1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
'\" t
.TH "SYSTEMD\-CRYPTSETUP" "8" "" "systemd 255" "systemd-cryptsetup"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
systemd-cryptsetup, systemd-cryptsetup@.service \- Full disk decryption logic
.SH "SYNOPSIS"
.HP \w'\fBsystemd\-cryptsetup\fR\ 'u
\fBsystemd\-cryptsetup\fR [OPTIONS...] attach VOLUME SOURCE\-DEVICE [KEY\-FILE] [CONFIG]
.HP \w'\fBsystemd\-cryptsetup\fR\ 'u
\fBsystemd\-cryptsetup\fR [OPTIONS...] detach VOLUME
.PP
systemd\-cryptsetup@\&.service
.PP
system\-systemd\ex2dcryptsetup\&.slice
.SH "DESCRIPTION"
.PP
systemd\-cryptsetup
is used to set up (with
\fBattach\fR) and tear down (with
\fBdetach\fR) access to an encrypted block device\&. It is primarily used via
systemd\-cryptsetup@\&.service
during early boot, but may also be be called manually\&. The positional arguments
\fIVOLUME\fR,
\fISOURCE\-DEVICE\fR,
\fIKEY\-FILE\fR, and
\fICRYPTTAB\-OPTIONS\fR
have the same meaning as the fields in
\fBcrypttab\fR(5)\&.
.PP
systemd\-cryptsetup@\&.service
is a service responsible for providing access to encrypted block devices\&. It is instantiated for each device that requires decryption\&.
.PP
systemd\-cryptsetup@\&.service
instances are part of the
system\-systemd\ex2dcryptsetup\&.slice
slice, which is destroyed only very late in the shutdown procedure\&. This allows the encrypted devices to remain up until filesystems have been unmounted\&.
.PP
systemd\-cryptsetup@\&.service
will ask for hard disk passwords via the
\m[blue]\fBpassword agent logic\fR\m[]\&\s-2\u[1]\d\s+2, in order to query the user for the password using the right mechanism at boot and during runtime\&.
.PP
At early boot and when the system manager configuration is reloaded,
/etc/crypttab
is translated into
systemd\-cryptsetup@\&.service
units by
\fBsystemd-cryptsetup-generator\fR(8)\&.
.PP
In order to unlock a volume a password or binary key is required\&.
systemd\-cryptsetup@\&.service
tries to acquire a suitable password or binary key via the following mechanisms, tried in order:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
If a key file is explicitly configured (via the third column in
/etc/crypttab), a key read from it is used\&. If a PKCS#11 token, FIDO2 token or TPM2 device is configured (using the
\fIpkcs11\-uri=\fR,
\fIfido2\-device=\fR,
\fItpm2\-device=\fR
options) the key is decrypted before use\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
If no key file is configured explicitly this way, a key file is automatically loaded from
/etc/cryptsetup\-keys\&.d/\fIvolume\fR\&.key
and
/run/cryptsetup\-keys\&.d/\fIvolume\fR\&.key, if present\&. Here too, if a PKCS#11/FIDO2/TPM2 token/device is configured, any key found this way is decrypted before use\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
If the
\fItry\-empty\-password\fR
option is specified then unlocking the volume with an empty password is attempted\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 4." 4.2
.\}
The kernel keyring is then checked for a suitable cached password from previous attempts\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 5." 4.2
.\}
Finally, the user is queried for a password, possibly multiple times, unless the
\fIheadless\fR
option is set\&.
.RE
.PP
If no suitable key may be acquired via any of the mechanisms describes above, volume activation fails\&.
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1),
\fBsystemd-cryptsetup-generator\fR(8),
\fBcrypttab\fR(5),
\fBsystemd-cryptenroll\fR(1),
\fBcryptsetup\fR(8),
\m[blue]\fBTPM2 PCR Measurements Made by systemd\fR\m[]\&\s-2\u[2]\d\s+2
.SH "NOTES"
.IP " 1." 4
password agent logic
.RS 4
\%https://systemd.io/PASSWORD_AGENTS/
.RE
.IP " 2." 4
TPM2 PCR Measurements Made by systemd
.RS 4
\%https://systemd.io/TPM2_PCR_MEASUREMENTS
.RE
|
