diff --git a/man/crypttab.xml b/man/crypttab.xml
index e4b1e43e42..e933b2db78 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -431,6 +431,25 @@
+
+
+
+ Setup this encrypted block device in the initramfs, similarly to
+ systemd.mount5
+ units marked with .
+
+ Although it's not necessary to mark the mount entry for the root file system with
+ , is still recommended with
+ the encrypted block device containing the root file system as otherwise systemd will
+ attempt to detach the device during the regular system shutdown while it's still in
+ use. With this option the device will still be detached but later after the root file
+ system is unmounted.
+
+ All other encrypted block devices that contain file systems mounted in the initramfs
+ should use this option.
+
+
+
At early boot and when the system manager configuration is
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
index 811a9468c1..82e4314913 100644
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@@ -227,7 +227,7 @@ static int create_disk(
*filtered = NULL, *u_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *header_path = NULL;
_cleanup_fclose_ FILE *f = NULL;
const char *dmname;
- bool noauto, nofail, tmp, swap, netdev;
+ bool noauto, nofail, tmp, swap, netdev, attach_in_initrd;
int r, detached_header, keyfile_can_timeout;
assert(name);
@@ -238,6 +238,7 @@ static int create_disk(
tmp = fstab_test_option(options, "tmp\0");
swap = fstab_test_option(options, "swap\0");
netdev = fstab_test_option(options, "_netdev\0");
+ attach_in_initrd = fstab_test_option(options, "x-initrd.attach\0");
keyfile_can_timeout = fstab_filter_options(options, "keyfile-timeout\0", NULL, &keyfile_timeout_value, NULL);
if (keyfile_can_timeout < 0)
@@ -290,12 +291,15 @@ static int create_disk(
"Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
"SourcePath=%s\n"
"DefaultDependencies=no\n"
- "Conflicts=umount.target\n"
"IgnoreOnIsolate=true\n"
"After=%s\n",
arg_crypttab,
netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
+ /* If initrd takes care of attaching the disk then it should also detach it during shutdown. */
+ if (!attach_in_initrd)
+ fprintf(f, "Conflicts=umount.target\n");
+
if (password) {
password_escaped = specifier_escape(password);
if (!password_escaped)
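Review bot: The new comment above `if (!attach_in_initrd)` does not say what dropping `Conflicts=umount.target` means for the unit: the mapping is no longer torn down when umount.target is reached, so the volume stays unlocked until a later stage detaches it. The flag is taken straight from the crypttab options by `fstab_test_option()` in the previous hunk, and nothing visible here checks that the entry is really handled by an initrd, so a misplaced `x-initrd.attach` on a data volume would silently postpone its detach as well. I would extend the comment to something like `/* x-initrd.attach: leave detaching to late shutdown, after the root fs is unmounted; the device stays unlocked until then. */`. Since the string has no format arguments, it could also be written as `fputs("Conflicts=umount.target\n", f);`. create_disk() starts and ends outside this hunk.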
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 8723eb4c01..19f075dfeb 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -228,7 +228,7 @@ static int parse_one_option(const char *option) {
if (r < 0)
return log_error_errno(r, "Failed to parse %s: %m", option);
- } else
+ } else if (!streq(option, "x-initrd.attach"))
log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
return 0;
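Review bot: The `else if (!streq(option, "x-initrd.attach"))` branch silences the unknown-option warning without saying why, and the option name is now a bare literal both here and in cryptsetup-generator.c. A short comment such as `/* x-initrd.attach is consumed by systemd-cryptsetup-generator; accept it silently here */` would keep a later reader from treating it as a forgotten case. parse_one_option() starts outside this hunk.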
diff --git a/units/meson.build b/units/meson.build
index 6a3a0d0dea..9da60a431c 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -74,6 +74,7 @@ units = [
'sysinit.target.wants/'],
['sysinit.target', ''],
['syslog.socket', ''],
+ ['system-systemd\\x2dcryptsetup.slice', 'HAVE_LIBCRYPTSETUP'],
['system-update.target', ''],
['system-update-pre.target', ''],
['system-update-cleanup.service', ''],
diff --git "a/units/system-systemd\\x2dcryptsetup.slice" "b/units/system-systemd\\x2dcryptsetup.slice"
new file mode 100644
index 0000000000..83310900a7
--- /dev/null
+++ "b/units/system-systemd\\x2dcryptsetup.slice"
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Cryptsetup Units Slice
+Documentation=man:systemd.special(7)
+DefaultDependencies=no
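Review bot: The new slice carries no comment explaining why it has to be shipped as a static unit with `DefaultDependencies=no`, which is the one line that matters here. Presumably an implicitly created slice would get the default shutdown conflict and pull the systemd-cryptsetup@ instances down early, defeating the x-initrd.attach change. A line such as `# No default dependencies: cryptsetup units with x-initrd.attach must outlive the normal shutdown ordering.` above `[Unit]` would record that. `Documentation=man:systemd.special(7)` is only useful if that page gains an entry for this slice, which this diff does not show.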