community.general.crypttab module – Encrypted Linux block devices

Note

This module is part of the community.general collection (version 10.7.5).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.crypttab.

Synopsis

  • Control Linux encrypted block devices that are set up during system boot in /etc/crypttab.

Parameters

Parameter

Comments

backing_device

string

Path to the underlying block device or file, or the UUID of a block-device prefixed with UUID=.

name

string / required

Name of the encrypted block device as it appears in the /etc/crypttab file, or optionally prefixed with /dev/mapper/, as it appears in the filesystem. /dev/mapper/ is stripped from name.

opts

string

A comma-delimited list of options. See crypttab(5) for details.

password

path

Encryption password, the path to a file containing the password, or - or unset if the password should be entered at boot.

path

path

Path to file to use instead of /etc/crypttab.

This might be useful in a chroot environment.

Default: "/etc/crypttab"

state

string / required

Use present to add a line to /etc/crypttab or update its definition if already present.

Use absent to remove a line with matching name.

Use opts_present to add options to those already present; options with different values are updated.

Use opts_absent to remove options from the existing set.

Choices:

  • "absent"

  • "opts_absent"

  • "opts_present"

  • "present"

Attributes

Attribute

Support

Description

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Examples

- name: Set the options explicitly a device which must already exist
  community.general.crypttab:
    name: luks-home
    state: present
    opts: discard,cipher=aes-cbc-essiv:sha256

- name: Add the 'discard' option to any existing options for all devices
  community.general.crypttab:
    name: '{{ item.device }}'
    state: opts_present
    opts: discard
  loop: '{{ ansible_mounts }}'
  when: "'/dev/mapper/luks-' in item.device"

- name: Add entry to /etc/crypttab for luks-home with password file
  community.general.crypttab:
    name: luks-home
    backing_device: UUID=123e4567-e89b-12d3-a456-426614174000
    password: /root/keys/luks-home.key
    opts: discard,cipher=aes-cbc-essiv:sha256
    state: present

Authors

  • Steve (@groks)