crypttab - Linux


Overview

crypttab (/etc/crypttab) is the configuration file that tells the boot-time userspace which block devices to set up as dm-crypt mappings and where the key for each one comes from. On systemd distributions it is read by systemd-cryptsetup-generator, which turns each entry into a systemd-cryptsetup@.service unit; on Debian-style systems the cryptsetup init scripts (cryptdisks_start) do the same job. The kernel's dm-crypt target does not read the file itself; the listed tools call cryptsetup for every entry. Each line describes one encrypted device, and the unlocked result appears as /dev/mapper/<name>, which is what /etc/fstab then mounts. Because the file decides whether a key is typed interactively, read from a file on disk, or generated at random, it belongs in any disk-encryption threat model: a key file kept on an unencrypted partition reduces full-disk encryption to an obfuscation layer.

Syntax

/etc/crypttab:
<name> <source device> <key file> <options>

Fields are separated by whitespace and lines beginning with # are comments. The third and fourth fields are optional: a missing key file field means "none" (prompt for a passphrase) and a missing options field means no options. Cipher, hash and key size are not separate fields; in plain mode they are given as cipher=, hash= and size= options, and for LUKS they are read from the header on the device.

Options/Flags

  • name: Name of the mapping; the unlocked device appears as /dev/mapper/<name>. A bare word, without slashes.
  • source device: The encrypted block device, as an absolute path (/dev/sda2) or a tag such as UUID=, PARTUUID= or LABEL=. Prefer UUID= over /dev/sdX names, which change when disks are added or enumerated in a different order.
  • key file: Where the key comes from. "none" or "-" prompts for a passphrase at boot; an absolute path reads the key from that file (keep it root-owned with mode 0400, on a filesystem that is itself encrypted or inside the initramfs); /dev/urandom generates a fresh random key on every boot, which is only sensible with the swap or tmp options because the contents are unrecoverable afterwards.
  • options: Comma-separated, no spaces. Commonly used:
    • luks: Treat the device as a LUKS container; cipher=, hash= and size= are then taken from the header and ignored.
    • plain: Plain dm-crypt with no header. Always give cipher= and size= (and hash= when a passphrase is used) explicitly: cryptsetup's defaults have changed between versions, and because nothing verifies the key, a changed default yields garbage rather than an error.
    • nofail: Do not wait for the device at boot and do not fail the boot if it cannot be unlocked.
    • noauto: Do not set up the mapping automatically at boot.
    • swap, tmp: Run mkswap or mkfs on the freshly unlocked device; used together with a random key.
    • discard: Pass TRIM/discard through to the underlying device. Improves SSD performance but lets anyone reading the raw disk see which blocks are unused, so leave it off where that leak matters.
    • cipher=: Cipher specification for plain mode, e.g. aes-xts-plain64.
    • size=: Key size in bits for plain mode, e.g. 512 for aes-xts-plain64 (XTS uses two keys, so 512 bits gives AES-256).
    • hash=: Hash applied to a typed passphrase in plain mode, e.g. sha256.
    • header=: Path to a detached LUKS header.
    • keyfile-offset=, keyfile-size=: Byte offset and length to read from the key file.
    • tries=, timeout=: Number of passphrase attempts and how long to wait for the device or the prompt.

Iteration counts are not a crypttab setting. For LUKS the PBKDF parameters (PBKDF2 iterations or Argon2 cost) are chosen when the key slot is created with cryptsetup luksFormat or luksAddKey (--iter-time, --pbkdf) and stored in the header.

Examples

Basic Example (LUKS; the root volume prompts for a passphrase, the data volume is unlocked with a key file):

cryptroot  /dev/sda2  none        luks,discard
disk1      /dev/sdb1  /mykeyfile  luks,nofail

The matching /etc/fstab line refers to the mapped device, not the raw partition:

/dev/mapper/disk1  /data  ext4  defaults,nofail  0  2

Note that a LUKS entry carries no cipher specification; the cipher, key size and hash are read from the header. Because the key for disk1 comes from /mykeyfile, that file must be readable at the point in boot where the entry is processed, which in practice means it lives on the already-unlocked root filesystem.

Complex Example (plain dm-crypt, no header, opened on demand):

disk2      /dev/sdc1  /mykeyfile    plain,cipher=aes-xts-plain64,size=512,noauto
cryptswap  /dev/sda3  /dev/urandom  swap,cipher=aes-xts-plain64,size=512

In plain mode every parameter must be repeated exactly as it was when the volume was first written; there is no header to check against, so a wrong cipher=, size= or key silently produces unreadable data. The swap entry takes a new random key on each boot, which is why it is combined with the swap option.

Common Issues

  • Errors during boot: Confirm the source device exists (blkid, lsblk -f) and that the key file is readable at the moment the entry is processed. A key file on a filesystem that is mounted later in boot, or on the encrypted device itself, cannot work. Use nofail for non-essential volumes so a missing disk does not drop the system into emergency mode.
  • Data corruption or "unknown filesystem type": In plain mode nothing verifies the key, so a changed cipher=, size= or hash= option, a new cryptsetup default, or the wrong key file produces a mapping full of garbage instead of an error. Re-check the options against those used when the volume was created before assuming the disk is damaged. For LUKS, cryptsetup luksDump shows the parameters the header actually holds.
  • Incorrect passphrase or key file: LUKS reports "No key available with this passphrase". Verify the key without activating the device with cryptsetup open --test-passphrase, and for key files make sure the bytes were not altered; an editor that appends a trailing newline changes the key.
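Most of the issues above can be caught before rebooting by linting the file. The following POSIX shell script is an added example, not part of cryptsetup, systemd or any distribution's tooling. It reads crypttab-format text from standard input and flags the field-layout and option mistakes discussed in this section (wrong field order, a non-path key field, plain mode without cipher= and size=, a random key on a volume that is neither swap nor tmp). The sample entries embedded in it are constructed for the demonstration; /etc/keys/data.key is an assumed path that need not exist on the machine running it.

```shell
#!/bin/sh
# lint_crypttab: sanity-check /etc/crypttab entries before rebooting.
# Added example; not part of cryptsetup, systemd or any distribution.
# Reads crypttab-format text on stdin, reports problems on stderr and
# returns 0 only when no error (as opposed to warning) was found.
# Layout checked:  <name> <source device> <key file> <options>

err()  { echo "line $lineno: $*" >&2; errors=$((errors + 1)); }
warn() { echo "line $lineno: warning: $*" >&2; }

# has_opt <options> <name>: true if the comma list contains name or name=value
has_opt() {
    case ",$1," in *,"$2",*|*,"$2"=*) return 0 ;; esac
    return 1
}

lint_crypttab() (                      # subshell: set -f and counters stay local
    set -f                             # no globbing while splitting fields
    errors=0 lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}               # strip comments
        set -- $line                   # split on whitespace
        [ $# -eq 0 ] && continue
        if [ $# -lt 2 ] || [ $# -gt 4 ]; then
            err "expected 2 to 4 fields, got $#"
            continue
        fi
        name=$1 src=$2 key=${3:-none} opts=${4:-}

        # 1. the mapping appears as /dev/mapper/<name>, so name is a bare word
        case $name in */*) err "name '$name' must not contain '/'" ;; esac

        # 2. source device: absolute path or a blkid-style tag
        case $src in
            /*|UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*) ;;
            *) err "unrecognised source device '$src'" ;;
        esac

        # 3. key source: prompt, random key, or an absolute path to a key file
        case $key in
            none|-) ;;
            /dev/urandom|/dev/random)
                if ! has_opt "$opts" swap && ! has_opt "$opts" tmp; then
                    err "random key for '$name' without swap or tmp: contents are lost at every boot"
                fi ;;
            /*) [ -r "$key" ] || warn "key file '$key' is not readable from here" ;;
            *) err "key field '$key' is not none, -, or an absolute path" ;;
        esac

        # 4. option combinations that produce garbage or a failed boot
        if has_opt "$opts" luks && has_opt "$opts" plain; then
            err "luks and plain are mutually exclusive"
        fi
        if has_opt "$opts" plain && ! { has_opt "$opts" cipher && has_opt "$opts" size; }; then
            err "plain mode without both cipher= and size=: cryptsetup defaults differ between versions"
        fi
        if has_opt "$opts" luks && has_opt "$opts" hash; then
            warn "hash= is ignored for LUKS; the PBKDF parameters live in the header"
        fi
    done
    [ "$errors" -eq 0 ]
)

# Constructed sample entries for the demonstration (not from a real system).
SAMPLE_OK='# <name>   <source device>  <key file>           <options>
cryptroot  /dev/sda2        none                 luks,discard
cryptdata  /dev/sdb1        /etc/keys/data.key   luks,nofail
cryptswap  /dev/sda3        /dev/urandom         swap,cipher=aes-xts-plain64,size=512'

SAMPLE_BAD='/dev/mapper/disk1  /mykeyfile  aes-cbc-essiv:sha256  nofail
cryptold     /dev/sdc1  none          plain,noauto
cryptscratch /dev/sdc2  /dev/urandom  luks'

if printf '%s\n' "$SAMPLE_OK" | lint_crypttab; then
    echo "SAMPLE_OK: no errors"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | lint_crypttab; then
    echo "SAMPLE_BAD: errors found (as expected)"
fi
```

On a real system run it as `lint_crypttab < /etc/crypttab` after sourcing the script; a missing key file is reported only as a warning because the file may legitimately be unavailable where the check runs (for instance in the initramfs build environment), while field-layout and option errors make the script exit non-zero so it can gate a configuration-management deployment.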

Integration

  • systemd-cryptsetup-generator / systemd-cryptsetup@.service: On systemd distributions, one service is generated per crypttab entry at boot; systemctl status 'systemd-cryptsetup@*' shows which entries were activated and why one failed.
  • cryptdisks_start / cryptdisks_stop: Debian's scripts for activating or deactivating a single crypttab entry by name without rebooting, e.g. cryptdisks_start disk1, which is the easiest way to test a new entry.
  • cryptmount: A separate tool with its own configuration file, /etc/cryptmount/cmtab; it does not read crypttab.
  • cryptsetup open / luksOpen: What the boot scripts ultimately run. cryptsetup open --type luks <device> <name> (luksOpen is the older spelling of the same action) does by hand what a crypttab entry does at boot.
  • dmsetup: Low-level device-mapper utility. dmsetup table lists the active crypt mappings with their cipher and device; key bytes are masked unless --showkeys is given, which is one reason dmsetup must stay root-only.

Related Commands

  • cryptsetup: Creates LUKS containers (luksFormat), manages key slots (luksAddKey, luksKillSlot), inspects headers (luksDump) and opens or closes mappings (open, close).
  • lsblk: lsblk -f lists block devices with their FSTYPE (crypto_LUKS for a locked container) and TYPE (crypt for an open mapping), the quickest way to see which crypttab entries actually activated.
  • blkid: Prints the UUID to use in the source device field.
  • mkinitcpio: Arch Linux initramfs generator. Its encrypt hook unlocks the root device named by the cryptdevice= kernel parameter, while the sd-encrypt hook reads /etc/crypttab.initramfs, in the same format as crypttab, for devices that must be unlocked before the root filesystem is available.