systemd-cryptsetup(8) — Linux manual page



NAME         top

       systemd-cryptsetup@.service, systemd-cryptsetup - Full disk
       decryption logic

SYNOPSIS         top



DESCRIPTION         top

       systemd-cryptsetup@.service is a service responsible for setting up
       encrypted block devices. It is instantiated for each device that
       requires decryption for access.

       systemd-cryptsetup@.service will ask for hard disk passwords via the
       password agent logic[1], in order to query the user for the password
       using the right mechanism at boot and during runtime.

       At early boot and when the system manager configuration is reloaded,
       /etc/crypttab is translated into systemd-cryptsetup@.service units by

       In order to unlock a volume a password or binary key is required.
       systemd-cryptsetup@.service tries to acquire a suitable password or
       binary key via the following mechanisms, tried in order:

        1. If a key file is explicitly configured (via the third column in
           /etc/crypttab), a key read from it is used. If a PKCS#11 token is
           configured (using the pkcs11-uri= option) the key is decrypted
           before use.

        2. If no key file is configured explicitly this way, a key file is
           automatically loaded from /etc/cryptsetup-keys.d/volume.key and
           /run/cryptsetup-keys.d/volume.key, if present. Here too, if a
           PKCS#11 token is configured, any key found this way is decrypted
           before use.

        3. If the try-empty-password option is specified it is then
           attempted to unlock the volume with an empty password.

        4. The kernel keyring is then checked for a suitable cached password
           from previous attempts.

        5. Finally, the user is queried for a password, possibly multiple

       If no suitable key may be acquired via any of the mechanisms
       describes above, volume activation fails.

SEE ALSO         top

       systemd(1), systemd-cryptsetup-generator(8), crypttab(5),

NOTES         top

        1. password agent logic

COLOPHON         top

       This page is part of the systemd (systemd system and service manager)
       project.  Information about the project can be found at 
       ⟨⟩.  If you have a bug
       report for this manual page, see
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨⟩ on 2020-11-01.  (At that
       time, the date of the most recent commit that was found in the repos‐
       itory was 2020-11-01.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or im‐
       provements to the information in this COLOPHON (which is not part of
       the original manual page), send a mail to

systemd 247                                   SYSTEMD-CRYPTSETUP@.SERVICE(8)

Pages that refer to this page: 30-systemd-environment-d-generator(7)systemd.index(7)