systemd/man/systemd-cryptsetup@.service.xml

<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-cryptsetup@.service" conditional='HAVE_LIBCRYPTSETUP'>

  <refentryinfo>
    <title>systemd-cryptsetup@.service</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-cryptsetup@.service</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-cryptsetup@.service</refname>
    <!-- <refname>system-systemd\x2dcryptsetup.slice</refname> — this causes meson to go haywire because it
         thinks this is a (windows) path. Let's just not create the alias for this name, and only include it
         in the synopsis. -->
    <refname>systemd-cryptsetup</refname>
    <refpurpose>Full disk decryption logic</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>systemd-cryptsetup@.service</filename></para>
    <para><filename>system-systemd\x2dcryptsetup.slice</filename></para>
    <para><filename>/usr/lib/systemd/systemd-cryptsetup</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><filename>systemd-cryptsetup@.service</filename> is a service responsible for setting up encrypted
    block devices. It is instantiated for each device that requires decryption for access.</para>

    <para><filename>systemd-cryptsetup@.service</filename> instances are part of the
    <filename>system-systemd\x2dcryptsetup.slice</filename> slice, which is destroyed only very late in the
    shutdown procedure. This allows the encrypted devices to remain up until filesystems have been unmounted.
    </para>

    <para><filename>systemd-cryptsetup@.service</filename> will ask
    for hard disk passwords via the <ulink
    url="https://systemd.io/PASSWORD_AGENTS/">password agent logic</ulink>, in
    order to query the user for the password using the right mechanism at boot
    and during runtime.</para>

    <para>At early boot and when the system manager configuration is reloaded, <filename>/etc/crypttab</filename> is
    translated into <filename>systemd-cryptsetup@.service</filename> units by
    <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>

    <para>In order to unlock a volume a password or binary key is
    required. <filename>systemd-cryptsetup@.service</filename> tries to acquire a suitable password or binary
    key via the following mechanisms, tried in order:</para>

    <orderedlist>
      <listitem><para>If a key file is explicitly configured (via the third column in
      <filename>/etc/crypttab</filename>), a key read from it is used. If a PKCS#11 token, FIDO2 token or
      TPM2 device is configured (using the <varname>pkcs11-uri=</varname>, <varname>fido2-device=</varname>,
      <varname>tpm2-device=</varname> options) the key is decrypted before use.</para></listitem>

      <listitem><para>If no key file is configured explicitly this way, a key file is automatically loaded
      from <filename>/etc/cryptsetup-keys.d/<replaceable>volume</replaceable>.key</filename> and
      <filename>/run/cryptsetup-keys.d/<replaceable>volume</replaceable>.key</filename>, if present. Here
      too, if a PKCS#11/FIDO2/TPM2 token/device is configured, any key found this way is decrypted before
      use.</para></listitem>

      <listitem><para>If the <varname>try-empty-password</varname> option is specified it is then attempted
      to unlock the volume with an empty password.</para></listitem>

      <listitem><para>The kernel keyring is then checked for a suitable cached password from previous
      attempts.</para></listitem>

      <listitem><para>Finally, the user is queried for a password, possibly multiple times, unless
      the <varname>headless</varname> option is set.</para></listitem>
    </orderedlist>

    <para>If no suitable key may be acquired via any of the mechanisms describes above, volume activation fails.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
     </para>
  </refsect1>

</refentry>
man: document systemd-cryptsetup 2012-06-27 14:19:35 +04:00			`<?xml version="1.0"?>`
			`<!---nxml--->`
man: use same header for all files The "include" files had type "book" for some raeason. I don't think this is meaningful. Let's just use the same everywhere. $ perl -i -0pe 's^..DOCTYPE (book\|refentry) PUBLIC "-//OASIS//DTD DocBook XML V4.[25]//EN"\s+"http^<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"\n "http^gms' man/*.xml 2019-03-14 16:40:58 +03:00			`<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"`
			`"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">`
license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 07:23:58 +03:00			`<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->`
build-sys: create Makefile-man.am automatically man rules were repeating the same information in too many places, which was error prone. Those rules can be easily generated from .xml files. For efficiency and because python is not a required dependency, Makefile-man.am is only regenerated when requested with make update-man-list If no metadata in man/.xml changed, this file should not change. So only when a new man page or a new alias is added, this file should show up in 'git diff'. The change should then be committed. If the support for building from git without python was dropped, we could drop Makefile-man.am from version control. This would also increase the partial build time (since more stuff would be rebuild whenever sources in man/.xml would be modified), so it would probably wouldn't be worth it. 2013-02-03 07:47:47 +04:00			`<refentry id="systemd-cryptsetup@.service" conditional='HAVE_LIBCRYPTSETUP'>`
man: document systemd-cryptsetup 2012-06-27 14:19:35 +04:00
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`<refentryinfo>`
			`<title>systemd-cryptsetup@.service</title>`
			`<productname>systemd</productname>`
			`</refentryinfo>`
man: document systemd-cryptsetup 2012-06-27 14:19:35 +04:00
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`<refmeta>`
			`<refentrytitle>systemd-cryptsetup@.service</refentrytitle>`
			`<manvolnum>8</manvolnum>`
			`</refmeta>`
man: document systemd-cryptsetup 2012-06-27 14:19:35 +04:00
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`<refnamediv>`
			`<refname>systemd-cryptsetup@.service</refname>`
man: document system-systemd\x2dcryptsetup.slice As discussed in https://github.com/systemd/systemd/pull/14235/commits/1dc85eff1d0dff18aaeaae530c91bf53f34b726e#r606821495, follow-up for commit 1dc85eff1d0dff18aaeaae530c91bf53f34b726e. 2021-04-09 10:27:42 +03:00			`<!-- <refname>system-systemd\x2dcryptsetup.slice</refname> — this causes meson to go haywire because it`
			`thinks this is a (windows) path. Let's just not create the alias for this name, and only include it`
			`in the synopsis. -->`
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`<refname>systemd-cryptsetup</refname>`
			`<refpurpose>Full disk decryption logic</refpurpose>`
			`</refnamediv>`
man: document systemd-cryptsetup 2012-06-27 14:19:35 +04:00
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`<refsynopsisdiv>`
			`<para><filename>systemd-cryptsetup@.service</filename></para>`
man: document system-systemd\x2dcryptsetup.slice As discussed in https://github.com/systemd/systemd/pull/14235/commits/1dc85eff1d0dff18aaeaae530c91bf53f34b726e#r606821495, follow-up for commit 1dc85eff1d0dff18aaeaae530c91bf53f34b726e. 2021-04-09 10:27:42 +03:00			`<para><filename>system-systemd\x2dcryptsetup.slice</filename></para>`
man: revert dynamic paths for split-usr setups This did not really work out as we had hoped. Trying to do this upstream introduced several problems that probably makes it better suited as a downstream patch after all. At any rate, it is not releaseable in the current state, so we at least need to revert this before the release. * by adjusting the path to binaries, but not do the same thing to the search path we end up with inconsistent man-pages. Adjusting the search path too would be quite messy, and it is not at all obvious that this is worth the effort, but at any rate it would have to be done before we could ship this. * this means that distributed man-pages does not make sense as they depend on config options, and for better or worse we are still distributing man pages, so that is something that definitely needs sorting out before we could ship with this patch. * we have long held that split-usr is only minimally supported in order to boot, and something we hope will eventually go away. So before we start adding even more magic/effort in order to make this work nicely, we should probably question if it makes sense at all. 2015-06-18 20:47:44 +03:00			`<para><filename>/usr/lib/systemd/systemd-cryptsetup</filename></para>`
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`</refsynopsisdiv>`
man: document systemd-cryptsetup 2012-06-27 14:19:35 +04:00
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`<refsect1>`
			`<title>Description</title>`
man: document systemd-cryptsetup 2012-06-27 14:19:35 +04:00
man: document system-systemd\x2dcryptsetup.slice As discussed in https://github.com/systemd/systemd/pull/14235/commits/1dc85eff1d0dff18aaeaae530c91bf53f34b726e#r606821495, follow-up for commit 1dc85eff1d0dff18aaeaae530c91bf53f34b726e. 2021-04-09 10:27:42 +03:00			`<para><filename>systemd-cryptsetup@.service</filename> is a service responsible for setting up encrypted`
			`block devices. It is instantiated for each device that requires decryption for access.</para>`

			`<para><filename>systemd-cryptsetup@.service</filename> instances are part of the`
			`<filename>system-systemd\x2dcryptsetup.slice</filename> slice, which is destroyed only very late in the`
			`shutdown procedure. This allows the encrypted devices to remain up until filesystems have been unmounted.`
			`</para>`
man: document systemd-cryptsetup 2012-06-27 14:19:35 +04:00
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`<para><filename>systemd-cryptsetup@.service</filename> will ask`
			`for hard disk passwords via the <ulink`
docs: update old documentation links 2020-09-29 16:10:08 +03:00			`url="https://systemd.io/PASSWORD_AGENTS/">password agent logic</ulink>, in`
			`order to query the user for the password using the right mechanism at boot`
			`and during runtime.</para>`
man: document systemd-cryptsetup-generator 2012-06-27 16:51:47 +04:00
man: drop superfluous 'this' in man page 2016-12-16 15:01:03 +03:00			`<para>At early boot and when the system manager configuration is reloaded, <filename>/etc/crypttab</filename> is`
			`translated into <filename>systemd-cryptsetup@.service</filename> units by`
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`<citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>`
man: document the newly acquired cryptsetup features 2020-04-30 00:10:22 +03:00
			`<para>In order to unlock a volume a password or binary key is`
			`required. <filename>systemd-cryptsetup@.service</filename> tries to acquire a suitable password or binary`
			`key via the following mechanisms, tried in order:</para>`

			`<orderedlist>`
			`<listitem><para>If a key file is explicitly configured (via the third column in`
man: document new features 2020-12-07 19:18:52 +03:00			`<filename>/etc/crypttab</filename>), a key read from it is used. If a PKCS#11 token, FIDO2 token or`
			`TPM2 device is configured (using the <varname>pkcs11-uri=</varname>, <varname>fido2-device=</varname>,`
			`<varname>tpm2-device=</varname> options) the key is decrypted before use.</para></listitem>`
man: document the newly acquired cryptsetup features 2020-04-30 00:10:22 +03:00
			`<listitem><para>If no key file is configured explicitly this way, a key file is automatically loaded`
			`from <filename>/etc/cryptsetup-keys.d/<replaceable>volume</replaceable>.key</filename> and`
			`<filename>/run/cryptsetup-keys.d/<replaceable>volume</replaceable>.key</filename>, if present. Here`
man: document new features 2020-12-07 19:18:52 +03:00			`too, if a PKCS#11/FIDO2/TPM2 token/device is configured, any key found this way is decrypted before`
man: document the newly acquired cryptsetup features 2020-04-30 00:10:22 +03:00			`use.</para></listitem>`

			`<listitem><para>If the <varname>try-empty-password</varname> option is specified it is then attempted`
			`to unlock the volume with an empty password.</para></listitem>`

			`<listitem><para>The kernel keyring is then checked for a suitable cached password from previous`
			`attempts.</para></listitem>`

cryptsetup: add 'headless' parameter to skip password/pin query On headless setups, in case other methods fail, asking for a password/pin is not useful as there are no users on the terminal, and generates unwanted noise. Add a parameter to /etc/crypttab to skip it. 2021-04-09 22:43:10 +03:00			`<listitem><para>Finally, the user is queried for a password, possibly multiple times, unless`
			`the <varname>headless</varname> option is set.</para></listitem>`
man: document the newly acquired cryptsetup features 2020-04-30 00:10:22 +03:00			`</orderedlist>`

			`<para>If no suitable key may be acquired via any of the mechanisms describes above, volume activation fails.</para>`
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`</refsect1>`
man: document systemd-cryptsetup 2012-06-27 14:19:35 +04:00
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`<refsect1>`
			`<title>See Also</title>`
			`<para>`
			`<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>,`
man: document new features 2020-12-07 19:18:52 +03:00			`<citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>,`
man: fix a bunch of links All hail linkchecker! 2015-03-14 05:22:39 +03:00			`<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>`
Reindent man pages to 2ch 2015-02-04 05:14:13 +03:00			`</para>`
			`</refsect1>`
man: document systemd-cryptsetup 2012-06-27 14:19:35 +04:00
			`</refentry>`