cryptdisks_start
Unlock encrypted block devices
SYNOPSIS
cryptdisks_start [DEVICE]
PARAMETERS
DEVICE
Specifies a particular encrypted device name as defined in `/etc/crypttab` to activate. If omitted, `cryptdisks_start` attempts to activate all entries listed in `crypttab`.
DESCRIPTION
The `cryptdisks_start` command is a script or utility used on Linux systems (especially Debian/Ubuntu derivatives) to manage and activate encrypted block devices during system startup or on demand. It enables access to data on encrypted partitions or full disks that use LUKS (Linux Unified Key Setup).
It primarily works by reading the configuration from the `/etc/crypttab` file. This file specifies details for each encrypted volume, including the device name, the underlying physical device, the key material (e.g., a passphrase, a keyfile, or `none` for interactive prompt), and various options to be passed to the underlying `cryptsetup` utility.
For each specified encrypted device, `cryptdisks_start` invokes the `cryptsetup` utility to decrypt the volume and create a corresponding unencrypted device mapper entry (e.g., `/dev/mapper/myencryptedvolume`). This process ensures that filesystems residing on encrypted volumes, such as root (`/`), swap, or home directories, are accessible to the operating system after decryption.
The command is typically invoked automatically during the system's boot sequence by `systemd` units or older `init` scripts, especially within the `initramfs` environment, to enable access to encrypted root filesystems.
CAVEATS
Incorrect entries in `/etc/crypttab` can lead to system boot failures or inaccessible partitions.
The command relies heavily on the correct functioning and presence of the `cryptsetup` utility.
Using incorrect passphrases or keyfiles will prevent decryption and volume activation.
For interactive password prompts during early boot, user intervention is required, which can halt the boot process.
CONFIGURATION FILE: /etc/crypttab
This file is central to `cryptdisks_start`'s operation. It lists encrypted devices to be activated, their underlying block devices, the key material (e.g., `none` for password prompt, a path to a keyfile), and various options passed directly to `cryptsetup`. Each line represents one encrypted volume.
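The field layout described above can be checked before a reboot. The following is an added example, not part of the original page or of the cryptsetup package: a small Python linter that parses crypttab text and flags entries related to the caveats listed earlier (malformed lines, interactive prompts, key file problems). The sample table, the finding messages, and the treatment of the key and options fields as optional are assumptions; `keyscript=` is the Debian crypttab option that turns the key field into a script argument.

```python
import os
from collections import Counter

# Constructed sample; target names, UUID and key paths are placeholders.
SAMPLE = """\
# <target> <source device> <key file> <options>
cryptroot UUID=00000000-0000-0000-0000-000000000000 none luks,discard
cryptdata /dev/sdb1 /etc/keys/data.key luks
cryptdata /dev/sdc1 keys/rel.key luks
broken_line_only_name
"""

def parse_crypttab(text):
    """Split crypttab text into entries; return (entries, parse_findings)."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if not 2 <= len(f) <= 4:  # assumption: key and options may be omitted
            findings.append((lineno, "malformed: expected 2 to 4 fields"))
            continue
        f += ["none", ""][len(f) - 2:]  # defaults for omitted key / options
        entries.append({"line": lineno, "name": f[0], "source": f[1], "key": f[2],
                        "options": [o for o in f[3].split(",") if o]})
    return entries, findings

def audit(entries):
    """Flag entries likely to fail, stall activation, or expose key material."""
    findings = []
    counts = Counter(e["name"] for e in entries)
    for e in entries:
        key, line = e["key"], e["line"]
        if counts[e["name"]] > 1:
            findings.append((line, "duplicate target name " + e["name"]))
        if key == "none":
            findings.append((line, "interactive passphrase prompt at activation"))
        elif any(o.startswith("keyscript=") for o in e["options"]):
            continue  # key field is an argument to the keyscript, not a path
        elif not key.startswith("/"):
            findings.append((line, "key file path is not absolute"))
        elif os.path.isfile(key) and os.stat(key).st_mode & 0o077:
            findings.append((line, "key file accessible to group or others"))
    return findings

if __name__ == "__main__":
    parsed, problems = parse_crypttab(SAMPLE)
    for lineno, message in sorted(problems + audit(parsed)):
        print(f"line {lineno}: {message}")
```

To check a live system, pass the contents of `/etc/crypttab` to `parse_crypttab` instead of `SAMPLE`; the key file permission check only fires for key files that exist on the machine running it.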
EARLY BOOT INTEGRATION
`cryptdisks_start` is frequently run during the early stages of the boot process, often from within the `initramfs`. This is crucial for systems with an encrypted root filesystem, as it allows the root volume to be decrypted and mounted before the main operating system fully loads. It can also be used to activate other encrypted volumes later in the boot process or on demand.
HISTORY
Initially part of early `init` scripts and `sysvinit` configurations for managing encrypted volumes, `cryptdisks_start` evolved alongside the adoption of LUKS for disk encryption. Its primary function remains consistent: to automate the activation of encrypted devices during system startup. With the transition to `systemd`, its invocation methods adapted to `systemd` service units, but the underlying logic and reliance on `/etc/crypttab` and `cryptsetup` persist. It is often included in the `initramfs` to handle encrypted root filesystems.
SEE ALSO
cryptsetup(8), crypttab(5), systemd-cryptsetup-generator(8), lsblk(8), dmsetup(8)