Generating crypttab entries for encrypted volumes

Use the zkey crypttab command to generate crypttab entries using the plain or LUKS2 dm-crypt mode for volumes that are associated with secure keys contained in the secure key repository.

Specify the --volumes option to limit the volumes for which crypttab entries are generated. You can use wildcards; if you do, you must quote the value. The device-mapper name of an associated volume can be omitted. If it is specified, only volumes with a matching volume name and device-mapper name are selected. Specify the --volume-type option to generate crypttab entries for the specified volume type only.

The options that you specify with the zkey crypttab command are placed at the appropriate positions in the generated crypttab entries. For LUKS2 volumes, a passphrase is required. You are prompted for the passphrase during system startup when crypttab is evaluated, unless option --key-file is specified. Option --tries specifies how often a passphrase can be re-entered. When option --key-file is specified, the passphrase is read from the specified file. You can specify options --keyfile-offset and --keyfile-size to control which part of the key file is used as the passphrase. These options are passed to the generated crypttab entries and are only available if zkey has been compiled with LUKS2 support enabled.

Examples:

- for volume type LUKS2

# zkey crypttab
# zkey crypttab --volumes /dev/mapper/disk1
# zkey crypttab --volume-type luks2

enc-disk1       /dev/mapper/disk1

Note: To use automated opening of the encrypted volume with a key file during system startup, you must adapt the generated crypttab entry. Follow the instructions from step 6 in Creating a volume for pervasive encryption.

- for volume type PLAIN

# zkey crypttab --volume-type plain

enc-disk2       /dev/mapper/disk2       /etc/zkey/repository/secure_xtskey2.skey \
                plain,cipher=paes-xts-plain64,size=2176,hash=plain

- for LUKS2 disk1 with options:

# zkey crypttab --volumes /dev/mapper/disk1 --key-file /etc/luks-keys/all_disks.key

enc-disk1       /dev/mapper/disk1      /etc/luks-keys/all_disks.key    luks

# zkey crypttab --volumes /dev/mapper/disk1 --key-file /etc/luks-keys/all_disks.key \
--keyfile-offset 27  --keyfile-size 8  --tries 3

enc-disk1       /dev/mapper/disk1      /etc/luks-keys/all_disks.key    luks,\
                keyfile-offset=27,keyfile-size=8,tries=3
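
Because an entry generated with --key-file makes the LUKS2 passphrase readable from disk at startup, the following added Python example (not part of zkey or of this documentation) parses crypttab entries in the form shown above and reports key files that warrant review. The function names parse_crypttab and audit are hypothetical, and the policy that a key file is owned by root with no group or other access is an assumption; adjust it to your site rules.

```python
import os
import tempfile

def parse_crypttab(text):
    """Return (name, device, keyfile, options) tuples from crypttab-style text."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # continuation, as printed in the output above
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        fields = line.split()
        if len(fields) < 2 or line.startswith("#"):
            continue
        keyfile = fields[2] if len(fields) > 2 else "none"
        opts = dict(o.partition("=")[::2] for o in fields[3].split(",")) if len(fields) > 3 else {}
        entries.append((fields[0], fields[1], keyfile, opts))
    return entries

def audit(entries, owner_uid=0):
    """Return (volume name, finding) pairs; owner and mode policy are assumptions."""
    findings = []
    for name, _device, keyfile, opts in entries:
        # Skipped: no key file (passphrase prompt) and plain mode, where the third
        # field is a secure key from the repository rather than a passphrase file.
        if keyfile in ("none", "-") or "plain" in opts:
            continue
        try:
            st = os.stat(keyfile)
        except OSError as exc:
            findings.append((name, f"cannot stat key file: {exc.strerror}"))
            continue
        if st.st_uid != owner_uid:
            findings.append((name, "key file has unexpected owner"))
        if st.st_mode & 0o077:
            findings.append((name, "key file accessible by group or others"))
        window = int(opts.get("keyfile-offset") or 0) + int(opts.get("keyfile-size") or 0)
        if window > st.st_size:
            findings.append((name, "keyfile-offset + keyfile-size exceeds file size"))
    return findings

if __name__ == "__main__":
    # Constructed sample: 30-byte, world-readable key file with the option set shown above.
    with tempfile.NamedTemporaryFile() as fh:
        fh.write(b"k" * 30)
        fh.flush()
        os.chmod(fh.name, 0o644)
        sample = f"enc-disk1 /dev/mapper/disk1 {fh.name} luks,\\\n  keyfile-offset=27,keyfile-size=8,tries=3\n"
        for name, finding in audit(parse_crypttab(sample), owner_uid=os.getuid()):
            print(f"{name}: {finding}")
```

On a real system, pass the contents of /etc/crypttab to parse_crypttab and run audit as root with the default owner_uid.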