mount.crypt(8) pam_mount mount.crypt(8)Name
mount.crypt - mount a dm-crypt encrypted volume
Syntax
mount.crypt [-nrv] [-o options] device directory
Options-o options
Set further mount options. mount.crypt will take out its own options it recognizes and passes any remaining options on to the under-
lying mount program. See below for possible options.
-n Do not update /etc/mtab. Note that this makes it impossible to unmount the volume by naming the container - you will have to pass
the mountpoint to umount.crypt.
-r Set up the loop device (if necessary) and crypto device in read-only mode. (The mount itself will necessarily also be read-only.)
Note that doing a remount using `mount /mnt -o remount,rw` will not make the mount readwrite. The crypto and loop devices will have
to be disassociated first.
-v Turn on debugging and be a bit more verbose.
Mount options
cipher The cryptsetup cipher used for the encrypted volume. This option is mandatory. pmt-ehd(8) defaults to creating volumes with
"aes-cbc-essiv:sha256" as a cipher.
dm-timeout=seconds
Wait at most this many seconds for udev to create /dev/mapper/name after calling cryptsetup(8). The default value is 0 seconds.
fsck Run fsck on the container before mounting it.
fsk_cipher
The OpenSSL cipher used for the filesystem key.
fsk_hash
The OpenSSL hash used for producing key and IV.
fstype The exact type of filesystem in the encrypted container. The default is to let the kernel autodetect.
keyfile
The path to the key file. This option is mandatory for "normal" crypto volumes and should not be used for LUKS volumes.
remount
Causes the filesystem to be remounted with new options. Note that mount.crypt cannot switch the underlying loop device (if applies)
or the crypto device between read-only and read-write once it is created; only the actual filesystem mount can be changed, with lim-
its. If the loop device is read-only, the crypto device will be read-only, and changing the mount to read-write is impossible. Sim-
ilarly, going from rw to ro will only mark the mount read-only, but not the crypto or loop device, thus making it impossible to set
the filesystem the crypto container is located on to read-only.
ro Same as the -r option.
verbose
Same as the -v option.
Obsolete mount options
This section is provided for reference.
loop This option used to set up a loop device, because cryptsetup(8) expects a block device. The option is ignored because mount.crypt
can figure this out on its own.
pam_mount 2008-10-08 mount.crypt(8)
Check Out this Related Man Page
CRYPTTAB(5) Cryptsetup Manual CRYPTTAB(5)NAME
crypttab - static information about crypted filesystems
SYNOPSIS
crypttab
NAME DEVICE KEY OPTIONS
DESCRIPTION
The file /etc/crypttab contains descriptive informations about encrypted volumes. Each volume is described on a separate line; columns on
each line are separated by tabs or spaces. Lines starting with "#" are comments, empty lines are ignored. The order of records in crypttab
is important because the /etc/init.d/boot.crypto script sequentially iterates through crypttab entries. All four columns are mandatory,
missing or excessive columns will lead to unspecified behaviour.
o The first column, NAME specifies the mapped device name. It must be a plain filename without any directories. A mapped device
/dev/mapper/NAME will be created by cryptsetup(8) crypting data from and onto the DEVICE.
To actually mount that device it needs to be listed in /etc/fstab.
o The second column DEVICE specifies the block special device that should hold the encrypted data.
o The third column KEY specifies a file containing the raw binary key to use for decrypting the encrypted data of DEVICE. The key file
can also be a device name (e.g. /dev/urandom, which is useful for encrypted swap devices).
If KEY is the string none, the key data (i.e. a password or passphrase) will be read interactively from the console. In this case the
options precheck, check, checkargs and tries may be useful.
Warning: luks does not support infinite streams (like /dev/urandom), it requires a fixed size key. Typically one uses none for luks.
o The fourth field OPTIONS specifies the cryptsetup options associated with the encryption process. At minimum, the field should contain
the string luks or the cipher, hash and size options.
Options have to be specified in the format: key=value[,key=value ...]
OPTIONS
cipher=<cipher>
Encryption algorithm. See cryptsetup -c.
size=<size>
Encryption key size. See cryptsetup -s.
hash=<hash>
Hash algorithm. See cryptsetup -h.
verify
Verify password. See cryptsetup -y.
readonly
The backing device is read-only (eg: a dvd).
luks
Use device with luks extensions.
swap
Run mkswap on the created device.
tmp
Run mkfs on the created device. The file system to use is specified in /etc/fstab. If /etc/fstab does not list the mapped device, ext2
is used as fallback.
check[=<program>]
Check the content of the mapped device by a suitable program; if the check fails the device is removed. The specified program is run
giving the decrypted volume (/dev/mapper/NAME) as first and the value of the checkargs option as second argument. Cryptdisks searches
for the given program in /lib/cryptsetup/checks/. If no program is specified, vol_id is used.
checkargs=<argument>
Pass <argument> as second argument to the check script
precheck=<program>
Check the source device by suitable program; if the check fails the device is not created; <precheck> is a script to check the source
device. The source device is given as argument to the script. See also the check option.
tries=<num>
Prompt for the passphrase at most <num> times if the entered passphrase was wrong. Defaults is 3. Setting to 0 enabled infinite
retries.
timeout=<sec>
Time out interactive password prompts after <sec> seconds.
loop
Always attach a loop device before mapping the device. Normally a loop device is used automatically only for image files. Useful if the
block size of the physical device does not match the block size of the contained file system. E.g. ext2 on a CD.
noauto
Causes boot.crypto to skip this record during boot. To activate this volume later use: /etc/init.d/boot.crypto start <name>
noearly
boot.crypto is invoked two times. The first time as boot.crypto-early before LVM and MD setup and the second time as boot.crypto after
mounting local filesystems. This option skips the setup of the device in the first invocation. It might be needed for crypto file
container existing on local filesystems other then root.
initrd
tells mkinitrd to activate this device in the initrd already. Only LUKS and no other options are supported. The root partition is
detected automatically by mkinitrd and doesn't need this option explicitly.
pseed=<string>
Set a string that is appended to the passphrase after hashing. Using different seeds for volumes with the same passphrase makes
dictionary attacks harder. Use for compatability with loop-AES.
itercountk=<num>
Encrypts the hashed password <num> thousand times using AES-256. Use for compatability with loop-AES.
keyscript=<path>
Calls <path> and uses the output passphrase or key. If <path> is not absolute /lib/cryptsetup/scripts is prepended. The only argument
passed to the specified program is the value of the key column. keyscript also works in the initrd if the specified program is self
contained. To use the output as raw key specify hash=plain so cryptsetup doesn't hash it's input. Note that use of a keyscript is not
supported by YaST so distribution updates could be problematic when used on mandatory partitions.
loud, ssl, gpg
not supported. Listed here as they are supported by Debian.
CHECKSCRIPTS
check scripts are installed in /lib/cryptsetup/checks/ and are called either before (precheck option) or after (check option) the dm-crypt
target is set up.
vol_id
Checks for any known filesystem. Supports a filesystem type as argument via <checkargs>:
no checkargs
succeeds if any valid filesystem is found on the device.
"none"
succeeds if no valid filesystem is found on the device.
"ext3", "xfs", "swap" etc
succeeds if the given filesystem type is found on the device.
UNLOCKING DEVICES AT BOOT TIME
There are three ways to unlock encrypted partitions during boot
o initrd: the root file system as well as any device listed in crypttab with option initrd are unlocked by the scripts in the initrd
already.
o before mounting local file systems: the init script boot.crypto-early runs before the scripts that fsck and mount additional
filesystems. This is the preferred way to unlock devices as the normal fsck and mount scripts can handle the device later in the boot
process.
o after mounting local file systems: the boot.crypto init script is the traditional way of unlocking crypto devices. It runs after fsck
and mount of local file systems. boot.crypto should only be used for loop mounted images nowadays.
FSCK
fsck is run on unlocked, encrypted devices if the fs_passno value in fstab is non zero.
EXAMPLES
Encrypted swap device
cr_sda6 /dev/sda6 /dev/random swap
Encrypted luks volume with interactive password
cr_sda1 /dev/sda1 none luks
Encrypted luks volume with interactive password, use a custom check script, no retries
cr_sdc1 /dev/sdc1 none luks,check=customscript,checkargs=foo,tries=1
Encrypted volume with interactive password and a cryptoloop compatible twofish256 cipher
cr_sda3 /dev/sda3 none cipher=twofish-cbc-plain,size=256,hash=sha512
SEE ALSO cryptsetup(8), /etc/crypttab, fstab(8)AUTHOR
Manual page converted to asciidoc by Michael Gebetsroither <michael.geb@gmx.at>. Originally written by Bastian Kleineidam
<calvin@debian.org> for the Debian distribution of cryptsetup. Improved by Jonas Meurer <jonas@freesources.org>. Modified for SUSE Linux by
Ludwig Nussel <ludwig.nussel@suse.de>. Parts of this manual were taken and adapted from the fstab(5) manual page.
cryptsetup 02/02/2010 CRYPTTAB(5)