/usr/lib/systemd/system-generators/systemd-cryptsetup-generator
systemd-cryptsetup-generator is a generator that translates /etc/crypttab into native systemd units early at boot and when configuration of the system manager is reloaded. This will create systemd-cryptsetup@.service(8) units as necessary.
systemd-cryptsetup-generator implements systemd.generator(7).
systemd-cryptsetup-generator understands the following kernel command line parameters:
luks=, rd.luks=
luks.crypttab=, rd.luks.crypttab=
luks.uuid=, rd.luks.uuid=
If /etc/crypttab contains entries with the same UUID, then the name, keyfile and options specified there will be used. Otherwise, the device will have the name "luks-UUID".
If /etc/crypttab exists, only those UUIDs specified on the kernel command line will be activated in the initrd or the real root.
luks.name=, rd.luks.name=
This parameter is the analogue of the first crypttab(5) field volume-name.
rd.luks.name= is honored only by initial RAM disk (initrd) while luks.name= is honored by both the main system and the initrd.
luks.data=, rd.luks.data=
For those entries specified with rd.luks.uuid= or luks.uuid=, the data device will be set to the one specified by rd.luks.data= or luks.data= of the corresponding UUID.
LUKS data device parameter is useful for specifying encrypted data devices with detached headers specified in luks.options entry containing "header=" argument. For example, rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40 rd.luks.options=b40f1abf-2a53-400a-889a-2eccc27eaa40=header=/path/to/luks.hdr rd.luks.data=b40f1abf-2a53-400a-889a-2eccc27eaa40=/dev/sdx. Hence, in this case, we will attempt to unlock LUKS device assembled from data device "/dev/sdx" and LUKS header (metadata) put in "/path/to/luks.hdr" file. This syntax is for now only supported on a per-device basis, i.e. you have to specify LUKS device UUID.
This parameter is the analogue of the second crypttab(5) field encrypted-device.
rd.luks.data= is honored only by initial RAM disk (initrd) while luks.data= is honored by both the main system and the initrd.
luks.key=, rd.luks.key=
For those entries specified with rd.luks.uuid= or luks.uuid=, the password file will be set to the one specified by rd.luks.key= or luks.key= of the corresponding UUID, or the password file that was specified without a UUID.
It is also possible to specify an external device which should be mounted before we attempt to unlock the LUKS device. systemd-cryptsetup will use password file stored on that device. Device containing password file is specified by appending colon and a device identifier to the password file path. For example, rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40 rd.luks.key=b40f1abf-2a53-400a-889a-2eccc27eaa40=/keyfile:LABEL=keydev. Hence, in this case, we will attempt to mount file system residing on the block device with label "keydev". This syntax is for now only supported on a per-device basis, i.e. you have to specify LUKS device UUID.
This parameter is the analogue of the third crypttab(5) field key-file.
rd.luks.key= is honored only by initial RAM disk (initrd) while luks.key= is honored by both the main system and the initrd.
luks.options=, rd.luks.options=
If only a list of options, without an UUID, is specified, they apply to any UUIDs not specified elsewhere, and without an entry in /etc/crypttab.
This parameter is the analogue of the fourth crypttab(5) field options.
It is possible to specify an external device which should be mounted before we attempt to unlock the LUKS device. systemd-cryptsetup will assemble LUKS device by combining data device specified in luks.data with detached LUKS header found in "header=" argument. For example, rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40 rd.luks.options=b40f1abf-2a53-400a-889a-2eccc27eaa40=header=/luks.hdr:LABEL=hdrdev rd.luks.data=b40f1abf-2a53-400a-889a-2eccc27eaa40=/dev/sdx. Hence, in this case, we will attempt to mount file system residing on the block device with label "hdrdev", and look for "luks.hdr" on that file system. Said header will be used to unlock (decrypt) encrypted data stored on /dev/sdx. This syntax is for now only supported on a per-device basis, i.e. you have to specify LUKS device UUID.
rd.luks.options= is honored only by initial RAM disk (initrd) while luks.options= is honored by both the main system and the initrd.
systemd(1), crypttab(5), systemd-cryptsetup@.service(8), systemd-cryptenroll(1), cryptsetup(8), systemd-fstab-generator(8)