphrase and all key files "
"need to be provided\\&. Use B<tcrypt-keyfile=> to provide the absolute path "
"to all key files\\&. When using an empty passphrase in combination with one "
"or more key files, use \"/dev/null\" as the password file in the third "
"field\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 206\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tcrypt-hidden>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Use the hidden TrueCrypt volume\\&. This option implies B<tcrypt>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"This will map the hidden volume that is inside of the volume provided in the "
"second field\\&. Please note that there is no protection for the hidden "
"volume if the outer volume is mounted instead\\&. See B<cryptsetup>(8)  for "
"more information on this limitation\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tcrypt-keyfile=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the absolute path to a key file to use for a TrueCrypt volume\\&. "
"This implies B<tcrypt> and can be used more than once to provide several key "
"files\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"See the entry for B<tcrypt> on the behavior of the passphrase and key files "
"when using TrueCrypt encryption mode\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tcrypt-system>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Use TrueCrypt in system encryption mode\\&. This option implies B<tcrypt>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tcrypt-veracrypt>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Check for a VeraCrypt volume\\&. VeraCrypt is a fork of TrueCrypt that is "
"mostly compatible, but uses different, stronger key derivation algorithms "
"that cannot be detected without this flag\\&. Enabling this option could "
"substantially slow down unlocking, because VeraCrypt\\*(Aqs key derivation "
"takes much longer than TrueCrypt\\*(Aqs\\&. This option implies B<tcrypt>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 232\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<veracrypt-pim=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies a custom Personal Iteration Multiplier (PIM) value, which can "
"range from 0\\&.\\&.2147468 for standard veracrypt volumes and 0\\&."
"\\&.65535 for veracrypt system volumes\\&. A value of 0 will imply the "
"VeraCrypt default\\&. This option is only effective when B<tcrypt-veracrypt> "
"is set\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Note that VeraCrypt enforces a minimal allowed PIM value depending on the "
"password strength and the hash algorithm used for key derivation, however "
"B<veracrypt-pim=> is not checked against these bounds\\&. See "
"\\m[blue]B<Veracrypt Personal Iterations "
"Multiplier>\\m[]\\&\\s-2\\u[1]\\d\\s+2 documentation for more information\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 254\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<timeout=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the timeout for querying for a password\\&. If no unit is "
"specified, seconds is used\\&. Supported units are s, ms, us, min, h, d\\&. "
"A timeout of 0 waits indefinitely (which is the default)\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tmp=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The encrypted block device will be prepared for using it as /tmp/; it will "
"be formatted using B<mkfs>(8)\\&. Takes a file system type as argument, such "
"as \"ext4\", \"xfs\" or \"btrfs\"\\&. If no argument is specified defaults "
"to \"ext4\"\\&. This option implies B<plain>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 mageia-cauldron
msgid ""
"WARNING: Using the B<tmp> option will destroy the contents of the named "
"partition during every boot, so make sure the underlying block device is "
"specified correctly\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tries=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies the maximum number of times the user is queried for a password\\&. "
"The default is 3\\&. If set to 0, the user is queried for a password "
"indefinitely\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<headless=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Takes a boolean argument, defaults to false\\&. If true, never query "
"interactively for the password/PIN\\&. Useful for headless systems\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 249\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<verify>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"If the encryption password is read from console, it has to be entered twice "
"to prevent typos\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<password-echo=yes|no|masked>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Controls whether to echo passwords or security token PINs that are read from "
"console\\&. Takes a boolean or the special string \"masked\"\\&. The default "
"is B<password-echo=masked>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"If enabled, the typed characters are echoed literally\\&. If disabled, the "
"typed characters are not echoed in any form, the user will not get feedback "
"on their input\\&. If set to \"masked\", an asterisk (\"*\") is echoed for "
"each character typed\\&. Regardless of which mode is chosen, if the user "
"hits the tabulator key (\"↹\") at any time, or the backspace key (\"⌫\") "
"before any other data has been entered, then echo is turned off\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<pkcs11-uri=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 mageia-cauldron
msgid ""
"Takes either the special value \"auto\" or an \\m[blue]B<RFC7512 PKCS#11 "
"URI>\\m[]\\&\\s-2\\u[2]\\d\\s+2 pointing to a private RSA key which is used "
"to decrypt the encrypted key specified in the third column of the line\\&. "
"This is useful for unlocking encrypted volumes through PKCS#11 compatible "
"security tokens or smartcards\\&. See below for an example how to set up "
"this mechanism for unlocking a LUKS2 volume with a YubiKey security token\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 mageia-cauldron
msgid ""
"If specified as \"auto\" the volume must be of type LUKS2 and must carry "
"PKCS#11 security token metadata in its LUKS2 JSON token section\\&. In this "
"mode the URI and the encrypted key are automatically read from the LUKS2 "
"JSON token header\\&. Use B<systemd-cryptenroll>(1)  as simple tool for "
"enrolling PKCS#11 security tokens or smartcards in a way compatible with "
"\"auto\"\\&. In this mode the third column of the line should remain empty "
"(that is, specified as \"-\")\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 mageia-cauldron
msgid ""
"The specified URI can refer directly to a private RSA key stored on a token "
"or alternatively just to a slot or token, in which case a search for a "
"suitable private RSA key will be performed\\&. In this case if multiple "
"suitable objects are found the token is refused\\&. The encrypted key "
"configured in the third column of the line is passed as is (i\\&.e\\&. in "
"binary form, unprocessed) to RSA decryption\\&. The resulting decrypted key "
"is then Base64 encoded before it is used to unlock the LUKS volume\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Use B<systemd-cryptenroll --pkcs11-token-uri=list> to list all suitable "
"PKCS#11 security tokens currently plugged in, along with their URIs\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Note that many newer security tokens that may be used as PKCS#11 security "
"token typically also implement the newer and simpler FIDO2 standard\\&. "
"Consider using B<fido2-device=> (described below) to enroll it via FIDO2 "
"instead\\&. Note that a security token enrolled via PKCS#11 cannot be used "
"to unlock the volume via FIDO2, unless also enrolled via FIDO2, and vice "
"versa\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 245\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<fido2-device=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Takes either the special value \"auto\" or the path to a \"hidraw\" device "
"node (e\\&.g\\&.  /dev/hidraw1) referring to a FIDO2 security token that "
"implements the \"hmac-secret\" extension (most current hardware security "
"tokens do)\\&. See below for an example how to set up this mechanism for "
"unlocking an encrypted volume with a FIDO2 security token\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"If specified as \"auto\" the FIDO2 token device is automatically discovered, "
"as it is plugged in\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"FIDO2 volume unlocking requires a client ID hash (CID) to be configured via "
"B<fido2-cid=> (see below) and a key to pass to the security token\\*(Aqs "
"HMAC functionality (configured in the line\\*(Aqs third column) to "
"operate\\&. If not configured and the volume is of type LUKS2, the CID and "
"the key are read from LUKS2 JSON token metadata instead\\&. Use B<systemd-"
"cryptenroll>(1)  as simple tool for enrolling FIDO2 security tokens, "
"compatible with this automatic mode, which is only available for LUKS2 "
"volumes\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Use B<systemd-cryptenroll --fido2-device=list> to list all suitable FIDO2 "
"security tokens currently plugged in, along with their device nodes\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"This option implements the following mechanism: the configured key is hashed "
"via they HMAC keyed hash function the FIDO2 device implements, keyed by a "
"secret key embedded on the device\\&. The resulting hash value is Base64 "
"encoded and used to unlock the LUKS2 volume\\&. As it should not be possible "
"to extract the secret from the hardware token, it should not be possible to "
"retrieve the hashed key given the configured key \\(em without possessing "
"the hardware token\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Note that many security tokens that implement FIDO2 also implement PKCS#11, "
"suitable for unlocking volumes via the B<pkcs11-uri=> option described "
"above\\&. Typically the newer, simpler FIDO2 standard is preferable\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<fido2-cid=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Takes a Base64 encoded FIDO2 client ID to use for the FIDO2 unlock "
"operation\\&. If specified, but B<fido2-device=> is not, B<fido2-"
"device=auto> is implied\\&. If B<fido2-device=> is used but B<fido2-cid=> is "
"not, the volume must be of LUKS2 type, and the CID is read from the LUKS2 "
"JSON token header\\&. Use B<systemd-cryptenroll>(1)  for enrolling a FIDO2 "
"token in the LUKS2 header compatible with this automatic mode\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<fido2-rp=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Takes a string, configuring the FIDO2 Relying Party (rp) for the FIDO2 "
"unlock operation\\&. If not specified \"io\\&.systemd\\&.cryptsetup\" is "
"used, except if the LUKS2 JSON token header contains a different value\\&. "
"It should normally not be necessary to override this\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tpm2-device=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Takes either the special value \"auto\" or the path to a device node (e\\&."
"g\\&.  /dev/tpmrm0) referring to a TPM2 security chip\\&. See below for an "
"example how to set up this mechanism for unlocking an encrypted volume with "
"a TPM2 chip\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Use B<tpm2-pcrs=> (see below) to configure the set of TPM2 PCRs to bind the "
"volume unlocking to\\&. Use B<systemd-cryptenroll>(1)  as simple tool for "
"enrolling TPM2 security chips in LUKS2 volumes\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"If specified as \"auto\" the TPM2 device is automatically discovered\\&. Use "
"B<systemd-cryptenroll --tpm2-device=list> to list all suitable TPM2 devices "
"currently available, along with their device nodes\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"This option implements the following mechanism: when enrolling a TPM2 device "
"via B<systemd-cryptenroll> on a LUKS2 volume, a randomized key unlocking the "
"volume is generated on the host and loaded into the TPM2 chip where it is "
"encrypted with an asymmetric \"primary\" key pair derived from the "
"TPM2\\*(Aqs internal \"seed\" key\\&. Neither the seed key nor the primary "
"key are permitted to ever leave the TPM2 chip \\(em however, the now "
"encrypted randomized key may\\&. It is saved in the LUKS2 volume JSON token "
"header\\&. When unlocking the encrypted volume, the primary key pair is "
"generated on the TPM2 chip again (which works as long as the chip\\*(Aqs "
"seed key is correctly maintained by the TPM2 chip), which is then used to "
"decrypt (on the TPM2 chip) the encrypted key from the LUKS2 volume JSON "
"token header saved there during enrollment\\&. The resulting decrypted key "
"is then used to unlock the volume\\&. When the randomized key is encrypted "
"the current values of the selected PCRs (see below) are included in the "
"operation, so that different PCR state results in different encrypted keys "
"and the decrypted key can only be recovered if the same PCR state is "
"reproduced\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tpm2-pcrs=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Takes a \"+\" separated list of numeric TPM2 PCR (i\\&.e\\&. \"Platform "
"Configuration Register\") indexes to bind the TPM2 volume unlocking to\\&. "
"This option is only useful when TPM2 enrollment metadata is not available in "
"the LUKS2 JSON token header already, the way B<systemd-cryptenroll> writes "
"it there\\&. If not used (and no metadata in the LUKS2 JSON token header "
"defines it), defaults to a list of a single entry: PCR 7\\&. Assign an empty "
"string to encode a policy that binds the key to no PCRs, making the key "
"accessible to local programs regardless of the current PCR state\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tpm2-pin=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Takes a boolean argument, defaults to \"false\"\\&. Controls whether TPM2 "
"volume unlocking is bound to a PIN in addition to PCRs\\&. Similarly, this "
"option is only useful when TPM2 enrollment metadata is not available\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 251\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tpm2-signature=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Takes an absolute path to a TPM2 PCR JSON signature file, as produced by the "
"B<systemd-measure>(1)  tool\\&. This permits locking LUKS2 volumes to any "
"PCR values for which a valid signature matching a public key specified at "
"key enrollment time can be provided\\&. See B<systemd-cryptenroll>(1)  for "
"details on enrolling TPM2 PCR public keys\\&. If this option is not "
"specified but it is attempted to unlock a LUKS2 volume with a signed TPM2 "
"PCR enrollment a suitable signature file tpm2-pcr-signature\\&.json is "
"searched for in /etc/systemd/, /run/systemd/, /usr/lib/systemd/ (in this "
"order)\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 252\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tpm2-pcrlock=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Takes an absolute path to a TPM2 pcrlock policy file, as produced by the "
"B<systemd-pcrlock>(1)  tool\\&. This permits locking LUKS2 volumes to a "
"local policy of allowed PCR values with variants\\&. See B<systemd-"
"cryptenroll>(1)  for details on enrolling TPM2 pcrlock policies\\&. If this "
"option is not specified but it is attempted to unlock a LUKS2 volume with a "
"TPM2 pcrlock enrollment a suitable signature file pcrlock\\&.json is "
"searched for in /run/systemd/ and /var/lib/systemd/ (in this order)\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 255\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tpm2-measure-pcr=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Controls whether to measure the volume key of the encrypted volume to a TPM2 "
"PCR\\&. If set to \"no\" (which is the default) no PCR extension is done\\&. "
"If set to \"yes\" the volume key is measured into PCR 15\\&. If set to a "
"decimal integer in the range 0\\&...23 the volume key is measured into the "
"specified PCR\\&. The volume key is measured along with the activated volume "
"name and its UUID\\&. This functionality is particularly useful for the "
"encrypted volume backing the root file system, as it then allows later TPM "
"objects to be securely bound to the root file system and hence the specific "
"installation\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 253\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<tpm2-measure-bank=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Selects one or more TPM2 PCR banks to measure the volume key into, as "
"configured with B<tpm2-measure-pcr=> above\\&. Multiple banks may be "
"specified, separated by a colon character\\&. If not specified automatically "
"determines available and used banks\\&. Expects a message digest name (e\\&."
"g\\&.  \"sha1\", \"sha256\", \\&...) as argument, to identify the bank\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<token-timeout=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies how long to wait at most for configured security devices (i\\&."
"e\\&. FIDO2, PKCS#11, TPM2) to show up\\&. Takes a time value in seconds "
"(but other time units may be specified too, see B<systemd.time>(7)  for "
"supported formats)\\&. Defaults to 30s\\&. Once the specified timeout "
"elapsed authentication via password is attempted\\&. Note that this timeout "
"applies to waiting for the security device to show up \\(em it does not "
"apply to the PIN prompt for the device (should one be needed) or similar\\&. "
"Pass 0 to turn off the time-out and wait forever\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 250\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<try-empty-password=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Takes a boolean argument\\&. If enabled, right before asking the user for a "
"password it is first attempted to unlock the volume with an empty "
"password\\&. This is useful for systems that are initialized with an "
"encrypted volume with only an empty password set, which shall be replaced "
"with a suitable password during first boot, but after activation\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<x-systemd\\&.device-timeout=>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Specifies how long systemd should wait for a block device to show up before "
"giving up on the entry\\&. The argument is a time in seconds or explicitly "
"specified units of \"s\", \"min\", \"h\", \"ms\"\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 216\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<x-initrd\\&.attach>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Setup this encrypted block device in the initrd, similarly to B<systemd."
"mount>(5)  units marked with B<x-initrd\\&.mount>\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Although it\\*(Aqs not necessary to mark the mount entry for the root file "
"system with B<x-initrd\\&.mount>, B<x-initrd\\&.attach> is still recommended "
"with the encrypted block device containing the root file system as otherwise "
"systemd will attempt to detach the device during the regular system shutdown "
"while it\\*(Aqs still in use\\&. With this option the device will still be "
"detached but later after the root file system is unmounted\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"All other encrypted block devices that contain file systems mounted in the "
"initrd should use this option\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"At early boot and when the system manager configuration is reloaded, this "
"file is translated into native systemd units by B<systemd-cryptsetup-"
"generator>(8)\\&."
msgstr ""

#. type: SH
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "AF_UNIX KEY FILES"
msgstr ""

#. type: Plain text
#: archlinux fedora-rawhide mageia-cauldron
msgid ""
"If the key file path (as specified in the third column of /etc/crypttab "
"entries, see above) refers to an B<AF_UNIX> stream socket in the file "
"system, the key is acquired by connecting to the socket and reading the key "
"from the connection\\&. The connection is made from an B<AF_UNIX> socket "
"name in the abstract namespace, see B<unix>(7)  for details\\&. The source "
"socket name is chosen according to the following format:"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "B<NUL> I<RANDOM> /cryptsetup/ I<VOLUME>\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"In other words: a B<NUL> byte (as required for abstract namespace sockets), "
"followed by a random string (consisting of alphanumeric characters only), "
"followed by the literal string \"/cryptsetup/\", followed by the name of the "
"volume to acquire they key for\\&. For example, for the volume \"myvol\":"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "\\e0d7067f78d9827418/cryptsetup/myvol\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Services listening on the B<AF_UNIX> stream socket may query the source "
"socket name with B<getpeername>(2), and use this to determine which key to "
"send, allowing a single listening socket to serve keys for multiple "
"volumes\\&. If the PKCS#11 logic is used (see above), the socket source name "
"is picked in similar fashion, except that the literal string \"/cryptsetup-"
"pkcs11/\" is used\\&. And similarly for FIDO2 (\"/cryptsetup-fido2/\") and "
"TPM2 (\"/cryptsetup-tpm2/\")\\&. A different path component is used so that "
"services providing key material know that the secret key was not requested "
"directly, but instead an encrypted key that will be decrypted via the "
"PKCS#11/FIDO2/TPM2 logic to acquire the final secret key\\&."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "EXAMPLES"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<Example\\ \\&1.\\ \\&/etc/crypttab example>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Set up four encrypted block devices\\&. One using LUKS for normal storage, "
"another one for usage as a swap device and two TrueCrypt volumes\\&. For the "
"fourth device, the option string is interpreted as two options "
"\"cipher=xchacha12,aes-adiantum-plain64\", \"keyfile-timeout=10s\"\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"luks       UUID=2505567a-9e27-4efe-a4d5-15ad146c258b\n"
"swap       /dev/sda7       /dev/urandom       swap\n"
"truecrypt  /dev/sda2       /etc/container_password  tcrypt\n"
"hidden     /mnt/tc_hidden  /dev/null    tcrypt-hidden,tcrypt-keyfile=/etc/keyfile\n"
"external   /dev/sda3       keyfile:LABEL=keydev keyfile-timeout=10s,cipher=xchacha12\\e,aes-adiantum-plain64\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<Example\\ \\&2.\\ \\&Yubikey-based PKCS#11 Volume Unlocking Example>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 mageia-cauldron
msgid ""
"The PKCS#11 logic allows hooking up any compatible security token that is "
"capable of storing RSA decryption keys for unlocking an encrypted volume\\&. "
"Here\\*(Aqs an example how to set up a Yubikey security token for this "
"purpose on a LUKS2 volume, using B<ykmap>(1)  from the yubikey-manager "
"project to initialize the token and B<systemd-cryptenroll>(1)  to add it in "
"the LUKS2 volume:"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "# SPDX-License-Identifier: MIT-0\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Destroy any old key on the Yubikey (careful!)\n"
"ykman piv reset\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Generate a new private/public key pair on the device, store the public key in\n"
"# \\*(Aqpubkey\\&.pem\\*(Aq\\&.\n"
"ykman piv generate-key -a RSA2048 9d pubkey\\&.pem\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Create a self-signed certificate from this public key, and store it on the\n"
"# device\\&. The \"subject\" should be an arbitrary user-chosen string to identify\n"
"# the token with\\&.\n"
"ykman piv generate-certificate --subject \"Knobelei\" 9d pubkey\\&.pem\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# We don\\*(Aqt need the public key anymore, let\\*(Aqs remove it\\&. Since it is not\n"
"# security sensitive we just do a regular \"rm\" here\\&.\n"
"rm pubkey\\&.pem\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Enroll the freshly initialized security token in the LUKS2 volume\\&. Replace\n"
"# /dev/sdXn by the partition to use (e\\&.g\\&. /dev/sda1)\\&.\n"
"sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Test: Let\\*(Aqs run systemd-cryptsetup to test if this all worked\\&.\n"
"sudo systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# If that worked, let\\*(Aqs now add the same line persistently to /etc/crypttab,\n"
"# for the future\\&. We don\\*(Aqt want to use the (unstable) /dev/sdX name, so let\\*(Aqs\n"
"# figure out a stable link:\n"
"udevadm info -q -r symlink /dev/sdXn\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Now add the line using the by-uuid symlink to /etc/crypttab:\n"
"sudo bash -c \\*(Aqecho \"mytest /dev/disk/by-uuid/\\&.\\&.\\&. - pkcs11-uri=auto\" E<gt>E<gt>/etc/crypttab\\*(Aq\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Depending on your distribution and encryption setup, you may need to manually\n"
"# regenerate your initramfs to be able to use a Yubikey / PKCS#11 token to\n"
"# unlock the partition during early boot\\&.\n"
"# More information at https://unix\\&.stackexchange\\&.com/a/705809\\&.\n"
"# On Fedora based systems:\n"
"sudo dracut --force\n"
"# On Debian based systems:\n"
"sudo update-initramfs -u\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "A few notes on the above:"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "We use RSA2048, which is the longest key size current Yubikeys support"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"We use Yubikey key slot 9d, since that\\*(Aqs apparently the keyslot to use "
"for decryption purposes, see \\m[blue]B<Yubico PIV certificate "
"slots>\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<Example\\ \\&3.\\ \\&FIDO2 Volume Unlocking Example>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The FIDO2 logic allows using any compatible FIDO2 security token that "
"implements the \"hmac-secret\" extension for unlocking an encrypted "
"volume\\&. Here\\*(Aqs an example how to set up a FIDO2 security token for "
"this purpose for a LUKS2 volume, using B<systemd-cryptenroll>(1):"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Enroll the security token in the LUKS2 volume\\&. Replace /dev/sdXn by the\n"
"# partition to use (e\\&.g\\&. /dev/sda1)\\&.\n"
"sudo systemd-cryptenroll --fido2-device=auto /dev/sdXn\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Test: Let\\*(Aqs run systemd-cryptsetup to test if this worked\\&.\n"
"sudo systemd-cryptsetup attach mytest /dev/sdXn - fido2-device=auto\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Now add the line using the by-uuid symlink to /etc/crypttab:\n"
"sudo bash -c \\*(Aqecho \"mytest /dev/disk/by-uuid/\\&.\\&.\\&. - fido2-device=auto\" E<gt>E<gt>/etc/crypttab\\*(Aq\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Depending on your distribution and encryption setup, you may need to manually\n"
"# regenerate your initramfs to be able to use a FIDO2 device to unlock the\n"
"# partition during early boot\\&.\n"
"# More information at https://unix\\&.stackexchange\\&.com/a/705809\\&.\n"
"# On Fedora based systems:\n"
"sudo dracut --force\n"
"# On Debian based systems:\n"
"sudo update-initramfs -u\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "B<Example\\ \\&4.\\ \\&TPM2 Volume Unlocking Example>"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The TPM2 logic allows using any TPM2 chip supported by the Linux kernel for "
"unlocking an encrypted volume\\&. Here\\*(Aqs an example how to set up a "
"TPM2 chip for this purpose for a LUKS2 volume, using B<systemd-"
"cryptenroll>(1):"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Enroll the TPM2 security chip in the LUKS2 volume, and bind it to PCR 7\n"
"# only\\&. Replace /dev/sdXn by the partition to use (e\\&.g\\&. /dev/sda1)\\&.\n"
"sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdXn\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Test: Let\\*(Aqs run systemd-cryptsetup to test if this worked\\&.\n"
"sudo systemd-cryptsetup attach mytest /dev/sdXn - tpm2-device=auto\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Now add the line using the by-uuid symlink to /etc/crypttab:\n"
"sudo bash -c \\*(Aqecho \"mytest /dev/disk/by-uuid/\\&.\\&.\\&. - tpm2-device=auto\" E<gt>E<gt>/etc/crypttab\\*(Aq\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# And now let\\*(Aqs check that automatic unlocking works:\n"
"sudo systemd-cryptsetup detach mytest\n"
"sudo systemctl daemon-reload\n"
"sudo systemctl start cryptsetup\\&.target\n"
"systemctl is-active systemd-cryptsetup@mytest\\&.service\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Once we have the device which will be unlocked automatically, we can use it\\&.\n"
"# Usually we would create a file system and add it to /etc/fstab:\n"
"sudo mkfs\\&.ext4 /dev/mapper/mytest\n"
"# This prints a \\*(AqFilesystem UUID\\*(Aq, which we can use as a stable name:\n"
"sudo bash -c \\*(Aqecho \"/dev/disk/by-uuid/\\&.\\&.\\&. /var/mytest ext4 defaults,x-systemd\\&.mkdir 0 2\" E<gt>E<gt>/etc/fstab\\*(Aq\n"
"# And now let\\*(Aqs check that the mounting works:\n"
"sudo systemctl daemon-reload\n"
"sudo systemctl start /var/mytest\n"
"systemctl status /var/mytest\n"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid ""
"# Depending on your distribution and encryption setup, you may need to manually\n"
"# regenerate your initramfs to be able to use a TPM2 security chip to unlock\n"
"# the partition during early boot\\&.\n"
"# More information at https://unix\\&.stackexchange\\&.com/a/705809\\&.\n"
"# On Fedora based systems:\n"
"sudo dracut --force\n"
"# On Debian based systems:\n"
"sudo update-initramfs -u\n"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "SEE ALSO"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"B<systemd>(1), B<systemd-cryptsetup@.service>(8), B<systemd-cryptsetup-"
"generator>(8), B<systemd-cryptenroll>(1), B<fstab>(5), B<cryptsetup>(8), "
"B<mkswap>(8), B<mke2fs>(8)"
msgstr ""

#. type: SH
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "NOTES"
msgstr ""

#. type: IP
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid " 1."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Veracrypt Personal Iterations Multiplier"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"\\%https://www.veracrypt.fr/en/"
"Personal%20Iterations%20Multiplier%20%28PIM%29.html"
msgstr ""

#. type: IP
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid " 2."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "RFC7512 PKCS#11 URI"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "\\%https://tools.ietf.org/html/rfc7512"
msgstr ""

#. type: IP
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid " 3."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid "Yubico PIV certificate slots"
msgstr ""

#. type: Plain text
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"\\%https://developers.yubico.com/PIV/Introduction/Certificate_slots.html"
msgstr ""

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "2023-12-18"
msgstr ""

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "cryptsetup 2:2\\&.6\\&.1-4~deb1"
msgstr ""

#. type: TH
#: debian-bookworm debian-unstable
#, no-wrap
msgid "cryptsetup manual"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "crypttab - static information about encrypted filesystems"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The file /etc/crypttab contains descriptive information about encrypted "
"devices\\&. crypttab is only read by programs (e\\&.g\\&. "
"B<cryptdisks_start> and B<cryptdisks_stop>), and not written; it is the duty "
"of the system administrator to properly create and maintain this file\\&. "
"crypttab entries are treated sequentially, so their order matters "
"(dependencies need to listed first)\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Each encrypted device is described on a separate line\\&. Fields on each "
"line are separated by tabs or spaces\\&. Lines starting with \\*(Aq#\\*(Aq "
"are comments, and blank lines are ignored\\&. Octal sequences \\e0I<num> "
"within a field are decoded, which can be used for values containing spaces "
"or special characters\\&. A backslash which doesn\\*(Aqt start an octal "
"sequence yields undefined behavior\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The first field, I<target>, describes the mapped device name\\&. It must be "
"a plain filename without any directory components\\&. A mapped device which "
"encrypts/decrypts data to/from the I<source device> will be created at /dev/"
"mapper/target by B<cryptsetup>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The second field, I<source device>, describes either the block special "
"device or file that contains the encrypted data\\&. Instead of giving the "
"I<source device> explicitly, the UUID (resp\\&. LABEL, PARTUUID and "
"PARTLABEL) is supported as well, using \\(lqUUID=E<lt>uuidE<gt>\\(rq "
"(resp\\&. \\(lqLABEL=E<lt>labelE<gt>\\(rq, "
"\\(lqPARTUUID=E<lt>partuuidE<gt>\\(rq and "
"\\(lqPARTLABEL=E<lt>partlabelE<gt>\\(rq)\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The third field, I<key file>, describes the file to use as a key for "
"decrypting the data of the I<source device>\\&. In case of a I<keyscript>, "
"the value of this field is given as argument to the keyscript\\&. Note that "
"the I<entire> key file will be used as the passphrase; the passphrase must "
"I<not> be followed by a newline character\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"It can also be a device name (e\\&.g\\&. /dev/urandom), note however that "
"LUKS requires a persistent key and therefore does I<not> support random data "
"keys\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"If the I<key file> is the string I<none>, a passphrase will be read "
"interactively from the console\\&. In this case, the options check, "
"checkargs and tries may be useful\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The fourth field, I<options>, is an optional comma-separated list of options "
"and/or flags describing the device type (I<luks>, I<tcrypt>, I<bitlk>, "
"I<fvault2>, or I<plain> which is also the default) and cryptsetup options "
"associated with the encryption process\\&. The supported options are "
"described below\\&. For plain dm-crypt devices the I<cipher>, I<hash> and "
"I<size> options are required\\&. Some options can be changed on active "
"mappings using B<cryptsetup refresh [E<lt>optionsE<gt>] E<lt>nameE<gt>>\\&. "
"Furthermore some options can be permanently written into metadata of LUKS2 "
"headers using cryptsetup\\*(Aqs I<--persistent> flag\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Note that the first three fields are required and that a missing field will "
"lead to unspecified behaviour\\&."
msgstr ""

#. type: SH
#: debian-bookworm debian-unstable
#, no-wrap
msgid "ON DIFFERENT CRYPTTAB FORMATS"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Please note that there are several independent cryptsetup wrappers with "
"their own I<crypttab> format\\&. This manpage covers Debian\\*(Aqs "
"implementation for I<initramfs> scripts and I<SysVinit> init scripts\\&. "
"I<systemd> brings its own I<crypttab> implementation\\&. We try to cover the "
"differences between the I<systemd> and our implementation in this manpage, "
"but if in doubt, better check the I<systemd> B<crypttab>(5) manpage, e\\&."
"g\\&. online at \\m[blue]B<\\%https://www.freedesktop.org/software/systemd/"
"man/crypttab.html>\\m[]\\&."
msgstr ""

#. type: SH
#: debian-bookworm debian-unstable
#, no-wrap
msgid "OPTIONS"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<cipher>=E<lt>cipherE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Encryption algorithm (ignored for LUKS and TCRYPT devices)\\&. See "
"B<cryptsetup -c>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<size>=E<lt>sizeE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Encryption key size (ignored for LUKS and TCRYPT devices)\\&. See "
"B<cryptsetup -s>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<sector-size>=E<lt>bytesE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Sector size\\&. See B<cryptsetup>(8)  for possible values and the default "
"value of this option\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<hash>=E<lt>hashE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Hash algorithm (ignored for LUKS and TCRYPT devices)\\&. See B<cryptsetup -"
"h>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<offset>=E<lt>offsetE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Start offset (ignored for LUKS and TCRYPT devices)\\&. Uses B<cryptsetup -"
"o>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<skip>=E<lt>skipE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Skip sectors at the beginning (ignored for LUKS and TCRYPT devices)\\&. Uses "
"B<cryptsetup -p>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<keyfile-offset>=E<lt>keyfile-offsetE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "Specifies the number of bytes to skip at the start of the key file\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<keyfile-size>=E<lt>keyfile-sizeE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Specifies the maximum number of bytes to read from the key file\\&. The "
"default is to read the whole file up to the compiled-in maximum, that can be "
"queried with B<cryptsetup --help>\\&. This option is ignored for plain dm-"
"crypt devices, as the key file size is then given by the encryption key size "
"(option I<size>)\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<keyslot>=E<lt>slotE<gt>, I<key-slot>=E<lt>slotE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "Key slot (ignored for non-LUKS devices)\\&. See B<cryptsetup -S>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<header>=E<lt>pathE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Detached header file (ignored for plain dm-crypt devices)\\&. See "
"B<cryptsetup --header>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<verify>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "Verify password\\&. Uses B<cryptsetup -y>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<readonly>, I<read-only>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "Set up a read-only mapping\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<tries>=E<lt>numE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Try to unlock the device E<lt>numE<gt> before failing\\&. It\\*(Aqs "
"particularly useful when using a passphrase or a I<keyscript> that asks for "
"interactive input\\&. If you want to disable retries, pass "
"\\(lqtries=1\\(rq\\&. Default is \\(lq3\\(rq\\&. Setting \\(lqtries=0\\(rq "
"means infinitive retries\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<discard>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "Allow using of discards (TRIM) requests for device\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Starting with Debian 10 (Buster), this option is added per default to new dm-"
"crypt devices by the Debian Installer\\&. If you don\\*(Aqt care about "
"leaking access patterns (filesystem type, used space) and don\\*(Aqt have "
"hidden truecrypt volumes inside this volume, then it should be safe to "
"enable this option\\&. See the following warning for further information\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"B<WARNING>: Assess the specific security risks carefully before enabling "
"this option\\&. For example, allowing discards on encrypted devices may lead "
"to the leak of information about the ciphertext device (filesystem type, "
"used space etc\\&.) if the discarded blocks can be located easily on the "
"device later\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<luks>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Force LUKS mode\\&. When this mode is used, the following options are "
"ignored since they are provided by the LUKS header on the device: "
"I<cipher=>, I<hash=>, I<size=>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<plain>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<bitlk>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Force BITLK (Windows BitLocker-compatible) mode\\&. WARNING: I<crypttab> "
"support is currently experimental\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<fvault2>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Force Apple\\*(Aqs FileVault2 mode\\&. Only the (legacy) FileVault2 format "
"based on Core Storage and HFS+ filesystem (introduced in MacOS X 10\\&.7 "
"Lion) is currently supported; the new version of FileVault based on the APFS "
"filesystem used in recent macOS versions is not supported\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<tcrypt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Use TrueCrypt encryption mode\\&. When this mode is used, the following "
"options are ignored since they are provided by the TrueCrypt header on the "
"device or do not apply: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-"
"size=>, I<size=>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<veracrypt>, I<tcrypt-veracrypt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Use VeraCrypt extension to TrueCrypt device\\&. Only useful in conjunction "
"with I<tcrypt> option (ignored for non-TrueCrypt devices)\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<tcrypthidden>, I<tcrypt-hidden>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "Use hidden TCRYPT header (ignored for non-TCRYPT devices)\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<same-cpu-crypt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "Perform encryption using the same cpu that IO was submitted on\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<submit-from-crypt-cpus>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "Disable offloading writes to a separate thread after encryption\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<no-read-workqueue>, I<no-write-workqueue>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Bypass dm-crypt internal workqueue and process read or write requests "
"synchronously\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<swap>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "Run B<mkswap> on the created device\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "This option is ignored for I<initramfs> devices\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<tmp>[=E<lt>tmpfsE<gt>]"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Run B<mkfs> with filesystem type E<lt>tmpfsE<gt> (or ext4 if omitted) on the "
"created device\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<check>[=E<lt>checkE<gt>]"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Check the content of the target device by a suitable program; if the check "
"fails, the device is closed immediately\\&. The program is being run with "
"decrypted volume (target device) as first positional argument and, if the "
"I<checkargs> option is used, its value as second argument\\&. See the "
"CHECKSCRIPTS section for more information\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The program is either specified by full path or relative to /lib/cryptsetup/"
"checks/\\&. If omitted, then the value of $CRYPTDISKS_CHECK set in /etc/"
"default/cryptdisks is used (blkid by default)\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"This option is specific to the Debian I<crypttab> format\\&. It\\*(Aqs not "
"supported by I<systemd>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<checkargs>=E<lt>argumentsE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Give E<lt>argumentsE<gt> as the second argument to the check script\\&. See "
"the CHECKSCRIPTS section for more information\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<initramfs>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The initramfs hook processes the root device, any resume devices and any "
"devices with the I<initramfs> option set\\&. These devices are processed "
"within the initramfs stage of boot\\&. As an example, that allows the use of "
"remote unlocking using dropbear\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<noearly>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The cryptsetup init scripts are invoked twice during the boot process - once "
"before lvm, raid, etc\\&. are started and once again after that\\&. "
"Sometimes you need to start your encrypted disks in a special order\\&. With "
"this option the device is ignored during the first invocation of the "
"cryptsetup init scripts\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"This option is ignored for I<initramfs> devices and specific to the Debian "
"I<crypttab> format\\&. It\\*(Aqs not supported by I<systemd>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<noauto>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Entirely ignore the device at the boot process\\&. It\\*(Aqs still possible "
"to map the device manually using cryptdisks_start\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<loud>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Be loud\\&. Print warnings if a device does not exist\\&. This option "
"overrides the option I<quiet>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<quiet>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Be quiet\\&. Don\\*(Aqt print warnings if a device does not exist\\&. This "
"option overrides the option I<loud>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<keyscript>=E<lt>pathE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The executable at the indicated path is executed with the value of the "
"I<third field> as only argument\\&. The keyscript\\*(Aqs standard output is "
"passed to cryptsetup as decyption key\\&. Its exit status is currently "
"ignored, but no assumption should be made in that regard\\&. When used in "
"initramfs, the executable either needs to be self-contained (i\\&.e\\&. "
"doesn\\*(Aqt rely on any external program which is not present in the "
"initramfs environment) or the dependencies have to added to the initramfs "
"image by other means\\&. The program is either specified by full path or "
"relative to /lib/cryptsetup/scripts/\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"LIMITATIONS: All binaries and files on which the keyscript depends must be "
"available at the time of execution\\&. Special care needs to be taken for "
"encrypted filesystems like /usr or /var\\&. As an example, unlocking "
"encrypted /usr must not depend on binaries from /usr/(s)bin\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"WARNING: With systemd as init system, this option might be ignored\\&. At "
"the time this is written (December 2016), the systemd cryptsetup helper "
"doesn\\*(Aqt support the keyscript option to /etc/crypttab\\&. For the time "
"being, the only option to use keyscripts along with systemd is to force "
"processing of the corresponding crypto devices in the initramfs\\&. See the "
"\\*(Aqinitramfs\\*(Aq option for further information\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"All fields of the appropriate crypttab entry are available to the keyscript "
"as exported environment variables:"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "CRYPTTAB_NAME, _CRYPTTAB_NAME"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "The target name (after resp\\&. before octal sequence decoding)\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "CRYPTTAB_SOURCE, _CRYPTTAB_SOURCE"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The source device (after resp\\&. before octal sequence decoding and device "
"resolution)\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "CRYPTTAB_KEY, _CRYPTTAB_KEY"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The value of the third field (after resp\\&. before octal sequence "
"decoding)\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "CRYPTTAB_OPTIONS, _CRYPTTAB_OPTIONS"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"A list of exported crypttab options (after resp\\&. before octal sequence "
"decoding)\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "CRYPTTAB_OPTION_E<lt>optionE<gt>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The value of the appropriate crypttab option, with value set to "
"\\*(Aqyes\\*(Aq in case the option is merely a flag\\&. For option aliases, "
"such as \\*(Aqreadonly\\*(Aq and \\*(Aqread-only\\*(Aq, the variable name "
"refers to the first alternative listed (thus "
"\\*(AqCRYPTTAB_OPTION_readonly\\*(Aq in that case)\\&. If the crypttab "
"option name contains \\*(Aq-\\*(Aq characters, then they are replaced with "
"\\*(Aq_\\*(Aq in the exported variable name\\&. For instance, the value of "
"the \\*(AqCRYPTTAB_OPTION_keyfile_offset\\*(Aq environment variable is set "
"to the value of the \\*(Aqkeyfile-offset\\*(Aq crypttab option\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "CRYPTTAB_TRIED"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Number of previous tries since start of cryptdisks (counts until maximum "
"number of tries is reached)\\&."
msgstr ""

#. type: SH
#: debian-bookworm debian-unstable
#, no-wrap
msgid "CHECKSCRIPTS"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<blkid>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Checks for any known filesystem\\&. Supports a filesystem type as argument "
"via E<lt>checkargsE<gt>:"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"no checkargs - succeeds if any valid filesystem is found on the device\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "\"none\" - succeeds if no valid filesystem is found on the device\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"\"ext4\" [or another filesystem type like xfs, swap, crypto_LUKS, \\&.\\&."
"\\&.] - succeeds if ext4 filesystem is found on the device\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<un_blkid>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Checks for no known filesystem\\&. Supports a filesystem type as argument "
"via E<lt>checkargsE<gt>:"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"no checkargs - succeeds if no valid filesystem is found on the device\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"\"ext4\" [or another filesystem type like xfs, swap, crypto_LUKS, \\&.\\&."
"\\&.] - succeeds if no ext4 filesystem is found on the device\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
#, no-wrap
msgid ""
"# Encrypted swap device\n"
"cswap /dev/sda6 /dev/urandom plain,cipher=aes-xts-plain64,size=256,hash=sha1,swap\n"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
#, no-wrap
msgid ""
"# Encrypted LUKS disk with interactive password, identified by its UUID, discard enabled\n"
"cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks,discard\n"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
#, no-wrap
msgid ""
"# Encrypted TCRYPT disk with interactive password, discard enabled\n"
"tdisk0 /dev/sr0 none tcrypt,discard\n"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
#, no-wrap
msgid ""
"# Encrypted ext4 disk with interactive password, discard enabled\n"
"# - retry 5 times if the check fails\n"
"cdisk1 /dev/sda2 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check,checkargs=ext4,tries=5,discard\n"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
#, no-wrap
msgid ""
"# Encrypted disk with interactive password, discard enabled\n"
"# - use a nondefault check script\n"
"# - no retries\n"
"cdisk2 /dev/sdc1 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check=customscript,tries=1,discard\n"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
#, no-wrap
msgid ""
"# Encrypted disk with interactive password, discard enabled\n"
"# - Twofish as the cipher, RIPEMD-160 as the hash\n"
"cdisk3 /dev/sda3 none plain,cipher=twofish,size=256,hash=ripemd160,discard\n"
msgstr ""

#. type: SH
#: debian-bookworm debian-unstable
#, no-wrap
msgid "ENVIRONMENT"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<CRYPTDISKS_ENABLE>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Set to I<yes> to run cryptdisks initscripts at startup\\&. Set to I<no> to "
"disable cryptdisks initscripts\\&. Default is I<yes>\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<CRYPTDISKS_MOUNT>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Specifies the mountpoints that are mounted before cryptdisks is invoked\\&. "
"Takes mountpoints configured in /etc/fstab as arguments\\&. Separate "
"mountpoints by space\\&. This is useful for keys on removable devices, such "
"as cdrom, usbstick, flashcard, etc\\&. Default is unset\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid "I<CRYPTDISKS_CHECK>"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Specifies the default checkscript to be run against the target device, after "
"cryptdisks has been invoked\\&. The target device is passed as the first and "
"only argument to the checkscript\\&. Takes effect if the I<check> option is "
"given in crypttab with no value\\&. See documentation for I<check> option "
"above for more information\\&."
msgstr ""

#. type: SH
#: debian-bookworm debian-unstable
#, no-wrap
msgid "KNOWN UPGRADE ISSUES"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"The upstream defaults for encryption cipher, hash and keysize have changed "
"several times in the past, and they\\*(Aqre expected to change again in "
"future, for example if security issues arise\\&. On LUKS devices, the used "
"settings are stored in the LUKS header, and thus don\\*(Aqt need to be "
"configured in /etc/crypttab\\&. For plain dm-crypt devices, no information "
"about used cipher, hash and keysize are available at all\\&. Therefore we "
"strongly suggest to configure the cipher, hash and keysize in /etc/crypttab "
"for plain dm-crypt devices, even if they match the current default\\&."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"B<cryptsetup>(8), B<cryptdisks_start>(8), B<cryptdisks_stop>(8), /usr/share/"
"doc/cryptsetup-initramfs/README\\&.initramfs\\&.gz"
msgstr ""

#. type: SH
#: debian-bookworm debian-unstable
#, no-wrap
msgid "AUTHOR"
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"This manual page was originally written by Bastian Kleineidam "
"E<lt>calvin@debian\\&.orgE<gt> for the Debian distribution of cryptsetup\\&. "
"It has been further improved by Michael Gebetsroither E<lt>michael\\&."
"geb@gmx\\&.atE<gt>, David Härdeman E<lt>david@hardeman\\&.nuE<gt> and Jonas "
"Meurer E<lt>jonas@freesources\\&.orgE<gt>\\&."
msgstr ""

#. type: TH
#: debian-unstable
#, no-wrap
msgid "2024-04-14"
msgstr ""

#. type: TH
#: debian-unstable
#, no-wrap
msgid "cryptsetup 2:2\\&.7\\&.2-2"
msgstr ""

#. type: Plain text
#: fedora-40
msgid ""
"For the latter five mechanisms the source for the key material used for "
"unlocking the volume is primarily configured in the third field of each /etc/"
"crypttab line, but may also configured in /etc/cryptsetup-keys\\&.d/ and /"
"run/cryptsetup-keys\\&.d/ (see above) or in the LUKS2 JSON token header (in "
"case of the latter three)\\&. Use the B<systemd-cryptenroll>(1)  tool to "
"enroll PKCS#11, FIDO2 and TPM2 devices in LUKS2 volumes\\&."
msgstr ""

#. type: Plain text
#: fedora-40
msgid ""
"If the key file path (as specified in the third column of /etc/crypttab "
"entries, see above) refers to an B<AF_UNIX> stream socket in the file "
"system, the key is acquired by connecting to the socket and reading the key "
"from the connection\\&. The connection is made from an B<AF_UNIX> socket "
"name in the abstract namespace, see B<unix>(7)  for details\\&. The source "
"socket name is chosen according the following format:"
msgstr ""

#. type: TH
#: fedora-rawhide
#, no-wrap
msgid "systemd 256~rc3"
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"The key may be acquired via a PKCS#11 compatible hardware security token or "
"smartcard\\&. In this case a saved key used in unlock process is stored on "
"disk/removable media, acquired via B<AF_UNIX>, or stored in the LUKS2 JSON "
"token metadata header\\&. For RSA, the saved key is an encrypted volume "
"key\\&. The encrypted volume key is then decrypted by the PKCS#11 token with "
"an RSA private key stored on it, and used to unlock the encrypted volume\\&. "
"For elliptic-curve (EC) cryptography, the saved key is the public key "
"generated in enrollment process\\&. The public key is then used to derive a "
"shared secret with a private key stored in the PKCS#11 token\\&. The derived "
"shared secret is then used to unlock the volume\\&. Use the B<pkcs11-uri=> "
"option described below to use this mechanism\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid "B<link-volume-key=>"
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"Specifies the kernel keyring and key description (see B<keyrings>(7)) where "
"LUKS2 volume key gets linked during device activation\\&. The kernel keyring "
"description and key description must be separated by \"::\"\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"The kernel keyring part can be a string description or a predefined kernel "
"keyring prefixed with \"@\" (e\\&.g\\&.: to use \"@s\" session or \"@u\" "
"user keyring directly)\\&. The type prefix text in the kernel keyring "
"description is not required\\&. The specified kernel keyring must already "
"exist at the time of device activation\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"The key part is a string description optionally prefixed by a \"%key_type:"
"\"\\&. If no type is specified, the \"user\" type key is linked by "
"default\\&. See B<keyctl>(1)  for more information on key descriptions (KEY "
"IDENTIFIERS section)\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"Note that the linked volume key is not cleaned up automatically when the "
"device is detached\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid "Added in version 256\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"This device will not be a hard dependency of cryptsetup\\&.target\\&. "
"It\\*(Aqll still be pulled in and started, but the system will not wait for "
"the device to show up and be unlocked, and boot will not fail if this is "
"unsuccessful\\&. Note that other units that depend on the unlocked device "
"may still fail\\&. In particular, if the device is used for a mount point, "
"the mount point itself also needs to have the B<nofail> option, or the boot "
"will fail if the device is not unlocked successfully\\&. If a keyfile and/or "
"a B<header> are specified, the dependencies on their respective directories "
"will also not be fatal, so that umounting said directories will not cause "
"the generated cryptset unit to be deactivated\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid "B<Warning>"
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"Using the B<swap> option will destroy the contents of the named partition "
"during every boot, so make sure the underlying block device is specified "
"correctly\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"Using the B<tmp> option will destroy the contents of the named partition "
"during every boot, so make sure the underlying block device is specified "
"correctly\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"Takes either the special value \"auto\" or an \\m[blue]B<RFC7512 PKCS#11 "
"URI>\\m[]\\&\\s-2\\u[2]\\d\\s+2 pointing to a private key which is used to "
"decrypt the encrypted key specified in the third column of the line\\&. This "
"is useful for unlocking encrypted volumes through PKCS#11 compatible "
"security tokens or smartcards\\&. See below for an example how to set up "
"this mechanism for unlocking a LUKS2 volume with a YubiKey security token\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"If specified as \"auto\" the volume must be of type LUKS2 and must carry "
"PKCS#11 security token metadata in its LUKS2 JSON token section\\&. In this "
"mode the URI and the encrypted key are automatically read from the LUKS2 "
"JSON token header\\&. Use B<systemd-cryptenroll>(1)  as a simple tool for "
"enrolling PKCS#11 security tokens or smartcards in a way compatible with "
"\"auto\"\\&. In this mode the third column of the line should remain empty "
"(that is, specified as \"-\")\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"The specified URI can refer directly to a private key stored on a token or "
"alternatively just to a slot or token, in which case a search for a suitable "
"private key will be performed\\&. In this case if multiple suitable objects "
"are found the token is refused\\&. The keyfile configured in the third "
"column of the line is used as is (i\\&.e\\&. in binary form, "
"unprocessed)\\&. The resulting decrypted key (for RSA) or derived shared "
"secret (for ECC) is then Base64 encoded before it is used to unlock the LUKS "
"volume\\&."
msgstr ""

#. type: Plain text
#: fedora-rawhide
msgid ""
"The PKCS#11 logic allows hooking up any compatible security token that is "
"capable of storing RSA or EC cryptographic keys for unlocking an encrypted "
"volume\\&. Here\\*(Aqs an example how to set up a Yubikey security token for "
"this purpose on a LUKS2 volume, using B<ykmap>(1)  from the yubikey-manager "
"project to initialize the token and B<systemd-cryptenroll>(1)  to add it in "
"the LUKS2 volume:"
msgstr ""