fstab: The file fstab contains descriptive information about the various file systems. fstab is only read by programs, and not written; it is the duty of the system administrator to properly create and maintain this file.
- auto - file system will mount automatically at boot, or when the command 'mount -a' is issued.
- noauto - the filesystem is mounted only when you tell it to.
- exec - allow the execution of binaries that are on that partition (default).
- noexec - do not allow binaries to be executed on the filesystem.
- ro - mount the filesystem read only.
- rw - mount the filesystem read-write.
- sync - I/O should be done synchronously.
- async - I/O should be done asynchronously.
- flush - specific option for FAT to flush data more often, so that copy dialogs or progress bars stay up until the data is actually on the disk.
- user - permit any user to mount the filesystem (implies noexec,nosuid,nodev unless overridden).
- nouser - only allow root to mount the filesystem (default).
- defaults - default mount settings (equivalent to rw,suid,dev,exec,auto,nouser,async).
- suid - allow the operation of suid and sgid bits. They are mostly used to allow users on a computer system to execute binary executables with temporarily elevated privileges in order to perform a specific task.
- nosuid - block the operation of suid and sgid bits.
- noatime - do not update inode access times on the filesystem. Can help performance.
- nodiratime - do not update directory inode access times on the filesystem. Can help performance. You do not need to enable this flag if you have already enabled noatime.
- relatime - update inode access times relative to modify or change time. Access time is only updated if the previous access time was earlier than the current modify or change time (similar to noatime, but doesn't break mutt or other applications that need to know if a file has been read since the last time it was modified). Can help performance.
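The interaction between defaults, user and the explicit exec/suid/dev flags described above is easy to get wrong because mount resolves them left to right (a later token overrides an earlier one, and user only implies noexec,nosuid,nodev when nothing after it re-enables them). The following POSIX shell script is an added example, not part of the original page: it applies that resolution to a constructed fstab and flags scratch mountpoints (/tmp, /var/tmp, /dev/shm) and user-mountable media that end up with exec, suid or dev enabled. The helper names fstab_has_opt, mount_flag and audit_fstab and the sample entries are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): audit fstab entries for the
# security-relevant mount options documented above. Helper names and the
# sample fstab below are constructed for this demonstration.

# Constructed sample fstab content (UUID is a placeholder, not a real device).
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=root-uuid-placeholder /           ext4  defaults,relatime      0 1
tmpfs                      /tmp        tmpfs defaults               0 0
tmpfs                      /dev/shm    tmpfs nodev,nosuid,noexec    0 0
/dev/sdb1                  /media/usb  vfat  user,noauto,flush      0 0
/dev/sdc1                  /media/usb2 vfat  user,exec,noauto       0 0'

# fstab_has_opt OPTIONS NAME -> success if NAME is one of the comma-separated OPTIONS
fstab_has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_flag OPTIONS FLAG -> prints the final state of FLAG (e.g. "exec" or
# "noexec") after walking the option list left to right the way mount does:
#   - the kernel default for exec, suid and dev is "on"
#   - "defaults" re-enables the flag (rw,suid,dev,exec,auto,nouser,async)
#   - "user"/"users" turn it off unless a later token turns it back on
#   - an explicit FLAG or noFLAG always wins over everything before it
mount_flag() {
    state="$2"
    saved_ifs=$IFS
    IFS=,
    for tok in $1; do
        case "$tok" in
            defaults)   state="$2" ;;
            user|users) state="no$2" ;;
            "$2")       state="$2" ;;
            "no$2")     state="no$2" ;;
        esac
    done
    IFS=$saved_ifs
    printf '%s\n' "$state"
}

# audit_fstab FSTAB_TEXT -> prints one finding per line for every scratch
# mountpoint or user-mountable entry whose effective options still allow
# exec, suid or dev. Comment and blank lines are skipped.
audit_fstab() {
    while read -r fs mnt _type opts _dump _pass; do
        case "$fs" in ''|'#'*) continue ;; esac
        check=0
        case "$mnt" in /tmp|/var/tmp|/dev/shm) check=1 ;; esac
        if fstab_has_opt "$opts" user || fstab_has_opt "$opts" users; then
            check=1
        fi
        [ "$check" -eq 1 ] || continue
        for flag in exec suid dev; do
            if [ "$(mount_flag "$opts" "$flag")" = "$flag" ]; then
                printf '%s: %s enabled (options: %s)\n' "$mnt" "$flag" "$opts"
            fi
        done
    done <<EOF
$1
EOF
}

# Usage: run the audit over the constructed sample (or pass "$(cat /etc/fstab)").
audit_fstab "$SAMPLE_FSTAB"
```

On the sample the script reports three findings for /tmp (defaults leaves exec, suid and dev on) and one for /media/usb2, where the explicit exec after user cancels the implied noexec; /media/usb with plain user gets none, since the implied nosuid,nodev,noexec are in effect.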
crypttab: The /etc/crypttab file describes encrypted block devices that are set up during system boot.
cipher=
Encryption algorithm (ignored for LUKS and TCRYPT devices). See cryptsetup -c.
size=
Encryption key size (ignored for LUKS and TCRYPT devices). See cryptsetup -s.
sector-size=
Sector size. See cryptsetup for possible values and the default value of this option.
hash=
Hash algorithm (ignored for LUKS and TCRYPT devices). See cryptsetup -h.
offset=
Start offset (ignored for LUKS and TCRYPT devices). Uses cryptsetup -o.
skip=
Skip sectors at the beginning (ignored for LUKS and TCRYPT devices). Uses cryptsetup -p.
keyfile-offset=
Specifies the number of bytes to skip at the start of the key file.
keyfile-size=
Specifies the maximum number of bytes to read from the key file. The default is to read the whole file up to the compiled-in maximum, that can be queried with cryptsetup --help. This option is ignored for plain dm-crypt devices, as the key file size is then given by the encryption key size (option size).
keyslot=
Key slot (ignored for non-LUKS devices). See cryptsetup -S.
header=
Detached header file (ignored for plain dm-crypt devices). See cryptsetup --header.
verify
Verify password. Uses cryptsetup -y.
readonly, read-only
Set up a read-only mapping.
tries=
Try to unlock the device
discard
Allow discard (TRIM) requests on the device.
Starting with Debian 10 (Buster), this option is added per default to new dm-crypt devices by the Debian Installer. If you don't care about leaking access patterns (filesystem type, used space) and don't have hidden truecrypt volumes inside this volume, then it should be safe to enable this option. See the following warning for further information.
WARNING: Assess the specific security risks carefully before enabling this option. For example, allowing discards on encrypted devices may lead to the leak of information about the ciphertext device (filesystem type, used space etc.) if the discarded blocks can be located easily on the device later.
luks
Force LUKS mode. When this mode is used, the following options are ignored since they are provided by the LUKS header on the device: cipher=, hash=, size=
plain
Force plain encryption mode.
tcrypt
Use TrueCrypt encryption mode. When this mode is used, the following options are ignored since they are provided by the TrueCrypt header on the device or do not apply: cipher=, hash=, keyfile-offset=, keyfile-size=, size=
veracrypt, tcrypt-veracrypt
Use VeraCrypt extension to TrueCrypt device. Only useful in conjunction with tcrypt option (ignored for non-TrueCrypt devices).
tcrypthidden, tcrypt-hidden
Use hidden TCRYPT header (ignored for non-TCRYPT devices).
swap
Run mkswap on the created device.
This option is ignored for initramfs devices.
tmp=
Run mkfs with filesystem type
This option is ignored for initramfs devices.
check=
Check the content of the target device by a suitable program; if the check fails, the device is removed. If a program is provided as an argument, it is run, giving the decrypted volume (target device) as first argument, and the value of the checkargs option as second argument. Cryptdisks/cryptroot searches for the given program in /lib/cryptsetup/checks/ first, but a full path to the program is supported as well.
Default is set in /etc/default/cryptdisks (blkid).
This option is specific to the Debian crypttab format. It's not supported by systemd.
checkargs=
Give
This option is specific to the Debian crypttab format. It's not supported by systemd.
initramfs
The initramfs hook processes the root device, any resume devices and any devices with the initramfs option set. These devices are processed within the initramfs stage of boot. As an example, that allows the use of remote unlocking using dropbear.
This option is specific to the Debian crypttab format. It's not supported by systemd.
noearly
The cryptsetup init scripts are invoked twice during the boot process - once before lvm, raid, etc. are started and once again after that. Sometimes you need to start your encrypted disks in a special order. With this option the device is ignored during the first invocation of the cryptsetup init scripts.
This option is ignored for initramfs devices and specific to the Debian crypttab format. It's not supported by systemd.
noauto
Entirely ignore the device at the boot process. It's still possible to map the device manually using cryptdisks_start.
This option is ignored for initramfs devices and specific to the Debian crypttab format. It's not supported by systemd.
loud
Be loud. Print warnings if a device does not exist. This option overwrites the option quiet.
This option is ignored for initramfs devices and specific to the Debian crypttab format. It's not supported by systemd.
quiet
Be quiet. Don't print warnings if a device does not exist. This option overwrites the option loud.
This option is ignored for initramfs devices and specific to the Debian crypttab format. It's not supported by systemd.
keyscript=
The executable at the indicated path is executed with the value of the third field as only argument. The keyscript output is passed to cryptsetup as decryption key. When used in initramfs, the executable either needs to be self-contained (i.e. doesn't rely on any external program which is not present in the initramfs environment) or the dependencies have to be added to the initramfs image by other means.
LIMITATIONS: All binaries and files on which the keyscript depends must be available at the time of execution. Special care needs to be taken for encrypted filesystems like /usr or /var. As an example, unlocking encrypted /usr must not depend on binaries from /usr/(s)bin.
This option is specific to the Debian crypttab format. It's not supported by systemd.
WARNING: With systemd as init system, this option might be ignored. At the time this is written (December 2016), the systemd cryptsetup helper doesn't support the keyscript option to /etc/crypttab. For the time being, the only option to use keyscripts along with systemd is to force processing of the corresponding crypto devices in the initramfs. See the 'initramfs' option for further information.
All fields of the appropriate crypttab entry are available to the keyscript as exported environment variables:
CRYPTTAB_NAME
The target name
CRYPTTAB_SOURCE
The source device
CRYPTTAB_KEY
The key file
CRYPTTAB_OPTIONS
A list of exported crypttab options
CRYPTTAB_OPTION_
The value of the appropriate crypttab option, with value set to 'yes' in case the option is merely a flag. For option aliases, such as 'readonly' and 'read-only', the variable name refers to the first alternative listed (thus 'CRYPTTAB_OPTION_readonly' in that case). If the crypttab option name contains '-' characters, then they are replaced with '_' in the exported variable name. For instance, the value of the 'CRYPTTAB_OPTION_keyfile_offset' environment variable is set to the value of the 'keyfile-offset' crypttab option.
CRYPTTAB_TRIED
Number of previous tries since start of cryptdisks (counts until maximum number of tries is reached).
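The two things a keyscript author has to get right are how the crypttab fields arrive in the environment (the alias folding and the '-' to '_' renaming described for CRYPTTAB_OPTION_ above) and which options from the list above are silently ignored, either because systemd does not implement the Debian-specific ones or because the luks/tcrypt mode takes them from the on-disk header. The following POSIX shell script is an added example, not code from the original page or from the cryptsetup project: crypttab_export reproduces the documented CRYPTTAB_* environment for a constructed crypttab line so a keyscript can be exercised outside the boot process, and crypttab_lint reports the ignored options and the discard caveat for an option string. The helper names and the sample line are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page or the cryptsetup project):
# build the CRYPTTAB_* keyscript environment from a crypttab line and lint
# the option list against the behaviour documented above. Helper names and
# the sample line are constructed for this demonstration.

# Constructed sample crypttab line: <target> <source> <key file> <options>
SAMPLE_CRYPTTAB_LINE='cdata /dev/sdb2 /etc/keys/cdata.key luks,discard,read-only,keyfile-offset=4096,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl,tries=3'

# crypttab_export LINE -> exports CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY,
# CRYPTTAB_OPTIONS and one CRYPTTAB_OPTION_<name> per option:
#   - a bare flag exports the value "yes"
#   - name=value exports the value
#   - aliases fold to the first-listed name (read-only -> readonly, ...)
#   - '-' in an option name becomes '_' in the variable name
crypttab_export() {
    set -- $1
    CRYPTTAB_NAME=$1
    CRYPTTAB_SOURCE=$2
    CRYPTTAB_KEY=$3
    CRYPTTAB_OPTIONS=$4
    export CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS
    saved_ifs=$IFS
    IFS=,
    for opt in $4; do
        case "$opt" in
            *=*) name=${opt%%=*}; value=${opt#*=} ;;
            *)   name=$opt;       value=yes ;;
        esac
        case "$name" in
            read-only)        name=readonly ;;
            tcrypt-veracrypt) name=veracrypt ;;
            tcrypt-hidden)    name=tcrypthidden ;;
        esac
        name=$(printf '%s' "$name" | sed 's/-/_/g')
        export "CRYPTTAB_OPTION_$name=$value"
    done
    IFS=$saved_ifs
}

# crypttab_lint OPTIONS -> prints one line per option that will not take
# effect (Debian-specific options under systemd, header-provided settings in
# luks/tcrypt mode) plus the information-leak caveat for discard.
crypttab_lint() {
    opts=",$1,"
    for o in check checkargs initramfs noearly noauto loud quiet; do
        case "$opts" in
            *",$o,"*|*",$o="*) printf '%s: Debian-specific option, ignored by systemd\n' "$o" ;;
        esac
    done
    case "$opts" in *,keyscript=*)
        case "$opts" in
            *,initramfs,*) : ;;   # processed in the initramfs, where keyscripts work
            *) printf 'keyscript=: ignored by systemd unless the device also has the initramfs option\n' ;;
        esac ;;
    esac
    case "$opts" in *,luks,*)
        for o in cipher hash size; do
            case "$opts" in *",$o="*) printf '%s=: ignored in luks mode (taken from the LUKS header)\n' "$o" ;; esac
        done ;;
    esac
    case "$opts" in *,tcrypt,*)
        for o in cipher hash keyfile-offset keyfile-size size; do
            case "$opts" in *",$o="*) printf '%s=: ignored in tcrypt mode\n' "$o" ;; esac
        done ;;
    esac
    case "$opts" in *,discard,*)
        printf 'discard: TRIM can reveal filesystem type and used space on the ciphertext device\n' ;;
    esac
}

# Usage: populate the environment as the cryptsetup scripts would, then lint.
crypttab_export "$SAMPLE_CRYPTTAB_LINE"
env | grep '^CRYPTTAB_' | sort
crypttab_lint "$CRYPTTAB_OPTIONS"
```

With the sample line the environment contains CRYPTTAB_OPTION_readonly=yes (folded from read-only), CRYPTTAB_OPTION_keyfile_offset=4096 and CRYPTTAB_OPTION_luks=yes, and the lint reports two lines: the keyscript that systemd will not run because the entry lacks initramfs, and the discard caveat. Pointing crypttab_export at a real /etc/crypttab entry gives a cheap way to test a keyscript's handling of the exported variables before it is ever wired into the boot path.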