crypttab — Configuration for encrypted block devices
/etc/crypttab
The /etc/crypttab file describes encrypted block devices that are set up during system boot.
Empty lines and lines starting with the # character are ignored. Each of the remaining lines describes one encrypted block device; the fields on a line are delimited by white space. The first two fields are mandatory, the remaining two are optional.
The first field contains the name of the resulting encrypted block device; the device is set up within /dev/mapper/.
The second field contains a path to the underlying block device, or a specification of a block device via UUID= followed by the UUID. If the block device contains a LUKS signature, it is opened as a LUKS encrypted partition; otherwise it is assumed to be a raw dm-crypt partition.
The third field specifies the encryption password. If the field is not present or the password is set to none, the password has to be manually entered during system boot. Otherwise the field is interpreted as a path to a file containing the encryption password. For swap encryption /dev/urandom or the hardware device /dev/hw_random can be used as the password file; using /dev/random may prevent boot completion if the system does not have enough entropy to generate a truly random encryption key.
The fourth field, if present, is a comma-delimited list of options. The following options are recognized:
cipher=
    Specifies the cipher to use; see cryptsetup(8) for possible values and the default value of this option. A cipher with unpredictable IV values, such as aes-cbc-essiv:sha256, is recommended.
size=
    Specifies the key size in bits; see cryptsetup(8) for possible values and the default value of this option.
keyfile-size=
    Specifies the maximum number of bytes to read from the keyfile; see cryptsetup(8) for possible values and the default value of this option. This option is ignored in plain encryption mode, as the keyfile-size is then given by the key size.
keyfile-offset=
    Specifies the number of bytes to skip at the start of the keyfile; see cryptsetup(8) for possible values and the default value of this option.
hash=
    Specifies the hash to use for password hashing; see cryptsetup(8) for possible values and the default value of this option.
tries=
    Specifies the maximum number of times the user is queried for a password.
verify
    If the encryption password is read from console, it has to be entered twice (to prevent typos).
read-only, readonly
    Set up the encrypted block device in read-only mode.
allow-discards
    Allow discard requests to be passed through the encrypted block device. This improves performance on SSD storage but has security implications.
luks
    Force LUKS mode.
plain
    Force plain encryption mode.
timeout=
    Specify the timeout for querying for a password. If no unit is specified, seconds is used. Supported units are s, ms, us, min, h, d. A timeout of 0 waits indefinitely (which is the default).
noauto
    This device will not be automatically unlocked on boot.
nofail
    The system will not wait for the device to show up and be unlocked at boot, and will not fail the boot if it doesn't show up.
swap
    The encrypted block device will be used as a swap partition, and will be formatted as a swap partition after setting up the encrypted block device, with mkswap(8).
    WARNING: Using the swap option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly.
tmp
    The encrypted block device will be prepared for use as a /tmp partition: it will be formatted using mke2fs(8).
    WARNING: Using the tmp option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly.
At early boot and when the system manager configuration is reloaded this file is translated into native systemd units by systemd-cryptsetup-generator(8).
Example 1. /etc/crypttab example
Set up two encrypted block devices with LUKS: one normal one for storage, and another one for use as a swap device.
    luks-2505567a-9e27-4efe-a4d5-15ad146c258b UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0
    swap /dev/sda7 /dev/urandom swap
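Added example (not part of the crypttab documentation or of systemd's code): a small review script that parses a crypttab by the field rules above and reports the settings this page warns about, namely swap and tmp (contents destroyed on every boot), allow-discards, /dev/random as the password file, and options that are not in the list above. The function names and the third sample entry (scratch, with a misspelled option) are constructed for the illustration.

```python
# Options recognized according to the list on this page (other versions may differ).
RECOGNIZED = {"cipher", "size", "keyfile-size", "keyfile-offset", "hash", "tries",
              "verify", "read-only", "readonly", "allow-discards", "luks", "plain",
              "timeout", "noauto", "nofail", "swap", "tmp"}

def parse_crypttab(text):
    """Return one (name, device, password, options) tuple per entry line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        fields = line.split()             # fields are whitespace-delimited
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: name and device are mandatory")
        password = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append((fields[0], fields[1], password, options))
    return entries

def audit(text):
    """Return (name, finding) pairs for settings the man page warns about."""
    findings = []
    for name, device, password, options in parse_crypttab(text):
        keys = [opt.split("=", 1)[0] for opt in options]
        for key in keys:
            if key not in RECOGNIZED:
                findings.append((name, f"unrecognized option '{key}'"))
        for key in ("swap", "tmp"):
            if key in keys:
                findings.append((name, f"{key}: {device} is reformatted on every boot"))
        if "allow-discards" in keys:
            findings.append((name, "allow-discards: discard requests pass through"))
        if password == "/dev/random":
            findings.append((name, "/dev/random key file may stall boot"))
    return findings

# Constructed sample: the first two entries are Example 1 from this page,
# the third is invented for the demonstration (note the misspelled option).
SAMPLE = """\
# name  device  password  options
luks-2505567a-9e27-4efe-a4d5-15ad146c258b UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0
swap /dev/sda7 /dev/urandom swap
scratch /dev/sdb1 /dev/random tmp,allow-discards,chiper=aes-xts-plain64
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Every swap or tmp finding is a prompt to confirm by hand that the named device is the intended one before the next boot, since the script cannot know which partition holds data.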