crypttab - static information about crypted filesystems





The file /etc/crypttab contains descriptive information about encrypted volumes. Each volume is described on a separate line; columns on each line are separated by tabs or spaces. Lines starting with "#" are comments; empty lines are ignored. The order of records in crypttab is important because the /etc/init.d/boot.crypto script sequentially iterates through crypttab entries. All four columns are mandatory; missing or excess columns will lead to unspecified behaviour.



Encryption algorithm. See cryptsetup -c.


Encryption key size. See cryptsetup -s.


Hash algorithm. See cryptsetup -h.


Verify password. See cryptsetup -y.


The backing device is read-only (e.g. a DVD).


Use device with LUKS extensions.


Run mkswap on the created device.


Run mkfs on the created device. The file system to use is specified in /etc/fstab. If /etc/fstab does not list the mapped device, ext2 is used as fallback.


Check the content of the mapped device by a suitable program; if the check fails the device is removed. The specified program is run giving the decrypted volume (/dev/mapper/NAME) as first and the value of the checkargs option as second argument. Cryptdisks searches for the given program in /lib/cryptsetup/checks/. If no program is specified, vol_id is used.


Pass <argument> as second argument to the check script.


Check the source device by a suitable program; if the check fails the device is not created. <precheck> is a script to check the source device. The source device is given as argument to the script. See also the check option.


Prompt for the passphrase at most <num> times if the entered passphrase was wrong. The default is 3. Setting it to 0 enables infinite retries.


Time out interactive password prompts after <sec> seconds.


Always attach a loop device before mapping the device. Normally a loop device is used automatically only for image files. Useful if the block size of the physical device does not match the block size of the contained file system. E.g. ext2 on a CD.


Causes boot.crypto to skip this record during boot. To activate this volume later use: /etc/init.d/boot.crypto start <name>


boot.crypto is invoked two times: the first time as boot.crypto-early, before LVM and MD setup, and the second time as boot.crypto, after mounting local filesystems. This option skips the setup of the device in the first invocation. It might be needed for crypto file containers existing on local filesystems other than root.


Tells mkinitrd to activate this device in the initrd already. Only LUKS and no other options are supported. The root partition is detected automatically by mkinitrd and doesn't need this option explicitly.


Set a string that is appended to the passphrase after hashing. Using different seeds for volumes with the same passphrase makes dictionary attacks harder. Use for compatibility with loop-AES.


Encrypts the hashed password <num> thousand times using AES-256. Use for compatibility with loop-AES.


Calls <path> and uses the output as passphrase or key. If <path> is not absolute, /lib/cryptsetup/scripts is prepended. The only argument passed to the specified program is the value of the key column. keyscript also works in the initrd if the specified program is self-contained. To use the output as raw key, specify hash=plain so cryptsetup doesn't hash its input. Note that use of a keyscript is not supported by YaST, so distribution updates could be problematic when used on mandatory partitions.

loud, ssl, gpg

Not supported. Listed here as they are supported by Debian.


Check scripts are installed in /lib/cryptsetup/checks/ and are called either before (precheck option) or after (check option) the dm-crypt target is set up.


Checks for any known filesystem. Supports a filesystem type as argument via <checkargs>:

no checkargs succeeds if any valid filesystem is found on the device.   
"none" succeeds if no valid filesystem is found on the device.   
"ext3", "xfs", "swap" etc succeeds if the given filesystem type is found on the device.   


Encrypted swap device

cswap /dev/sda6 /dev/random swap

Encrypted luks volume with interactive password

cdisk0 /dev/hda1 none luks

Encrypted luks volume with interactive password, use a custom check script, no retries

cdisk2 /dev/hdc1 none luks,check=customscript,checkargs=foo,tries=1

Encrypted volume with interactive password and a cryptoloop compatible twofish256 cipher

cdisk3 /dev/sda3 none cipher=twofish-cbc-plain,size=256,hash=sha512
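
The format rules and option caveats described above, as a small linter. This is an added example, not code from cryptsetup or boot.crypto; the column names (name, device, key, options) are assumed from the example records, and records 5 and 6 of the sample are constructed.

```python
import posixpath

UNSUPPORTED = {"loud", "ssl", "gpg"}       # the page lists these as not supported
KEYSCRIPT_DIR = "/lib/cryptsetup/scripts"  # prepended to non-absolute keyscript paths

def parse_options(field):
    """Split the comma-separated options column into {name: value-or-True}."""
    opts = {}
    for item in field.split(","):
        name, sep, value = item.partition("=")
        opts[name] = value if sep else True
    return opts

def lint_crypttab(text):
    """Return (entries, findings). Entries keep file order, as boot.crypto does."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # comments and empty lines are ignored
        cols = line.split()                 # columns are separated by tabs or spaces
        if len(cols) != 4:                  # missing/excess columns: unspecified behaviour
            findings.append((lineno, f"expected 4 columns, found {len(cols)}"))
            continue
        name, device, key = cols[:3]
        opts = parse_options(cols[3])
        for bad in sorted(opts.keys() & UNSUPPORTED):
            findings.append((lineno, f"option '{bad}' is not supported"))
        script = opts.get("keyscript")
        if isinstance(script, str) and script:
            if not posixpath.isabs(script):  # resolve the way the page describes
                opts["keyscript"] = posixpath.join(KEYSCRIPT_DIR, script)
            findings.append((lineno, "keyscript is not supported by YaST"))
        if opts.get("tries") == "0":
            findings.append((lineno, "tries=0 allows infinite passphrase retries"))
        entries.append({"name": name, "device": device, "key": key, "options": opts})
    return entries, findings

SAMPLE = """\
# constructed sample: records 1-4 are the page's examples, 5-6 trigger findings
cswap /dev/sda6 /dev/random swap
cdisk0 /dev/hda1 none luks
cdisk2 /dev/hdc1 none luks,check=customscript,checkargs=foo,tries=1
cdisk3 /dev/sda3 none cipher=twofish-cbc-plain,size=256,hash=sha512
cdisk4 /dev/sdb1 none
cdisk5 /dev/sdb2 keyarg luks,keyscript=getkey,gpg,tries=0
"""

if __name__ == "__main__":
    for lineno, msg in lint_crypttab(SAMPLE)[1]:
        print(f"line {lineno}: {msg}")
```
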


cryptsetup(8), /etc/crypttab, fstab(8)


Manual page converted to asciidoc by Michael Gebetsroither. Originally written by Bastian Kleineidam for the Debian distribution of cryptsetup. Improved by Jonas Meurer. Modified for SUSE Linux by Ludwig Nussel. Parts of this manual were taken and adapted from the fstab(5) manual page.

