Welcome to the Linux Foundation Forum!

Chapter 2 - Encrypting disks - mounting at boot (crypttab syntax)

The crypttab man page is not very helpful when it comes to specifying options (4th column). You can't leave column 3 blank, which means one has to set a password (or key file) or use the filler "none" or "-". Here is an example:

$ sudo cat /etc/crypttab 
[sudo] password for heiko: 
# /etc/crypttab: mappings for encrypted partitions.
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# See crypttab(5) for the supported syntax.
#
# <name>               <device>                            <password> <options>
secret                 /dev/disk/by-partlabel/secretdrive   none    noauto

Perhaps it would be helpful to add the example:

secret /dev/disk/by-partlabel/secretdrive none noauto

to the material.

Comments

  • Hi @heiko_s , thanks for the suggestion. I just saw the man page for crypttab(5) and it doesn't specify what you found. It just says the following:

    "The third field specifies the encryption password. If the field is not present or the password is set to none, the password has to be manually entered during system boot. Otherwise the field is interpreted as a path to a file containing the encryption password".

    And yes, if you specify options, you need to put 'none' or the password, because if not, the fourth field will be taken as the third, and it won't work. This applies to other config files as well, for example to /etc/passwd; in this case the "comment" filed is not empty or ignored, because if you do that, the data in the fields will be miss understood.

    Many regards,
    Luis.

  • coop
    coop Posts: 915

    IMHO, putting a password in a plain text file is rather poor procedure. Plus if the partition is automatically loaded at boot why encrypt it (yes I can think of reasons, but they all seem poor to me.)

  • Hi @coop , I agree. Perhaps that feature was introduced in the time it was implemented (meaning many time ago), because currently it's not a good idea to store a password in a plain text file, even if it has read permissions to root only. That's why the password was moved from /etc/passwd to /etc/shadow, and it's encrypted.

    Many regards,
    Luis.

  • heiko_s
    heiko_s Posts: 99

    For clarification, I wasn't suggesting to put a password in the crypttab file and totally agree with coop.

    The crypttab man page I was quoting above is from a Ubuntu 18.04 server.

    On a CentOS 8 machine it reads:
    "The third field specifies the encryption password. If the field is not
    present or the password is set to "none" or "-", the password has to be
    manually entered during system boot. Otherwise, the field is
    interpreted as an absolute path to a file containing the encryption
    password. For swap encryption, /dev/urandom or the hardware device
    /dev/hw_random can be used as the password file; using /dev/random may
    prevent boot completion if the system does not have enough entropy to
    generate a truly random encryption key."

    Quite a difference. I could give more examples:

    OpenSUSE 15 (Leap) mentions passwords, like above.

    Debian stable (10.6) does not mention passwords.

    It seems like all Debian-based distros do not relate to password entries inside crypttab, which makes sense but causes problems if one doesn't know what to fill in instead of the password.

    That's why I suggest to give an example using a "-" or "none" as placeholder.

  • coop
    coop Posts: 915

    Keep in mind man pages are maintained in various ways and the information you are regurgitating probably is coming from different package versions, and may or may not indicate actual differences in software. On RHEL 8 the man page for crypttab is actually owned by systemd for example. There is also more than one man page at times. As Luis says, this particular point may have been relevant 15 years ago. Leave it alone. (It is like getting obsessed over why we have to have dump frequency numbers in /etc/fstab when dump is essentially obsolete.) There are other places where you need to put "none" in /etc/fstab and in mount options also for obsolete reasons.
    ("none" or anything else, try putting your name in)

  • heiko_s
    heiko_s Posts: 99

    Thanks coop. I didn't know that man pages could be owned by different entities, though I suspected something like that when I saw the differences for crypttab. My whole intention of this thread was to give an example of how it works, since I was a little dumbfounded at first when I couldn't get it to work.

Categories

Upcoming Training