community.general.crypttab module – Encrypted Linux block devices

Note

This module is part of the community.general collection (version 10.7.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.crypttab.

Synopsis
Parameters
Attributes
Examples

Synopsis

Control Linux encrypted block devices that are set up during system boot in /etc/crypttab.

Parameters

Parameter	Comments
backing_device string	Path to the underlying block device or file, or the UUID of a block-device prefixed with `UUID=`.
name string / required	Name of the encrypted block device as it appears in the `/etc/crypttab` file, or optionally prefixed with `/dev/mapper/`, as it appears in the filesystem. `/dev/mapper/` is stripped from `name`.
opts string	A comma-delimited list of options. See `crypttab(5)` for details.
password path	Encryption password, the path to a file containing the password, or `-` or unset if the password should be entered at boot.
path path	Path to file to use instead of `/etc/crypttab`. This might be useful in a chroot environment. Default: `"/etc/crypttab"`
state string / required	Use `present` to add a line to `/etc/crypttab` or update its definition if already present. Use `absent` to remove a line with matching `name`. Use `opts_present` to add options to those already present; options with different values are updated. Use `opts_absent` to remove options from the existing set. Choices: `"absent"` `"opts_absent"` `"opts_present"` `"present"`

Attributes

Attribute	Support	Description
check_mode	Support: full	Can run in `check_mode` and return changed status prediction without modifying target.
diff_mode	Support: none	Will return details on what has changed (or possibly needs changing in `check_mode`), when in diff mode.

Examples

- name: Set the options explicitly a device which must already exist
  community.general.crypttab:
    name: luks-home
    state: present
    opts: discard,cipher=aes-cbc-essiv:sha256

- name: Add the 'discard' option to any existing options for all devices
  community.general.crypttab:
    name: '{{ item.device }}'
    state: opts_present
    opts: discard
  loop: '{{ ansible_mounts }}'
  when: "'/dev/mapper/luks-' in item.device"

- name: Add entry to /etc/crypttab for luks-home with password file
  community.general.crypttab:
    name: luks-home
    backing_device: UUID=123e4567-e89b-12d3-a456-426614174000
    password: /root/keys/luks-home.key
    opts: discard,cipher=aes-cbc-essiv:sha256
    state: present

Authors

Steve (@groks)

Collection links

© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/crypttab_module.html