diff --git a/man/crypttab.xml b/man/crypttab.xml
index 49896a45ba2..ac7d55271ca 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -69,8 +69,7 @@
Empty lines and lines starting with the #
character are ignored. Each of the remaining lines describes one
- encrypted block device, fields on the line are delimited by white
- space.
+ encrypted block device. Fields are delimited by white space.
Each line is in the formnameencrypted-devicepasswordoptions
The first two fields are mandatory, the remaining two are
@@ -108,14 +107,6 @@
-
-
-
- Allow discard requests to be passed through
- the encrypted block device. This improves performance on SSD
- storage but has security implications.
-
-
@@ -127,6 +118,14 @@
recommended.
+
+
+
+ Allow discard requests to be passed through the encrypted block
+ device. This improves performance on SSD storage but has security implications.
+
+
+
@@ -148,30 +147,6 @@
option.
-
-
-
- Start offset in the backend device, in 512-byte sectors.
- This option is only relevant for plain devices.
-
-
-
-
-
-
- How many 512-byte sectors of the encrypted data to skip
- at the beginning. This is different from the
- option with respect to the sector numbers used in initialization vector
- (IV) calculation. Using will shift the IV
- calculation by the same negative amount. Hence, if is given,
- sector n will get a sector number of 0 for the IV calculation.
- Using causes sector n to also be the first
- sector of the mapped device, but with its number for IV generation being n.
-
- This option is only relevant for plain devices.
-
-
-
@@ -216,6 +191,19 @@
.
+
+
+
+ Marks this cryptsetup device as requiring network. It will be
+ started after the network is available, similarly to
+ systemd.mount5
+ units marked with . The service unit to set up this device
+ will be ordered between remote-cryptsetup-pre.target and
+ remote-cryptsetup.target, instead of
+ cryptsetup-pre.target and
+ cryptsetup.target.
+
+
@@ -231,6 +219,13 @@
does not show up.
+
+
+
+ Start offset in the backend device, in 512-byte sectors. This
+ option is only relevant for plain devices.
+
+
@@ -244,6 +239,23 @@
mode.
+
+
+
+ How many 512-byte sectors of the encrypted data to skip at the
+ beginning. This is different from the option with respect
+ to the sector numbers used in initialization vector (IV) calculation. Using
+ will shift the IV calculation by the same negative
+ amount. Hence, if is given,
+ sector n will get a sector number of 0 for the IV
+ calculation. Using causes sector
+ n to also be the first sector of the mapped device, but
+ with its number for IV generation being n.
+
+ This option is only relevant for plain devices.
+
+
+
@@ -349,19 +361,6 @@
indefinitely (which is the default).
-
-
-
- Specifies how long systemd should wait for a
- device to show up before giving up on the entry. The argument
- is a time in seconds or explicitly specified units of
- s,
- min,
- h,
- ms.
-
-
-
@@ -393,6 +392,19 @@
typos.
+
+
+
+ Specifies how long systemd should wait for a device to show up
+ before giving up on the entry. The argument is a time in seconds or explicitly
+ specified units of
+ s,
+ min,
+ h,
+ ms.
+
+
+
At early boot and when the system manager configuration is
diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml
index 1bed7d17f16..3d3a0a7cc72 100644
--- a/man/systemd.mount.xml
+++ b/man/systemd.mount.xml
@@ -298,6 +298,23 @@
details.
+
+
+
+
+ Normally the file system type is used to determine if a
+ mount is a "network mount", i.e. if it should only be started after the
+ network is available. Using this option overrides this detection and
+ specifies that the mount requires network.
+
+ Network mount units are ordered between remote-fs-pre.target
+ and remote-fs.target, instead of
+ local-fs-pre.target and local-fs.target.
+ They also pull in network-online.target and are ordered after
+ it and network.target.
+
+
+
diff --git a/man/systemd.special.xml b/man/systemd.special.xml
index 9c916bee6f3..2993d67c766 100644
--- a/man/systemd.special.xml
+++ b/man/systemd.special.xml
@@ -82,6 +82,8 @@
poweroff.target,
printer.target,
reboot.target,
+ remote-cryptsetup-pre.target,
+ remote-cryptsetup.target,
remote-fs-pre.target,
remote-fs.target,
rescue.target,
@@ -477,6 +479,27 @@
this target unit, for compatibility with SysV.
+
+ remote-cryptsetup-pre.target
+
+ This target unit is automatically ordered before all cryptsetup devices
+ marked with the . It can be used to execute additional
+ units before such devices are set up.
+
+ It is ordered after network.target and
+ network-online.target, and also pulls the latter in as a
+ Wants= dependency.
+
+
+
+ remote-cryptsetup.target
+
+ Similar to cryptsetup.target, but for encrypted
+ devices which are accessed over the network. It is used for
+ crypttab8
+ entries marked with .
+
+ remote-fs.target
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
index 613b018ce6e..11d98926580 100644
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@@ -62,7 +62,7 @@ static int create_disk(
*filtered = NULL;
_cleanup_fclose_ FILE *f = NULL;
const char *dmname;
- bool noauto, nofail, tmp, swap;
+ bool noauto, nofail, tmp, swap, netdev;
int r;
assert(name);
@@ -72,6 +72,7 @@ static int create_disk(
nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
tmp = fstab_test_option(options, "tmp\0");
swap = fstab_test_option(options, "swap\0");
+ netdev = fstab_test_option(options, "_netdev\0");
if (tmp && swap) {
log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
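Review bot: `_netdev` is tested here, but nothing in this hunk shows it being removed from the option string that ends up in `filtered`; the filtering call in create_disk lies outside the hunk. If the filter list is unchanged, `_netdev` is presumably forwarded to systemd-cryptsetup with the other options, where it may be logged as an unknown crypttab option on every activation. Either add it to the filtered set or confirm that the option parser accepts it silently. A short comment on the new line would also help, for example `/* _netdev: order this device after the network instead of in early boot */`.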
@@ -102,20 +103,22 @@ static int create_disk(
if (!f)
return log_error_errno(errno, "Failed to create unit file %s: %m", p);
- fputs_unlocked("# Automatically generated by systemd-cryptsetup-generator\n\n"
- "[Unit]\n"
- "Description=Cryptography Setup for %I\n"
- "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
- "SourcePath=/etc/crypttab\n"
- "DefaultDependencies=no\n"
- "Conflicts=umount.target\n"
- "IgnoreOnIsolate=true\n"
- "After=cryptsetup-pre.target\n",
- f);
+ fprintf(f,
+ "# Automatically generated by systemd-cryptsetup-generator\n\n"
+ "[Unit]\n"
+ "Description=Cryptography Setup for %%I\n"
+ "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
+ "SourcePath=/etc/crypttab\n"
+ "DefaultDependencies=no\n"
+ "Conflicts=umount.target\n"
+ "IgnoreOnIsolate=true\n"
+ "After=%s\n",
+ netdev ? "remote-cryptsetup-pre.target" : "cryptsetup-pre.target");
if (!nofail)
fprintf(f,
- "Before=cryptsetup.target\n");
+ "Before=%s\n",
+ netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
if (password) {
if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
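Review bot: The target choice `netdev ? "remote-cryptsetup.target" : "cryptsetup.target"` is spelled out here for `Before=` and again in the `generator_add_symlink()` hunk further down, with a third ternary for the `After=` line. If one copy is edited and the others are not, the generated unit is ordered against one target but linked into another. Hoisting both names into locals right after the option tests keeps them in sync: `const char *pre_target = netdev ? "remote-cryptsetup-pre.target" : "cryptsetup-pre.target";` and `const char *target = netdev ? "remote-cryptsetup.target" : "cryptsetup.target";`. The move from fputs_unlocked() to fprintf() is what turns `%I` into `%%I`, so a comment such as `/* %%I is the literal unit specifier, escaped for printf */` would guard against a later edit un-escaping it. create_disk starts and ends outside this hunk, so how write errors on `f` are checked afterwards is not visible here.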
@@ -191,7 +194,8 @@ static int create_disk(
if (r < 0)
return r;
- r = generator_add_symlink(arg_dest, "cryptsetup.target",
+ r = generator_add_symlink(arg_dest,
+ netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
nofail ? "wants" : "requires", n);
if (r < 0)
return r;
diff --git a/units/cryptsetup-pre.target b/units/cryptsetup-pre.target
index 65353419fc7..6cb28a61ae6 100644
--- a/units/cryptsetup-pre.target
+++ b/units/cryptsetup-pre.target
@@ -6,6 +6,7 @@
# (at your option) any later version.
[Unit]
-Description=Encrypted Volumes (Pre)
+Description=Local Encrypted Volumes (Pre)
Documentation=man:systemd.special(7)
RefuseManualStart=yes
+Before=cryptsetup.target
diff --git a/units/cryptsetup.target b/units/cryptsetup.target
index 25d3e33f6a5..10b17fd3876 100644
--- a/units/cryptsetup.target
+++ b/units/cryptsetup.target
@@ -6,5 +6,5 @@
# (at your option) any later version.
[Unit]
-Description=Encrypted Volumes
+Description=Local Encrypted Volumes
Documentation=man:systemd.special(7)
diff --git a/units/meson.build b/units/meson.build
index be32a39e5f2..2024d0bfa1a 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -48,6 +48,9 @@ units = [
['proc-sys-fs-binfmt_misc.mount', 'ENABLE_BINFMT'],
['reboot.target', '',
'runlevel6.target ctrl-alt-del.target'],
+ ['remote-cryptsetup-pre.target', 'HAVE_LIBCRYPTSETUP'],
+ ['remote-cryptsetup.target', 'HAVE_LIBCRYPTSETUP',
+ join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
['remote-fs-pre.target', ''],
['remote-fs.target', '',
join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
diff --git a/units/remote-cryptsetup-pre.target b/units/remote-cryptsetup-pre.target
new file mode 100644
index 00000000000..a375e618892
--- /dev/null
+++ b/units/remote-cryptsetup-pre.target
@@ -0,0 +1,15 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Remote Encrypted Volumes (Pre)
+Documentation=man:systemd.special(7)
+RefuseManualStart=yes
+Before=remote-cryptsetup.target
+
+After=network.target network-online.target
+Wants=network-online.target
diff --git a/units/remote-cryptsetup.target b/units/remote-cryptsetup.target
new file mode 100644
index 00000000000..60943bd1cbc
--- /dev/null
+++ b/units/remote-cryptsetup.target
@@ -0,0 +1,10 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Remote Encrypted Volumes
+Documentation=man:systemd.special(7)