systemd-cryptsetup@.service, systemd-cryptsetup - Full disk decryption logic
systemd-cryptsetup@.service is a service responsible for setting up encrypted
block devices. It is instantiated for each device that requires decryption for
systemd-cryptsetup@.service will ask for hard disk passwords via
the password agent logic, in order to query the user for the
password using the right mechanism at boot and during runtime.
At early boot and when the system manager configuration is
reloaded, /etc/crypttab is translated into systemd-cryptsetup@.service units
In order to unlock a volume a password or binary key is required.
systemd-cryptsetup@.service tries to acquire a suitable password or binary
key via the following mechanisms, tried in order:
1.If a key file is explicitly configured (via the third
column in /etc/crypttab), a key read from it is used. If a PKCS#11 token is
configured (using the pkcs11-uri= option) the key is decrypted before
2.If no key file is configured explicitly this way, a
key file is automatically loaded from /etc/cryptsetup-keys.d/volume.key
and /run/cryptsetup-keys.d/volume.key, if present. Here too, if a
PKCS#11 token is configured, any key found this way is decrypted before
3.If the try-empty-password option is specified
it is then attempted to unlock the volume with an empty password.
4.The kernel keyring is then checked for a suitable
cached password from previous attempts.
5.Finally, the user is queried for a password, possibly
If no suitable key may be acquired via any of the mechanisms
describes above, volume activation fails.