LINUX disk encryption-CRYPTO (2)

Source: Internet
Author: User

NAME
    /etc/crypttab - encrypted block device table

The fourth field, if present, is a comma-delimited list of options. The following options are recognized:

cipher=cipher
    Specifies the cipher to use; see cryptsetup(8) for possible values and the default value of this option. A cipher with unpredictable IV values, such as aes-cbc-essiv:sha256, is recommended.

size=size
    Specifies the key size in bits; see cryptsetup(8) for possible values and the default value of this option.

hash=hash
    Specifies the hash to use for password hashing; see cryptsetup(8) for possible values and the default value of this option.

verify
    If the encryption password is read from console, it has to be entered twice (to prevent typos).

swap
    The encrypted block device will be used as a swap partition, and will be formatted as a swap partition after setting up the encrypted block device. The underlying block device will be formatted again as an unencrypted swap partition after destroying the encrypted block device. (This allows sharing a single swap partition between operating system installations, with some of them encrypting the swap partitions and some of them not.)

    WARNING: Using the swap option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly.

tmp
    The encrypted block device will be prepared for using it as a tmp partition: it will be formatted using mke2fs and its root directory will be set to mode 01777. The warning about the swap option applies here as well.

No options can be specified for LUKS encrypted partitions.

NAME
    cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)

OPTIONS

--hash, -h
    Specifies the hash to use for password hashing. This option is only relevant for the "create" action. The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported.

--cipher, -c
    Set cipher specification string. Usually, this is "aes-cbc-plain". For pre-2.6.10 kernels, use "aes-plain", as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256".

--verify-passphrase, -y
    Query for passwords twice. Useful when creating a (regular) mapping for the first time, or when running luksFormat.

--key-file, -d
    Use file as key material. With LUKS, key material supplied in key files via -d is always used for existing passphrases. If you want to set a new key via a key file, you have to use a positional arg to luksFormat or luksAddKey.

--key-size, -s
    Set key size in bits. Usually, this is 128, 192 or 256. Can be used for create or luksFormat; all other LUKS actions will ignore this flag, as the key size is specified by the partition header.

--size, -b
    Force the size of the underlying device in sectors.

--offset, -o
    Start offset in the backend device.

--skip, -p
    How many sectors of the encrypted data to skip at the beginning. This is different from the --offset option with respect to IV calculations. Using --offset will shift the IV calculation by the same negative amount. Hence, if --offset n, sector n will be the first sector on the mapping with IV 0. Using --skip would have resulted in sector n being the first sector also, but with IV n.

--readonly
    Set up a read-only mapping.

--iter-time, -i
    The number of microseconds to spend with PBKDF2 password processing. This option is only relevant to LUKS key setting operations such as luksFormat or luksAddKey.

--batch-mode, -q
    Do not ask for confirmation. This option is only relevant for luksFormat.

--timeout, -t
    The number of seconds to wait before timeout. This option is relevant every time a password is asked for, as in create, luksOpen, luksFormat or luksAddKey.

--align-payload=value
    Align payload at a boundary of value 512-byte sectors. This option is relevant for luksFormat. If your block device lives on a RAID, it is useful to align the filesystem at full stripe boundaries so it can take advantage of the RAID's geometry. See for instance the sunit and swidth options in the mkfs.xfs manual page. By default the payload is aligned at an 8 sector (4096 byte) boundary.

--version
    Show the version.
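The /etc/crypttab options described above can be checked mechanically before a reboot applies them. The following audit script is an added example, not part of the original manual pages: the finding labels, the sample table and the device-name heuristic are assumptions, and the layout of the first three fields (mapping name, device, key file) comes from crypttab(5) rather than from the text above.

```python
import re

KNOWN = {"cipher", "size", "hash", "verify", "swap", "tmp"}  # options listed on this page

# Constructed sample, not from a real system.
SAMPLE = """\
# name  device                             key file      options
data    /dev/sdb1                          none          cipher=aes-cbc-plain,size=256,verify
swap    /dev/sda2                          /dev/urandom  swap,cipher=aes-cbc-essiv:sha256
tmp     /dev/disk/by-id/ata-EXAMPLE-part3  /dev/urandom  tmp,chiper=aes-cbc-essiv:sha256
"""

def parse_crypttab(text):
    """Return [(name, device, options-dict)] for every non-comment entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        opts = {}
        for item in (fields[3].split(",") if len(fields) > 3 else []):
            key, _, value = item.partition("=")
            opts[key.strip()] = value.strip()
        entries.append((fields[0], fields[1], opts))
    return entries

def audit(text):
    """Return sorted (mapping name, finding) pairs."""
    findings = set()
    for name, device, opts in parse_crypttab(text):
        for key in opts.keys() - KNOWN:
            findings.add((name, "unknown-option:" + key))
        # Spec is cipher-mode-iv[:ivopts]; a "plain" IV is the sector number.
        iv = opts.get("cipher", "").split("-")[-1].split(":")[0]
        if iv.startswith("plain"):
            findings.add((name, "predictable-iv"))
        for destructive in ("swap", "tmp"):
            if destructive in opts:
                findings.add((name, "reformatted-every-boot:" + destructive))
                # Heuristic (assumption): sdX/hdX/vdX names can change between boots.
                if re.match(r"/dev/(sd|hd|vd)[a-z]+\d*$", device):
                    findings.add((name, "unstable-device-name"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Run it against a copy of the real table by passing the file contents to audit(); a misspelled key such as the constructed "chiper" is reported rather than silently ignored.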
