Chapter 2 - Encrypting disks - mounting at boot (crypttab syntax)

heiko_s

The crypttab man page is not very helpful when it comes to specifying options (4th column). You can't leave column 3 blank, which means one has to set a password (or key file) or use the filler "none" or "-". Here is an example:

$ sudo cat /etc/crypttab 
[sudo] password for heiko: 
# /etc/crypttab: mappings for encrypted partitions.
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# See crypttab(5) for the supported syntax.
#
# <name>               <device>                            <password> <options>
secret                 /dev/disk/by-partlabel/secretdrive   none    noauto

Perhaps it would be helpful to add the example:

secret /dev/disk/by-partlabel/secretdrive none noauto

to the material.

luisviveropena

Hi @heiko_s , thanks for the suggestion. I just saw the man page for crypttab(5) and it doesn't specify what you found. It just says the following:

"The third field specifies the encryption password. If the field is not present or the password is set to none, the password has to be manually entered during system boot. Otherwise the field is interpreted as a path to a file containing the encryption password".

And yes, if you specify options, you need to put 'none' or the password, because if not, the fourth field will be taken as the third, and it won't work. This applies to other config files as well, for example to /etc/passwd; in this case the "comment" filed is not empty or ignored, because if you do that, the data in the fields will be miss understood.

Many regards,
Luis.

coop

IMHO, putting a password in a plain text file is rather poor procedure. Plus if the partition is automatically loaded at boot why encrypt it (yes I can think of reasons, but they all seem poor to me.)

luisviveropena

Hi @coop , I agree. Perhaps that feature was introduced in the time it was implemented (meaning many time ago), because currently it's not a good idea to store a password in a plain text file, even if it has read permissions to root only. That's why the password was moved from /etc/passwd to /etc/shadow, and it's encrypted.

Many regards,
Luis.

heiko_s

For clarification, I wasn't suggesting to put a password in the crypttab file and totally agree with coop.

The crypttab man page I was quoting above is from a Ubuntu 18.04 server.

On a CentOS 8 machine it reads:
"The third field specifies the encryption password. If the field is not
present or the password is set to "none" or "-", the password has to be
manually entered during system boot. Otherwise, the field is
interpreted as an absolute path to a file containing the encryption
password. For swap encryption, /dev/urandom or the hardware device
/dev/hw_random can be used as the password file; using /dev/random may
prevent boot completion if the system does not have enough entropy to
generate a truly random encryption key."

Quite a difference. I could give more examples:

OpenSUSE 15 (Leap) mentions passwords, like above.

Debian stable (10.6) does not mention passwords.

It seems like all Debian-based distros do not relate to password entries inside crypttab, which makes sense but causes problems if one doesn't know what to fill in instead of the password.

That's why I suggest to give an example using a "-" or "none" as placeholder.

coop

Keep in mind man pages are maintained in various ways and the information you are regurgitating probably is coming from different package versions, and may or may not indicate actual differences in software. On RHEL 8 the man page for crypttab is actually owned by systemd for example. There is also more than one man page at times. As Luis says, this particular point may have been relevant 15 years ago. Leave it alone. (It is like getting obsessed over why we have to have dump frequency numbers in /etc/fstab when dump is essentially obsolete.) There are other places where you need to put "none" in /etc/fstab and in mount options also for obsolete reasons.
("none" or anything else, try putting your name in)

heiko_s

Thanks coop. I didn't know that man pages could be owned by different entities, though I suspected something like that when I saw the differences for crypttab. My whole intention of this thread was to give an example of how it works, since I was a little dumbfounded at first when I couldn't get it to work.