# phpman > man > systemd-cryptsetup(8)

SYSTEMD-CRYPTSETUP@[.SERVICE(8)](https://www.chedong.com/phpMan.php/man/.SERVICE/8/markdown)       systemd-cryptsetup@.service      SYSTEMD-CRYPTSETUP@[.SERVICE(8)](https://www.chedong.com/phpMan.php/man/.SERVICE/8/markdown)



## NAME
       systemd-cryptsetup@.service, systemd-cryptsetup - Full disk decryption logic

## SYNOPSIS
       systemd-cryptsetup@.service

       system-systemd\x2dcryptsetup.slice

       /lib/systemd/systemd-cryptsetup

## DESCRIPTION
       systemd-cryptsetup@.service is a service responsible for setting up encrypted block devices.
       It is instantiated for each device that requires decryption for access.

       systemd-cryptsetup@.service instances are part of the system-systemd\x2dcryptsetup.slice
       slice, which is destroyed only very late in the shutdown procedure. This allows the encrypted
       devices to remain up until filesystems have been unmounted.

       systemd-cryptsetup@.service will ask for hard disk passwords via the **password** **agent** **logic**[1],
       in order to query the user for the password using the right mechanism at boot and during
       runtime.

       At early boot and when the system manager configuration is reloaded, /etc/crypttab is
       translated into systemd-cryptsetup@.service units by [**systemd-cryptsetup-generator**(8)](https://www.chedong.com/phpMan.php/man/systemd-cryptsetup-generator/8/markdown).

       In order to unlock a volume a password or binary key is required.
       systemd-cryptsetup@.service tries to acquire a suitable password or binary key via the
       following mechanisms, tried in order:

        1. If a key file is explicitly configured (via the third column in /etc/crypttab), a key
           read from it is used. If a PKCS#11 token, FIDO2 token or TPM2 device is configured (using
           the _pkcs11-uri=_, _fido2-device=_, _tpm2-device=_ options) the key is decrypted before use.

        2. If no key file is configured explicitly this way, a key file is automatically loaded from
           /etc/cryptsetup-keys.d/_volume_.key and /run/cryptsetup-keys.d/_volume_.key, if present. Here
           too, if a PKCS#11/FIDO2/TPM2 token/device is configured, any key found this way is
           decrypted before use.

        3. If the _try-empty-password_ option is specified it is then attempted to unlock the volume
           with an empty password.

        4. The kernel keyring is then checked for a suitable cached password from previous attempts.

        5. Finally, the user is queried for a password, possibly multiple times, unless the _headless_
           option is set.

       If no suitable key may be acquired via any of the mechanisms describes above, volume
       activation fails.

## SEE ALSO
       [**systemd**(1)](https://www.chedong.com/phpMan.php/man/systemd/1/markdown), [**systemd-cryptsetup-generator**(8)](https://www.chedong.com/phpMan.php/man/systemd-cryptsetup-generator/8/markdown), [**crypttab**(5)](https://www.chedong.com/phpMan.php/man/crypttab/5/markdown), [**systemd-cryptenroll**(1)](https://www.chedong.com/phpMan.php/man/systemd-cryptenroll/1/markdown),
       [**cryptsetup**(8)](https://www.chedong.com/phpMan.php/man/cryptsetup/8/markdown)

## NOTES
        1. password agent logic
           <https://systemd.io/PASSWORD_AGENTS/>



systemd 249                                                           SYSTEMD-CRYPTSETUP@[.SERVICE(8)](https://www.chedong.com/phpMan.php/man/.SERVICE/8/markdown)