Name
[email protected], systemd-cryptsetup - Full disk decryption logicSynopsis
system-systemd\ex2dcryptsetup.slice
/lib/systemd/systemd-cryptsetup
Description
[email protected] is a service responsible for setting up encrypted block devices. It is instantiated for each device that requires decryption for access.
[email protected] instances are part of the system-systemd\ex2dcryptsetup.slice slice, which is destroyed only very late in the shutdown procedure. This allows the encrypted devices to remain up until filesystems have been unmounted.
[email protected] will ask for hard disk passwords via the \m[blue]password agent logic\m[]\&\s-2\u[1]\d\s+2, in order to query the user for the password using the right mechanism at boot and during runtime.
At early boot and when the system manager configuration is reloaded, /etc/crypttab is translated into [email protected] units by systemd-cryptsetup-generator(8).
In order to unlock a volume a password or binary key is required. [email protected] tries to acquire a suitable password or binary key via the following mechanisms, tried in order: \h'-04' 1.\h'+01'\c
If a key file is explicitly configured (via the third column in /etc/crypttab), a key read from it is used. If a PKCS#11 token, FIDO2 token or TPM2 device is configured (using the pkcs11-uri=, fido2-device=, tpm2-device= options) the key is decrypted before use. \h'-04' 2.\h'+01'\c
If no key file is configured explicitly this way, a key file is automatically loaded from /etc/cryptsetup-keys.d/volume.key and /run/cryptsetup-keys.d/volume.key, if present. Here too, if a PKCS#11/FIDO2/TPM2 token/device is configured, any key found this way is decrypted before use. \h'-04' 3.\h'+01'\c
If the try-empty-password option is specified it is then attempted to unlock the volume with an empty password. \h'-04' 4.\h'+01'\c
The kernel keyring is then checked for a suitable cached password from previous attempts. \h'-04' 5.\h'+01'\c
Finally, the user is queried for a password, possibly multiple times, unless the headless option is set.
If no suitable key may be acquired via any of the mechanisms describes above, volume activation fails.
See Also
systemd(1), systemd-cryptsetup-generator(8), crypttab(5), systemd-cryptenroll(1), cryptsetup(8)
Notes
password agent logic \%https://systemd.io/PASSWORD_AGENTS/