After you encrypt a partition with LUKS, the volume stays locked until something runs cryptsetup open. For a data disk you want every boot, that unlock step belongs in /etc/crypttab, and the mount belongs in /etc/fstab.
This guide follows the same sequence for both unlock styles: wire crypttab and fstab, test on a running system without rebooting, then reboot once to confirm boot behavior. You can stop at a passphrase prompt (none in crypttab) or use a keyfile for unattended auto-mount. Day-to-day cryptsetup syntax lives in the cryptsetup command cheat sheet.
/etc/crypttab plus /etc/fstab on a partition that is not your root filesystem. It does not cover encrypting the disk your system already boots from; that path needs initramfs, bootloader, and often migration (encrypt an existing root volume with LUKS).
Examples use the LUKS2 volume on /dev/sdc1 (mapper name secure_data, ext4 label secure-data) from the encrypt walkthrough. Substitute your device names, UUIDs, and mount point in every command.
Tested on: Ubuntu 26.04 LTS (Resolute Raccoon); kernel 7.0.0-27-generic; cryptsetup 2.8.4.
What you need on your system
Before editing crypttab or fstab, collect these on your host:
| You need | How to find it | Example in this guide |
|---|---|---|
| LUKS partition — block device with the header, not the mapper | lsblk -f; sudo blkid |
/dev/sdc1 |
| LUKS UUID — goes in crypttab field 2 | sudo cryptsetup luksUUID /dev/sdc1 |
5f452b2f-3b11-4494-890b-d6c3e509c0ef |
| Mapper name — first crypttab field | you choose (letters, numbers, underscore) | secure_data |
| Filesystem UUID — goes in fstab, not crypttab | sudo blkid /dev/mapper/secure_data after unlock |
9fe05bbb-e530-48ed-a8f7-461febc7329f |
| Mount point | you choose | /mnt/secure-data |
| Keyfile path (optional) | you choose; mode 600, owned by root |
/etc/luks/secure-data.key |
| Passphrase or key file | set at luksFormat / luksAddKey |
(not stored in this article) |
Also confirm:
- Manual unlock and mount work before you edit boot config.
- If the LUKS header UUID changes after a restore, update crypttab to match.
- Take a LUKS header backup before risky header or key-slot work.
Quick reference
| Goal | crypttab fields | fstab |
|---|---|---|
| Prompt for passphrase at boot | secure_data UUID=<luks-uuid> none luks |
UUID=<fs-uuid> /mnt/secure-data ext4 defaults,noatime 0 2 |
| Unlock with keyfile | secure_data UUID=<luks-uuid> /etc/luks/secure-data.key luks |
same fstab line |
| Optional removable disk | secure_data UUID=<luks-uuid> none luks,nofail |
UUID=<fs-uuid> /mnt/secure-data ext4 defaults,noatime,nofail,x-systemd.automount 0 2 |
| Unlock only after normal boot | omit initramfs; use the standard crypttab line |
same fstab line |
| Manual unlock only | (no crypttab line) | optional fstab nofail if you mount by hand |
Get identifiers from the lab volume:
- LUKS UUID (crypttab):
sudo blkid /dev/sdc1 - Filesystem UUID (fstab):
sudo blkid /dev/mapper/secure_dataafter unlock
Wiring rules:
- crypttab unlock runs first and creates
/dev/mapper/name. - fstab mounts the filesystem inside that mapper once it exists.
- Do not put the LUKS UUID in fstab or the ext4 UUID in crypttab—that is the most common mistake.
- For each path below: configure both files → test without reboot → confirm with reboot.
Identify the LUKS partition
With the volume locked, the lsblk command shows crypto_LUKS on the partition and no mapper child yet:
lsblk -f /dev/sdc1Sample output:
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
sdc1 crypto_LUKS 2 5f452b2f-3b11-4494-890b-d6c3e509c0efThat UUID is the LUKS container ID for crypttab—not the ext4 filesystem UUID you will put in fstab.
Confirm the header when in doubt:
sudo cryptsetup luksDump /dev/sdc1 | head -8Sample output:
LUKS header information
Version: 2
Epoch: 52
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 5f452b2f-3b11-4494-890b-d6c3e509c0ef
Label: (no label)
Subsystem: (no subsystem)From that header dump:
UUIDmust matchlsblk -fandblkidon/dev/sdc1—that value goes in crypttab field 2.Version: 2confirms LUKS2.
If luksDump reports not a valid LUKS device, recheck the partition with lsblk -f—you may have targeted an unencrypted or wrong /dev/sdX node.
Unlock once so you can see the mapper and filesystem layer:
sudo cryptsetup open /dev/sdc1 secure_dataA successful unlock prints nothing; /dev/mapper/secure_data appears when the passphrase is accepted.
lsblk -f /dev/sdc1 /dev/mapper/secure_dataSample output:
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
sdc1 crypto_LUKS 2 5f452b2f-3b11-4494-890b-d6c3e509c0ef
└─secure_data ext4 1.0 secure-data 9fe05bbb-e530-48ed-a8f7-461febc7329f
secure_data ext4 1.0 secure-data 9fe05bbb-e530-48ed-a8f7-461febc7329fThe ext4 UUID on secure_data is what belongs in fstab—not the crypto_LUKS UUID on sdc1.
Close the mapper when you finish inspecting: sudo cryptsetup close secure_data.
UUID vs PARTUUID vs device path in crypttab
The second crypttab field names the block device that holds the LUKS header. Three forms are valid; only one belongs in production config.
| Form | Example | Stable when… |
|---|---|---|
UUID= |
UUID=5f452b2f-3b11-4494-890b-d6c3e509c0ef |
Preferred. Names the LUKS container. Survives reboots, cable swaps, and /dev/sdX reordering. |
PARTUUID= |
PARTUUID=b2ec5a76-8585-4e6b-9926-3ca5094fcea1 |
You must bind unlock to a specific GPT partition slot. This is the partition-table ID, not the LUKS header UUID. |
| Device path | /dev/sdc1 |
Avoid. Enumeration can change; crypttab may target the wrong disk after hardware changes. |
Collect the values on your host:
sudo blkid -o value -s UUID /dev/sdc1Sample output:
5f452b2f-3b11-4494-890b-d6c3e509c0efThat line is the LUKS UUID for crypttab field 2.
PARTUUID comes from the GPT partition table—a different identifier used only in special layouts:
sudo blkid -o value -s PARTUUID /dev/sdc1Sample output:
b2ec5a76-8585-4e6b-9926-3ca5094fcea1Use in crypttab:
- Prefer
UUID=from thecrypto_LUKSline (blkidorluksDump). - Reserve
PARTUUID=only when the GPT partition slot is fixed but the LUKS header UUID is unknown (uncommon for data disks). - Never copy the ext4 filesystem UUID into crypttab—that belongs in fstab only.
Manual unlock and mount (baseline)
Before editing boot config, prove the mapper and mount path work by hand. Mounting an unlocked LUKS mapper follows the same mount command workflow as any other block device. If you closed the mapper after the identify step, run cryptsetup open again. The sudo command prefix is required for cryptsetup and mount operations:
sudo cryptsetup open /dev/sdc1 secure_dataEnter the passphrase when prompted; a successful open prints nothing.
sudo mkdir -p /mnt/secure-data
sudo mount /dev/mapper/secure_data /mnt/secure-datamount also exits quietly when the mapper path is correct.
Confirm the mount path:
mount | grep secure_dataSample output:
/dev/mapper/secure_data on /mnt/secure-data type ext4 (rw,relatime)That mount line is what you want fstab to reproduce after boot unlock.
When this host will not boot, you can open and unlock the LUKS disk on another Linux machine with the same mapper name and mount steps.
Close when finished testing:
sudo umount /mnt/secure-data
sudo cryptsetup close secure_dataAfter close, lsblk -f /dev/sdc1 shows only crypto_LUKS again—the mapper is gone until the next unlock.
The mapper name you choose here (secure_data) must match the first field in /etc/crypttab.
Install cryptsetup tools
On Ubuntu and Debian, install the base package (skip if cryptsetup is already present):
sudo apt install -y cryptsetupapt may report the package is already installed—that is fine.
If this host also unlocks LUKS volumes during initramfs (root, resume, or crypttab entries with the initramfs option), install the initramfs integration package:
sudo apt install -y cryptsetup-initramfsConfirm the initramfs hook package is installed with the dpkg command:
dpkg -l cryptsetup-initramfs | awk '/^ii/{print $2, $3}'Sample output:
cryptsetup-initramfs 2:2.8.4-1ubuntu4That ii package line confirms the initramfs hook is present.
Package roles on a secondary data disk:
cryptsetup— enough for normal boot; systemd reads/etc/crypttabfrom the real root.cryptsetup-initramfs— only when root, resume, or crypttab entries use theinitramfsoption.
On Fedora and other distros, install the equivalent packages locally—the apt command examples here map to your package manager.
Boot unlock and auto-mount
Both paths use the same wiring: crypttab unlocks LUKS and creates /dev/mapper/name; fstab mounts the ext4 filesystem inside that mapper. The only difference is the third crypttab field—none waits for you at boot, a keyfile path unlocks silently.
| Path | crypttab key field | Boot behavior | Best for |
|---|---|---|---|
| Passphrase | none |
Plymouth or text console prompts for passphrase | Workstations, laptops |
| Keyfile automount | /etc/luks/secure-data.key |
Unlock and mount with no prompt | Servers in locked rooms |
For each path: configure both files → test without reboot → reboot to confirm.
Passphrase prompt at boot
On Ubuntu and Debian with systemd, a secondary data disk usually unlocks after the root filesystem is up—not in initramfs unless you add the initramfs crypttab option. Boot order:
systemd-cryptsetup@secure_data.servicereads your crypttab line.- With key path
none, boot prompts for the passphrase (Plymouth on desktop Ubuntu, or plain text on serial/server consoles). - Unlock creates
/dev/mapper/secure_data. - fstab mounts the ext4 filesystem on that mapper.
crypttab entry
Edit /etc/crypttab (root) and add one line:
secure_data UUID=5f452b2f-3b11-4494-890b-d6c3e509c0ef none luks| Field | Meaning |
|---|---|
secure_data |
Mapper name (/dev/mapper/secure_data) |
UUID=… |
LUKS container UUID from blkid |
none |
No keyfile—boot prompts for passphrase |
luks |
Treat device as LUKS |
crypttab options differ by volume type:
- Root volume — often adds
initramfsso unlock happens before pivot root. - Secondary data disk — plain
luksis enough unless you deliberately want the prompt during initramfs.
fstab entry
Mount the filesystem UUID inside the mapper, not the LUKS UUID:
sudo blkid /dev/mapper/secure_dataSample output:
/dev/mapper/secure_data: LABEL="secure-data" UUID="9fe05bbb-e530-48ed-a8f7-461febc7329f" BLOCK_SIZE="4096" TYPE="ext4"Copy the UUID= value from that line into fstab—not the LUKS UUID from /dev/sdc1.
Add to /etc/fstab:
UUID=9fe05bbb-e530-48ed-a8f7-461febc7329f /mnt/secure-data ext4 defaults,noatime 0 2Create the mount point once: sudo mkdir -p /mnt/secure-data.
Confirm crypttab names the mapper and LUKS UUID with grep:
grep secure_data /etc/crypttabSample output:
secure_data UUID=5f452b2f-3b11-4494-890b-d6c3e509c0ef none luksConfirm fstab references the ext4 UUID inside the mapper—not the LUKS UUID:
grep 9fe05bbb-e530-48ed-a8f7-461febc7329f /etc/fstabSample output:
UUID=9fe05bbb-e530-48ed-a8f7-461febc7329f /mnt/secure-data ext4 defaults,noatime 0 2Test without a reboot
Close the mapper so the test starts from a locked volume:
sudo umount /mnt/secure-data 2>/dev/null || true
sudo cryptsetup close secure_dataOn systemd hosts, reload units and start the cryptsetup service—the same path boot uses (systemctl):
sudo systemctl daemon-reload
sudo systemctl start systemd-cryptsetup@secure_data.serviceType the LUKS passphrase when prompted. Then mount and verify:
sudo mount /mnt/secure-data
findmnt /mnt/secure-dataSample output:
TARGET SOURCE FSTYPE OPTIONS
/mnt/secure-data /dev/mapper/secure_data ext4 rw,noatimeOn Debian systems without systemd cryptsetup units, use sudo cryptdisks_start secure_data instead, then sudo mount /mnt/secure-data.
If unlock fails, check systemctl status 'systemd-cryptsetup@secure_data.service' before you reboot.
Confirm with a reboot
When the no-reboot test passes, reboot once to confirm boot behavior:
sudo rebootWith none as the key path, boot waits until you enter the LUKS passphrase.
On Ubuntu 26.04 with a desktop Plymouth boot, the prompt is graphical and names the crypttab mapper—here secure_data on partition primary. The exact wording can differ (Please enter passphrase for disk … vs Please unlock disk … on text consoles). After you type the passphrase, systemd unlocks the mapper and fstab mounts /mnt/secure-data.
After login, confirm the mount:
findmnt /mnt/secure-data
cat /mnt/secure-data/lab-check.txtKeyfile automount (no boot prompt)
Keyfiles suit secondary data disks on servers in a locked datacenter. They are not a substitute for protecting the root filesystem and physical access controls.
On workstations with TPM2 or a FIDO2 security key, systemd-cryptenroll for LUKS2 is often a stronger unattended-unlock path than a static file on disk.
Create and register the keyfile
Create a random keyfile, then set root-only ownership with chown and mode 600:
sudo mkdir -p /etc/luks
sudo dd if=/dev/urandom of=/etc/luks/secure-data.key bs=512 count=4 status=none
sudo chown root:root /etc/luks/secure-data.key
sudo chmod 600 /etc/luks/secure-data.keyThe keyfile is 2048 bytes of random data on disk—never store your only copy inside the encrypted volume.
Check ownership and mode before you register the key:
sudo ls -l /etc/luks/secure-data.keySample output:
-rw------- 1 root root 2048 Jul 5 19:46 /etc/luks/secure-data.keyroot:root ownership and mode 600 are required before you add the key to a LUKS slot.
Register the keyfile—luksAddKey prompts for an existing passphrase and prints nothing on success:
sudo cryptsetup luksAddKey /dev/sdc1 /etc/luks/secure-data.keyA second active slot should appear in the header dump:
sudo cryptsetup luksDump /dev/sdc1 | sed -n '/Keyslots:/,/Tokens:/p' | head -20Sample output:
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
...
2: luks2
Key: 512 bits
Priority: normalTwo luks2 entries mean both passphrase and keyfile can unlock the volume. Slot numbers need not be consecutive—slot 2 is common when slot 1 was used earlier.
After adding keys:
- Take a fresh header backup before you retire old slots (change LUKS passphrase or key slots).
- Do not keep your only keyfile copy on the encrypted volume it unlocks.
- Keep a recovery passphrase in another LUKS slot.
crypttab and fstab
Point crypttab at the keyfile instead of none:
secure_data UUID=5f452b2f-3b11-4494-890b-d6c3e509c0ef /etc/luks/secure-data.key luksKeep the same fstab line as the passphrase path.
Keyfile placement:
- Secondary data disk (normal path) — store the key on the root filesystem (for example
/etc/luks/secure-data.key); initramfs copy not required. - Early-boot unlock — add
initramfsto crypttab options, setKEYFILE_PATTERNin/etc/cryptsetup-initramfs/conf-hook, runsudo update-initramfs -u, and treat the generated initramfs as sensitive.
Test without a reboot
Close any open mapper, then prove the keyfile unlocks the volume:
sudo umount /mnt/secure-data 2>/dev/null || true
sudo cryptsetup close secure_data 2>/dev/null || true
sudo cryptsetup open --key-file /etc/luks/secure-data.key /dev/sdc1 secure_data
sudo mount /dev/mapper/secure_data /mnt/secure-data
cat /mnt/secure-data/lab-check.txtSample output:
luks lab fileUnmount and close again, then exercise the crypttab line the way boot will:
sudo umount /mnt/secure-data
sudo cryptsetup close secure_data
sudo systemctl daemon-reload
sudo systemctl start systemd-cryptsetup@secure_data.service
sudo mount /mnt/secure-data
findmnt /mnt/secure-dataNo passphrase prompt should appear—the keyfile in crypttab handles unlock.
Confirm with a reboot
Reboot once. Boot should continue without a LUKS prompt; fstab mounts /mnt/secure-data after unlock:
sudo rebootAfter login:
findmnt /mnt/secure-data
cat /mnt/secure-data/lab-check.txt
mount | grep secure_dataSample output:
TARGET SOURCE FSTYPE OPTIONS
/mnt/secure-data /dev/mapper/secure_data ext4 rw,noatime
luks lab file
/dev/mapper/secure_data on /mnt/secure-data type ext4 (rw,noatime)That triple check—findmnt, file readback, and mount—confirms auto-mount survived a full boot cycle.
crypttab options: nofail, timeouts, and discard
The fourth crypttab field accepts comma-separated flags. These matter most on systemd-based distros and SSD-backed LUKS volumes.
| Option | Effect |
|---|---|
nofail |
Boot continues if the device is absent or unlock fails. Use for USB or hot-plug data disks; pair with nofail on the matching fstab line. |
x-systemd.device-timeout=30s |
Wait up to 30 seconds for the backing block device before giving up (works with nofail on slow SAN or NVMe enclosures). |
discard |
Pass TRIM/discard through the dm-crypt mapping. Helps SSD longevity; assess whether your threat model tolerates discard-related leakage (see man 5 crypttab). |
Examples:
secure_data UUID=5f452b2f-3b11-4494-890b-d6c3e509c0ef none luks,nofail,x-systemd.device-timeout=30s
secure_data UUID=5f452b2f-3b11-4494-890b-d6c3e509c0ef /etc/luks/secure-data.key luks,discardFor optional data disks, x-systemd.automount on the fstab line mounts on first access instead of blocking boot:
UUID=9fe05bbb-e530-48ed-a8f7-461febc7329f /mnt/secure-data ext4 defaults,noatime,nofail,x-systemd.automount 0 2For a disk that must block boot until unlocked, omit nofail so a failed unlock surfaces immediately at the boot prompt.
About noearly:
- Debian crypttab/init-script option for older or non-systemd flows.
- Ignored for initramfs devices; not supported by systemd.
- For a normal secondary data disk, omit
initramfsinstead of relying onnoearly.
When to update initramfs
For a normal secondary data disk that unlocks after the root filesystem is mounted, editing /etc/crypttab is usually enough. Systemd reads /etc/crypttab during boot and creates the matching [email protected].
Run sudo update-initramfs -u when:
- the LUKS device is needed in early boot, such as root, resume, or a device marked with the
initramfsoption; - you intentionally want this data disk unlocked in the initramfs stage;
- you changed a keyfile that must be copied into the initramfs;
- you changed cryptsetup initramfs hook settings.
For the plain secondary-data-disk examples in this guide, use the Test without a reboot steps in each path above before you run Confirm with a reboot.
When early-boot unlock or initramfs keyfiles apply, regenerate the initramfs:
sudo update-initramfs -uSample output:
update-initramfs: Generating /boot/initrd.img-7.0.0-27-genericRegenerate only when an item in the list above applies—secondary data disks without the initramfs option do not need this for every crypttab edit.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
Boot stops at a passphrase prompt (Plymouth GUI or Please unlock disk … on text console) |
none in crypttab requires interactive passphrase |
Type the LUKS passphrase at the prompt, switch crypttab to a keyfile path, or add nofail for optional disks |
Endless passphrase prompts or device not found |
Wrong LUKS UUID in crypttab—ext4 UUID, PARTUUID, or stale value from a cloned disk | Run sudo blkid /dev/sdc1; fix the UUID= field; if the entry uses initramfs, run update-initramfs -u; reboot |
| New crypttab line ignored at early boot | Stale initramfs for a device marked initramfs |
Run sudo update-initramfs -u and reboot; secondary disks without initramfs are handled by systemd from the real root |
mount: unknown filesystem type 'crypto_LUKS' |
fstab points at the LUKS partition UUID, not the filesystem inside the mapper | Use sudo blkid /dev/mapper/secure_data for the ext4 UUID on the fstab line |
| Mount succeeds but expected files are missing | fstab points to the wrong filesystem UUID, or you mounted a different mapper/device | Check findmnt /mnt/secure-data, blkid, and lsblk -f; fix fstab to use the filesystem UUID inside the intended mapper |
| Keyfile unlock works manually but fails at boot | Wrong key path, permissions, or keyfile not in initramfs when initramfs is set |
Use an absolute keyfile path with chown root:root and chmod 600; if early boot unlock is required, set KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook and run update-initramfs -u |
| Dropped to initramfs emergency shell | fstab mount ran before crypttab unlock, or a required volume failed without nofail |
From the shell: cryptsetup open /dev/sdc1 secure_data, then exit; add nofail to both crypttab and fstab for optional disks |
/dev/mapper/secure_data missing after boot |
cryptsetup not installed; generator did not start units |
Install cryptsetup; check systemctl status 'systemd-cryptsetup@secure_data.service' |
cryptdisks_start reports not found in crypttab |
No matching line in /etc/crypttab yet |
Add the crypttab line first, or test with sudo cryptsetup open using the same UUID and key path |
References
Summary
- Collect the LUKS UUID (
blkidon the encrypted partition) and the ext4 UUID (blkidon/dev/mapper/nameafter unlock). - Add
/etc/crypttabwith mapper name,UUID=<luks-uuid>, key path (nonefor a passphrase prompt or a keyfile for auto-mount), and options (luks, plusnofailordiscardwhen needed—omitinitramfsfor a normal secondary data disk). - Add
/etc/fstabwith the filesystem UUID on the mount point—not the LUKS UUID. - Test without a reboot (
systemctl start [email protected]orcryptdisks_start, thenmount). - Confirm with a reboot—passphrase path shows a boot prompt; keyfile path mounts silently.
- Run
update-initramfs -uonly when early-boot unlock or initramfs keyfiles are required.

