Chapter 2 - Encrypting disks - mounting at boot (crypttab syntax)
The crypttab man page is not very helpful when it comes to specifying options (4th column). You can't leave column 3 blank, which means one has to set a password (or key file) or use the filler "none" or "-". Here is an example:
$ sudo cat /etc/crypttab [sudo] password for heiko: # /etc/crypttab: mappings for encrypted partitions. # # Each mapped device will be created in /dev/mapper, so your /etc/fstab # should use the /dev/mapper/<name> paths for encrypted devices. # # See crypttab(5) for the supported syntax. # # <name> <device> <password> <options> secret /dev/disk/by-partlabel/secretdrive none noauto
Perhaps it would be helpful to add the example:
secret /dev/disk/by-partlabel/secretdrive none noauto
to the material.
Comments
-
Hi @heiko_s , thanks for the suggestion. I just saw the man page for crypttab(5) and it doesn't specify what you found. It just says the following:
"The third field specifies the encryption password. If the field is not present or the password is set to none, the password has to be manually entered during system boot. Otherwise the field is interpreted as a path to a file containing the encryption password".
And yes, if you specify options, you need to put 'none' or the password, because if not, the fourth field will be taken as the third, and it won't work. This applies to other config files as well, for example to /etc/passwd; in this case the "comment" filed is not empty or ignored, because if you do that, the data in the fields will be miss understood.
Many regards,
Luis.0 -
IMHO, putting a password in a plain text file is rather poor procedure. Plus if the partition is automatically loaded at boot why encrypt it (yes I can think of reasons, but they all seem poor to me.)
2 -
Hi @coop , I agree. Perhaps that feature was introduced in the time it was implemented (meaning many time ago), because currently it's not a good idea to store a password in a plain text file, even if it has read permissions to root only. That's why the password was moved from /etc/passwd to /etc/shadow, and it's encrypted.
Many regards,
Luis.0 -
For clarification, I wasn't suggesting to put a password in the crypttab file and totally agree with coop.
The crypttab man page I was quoting above is from a Ubuntu 18.04 server.
On a CentOS 8 machine it reads:
"The third field specifies the encryption password. If the field is not
present or the password is set to "none" or "-", the password has to be
manually entered during system boot. Otherwise, the field is
interpreted as an absolute path to a file containing the encryption
password. For swap encryption, /dev/urandom or the hardware device
/dev/hw_random can be used as the password file; using /dev/random may
prevent boot completion if the system does not have enough entropy to
generate a truly random encryption key."Quite a difference. I could give more examples:
OpenSUSE 15 (Leap) mentions passwords, like above.
Debian stable (10.6) does not mention passwords.
It seems like all Debian-based distros do not relate to password entries inside crypttab, which makes sense but causes problems if one doesn't know what to fill in instead of the password.
That's why I suggest to give an example using a "-" or "none" as placeholder.
0 -
Keep in mind man pages are maintained in various ways and the information you are regurgitating probably is coming from different package versions, and may or may not indicate actual differences in software. On RHEL 8 the man page for crypttab is actually owned by systemd for example. There is also more than one man page at times. As Luis says, this particular point may have been relevant 15 years ago. Leave it alone. (It is like getting obsessed over why we have to have dump frequency numbers in /etc/fstab when dump is essentially obsolete.) There are other places where you need to put "none" in /etc/fstab and in mount options also for obsolete reasons.
("none" or anything else, try putting your name in)1 -
Thanks coop. I didn't know that man pages could be owned by different entities, though I suspected something like that when I saw the differences for crypttab. My whole intention of this thread was to give an example of how it works, since I was a little dumbfounded at first when I couldn't get it to work.
0
Categories
- All Categories
- 167 LFX Mentorship
- 219 LFX Mentorship: Linux Kernel
- 795 Linux Foundation IT Professional Programs
- 355 Cloud Engineer IT Professional Program
- 179 Advanced Cloud Engineer IT Professional Program
- 82 DevOps Engineer IT Professional Program
- 127 Cloud Native Developer IT Professional Program
- 112 Express Training Courses
- 112 Express Courses - Discussion Forum
- 6.2K Training Courses
- 48 LFC110 Class Forum - Discontinued
- 17 LFC131 Class Forum
- 35 LFD102 Class Forum
- 227 LFD103 Class Forum
- 14 LFD110 Class Forum
- 39 LFD121 Class Forum
- 15 LFD133 Class Forum
- 7 LFD134 Class Forum
- 17 LFD137 Class Forum
- 63 LFD201 Class Forum
- 3 LFD210 Class Forum
- 5 LFD210-CN Class Forum
- 2 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum - Discontinued
- 1 LFD233 Class Forum
- 2 LFD237 Class Forum
- 23 LFD254 Class Forum
- 697 LFD259 Class Forum
- 109 LFD272 Class Forum
- 3 LFD272-JP クラス フォーラム
- 10 LFD273 Class Forum
- 152 LFS101 Class Forum
- 1 LFS111 Class Forum
- 1 LFS112 Class Forum
- 1 LFS116 Class Forum
- 1 LFS118 Class Forum
- LFS120 Class Forum
- 7 LFS142 Class Forum
- 7 LFS144 Class Forum
- 3 LFS145 Class Forum
- 1 LFS146 Class Forum
- 3 LFS147 Class Forum
- 1 LFS148 Class Forum
- 15 LFS151 Class Forum
- 1 LFS157 Class Forum
- 33 LFS158 Class Forum
- 8 LFS162 Class Forum
- 1 LFS166 Class Forum
- 1 LFS167 Class Forum
- 3 LFS170 Class Forum
- 2 LFS171 Class Forum
- 1 LFS178 Class Forum
- 1 LFS180 Class Forum
- 1 LFS182 Class Forum
- 1 LFS183 Class Forum
- 29 LFS200 Class Forum
- 736 LFS201 Class Forum - Discontinued
- 2 LFS201-JP クラス フォーラム
- 14 LFS203 Class Forum
- 102 LFS207 Class Forum
- 1 LFS207-DE-Klassenforum
- 1 LFS207-JP クラス フォーラム
- 301 LFS211 Class Forum
- 55 LFS216 Class Forum
- 48 LFS241 Class Forum
- 42 LFS242 Class Forum
- 37 LFS243 Class Forum
- 15 LFS244 Class Forum
- LFS245 Class Forum
- LFS246 Class Forum
- 50 LFS250 Class Forum
- 1 LFS250-JP クラス フォーラム
- LFS251 Class Forum
- 154 LFS253 Class Forum
- LFS254 Class Forum
- LFS255 Class Forum
- 5 LFS256 Class Forum
- 1 LFS257 Class Forum
- 1.3K LFS258 Class Forum
- 10 LFS258-JP クラス フォーラム
- 111 LFS260 Class Forum
- 159 LFS261 Class Forum
- 41 LFS262 Class Forum
- 82 LFS263 Class Forum - Discontinued
- 15 LFS264 Class Forum - Discontinued
- 11 LFS266 Class Forum - Discontinued
- 20 LFS267 Class Forum
- 24 LFS268 Class Forum
- 29 LFS269 Class Forum
- 1 LFS270 Class Forum
- 199 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- LFS274 Class Forum
- 3 LFS281 Class Forum
- 9 LFW111 Class Forum
- 260 LFW211 Class Forum
- 182 LFW212 Class Forum
- 13 SKF100 Class Forum
- 1 SKF200 Class Forum
- 1 SKF201 Class Forum
- 782 Hardware
- 198 Drivers
- 68 I/O Devices
- 37 Monitors
- 96 Multimedia
- 174 Networking
- 91 Printers & Scanners
- 83 Storage
- 743 Linux Distributions
- 80 Debian
- 67 Fedora
- 15 Linux Mint
- 13 Mageia
- 23 openSUSE
- 143 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 348 Ubuntu
- 461 Linux System Administration
- 39 Cloud Computing
- 70 Command Line/Scripting
- Github systems admin projects
- 90 Linux Security
- 77 Network Management
- 101 System Management
- 46 Web Management
- 64 Mobile Computing
- 17 Android
- 34 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 371 Off Topic
- 114 Introductions
- 174 Small Talk
- 19 Study Material
- 507 Programming and Development
- 285 Kernel Development
- 204 Software Development
- 1.8K Software
- 211 Applications
- 180 Command Line
- 3 Compiling/Installing
- 405 Games
- 309 Installation
- 97 All In Program
- 97 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)