community.general.crypttab module – Encrypted Linux block devices

Note

This module is part of the community.general collection (version 9.4.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.crypttab.

Synopsis

  • Control Linux encrypted block devices that are set up during system boot in /etc/crypttab.

Parameters

Parameter

Comments

backing_device

string

Path to the underlying block device or file, or the UUID of a block-device prefixed with UUID=.

name

string / required

Name of the encrypted block device as it appears in the /etc/crypttab file, or optionally prefixed with /dev/mapper/, as it appears in the filesystem. /dev/mapper/ will be stripped from name.

opts

string

A comma-delimited list of options. See crypttab(5) for details.

password

path

Encryption password, the path to a file containing the password, or - or unset if the password should be entered at boot.

path

path

Path to file to use instead of /etc/crypttab.

This might be useful in a chroot environment.

Default: "/etc/crypttab"

state

string / required

Use present to add a line to /etc/crypttab or update its definition if already present.

Use absent to remove a line with matching name.

Use opts_present to add options to those already present; options with different values will be updated.

Use opts_absent to remove options from the existing set.

Choices:

  • "absent"

  • "opts_absent"

  • "opts_present"

  • "present"

Attributes

Attribute

Support

Description

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Examples

- name: Set the options explicitly a device which must already exist
  community.general.crypttab:
    name: luks-home
    state: present
    opts: discard,cipher=aes-cbc-essiv:sha256

- name: Add the 'discard' option to any existing options for all devices
  community.general.crypttab:
    name: '{{ item.device }}'
    state: opts_present
    opts: discard
  loop: '{{ ansible_mounts }}'
  when: "'/dev/mapper/luks-' in {{ item.device }}"

Authors

  • Steve (@groks)