crypttab

View current crypttab

$ cat /etc/crypttab

$ luks_root UUID=[device-uuid] none luks

$ luks_data UUID=[device-uuid] /root/keyfile luks

$ luks_ssd UUID=[device-uuid] none luks,discard

$ cryptswap /dev/sdX /dev/urandom swap,cipher=aes-xts-plain64,size=256

/etc/crypttab

/etc/crypttab defines encrypted block devices to be unlocked at boot by systemd-cryptsetup or cryptsetup. Each line describes one encrypted device: its mapped name, source device, key material, and options.
The file works alongside /etc/fstab: crypttab unlocks encrypted devices, then fstab mounts the resulting mapped devices. For LUKS devices, the system prompts for a password at boot unless a keyfile is specified.
UUID-based device identification is recommended over device paths for reliability across hardware changes.

luks

Device is LUKS encrypted (auto-detected usually).

Plain dm-crypt (no LUKS header).

Format as encrypted swap (destroys data).

Allow TRIM/discard passthrough (SSD optimization).

Don't unlock at boot.

Don't fail boot if device unavailable.

Password attempts before failing.

Seconds to wait for device.

Encryption cipher (for plain mode).

Key size in bits.

Offset in keyfile.

Bytes to read from keyfile.

Keyfiles should be readable only by root and ideally on an encrypted root partition. The discard option may leak information about filesystem usage. Encrypted swap with random keys loses swap contents on reboot. Test crypttab changes carefully to avoid unbootable systems.

The crypttab format originated in Debian and was later adopted by systemd and other distributions. It was designed to integrate dm-crypt/LUKS encryption with the boot process. The file format has evolved to support LUKS, plain dm-crypt, and various options for key management and performance tuning.

cryptsetup(8), fstab(5), systemd-cryptsetup(8)