about summary refs log tree commit diff
path: root/etc/conf.d/dmcrypt
blob: 96c523e0f954cc7a6afaf63e86b044fb3a58b607 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# /etc/conf.d/dmcrypt

# For people who run dmcrypt on top of some other layer (like raid),
# use rc_need to specify that requirement.  See the runscript(8) man
# page for more information.

#--------------------
# Instructions
#--------------------

# Note regarding the syntax of this file.  This file is *almost* bash,
# but each line is evaluated separately.  Separate swaps/targets can be
# specified.  The init-script which reads this file assumes that a
# swap= or target= line starts a new section, similar to lilo or grub
# configuration.

# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
# and ensure that gpg has been compiled statically.
# See http://bugs.gentoo.org/90482 for more information.

# Note that the init-script which reads this file detects whether your
# partition is LUKS or not. No mkfs is run unless you specify a makefs
# option.

# Global options:
#----------------

# How long to wait for each timeout (in seconds).
dmcrypt_key_timeout=1

# Max number of checks to perform (see dmcrypt_key_timeout).
#dmcrypt_max_timeout=300

# Number of password retries.
dmcrypt_retries=5

# Arguments:
#-----------
# target=<name>                      == Mapping name for partition.
# swap=<name>                        == Mapping name for swap partition.
# source='<dev>'                     == Real device for partition.
#                                    Note: You can (and should) specify a tag like UUID
#                                    for blkid (see -t option).  This is safer than using
#                                    the full path to the device.
# key='</path/to/keyfile>[:<mode>]'  == Fullpath from / or from inside removable media.
# remdev='<dev>'                     == Device that will be assigned to removable media.
# gpg_options='<opts>'               == Default are --quiet --decrypt
# options='<opts>'                   == cryptsetup, for LUKS you can only use --readonly
# loop_file='<file>'                 == Loopback file.
#                                    Note: If you omit $source, then a free loopback will
#                                    be looked up automatically.
# pre_mount='cmds'                   == commands to execute before mounting partition.
# post_mount='cmds'                  == commands to execute after mounting partition.
# wait=5                             == wait given amount of seconds for source to appear
#-----------
# Supported Modes
# gpg					== decrypt and pipe key into cryptsetup.
#						Note: new-line character must not be part of key.
#						Command to erase \n char: 'cat key | tr -d '\n' > cleanKey'

#--------------------
# dm-crypt examples
#--------------------

## swap
# Swap partitions. These should come first so that no keys make their
# way into unencrypted swap.
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
# If no makefs is given then mkswap will be assumed
#swap=crypt-swap
#source='/dev/hda2'

## /home with passphrase
#target=crypt-home
#source='/dev/hda5'

## /home with regular keyfile
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'

## /home with gpg protected key
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'

## /home with regular keyfile on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'
#remdev='/dev/sda1'

## /home with gpg protected key on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
#remdev='/dev/sda1'

## /tmp with regular keyfile
#target=crypt-tmp
#source='/dev/hda6'
#key='/full/path/to/tmpkey'
#pre_mount='/sbin/mkreiserfs -f -f ${dev}'
#post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'

## Loopback file example
#target='crypt-loop-home'
#source='/dev/loop0'
#loop_file='/mnt/crypt/home'

# The file must be terminated by a newline.  Or leave this comment last.

Consider giving Nix/NixOS a try! <3