blob: 642ff087078b04ab22ce5cfc29ffaed558474b58 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
# /etc/conf.d/dmcrypt
# For people who run dmcrypt on top of some other layer (like raid),
# use rc_need to specify that requirement. See the runscript(8) man
# page for more information.
#--------------------
# Instructions
#--------------------
# Note regarding the syntax of this file. This file is *almost* bash,
# but each line is evaluated separately. Separate swaps/targets can be
# specified. The init-script which reads this file assumes that a
# swap= or target= line starts a new section, similar to lilo or grub
# configuration.
# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
# and ensure that gpg has been compiled statically.
# See http://bugs.gentoo.org/90482 for more information.
# Note that the init-script which reads this file detects whether your
# partition is LUKS or not. No mkfs is run unless you specify a makefs
# option.
# Global options:
#----------------
# How long to wait for each timeout (in seconds).
dmcrypt_key_timeout=1
# Max number of checks to perform (see dmcrypt_key_timeout).
#dmcrypt_max_timeout=300
# Number of password retries.
dmcrypt_retries=5
# Arguments:
#-----------
# target=<name> == Mapping name for partition.
# swap=<name> == Mapping name for swap partition.
# source='<dev>' == Real device for partition.
# Note: You can (and should) specify a tag like UUID
# for blkid (see -t option). This is safer than using
# the full path to the device.
# key='</path/to/keyfile>[:<mode>]' == Fullpath from / or from inside removable media.
# remdev='<dev>' == Device that will be assigned to removable media.
# gpg_options='<opts>' == Default are --quiet --decrypt
# options='<opts>' == cryptsetup, for LUKS you can only use --readonly
# loop_file='<file>' == Loopback file.
# Note: If you omit $source, then a free loopback will
# be looked up automatically.
# pre_mount='cmds' == commands to execute before mounting partition.
# post_mount='cmds' == commands to execute after mounting partition.
#-----------
# Supported Modes
# gpg == decrypt and pipe key into cryptsetup.
# Note: new-line character must not be part of key.
# Command to erase \n char: 'cat key | tr -d '\n' > cleanKey'
#--------------------
# dm-crypt examples
#--------------------
## swap
# Swap partitions. These should come first so that no keys make their
# way into unencrypted swap.
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
# If no makefs is given then mkswap will be assumed
#swap=crypt-swap
#source='/dev/hda2'
## /home with passphrase
#target=crypt-home
#source='/dev/hda5'
## /home with regular keyfile
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'
## /home with gpg protected key
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
## /home with regular keyfile on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'
#remdev='/dev/sda1'
## /home with gpg protected key on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
#remdev='/dev/sda1'
## /tmp with regular keyfile
#target=crypt-tmp
#source='/dev/hda6'
#key='/full/path/to/tmpkey'
#pre_mount='/sbin/mkreiserfs -f -f ${dev}'
#post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'
## Loopback file example
#target='crypt-loop-home'
#source='/dev/loop0'
#loop_file='/mnt/crypt/home'
# The file must be terminated by a newline. Or leave this comment last.
|