integritytab(5) — Linux manual page


INTEGRITYTAB(5)               integritytab               INTEGRITYTAB(5)

NAME

       integritytab - Configuration for integrity block devices

SYNOPSIS


DESCRIPTION

       The /etc/integritytab file describes integrity protected block
       devices that are set up during system boot.

       Empty lines and lines starting with the "#" character are
       ignored. Each of the remaining lines describes one
       integrity protected block device. Fields are delimited by white

       Each line is in the form

           volume-name block-device
               [keyfile|-] [options|-]

       The first two fields are mandatory; the remaining two are
       optional and only required if the user specified non-default
       options during integrity format.

       The first field contains the name of the resulting integrity
       volume; its block device is set up below /dev/mapper/.

       The second field contains a path to the underlying block device,
       or a specification of a block device via "UUID=" followed by the
       UUID, "PARTUUID=" followed by the partition UUID, "LABEL="
       followed by the label, "PARTLABEL=" followed by the partition

       The third field, if present, contains an absolute filename path
       to a key file or a "-" to specify none. When the filename is
       present, the "integrity-algorithm" defaults to "hmac-sha256" with
       the key length derived from the number of bytes in the key file.
       At this time the only supported integrity algorithm when using a
       key file is hmac-sha256. The maximum size of the key file is 4096

       The fourth field, if present, is a comma-delimited list of
       options or a "-" to specify none. The following options are

           Allow the use of discard (TRIM) requests for the device. This
           option is available since the Linux kernel version 5.7.

           Added in version 250.

           Enable journaled, bitmapped or direct (passthrough) mode.
           Journaled mode is the default when this option is not
           specified. It provides safety against crashes, but can be
           slow because all data has to be written twice. Bitmap mode is
           more efficient since it requires only a single write, but it
           is less reliable because if data corruption happens when the
           machine crashes, it might not be detected. Direct mode
           disables the journal and the bitmap. Corresponds to the
           "direct writes" mode documented in the dm-integrity
           documentation[1]. Note that without a journal, if there is a
           crash, it is possible that the integrity tags and data will
           not match. If used, the journal-* options below will have no
           effect if passed.

           Added in version 254.

           Journal watermark in percent. When the journal percentage
           exceeds this watermark, the journal flush will be started.
           Setting a value of "0%" uses the default value.

           Added in version 250.

           Commit time in milliseconds. When this time passes (and no
           explicit flush operation was issued), the journal is written.
           Setting a value of zero uses the default value.

           Added in version 250.

           Specify a separate block device that contains existing data.
           The block device given in the second field of the
           integritytab line will then contain the calculated integrity
           tags and journal for data-device, but not the end user data.

           Added in version 250.

           The algorithm used for integrity checking. The default is
           crc32c. Must match the option used during format.

           Added in version 250.

       At early boot and when the system manager configuration is
       reloaded, this file is translated into native systemd units by

EXAMPLES

       Example 1. /etc/integritytab

       Set up two integrity protected block devices.

           home PARTUUID=4973d0b8-1b15-c449-96ec-94bab7f6a7b8 - journal-commit-time=10,allow-discards,journal-watermark=55%
           data PARTUUID=5d4b1808-be76-774d-88af-03c4c3a41761 - allow-discards

       Example 2. /etc/integritytab

       Set up one integrity protected block device using defaults.

           home PARTUUID=4973d0b8-1b15-c449-96ec-94bab7f6a7b8

       Example 3. /etc/integritytab

       Set up one integrity device using an existing data block device
       which contains user data.

           home PARTUUID=4973d0b8-1b15-c449-96ec-94bab7f6a7b8 - data-device=/dev/disk/by-uuid/9276d9c0-d4e3-4297-b4ff-3307cd0d092f

       Example 4. /etc/integritytab

       Set up one integrity device using an HMAC key file and defaults.

           home PARTUUID=4973d0b8-1b15-c449-96ec-94bab7f6a7b8 /etc/hmac.key
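
       The following linter is an added example, not part of the
       original manual page or of systemd. It applies the field rules
       described above to the text of an integritytab file; the function
       name, the sample lines and /dev/sdz9 are constructed, and only
       option names that appear on this page are recognised.

```python
import re
# Option names visible in this page's text and examples; others are reported.
FLAGS = {"allow-discards"}
VALUED = {
    "journal-watermark": re.compile(r"(100|\d{1,2})%"),
    "journal-commit-time": re.compile(r"\d+"),
    "data-device": re.compile(r"\S+"),
    "integrity-algorithm": re.compile(r"\S+"),
}

def check_integritytab(text):
    """Parse integritytab text; return (entries, problems)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # empty lines and comments are ignored
        fields = line.split()
        if not 2 <= len(fields) <= 4:
            problems.append((lineno, "expected 2 to 4 fields"))
            continue
        fields += ["-"] * (4 - len(fields))  # missing optional fields act as "-"
        name, device, keyfile, optstr = fields
        opts = {}
        for item in ([] if optstr == "-" else optstr.split(",")):
            key, eq, value = item.partition("=")
            opts[key] = value
            bad = bool(eq) if key in FLAGS else not (
                eq and key in VALUED and VALUED[key].fullmatch(value))
            if bad:
                problems.append((lineno, f"unknown or malformed option {item!r}"))
        keyed = keyfile != "-"
        if keyed and not keyfile.startswith("/"):
            problems.append((lineno, "key file path must be absolute"))
        # With a key file the algorithm defaults to hmac-sha256, else crc32c.
        algo = opts.get("integrity-algorithm") or ("hmac-sha256" if keyed else "crc32c")
        if keyed and algo != "hmac-sha256":
            problems.append((lineno, "key file requires hmac-sha256"))
        entries.append({"name": name, "device": device, "keyed": keyed,
                        "algorithm": algo, "options": opts})
    return entries, problems

# Constructed sample: one valid line from Example 1, then three faulty lines.
SAMPLE = """\
home PARTUUID=4973d0b8-1b15-c449-96ec-94bab7f6a7b8 - journal-commit-time=10,allow-discards,journal-watermark=55%
data PARTUUID=5d4b1808-be76-774d-88af-03c4c3a41761 hmac.key integrity-algorithm=crc32c
scratch
logs /dev/sdz9 /etc/hmac.key journal-watermark=150
"""
```

       Entries reported with "keyed" false use the unkeyed crc32c
       default, which catches accidental corruption but cannot
       authenticate data against deliberate modification.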

SEE ALSO

       systemd(1), systemd-integritysetup@.service(8),
       systemd-integritysetup-generator(8), integritysetup(8)

NOTES

        1. the dm-integrity documentation

COLOPHON

       This page is part of the systemd (systemd system and service
       manager) project. This page was obtained from the project's
       upstream Git repository on 2024-06-14. (At that time, the date of
       the most recent commit that was found in the repository was
       2024-06-13.)
systemd 257~devel                                        INTEGRITYTAB(5)
