man-pages/man8/systemd-cryptsetup-generator.8.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of SYSTEMD-CRYPTSETUP-GENERATOR</TITLE>
</HEAD><BODY>
<H1>SYSTEMD-CRYPTSETUP-GENERATOR</H1>
Section: systemd-cryptsetup-generator (8)<BR>Updated: <BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>





















<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

systemd-cryptsetup-generator - Unit generator for /etc/crypttab
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<P>

/lib/systemd/system-generators/systemd-cryptsetup-generator
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<P>

systemd-cryptsetup-generator
is a generator that translates
/etc/crypttab
into native systemd units early at boot and when configuration of the system manager is reloaded. This will create
<B><A HREF="mailto:systemd-cryptsetup@.service">systemd-cryptsetup@.service</A></B>(8)
units as necessary.
<P>

systemd-cryptsetup-generator
implements
<B><A HREF="/cgi-bin/man/man2html?7+systemd.generator">systemd.generator</A></B>(7).
<A NAME="lbAE">&nbsp;</A>
<H2>KERNEL COMMAND LINE</H2>

<P>

systemd-cryptsetup-generator
understands the following kernel command line parameters:
<P>

<I>luks=</I>, <I>rd.luks=</I>
<DL COMPACT><DT id="1"><DD>
Takes a boolean argument. Defaults to
&quot;yes&quot;. If
&quot;no&quot;, disables the generator entirely.
<I>rd.luks=</I>
is honored only by initial RAM disk (initrd) while
<I>luks=</I>
is honored by both the main system and the initrd.
</DL>

<P>

<I>luks.crypttab=</I>, <I>rd.luks.crypttab=</I>
<DL COMPACT><DT id="2"><DD>
Takes a boolean argument. Defaults to
&quot;yes&quot;. If
&quot;no&quot;, causes the generator to ignore any devices configured in
/etc/crypttab
(<I>luks.uuid=</I>
will still work however).
<I>rd.luks.crypttab=</I>
is honored only by initial RAM disk (initrd) while
<I>luks.crypttab=</I>
is honored by both the main system and the initrd.
</DL>

<P>

<I>luks.uuid=</I>, <I>rd.luks.uuid=</I>
<DL COMPACT><DT id="3"><DD>
Takes a LUKS superblock UUID as argument. This will activate the specified device as part of the boot process as if it was listed in
/etc/crypttab. This option may be specified more than once in order to set up multiple devices.
<I>rd.luks.uuid=</I>
is honored only by initial RAM disk (initrd) while
<I>luks.uuid=</I>
is honored by both the main system and the initrd.
<P>
If /etc/crypttab contains entries with the same UUID, then the name, keyfile and options specified there will be used. Otherwise, the device will have the name
&quot;luks-UUID&quot;.
<P>
If /etc/crypttab exists, only those UUIDs specified on the kernel command line will be activated in the initrd or the real root.
</DL>

<P>

<I>luks.name=</I>, <I>rd.luks.name=</I>
<DL COMPACT><DT id="4"><DD>
Takes a LUKS super block UUID followed by an
&quot;=&quot;
and a name. This implies
<I>rd.luks.uuid=</I>
or
<I>luks.uuid=</I>
and will additionally make the LUKS device given by the UUID appear under the provided name.
<P>
<I>rd.luks.name=</I>
is honored only by initial RAM disk (initrd) while
<I>luks.name=</I>
is honored by both the main system and the initrd.
</DL>

<P>

<I>luks.options=</I>, <I>rd.luks.options=</I>
<DL COMPACT><DT id="5"><DD>
Takes a LUKS super block UUID followed by an
&quot;=&quot;
and a string of options separated by commas as argument. This will override the options for the given UUID.
<P>
If only a list of options, without an UUID, is specified, they apply to any UUIDs not specified elsewhere, and without an entry in
/etc/crypttab.
<P>
<I>rd.luks.options=</I>
is honored only by initial RAM disk (initrd) while
<I>luks.options=</I>
is honored by both the main system and the initrd.
</DL>

<P>

<I>luks.key=</I>, <I>rd.luks.key=</I>
<DL COMPACT><DT id="6"><DD>
Takes a password file name as argument or a LUKS super block UUID followed by a
&quot;=&quot;
and a password file name.
<P>
For those entries specified with
<I>rd.luks.uuid=</I>
or
<I>luks.uuid=</I>, the password file will be set to the one specified by
<I>rd.luks.key=</I>
or
<I>luks.key=</I>
of the corresponding UUID, or the password file that was specified without a UUID.
<P>
It is also possible to specify an external device which should be mounted before we attempt to unlock the LUKS device. systemd-cryptsetup will use password file stored on that device. Device containing password file is specified by appending colon and a device identifier to the password file path. For example,
<I>rd.luks.uuid=</I>b40f1abf-2a53-400a-889a-2eccc27eaa40
<I>rd.luks.key=</I>b40f1abf-2a53-400a-889a-2eccc27eaa40=/keyfile:LABEL=keydev. Hence, in this case, we will attempt to mount file system residing on the block device with label
&quot;keydev&quot;. This syntax is for now only supported on a per-device basis, i.e. you have to specify LUKS device UUID.
<P>
<I>rd.luks.key=</I>
is honored only by initial RAM disk (initrd) while
<I>luks.key=</I>
is honored by both the main system and the initrd.
</DL>

<A NAME="lbAF">&nbsp;</A>
<H2>SEE ALSO</H2>

<P>

<B><A HREF="/cgi-bin/man/man2html?1+systemd">systemd</A></B>(1),
<B><A HREF="/cgi-bin/man/man2html?5+crypttab">crypttab</A></B>(5),
<B><A HREF="mailto:systemd-cryptsetup@.service">systemd-cryptsetup@.service</A></B>(8),
<B><A HREF="/cgi-bin/man/man2html?8+cryptsetup">cryptsetup</A></B>(8),
<B><A HREF="/cgi-bin/man/man2html?8+systemd-fstab-generator">systemd-fstab-generator</A></B>(8)
<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="7"><A HREF="#lbAB">NAME</A><DD>
<DT id="8"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="9"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="10"><A HREF="#lbAE">KERNEL COMMAND LINE</A><DD>
<DT id="11"><A HREF="#lbAF">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:16 GMT, March 31, 2021
</BODY>
</HTML>