=== debian/libcryptsetup4.symbols ===

libcryptsetup.so.4 libcryptsetup4 #MINVER#
 CRYPTSETUP_1.0@CRYPTSETUP_1.0 2:1.4
 crypt_activate_by_keyfile@CRYPTSETUP_1.0 2:1.4
 crypt_activate_by_keyfile_offset@CRYPTSETUP_1.0 2:1.4.3
 crypt_activate_by_passphrase@CRYPTSETUP_1.0 2:1.4
 crypt_activate_by_volume_key@CRYPTSETUP_1.0 2:1.4
 crypt_benchmark@CRYPTSETUP_1.0 2:1.6
 crypt_benchmark_kdf@CRYPTSETUP_1.0 2:1.6
 crypt_deactivate@CRYPTSETUP_1.0 2:1.4
 crypt_dump@CRYPTSETUP_1.0 2:1.4
 crypt_format@CRYPTSETUP_1.0 2:1.4
 crypt_free@CRYPTSETUP_1.0 2:1.4
 crypt_get_active_device@CRYPTSETUP_1.0 2:1.4
 crypt_get_cipher@CRYPTSETUP_1.0 2:1.4
 crypt_get_cipher_mode@CRYPTSETUP_1.0 2:1.4
 crypt_get_data_offset@CRYPTSETUP_1.0 2:1.4
 crypt_get_device_name@CRYPTSETUP_1.0 2:1.4
 crypt_get_dir@CRYPTSETUP_1.0 2:1.4
 crypt_get_error@CRYPTSETUP_1.0 2:1.4
 crypt_get_iv_offset@CRYPTSETUP_1.0 2:1.4
 crypt_get_rng_type@CRYPTSETUP_1.0 2:1.4
 crypt_get_type@CRYPTSETUP_1.0 2:1.4
 crypt_get_uuid@CRYPTSETUP_1.0 2:1.4
 crypt_get_verity_info@CRYPTSETUP_1.0 2:1.5
 crypt_get_volume_key_size@CRYPTSETUP_1.0 2:1.4
 crypt_header_backup@CRYPTSETUP_1.0 2:1.4
 crypt_header_restore@CRYPTSETUP_1.0 2:1.4
 crypt_init@CRYPTSETUP_1.0 2:1.4
 crypt_init_by_name@CRYPTSETUP_1.0 2:1.4
 crypt_init_by_name_and_header@CRYPTSETUP_1.0 2:1.4
 crypt_keyslot_add_by_keyfile@CRYPTSETUP_1.0 2:1.4
 crypt_keyslot_add_by_keyfile_offset@CRYPTSETUP_1.0 2:1.4.3
 crypt_keyslot_add_by_passphrase@CRYPTSETUP_1.0 2:1.4
 crypt_keyslot_add_by_volume_key@CRYPTSETUP_1.0 2:1.4
 crypt_keyslot_area@CRYPTSETUP_1.0 2:1.6
 crypt_keyslot_change_by_passphrase@CRYPTSETUP_1.0 2:1.6
 crypt_keyslot_destroy@CRYPTSETUP_1.0 2:1.4
 crypt_keyslot_max@CRYPTSETUP_1.0 2:1.4
 crypt_keyslot_status@CRYPTSETUP_1.0 2:1.4
 crypt_last_error@CRYPTSETUP_1.0 2:1.4
 crypt_load@CRYPTSETUP_1.0 2:1.4
 crypt_log@CRYPTSETUP_1.0 2:1.4
 crypt_memory_lock@CRYPTSETUP_1.0 2:1.4
 crypt_repair@CRYPTSETUP_1.0 2:1.4.3
 crypt_resize@CRYPTSETUP_1.0 2:1.4
 crypt_resume_by_keyfile@CRYPTSETUP_1.0 2:1.4
 crypt_resume_by_keyfile_offset@CRYPTSETUP_1.0 2:1.4.3
 crypt_resume_by_passphrase@CRYPTSETUP_1.0 2:1.4
 crypt_set_confirm_callback@CRYPTSETUP_1.0 2:1.4
 crypt_set_data_device@CRYPTSETUP_1.0 2:1.4
 crypt_set_debug_level@CRYPTSETUP_1.0 2:1.4
 crypt_set_iterarion_time@CRYPTSETUP_1.0 2:1.4
 crypt_set_iteration_time@CRYPTSETUP_1.0 2:1.4.1
 crypt_set_log_callback@CRYPTSETUP_1.0 2:1.4
 crypt_set_password_callback@CRYPTSETUP_1.0 2:1.4
 crypt_set_password_retry@CRYPTSETUP_1.0 2:1.4
 crypt_set_password_verify@CRYPTSETUP_1.0 2:1.4
 crypt_set_rng_type@CRYPTSETUP_1.0 2:1.4
 crypt_set_timeout@CRYPTSETUP_1.0 2:1.4
 crypt_set_uuid@CRYPTSETUP_1.0 2:1.4
 crypt_status@CRYPTSETUP_1.0 2:1.4
 crypt_suspend@CRYPTSETUP_1.0 2:1.4
 crypt_volume_key_get@CRYPTSETUP_1.0 2:1.4
 crypt_volume_key_verify@CRYPTSETUP_1.0 2:1.4

=== debian/README.Debian ===

Cryptsetup for Debian
---------------------

Table of Contents

 1. Introduction into Cryptsetup for Debian
 2. Encrypted swap partition(s)
 3. Insecure mode/owner for keys
 4. Cryptsetup and udev
 5. Useful keyscripts: askpass and passdev
 6. The 'check' option
 7. Cryptsetup and Splashy
 8. Remotely unlock encrypted rootfs
 9. Backup the LUKS header
10. Changing the boot order of cryptdisks init scripts
11. Credits

1. Introduction into Cryptsetup for Debian
------------------------------------------

Cryptsetup is a command-line interface for configuring encrypted block devices via dm-crypt, a kernel device-mapper target. For documentation about the cryptsetup tool, see the manpage cryptsetup(8) and the frequently asked questions at /usr/share/doc/cryptsetup/FAQ.gz.

The Debian cryptsetup package provides the initscript /etc/init.d/cryptdisks and a configuration file /etc/crypttab for automatically configuring encrypted devices at boot time.
The applications cryptdisks_start and cryptdisks_stop are provided to process crypttab configured devices manually. See the manpages crypttab(5), cryptdisks_start(8) and cryptdisks_stop(8) for more information.

The luksformat script provides a simple interface for creating an encrypted device that follows the LUKS standard and for putting a file system onto the encrypted device. See man luksformat(8) for more information.

If you wish to perform a Debian installation to an encrypted root, you might be interested in using a version of Debian Installer with partman-crypto, which will install the system and set up cryptsetup and initramfs-tools. For instructions about how to encrypt your root filesystem and integrate cryptsetup into initramfs on a running system, see /usr/share/doc/cryptsetup/README.initramfs.gz.

2. Encrypted swap partition(s)
------------------------------

An encrypted swap partition prevents spying on plaintext secrets (passwords) that may be written to disk when memory is swapped to disk.

To encrypt your swap partitions, you'll first have to deactivate your swap:

  swapoff -a

You'll have to add an entry for every swap partition in /etc/crypttab. Be sure to replace the source device (here /dev/hda9) with your swap devices:

  #
  cswap1 /dev/hda9 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256

Now you need to change the swap devices in /etc/fstab to the encrypted swap device names (/dev/mapper/cswap1 in this example).

  #
  /dev/hda9 none swap sw 0 0

becomes

  #
  /dev/mapper/cswap1 none swap sw 0 0

Finally, you need to start the cryptsetup swap devices and reactivate swap:

  /etc/init.d/cryptdisks start
  swapon -a

That's it! You have an encrypted swap device.

Note that /dev/urandom provides only pseudo-random entropy. So if you're paranoid, rather use /dev/random as the source for random data. Be aware though that /dev/random might not provide enough random bytes for your key, causing your system to hang at boot, waiting for more entropy.
Moving the mouse and typing on the keyboard might help in this case.

Read the crypttab(5) manpage for more information, for example options to use a different encryption algorithm than the default.

3. Insecure mode/owner for keys
-------------------------------

Any key that is stored somewhere to be used with cryptsetup should have the mode 400 (-r--------) and root as owner/group. 'chown root.root keyfile' and 'chmod 400 keyfile' will do the trick for you.

If a key is stored on a vfat filesystem (very common for removable media), chmod and chown will not work. The vfat filesystem (and several others too) does not support file permissions and ownership. Instead, you should use the uid, gid and umask options in /etc/fstab to ensure secure permissions for the key.

As an example, assume that /dev/sdg2 is the removable media containing keyfiles on a vfat filesystem and that it is going to be mounted on /media/flash0. The configuration in /etc/fstab should then be something like this:

  #
  /dev/sdg2 /media/flash0 vfat uid=0,gid=0,umask=277 0 0

If you are using udev, it might be a good idea to use the /dev/disk/by-label links instead of /dev/sdg2, as the link will work no matter in which order the media is inserted and detected.

4. Cryptsetup and udev
----------------------

As a workaround for some yet-to-be-fixed race condition in the kernel, device-mapper or udev, cryptsetup currently runs udevsettle. This leads to problems if you invoke cryptsetup as part of a udev rule. udevsettle waits until queued kernel/udev events are processed and the 'run programs' have finished. Due to cryptsetup itself being a 'run program' in this case, this ends in a deadlock. Therefore cryptsetup should be detached directly after invocation in this case, so that it runs asynchronously.

5. Useful keyscripts: askpass and passdev
-----------------------------------------

The cryptsetup package ships with several keyscripts.
Keyscripts may be configured in /etc/crypttab in order to provide the key required to unlock the device. The shipped keyscripts are located at /lib/cryptsetup/scripts. Some keyscripts have their own README file at /usr/share/doc/cryptsetup/.

Two special keyscripts, worth mentioning here, are askpass and passdev.

Askpass is located at /lib/cryptsetup/askpass. It's a simple helper program that supports different methods (console, fifo, splashy, ...) to prompt for a passphrase, and prints the result to stdout. The syntax is:

  /lib/cryptsetup/askpass PROMPT

Passdev will wait for a given device to appear, mount it read-only, read the key, and unmount the device. See /usr/share/doc/cryptsetup/README.initramfs.gz for more information about passdev.

6. The 'check' option
---------------------

The 'check' option in crypttab allows one to configure checks to be run against the target device after cryptsetup has been invoked. The default check 'blkid' can check for any known filesystem type, as it uses blkid from util-linux. You can check for a particular filesystem by giving for example 'checkargs=ext4' or 'checkargs=swap' as an option in /etc/crypttab.

The 'precheck' option is for configuring checks to be run against the source device before cryptsetup has been invoked. They are only available for plain cryptsetup devices. LUKS devices have a hardcoded precheck that uses the 'isLuks' command of cryptsetup.

As there is no way to check a device for plain cryptsetup data, you can only check for data that should not be on the device. For example, the check could search for common filesystems on the device, and abort if it finds any. As this will never really ensure that no data is lost, the package doesn't provide such a check.

Another example for a precheck could be to check the partition table id. For a device that shall be used as a swap partition, it could verify that only partitions with type 'swap' (82) are used for encrypted swap.
Please send us your checks if you write new ones. If they are generally useful, we will include them in the package.

See man crypttab(5) for more information about the check system.

7. Cryptsetup and Splashy
-------------------------

Splashy support in cryptsetup is currently somewhat limited. Splashy is known to freeze at the password dialog for encrypted non-root filesystems. Only the password dialog for the encrypted root filesystem works. It seems like splashy freezes for any input dialog in initscripts, while input dialogs at the initramfs stage seem to work. This leads to the assumption that the bug is somewhere in splashy and neither in cryptsetup's initscripts nor in askpass.

8. Remotely unlock encrypted rootfs
-----------------------------------

Thanks to Chris it's possible to install a dropbear ssh server into the initramfs, connect to this ssh server during execution of the initramfs early in the boot process, and unlock encrypted devices - even the root device - before the boot process continues. This way it is possible to use an encrypted root filesystem on headless systems where no physical access is available during the boot process.

Dropbear 0.52-1 is required for this to work. Thankfully this version configures everything automatically, so all you have to do after installing dropbear on the remote system is to copy the root ssh keyfile from /etc/initramfs/root/ssh/id_rsa to your local system:

  $ scp remote.system.com:/etc/initramfs/root/ssh/id_rsa remote_rsa

Now the remote system should start dropbear automatically during initramfs execution at boot. You can log in to the initramfs via ssh

  $ ssh -i remote_rsa -l root remote.system.com

and echo the passphrase to a fifo file on the remote system:

  # echo -n "my_secret_passphrase" > /lib/cryptsetup/passfifo

That's it. Now that the encrypted root device is unlocked, the remote system should continue with the boot process.
/usr/share/doc/cryptsetup/README.remote.gz is a documentation with more details on the setup of an initramfs with support to remotely unlock the encrypted rootfs.

9. Backup the LUKS header
-------------------------

WARNING: This information might be outdated. Please read the cryptsetup FAQ at /usr/share/doc/cryptsetup/FAQ.gz for up-to-date information on how to backup the LUKS header.

The LUKS header is located at the beginning of every LUKS encrypted device. It stores information such as the used cipher, hash, etc. But most importantly, the header contains eight keyslots, which keep an encrypted version of the LUKS masterkey. The data on an encrypted LUKS partition is encrypted with this masterkey. Thus, there's no way to restore the data once the masterkey is lost. For that reason, one might want to backup the LUKS header in order to prevent accidental data loss.

On the other hand, keeping a backup of the LUKS header isn't recommended for security reasons. The reason is that LUKS was designed with key revocation in mind. Once the LUKS header is copied to a backup, revoking a (possibly compromised) passphrase or keyfile from the keyslot isn't enough anymore. The revoked passphrase/keyfile can easily be reactivated by writing back the header backup to the device.

Beginning with version 1.1.0, cryptsetup has support for the commands luksHeaderBackup and luksHeaderRestore. If you want to store a backup of your LUKS header with the mentioned drawbacks in mind, do the following:

Prepare a ramdisk to store the backup temporarily. You should do that in order to prevent any hardware caching functions or filesystem journals from copying the backup around to places you cannot control. If you want to store the backup permanently, write it to a read-only medium like CD immediately from the ramdisk, without your burning program writing an intermediate image to some temp dir.
To actually backup the header, use the following command:

  # cryptsetup luksHeaderBackup --header-backup-file

That's it. But once again, keep in mind all the security implications when doing LUKS header backups. In general it's better to backup the data from encrypted LUKS devices to another encrypted LUKS device. That way you can manage the keyslots for both original and backup device independently.

10. Changing the boot order of cryptdisks init scripts
-----------------------------------------------------

In order to support non-standard setups, it might be necessary to change the order of init scripts in the boot process. Cryptsetup already installs two init scripts, cryptdisks-early and cryptdisks, in order to support some complex setups. For example, both "lvm on luks" and "luks on lvm" are supported that way.

If your system isn't supported by the default order of init scripts in the boot process, you need to change the boot process on your own. In some cases it might be enough to change the LSB dependency headers of the initscripts, see /etc/init.d/README for more information about that. For more complex setups, more intrusive changes are required. For example, adding a third cryptdisks init script might help. See the log of bug report #576646[1] and the discussion on debian-devel[2] for further information.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576646
[2] http://lists.debian.org/debian-devel/2010/06/msg00021.html

11. Credits
-----------

People who contributed to the Debian cryptsetup package:

Jonas Meurer
David Härdeman
Bastian Kleineidam
Michael Gebetsroither

 -- Jonas Meurer , Thu, 17 Feb 2011 20:54:56 +0100

=== debian/cryptsetup-udeb.preinst ===

#! /bin/sh

set -e

# Create an empty /etc/crypttab (comment header only) on first install
create_crypttab() {
	if [ ! -f "/etc/crypttab" ]; then
		cat <<-EOC >/etc/crypttab
		#
		EOC
	fi
}

case "$1" in
	install)
		create_crypttab
		;;
	upgrade)
		;;
	abort-upgrade)
		;;
	*)
		echo "preinst called with unknown argument '$1'" >&2
		exit 1
		;;
esac

#DEBHELPER#

exit 0

=== debian/cryptdisks-early.init ===

#! /bin/sh
### BEGIN INIT INFO
# Provides:          cryptdisks-early
# Required-Start:    checkroot
# Required-Stop:     umountroot
# Should-Start:      udev mdadm-raid
# Should-Stop:       udev mdadm-raid
# X-Start-Before:    lvm2
# X-Stop-After:      lvm2 umountfs
# X-Interactive:     true
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Setup early encrypted block devices.
# Description:
### END INIT INFO

set -e

# All the work is done by the shared functions; bail out quietly if absent
if [ -r /lib/cryptsetup/cryptdisks.functions ]; then
	. /lib/cryptsetup/cryptdisks.functions
else
	exit 0
fi

INITSTATE="early"
DEFAULT_LOUD=""

case "$CRYPTDISKS_ENABLE" in
	[Nn]*)
		exit 0
		;;
esac

case "$1" in
	start)
		do_start
		;;
	stop)
		do_stop
		;;
	restart|reload|force-reload)
		do_stop
		do_start
		;;
	force-start)
		FORCE_START="yes"
		do_start
		;;
	*)
		echo "Usage: cryptdisks-early {start|stop|restart|reload|force-reload|force-start}"
		exit 1
		;;
esac

=== debian/source/format ===

3.0 (quilt)

=== debian/libcryptsetup4.dirs ===

/lib

=== debian/README.gnupg ===

using GnuPG keys for LUKS dm-crypt devices in Debian
----------------------------------------------------

The Debian cryptsetup package provides the keyscript decrypt_gnupg for setups with a GnuPG encrypted LUKS keyfile. The following example assumes that you store the encrypted keyfile in /etc/keys/cryptkey.gpg. The LUKS device is /dev/.
First, you'll have to create the encrypted keyfile:

  # dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
      --no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
      --trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg

Next, the LUKS device needs to be formatted with the key. For that, the decrypt_gnupg keyscript can be used:

  # /lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \
      cryptsetup --key-file=- luksFormat /dev/

In order to unlock the encrypted LUKS device automatically during the boot process, add the following to /etc/crypttab:

  cdev1 /dev/ /etc/keys/cryptkey.gpg luks,keyscript=decrypt_gnupg

encrypted root filesystem with GnuPG key
----------------------------------------

In case you want to encrypt the root filesystem with a GnuPG encrypted key, the provided initramfs hooks should do all additionally required work for you when the initramfs is created or updated.

Be warned though that the GnuPG key for the encrypted root is copied to the initramfs by the initramfs cryptgnupg hook. If you don't want your GnuPG key inside the initramfs, you should take a look at the initramfs cryptgnupg hook, which is located at /usr/share/initramfs-tools/hooks/cryptgnupg.

=== debian/copyright ===

Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Contact: Milan Broz
Source: http://code.google.com/p/cryptsetup

Files: *
Copyright: © 2004 Christophe Saout
           © 2004-2008 Clemens Fruhwirth
           © 2008-2010 Red Hat, Inc.
           © 2008-2013 Milan Broz
License: GPL-2+

Files: debian/*
Copyright: © 2004-2005 Wesley W. Terpstra
           © 2005-2006 Michael Gebetsroither
           © 2006-2008 David Härdeman
           © 2005-2013 Jonas Meurer
License: GPL-2+

Files: debian/askpass.c debian/passdev.c
Copyright: © 2008 David Härdeman
License: GPL-2+

Files: debian/README.openct
Copyright: © 2008 Daniel Baumann
License: GPL-2+

Files: debian/README.opensc
Copyright: © 2008 Benjamin Kiessling
License: GPL-2+

Files: debian/README.remote
Copyright: © 2009
License: GPL-2+

Files: debian/scripts/cryptdisks_start
Copyright: © 2007 Jon Dowland
License: GPL-2+

Files: debian/scripts/luksformat
Copyright: © 2005 Canonical Ltd.
License: GPL-2+

License: GPL-2+
 This package is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 .
 This package is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this package; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 .
 On Debian systems, the complete text of the GNU General Public
 License v2 can be found in `/usr/share/common-licenses/GPL-2'.
=== debian/cryptdisks.bash_completion ===

# cryptdisks_{start,stop} completion by first row of crypttab
#
# Copyright 2013 Claudius Hubig , 2-clause BSD

_cryptdisks() {
	local tf;
	tf=${TABFILE-"/etc/crypttab"};
	# Offer every target name (first column) of non-comment, non-empty lines
	COMPREPLY=($(egrep -v "^[[:space:]]*(#|$)" "${tf}" | egrep -o "^${COMP_WORDS[COMP_CWORD]}[^[:space:]]*"));
	return 0;
}
complete -F _cryptdisks cryptdisks_start;
complete -F _cryptdisks cryptdisks_stop;

=== debian/passdev.c ===

/*
 * passdev.c - waits for a given device to appear, mounts it and reads a
 * key from it which is piped to stdout.
 *
 * Copyright (C) 2008 David Härdeman
 *
 * This package is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This package is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this package; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */

#define _BSD_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mount.h>
#include <sys/wait.h>

static bool do_debug = false;

/* Print to stderr only when DEBUG=1 was given in the environment */
static void
debug(const char *fmt, ...)
{
	va_list ap;

	if (!do_debug)
		return;

	va_start(ap, fmt);
	vfprintf(stderr, fmt, ap);
	va_end(ap);
}

/*
 * Try /bin/mount with each known filesystem type in turn, always read-only
 * and with nodev,noexec,nosuid; returns true on the first successful mount.
 */
static bool
do_mount(const char *device, const char *dir)
{
	pid_t pid;
	int status;
	char *fstypes[] = { "ext4", "ext3", "ext2", "vfat", "btrfs", "reiserfs",
			    "xfs", "jfs", "ntfs", "iso9660", "udf" };
	int fsindex;

	if (!device || !dir)
		return false;

	for (fsindex = 0;
	     fsindex < (sizeof(fstypes) / sizeof(fstypes[0]));
	     fsindex++)
	{
		pid = fork();
		if (pid < 0) {
			/* Error */
			return false;
		} else if (pid > 0) {
			/* We're in the parent process */
			do {
				waitpid(pid, &status, 0);
			} while (!WIFEXITED(status) && !WIFSIGNALED(status));

			if (WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS)
				return true;

			/* Let's try another fstype */
			continue;
		} else {
			/* We're in the child process */
			debug("Mounting %s at %s\n", device, dir);
			close(STDIN_FILENO);
			close(STDOUT_FILENO);
			close(STDERR_FILENO);
			open("/dev/null", O_RDONLY, 0);
			open("/dev/null", O_WRONLY, 0);
			open("/dev/null", O_WRONLY, 0);
			execl("/bin/mount", "/bin/mount", "-n", "-t",
			      fstypes[fsindex],
			      /*"ext4,ext3,ext2,vfat,btrfs,reiserfs,xfs,jfs,ntfs,iso9660,udf",*/
			      "-o", "noatime,nodiratime,nodev,noexec,nosuid,ro",
			      device, dir, (char *)NULL);
			/* If execl works, we won't end up here */
			exit(EXIT_FAILURE);
		}
	}

	/* We've tried all fstypes with no luck */
	return false;
}

/* Usage: passdev <device>:<path-on-device>[:<timeout in seconds>] */
int
main(int argc, char **argv, char **envp)
{
	char *debugval;
	char *devpath;
	char *filepath;
	struct stat st;
	char *tmppath;
	char tpath[] = "/tmp/passdev.XXXXXX";
	char *keypath;
	int fd;
	size_t toread;
	size_t bytesread;
	char *keybuffer;
	size_t towrite;
	size_t byteswritten;
	ssize_t bytes;
	char *to;
	int timeout = 0;
	bool do_timeout = false;

	/* We only take one argument */
	if (argc != 2) {
		fprintf(stderr, "Incorrect number of arguments\n");
		goto error;
	}

	/* If DEBUG=1 is in the environment, enable debug messages */
	debugval = getenv("DEBUG");
	if (debugval && atoi(debugval) > 0)
		do_debug = true;

	/* Split string into device and path (and timeout) */
	devpath = argv[1];
	filepath = strchr(devpath, ':');
	if (!filepath || !(*filepath) || !(*(filepath + 1))) {
		fprintf(stderr, "Invalid key path\n");
		goto error;
	}

	*filepath = '\0';
	filepath++;
	to = strchr(filepath, ':');
	if (to && (*to) && (*(to + 1))) {
		*to = '\0';
		to++;
		timeout = atoi(to);
		if (timeout > 0)
			do_timeout = true;
	}

	/* Report the parsed device and key path (both are C strings) */
	debug("Path is %s and filepath is %s\n", devpath, filepath);
	if (do_timeout)
		debug("Timeout is %i\n", timeout);

	/* Wait until device is available */
	if (access(devpath, F_OK)) {
		debug("Waiting for %s\n", devpath);
		while (access(devpath, F_OK)) {
			sleep(1);
			if (do_timeout) {
				if (timeout <= 0)
					break;
				timeout--;
			}
		}
	}

	/* Make sure device is a blockdev */
	if (stat(devpath, &st)) {
		fprintf(stderr, "Unable to stat %s\n", devpath);
		goto error;
	} else if (!S_ISBLK(st.st_mode)) {
		fprintf(stderr, "%s is no block device\n", devpath);
		goto error;
	}

	/* Create a tmp dir where we mount the device */
	tmppath = mkdtemp(tpath);
	if (!tmppath) {
		fprintf(stderr, "Failed to create temporary directory\n");
		goto error;
	}

	/* Ok, mount it */
	if (!do_mount(devpath, tmppath)) {
		fprintf(stderr, "Failed to mount %s\n", devpath);
		goto error_rmdir;
	}

	/* Generate the full path to the keyfile */
	keypath = malloc(strlen(tmppath) + 1 + strlen(filepath) + 1);
	if (!keypath) {
		fprintf(stderr, "Failed to allocate memory\n");
		goto error_umount;
	}
	sprintf(keypath, "%s/%s", tmppath, filepath);

	/* Check that the keyfile exists */
	if (access(keypath, F_OK)) {
		fprintf(stderr, "Keyfile doesn't exist\n");
		goto error_free;
	}

	/* Get the size of the keyfile */
	if (stat(keypath, &st)) {
		fprintf(stderr, "Unable to stat keyfile\n");
		goto error_free;
	}

	/* Check the size of the keyfile */
	if (st.st_size < 0) {
		fprintf(stderr, "Invalid keyfile size\n");
		goto error_free;
	}
	toread = (size_t)st.st_size;

	/* Open the keyfile */
	if ((fd = open(keypath, O_RDONLY)) < 0) {
		fprintf(stderr, "Failed to open keyfile\n");
		goto error_free;
	}

	/* Allocate a buffer for the keyfile contents */
	keybuffer = malloc(toread);
	if (!keybuffer) {
		fprintf(stderr, "Failed to allocate memory\n");
		goto error_close;
	}

	/* Read the keyfile */
	bytesread = 0;
	while (bytesread < toread) {
		bytes = read(fd, keybuffer + bytesread, toread - bytesread);
		if (bytes <= 0) {
			fprintf(stderr, "Failed to read entire key\n");
			goto error_keybuffer;
		}
		bytesread += bytes;
	}

	/* Clean up: the key is in memory now, so release the device first */
	close(fd);
	free(keypath);
	umount(tmppath);
	rmdir(tmppath);

	/* Write result */
	byteswritten = 0;
	towrite = toread;
	while (byteswritten < towrite) {
		bytes = write(STDOUT_FILENO, keybuffer + byteswritten,
			      towrite - byteswritten);
		if (bytes <= 0) {
			fprintf(stderr, "Failed to write entire key\n");
			memset(keybuffer, 0, toread);
			free(keybuffer);
			goto error;
		}
		byteswritten += bytes;
	}

	/* Clean up: wipe the key material before freeing it */
	memset(keybuffer, 0, toread);
	free(keybuffer);

	/* Done */
	exit(EXIT_SUCCESS);

	/* Error handling */
error_keybuffer:
	memset(keybuffer, 0, toread);
	free(keybuffer);
error_close:
	close(fd);
error_free:
	free(keypath);
error_umount:
	umount(tmppath);
error_rmdir:
	rmdir(tmppath);
error:
	exit(EXIT_FAILURE);
}

=== debian/README.remote ===

unlocking rootfs via ssh login in initramfs
-------------------------------------------

You can unlock your rootfs on bootup from remote, using ssh to log in to the booting system while it's running with the initramfs mounted.

Setup
-----

For remote unlocking to work, the following packages have to be installed before building the initramfs:

  dropbear
  busybox

The file /etc/initramfs-tools/initramfs.conf holds the configuration options used when building the initramfs. It should contain BUSYBOX=y (this is set as the default when the busybox package is installed) to have busybox installed into the initramfs, and should not contain DROPBEAR=n, which would disable installation of dropbear to the initramfs. If set to DROPBEAR=y, dropbear will be installed in any case; if DROPBEAR isn't set at all, then dropbear will only be installed in case of an existing cryptroot setup.
The host keys used for the initramfs are dropbear_dss_host_key and dropbear_rsa_host_key, both located in /etc/initramfs-tools/etc/dropbear/. If they do not exist when the initramfs is compiled, they will be created automatically. Following are the commands to create them manually:

  # dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
  # dropbearkey -t rsa -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key

As the initramfs will not be encrypted, publickey authentication is assumed. The key(s) used for that will be taken from /etc/initramfs-tools/root/.ssh/authorized_keys. If this file doesn't exist when the initramfs is compiled, it will be created and /etc/initramfs-tools/root/.ssh/id_rsa.pub will be added to it. If the latter file doesn't exist either, it will be generated automatically - you will find the matching private key, which you will later need to log in to the initramfs, under /etc/initramfs-tools/root/.ssh/id_rsa (or id_rsa.dropbear in case you need it in dropbear format). Following are the commands to do the respective steps manually:

To create a key (in dropbear format):

  # dropbearkey -t rsa -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear

To convert the key from dropbear format to openssh format:

  # /usr/lib/dropbear/dropbearconvert dropbear openssh \
      /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
      /etc/initramfs-tools/root/.ssh/id_rsa

To extract the public key:

  # dropbearkey -y -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear | \
      grep "^ssh-rsa " > /etc/initramfs-tools/root/.ssh/id_rsa.pub

To add the public key to the authorized_keys file:

  # cat /etc/initramfs-tools/root/.ssh/id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys

In case you want some interface to get configured using dhcp, setting DEVICE= in /etc/initramfs-tools/initramfs.conf should be sufficient. The initramfs should also honour the ip= kernel parameter.
In case you use grub, you might want to set it in /boot/grub/menu.lst, either in the '# kopt=' line or appended to specific 'kernel' line(s). The ip= kernel parameter is documented in Documentation/nfsroot.txt in the kernel source tree.

Issues
------

Don't forget to run update-initramfs when you changed the config to make it effective!

Collecting enough entropy for the ssh daemon sometimes seems to be an issue. Startup of the ssh daemon might be delayed until enough entropy has been retrieved. This is non-blocking for the startup process, so when you are at the console you won't have to wait for the sshd to complete its startup.

Unlocking procedure
-------------------

To unlock from remote, you could do something like this:

  # ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" \
      -i "~/id_rsa.initramfs" root@initramfshost.example.com \
      "echo -ne \"secret\" >/lib/cryptsetup/passfifo"

This example assumes that you have an extra known_hosts file "~/.ssh/known_hosts.initramfs" which holds the cryptroot system's host key, that you have a file "~/id_rsa.initramfs" which holds the authorized key for the cryptroot system, that the cryptroot system's name is "initramfshost.example.com", and that the cryptroot passphrase is "secret".

 -- , Wed, 30 Sep 2009

=== debian/doc/cryptdisks_stop.xml ===

cryptdisks_stop(8)

NAME
    cryptdisks_stop - wrapper around cryptsetup that parses /etc/crypttab.

SYNOPSIS
    cryptdisks_stop <name>

DESCRIPTION
    cryptdisks_stop is a wrapper around cryptsetup that parses /etc/crypttab just like the initscript /etc/init.d/cryptdisks does and stops the dm-crypt mapping that corresponds to <name>.

SEE ALSO
    cryptdisks_start(8), cryptsetup(8), crypttab(5)

AUTHOR
    This manual page was written by Jonas Meurer <mejo@debian.org> in January 2008.
=== debian/doc/cryptdisks_start.xml ===

cryptdisks_start(8)

NAME
    cryptdisks_start - wrapper around cryptsetup that parses /etc/crypttab.

SYNOPSIS
    cryptdisks_start <name>

DESCRIPTION
    cryptdisks_start is a wrapper around cryptsetup that parses /etc/crypttab just like the initscript /etc/init.d/cryptdisks does and starts the dm-crypt mapping that corresponds to <name>.

    Note that this wrapper passes to cryptsetup, so the passphrase in any referenced key file must not be followed by a newline character.

SEE ALSO
    cryptdisks_stop(8), cryptsetup(8), crypttab(5)

AUTHOR
    This manual page was written by Jonas Meurer <mejo@debian.org> in December 2007.

=== debian/doc/crypttab.xml ===

crypttab(5)

NAME
    crypttab - static information about encrypted filesystems

DESCRIPTION
    The file /etc/crypttab contains descriptive information about encrypted filesystems. crypttab is only read by programs (e.g. cryptdisks_start and cryptdisks_stop), and not written; it is the duty of the system administrator to properly create and maintain this file. Each filesystem is described on a separate line; fields on each line are separated by tabs or spaces. Lines starting with # are comments, empty lines are ignored. The order of records in crypttab is important because the init scripts sequentially iterate through crypttab doing their thing.

    The first field, target, describes the mapped device name. It must be a plain filename without any directory components. A mapped device which encrypts/decrypts data to/from the source device will be created at /dev/mapper/target by cryptsetup.

    The second field, source device, describes either the block special device or file that contains the encrypted data. Instead of giving the source device explicitly, the UUID is supported as well, using UUID=<luks_uuid>.

    The third field, key file, describes the file to use as a key for decrypting the data of the source device.
  Note that the entire key file will be used as the passphrase; the passphrase must not be followed by a newline character. It can also be a device name (e.g. /dev/urandom); note however that LUKS requires a persistent key and therefore does not support random data keys. If the key file is the string none, a passphrase will be read interactively from the console. In this case, the options precheck, check, checkargs and tries may be useful.

  The fourth field, options, describes the cryptsetup options associated with the encryption process. At minimum, the field should contain either the string luks or the cipher, hash and size options. Options are in the format: key=value [,key=value …]. The supported options are described below.

  Note that all four fields are mandatory and that a missing field will lead to unspecified behaviour.

OPTIONS
  cipher=<cipher>
      Encryption algorithm (ignored for LUKS devices). See cryptsetup -c.

  size=<size>
      Encryption key size (ignored for LUKS devices). See cryptsetup -s.

  hash=<hash>
      Hash algorithm (ignored for LUKS devices). See cryptsetup -h.

  offset=<offset>
      Start offset (ignored for LUKS devices). Uses cryptsetup -o.

  skip=<skip>
      Skip sectors at the beginning (ignored for LUKS devices). Uses cryptsetup -p.

  verify
      Verify password. Uses cryptsetup -y.

  readonly
      The backing device is read-only (e.g. a DVD).

  discard
      Allow discard (TRIM) requests for the device. WARNING: Assess the specific security risks carefully before enabling this option. For example, allowing discards on encrypted devices may lead to the leak of information about the ciphertext device (filesystem type, used space etc.) if the discarded blocks can be located easily on the device later. Kernel version 3.1 or more recent is required. For older versions the option is ignored.

  luks
      Use device with LUKS extensions.

  swap
      Run mkswap on the created device.

  tmp=<tmpfs>
      Run mkfs with filesystem type <tmpfs> on the created device. Default is ext4.
  precheck=<precheck>
      Check the content of the source device by a suitable program; if the check fails, the device is not created. If a program is provided as an argument, it is run, giving the source device as argument. Cryptdisks/cryptroot searches for the given program in /lib/cryptsetup/checks/ first, but a full path to the program is supported as well. Prechecks aren't invoked for LUKS devices, as these are checked with isLuks anyway. The default for plain dm-crypt devices is set in /etc/default/cryptdisks, or is un_blkid otherwise. Set to /bin/true in order to disable the precheck for a plain dm-crypt device.

  check=<check>
      Check the content of the target device by a suitable program; if the check fails, the device is removed. If a program is provided as an argument, it is run, giving the decrypted volume (target device) as first argument, and the value of the checkargs option as second argument. Cryptdisks/cryptroot searches for the given program in /lib/cryptsetup/checks/ first, but a full path to the program is supported as well. The default is set in /etc/default/cryptdisks (blkid).

  checkargs=<arguments>
      Give <arguments> as the second argument to the check script. See the CHECKSCRIPTS section for more information.

  tries=<num>
      The input of the passphrase is tried <num> times in case of failure. If you want to disable retries, pass tries=1. Default is 3. Setting tries=0 will ask for the passphrase until a correct one has been submitted (infinite retries).

  noearly
      The cryptsetup init scripts are invoked twice during the boot process - once before lvm, raid, etc. are started and once again after that. Sometimes you need to start your encrypted disks in a special order. With this option the device is ignored during the first invocation of the cryptsetup init scripts.

  noauto
      Entirely ignore the device at the boot process. It's still possible to map the device manually using cryptdisks_start.

  loud
      Be loud. Print warnings if a device does not exist. This option overrides the option quiet.
  quiet
      Be quiet. Don't print warnings if a device does not exist. This option overrides the option loud.

  keyscript=<path>
      The executable at the indicated path is executed with the key file from the third field of the crypttab as its only argument and the output is used as the key. This also works with encrypted root filesystems via initramfs if the executable is self-contained (i.e. an executable which does not rely on any external program which is not present in the initramfs environment).

      LIMITATIONS: All binaries and files on which the keyscript depends must be available at the time of execution. Special care needs to be taken for encrypted filesystems like /usr or /var. As an example, unlocking encrypted /usr must not depend on binaries from /usr/(s)bin.

      All fields of the appropriate crypttab entry are available to the keyscript as exported environment variables:

      CRYPTTAB_NAME
          The target name
      CRYPTTAB_SOURCE
          The source device
      CRYPTTAB_KEY
          The key file
      CRYPTTAB_TRIED
          Number of previous tries since start of cryptdisks (counts until CRYPTTAB_TRIES is reached).
      CRYPTTAB_OPTIONS
          A list of exported crypttab options
      CRYPTTAB_OPTION_<option>
          The value of the appropriate crypttab option, with value set to 'yes' in case the option is merely a flag.

  keyslot=<slot>
      Key slot (ignored for non-LUKS devices). See cryptsetup -S.

CHECKSCRIPTS
  blkid
      Checks for any known filesystem. Supports a filesystem type as argument via <checkargs>:

      no checkargs - succeeds if any valid filesystem is found on the device.
      "none" - succeeds if no valid filesystem is found on the device.
      "ext4" [or another filesystem type like xfs, swap, crypto_LUKS, ...] - succeeds if an ext4 filesystem is found on the device.

  un_blkid
      Checks for no known filesystem. Supports a filesystem type as argument via <checkargs>:

      no checkargs - succeeds if no valid filesystem is found on the device.
      "ext4" [or another filesystem type like xfs, swap, crypto_LUKS, ...] - succeeds if no ext4 filesystem is found on the device.
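A keyscript that uses the CRYPTTAB_TRIED variable described above, added here as an example and not one of the keyscripts shipped by the package: the first attempt reads a text key from the file named in the key field, later attempts prompt through /lib/cryptsetup/askpass. The script name keyscript-fallback.sh and the function names key_source and emit_key are assumptions.

```shell
#!/bin/sh
# Added example keyscript; not one of the keyscripts shipped by the package.
# Interface from crypttab(5): the key-file field arrives as $1, the CRYPTTAB_*
# variables are exported, and whatever this script writes to stdout is the key.
# Policy demonstrated: on the first attempt (CRYPTTAB_TRIED=0) take the key from
# the file named in the key field, e.g. a file on removable media listed in
# CRYPTDISKS_MOUNT; on later attempts, or if the file is absent, prompt through
# askpass instead. Assumed: the script name keyscript-fallback.sh, and that the
# key file holds a text passphrase (a binary key containing NUL bytes cannot
# pass through the shell command substitution used below).

ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"   # path the package ships

# key_source KEYFILE TRIED: print "file" when KEYFILE should be read, else "prompt".
key_source() {
    _keyfile="$1"
    _tried="${2:-0}"
    if [ "$_tried" -eq 0 ] && [ -n "$_keyfile" ] && [ "$_keyfile" != none ] \
        && [ -f "$_keyfile" ] && [ -r "$_keyfile" ]; then
        echo file
    else
        echo prompt
    fi
}

# emit_key KEYFILE: write the key to stdout without a trailing newline.
# crypttab(5) warns that a newline after the passphrase becomes part of it;
# the command substitution strips trailing newlines left behind by an editor.
emit_key() {
    _keyfile="$1"
    case "$(key_source "$_keyfile" "${CRYPTTAB_TRIED:-0}")" in
        file)
            printf '%s' "$(cat "$_keyfile")"
            ;;
        prompt)
            "$ASKPASS" "Unlocking ${CRYPTTAB_NAME:-device}, attempt $((${CRYPTTAB_TRIED:-0} + 1)): "
            ;;
    esac
}

# Act as the keyscript only when invoked under the assumed name, so that the
# functions can also be sourced and exercised on their own.
case "$0" in
    keyscript-fallback.sh|*/keyscript-fallback.sh) emit_key "$1" ;;
esac
```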
EXAMPLES
  # Encrypted swap device
  cswap /dev/sda6 /dev/urandom cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,swap

  # Encrypted LUKS disk with interactive password, identified by UUID
  cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks

  # Encrypted ext4 disk with interactive password
  # - retry 5 times if the check fails
  cdisk1 /dev/sda2 none cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,checkargs=ext4,tries=5

  # Encrypted disk with interactive password
  # - use a nondefault check script
  # - no retries
  cdisk2 /dev/hdc1 none cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,check=customscript,tries=1

  # Encrypted disk with interactive password
  # - twofish as the cipher
  cdisk3 /dev/sda3 none cipher=twofish,hash=ripemd160,size=256

ENVIRONMENT
  CRYPTDISKS_ENABLE
      Set to yes to run cryptdisks initscripts at startup. Set to no to disable cryptdisks initscripts. Default is yes.

  CRYPTDISKS_MOUNT
      Specifies the mountpoints that are mounted before cryptdisks is invoked. Takes mountpoints configured in /etc/fstab as arguments. Separate mountpoints by space. This is useful for keys on removable devices, such as cdrom, usbstick, flashcard, etc. Default is unset.

  CRYPTDISKS_CHECK
      Specifies the default checkscript to be run against the target device, after cryptdisks has been invoked. The target device is passed as the first and only argument to the checkscript. Takes effect if the check option is given in crypttab with no value. See documentation for check option above for more information.

  CRYPTDISKS_PRECHECK
      Specifies the default checkscript to be run against the source dm-crypt device, before cryptdisks has been invoked. The source device is given as the first and only argument to the checkscript. Takes effect if the precheck option is given in crypttab with no value. See documentation for precheck option above for more information.
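As an added example that is not part of the cryptsetup package or its init scripts, a POSIX sh checker that applies the field and option rules of this manual page to a crypttab file, including the advice to state cipher, hash and size explicitly on plain dm-crypt entries. The function names, the script name crypttab-lint.sh and the sample entries in the test are constructed.

```shell
#!/bin/sh
# Added example; not part of the cryptsetup package or its init scripts.
# crypttab_lint reads crypttab-formatted text on stdin, applies the rules
# from crypttab(5) as described above, prints one diagnostic per problem and
# returns 1 if any problem was found, 0 otherwise. It checks that:
#   - every entry has exactly four fields (a missing field is unspecified
#     behaviour);
#   - the target has no directory component;
#   - plain dm-crypt entries (no "luks" option) state cipher=, hash= and
#     size=, so a change of the upstream defaults cannot silently alter how
#     the device is set up (see KNOWN UPGRADE ISSUES);
#   - LUKS entries do not use a random key, which LUKS does not support;
#   - a random key on a plain entry is paired with swap or tmp, since data
#     under a key regenerated at every boot is unrecoverable.
# Function names and the script name crypttab-lint.sh are constructed.

# has_opt OPTIONS NAME: succeed if NAME appears in the comma-separated
# option list, either as a bare flag or as NAME=value.
has_opt() {
    _rest="$1,"
    while [ -n "$_rest" ]; do
        _opt="${_rest%%,*}"
        _rest="${_rest#*,}"
        case "$_opt" in
            "$2"|"$2"=*) return 0 ;;
        esac
    done
    return 1
}

# crypttab_lint: read entries on stdin and report problems.
crypttab_lint() {
    _rc=0
    _n=0
    set -f   # fields are split with "set --"; never glob-expand them
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        set -- $_line   # split on whitespace (tabs or spaces)
        case "${1:-}" in
            ''|\#*) continue ;;   # empty or comment line
        esac
        if [ $# -ne 4 ]; then
            echo "line $_n: expected 4 fields, got $#"
            _rc=1
            continue
        fi
        _target="$1"; _key="$3"; _opts="$4"
        case "$_target" in
            */*) echo "line $_n: target '$_target' must be a plain name"; _rc=1 ;;
        esac
        case "$_key" in
            /dev/random|/dev/urandom) _random=1 ;;
            *) _random=0 ;;
        esac
        if has_opt "$_opts" luks; then
            if [ "$_random" -eq 1 ]; then
                echo "line $_n: LUKS target '$_target' cannot use random key $_key"
                _rc=1
            fi
            continue   # cipher, hash and size live in the LUKS header
        fi
        for _req in cipher hash size; do
            if ! has_opt "$_opts" "$_req"; then
                echo "line $_n: plain dm-crypt target '$_target' lacks $_req= (set it; upstream defaults change)"
                _rc=1
            fi
        done
        if [ "$_random" -eq 1 ] && ! has_opt "$_opts" swap && ! has_opt "$_opts" tmp; then
            echo "line $_n: target '$_target' uses random key $_key without swap or tmp"
            _rc=1
        fi
    done
    set +f
    return "$_rc"
}

# Stand-alone run under the assumed script name:
#   sh crypttab-lint.sh < /etc/crypttab
case "$0" in
    crypttab-lint.sh|*/crypttab-lint.sh) crypttab_lint ;;
esac
```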
KNOWN UPGRADE ISSUES
  The upstream defaults for encryption cipher, hash and keysize have changed several times in the past, and they're expected to change again in future, for example if security issues arise. On LUKS devices, the settings in use are stored in the LUKS header, and thus don't need to be configured in /etc/crypttab. For plain dm-crypt devices, no information about the cipher, hash and keysize in use is available at all. Therefore we strongly suggest configuring the cipher, hash and keysize in /etc/crypttab for plain dm-crypt devices, even if they match the current default.

SEE ALSO
  cryptsetup(8), cryptdisks_start(8), cryptdisks_stop(8)

AUTHOR
  This manual page was originally written by Bastian Kleineidam <calvin@debian.org> for the Debian distribution of cryptsetup. It has been further improved by Michael Gebetsroither <michael.geb@gmx.at>, Jonas Meurer <jonas@freesources.org> and David Härdeman <david@hardeman.nu>.

debian/doc/manpages.xml

Manual Pages

debian/doc/variables.xml.in

VERSION cryptsetup cryptsetup manual DATE

debian/cryptsetup.docs

AUTHORS
FAQ
docs/*ReleaseNotes
debian/README.keyctl
debian/README.gnupg
debian/README.initramfs
debian/README.remote
debian/README.openct
debian/README.opensc

debian/cryptsetup.preinst

#! /bin/sh

set -e

create_crypttab() {
    if [ ! -f "/etc/crypttab" ]; then
        cat <<-EOC >/etc/crypttab
        #
        EOC
    fi
}

# Remove a no-longer used conffile
rm_conffile() {
    PKGNAME="$1"
    CONFFILE="$2"

    if [ -e "$CONFFILE" ]; then
        md5sum="`md5sum \"$CONFFILE\" | sed -e \"s/ .*//\"`"
        old_md5sum="`dpkg-query -W -f='${Conffiles}' $PKGNAME | sed -n -e \"\\\\' $CONFFILE '{s/ obsolete$//;s/.* //p}\"`"
        if [ "$md5sum" != "$old_md5sum" ]; then
            echo "Obsolete conffile $CONFFILE has been modified by you."
            echo "Saving as $CONFFILE.dpkg-bak ..."
            mv -f "$CONFFILE" "$CONFFILE".dpkg-bak
        else
            echo "Removing obsolete conffile $CONFFILE ..."
            rm -f "$CONFFILE"
        fi
    fi
}

VERSION_UDEV="2:1.0.6-5"

case "$1" in
    install)
        create_crypttab
        if dpkg --compare-versions "$2" le "$VERSION_UDEV"; then
            rm_conffile cryptsetup "/etc/udev/rules.d/z60_cryptsetup.rules"
        fi
        ;;
    upgrade)
        if dpkg --compare-versions "$2" le "$VERSION_UDEV"; then
            rm_conffile cryptsetup "/etc/udev/rules.d/z60_cryptsetup.rules"
        fi
        ;;
    abort-upgrade)
        ;;
    *)
        echo "preinst called with unknown argument '$1'" >&2
        exit 1
        ;;
esac

#DEBHELPER#

exit 0

debian/cryptsetup.maintscript

mv_conffile /etc/init/cryptdisks-early.conf /etc/init/cryptdisks-udev.conf 2:1.4.3-4
mv_conffile /etc/init/cryptdisks-enable.conf /etc/init/cryptdisks.conf 2:1.6.1-1ubuntu1~

debian/changelog

cryptsetup (2:1.6.1-1ubuntu1) trusty; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/control:
      + Bump initramfs-tools Suggests to Depends: so system is not potentially rendered unbootable.
      + Depend on plymouth.
    - Invert the "busybox | busybox-static" Recommends, as the latter is the one we ship in main as part of the ubuntu-standard task.
    - Remove hardcoded paths to udevadm (LP: #1184066).
    - debian/initramfs/cryptroot-hook:
      + Do not unconditionally include cryptsetup utils in the initramfs.
      + Do not include any modules or utils in the initramfs, unless rootfs/resume devices are encrypted or CRYPTSETUP is set to 'y' in the initramfs.conf configuration file.
    - debian/cryptsetup.maintscripts:
      + Migrate upstart jobs to new names.

 -- Dmitrijs Ledkovs  Fri, 01 Nov 2013 16:48:57 +0000

cryptsetup (2:1.6.1-1) unstable; urgency=low

  [ Milan Broz ]
  * new upstream version.
    (closes: #704827, 707997)
    - default LUKS encryption mode is XTS (aes-xts-plain64) (closes: #714331)
    - adds native support for Truecrypt and compatible on-disk format
    - adds benchmark command
    - adds cryptsetup-reencrypt, a tool to offline reencrypt LUKS device
    - adds veritysetup, a tool for dm-verity block device verification module
  * install docs/examples into docs at cryptsetup-dev package.
  * fix compilation warnings in askpass.c.

  [ Steve Langasek ]
  * fix upstart jobs to not cause boot hangs when actually used in conjunction with startpar. (closes: #694499, #677712).
  * in connection with the above, make the cryptdisks-early job explicitly wait for 'umountfs' on shutdown just like cryptdisks does; otherwise, the teardown of the cryptdisks upstart job may cause the cryptdisks-early init script to run before we're done unmounting filesystems.

  [ Jonas Meurer ]
  * minor wording fixes to README.initramfs, suggested by intrigeri and Adam D. Barrett.
  * add bash-completion script for cryptdisks_{start,stop}. Thanks to Claudius Hubig for providing a patch. (closes: #700777)
  * support specifying key-slot in crypttab. Thanks to Kevin Locke for the patch. (closes: #704470)
  * remove evms support code from cryptroot initramfs script. (closes: #713918)
  * fix location of keyscripts in initramfs documentation. (closes: #697446)
  * fix a typo in decrypt_ssl script that prevented stdout from being redirected to /dev/null. (closes: #700285)
  * give full path to blkid in cryptroot initramfs script. (closes: #697155)
  * export number of previous tries from cryptroot and cryptdisks to keyscript. Thanks to Laurens Blankers for the idea. Opens the possibility to fallback after a given number of tries for keyscripts. (closes: #438481, #471729, #697455)
  * improve check for cpu hardware encryption support in initramfs cryptroot hook.
    (closes: #714326)

 -- Jonas Meurer  Fri, 28 Jun 2013 12:10:41 +0200

cryptsetup (2:1.4.3-4ubuntu4) saucy; urgency=low

  * debian/initramfs/cryptroot-hook:
    - Do not unconditionally include cryptsetup utils in the initramfs.
    - Do not include any modules or utils in the initramfs, unless rootfs/resume devices are encrypted or CRYPTSETUP is set to 'y' in the initramfs.conf configuration file.

 -- Dmitrijs Ledkovs  Mon, 10 Jun 2013 16:25:46 +0100

cryptsetup (2:1.4.3-4ubuntu3) saucy; urgency=low

  * Remove hardcoded paths to udevadm (LP: #1184066).

 -- Colin Watson  Tue, 28 May 2013 11:27:27 +0100

cryptsetup (2:1.4.3-4ubuntu2) raring; urgency=low

  * Invert the "busybox | busybox-static" Recommends, as the latter is the one we ship in main as part of the ubuntu-standard task.

 -- Adam Conrad  Fri, 16 Nov 2012 01:14:35 -0700

cryptsetup (2:1.4.3-4ubuntu1) raring; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/control:
      + Bump initramfs-tools Suggests to Depends: so system is not potentially rendered unbootable.
      + Depend on plymouth.
    - init/upstart jobs:
      + Rename cryptdisks{,-early}.upstart jobs to cryptdisks-{enable,udev}.upstart, as we need both init & upstart jobs for now.
      + debian/cryptdisks{,-early}.init: Make the 'start' action of the init script a no-op, this should be handled entirely by the upstart job; and fix the LSB header to not declare this should be started in runlevel 'S'.
      + Do not install start symlinks for init scripts
      + NB! shutdown is still handled by the SystemV init scripts

 -- Dmitrijs Ledkovs  Tue, 13 Nov 2012 11:17:57 +0000

cryptsetup (2:1.4.3-4) unstable; urgency=medium

  * change recommends for busybox to busybox | busybox-static. Thanks to Armin Haas for the bugreport. (closes: #692151)

 -- Jonas Meurer  Wed, 07 Nov 2012 16:12:25 +0100

cryptsetup (2:1.4.3-3) unstable; urgency=medium

  * add recommends for 'kbd, console-setup' to cryptsetup package. Both are necessary to support local keymap in initramfs.
    Thanks to Raphaël Hertzog for the bugreport. (closes: #689722)
  * move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool, busybox' to recommends. Both are required for encrypted root fs.
  * remove suggestion for udev, most debian systems have it installed anyway.
  * mention option to use UUID= for source device in crypttab(5). Thanks to Felicitus for the bug report. (closes: #688786)
  * add a paragraph in README.initramfs: Describe why renaming the target name is not supported for encrypted root devices. Thanks to Adam Lee for bugreport and proposed workaround for this limitation. (closes: #671037)
  * fix keyfile permission checks in cryptdisks init scripts to follow symlinks. Thanks to intrigeri for the bugreport. (closes: #691517)
  * fix owner group check for keyfile in cryptdisks init scripts to really check owner group.
  * update debconf translations:
    - Brazilian Portuguese, thanks to Adriano Rafael Gomes. (closes: #685762)
    - Japanese, thanks to victory. (closes: #690784)
  * fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for the bugreport. (closes: #684086)

 -- Jonas Meurer  Thu, 01 Nov 2012 15:34:09 +0100

cryptsetup (2:1.4.3-2ubuntu1) quantal; urgency=low

  * Merge from debian unstable (LP: #1015753), remaining changes:
    - debian/control:
      + Bump initramfs-tools Suggests to Depends: so system is not potentially rendered unbootable.
      + Depend on plymouth.
    - init/upstart jobs:
      + Add debian/cryptdisks-{enable,udev}.upstart for bootup.
      + debian/cryptdisks{,-early}.init: Make the 'start' action of the init script a no-op, this should be handled entirely by the upstart job; and fix the LSB header to not declare this should be started in runlevel 'S'.
      + Do not install start symlinks for init scripts
      + NB! shutdown is still handled by the SystemV init scripts
  * Rename cryptdisks{,-early}.upstart jobs back to cryptdisks-{enable,udev}.upstart, as we need both init & upstart jobs for now.
  * Dropped Changes, included in Debian:
    - debian/control:
      + Split up package in cryptsetup and cryptsetup-bin. (LP: #343363).
    - debian/cryptdisks.functions:
      + Do not overwrite existing filesystems when creating swap (LP: #474258).
      + Add aesni module when we have hardware encryption.
      + Call 'udevadm settle' before 'dmsetup rename' http://pad.lv/874774
      + Suppress "Starting init crypto disks" message in "init" phase, to avoid writing over fsck progress text.
      + new function, crypttab_start_one_disk, to look for the named source device in /etc/crypttab (by device name, UUID, or label) and start it if configured to do so
      + handle the case where crypttab contains a name for the source device that is not the kernel's preferred name for it (as is the case for LVs).
    - debian/initramfs/cryptroot-hook:
      + Quiet warnings from find on arches that don't have all the kernel/{arch,crypto} bits we're testing for.

 -- Dmitrijs Ledkovs  Tue, 21 Aug 2012 11:57:28 +0100

cryptsetup (2:1.4.3-2) unstable; urgency=medium

  * fix the shared library symbols magic: so far, the symbols file for libcryptsetup4 included just a wildcard for all exported symbols, with libcryptsetup4 (>= 2:1.4) as minimum version. This was wrong. Symbols that were added later need adjusted minimum versions. Thanks for the great help in #debian-mentors. (closes: #677127)
  * remove empty directory /lib from cryptsetup-bin package.
  * compile askpass and passdev with CFLAGS, CPPFLAGS and LDFLAGS.

 -- Jonas Meurer  Tue, 12 Jun 2012 21:26:18 +0200

cryptsetup (2:1.4.3-1) unstable; urgency=low

  [ Jonas Meurer ]
  * mention limitations for keyscripts in crypttab(5) manpage: keyscripts must not depend on binaries/files which are part of the to-be-unlocked device. (closes: #665494)
  * bump versioned build-dependency on debhelper now that we install upstart initscripts in debian as well.
  * change versioned breaks/replaces for cryptsetup-bin on cryptsetup to 1.4.3-1~, fixing upgrades in debian.

  [ Jean-Louis Dupond ]
  * New upstream version.
    (closes: #670071)
    - Fix keyslot removal (closes: #672299)
    - Add -r to cryptsetup.8 (closes: #674027)
  * Split up package in cryptsetup and cryptsetup-bin.
  * I'm now co-maintainer (closes: #600777).
  * Start cryptdisks-enable upstart job on 'or container', to let us simplify the udevtrigger job.
  * debian/cryptdisks.functions: handle the case where crypttab contains a name for the source device that is not the kernel's preferred name for it (as is the case for LVs). (Thanks Steve Langasek)
  * debian/cryptdisks.functions: fix a race condition in some cases by adding a udevadm settle before rename.
  * debian/cryptdisks.functions: add UUID & LABEL support to do_start.
  * debian/copyright: really fix lintian warning.
  * debian/rules: also include upstart files in debian.

 -- Jonas Meurer  Fri, 08 Jun 2012 13:42:51 +0200

cryptsetup (2:1.4.1-3) unstable; urgency=low

  [ Jonas Meurer ]
  * finally add back support for configuration of custom rootfs-devices through the boot parameter 'root' to initramfs cryptroot script. Thanks a lot to August Martin for the bugreport as well as continuously debugging and providing patches. (closes: #546610)
  * use blkid instead of fstype to detect the content of devices in initramfs cryptroot script. Unfortunately fstype doesn't recognize md-raid devices, which leads to errors with encrypted devices on top of software raid.
  * check whether $NEWROOT already exists before actually invoking cryptsetup in initramfs cryptroot script. (closes: #653241)
  * fix conditions for prechecks at do_noluks() in cryptdisks.functions. Should prevent data loss with encrypted swap in most cases. (closes: #652497)
  * change default value for tmpfs and examples from ext2 to ext4.
  * minor code cleanup.
  * update debconf translations:
    - Russian, thanks to Yuri Kozlov. (closes: #661303)
    - Spanish, thanks to Camaleón. (closes: #661316)

  [ Jean-Louis Dupond ]
  * fix watch file.
  * always add aesni module to initramfs if we have hardware aes support. (closes: #639832).
  * debian/copyright: fix lintian warning.
  * add upstart scripts for ubuntu.
  * silence warnings on kernels without kernel/{arch,crypto}.
  * add crypttab_start_one_disk in function script to handle udev startup in ubuntu.
  * bump standards-version to 3.9.3, no changes needed.

 -- Jonas Meurer  Wed, 11 Apr 2012 23:55:35 +0200

cryptsetup (2:1.4.1-2ubuntu4) precise; urgency=low

  * Our swap creation can trigger udev change events, which means udev may be holding the device open at the time we try to call 'dmsetup rename' and cause the /subsequent/ events to be missed because of dmsetup creating device nodes by hand. So call 'udevadm settle' before 'dmsetup rename', to ensure blkid is out of the way first. This should ensure swap partitions are found by mountall in a non-racy manner. LP: #874774.

 -- Steve Langasek  Fri, 13 Apr 2012 20:23:21 -0700

cryptsetup (2:1.4.1-2ubuntu3) precise; urgency=low

  * Start cryptdisks-enable upstart job on 'or container', to let us simplify the udevtrigger job.

 -- Steve Langasek  Wed, 04 Apr 2012 17:02:00 -0700

cryptsetup (2:1.4.1-2ubuntu2) precise; urgency=low

  * Split up package in cryptsetup and cryptsetup-bin. (LP: #343363).
  * Do not overwrite existing filesystems when creating swap (LP: #474258).
  * Add aesni module when we have hardware encryption.

 -- Jean-Louis Dupond  Mon, 12 Mar 2012 10:14:30 +0100

cryptsetup (2:1.4.1-2ubuntu1) precise; urgency=low

  [ Jean-Louis Dupond ]
  * Merge from debian unstable (LP: #776264), remaining changes:
    - debian/cryptdisks.functions: Suppress "Starting init crypto disks" message in "init" phase, to avoid writing over fsck progress text.
    - debian/cryptroot-hook: Quiet warnings from find on arches that don't have all the kernel/{arch,crypto} bits we're testing for.
    - debian/control:
      + Bump initramfs-tools Suggests to Depends: so system is not potentially rendered unbootable.
      + Depend on plymouth.
    - Add debian/cryptdisks-{enable,udev}.upstart.
    - debian/cryptdisks.functions:
      + new function, crypttab_start_one_disk, to look for the named source device in /etc/crypttab (by device name, UUID, or label) and start it if configured to do so
    - debian/cryptdisks{,-early}.init: Make the 'start' action of the init script a no-op, this should be handled entirely by the upstart job; and fix the LSB header to not declare this should be started in runlevel 'S'
    - debian/rules:
      + Do not install start symlinks for init scripts, and install debian/cryptdisks-{enable,udev}.upstart scripts.

  [ Steve Langasek ]
  * debian/cryptdisks.functions: handle the case where crypttab contains a name for the source device that is not the kernel's preferred name for it (as is the case for LVs).

 -- Jean-Louis Dupond  Thu, 08 Mar 2012 07:32:40 +0100

cryptsetup (2:1.4.1-2) unstable; urgency=low

  * acknowledge NMU. Thanks to Michael Biebl. (closes: #659182)
  * don't print error for non-encrypted rootfs in initramfs cryptroot hook. Thanks to Jamie Heilman and Christoph Anton Mitterer for bugreports. (closes: #659087, #659106)
  * use dmsetup splitname to extract VG name from $node in initramfs cryptroot hook. Thanks to Kai Weber for the bugreport, Milan Broz and Claudio Imbrenda for suggestions and patches. (closes: #659235)

 -- Jonas Meurer  Sun, 12 Feb 2012 15:51:11 +0100

cryptsetup (2:1.4.1-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix dangling .so symlink. Don't hard code the library version but use readlink instead to determine where the .so symlink should point at. (closes: #659182)

 -- Michael Biebl  Sat, 11 Feb 2012 04:32:01 +0100

cryptsetup (2:1.4.1-1) unstable; urgency=low

  * new upstream release (1.4.0 + 1.4.1) (closes: #647851)
    - fixes typo in german translation. (closes: #645528)
    - remove patches, all incorporated upstream.
    - soname bump, rename library package to libcryptsetup4
  * check for busybox in initramfs cryptroot hook, and install the sed binary in case it's either not installed or not activated.
    (closes: #591853)
  * add checks for 'type $KEYSCRIPT' to initscripts cryptdisks.functions, and to cryptroot initramfs script/hook. this adds support for keyscripts inside $PATH. thanks to Ian Jackson for the suggestion. (closes: #597583)
  * use argument '--sysinit' for vgchange in cryptroot initramfs script. Thanks to Christoph Anton Mitterer for the suggestion.
  * add option for discard/trim features to crypttab and initramfs scripts. Thanks to intrigeri and Peter Colberg for patches. (closes: #648868)
  * print $target on error in initramfs hook. Thanks to Daniel Hahler for the bugreport. (closes: #648192)
  * add a warning about using decrypt_derived keyscript for devices with persistent data. Thanks to Arno Wagner for pointing this out.
  * remove quotes from resume device candidates at get_resume_devs() in initramfs hook script. Thanks to Johannes Rohr. (closes: #634017)
  * support custom $TABFILE, thanks to Douglas Huff. (closes: #638317)
  * fix get_lvm_deps() in initramfs cryptroot hook to add all physical volumes of lvm volume group that contains the rootfs logical volume, even if the rootfs lv is not spread over all physical volumes. Thanks to Christian Pernegger for bugreport and patch. (closes: #634109)
  * debian/initramfs/cryptroot-script: Move check for maximum number of tries behind the while loop, to make the warning appear in case that maximum number of tries is reached. Thanks to Christian Lamparter for bugreport and patch. (closes: #646083)
  * incorporate changes to package descriptions and debconf templates that were suggested by debian-l10n-english people. Special thanks go to Justin B Rye.
  * acknowledge NMU, thanks a lot to Christian Perrier for his great work on the i18n front. (closes: #633105, #641719, #641839, #641947, #642470, #640056, #642540, #643633, #643962, #644853)
  * add and update debconf translations:
    - Italian, thanks to Milo Casagrande, Francesca Ciceri. (closes: #656933)
    - German, thanks to Erik Pfannenstein.
      (closes: #642147)
    - Spanish, thanks to Camaleón. (closes: #658360)
    - Russian, thanks to Yuri Kozlov (closes: #654676)
  * set architecture to linux-any, depends on linux kernel anyway. Thanks to Christoph Egger. (closes: #638257)
  * small updates to the copyright file.
  * add targets build-indep and build-arch to debian/rules, thanks to lintian.

 -- Jonas Meurer  Sun, 05 Feb 2012 03:17:59 +0100

cryptsetup (2:1.3.0-3.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix pending l10n issues. Debconf translations:
    - French (Julien Patriarca). Closes: #633105
    - Vietnamese (Hung Tran). Closes: #641719
    - Portuguese (Miguel Figueiredo). Closes: #641839
    - Russian (Yuri Kozlov). Closes: #641947
    - Swedish (Martin Bagge / brother). Closes: #642470, #640056
    - Czech (Michal Simunek). Closes: #642540
    - Dutch (Jeroen Schot). Closes: #643633
    - Spanish (Camaleón). Closes: #643962
    - Danish (Joe Hansen). Closes: #644853

 -- Christian Perrier  Sun, 25 Dec 2011 19:00:24 +0100

cryptsetup (2:1.3.0-3) unstable; urgency=low

  * drop the loopback magick from cryptdisks scripts. Mario 'Bitkoenig' Holbe pointed out that auto-destruction support was added to the loopback driver with kernel 2.6.25. Given that even lenny has a more recent kernel, support for kernels < 2.6.25 is not required any more. (closes: #626458)
  * add debconf question 'prerm/active-mappings' with priority high to prerm maintainer script. will warn about active dm-crypt mappings before the package is removed/purged. (closes: #626641)
  * add lintian-override for 'cryptsetup: no-debconf-config', as the debconf question in prerm doesn't require a debconf config script.
  * add debian/patches/03_create_fix_keyfile.patch.
    (closes: #626738)

 -- Jonas Meurer  Thu, 19 May 2011 20:50:08 +0200

cryptsetup (2:1.3.0-2) unstable; urgency=low

  * fix changelog of 2:1.3.0-1 release, thanks to Thorsten Glaser for the hint

 -- Jonas Meurer  Thu, 12 May 2011 03:06:46 +0200

cryptsetup (2:1.3.0-1) unstable; urgency=low

  * new upstream release
    - automatically allocates loopback device for container files. update the cryptdisks functions to only setup loopback device for kernel < 2.6.35. otherwise, let cryptsetup do the magic itself.
    - introduces maximum default keyfile size, see --help for value. manually set the keyfile size with --keyfile-size in order to overwrite the limit.
    - adds luksChangeKey command for changing passphrase/keyfile in one step
    - adds loopAES compatibility command loopaesOpen
    - remove d/patches/01_luksAddKey_return_code.patch, incorporated upstream
  * add gettext support to luksformat script. Thanks to intrigeri for initial patch, and adduser sources for implementation ideas. (closes: #558405)
  * fix KEYSCRIPT checks in cryptdisks.functions for empty values.
  * update README.gnupg and initramfs cryptgnupg hook script:
    - warn about keys being copied to initramfs.
    - fix the documentation to provide working examples.
  * update README.Debian and related documentation:
    - add a section about the 'special' keyscripts askpass and passdev (closes: #601314)
    - update several sections, remove reference to lenny
  * add debian/patches/01_create_fix_size.patch, to fix a regression in 1.2.0 where the size argument was ignored for create command (closes: #624828)
  * add debian/patches/02_manpage.patch, escapes minus signs in manpage
  * remove usplash support from cryptroot initramfs script, askpass and keyscripts, add plymouth support to keyscripts. (closes: #620923)
  * ignore options like cipher, hash, size, etc. for luks commands in cryptdisks. mention this in the crypttab manpage.
    (closes: #619249)
  * again check for existence of /lib/cryptsetup/cryptdisks.functions before sourcing it in cryptdisks(-early).init. required if cryptsetup is removed but not purged, where initscripts are still around. (closes: #625468)
  * bump standards-version to 3.9.2, no changes needed.
  * debian/libcryptsetup1.symbols: update, 1.3.0 adds new function symbols

 -- Jonas Meurer  Wed, 11 May 2011 14:45:42 +0200

cryptsetup (2:1.2.0-2) unstable; urgency=low

  * upload to unstable.
  * fixes a ftbfs due to updated libgpg-error and libgcrypt11 build-dependencies. (closes: #614530)
  * install cryptkeyctl initramfs hook, needed for keyctl keyscript in initramfs, thanks to Maik Zumstrull (closes: #610750)
  * use 'egrep -c' instead of wc in cryptdisks_st* scripts, wc might not be available as it's located at /usr/bin. Thanks to Mario 'BitKoenig' Holbe for bugreport and patch. (closes: #611747)
  * add debian/patches/01_luksAddKey_return_code.patch, fixes the luksAddKey return code when the master key is used. (closes: #610366)
  * fix luksformat script to invoke usage() with --help. (closes: #612947)
  * add a paragraph about known upgrade issues to the crypttab manpage. this paragraph strongly suggests to configure cipher, hash and keysize for plain dm-crypt devices. (closes: #612452)
  * fix examples in crypttab manpage, cipher, hash and keysize should be configured for plain dm-crypt devices.
  * luksformat: invoke udevadm settle between mkfs.vfat and luksClose, to prevent possible race conditions. This is a workaround. (closes: #601886)
  * update lintian-overrides for new lintian from experimental.
  * fix spelling mistake in README.Debian thanks to lintian.
  * update short and long description for udebs to mention udeb and debian-installer. This satisfies lintian.
  * fix get_resume_device() in initramfs cryptroot hook script to add source device for decrypt_derived keyscript in case it's not the root device. Thanks to Robert Lange and mahashakti89 for bugreport.
    (closes: #592430)

 -- Jonas Meurer  Mon, 07 Mar 2011 23:52:13 +0100

cryptsetup (2:1.2.0-1) experimental; urgency=low

  * new major upstream release (closes: #603804)
    - adds text version of FAQ
    - adds new options --use-random and --use-urandom for MK generation
    - fixes luksRemoveKey to not ask for remaining keyslot passphrase
    - no longer supports luksDelKey command (replaced by luksKillSlot)
    - no longer supports reload command, dmsetup reload should be used instead
    - adds support to change the UUID later (with --uuid cmd option)
    - adds --dump-master-key option for luksDump command
    - no luksOpen, luksFormat and create for open devices (closes: #600208)
    - remove debian/patches/01_manpage.patch, incorporated upstream
    - and many more changes, see upstream changelog for further information
    - update debian/libcryptsetup1.symbols
  * invoke update-initramfs at cryptsetup removal in order to not leave behind
    a broken initramfs. thanks to ubuntu for the hint.
  * link dynamically against libgcrypt11 and libgpg-error0 now that the
    libraries have been moved to /lib. add versioned depends for libcryptsetup1
    on (libgcrypt >= 1.4.6-2) and libgpg-error0 (>= 1.10-0.1).
  * debian/initramfs/cryptroot-script: prereq 'cryptroot-prepare' added in
    order to support cryptroot to depend on custom initramfs scripts. thanks to
    Marc Haber for the suggestion. (closes: #601311)
  * debian/cryptdisks.functions:
    + fix check for ownership and permissions of $key to work with slightly
      different output of 'ls -l' with selinux enabled. (closes: #600522)
    + fix $TRIES implementation to support TRIES=0 again. (closes: #602501)
  * change 'echo -e' to 'printf' in debian/initramfs/cryptroot-script. thanks
    to checkbashisms script devscripts for spotting that bashism.
  * add a libcryptsetup1-udeb library package for debian-installer in order to
    satisfy cryptsetup-udeb dependencies with dynamically linked binary.
    Version the build-depends on libgcrypt11-dev to (>= 1.4.6-3), to satisfy
    udeb library dependencies.
  * change 'XC-Package-Type: udeb' to 'Package-Type: udeb' in debian/control
  * add debian/cryptsetup.apport from Ubuntu, install only for dist=Ubuntu.
    build-depends on dpkg-dev (>= 1.15.1) is required for this to work.

 -- Jonas Meurer  Sun, 16 Jan 2011 01:01:03 +0100

cryptsetup (2:1.1.3-4ubuntu3) precise; urgency=low

  [ Pali Rohar ]
  * debian/cryptdisks.functions: Suppress "Starting init crypto disks" message
    in "init" phase, to avoid writing over fsck progress text.

 -- Martin Pitt  Wed, 26 Oct 2011 09:16:15 +0200

cryptsetup (2:1.1.3-4ubuntu2) oneiric; urgency=low

  * debian/cryptroot-hook: Quiet warnings from find on arches that don't have
    all the kernel/{arch,crypto} bits we're testing for.

 -- Adam Conrad  Sat, 01 Oct 2011 00:33:00 -0600

cryptsetup (2:1.1.3-4ubuntu1) natty; urgency=low

  * Merge from debian unstable (LP: #682177), remaining changes:
    - debian/control:
      + Bump initramfs-tools Suggests to Depends: so system is not potentially
        rendered unbootable.
      + Depend on plymouth.
    - Add debian/cryptdisks-{enable,udev}.upstart.
    - debian/cryptdisks.functions:
      + new function, crypttab_start_one_disk, to look for the named source
        device in /etc/crypttab (by device name, UUID, or label) and start it
        if configured to do so
      + wrap the call to /lib/cryptsetup/askpass with watershed, to make sure
        we only ever have one of these running at a time; otherwise multiple
        invocations could steal each other's input and/or write over each
        other's output
      + when called by cryptdisks-enable, check that we don't already have a
        corresponding cryptdisks-udev job running (probably waiting for a
        passphrase); if there is, wait until it's finished before continuing.
    - debian/cryptdisks{,-early}.init: Make the 'start' action of the init
      script a no-op, this should be handled entirely by the upstart job; and
      fix the LSB header to not declare this should be started in runlevel 'S'
    - debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
      upgrade.
    - debian/rules:
      + Do not install start symlinks for init scripts, and install
        debian/cryptdisks-{enable,udev}.upstart scripts.
      + link dynamically against libgcrypt and libgpg-error.
    - Add debian/cryptsetup.apport: Apport package hook. Install in debian/rules
      and create dir in debian/cryptsetup.dirs.
    - debian/cryptsetup.postrm: call update-initramfs on package removal.

 -- Lorenzo De Liso  Sat, 27 Nov 2010 17:37:43 +0100

cryptsetup (2:1.1.3-4) unstable; urgency=high

  * bump standards-version to 3.9.1, no changes required
  * add patches/01_manpage_units: mention units (512b sectors) for -o option
    in man page. (closes: #584174)
  * move cryptdisks_st* scripts from /usr/sbin to /sbin, add symlinks for
    compatibility reasons. thanks to Mario 'BitKoenig' Holbe. (closes: #589800)
  * add decrypt_keyctl keyscript and initramfs hook from Michael
    Gebetsroither, which supports to cache a passphrase for later use.
    (closes: #563961)
  * invoke /sbin/lvm with full path in cryptroot initramfs script. thanks to
    Bernd Zeimetz. (closes: #597648)
  * print out a warning at initramfs cryptroot hook in case that detection of
    canonical device failed. (closes: #594092)
  * add manpage fixes, thanks to Stephen Gildea for patch. (closes: #598237)
  * fix deprecated ext2 wrapper checkscript to succeed for ext2, ext3, ext4
    and ext4dev filesystems. (closes: #595331)
  * again remove duplicates from debian/NEWS.
  * truncate trailing spaces for some variables at initramfs cryptroot hook.
  * remove volume group-guessing magic from initramfs scripts and hooks,
    instead activate all available lvm volume groups. thanks to Christoph
    Anton Mitterer for the suggestion. (closes: #554506, #591626)
  * remove /etc/bash_completion.d from debian/cryptsetup.dirs
  * set urgency=high as this upload fixes two release-critical bugs.

 -- Jonas Meurer  Thu, 04 Nov 2010 20:36:45 +0100

cryptsetup (2:1.1.3-3) unstable; urgency=low

  * fix usage of new variable $DEFAULT_LOUD, and some cosmetic changes.
    thanks to Mario 'BitKoenig' Holbe.
    (closes: #589029)

 -- Jonas Meurer  Thu, 22 Jul 2010 12:56:01 +0200

cryptsetup (2:1.1.3-2) unstable; urgency=low

  * introduce new $INITSTATE 'manual' for cryptdisks_st* scripts. that way,
    noauto devices are processed again by cryptdisks_st* scripts.
    (closes: #588697, #588698, #589153, #589798)
  * introduce new variable $DEFAULT_LOUD. now the 'loud' option in crypttab
    affects only the device in question. thanks to Mario 'BitKoenig' Holbe.
  * introduce new crypttab option 'quiet' which overwrites and unsets the
    'loud' option. thanks to Mario 'BitKoenig' Holbe. (closes: #589029)

 -- Jonas Meurer  Wed, 21 Jul 2010 10:42:49 +0200

cryptsetup (2:1.1.3-1) unstable; urgency=low

  * new upstream release:
    - fix device alignment ioctl calls parameters for archs like ppc64.
    - fix activate_by_* API calls to handle NULL device name as documented
    - fix udev support for old libdevmapper with not compatible definition
  * fix rm_lo_setup() in cryptdisks.functions for failed device setup. thanks
    to Roger Pettersson. (closes: #581712)
  * add X-Stop-After headers to cryptdisks(-early) initscripts. this fixes
    shutdown process for system without encrypted rootfs at least. thanks to
    Alfredo Finelli. (closes: #575652)
  * more merges from ubuntu, thanks to and Steve Langasek (closes: #575024):
    - debian/cryptdisk.functions: initially create the device under a
      temporary name and rename it only at the end using 'dmsetup rename', to
      ensure that upstart/mountall doesn't see our device before it's ready to
      go. LP: #475936.
    - cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for
      changing the permissions of the filesystem root, not directly on /tmp,
      since mounting on /tmp a) is racy, b) confuses mountall something
      fierce. LP: #475936.
  * fix manpage checkscripts documentation. clarify that both cryptdisks and
    cryptroot invoke checkscripts. thanks Christoph Anton Mitterer.
  * remove quotes from $KEYSCRIPT invocation, thanks Alexandre Rossi.
    (closes: #585099)
  * fix support for commandline options to mkfs in luksformat. thanks to
    Eduard Bloch again for bugreport and patch. (closes: #585787)
  * remove duplicates from debian/NEWS, thanks Steve Langasek (closes: 586019)
  * improve documentation on environment variables in cryptdisks.default and
    crypttab manpage. thanks Christoph Anton Mitterer. (closes: #585664)
  * several improvements to (pre)check scripts, inspired by scripts from
    Christoph Anton Mitterer (closes: #585418, #585496)
    - checkscripts exit with error 1 if executables aren't available.
    - ext2, swap and xfs scripts are deprecated and invoke blkid script.
    - drop filtering of minix filesystem in blkid, util-linux 2.17.2 in debian
    - remove *vol_id check scripts, vol_id isn't available in debian any longer
    - don't use sed in *blkid check scripts any longer
  * fix initramfs/cryptroot-hook to canonicalize $device in get_resume_devices
    function. this should really weed out all duplicates. (closes: #586122),
    and catch all udev/device-mapper symlink setups as well (closes: #554506)
  * bash-completion file now in pkg bash-completion (closes: #586299, #586162)
  * add a paragraph about the boot order of init scripts to README.Debian,
    describing the current catch-22 situation. (closes: #576646)
  * initscripts and cryptdisks_st* no longer silently quit in case that
    include file /lib/cryptsetup/cryptdisks.functions is missing.
    (closes: #587220)
  * fix cryptdisks-early LSB headers to restore legacy boot sequence order.
    mdadm-raid was started before cryptdisks-early. (closes: #587224)
  * cryptdisks initscript now raises a warning for failed started devices, and
    cryptdisks-early initscript raises a warning for failed stopped devices.
    this makes the initscript actions far more transparent to users. same
    holds for cryptdisks_st*. thanks to Christoph Anton Mitterer.
    (closes: #587222)
  * remove lintian overrides init.d-script-should-depend-on-virtual-facility
    as lintian 2.4.2 has fixed #580082.
  * bump standards-version to 3.9.0, remove version information from
    replaces/provides/conflicts against cryptsetup-luks, change conflicts
    against hashalot (<= 0.3-1) to breaks hashalot (<< 0.3-1) and add replaces.
  * fix loads of typos, thanks to Christoph Anton Mitterer. (closes: #588068)
  * update copyright years and list Milan Broz in debian/copyright

 -- Jonas Meurer  Sat, 10 Jul 2010 14:32:40 +0200

cryptsetup (2:1.1.2-1ubuntu1) maverick; urgency=low

  * Merge from Debian unstable (LP: #594365). Remaining changes:
    - debian/control:
      + Bump initramfs-tools Suggests to Depends: so system is not potentially
        rendered unbootable.
      + Depend on plymouth.
    - Add debian/cryptdisks-{enable,udev}.upstart.
    - debian/cryptdisks.functions:
      + new function, crypttab_start_one_disk, to look for the named source
        device in /etc/crypttab (by device name, UUID, or label) and start it
        if configured to do so
      + wrap the call to /lib/cryptsetup/askpass with watershed, to make sure
        we only ever have one of these running at a time; otherwise multiple
        invocations could steal each other's input and/or write over each
        other's output
      + initially create the device under a temporary name and rename it only
        at the end using 'dmsetup rename', to ensure that upstart/mountall
        doesn't see our device before it's ready to go.
      + do_tmp should mount under /var/run/cryptsetup for changing the
        permissions of the filesystem root, not directly on /tmp, since
        mounting on /tmp a) is racy, b) confuses mountall something fierce.
      + when called by cryptdisks-enable, check that we don't already have a
        corresponding cryptdisks-udev job running (probably waiting for a
        passphrase); if there is, wait until it's finished before continuing.
    - debian/cryptdisks{,-early}.init: Make the 'start' action of the init
      script a no-op, this should be handled entirely by the upstart job; and
      fix the LSB header to not declare this should be started in runlevel 'S'
    - debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
      upgrade.
    - debian/rules: Do not install start symlinks for init scripts, and
      install debian/cryptdisks-{enable,udev}.upstart scripts.
    - Add debian/cryptsetup.apport: Apport package hook. Install in debian/rules
      and create dir in debian/cryptsetup.dirs.
    - debian/rules: link dynamically against libgcrypt and libgpg-error.
    - debian/cryptsetup.postrm: call update-initramfs on package removal.
  * Dropped changes, merged/superseded in Debian:
    - Add ext4 support to passdev.
    - cryptroot-hook: don't call copy_modules_dir with empty arguments when
      archcrypto isn't found
    - Set USPLASH=y and FRAMEBUFFER=y in the hook config to pull plymouth into
      the initramfs.
    - change interaction to use plymouth directly if present, and if not, to
      fall back to /lib/cryptsetup/askpass as before
    - cryptdisks.functions: replace 'echo -e' bashism with 'printf'.
    - debian/initramfs/cryptroot-script: if plymouth is present in the
      initramfs, use this directly, bypassing the cryptsetup askpass script
    - debian/initramfs/cryptroot-hook: Properly anchor our regexps when
      grepping /etc/crypttab so that we don't incorrectly match device names
      that are substrings of one another.
    - debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot
      file descriptor to subprocesses.
    - Fix grammar error in debian/initramfs/cryptroot-script
      ("setup" -> "set up")
    - debian/initramfs/cryptroot-script: Fix this to work with current
      initramfs-tools:
      + Source /scripts/functions after checking for prerequisites.
      + prereqs(): Do not assume we are running within initramfs, and
        calculate relative path correctly.

 -- Steve Langasek  Mon, 14 Jun 2010 21:47:28 -0700

cryptsetup (2:1.1.2-1) unstable; urgency=low

  * new upstream release, changes include:
    - Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
      (closes: #583397)
    - Add verbose log level and move unlocking message there.
    - Remove device even if underlying device disappeared (remove, luksClose).
      (closes: #554600, #574126)
    - Fix (deprecated) reload device command to accept new device argument.
  * merged from ubuntu:
    - if plymouth is present in the initramfs, use this directly, bypassing
      the cryptsetup askpass script
    - start usplash in initramfs, since we need it for fancy passphrase input
    - Set FRAMEBUFFER=y in cryptroot-conf, to pull plymouth into the initramfs
    - debian/initramfs/cryptroot-hook: Properly anchor our regexps when
      grepping /etc/crypttab so that we don't incorrectly match device names
      that are substrings of one another.
    - debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot
      file descriptor to subprocesses.
  * sync list of supported filesystems in passdev.c and cryptpassdev-hook
  * fix debian/watch file to work with updated code.google.com download page
  * stop building and shipping static libs (closes: #583387, #583471)
  * improve documentation on (pre)checks in manpage. (closes: #583568, #583567)
  * remove xfs and ext2 check scripts documentation from crypttab manpage,
    blkid script can be used. thanks Christoph Anton Mitterer (closes: #583570)

 -- Jonas Meurer  Tue, 01 Jun 2010 15:37:50 +0200

cryptsetup (2:1.1.1-1) unstable; urgency=low

  * new upstream release, changes include:
    - detects and uses device-mapper udev support if available
    - fix luksOpen reading of passphrase on stdin if "-" keyfile specified
    - fix isLuks to initialise crypto backend (closes: #578979)
    - fix luksClose operation for stacked DM devices
  * remove all patches, they have all been merged upstream
  * redirect output of copy_exec in add_device() from initramfs cryptroot hook
    to stderr. fixes verbose run of mkinitramfs. (closes: #574163)
  * acknowledge NMU. thanks to maximilian attems. (closes: #576488)
  * change default for random key from /dev/random to /dev/urandom in
    README.Debian, extend explanation. (closes: #579932)
  * add comment to crypttab manpage about how to disable (pre)checks.
    (closes: #574948)
  * fix cryptdisks.functions to print cryptsource and crypttarget again at the
    passphrase prompt. (closes: #578428)
  * reorder build-depends, add pkg-config, change automake1.9 to automake
  * add new lintian overrides
  * switch to new dpkg source format "3.0 (quilt)", use upstream bzip tarball
  * add ${misc:Depends} to depends for libcryptsetup-dev
  * remove UID checks from initscripts, as these aren't meant to be invoked by
    users anyway, and the UID checks introduced dependency on /usr filesystem.
  * use grep -s for /etc/fstab in initramfs/cryptroot-hook. (closes: #580756)
  * note that fs modules for passdev devices need to be added to initramfs in
    README.initramfs (closes: #580898)
  * merged from ubuntu:
    - Fix grammar error in debian/initramfs/cryptroot-script (closes: #581973)
  * add busybox to suggests, thanks to martin michlmayr. (closes: #582914)

 -- Jonas Meurer  Wed, 26 May 2010 23:38:01 +0200

cryptsetup (2:1.1.0-2.1) unstable; urgency=low

  * Non-maintainer upload.

  [ Martin Pitt ]
  * debian/initramfs/cryptroot-script: (closes: #576488)
    - Source /scripts/functions after checking for prerequisites.
    - prereqs(): Do not assume we are running within initramfs, and calculate
      relative path correctly.

 -- maximilian attems  Thu, 08 Apr 2010 01:37:17 +0200

cryptsetup (2:1.1.0-2) unstable; urgency=low

  * fix version in NEWS.Debian: 2:1.1.0~rc2-1 instead of 2:1.0.7-3.
  * remove 'NOT RELEASED YET' from 2:1.1.0-1 changelog
  * capitalize names in changelog
  * mention the old default plain mode in changelog and NEWS, add a note that
    debian-installer setups can ignore the warning, and warn for plain
    dm-crypt mappings in crypttab that don't have set cipher, hash and size.
    (closes: #573103, #573261)

 -- Jonas Meurer  Tue, 16 Mar 2010 13:44:50 +0100

cryptsetup (2:1.1.0-1) unstable; urgency=low

  * new upstream stable release (1.1.0), notable changes since rc2:
    - default key size for LUKS changed from 128 to 256 bits
    - default plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256
    - key slot and key digest iteration minimum set to 1000
    - convert hash name to lower case in header
  * update patch 02_manpage
  * add more supported filesystems to passdev.c, isofs->iso9660. thanks to
    Christoph Anton Mitterer. (closes: #557405)
  * update to standards-version 3.8.4, no changes needed
  * accept spaces in $opts at postinst script. (closes: #559184)
  * set extended $PATH in cryptdisks.functions. thanks to Christoph Anton
    Mitterer. (closes: #557329)
  * fix huge initramfs for archs which don't have kernel/arch directory.
    thanks to martin michlmayr for bugreport and patch. (closes: #559510)
  * support commandline options to mkfs in luksformat. thanks to Eduard Bloch
    for bugreport and patch. (closes: #563975)
  * extend error messages for evms setup in cryptroot-script
  * add 03_luksAddKey.patch, to not verify unlocking passphrase in luksAddKey
    command. (closes: #570418)
  * add 04_crypto_init.patch, to properly initialise crypto backend in header
    backup/restore commands.
  * change build-dependency on cvs to new autopoint package (closes: #572463)
  * rename decrypt_gpg keyscript to decrypt_gnupg, improve it based on ideas
    by Christoph Anton Mitterer, mention the keyscript rename in NEWS.Debian.
    Also, provide an initramfs cryptgnupg hook script. Thanks to Christoph
    Anton Mitterer for bugreport and ideas. (closes: #560034)
  * check for root privileges with '/usr/bin/id -u' in init scripts and
    cryptdisks_{start|stop}.
    (closes: #563162)

 -- Jonas Meurer  Mon, 08 Mar 2010 14:15:35 +0100

cryptsetup (2:1.1.0~rc2-1ubuntu14) maverick; urgency=low

  [ David Stansby ]
  * Fix grammar error in debian/initramfs/cryptroot-script
    ("setup" -> "set up") (LP: #578896)

 -- James Westby  Mon, 17 May 2010 13:33:40 +0100

cryptsetup (2:1.1.0~rc2-1ubuntu13) lucid; urgency=low

  * debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot file
    descriptor to subprocesses.

 -- Colin Watson  Mon, 29 Mar 2010 22:18:36 +0100

cryptsetup (2:1.1.0~rc2-1ubuntu12) lucid; urgency=low

  * debian/initramfs/cryptroot-hook: Properly anchor our regexps when grepping
    /etc/crypttab so that we don't incorrectly match device names that are
    substrings of one another.
  * debian/cryptdisks-{enable,udev}.conf, debian/control: drop 'console
    output' and add a hard dependency on plymouth instead of watershed, to
    avoid spitting extra messages to the console.

 -- Steve Langasek  Thu, 18 Feb 2010 06:19:19 -0800

cryptsetup (2:1.1.0~rc2-1ubuntu11) lucid; urgency=low

  * Set FRAMEBUFFER=y in the file that we actually ship.
  * debian/cryptsetup.postrm: call update-initramfs on package removal.
    LP: #468228.

 -- Steve Langasek  Mon, 25 Jan 2010 03:07:52 -0800

cryptsetup (2:1.1.0~rc2-1ubuntu10) lucid; urgency=low

  * cryptdisks.functions: replace 'echo -e' bashism with 'printf'.
  * cryptdisks.functions: when called by cryptdisks-enable, check that we
    don't already have a corresponding cryptdisks-udev job running (probably
    waiting for a passphrase); if there is, wait until it's finished before
    continuing.

 -- Steve Langasek  Thu, 21 Jan 2010 14:57:21 +0000

cryptsetup (2:1.1.0~rc2-1ubuntu9) lucid; urgency=low

  * Set FRAMEBUFFER=y in the hook config as well, to pull plymouth into the
    initramfs.
  * cryptdisks.functions, debian/initramfs/cryptroot-script: fix the
    invocation of plymouth, so that we actually get proper passphrase prompts
    (once bug #496765 is fixed).
 -- Steve Langasek  Sat, 16 Jan 2010 02:32:41 -0800

cryptsetup (2:1.1.0~rc2-1ubuntu8) lucid; urgency=low

  * cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for
    changing the permissions of the filesystem root, not directly on /tmp,
    since mounting on /tmp a) is racy, b) confuses mountall something fierce.
    LP: #475936.

 -- Steve Langasek  Tue, 22 Dec 2009 20:24:28 +0000

cryptsetup (2:1.1.0~rc2-1ubuntu7) lucid; urgency=low

  * Depend on watershed.

 -- Steve Langasek  Tue, 22 Dec 2009 01:37:36 +0000

cryptsetup (2:1.1.0~rc2-1ubuntu6) lucid; urgency=low

  [ Steve Langasek ]
  * Fix the LSB header in the init scripts, now that we don't install to
    rcS.d.

  [ Martin Pitt ]
  * debian/initramfs/cryptroot-script: Fix this to work with current
    initramfs-tools:
    - Source /scripts/functions after checking for prerequisites.
    - prereqs(): Do not assume we are running within initramfs, and calculate
      relative path correctly.

 -- Martin Pitt  Fri, 18 Dec 2009 17:07:07 +0100

cryptsetup (2:1.1.0~rc2-1ubuntu5) lucid; urgency=low

  * Rename the upstart job introduced in the previous upload to
    cryptdisks-udev and restore the previous version of the job as
    cryptdisks-enable, to run at the end of udev coldplugging as before; this
    isn't entirely race-free, but should nevertheless give us the two passes
    needed to cover devices that are decrypted using keys stored on other
    encrypted disks. LP: #443980.

 -- Steve Langasek  Wed, 16 Dec 2009 06:41:30 +0000

cryptsetup (2:1.1.0~rc2-1ubuntu4) lucid; urgency=low

  [ Steve Langasek ]
  * debian/initramfs/cryptroot-script: if plymouth is present in the
    initramfs, use this directly, bypassing the cryptsetup askpass script; but
    keep support for these other frontends around on a transitional basis.
  * debian/cryptdisks.functions:
    - change interaction to use plymouth directly if present, and if not, to
      fall back to /lib/cryptsetup/askpass as before
    - wrap the call to /lib/cryptsetup/askpass with watershed, to make sure we
      only ever have one of these running at a time; otherwise multiple
      invocations could steal each other's input and/or write over each
      other's output
    - new function, crypttab_start_one_disk, to look for the named source
      device in /etc/crypttab (by device name, UUID, or label) and start it if
      configured to do so
  * debian/cryptdisks-enable.upstart: run the upstart job once for each block
    device, using the new crypttab_start_one_disk function, triggered by udev;
    this doesn't eliminate the possibility of a race with gdm when the
    decrypted volume isn't a 'bootwait' mount point (since gdm kills
    plymouth), but it does eliminate the race between udev and cryptsetup.
    LP: #454898.
  * debian/cryptdisks-enable.upstart: check that the package is installed and
    exit gracefully if it's not. LP: #435814
  * debian/cryptdisk.functions: initially create the device under a temporary
    name and rename it only at the end using 'dmsetup rename', to ensure that
    upstart/mountall doesn't see our device before it's ready to go.
    LP: #475936.

  [ Colin Watson ]
  * Add ext4 support to passdev.

 -- Steve Langasek  Tue, 15 Dec 2009 18:05:45 -0800

cryptsetup (2:1.1.0~rc2-1ubuntu3) lucid; urgency=low

  * cryptroot-hook: Use if [ -n … ] instead of if ! test -z ….

 -- Loïc Minier  Sat, 12 Dec 2009 11:32:52 +0100

cryptsetup (2:1.1.0~rc2-1ubuntu2) lucid; urgency=low

  * cryptroot-hook: don't call copy_modules_dir with empty arguments when
    archcrypto isn't found (LP: #495161)

 -- Oliver Grawert  Fri, 11 Dec 2009 14:39:00 +0100

cryptsetup (2:1.1.0~rc2-1ubuntu1) lucid; urgency=low

  * Merge with Debian testing. Remaining Ubuntu changes:
    - debian/rules: cryptsetup is linked dynamically against libgcrypt and
      libgpg-error.
    - Upstart migration:
      + Add debian/cryptdisks-enable.upstart.
      + debian/cryptdisks{,-early}.init: Make the 'start' action of the init
        script a no-op, this should be handled entirely by the upstart job.
        (LP #473615)
      + debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
        upgrade.
      + debian/rules: Do not install start symlinks for those two, and install
        debian/cryptdisks-enable.upstart scripts.
    - Add debian/cryptsetup.apport: Apport package hook. Install in
      debian/rules, and create dir in debian/cryptsetup.dirs.
    - Start usplash in initramfs, since we need it for fancy passphrase input:
      + debian/initramfs/cryptroot-conf, debian/initramfs-conf.d: USPLASH=y
      + debian/control: Bump initramfs-tools Suggests to Depends:.

 -- Martin Pitt  Wed, 11 Nov 2009 15:04:27 +0100

cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low

  * new upstream release candidate (1.1.0-rc2), highlights include:
    - new libcryptsetup API (documented in libcryptsetup.h)
    - luksHeaderBackup and luksHeaderRestore commands (closes: #533643)
    - use libgcrypt, enables all gcrypt hash algorithms for LUKS through -h
      luksFormat option (closes: #387159, #537385)
    - new --master-key-file option for luksFormat and luksAddKey
    - use dm-uuid for all crypt devices, contains device type and name now
      (closes: #548988, #549870)
    - command successful messages moved to verbose level (closes: #541805)
    - several code changes to improve speed of luksOpen (closes: #536415)
    - luksSuspend and luksResume commands
  * remove unneeded patches 03_read_rework and 04_no_stderr_success, update
    02_manpage for new upstream release candidate.
  * update patch to comply with DEP-3 (http://dep.debian.net/deps/dep3/)
  * fix initramfs/cryptroot-hook to support setups where /dev/mapper/ contains
    symlinks to devices at /dev/dm-*. the lvm2/device-mapper packages had
    defaults changed to this temporarily. it has been fixed in a subsequent
    upload of lvm2 in the meantime, but still it's not a bad idea to be
    prepared for such setups in the future. that way cryptroot now supports
    /dev/dm-* devices as well.
    (closes: #532579, #544487, #544773)
  * fix initscript dependencies both for cryptdisks and cryptdisks-early.
    thanks to Petter Reinholdtsen for bugreport and patch. (closes: #548356)
  * finally change default behaviour of initscripts/cryptroot-hook to include
    all available crypto modules into the initramfs. this change should fix
    any problems with crypto modules missing from the initramfs. announce the
    change in NEWS.Debian. (closes: #547597)
  * add error messages to lvm detecting code in initramfs/cryptroot-script in
    order to make debugging easier. (closes: #541248)
  * implement detection of devices which are required by decrypt_derived
    keyscript in initscripts/cryptroot-hook. that way setups where encrypted
    swap has the key derived from non-root partitions should support
    suspend/resume as well. (closes: #475838)
  * remove outdated documentation from the source package: CryptoRoot.HowTo,
    CheckSystem.Doc
  * mention in README.initramfs that busybox is required for cryptroot to work
  * stop creating /etc/keys in postinst maintainer script.
  * update build system to include library files again: (closes: #480157)
    - split into three packages: cryptsetup, libcryptsetup1, libcryptsetup-dev
    - rename preinst to cryptsetup.preinst, copy code to create /etc/crypttab
      skeleton into cryptsetup-udeb.preinst.
    - build with --enable-shared and --enable-static for libcryptsetup.a
    - create debian/libcryptsetup1.symbols with help of dpkg-gensymbols
  * add debian/cryptsetup.lintian-override for two false positives
  * raise build-depends on debhelper and debian/compat for that reason
  * update README.remote to work with latest dropbear package. thanks to
    debian@x.ray.net.
  * make all crypttab fields available to keyscripts as environment variables.
    thanks to ludwig nussel from suse for idea and implementation. document
    this in crypttab(5) manpage. implement the same environment variables in
    initramfs cryptroot script.
  * fix formatting errors in crypttab(5) manpage.
 -- Jonas Meurer  Thu, 15 Oct 2009 19:26:14 +0200

cryptsetup (2:1.0.7-2) unstable; urgency=low

  * add a paragraph to the cryptsetup manpage that mentions /proc/crypto as
    source for available crypto ciphers, modes, hashes, keysizes, etc.
    (closes: #518266)
  * fix luksformat to check for mkfs.$fs both in /sbin and /usr/sbin. thanks
    to Jon Dowland. (closes: #539734)
  * mention era eriksson as author of the typo fixes for manpage (submitted as
    bug #476624) in changelog of cryptsetup 2:1.0.6-3. (closes: #541344)
  * bump standards-version to 3.8.3. no changes needed.
  * add 04_no_stderr_success.patch, which adds an option to suppress success
    messages to stderr. don't apply the patch as this already has been fixed
    upstream in another way. next cryptsetup release will print the command
    successful message to stdout only if opt_verbose is set.
  * add checkscripts blkid and un_blkid for the reason that vol_id will be
    removed from udev soon. advertise the new scripts at all places that
    mentioned vol_id or un_vol_id before.
  * add /usr/share/bug/cryptsetup which adds /proc/cmdline, /etc/crypttab,
    /etc/fstab and output of 'lsmod' to bugs against cryptsetup.
  * add debian/README.remote, which describes how to set up a cryptroot system
    with support for remote unlocking via ssh login into the initramfs. Thanks
    to debian@x.ray.net for writing it down.
  * update debian/copyright for current format from dep.debian.net/deps/dep5
  * add chainiv, cryptomgr and krng to standard list of modules in initramfs
    cryptroot hook. (closes: #541835)
  * add a section describing LUKS header backups and related security
    implications to README.Debian. a tool to automate this task should not be
    distributed at all.
    (closes: #432150)

 -- Jonas Meurer  Tue, 01 Sep 2009 12:38:02 +0200

cryptsetup (2:1.0.7-1) unstable; urgency=low

  * new upstream release, highlights include (diff from ~rc1):
    - allow removal of last slot in luksRemoveKey and luksKillSlot
    - eject unsupported --offset and --skip options for luksFormat
  * make passdev accept a timeout option, thanks to Evgeni Golov for the
    patch. (closes: #502598)
  * finally add the cryptsource delay implementation from ubuntu, as it seems
    to work around some issues where appearance of the root device takes
    longer than expected. (closes: #488271)
  * execute udev_settle before $cryptremove if $cryptcreate fails at
    setup_mapping() in the initramfs cryptroot script. it seems like a short
    delay and/or udev_settle is needed in between of 'cryptsetup create' and
    'cryptsetup remove'. thanks to Gernot Schilling for the bugreport.
    (closes: #529527)
  * talk about /dev/urandom instead of /dev/random in crypttab manpage.
    (closes: #537344)
  * check for $IGNORE before check_key() in handle_crypttab_line_start()
  * rewrite error code handling:
    - return 1 for errors in handle_crypttab_line_{start|stop}
    - handle_crypttab_line_... || true needed due to set -e in initscript
    - check for exit code of handle_crypttab_line_{start Thu, 30 Jul 2009 17:41:16 +0200

cryptsetup (2:1.0.7~rc1-2) unstable; urgency=low

  * flag the root device with rootdev option at /conf/conf.d/cryptroot in
    initramfs hook, check for that flag before adding ROOT=$NEWROOT to
    /conf/param.conf in initramfs script. that should prevent the initramfs
    script from adding ROOT=$NEWROOT for resume devices.
    (closes: #535801)

 -- Jonas Meurer  Wed, 15 Jul 2009 11:44:45 +0200

cryptsetup (2:1.0.7~rc1-1) unstable; urgency=low

  * new upstream release candidate, highlights include:
    - use better error messages if device doesn't exist or is already used by
      other mapping (closes: #492926)
    - check device size when loading LUKS header
    - add some error hint if dm-crypt mapping failed (key size and kernel
      version check for XTS and LRW mode for now) (closes: #494584)
    - display device name when asking for password
    - retain readahead of underlying device, if devmapper version supports it
    - set UUID in device-mapper for LUKS devices
    - define device-mapper crypt UUID maximal length and check for its size
    - add some checks for error codes, fixes warning: ignoring return value...
    - update LUKS homepage in manpage to code.google.com/p/cryptsetup
  * patches/01_fix_make_distclean.patch: removed, incorporated upstream
  * patches/02_manpage.patch: updated, mostly incorporated upstream
  * remove invocation of ./setup-gettext.sh from debian/rules.
  * set $PATH in checks/xfs. Required to make /usr/sbin/xfs_admin work at
    early boot stage. Thanks to Stefan Bender. (closes: #525118)
  * update path to docbook-xsl stylesheet in debian/rules to
    /usr/share/xml/docbook/stylesheet/docbook-xsl/. Add versioned
    build-depends to docbook-xsl (>= 1.74.3+dfsg) for that reason.
  * fix bashisms in scripts/decrypt_opensc, thanks to Raphael Geissert.
    (closes: #530060)
  * fix UUID and LABEL handling for cryptroot, thanks to Kees Cook and ubuntu.
    (closes: #522041)
  * add ROOT=$NEWROOT to /conf/param.conf in cryptroot initramfs script. This
    is required for lilo to find the correct root device. Thanks to Pyotr
    Berezhkov and Christian Schaarschmidt. (closes: #511447, #511840)
  * replace mini autogen.sh with autoreconf in debian/rules. Thanks to Bastian
    Kleineidam. (closes: #522798)
  * support escaped newlines in askpass.c, thanks to Kees Cook and ubuntu.
    (closes: #528133)
  * use the same passphrase prompt in init script and initramfs script
  * mention the incoherent behaviour of cryptsetup create/luksOpen with
    invalid passwords/keys in cryptsetup manpage. (closes: #529359)
  * bump standards-version to 3.8.2, no changes required.
  * add 'X-Interactive: true' LSB-header to initscripts.
  * fix bash_completion script to use 'command ls'. that way it now works
    with aliased ls as well. thanks to Daniel Dehennin. (closes: #535351)

 -- Jonas Meurer  Sat, 04 Jul 2009 15:52:06 +0200

cryptsetup (2:1.0.6+20090405.svn49-1ubuntu8) lucid; urgency=low

  [ Steve Langasek ]
  * Make the 'start' action of the init script a no-op, this should be
    handled entirely by the upstart job now; and remove any symlinks from
    /etc/rcS.d on upgrade. LP: #473615.

  [ Reinhard Tartler ]
  * Add an apport hook
  * import the blkid and un_blkid from debian, LP: #446517
  * also use this script by default (setting in /etc/default/cryptdisks)

 -- Steve Langasek  Wed, 04 Nov 2009 12:06:47 +0000

cryptsetup (2:1.0.6+20090405.svn49-1ubuntu7) karmic; urgency=low

  * Reupload previous version, siretart had left changes in bzr which
    weren't documented in the changelog and caused FTBFS.

 -- Scott James Remnant  Wed, 14 Oct 2009 13:57:59 +0100

cryptsetup (2:1.0.6+20090405.svn49-1ubuntu6) karmic; urgency=low

  [ Steve Langasek ]
  * Move the Debian Vcs- fields aside.

  [ Scott James Remnant ]
  * debian/cryptdisks-enable.upstart: Don't overcompensate for my idiocy,
    cryptsetup should not need a controlling terminal, just a terminal is
    fine. May fix LP: #439138.

 -- Scott James Remnant  Wed, 14 Oct 2009 04:52:16 +0100

cryptsetup (2:1.0.6+20090405.svn49-1ubuntu4) karmic; urgency=low

  * debian/cryptdisks-enable.upstart: Things that often help include not
    setting stdin/out to /dev/null, so you can actually type the passphrase.
    I am an idiot. LP: #430496.
 -- Scott James Remnant  Thu, 17 Sep 2009 17:58:01 +0100

cryptsetup (2:1.0.6+20090405.svn49-1ubuntu3) karmic; urgency=low

  * debian/cryptdisks-enable.upstart: add upstart job to enable encrypted
    disks once we've finished probing for udev devices, so that mountall can
    use them. LP: #430496.

 -- Scott James Remnant  Thu, 17 Sep 2009 00:04:00 +0100

cryptsetup (2:1.0.6+20090405.svn49-1ubuntu2) karmic; urgency=low

  * debian/initramfs/cryptroot-conf: declare that we want usplash included
    in the initramfs whenever this package is installed. LP: #427356.

 -- Steve Langasek  Tue, 15 Sep 2009 08:43:15 -0700

cryptsetup (2:1.0.6+20090405.svn49-1ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
    - Ubuntu specific:
      + debian/rules: link dynamically for better security supportability
        and smaller packages.
      + debian/control: Depend on initramfs-tools so system is not
        potentially rendered unbootable.
    - debian/initramfs/cryptroot-script wait for encrypted device to appear,
      report with log_*_msg (debian bug 488271).
    - debian/initramfs/cryptroot-hook: fix support for UUID and LABEL
      correlation between fstab and crypttab (debian bug 522041).
    - debian/askpass.c, debian/initramfs/cryptroot-script: using newline
      escape in passphrase prompt to avoid line-wrapping (debian bug 528133).
  * Drop 04_fix_udevsettle_call.patch: fixed upstream differently.

 -- Kees Cook  Sun, 10 May 2009 17:29:32 -0700

cryptsetup (2:1.0.6+20090405.svn49-1) unstable; urgency=low

  * New upstream svn snapshot. Highlights include:
    - Uses remapping to error target instead of calling udevsettle for
      temporary crypt device. (closes: #514729, #498964, #521547)
    - Removes lots of autoconf stuff as it's generated by autogen.sh anyway.
    - Uses autopoint in build process, thus needs to Build-Depend on cvs.
    - Fixes signal handler to properly close device.
    - Wipes start of device before LUKS-formatting.
    - Allows deletion of key slot with its own key.
      (closes: #513596)
    - Checks device mapper communication and gives proper error message in
      case the communication fails. (closes: #507727)
  * Update debian patches accordingly:
    - Remove obsolete patches 01_gettext_package and 03_check_for_root
    - Update patch 02_manpage
  * Add missing newlines to some error messages in passdev.c. Thanks to
    Christoph Anton Mitterer for bugreport and patch. (closes: #509067)
  * Move keyscripts in initramfs from /keyscripts to /lib/cryptsetup/scripts
    for the sake of consistency between initramfs and normal system.
    Document this change in NEWS.Debian. (closes: #509066)
  * Fix $LOUD in cryptdisks.init and cryptdisks.functions to take effect.
    Add LOUD="yes" to cryptdisks_start. (closes: #513149)
  * cryptdisks_{start,stop}: print error message if no entry is found in
    crypttab for the given name.
  * Actually fix watchfile to work with code.google.com.
  * Update Homepage field to code.google.com URL. (closes: #516236)
  * Fix location of ltmain.sh, build-depend on versioned libtool.
    (closes: #521673, #522338)
  * Some minor changes to make lintian happy:
    - use set -e instead of /bin/sh -e in preinst.
    - link to GPL v2 in debian/copyright
  * Bump standards-version to 3.8.1, no changes needed.
  * Fix a typo in NEWS.Debian. (closes: #522387)
  * Taken from ubuntu:
    - debian/checks/un_vol_id: dynamically build the "unknown volume type"
      string, to allow for encrypted swap, (closes: #521789, #521469).
      Fix sed to replace '/' with '\/' instead of '\\/' in device names.
    - disable error message 'failed to setup lvm device' (LP 151532).

 -- Jonas Meurer  Mon, 06 Apr 2009 08:49:14 +0200

cryptsetup (2:1.0.6-7ubuntu7) jaunty; urgency=low

  * debian/control: Depend on initramfs-tools so system is not potentially
    rendered unbootable (LP: #358654).
 -- Kees Cook  Thu, 09 Apr 2009 12:29:31 -0700

cryptsetup (2:1.0.6-7ubuntu6) jaunty; urgency=low

  * debian/initramfs/cryptroot-script: we don't require vol_id to understand
    the encrypted device, but we should check the device is fully up first
    before continuing by calling udevadm settle. LP: #291752.

 -- Steve Langasek  Sat, 07 Mar 2009 21:39:14 -0800

cryptsetup (2:1.0.6-7ubuntu5) jaunty; urgency=low

  * debian/initramfs/cryptroot-hook: fix support for UUID and LABEL
    correlation between fstab and crypttab (LP: #287879).

 -- TJ  Mon, 16 Feb 2009 23:00:00 +0000

cryptsetup (2:1.0.6-7ubuntu4) jaunty; urgency=low

  * debian/askpass.c: also handle newline escape code in console prompt.

 -- Kees Cook  Sun, 15 Feb 2009 08:57:05 -0800

cryptsetup (2:1.0.6-7ubuntu3) jaunty; urgency=low

  [ https://launchpad.net/~svenkata ]
  * debian/checks/un_vol_id: dynamically build the "unknown volume type"
    string, to allow for encrypted swap, LP: #316607

 -- Dustin Kirkland  Thu, 12 Feb 2009 16:57:30 -0600

cryptsetup (2:1.0.6-7ubuntu2) jaunty; urgency=low

  * debian/askpass.c: handle newline escape code in password prompt.
  * debian/initramfs/cryptroot-script: add newline to split cryptroot
    password prompt onto two lines for readability (LP: #326900).

 -- Kees Cook  Sun, 08 Feb 2009 07:26:01 -0800

cryptsetup (2:1.0.6-7ubuntu1) jaunty; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/initramfs/cryptroot-script:
      - must source /scripts/functions to get the log_*_msg() functions.
      - wait for encrypted device to show up (LP 164044, 291752).
      - disable error message 'failed to setup lvm device' (LP 151532).
    - debian/rules:
      - fix location of ltmain.sh (Ubuntu-specific until libtool 2.2.x is
        in Debian unstable).
      - link dynamically (LP 62751).
    - add 04_fix_udevsettle_call.patch: fix path to binary for udevsettle.
  * Revert versioned build-dependency on libdevmapper-dev, since Ubuntu's
    version is higher now.
 -- Kees Cook  Tue, 06 Jan 2009 13:00:16 -0800

cryptsetup (2:1.0.6-7) unstable; urgency=medium

  * Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE
    in configure.in.
  * Support keyfiles option in bash completion. Thanks to Stefan Goebel for
    the patch. (closes: #499936)
  * Update patches/02_manpage.patch: Fix the documentation of default cipher
    for LUKS mappings. (closes: #495832)
  * Update debian/watch file to reflect the move of project home to
    code.google.com.
  * Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of
    cryptdisks.functions. This way, cryptdisks_start/stop work even with
    $CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643)
  * Add force-start to cryptdisks(-early).init in order to support starting
    noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779)
  * Document how to enable remote device unlocking via dropbear ssh server
    in the initramfs during boot process. Thanks to Chris for the great
    work. (closes: #465902)
  * Completely remove support and documentation of the timeout option,
    document this in NEWS.Debian. (closes: #495509, #474120)
  * Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene
    Wagner. (closes: #499704)
  * Fix initramfs/cryptpassdev-hook to check for passdev instead of
    mountdev. Thanks to Christoph Anton Mitterer.
  * cryptdisks.functions:
    - Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot
      initramfs script already supports keyscripts without path as argument.
      Thanks to Christoph Anton Mitterer.
  * README.initramfs:
    - Remove the mention of bug #398302 from the section about
      suspend/resume, as this bug has been fixed for some time now.
    - Remove step 6 (mkswap) from the section about decrypt_derived, as it
      was superfluous. Thanks to Helmut Grohne. (closes: #491867)
  * Fix initramfs/cryptroot-script to use the lvm binary instead of
    vgchange. Thanks to Marc Haber. (closes: #506536)
  * Make get_lvm_deps() recursive in initramfs/cryptroot-hook.
    This is required to detect the dm-crypt device in setups with more than
    one level of device mapper mappings. For example if LVM is used with
    snapshots on top of the dm-crypt mapping. Thanks to Christian Jaeger
    for bugreport and patch, Ben Hutchings and Yves-Alexis Perez for help
    with debugging. (closes: #507721)
  * urgency=medium due to several important fixes.

 -- Jonas Meurer  Wed, 17 Dec 2008 21:25:45 +0100

cryptsetup (2:1.0.6-6ubuntu2.1) intrepid-proposed; urgency=low

  * debian/initramfs/cryptroot-script: do not require that vol_id can parse
    the encrypted device as valid (LP: #291752).

 -- Kees Cook  Fri, 31 Oct 2008 13:10:06 -0700

cryptsetup (2:1.0.6-6ubuntu2) intrepid; urgency=low

  * Fixes for (LP: #272301)
  * debian/initramfs/cryptroot-script: must source /scripts/functions to
    get the log_*_msg() functions
  * 04_fix_udevsettle_call.patch: fix path to binary for udevsettle

 -- Dustin Kirkland  Fri, 19 Sep 2008 18:03:28 -0500

cryptsetup (2:1.0.6-6ubuntu1) intrepid; urgency=low

  * drop almost all ubuntu specific changes from the cryptsetup package,
    because they have been merged in debian. Thanks a lot!
  * merge from debian, remaining changes:
    - remove versioned build-dependency on libdevmapper-dev, we are using a
      rather sophisticated loop for making sure the root filesystem appears.
  * debian/rules: fix location of ltmain.sh
  * don't exit usplash anymore in the init script. LP: #110970, #139363
  * Disable error message 'failed to setup lvm device'. It is harmless, and
    caused by the fact that the udev rules provided by lvm2 are setting up
    the lvm on their own. In debian the scripts here are responsible for
    this but obviously fail in ubuntu. LP: #151532

 -- Reinhard Tartler  Sat, 30 Aug 2008 17:52:16 +0200

cryptsetup (2:1.0.6-6) unstable; urgency=high

  * Don't cat keyfile into pipe for do_noluks(). cryptsetup handles
    --key-file=- differently for luks and plain dm-crypt mappings. This time
    really (closes: #493848). Thus again upload with urgency=high.
 -- Jonas Meurer  Sat, 09 Aug 2008 13:36:31 +0200

cryptsetup (2:1.0.6-5) unstable; urgency=high

  * Fix watch file to not report -pre and -rc releases as superior.
  * Remove the global var $SIZE from cryptdisks.functions again but keep the
    extended value checks.
  * Remove the udev rules file also in preinst, code taken from example at
    http://wiki.debian.org/DpkgConffileHandling. Thanks Marco d'Itri.
    (closes: #493151)
  * Remove duplicated configuration of --key-file in $PARAMS at do_noluks().
    (closes: #493848).
  * Invoke mount_fs() and umount_fs() in cryptdisks_start, add
    log_action_begin_msg() and log_action_end_msg() to both cryptdisk_start
    and cryptdisks_stop.
  * Copy fd 3 code from do_start and do_stop to cryptdisks_start and
    cryptdisks_stop to fix "keyscript | cryptsetup". (closes: #493622)
  * This upload fixes two RC bugs, thus upload with severity=high.

 -- Jonas Meurer  Wed, 06 Aug 2008 10:19:21 +0200

cryptsetup (2:1.0.6-4) unstable; urgency=medium

  [ David Härdeman ]
  * Make sure $IGNORE is reset as necessary, patch by Thomas Luzat
    (closes: #490199)
  * Use askpass in init scripts as well (closes: #489033, #477203)

  [ Jonas Meurer ]
  * Don't copy_exec libgcc1 in cryptopensc initramfs hook, as it's already
    copied by copy_exec /usr/sbin/pcscd automatically. Thanks to Evgeni
    Golov. (closes: #490300)
  * Remove the udev rules file again as the relevant rules are now provided
    by dmsetup package which cryptsetup depends on.
  * Add splashy support to askpass, thanks to John Hughes for the patch.
    (closes: #492451) The support is limited to cryptroot though, as splashy
    freezes for passphrase input dialogs from initscripts. Document that in
    README.Debian.
  * Now that askpass is used as keyscript for interactive mode, it's not
    necessary to set cryptsetup parameter '--tries=$TRIES' and TRIES=1 for
    interactive mode anymore in cryptdisks.functions.
  * Implement special treatment for random passphrases now that we use
    "--key-file=-" for all situations. Only necessary in do_noluks.
  * Fix the passphrase prompt string in initramfs/cryptroot.script to use
    $cryptsource instead of $cryptsources.
  * Major documentation cleanup for lenny:
    - Rewrite CryptoSwap.HowTo in README.Debian, remove CryptoSwap.HowTo.
    - Refer to README.initramfs instead of CryptoRoot.HowTo for encrypted
      root filesystem in README.Debian.
    - Remove outdated docs CryptoRoot.HowTo, usbcrypto.udev and
      gen-old-ssl-key as well as the decrypt_old_ssl keyscript.
    - Remove debian/TODO, didn't have any useful content anyway.
    - Fix section ''9. The "decrypt_derived" keyscript'': Add swap option to
      the example line for crypttab and other minor fixes. Thanks to Helmut
      Grohne. (closes: #491867)
  * urgency=medium since important (#492451) and security (#477203) bugs get
    fixed by this upload.

 -- Jonas Meurer  Mon, 28 Jul 2008 00:21:44 +0200

cryptsetup (2:1.0.6-3) unstable; urgency=low

  [ Jonas Meurer ]
  * Fix cryptdisks.functions to actually recognize the noauto option.
    Thanks to Christian Pernegger (closes: #483882)
  * Update patches/02_manpage.patch:
    - fixes two more typos, thanks to and Era Eriksson for the patch, and
      Bruno Barrera Yever for forwarding it to the bts (closes: #476624)
    - removes a duplicate sentence
  * Rephrase "Enter password for $crypttarget" to "Enter password to unlock
    the disk $cryptsource ($crypttarget)" in initramfs/cryptroot.script.
  * Bump Standards-Version to 3.8.0:
    - Add a README.source which references
      /usr/share/doc/quilt/README.source.
    - Add support for debian build option parallel=n to debian/rules.
  * Add a udev rules file to ignore temporary-cryptsetup-* devices, as
    suggested in bug #467200. Thanks to Sam Morris.
  * Transform debian/copyright into machine-readable code as proposed in
    http://wiki.debian.org/Proposals/CopyrightFormat. Update and add several
    copyright notices.
  * Change reference to docbook xml v4.2 driver file from an online version
    to a local one in the manpage files, as the build process should not
    depend on internet access.
    Add docbook-xml to build-depends. Thanks to Lucas Nussbaum.
    (closes: #487056)

  [ David Härdeman ]
  * Hopefully fix askpass to properly handle console and usplash input
    (closes: #477203)
  * Clarify crypttab manpage (closes: #487246)
  * Make regex work if keyfile has extended attributes,
    https://launchpad.net/bugs/231339 (closes: #488131)
  * Support comments in options part of crypttab (closes: #488128)

 -- Jonas Meurer  Mon, 07 Jul 2008 00:30:07 +0200

cryptsetup (2:1.0.6-2ubuntu7) intrepid; urgency=low

  * reintroduce changes from 2:1.0.6-2ubuntu5 that have been accidentally
    dropped in version 2:1.0.6-2ubuntu6.

 -- Reinhard Tartler  Fri, 20 Jun 2008 15:15:54 +0200

cryptsetup (2:1.0.6-2ubuntu6) intrepid; urgency=low

  [ Kjell Braden ]
  * load scripts/functions for log_{begin,end}_msg
  * debian/initramfs/cryptroot-script: wait for the cryptsource, not the
    resulting mapped root device
  * debian/initramfs/cryptroot-hook: copy binaries to the right directory

  [ Reinhard Tartler ]
  * remove versioned build-dependency on libdevmapper-dev, we are using a
    rather sophisticated loop for making sure the root filesystem appears.

 -- Reinhard Tartler  Wed, 18 Jun 2008 00:26:43 +0200

cryptsetup (2:1.0.6-2ubuntu5) intrepid; urgency=low

  * Okay, I give up. include preprocessed manpages and adapt debian/rules to
    easily produce those. ATTENTION: on subsequent uploads, make sure that
    the manpages are available and up-to-date.

 -- Reinhard Tartler  Sun, 15 Jun 2008 13:33:07 +0200

cryptsetup (2:1.0.6-2ubuntu4) intrepid; urgency=low

  * also use local dtd in debian/doc/variables.xml.in.

 -- Reinhard Tartler  Sun, 15 Jun 2008 12:55:42 +0200

cryptsetup (2:1.0.6-2ubuntu3) intrepid; urgency=low

  * try harder to fix FTBFS.

 -- Reinhard Tartler  Sun, 15 Jun 2008 11:42:54 +0200

cryptsetup (2:1.0.6-2ubuntu2) intrepid; urgency=low

  * build docbook documentation using local dtds instead of trying to
    download them at buildtime. Fixes FTBFS.
 -- Reinhard Tartler  Sun, 15 Jun 2008 11:12:28 +0200

cryptsetup (2:1.0.6-2ubuntu1) intrepid; urgency=low

  * Merge new debian version. Remaining changes:
    - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
      bzr on launchpad.
    - debian/rules: cryptsetup is linked dynamically against libgcrypt and
      libgpg-error.
    - cryptdisks.functions: stop usplash on user input. LP #62751
    - Parse comments in lines not starting with '#', LP #185380
    - If the encrypted source device hasn't shown up yet, give it a little
      while to deal with removable devices. LP #164044
  * Depend on race-free version of libdevmapper, thus making udevsettle call
    from cryptsetup binary unnecessary. Dropping patch
    debian/patches/06_run_udevsettle.patch
  * remove patch from LP #73862, loading optimized modules has been solved
    in debian in another way.
  * cryptdisk.functions: remove spurious call to load_optimized_module.
    LP: #239946
  * bugfix: make regex work if keyfile has extended attributes. LP: #231339.
  * remove patch in cryptdisks.functions for rexecing the script itself for
    ensuring that a tty is always available. (See LP #58794.) According to
    Scott, this is not necessary anymore.

 -- Reinhard Tartler  Sat, 14 Jun 2008 23:28:51 +0200

cryptsetup (2:1.0.6-2) unstable; urgency=low

  [ Jonas Meurer ]
  * Taken from ubuntu:
    - debian/scripts/luksformat: Use 256 bit key size by default.
      (LP: #78508)
    - debian/patches/02_manpage.patch: Clarify default key sizes (128 for
      luksFormat and 256 for create) in cryptsetup.8. (side-note in
      LP #78508)
  * Use 'shred -uz' instead of 'rm -r' to remove a tempfile that contains a
    key in gen-ssl-key example script.

  [ David Härdeman ]
  * Misc bugfixes to askpass, make sure it is installed to the correct
    location and is built using pedantic mode.
  * Change the initramfs script to use askpass to prompt for passphrases,
    this should hopefully fix #382375 and #465902 once it is enabled in the
    init scripts as well.
  * Add a keyscript called passdev which allows a keyfile to be retrieved
    from a device which is first mounted, mainly useful to get keyfiles off
    USB devices etc.
  * Unbreak MODULES=dep booting (closes: #478268)
  * Relax checks for suspend devices a bit (closes: #477658)
  * Convert man pages to docbook.

 -- David Härdeman  Mon, 26 May 2008 08:12:32 +0200

cryptsetup (2:1.0.6-1ubuntu4) intrepid; urgency=low

  [ Kjell Braden ]
  * Fix configuration parsing (LP: #239808)

  [ Reinhard Tartler ]
  * cryptroot-script: use 'echo' instead of 'log_begin_msg' (LP: #237723)

 -- Reinhard Tartler  Fri, 13 Jun 2008 21:26:17 +0200

cryptsetup (2:1.0.6-1ubuntu3) intrepid; urgency=low

  * Parse comments in lines not starting with '#', LP: #185380
  * in cryptroot hook, don't rely on 'udevadm settle' to wait long enough
    for the cryptdevice to appear. Reimplement the busy waiting loop found
    while waiting for the root file system. Patch based on work by Swâmi
    Petaramesh. LP: #164044
  * debian/cryptdisks.functions: call 'env' with full path. LP: #178829.

 -- Reinhard Tartler  Mon, 26 May 2008 22:12:32 +0200

cryptsetup (2:1.0.6-1ubuntu2) intrepid; urgency=low

  * Simplify the patch in debian/cryptdisks.functions that stops usplash
    before asking for a passphrase.

 -- Reinhard Tartler  Mon, 26 May 2008 20:18:14 +0200

cryptsetup (2:1.0.6-1ubuntu1) intrepid; urgency=low

  * Merge new debian version. Remaining changes:
    - cryptsetup is linked dynamically against libgcrypt and libgpg-error.
    - stop usplash on user input. LP #62751
    - debian/cryptdisks.functions: Always output and read from the console.
      LP #58794.
    - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
      bzr on launchpad.
    - debian/initramfs/cryptroot-hook: LP #73862 Added patch to install aes
      optimized cipher module
    - try to load optimized cipher module in cryptsetup.functions as well,
      because cryptroot-hook is only executed when we really have a
      cryptoroot.
  * other ubuntu changes have been merged into debian.
    Please report bugs if you believe some patches have been dropped.
  * removed 07_typos_fix.patch, has been reviewed and applied upstream.

 -- Reinhard Tartler  Sun, 25 May 2008 22:52:30 +0200

cryptsetup (2:1.0.6-1) unstable; urgency=low

  [ Jonas Meurer ]
  * new upstream release
    - reload option is deprecated and a warning is printed. (closes: #428288)
  * convert patch system from dpatch to quilt.
  * enhance the information regarding the default hash setting in
    NEWS.Debian. Thanks to Ross Boylan.
  * change author of keyslot patch to Marc Merlin in changelog, thanks to
    U. Kuehn for raising that issue.
  * doing some debian/rules redesign and cleanup, speeds up the build
    process.
  * ignore devices with the noauto option early enough to prevent any checks
    on them. Thanks to Joachim Breitner (closes: #464672)
  * update debian/copyright to actually mention copyright, thanks lintian.
  * change script=$(basename $req) to script=${req##*/} in initramfs
    cryptroot script. Thanks to Adeodato Simó. (closes: #466240)
  * change test ... -a ... to [ ... ] && [ ... ] in the check scripts.
  * add support for tries option to initramfs scripts. Thanks to Helmut
    Grohne. (closes: #430158, #469869)
    Use --tries=1 for cryptsetup in the initramfs script. Document the
    difference between initscript and initramfs for tries=0 in the crypttab
    manpage.
  * add, build and install askpass.c, a helper program by David Härdeman.
    The idea is to use it for passphrase prompt in the initramfs script.

  [ David Härdeman ]
  * Work with LABEL=, UUID= and symlinks in /etc/fstab (closes: #466175)
  * Improve module loading in initramfs hook so that the newer as well as
    arch specific crypto drivers are taken into consideration
    (closes: #464673)
  * Depend on race-free version of libdevmapper, thus making udevsettle call
    from cryptsetup binary unnecessary. Also change call to udevsettle in
    initramfs script (which is still useful as it relates to the source
    device) to optionally use udevadm if present (closes: #456326).
 -- Jonas Meurer  Mon, 31 Mar 2008 15:58:35 +0200

cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low

  * New upstream svn snapshot:
    - Adds typo fixes by Justin Pryzby to cryptsetup.8 manpage.
    - Mentions luksKillSlot in the manpage. Thanks to Alexander Heinlein.
      (closes: #459206)
    - Adds the patch by Marc Merlin to support explicit key slots for
      luksFormat and luksAddKey. Thanks to U. Kuehn, who figured out that
      this patch wasn't applied even though changelog said so.
    - Supports adding new keys to active devices again. Thanks to Tobias
      Frost for the bugreport. (closes: #460409)
  * Add support for a custom filesystem for /tmp. Patch provided by
    Hans-Peter Oeri.
  * Add X-Start-Before headers to cryptdisks and cryptdisks-early
    initscripts. Thanks to Petter Reinholdtsen for report and patch.
    (closes: #458944)
  * Add support for a noauto option to cryptdisks. Thanks to U Kuehn for
    the idea.
  * Add typo fixes by Justin Pryzby to crypttab.5 manpage. (closes: #460994)
  * Add a cryptdisks_stop script, corresponding to cryptdisks_start. Thanks
    to Joachim Breitner for the idea. (closes: #459832)
  * Change log_progress_msg to log_action_msg in cryptdisks.functions. That
    way a newline is printed after the start of every device. Thanks to
    Frans Pop for the bugreport. (closes: #461548)
  * Add bash_completion script provided by Kevin Locke. (closes: #423591)
  * Fix a spelling error in the package description: linux -> Linux.
  * Fix bashisms in cryptdisks_{start,stop} found by Raphael Geissert.
  * Change the default hash in initramfs scripts from sha256 to ripemd160
    for consistency with cryptsetup default. Add information about that to
    NEWS.Debian. Thanks to martin f krafft.
    (closes: #406317)

 -- Jonas Meurer  Wed, 30 Jan 2008 09:01:52 +0100

cryptsetup (2:1.0.6~pre1-1) unstable; urgency=low

  [ Jonas Meurer ]
  * New upstream alpha release 1.0.6~pre1:
    - [01_crypt_luksFormat_libcryptsetup.dpatch] removed, applied upstream
    - [02_manpage.dpatch] likewise
    - [04_fix_unused_or_unitialized_variables.dpatch] likewise
    - [05_segfault_at_nonexisting_device.dpatch] likewise
    - [06_run_udevsettle.dpatch] update for new upstream
  * Disable 03_check_for_root.dpatch. As Ludwig Nussel mentioned on
    dm-crypt@saout.de, cryptsetup 1.0.5 already prints out meaningful errors
    if expected permissions are not available. Therefore the check for
    uid == 0 is superfluous.
  * [06_run_udevsettle.dpatch] Run udevsettle after device-mapper device
    creation. Fixes issues with temporary device files in /dev/mapper. Patch
    by Reinhard Tartler from Ubuntu. (closes: #444914)
  * Add support for offset and skip options to cryptdisks/crypttab. Thanks
    to Marc-Jano Knopp. (closes: #446674)
  * Update the long description in debian/control. Don't mention kernel
    2.6.4 any longer, remove references to
    /usr/share/doc/cryptsetup/CryptoRoot.HowTo and mkinitrd.
  * Add noearly option to cryptdisks/crypttab, which causes cryptdisks-early
    to ignore the entry. Thanks to Joerg Jaspert (closes: #423102)
  * Change log_progress_msg "$dst (started)" to device_msg "$dst" "started"
    in cryptdisks.functions. Makes console output of cryptdisks more
    consistent.
  * Add cryptdisks_start and patch to cryptdisks.functions by Jon Dowland.
    Also add a manpage for cryptdisks_start(8). (closes: #447159)
  * Add load_optimized_module() function to cryptdisks.functions. Initial
    idea by Reinhard Tartler from Ubuntu, enhanced by David Härdeman.
    (closes: #445186)
  * Add support for UUID=.. device strings to initramfs cryptroot-hook.
    Thanks to Reinhard Tartler from Ubuntu for the patch. (closes: #445189)
  * Support UUID=... and LABEL=... device strings in /etc/crypttab. Thanks
    to Martin Pitt from Ubuntu for the patch.
    (closes: #445189)
  * Add Vcs-Browser and Vcs-Svn fields to debian/control.
  * Fix debian/rules to not fail to build if autom4te.cache is left behind
    from a previous incomplete build. Patch again taken from Ubuntu.
  * Mention in the crypttab manpage that files are allowed as source. In
    that case they are mounted as loopback device automatically. Thanks to
    Michal Cihar (closes: #451909)
  * At stopping dm-crypt devices really remove the corresponding loopback
    device if one has been used. Thanks to Rene Pavlik for report and to
    David Härdeman, who had the idea for the fix. (closes: #451916)
  * Also remove loopback devices if the cryptsetup device setup fails.
  * Document a possible deadlock if cryptsetup is invoked as a 'run program'
    in a udev rule. This is related to the invocation of udevsettle in
    cryptsetup. Thanks to Dick Middleton for reporting and debugging.
    (closes: #444914)
  * Move umount_fs() from handle_crypttab_line() to the end of do_start().
  * Bump Standards-Version to 3.7.3.0. No changes needed.
  * Remove unused lintian-override file
  * Remove --build $(DEB_BUILD_GNU_TYPE) and --host $(DEB_HOST_GNU_TYPE)
    from invocation of ./configure, as they are already included in
    $(confflags).

 -- Jonas Meurer  Thu, 06 Dec 2007 15:56:05 +0100

cryptsetup (2:1.0.5-2ubuntu12) hardy; urgency=low

  * added debian/patches/07_typos_fix.dpatch: fixed typos in man pages.
    (LP: #164181)

 -- Bruno Barrera Yever  Mon, 07 Apr 2008 18:43:05 -0500

cryptsetup (2:1.0.5-2ubuntu11) hardy; urgency=low

  * debian/initramfs/cryptroot-script: Do show the disk name after all,
    since some people use multiple encrypted partitions as LVM PVs.
    (LP: #201413)

 -- Martin Pitt  Sun, 06 Apr 2008 11:54:41 -0600

cryptsetup (2:1.0.5-2ubuntu10) hardy; urgency=low

  * debian/initramfs/cryptroot-script: Do not mention the name of the
    encrypted device. It is just technobabble anyway (sda4_crypt), and there
    is just one root partition ever, so it is not needed to tell apart
    different partitions.
    From a security POV, someone who can change your initramfs to boot a
    different root partition can just as well change the strings, too.
    (LP: #201413)

 -- Martin Pitt  Wed, 02 Apr 2008 15:51:53 +0200

cryptsetup (2:1.0.5-2ubuntu9) hardy; urgency=low

  * debian/scripts/luksformat: Use 256 bit key size by default. (LP: #78508)
  * debian/patches/02_manpage.dpatch: Clarify default key sizes (128 for
    luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508)

 -- Martin Pitt  Wed, 27 Feb 2008 17:43:46 +0100

cryptsetup (2:1.0.5-2ubuntu8) hardy; urgency=low

  * Fix -x calls and access() call.

 -- Scott James Remnant  Fri, 14 Dec 2007 16:54:53 +0000

cryptsetup (2:1.0.5-2ubuntu7) hardy; urgency=low

  * debian/initramfs/cryptroot-script: call udevadm instead of udevsettle
  * debian/patches/06_call_udevsettle.dpatch: likewise

 -- Scott James Remnant  Fri, 14 Dec 2007 16:11:36 +0000

cryptsetup (2:1.0.5-2ubuntu6) hardy; urgency=low

  * Make cryptsetup understand devices specified by UUID=... or LABEL= in
    crypttab. (LP: #153597)

 -- Andrea Colangelo  Mon, 29 Oct 2007 18:22:51 +0100

cryptsetup (2:1.0.5-2ubuntu5) hardy; urgency=low

  * reenable additional udevsettle calls in cryptroot hook from
    https://launchpad.net/bugs/85640, LP: #132373.
  * change maintainer to ubuntu-core-dev.
  * use Vcs-Bzr instead of XSCB-Vcs-Bzr header in debian/control.

 -- Reinhard Tartler  Thu, 08 Nov 2007 23:52:19 +0100

cryptsetup (2:1.0.5-2ubuntu4) hardy; urgency=low

  * reapply changes from version 2:1.0.5-2ubuntu2, got dropped with last
    upload. Sorry, pitti.
  * convert patch to lib/libdevmapper.c to a dpatch.

 -- Reinhard Tartler  Sun, 04 Nov 2007 21:42:43 +0100

cryptsetup (2:1.0.5-2ubuntu3) hardy; urgency=low

  * RELIABILITY FIX: lib/libdevmapper.c: Ensure that pending device creation
    events are being processed by calling /sbin/udevsettle. Patch based on
    OpenSUSE bug #285478, LP: #132373.
  * Based on the change above, the patch from LP #85640 is no longer needed.
    dropping the relevant parts.
  * Fix debian/rules to not fail to build if autom4te.cache is left behind
    from a previous incomplete build.

 -- Reinhard Tartler  Fri, 02 Nov 2007 20:53:31 +0100

cryptsetup (2:1.0.5-2ubuntu2) gutsy; urgency=low

  * debian/initramfs/cryptroot-script:
    - If the supplied password worked, remove the prompt from usplash again,
      so that the user has some visual feedback that everything is alright.
      (LP: #151305)
    - Do not show the UUID device node of the outer physical device. It is
      scary ("/dev/disk/by-uuid/1234yadayada") and displaying it does not
      improve security at all: If attackers can tamper with your initramfs,
      they can also change the prompt, and if the UUID of the physical
      device changes, then booting will not even get that far. Now it is a
      much more friendly "Enter passphrase for sda5_crypt:" which is still
      technical, but it's necessary to point out which device will be
      unlocked in case there are several.

 -- Martin Pitt  Thu, 11 Oct 2007 19:51:58 +0200

cryptsetup (2:1.0.5-2ubuntu1) gutsy; urgency=low

  * Merge new debian version. Remaining changes:
    - cryptsetup is linked dynamically against libgcrypt and libgpg-error.
      This will break systems where /usr is a separate encrypted filesystem
      but not have other bad consequences (in particular, systems with
      encrypted root are still fine). The upsides include better security
      supportability and smaller packages.
    - libcryptsetup.so et al removed from the binary packages. They have no
      stable ABI and are not suitable for use by other packages, and were in
      violation of library policies etc. They're not needed since the
      cryptsetup executable statically contains the relevant parts of
      libcryptsetup.
    - cryptdisks.functions: remove #!/bin/bash as it isn't a script by
      itself; it's only sourced by other scripts. This gets rid of the
      lintian warning `script-not-executable' for this file.
    - stop usplash on user input. LP #62751
    - Always output and read from the console. LP #58794.
    - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
      bzr on launchpad.
    - Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate
      libnsl linkage;
    - debian/initramfs/cryptroot-hook: (LP: #73862)
      Added patch to install aes optimized cypher module
    - try to load optimized cypher module in cryptsetup.functions as well,
      because cryptroot-hook is only executed when we really have a
      cryptoroot.
    - apply patch from pitti for allowing UUIDs in /etc/crypttab. This
      allows crypted PVs! LP: #144390.
    - remove README.ubuntu, since it contains old and obsolete information.

 -- Reinhard Tartler Tue, 02 Oct 2007 21:31:28 +0200

cryptsetup (2:1.0.5-2) unstable; urgency=low

  [ Jonas Meurer ]
  * Add libselinux1-dev and libsepol1-dev to build-depends. Detected by the
    build daemon from hell by Steinar H. Gunderson. Thanks to Manoj
    Srivastava for advice.
  * Fix the watchfile
  * Fix cryptopensc-hook to honor key=none. Thanks to Daniel Baumann
    (closes: #436434)
  * Remove outdated README.html and example usbcrypto.* scripts from
    documentation. Add example usbcrypto.udev script. Thanks to Volker Sauer
    for the update. (closes: #409775)
  * Document that stdin is read differently with '--key-file=-' than
    without. Thanks to Marc Haber. (closes: #418450)
  * Document that --timeout is useless in conjunction with --key-file.
    Thanks Alexander Zangerl. (closes: #421693)
  * [03_check_for_root.dpatch] Check for UID == 0 before actually doing
    something. Thanks to Benjamin Seidenberg. (closes: #401766)
  * [04_fix_unused_or_unitialized_variables.dpatch] Fix some gcc warnings
    about unused or uninitialized variables. Thanks to Ludwig Nussel for the
    patch.
  * [05_segfault_at_nonexisting_device.dpatch] Fix segfault when trying to
    open a non existing device. Thanks to Ludwig Nussel for the patch.
    (closes: #438198)
  * Add CFLAGS="$(CFLAGS)" before ./configure invocation in debian/rules.
    This way CFLAGS are passed to the configure script. Thanks to Gordon
    Farquharson for the patch.
    (closes: #438450)
  * Add a warning about missing hash option in crypttab to initramfs
    cryptoroot hook. Thanks to Sebastian Leske for the patch.
    (closes: #438169)
  * Add support for openct using data objects on a smartcard as key. Thanks
    to Daniel Baumann for patch and documentation. (closes: #438473)
  * Polish opensc_decrypt and openct_decrypt.
  * Add initramfs patch by maximilian attems. Bump depends on initramfs-tools
    to (>= 0.91). (closes: #441428)
  * several cleanups to make lintian happy:
    - remove #!/bin/sh from cryptsetup.functions as it is not executable.
    - remove unused-override configure-generated-file-in-source config.log.
    - add some hyphen fixes to patches/02_manpage.dpatch
  * Filter out the detection of filesystem type 'minix' in checks vol_id and
    un_vol_id if checking for any valid filesystem. The minix fs signature
    seems short enough to be detected erroneously by /lib/udev/vol_id.
    Thanks to Fredrik Olofsson and arno for the bugreport. (closes: #411784)
  * Add Homepage field to debian/control.

 -- Jonas Meurer Mon, 24 Sep 2007 15:42:06 +0200

cryptsetup (2:1.0.5-1ubuntu5) UNRELEASED; urgency=low

  * apply patch from pitti for allowing UUIDs in /etc/crypttab. This allows
    crypted PVs! LP: #144390.
  * remove README.ubuntu, since it contains old and obsolete information.

 -- Reinhard Tartler Tue, 02 Oct 2007 19:59:24 +0200

cryptsetup (2:1.0.5-1ubuntu4) gutsy; urgency=low

  [ Stephan Hermann ]
  * debian/initramfs/cryptroot-hook: (LP: #73862)
    - Added patch to install aes optimized cypher module

  [ Reinhard Tartler ]
  * re-applying old patch to new package version
  * try to load optimized cypher module in cryptsetup.functions as well,
    because cryptroot-hook is only executed when we really have a
    cryptoroot.

 -- Reinhard Tartler Thu, 27 Sep 2007 19:38:48 +0200

cryptsetup (2:1.0.5-1ubuntu3) gutsy; urgency=low

  * Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate
    libnsl linkage; should finally produce a usable cryptsetup binary for
    the udeb.
 -- Colin Watson Wed, 19 Sep 2007 15:28:52 +0100

cryptsetup (2:1.0.5-1ubuntu2) gutsy; urgency=low

  * Bump libgcrypt11 build-dependency to 1.2.4-2ubuntu1 and rebuild for
    proper udeb dependencies.

 -- Colin Watson Wed, 19 Sep 2007 01:37:02 +0100

cryptsetup (2:1.0.5-1ubuntu1) gutsy; urgency=low

  * Merge new debian version. Remaining changes:
    - cryptsetup is linked dynamically against libgcrypt and libgpg-error.
      This will break systems where /usr is a separate encrypted filesystem
      but not have other bad consequences (in particular, systems with
      encrypted root are still fine). The upsides include better security
      supportability and smaller packages.
    - libcryptsetup.so et al removed from the binary packages. They have no
      stable ABI and are not suitable for use by other packages, and were in
      violation of library policies etc. They're not needed since the
      cryptsetup executable statically contains the relevant parts of
      libcryptsetup.
    - cryptdisks.functions: remove #!/bin/bash as it isn't a script by
      itself; it's only sourced by other scripts. This gets rid of the
      lintian warning `script-not-executable' for this file.
    - stop usplash on user input. LP #62751
    - Always output and read from the console. LP #58794.
  * Add XSBC-Vcs-Bzr tag to indicate that this package is managed using bzr
    on launchpad.
  * UVF exception request granted by Scott Kitterman and Chuck Short
    LP: #138295

 -- Reinhard Tartler Sat, 08 Sep 2007 19:04:54 +0200

cryptsetup (2:1.0.5-1) unstable; urgency=low

  [ Jonas Meurer ]
  * New upstream release, nearly identical to svn snapshot svn29.
  * Fix watch file to use cryptsetup instead of cryptsetup-luks.
  * Add 01_crypt_luksFormat_libcryptsetup.dpatch - rename luksInit to
    luksFormat in libcryptsetup.h.
  * Merge some ubuntu changes:
    - make luksformat check if filesystem is already mounted to prevent a
      strange error message.
    - modprobe dm-mod in cryptsetup.functions.
    - wait for udev to be settled in initramfs script.
  [ David Härdeman ]
  * Allow other crypto devices to be setup even if one fails.
    (closes: #423100)
  * Remove an incorrect warning in postinst.

 -- Jonas Meurer Fri, 27 Jul 2007 04:59:33 +0200

cryptsetup (2:1.0.4+svn29-1ubuntu6) gutsy; urgency=low

  * Add notes by Ilkka Tuohela in a new file debian/README.ubuntu

 -- Reinhard Tartler Sat, 08 Sep 2007 18:43:56 +0200

cryptsetup (2:1.0.4+svn29-1ubuntu5) gutsy; urgency=low

  * cryptsetup is linked dynamically against libgcrypt and libgpg-error.
    This will break systems where /usr is a separate encrypted filesystem
    but not have other bad consequences (in particular, systems with
    encrypted root are still fine). The upsides include better security
    supportability and smaller packages.
  * libcryptsetup.so et al removed from the binary packages. They have no
    stable ABI and are not suitable for use by other packages, and were in
    violation of library policies etc. They're not needed since the
    cryptsetup executable statically contains the relevant parts of
    libcryptsetup.
  * cryptdisks.functions: remove #!/bin/bash as it isn't a script by itself;
    it's only sourced by other scripts. This gets rid of the lintian warning
    `script-not-executable' for this file.

 -- Ian Jackson Fri, 31 Aug 2007 12:05:33 +0100

cryptsetup (2:1.0.4+svn29-1ubuntu4) gutsy; urgency=low

  * s/$CRYPTCMD/cryptsetup/ in debian/cryptdisks.functions (LP: #115617)

 -- Reinhard Tartler Tue, 29 May 2007 17:04:05 +0200

cryptsetup (2:1.0.4+svn29-1ubuntu3) gutsy; urgency=low

  * make luksformat check if filesystem is already mounted to prevent a
    strange error message. thanks to mvo for the patch (LP: #116633)
  * remove file debian/initramfs-cryptroot-script from source. it is not
    installed anywhere, and a leftover from the last merge.
  * add missing hunk of cryptsetup.functions compared to debian package.
  * reapply http://librarian.launchpad.net/7329604/bug85640.debdiff to
    debian/initramfs/cryptroot-script, since stgraber's patch has been lost
    in the last merge.
    (LP: #85640)

 -- Reinhard Tartler Tue, 29 May 2007 15:02:57 +0200

cryptsetup (2:1.0.4+svn29-1ubuntu2) gutsy; urgency=low

  * modprobe dm-mod from cryptsetup.functions. (LP: #64625, #91405)

 -- Reinhard Tartler Tue, 29 May 2007 13:31:39 +0200

cryptsetup (2:1.0.4+svn29-1ubuntu1) gutsy; urgency=low

  * Merge from Debian unstable. Remaining Ubuntu changes:
    - stop usplash on user input. Ubuntu: #62751
    - Always output and read from the console. Ubuntu: #58794.
    - Wait for Udev to be ready to avoid partition non-detection.
      (LP: #85640)
  * Modify Maintainer value to match Debian-Maintainer-Field Spec

 -- Andrea Veri Sun, 6 May 2007 22:33:25 +0200

cryptsetup (2:1.0.4+svn29-1) unstable; urgency=low

  * New upstream svn snapshot with several bugfixes
    - remove 01_tries_fix.dpatch, added upstream

 -- Jonas Meurer Wed, 02 May 2007 02:48:37 +0200

cryptsetup (2:1.0.4+svn26-3) unstable; urgency=low

  * Add cryptdevice name to prompt before actually starting it. Thanks to
    Joerg Jaspert. (closes: #421803)

 -- Jonas Meurer Wed, 02 May 2007 01:05:22 +0200

cryptsetup (2:1.0.4+svn26-2) unstable; urgency=low

  [ David Härdeman ]
  * Fix typo in crypttab(5), the ext checkscript is called ext2, not ext3.
    (closes: #410390)
  * Use the initramfs-tools keymap support instead of our own (requires
    initramfs-tools >= 0.87)
  * Add support for usplash password prompt (closes: #397981)
  * Remove the "ssl" and "gpg" options which are supported by keyscripts
    since October 2006 (see NEWS for details).
  * Spring cleaning of cryptdisks.functions, now supports multiple tries for
    keyscripts and uses lsb logging. (closes: #420105, #383808)

  [ Jonas Meurer ]
  * Add 01_tries_fix.dpatch, makes the --tries commandline option work
    again. (closes: #414326, #412064)
  * Document the un_vol_id check script, remove the swap check script from
    documentation. The swap check indeed is rather useless, thanks to Frank
    Engler. The script itself is kept for compatibility issues.
    (closes: #406837)
  * Add smartcard keyscript and initramfs-tools hooks/scripts. This adds
    support for disk encryption with smartcards, even for root disks. Thanks
    a lot to Gerald Turner for the patch and a smartcard reader for testing
    this. (closes: #416528)
  * update copyright file: change "program" to "package", and mention GPL
    version 2. add a full disclaimer.
  * Add "--showkeys" to the dmsetup invocation in decrypt_derived script.
    (closes: #420399)
  * Fixes in cryptdisks.functions:
    - Don't suppress error messages at mount and unmount and don't break if
      'mount $point' fails.
    - Fix handling of checks and prechecks, the vars somehow were mixed
    - Really use $CHECKARGS if it's defined
    - Rename "stopped" to "stopping" for devices which are shutdown at
      'cryptdisks stop' (show a difference to already stopped devices).

 -- Jonas Meurer Sat, 28 Apr 2007 20:45:50 +0200

cryptsetup (2:1.0.4+svn26-1ubuntu2) feisty; urgency=low

  * Wait for Udev to be ready to avoid partition non-detection. (LP: #85640)

 -- Stéphane Graber Thu, 14 Apr 2007 10:03:41 +0200

cryptsetup (2:1.0.4+svn26-1ubuntu1) feisty; urgency=low

  * merge debian changes. Remaining ubuntu changes:
    - stop usplash on user input. Ubuntu: #62751
    - Always output and read from the console. Ubuntu: #58794.

 -- Reinhard Tartler Sat, 3 Feb 2007 21:30:03 +0100

cryptsetup (2:1.0.4+svn26-1) unstable; urgency=high

  [ Jonas Meurer ]
  * New upstream svn snapshot 1.0.4+svn26
    - contains a slightly modified patch by Rob Walker to fix a sector size
      error. (closes: #403075)
    - fixes a LUKS header corruption on arm, which downgrades bug #403426
      from critical to important.
    - prevents password retrying with I/O errors.
  * handle chainmode/essiv "plain" correctly in initramfs hook. Thanks to
    Leonard Norrgard. (closes: #402417)
  * remove 'rm -rf m4' from a clean target in debian/rules.
  * urgency=high to get this into etch.
  [ David Härdeman ]
  * Document the difference in default hash functions between the initramfs
    scripts and the plain cryptsetup binary. (closes: #398429)
  * Verify symlinks for source devices when initramfs is generated and
    correct if necessary. (closes: #405301)

 -- Jonas Meurer Tue, 9 Jan 2007 21:53:06 +0100

cryptsetup (2:1.0.4+svn16-2) unstable; urgency=high

  [ David Härdeman ]
  * Add cbc to standard list of modules. Thanks to Michael Olbrich.
    (closes: #401370)
  * Fix support for crypto-on-evms. Thanks to Enrico Gatto.
    (closes: #402417)

  [ Jonas Meurer ]
  * urgency=high to get this into etch.

 -- Jonas Meurer Thu, 14 Dec 2006 01:41:40 +0100

cryptsetup (2:1.0.4+svn16-1) unstable; urgency=medium

  [ David Härdeman ]
  * Support adding separate blockcipher modules to initramfs image
    (necessary for kernels >= 2.6.19)
  * Hashing was previously not done correctly when decrypt_derived was used

  [ Jonas Meurer ]
  * Add new upstream patch 02_luks_var_keysize.dpatch. Cryptsetup no longer
    segfaults with unsupported keysize. (closes: #381973)
  * Urgency medium as we really want these fixes in etch.

 -- Jonas Meurer Tue, 28 Nov 2006 18:17:12 +0100

cryptsetup (2:1.0.4-8ubuntu2) feisty; urgency=low

  * fix and improve initramfs hook: terminate usplash if running, since
    adequate secure text input is not possible with usplash ATM
  * usplash support: Terminate usplash before asking a password. Closes
    https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/62751

 -- Reinhard Tartler Wed, 24 Jan 2007 22:43:28 +0100

cryptsetup (2:1.0.4-8ubuntu1) feisty; urgency=low

  * merge debian changes, remaining patches:
    - Always output and read from the console. Ubuntu: #58794.
  * other changes have been merged or do not apply anymore
  * read password via usplash if available in initramfs for rootfs. based on
    a patch from Swen Thümmler (Thanks for that!) Ubuntu #62751
  * read password from initscript via usplash if running. should fix the
    rest of Ubuntu #62751.
    Only problem with that patch: It asks only once for the password!
    improvements welcome!

 -- Reinhard Tartler Sun, 19 Nov 2006 20:04:19 +0100

cryptsetup (2:1.0.4-8) unstable; urgency=high

  [ Jonas Meurer ]
  * Add 'set -e' and 'if ...; then ... fi' to cryptdisks-early as well.

  [ David Härdeman ]
  * Make sure that a failed modprobe does not break with 'set -e'.
    (closes: #398799)

 -- Jonas Meurer Thu, 16 Nov 2006 16:59:35 +0100

cryptsetup (2:1.0.4-7) unstable; urgency=low

  [ David Härdeman ]
  * Do not try to configure resume devices which we can't get the key for
    and also try harder to find resume devices. (closes: #397887, #397888)
  * Kill some more bashisms.
  * Only try three times per crypto device in initramfs scripts to avoid
    unbootable systems if a swap partition can't be setup.
  * Added decrypt_derived keyscript and improved documentation of latest
    changes, see README.initramfs for details.

 -- Jonas Meurer Tue, 14 Nov 2006 16:27:51 +0100

cryptsetup (2:1.0.4-6) unstable; urgency=high

  [ David Härdeman ]
  * Improve LVM dependency checks in initramfs hook. Thanks to Loïc Minier
    for the patch. (closes: #397633, #397651)

 -- Jonas Meurer Thu, 9 Nov 2006 13:55:48 +0100

cryptsetup (2:1.0.4-5) unstable; urgency=high

  [ David Härdeman ]
  * Make sure that duplicate entries in initramfs do not block the boot
    (closes: #397454)
  * Do not check for the presence of a key if the keyscript option is set
    (closes: #397450)

 -- Jonas Meurer Tue, 7 Nov 2006 18:03:41 +0100

cryptsetup (2:1.0.4-4) unstable; urgency=high

  [ David Härdeman ]
  * Readd and document the kernel boot argument "cryptopts" due to user
    demand
  * Implement support for multiple device setup in initramfs.
    (closes: #394136, #382280)
  * Remove bashisms. (closes: #396092)
  * Fix FTBFS by altering dpatch so that it is applied to Makefile.in.in
    before configure is executed. (closes: #396126)

  [ Jonas Meurer ]
  * Only warn for insecure keyfile mode/owner. Add some information about
    insecure keys in README.Debian.
    (closes: #395357, #394134)

 -- Jonas Meurer Fri, 3 Nov 2006 02:22:49 +0100

cryptsetup (2:1.0.4-3) unstable; urgency=medium

  [ Jonas Meurer ]
  * Suggest dosfstools. Needed for the default settings in luksformat.
    Thanks to Loïc Minier. (closes: #393473)
  * Suggest initramfs-tools (>= 0.60) | linux-initramfs-tool as well.
  * Still urgency=medium for the same reasons

  [ David Härdeman ]
  * Change the previous fix for #388871 to use the original patch from Loïc
    Minier. This also removes the bogus UTF8 char. (closes: #393895)

 -- Jonas Meurer Wed, 18 Oct 2006 23:03:47 +0200

cryptsetup (2:1.0.4-2) unstable; urgency=medium

  [ Jonas Meurer ]
  * Fix postinst, use 'elif [ -z $foo] || [ -z $bar ]; then ...'
  * Fix a typo in cryptdisks.functions, change $opt to $opts for more
    consistency with the postinst script.
  * Fix mount_fs() in cryptdisks.functions to actually do what we want it to
    do. Up to now, the initscript stopped if a mountpoint failed to mount.
  * urgency=medium to get cryptsetup 1.0.4 into etch

 -- Jonas Meurer Tue, 17 Oct 2006 16:16:02 +0200

cryptsetup (2:1.0.4-1) unstable; urgency=low

  [ David Härdeman ]
  * Always update the current initramfs when a new version is installed
  * Move the double-ssl decryption into a keyscript and change the ssl
    option to use that script instead
  * Move the gpg key decryption into a keyscript and change the gpg option
    to use that script instead
  * Clean up cryptdisks.functions
  * Let initramfs-tools know that we need busybox in the initramfs image
  * Fix bogus error message from initramfs hook, based on patch by Loïc
    Minier. (closes: #388871)
  * Remove the undocumented kernel boot argument "cryptopts"
  * Always add some crypto modules/tools to the initramfs image unless
    MODULES=dep. (closes: #389835)
  * Update README.initramfs.
  * Add checks and warnings that the ssl and gpg options are going away in
    favour of the keyscript option
  * Fix the decrypt_ssl script (closes: #390514)

  [ Jonas Meurer ]
  * New upstream release.
    - [01_terminal_output.dpatch] removed, finally went upstream
    - [02_docs_tries.dpatch] removed, went upstream
    - [03_fix_build_error.dpatch] renamed to 01_fix_build_error.dpatch
  * Fix SYNOPSIS in crypttab(5) manpage to show all arguments as mandatory.
    Thanks to Michael Steinfurth.
  * Check in postinst for entries with missing arguments in /etc/crypttab.
    Warn if one is found. Thanks to Michael Steinfurth (closes: #388083)
  * Fix pretest for encrypted swap. Allow unencrypted swap on the source
    device. Thanks to Dennis Furey. (closes: #387158)
  * Fix posttest for encrypted swap. Don't skip if a swap filesystem is
    found on the target device. Thanks to Sam Couter. (closes: #385317)
  * Use 'set -e' and 'if [ -r ]; then ...; fi' in init script. Thanks to
    Goswin Brederlow. (closes: #390354)
  * change '... > &2' to '... >&2' in cryptdisks.functions

 -- Jonas Meurer Mon, 16 Oct 2006 19:22:41 +0200

cryptsetup (2:1.0.4~rc2-1) unstable; urgency=low

  [ Jonas Meurer ]
  * Add some more german translations to de.po.
  * Add a note to NEWS.Debian where the fix for #376393 is explained. thanks
    to Robert Bihlmeyer for the report. (closes: #379719)
  * Allow swap filesystems to be overwritten when the swap flag is set.
    thanks to Raphaël Quinet for the report. (closes: #379771)
  * Update to upstream 1.0.4-rc2. (closes: #378422, #379726, closes: #379723)
  * removed patches 03-05, merged upstream.
  * [01_terminal_output.dpatch] updated for new upstream.
  * [02_docs_tries.dpatch] updated for new upstream, to fix luksDelKey
    documentation and to give more information about the keysize.
    (closes: #379084)

  [ David Härdeman ]
  * Make sure that README.initramfs is included in the package
    (closes #380048)
  * Replace panic calls in cryptsetup script with exit 1 to match the
    behaviour of other scripts.
    The regular initramfs script will panic later when root isn't detected
    anyway
  * Make all four fields in crypttab mandatory (closes: #370180, #376941)
  * Add UTF8 keyboard input support to initramfs image (closes: #379737)
  * Add a keyscript option (closes: #370302, #375913)
  * [03_fix_build_error.dpatch] patch po/Makefile with more recent gettext
    implementation.

 -- Jonas Meurer Mon, 4 Sep 2006 03:55:35 +0200

cryptsetup (2:1.0.3-3ubuntu3) edgy; urgency=low

  * Always output and read from the console. Ubuntu: #58794.

 -- Scott James Remnant Thu, 21 Sep 2006 03:05:18 +0100

cryptsetup (2:1.0.3-3ubuntu2) edgy; urgency=low

  * Load the dm-crypt module on startup. Ubuntu: #53475.

 -- Scott James Remnant Wed, 23 Aug 2006 11:53:49 +0200

cryptsetup (2:1.0.3-3ubuntu1) edgy; urgency=low

  * Sync with Debian: Remaining Ubuntu Changes
    + debian/cryptdisks.functions:
      - Tell usplash to quit if we ask for a passphrase

 -- Sebastian Dröge Tue, 11 Jul 2006 20:03:27 +0200

cryptsetup (2:1.0.3-3) unstable; urgency=low

  [ Jonas Meurer ]
  * revert the change that for swap devices the vol_id check is run by
    default. if the swap partition is encrypted with a random key, the check
    will always fail. thanks to Mika Bostrom
    (closes: #371135, #371160, #377434)
  * fix the vol_id checkscript to do what it's expected to do.
  * add the un_vol_id checkscript, which does the reverse of vol_id.
  * use 'check=un_vol_id, checkargs=swap' for swap devices per default.
  * added do_close function to cryptdisks.functions, as do_swap needs to use
    it. up to now, 'cryptsetup remove' was invoked regardless whether the
    device contains a LUKS partition or not. this is fixed now too.
  * allow custom check scripts. check only if $CHECK exists in
    /lib/cryptsetup/checks/ and use the given value as full path otherwise.
  * make precheck for no_luks mandatory, fail if any known filesystem is
    found.
  * update crypttab manpage to reflect the checksystem changes. added an own
    section for check scripts. update the CheckSystem documentation.
  * update and simplify the gen-ssl-key script, thanks to Markus Nass
  * move gen-ssl-key, decrypt_ssl and luksformat to debian/scripts in the
    source.
  * add new directory /lib/cryptsetup/scripts/ for key decryption scripts
    like decrypt_ssl and decrypt_gpg.
  * add 05_fix_pointer_and_int_comparison.dpatch, fixes compiler warnings
    on 64bit architectures. Thanks to David Härdeman for the patch.
  * revert the order of do_start and do_stop at 'cryptdisks restart'. thanks
    to Hans Peter Wiedau for pointing out that silly typo. (closes: #377591)

  [ David Härdeman ]
  * Support root-on-crypto-on-lvm in the initramfs scripts without having
    to change the root variable (closes: #371846)
  * If possible, load correct keymap in the initramfs image before any
    password prompts (closes: #376393)

 -- Jonas Meurer Mon, 10 Jul 2006 20:01:02 +0200

cryptsetup (2:1.0.3-2) unstable; urgency=low

  [ David Härdeman ]
  * Add patch by Arjan Oosting (closes: #369575)
  * add new check 'vol_id', which uses /lib/udev/vol_id from udev and
    supports checks for any known filesystem type. implement a new option
    checkargs in cryptdisks for that. suggest udev. closes one half of
    #370302. thanks to Markus Nass and David Härdeman for the suggestion.
  * always check for a swap partition before running mkswap
  * updated README.Debian, Checksystem.Doc and crypttab.5.txt accordingly.
  * drop usage of strings from swap check, as it is in /usr/bin. thanks to
    Markus Nass.

 -- Jonas Meurer Mon, 5 Jun 2006 18:27:07 +0200

cryptsetup (2:1.0.3-1) unstable; urgency=low

  [ Jonas Meurer ]
  * new upstream release, 1.0.3 final
    - Add alignPayload patch by Peter Palfrader (closes: #358388)
    - meaningful exitcodes and password retrying by Johannes Weißl
      (closes: #359277)
  * add 01_terminal_timeout.dpatch from Andres Salomon.
    - gets rid of getpass(), which is obsolete according to manpage
    - restores the terminal state before doing the timeout (closes: #364153)
  * add 02_docs_tries.dpatch, to describe --tries in the cryptsetup manpage.
  * add 03_stdin_input.dpatch from David Härdeman, fixes input from stdin,
    accepts input with more than 32 characters (closes: #364529, #365333)
  * add 04_status_exit_codes.dpatch from David Härdeman, fixes the exit
    codes of 'cryptsetup status'
  * provide a cryptsetup-udeb package (closes: #358422)
  * remove debian/luksformat.8 in clean target (closes: #358386)
  * fix update-rc.d arguments to start cryptdisks in rc0 and rc6. it is not
    really started [but stopped], but still the links need to be named
    S48cryptdisks. otherwise it will be invoked before umountfs.
  * add initramfs cryptroot functionality, thanks to David Härdeman for the
    patch (closes: #358452)
  * rename /lib/cryptsetup/init_functions to cryptdisks.functions
  * move most of /etc/init.d/cryptdisks to cryptdisks.functions.
    /etc/init.d/cryptdisks now does not much more than importing
    cryptdisks.functions. required for running two separate cryptdisks
    initscripts.
  * split the cryptdisks initscript into cryptdisks-early and cryptdisks.
    actually both scripts do the same except having slightly different
    output. the early script is run before lvm/evms/... are started, and
    the other one after they are started. (closes: #363007)
  * add support for mount to cryptdisks. this makes it possible to use
    keyfiles from removable media. see the crypttab.5 manpage for more
    information.
  * use upstream cryptsetup tries option instead of the shell code in
    cryptdisks. rename cryptdisks 'retry' option to 'tries'.
  * document the fact, that the default settings in /etc/default/cryptdisks
    take only effect if the relevant option is set without a value in
    crypttab. add the environment section to crypttab.5.txt
    (closes: #364203)
  * update the TODO list.
  * update cryptdisks.default
  * run do_swap and do_tmp.
    Thanks to Riku Voipio (closes: #365633)
  * bump Standards-Version to 3.7.2.0, no changes needed

  [ David Härdeman ]
  * add lvm capabilities to initramfs scripts (closes: #362564)
  * add cryptsetup.postinst which executes update-initramfs when cryptsetup
    is first installed (not on upgrades)

 -- Jonas Meurer Sat, 13 May 2006 19:45:08 +0200

cryptsetup (2:1.0.2+1.0.3-rc3-1) unstable; urgency=low

  [ Jonas Meurer ]
  * new upstream release candidate:
    - fixes sector size of the temporary mapping (closes: #355156)
    - more verbose error logging (closes: #353755, #356288, #258376)
    - upstream accepted my patches to the manpage
  * fixed spelling error in README.Debian
  * removed debian/cryptsetup.sgml, outdated
  * ran ispell against doc files in debian/, fixed many typos
  * change /usr/share/cryptsetup to /lib/cryptsetup in crypttab.5.txt
    (closes: #354910)
  * add --build (and maybe even --host) to configure flags, for
    cross-compiling
  * remove debian/luksformat.8 in clean target
  * fix bashism in cryptdisks. thanks to Michal Politowski
    (closes: #356484)
  * add support for openssl encrypted keys, based on a patch by General
    Stone (closes: #350615)
  * add some code to support gnupg encrypted keys, some parts are missing.
 -- Jonas Meurer Fri, 17 Mar 2006 00:42:41 +0100

cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low

  [ Jonas Meurer ]
  * new upstream version 1.0.3-rc2, fixing issues with devmapper
  * new upstream version 1.0.3-rc1, doesn't use essiv per default
  * new upstream version (1.0.2) released
    - add --timeout option for interactive usage
    - add --batch-mode option to suppress input verifications
  * install local cryptsetup.8 copy instead of the upstream manpage
    - mention --readonly as possible option to luksOpen (closes: #353753)
    - mention --batch-mode, --timeout, --version
    - transform remaining option hyphens from '-' to '\-'
  * merged ubuntu patches:
    - modify cryptdisks init script to use lsb functions
    - add luksformat and a manpage
  * removed postinst and postrm, empty scripts
  * added a README.Debian and a TODO
  * added a NEWS file for Debian, and explain both the upstream transition
    from plain cryptsetup to cryptsetup-luks, and the check options for
    crypttab.
  * install manpages using dh_installman, not with install
  * updated CryptoRoot.HowTo, mention /etc/mkinitrd/modules and different
    linux-image versions. (closes: #344867)
  * removed needless debian/hack
  * added debian/watch
  * bumped debhelper compat level to 5, add versioned depends on debhelper
    (>> 5.0.0)
  * update debian/cryptsetup.8 to mention batch-mode and timeout
  * updated cryptdisks
    - modify init script to use lsb functions, at least where possible
    - updated comments for cryptdisks.default
    - moved option parsing and setup of loopback devices to separate
      functions. added a new include file /lib/cryptsetup/init_functions
      with functions parse_opts, lo_setup, check_key, do_luks, do_noluks,
      do_swap, do_tmp
    - always check for the source device exists before running cryptsetup
    - hardcode precheck for LUKS to use 'cryptsetup isLuks'. this is much
      safer than allowing other random prechecks, as it manifests that the
      source device actually is a LUKS partition.
    - don't remove the LUKS device when postcheck fails, as the supplied
      password/key is correct anyway.
    - use the new 'timeout' commandline option of cryptsetup instead of an
      external wrapper
    - be silent for not existing devices per default. Implement the loud
      option for crypttab to warn if a device does not exist.
    - remerge postchecks and prechecks into checks.
    - don't disable swap & luks combination, instead disable luks with
      /dev/random, /dev/urandom or /dev/hwrandom as key.
    - run parse_opts before check_key, to know whether we use luks or not

  [ Michael Gebetsroither ]
  * converted crypttab.sgml to asciidoc
  * added dependencies for asciidoc to manpage conversion
  * added developer documentation for a robust checksystem into cryptdisks

 -- Jonas Meurer Sun, 26 Feb 2006 20:04:49 +0100

cryptsetup (2:1.0.1-16) unstable; urgency=low

  [ Jonas Meurer ]
  * already fixed in 2:1.0.1-14: binaries xor and delay from
    usbcrypto.mkinitrd don't exist in debian. replaced with a perl script
    and /bin/sleep. thanks to wesley terpstra for the help. (closes: #324353)
  * clean cryptdisks from bashisms (closes: #350360)
  * check for /usr/bin/timeout before using it in cryptdisks. First, it's
    only available when /usr is mounted, and that is not definitive when
    cryptdisks is run at boot time. Second, timeout is a non-essential
    debian package, and not necessarily installed. The usage of
    /usr/bin/timeout in any case is only a temporary workaround.
  * move /usr/share/cryptsetup to /lib/cryptsetup, as the checks need to be
    available at boot time, before local filesystems (like i.e. /usr) are
    mounted.
  * replace RETRY=`expr $RETRY - 1` with RETRY=$(($RETRY-1)), as expr is in
    /usr/bin.
  * install init.d script and default file with dh_installinit
    (closes: #350548)
  * don't build-depend on cvs

 -- Jonas Meurer Mon, 30 Jan 2006 17:54:50 +0100

cryptsetup (2:1.0.1-15) unstable; urgency=low

  [ Jonas Meurer ]
  * rebuilt with -sa, to include the sources into upload

 -- Jonas Meurer Fri, 27 Jan 2006 18:18:46 +0100

cryptsetup (2:1.0.1-14) unstable; urgency=low

  [ Jonas Meurer ]
  * added a configurable timeout option for interactive password prompt.
    set the default timeout to 180 seconds in /etc/default/cryptdisks, and
    documented the crypttab option in the crypttab manpage. (closes: #328961)
  * fixed the default "precheck" and "postcheck" options, currently no
    useful precheck exists, so no default here.
  * removed the dummy cryptsetup-luks package, ftpmaster complains about it.

  [ Michael Gebetsroither ]
  * make small fixes to CryptoSwap.HowTo
  * added postcheck for swap (closes: #342079)

 -- Jonas Meurer Fri, 27 Jan 2006 12:59:10 +0100

cryptsetup (2:1.0.1-13) unstable; urgency=low

  * split the "check" in a "precheck" and a "postcheck" option
    - adds the possibility to check the source device before creating the
      decrypted target device, useful for things like swap.

 -- Jonas Meurer Sun, 22 Jan 2006 21:24:06 +0100

cryptsetup (2:1.0.1-12) unstable; urgency=low

  * correctly parse options in cryptdisks (closes: #304399)
  * remove the moduledir /usr/lib/cryptsetup from the deb, it's empty anyway
    (closes: #334648)
  * replace /usr/local/bin/delay with /bin/sleep in usbcrypto.mkinitrd
  * cosmetical changes to /etc/crypttab
  * add "check" and "retry" options to cryptdisks script, thanks to
    A Mennucc.
    (closes: #290626)

 -- Jonas Meurer Sun, 22 Jan 2006 19:46:18 +0100

cryptsetup (2:1.0.1-11) unstable; urgency=low

  * include sources although the debian revision is not -1

 -- Jonas Meurer Sun, 22 Jan 2006 16:35:12 +0100

cryptsetup (2:1.0.1-10) unstable; urgency=low

  * introduce an epoch to make upgrade happen

 -- Jonas Meurer Sun, 22 Jan 2006 09:02:47 +0100

cryptsetup (1.0.1-9) unstable; urgency=low

  * rename the package to cryptsetup, provide a dummy cryptsetup-luks package
  * initial upload to debian

 -- Jonas Meurer Sun, 22 Jan 2006 08:06:25 +0100

cryptsetup-luks (1.0.1-8) unstable; urgency=low

  * use upstream tarball as orig.tar.gz and keep debian changes in diff.gz
  * change to use dpatch
  * adjust build environment to work with upstream sources, and without
    autogen.sh
  * merge fixes for debian scripts from cryptsetup.
  * keep cryptsetup manpage untouched, as merging cryptsetup and
    cryptsetup-luks manpages is rather complex.
  * set mandir to /usr/share/man for configure
  * add a lintian-override file

 -- Jonas Meurer Sun, 22 Jan 2006 06:48:30 +0100

cryptsetup-luks (1.0.1-7) unstable; urgency=high

  * make cryptsetup create work again (patch for lib/libdevmapper.c)

 -- Michael Gebetsroither Sat, 21 Jan 2006 14:39:36 +0100

cryptsetup-luks (1.0.1-6) unstable; urgency=low

  * recompile for new libdevmapper

 -- Michael Gebetsroither Tue, 10 Jan 2006 15:10:17 +0100

cryptsetup-luks (1.0.1-5) unstable; urgency=low

  * improved documentation for /etc/crypttab

 -- Michael Gebetsroither Mon, 7 Nov 2005 17:05:20 +0100

cryptsetup-luks (1.0.1-4) unstable; urgency=low

  * added luks option for /etc/crypttab (thx to Fabian Thorns for the
    initial patch)

 -- Michael Gebetsroither Thu, 3 Nov 2005 19:22:59 +0100

cryptsetup-luks (1.0.1-3) unstable; urgency=low

  * completely switched to luks upstream

 -- Michael Gebetsroither Thu, 11 Aug 2005 22:14:16 +0200

cryptsetup-luks (1.0.1-2) unstable; urgency=low

  * fixed build dependencies

 -- Michael Gebetsroither Mon, 20 Jun 2005 22:30:38 +0200

cryptsetup-luks (1.0.1-1) unstable; urgency=low

  * synced with luks upstream

 -- Michael Gebetsroither Mon, 20 Jun 2005 16:22:53 +0200

cryptsetup-luks (1.0-5) unstable; urgency=low

  * fixed a small typo in the manpage

 -- Michael Gebetsroither Sat, 23 Apr 2005 11:06:31 +0200

cryptsetup-luks (1.0-4) unstable; urgency=low

  * cleaned source-tree for submitting a wishlist report into debian BTS

 -- Michael Gebetsroither Tue, 19 Apr 2005 18:44:13 +0200

cryptsetup-luks (1.0-3) unstable; urgency=low

  * updated dependencies (libdevmapper1.00 => libdevmapper1.01)

 -- Michael Gebetsroither Tue, 19 Apr 2005 13:51:10 +0200

cryptsetup-luks (1.0-2) unstable; urgency=low

  * replaced original debian cryptsetup manpage with manpage from
    cryptsetup-luks

 -- Michael Gebetsroither Sun, 3 Apr 2005 13:33:55 +0200

cryptsetup-luks (1.0-1) unstable; urgency=low

  * new upstream release

 -- Michael Gebetsroither Sat, 2 Apr 2005 23:29:43 +0200

cryptsetup-luks (0.993-3) unstable; urgency=low

  * fixed dependencies

 -- Michael Gebetsroither Sun, 13 Feb 2005 01:28:11 +0100

cryptsetup-luks (0.993-2) unstable; urgency=low

  * fixed a few source problems
  * fixed post/pre install scripts

 -- Michael Gebetsroither Sat, 12 Feb 2005 16:18:07 +0100

cryptsetup-luks (0.993-1) unstable; urgency=low

  * synced with luks upstream

 -- Michael Gebetsroither Sat, 12 Feb 2005 15:50:21 +0100

cryptsetup-luks (0.992-5) unstable; urgency=low

  * fixed a few problems in the debian source package

 -- Michael Gebetsroither Sat, 12 Feb 2005 04:22:30 +0100

cryptsetup-luks (0.992-4) unstable; urgency=low

  * debianized the package
  * cleaned up build system

 -- Michael Gebetsroither Sat, 12 Feb 2005 00:12:43 +0100

cryptsetup-luks (0.992-3) unstable; urgency=low

  * Fixed typo

 -- Michael Gebetsroither Fri, 11 Feb 2005 18:38:42 +0100

cryptsetup-luks (0.992-2) unstable; urgency=low

  * Added note within description

 -- Michael Gebetsroither Fri, 11 Feb 2005 18:21:03 +0100

cryptsetup-luks (0.992-1) unstable; urgency=low

  * "integrated LUKS" support (very messy hack)

 -- Michael Gebetsroither Thu, 10 Feb 2005 18:16:21 +0100

debian/cryptdisks.upstart

# cryptdisks - enable encrypted block devices
#
# Sweep up any devices in /etc/crypttab that have not yet been started at
# the end of udev coldplugging; this partly duplicates the cryptdisks-udev
# job, but is necessary because:
# - some devices may not be registered as ID_FS_USAGE=crypto by udev (e.g.,
#   random-encrypted devices), but we don't want to call the upstart job
#   for every single block device
# - some devices can only be decrypted after other devices are decrypted and
#   mounted first, so we need a two-pass system (like
#   /etc/init.d/cryptdisks{,-early} previously)
#
# This job currently still does not guarantee a race-free startup; instances
# of cryptdisks-udev may be started in parallel with this job.

description "enable remaining boot-time encrypted block devices"

start on stopped udevtrigger or container

# Currently stopping is a no-op, so we can stop this anywhere during the
# shutdown sequence. We let the cryptdisks-early init script take care of
# device teardown instead; it happens that the distinction between the
# 'cryptdisks' and 'cryptdisks-early' jobs is irrelevant on shutdown because
# the only sequencing difference is lvm2, which has no init script that's
# called on shutdown.
stop on unmounted-remote-filesystems

task

pre-start script
    if [ -r /lib/cryptsetup/cryptdisks.functions ]; then
        .
/lib/cryptsetup/cryptdisks.functions else exit 0 fi case "$CRYPTDISKS_ENABLE" in [Nn]*) exit 1 ;; esac INITSTATE="init" do_start end script debian/cryptsetup.lintian-overrides0000644000000000000000000000026412234756536015007 0ustar cryptsetup: init.d-script-possible-missing-stop etc/init.d/cryptdisks 1 cryptsetup: init.d-script-possible-missing-stop etc/init.d/cryptdisks-early 1 cryptsetup: no-debconf-config debian/cryptsetup.dirs0000644000000000000000000000050212234756536012305 0ustar /etc/bash_completion.d /etc/default /etc/init.d /lib/cryptsetup/checks /lib/cryptsetup/scripts /sbin /usr/share/bug /usr/share/initramfs-tools/hooks /usr/share/initramfs-tools/scripts/local-top /usr/share/initramfs-tools/scripts/local-bottom /usr/share/initramfs-tools/conf-hooks.d /usr/share/man/man5 /usr/share/man/man8 debian/control0000644000000000000000000001064112234756536010610 0ustar Source: cryptsetup Section: admin Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian Cryptsetup Team Uploaders: Jonas Meurer Build-Depends: libgcrypt11-dev (>= 1.4.6-3), libdevmapper-dev (>= 2:1.02.24-4), libpopt-dev, uuid-dev, libselinux1-dev, libsepol1-dev, libtool (>= 2.2), autoconf, automake, pkg-config, autopoint, gettext, debhelper (>= 9.20120410~), xsltproc, docbook-xml, docbook-xsl (>= 1.74.3+dfsg), dpkg-dev (>= 1.15.1), po-debconf Standards-Version: 3.9.3 Homepage: http://code.google.com/p/cryptsetup/ X-Debian-Vcs-Browser: http://svn.debian.org/wsvn/pkg-cryptsetup/cryptsetup/trunk X-Debian-Vcs-Svn: svn://svn.debian.org/svn/pkg-cryptsetup/cryptsetup/trunk Vcs-Bzr: https://code.launchpad.net/~ubuntu-core-dev/cryptsetup/ubuntu Package: cryptsetup Architecture: linux-any Depends: ${shlibs:Depends}, ${misc:Depends}, dmsetup, initramfs-tools (>= 0.91) | linux-initramfs-tool, plymouth, cryptsetup-bin Recommends: kbd, console-setup, busybox-static | busybox Suggests: dosfstools, liblocale-gettext-perl Provides: cryptsetup-luks Conflicts: cryptsetup-luks Replaces: 
cryptsetup-luks, hashalot (<< 0.3-2) Breaks: hashalot (<< 0.3-2) Description: disk encryption support - startup scripts Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support. . Cryptsetup is backwards compatible with the on-disk format of cryptoloop, but also supports more secure formats. This package includes support for automatically configuring encrypted devices at boot time via the config file /etc/crypttab. Additional features are cryptoroot support through initramfs-tools and several supported ways to read a passphrase or key. Package: cryptsetup-bin Architecture: linux-any Depends: ${shlibs:Depends}, ${misc:Depends} Breaks: cryptsetup (<< 2:1.4.1-2ubuntu2~) Replaces: cryptsetup (<< 2:1.4.1-2ubuntu2~) Description: disk encryption support - command line tools Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support. . This package provides cryptsetup, cryptsetup-reencrypt and luksformat. Package: libcryptsetup4 Section: libs Architecture: linux-any Depends: ${shlibs:Depends}, ${misc:Depends}, libgpg-error0 (>= 1.10-0.1), libgcrypt11 (>= 1.4.6-2) Description: disk encryption support - shared library Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support. . This package provides the libcryptsetup shared library. 
Package: libcryptsetup-dev Section: libdevel Architecture: linux-any Depends: ${misc:Depends}, libcryptsetup4 (= ${binary:Version}) Description: disk encryption support - development files Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support. . This package provides the libcryptsetup development files. Package: cryptsetup-udeb Section: debian-installer Package-Type: udeb Architecture: linux-any Depends: ${shlibs:Depends}, ${misc:Depends}, dmsetup-udeb Description: disk encryption support - commandline tools (udeb) Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support. . This udeb package provides cryptsetup for the Debian Installer. Package: libcryptsetup4-udeb Section: debian-installer Package-Type: udeb Architecture: linux-any Depends: ${shlibs:Depends}, ${misc:Depends} Description: disk encryption support - shared library (udeb) Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support. . This udeb package provides libcryptsetup for the Debian Installer. 
==> debian/cryptsetup.reportbug-script <==
#!/bin/sh

exec >&3

echo "-- /proc/cmdline"
cat /proc/cmdline
echo

if [ -r /etc/crypttab ]; then
    echo "-- /etc/crypttab"
    cat /etc/crypttab
    echo
fi

if [ -r /etc/fstab ]; then
    echo "-- /etc/fstab"
    cat /etc/fstab
    echo
fi

echo "-- lsmod"
lsmod
echo

==> debian/askpass.c <==
/*
 * askpass.c - prompts a user for a passphrase using any suitable method
 *             and prints the result to stdout.
 *
 * Copyright (C) 2008 David Härdeman
 *
 * This package is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This package is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this package; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
 */

#define _GNU_SOURCE
#define _BSD_SOURCE
#define _POSIX_C_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <stdarg.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <signal.h>
#include <termios.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/uio.h>
#include <sys/select.h>
#include <sys/klog.h>

#define DEBUG 0
#define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0]))

static bool disable_method(const char *method);

/*****************************************************************************
 * Utility functions                                                         *
 *****************************************************************************/
static void
debug(const char *fmt, ...)
{
        va_list ap;
        static bool first = true;
        static FILE *dbgfile;

        if (!DEBUG)
                return;

        if (first) {
                first = false;
                dbgfile = fopen("/tmp/askpass.debug", "a");
        }

        if (!dbgfile)
                return;

        va_start(ap, fmt);
        vfprintf(dbgfile, fmt, ap);
        va_end(ap);
}

static void
usage(const char *arg0, const char *errmsg)
{
        if (errmsg)
                fprintf(stderr, "Error: %s\nUsage: %s PROMPT\n", errmsg, arg0);
        else
                fprintf(stderr, "Usage: %s PROMPT\n", arg0);
        exit(EXIT_FAILURE);
}

/* Close the method's fd and wipe the passphrase buffer before freeing it. */
static void
fifo_common_finish(int fd, char **buf, size_t *used, size_t *size)
{
        if (fd >= 0)
                close(fd);

        if (!*buf)
                return;

        memset(*buf, '\0', *size);
        free(*buf);
        *buf = NULL;
        *used = 0;
        *size = 0;
}

static bool
fifo_common_read(int fd, char **buf, size_t *used, size_t *size)
{
        ssize_t result;
        char *newbuf;

again:
        if ((*size - *used) == 0) {
                /* Grow in 4 KiB steps; keep the old buffer if realloc fails so
                 * that fifo_common_finish can still wipe and free it. */
                newbuf = realloc(*buf, *size + 4096);
                if (!newbuf) {
                        debug("Failed to allocate memory for passphrase\n");
                        return false;
                }
                *buf = newbuf;
                *size += 4096;
        }

reread:
        result = read(fd, *buf + *used, *size - *used);

        if (result < 0) {
                if (errno == EAGAIN)
                        return false;
                if (errno == EINTR)
                        goto reread;
                debug("Error when reading from fifo\n");
                return false;
        }

        debug("Read %i bytes from fifo\n", (int)result);
        *used += result;

        if (result == 0)
                return true;

        goto again;
}

/*****************************************************************************
 * splashy functions                                                         *
 *****************************************************************************/
/* It might be better style to just do a popen of splashy_update ? */

#define SPLASHY_SOCK "\0/splashy"
static size_t splashyused = 0;
static size_t splashysize = 0;
static char *splashybuf = NULL;

static int
splashy_prepare(const char *prompt)
{
        int fd;
        struct sockaddr addr = {AF_UNIX, SPLASHY_SOCK};
        struct iovec iov[2];

        if ((fd = socket (PF_UNIX, SOCK_STREAM, 0)) == -1) {
                return -1;
        }

        if (connect (fd, &addr, sizeof addr) == -1) {
                close (fd);
                return -1;
        }

        iov[0].iov_base = "getpass ";
        iov[0].iov_len = strlen ("getpass ");
        iov[1].iov_base = (char *)prompt;
        iov[1].iov_len = strlen (prompt) + 1;

        if (writev (fd, iov, 2) == -1) {
                close (fd);
                return -1;
        }

        /* Shutdown write? */

        return fd;
}

static bool
splashy_read(int fd, char **buf, size_t *size)
{
        debug("In splashy_read\n");
        if (fifo_common_read(fd, &splashybuf, &splashyused, &splashysize)) {
                *buf = splashybuf;
                *size = splashyused;
                return true;
        }
        return false;
}

static void
splashy_finish(int fd)
{
        fifo_common_finish (fd, &splashybuf, &splashyused, &splashysize);
}

/*****************************************************************************
 * fifo functions                                                            *
 *****************************************************************************/
#define FIFO_PATH "/lib/cryptsetup/passfifo"
static size_t fifoused = 0;
static size_t fifosize = 0;
static char *fifobuf = NULL;

static void
fifo_finish(int fd)
{
        fifo_common_finish(fd, &fifobuf, &fifoused, &fifosize);
}

static bool
fifo_read(int fd, char **buf, size_t *size)
{
        debug("In fifo_read\n");
        if (fifo_common_read(fd, &fifobuf, &fifoused, &fifosize)) {
                *buf = fifobuf;
                *size = fifoused;
                return true;
        }
        return false;
}

static int
fifo_prepare(const char *prompt)
{
        int ret;

        /* 0600: only root may feed a passphrase into the fifo */
        ret = mkfifo(FIFO_PATH, 0600);
        if (ret && errno != EEXIST)
                return -1;

        return open(FIFO_PATH, O_RDONLY | O_NONBLOCK);
}

/*****************************************************************************
 * console functions                                                         *
 *****************************************************************************/
#define CONSOLE_PATH "/dev/console"
static struct termios term_old;
static bool term_set = false;
static char *consolebuf = NULL;
static size_t consolebuflen = 0;

static void
console_finish(int fd)
{
        if (consolebuf) {
                memset(consolebuf, '\0', consolebuflen);
                free(consolebuf);
                consolebuf = NULL;
                consolebuflen = 0;
        }

        if (!term_set || fd < 0)
                return;

        term_set = false;
        tcsetattr(fd, TCSAFLUSH, &term_old);
        fprintf(stderr, "\n");
        /* Re-enable printk to console */
        klogctl(7, NULL, 0);
}

bool
console_read(int fd, char **buf, size_t *size)
{
        ssize_t nread;

        /* Console is in ICANON mode so we'll get entire lines */
        nread = getline(&consolebuf, &consolebuflen, stdin);
        if (nread < 0)
                return false;

        /* Strip trailing newline, if any */
        if (nread > 0 && consolebuf[nread - 1] == '\n') {
                nread--;
                consolebuf[nread] = '\0';
        }

        *size = nread;
        *buf = consolebuf;

        return true;
}

static int
console_prepare(const char *prompt)
{
        struct termios term_new;
        const char *prompt_ptr = prompt;
        char *newline = NULL;

        if (!isatty(STDIN_FILENO)) {
                if (access(CONSOLE_PATH, R_OK | W_OK)) {
                        debug("No access to console device " CONSOLE_PATH "\n");
                        return -1;
                }

                if (!freopen(CONSOLE_PATH, "r", stdin) ||
                    !freopen(CONSOLE_PATH, "a", stdout) ||
                    !freopen(CONSOLE_PATH, "a", stderr) ||
                    !isatty(STDIN_FILENO)) {
                        debug("Failed to open console\n");
                        return -1;
                }
        }

        if (tcgetattr(STDIN_FILENO, &term_old)) {
                debug("Failed to get terminal settings\n");
                return -1;
        }

        term_new = term_old;
        term_new.c_lflag &= ~ECHO;
        term_new.c_lflag |= ICANON;

        if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_new)) {
                debug("Failed to disable echoing\n");
                return -1;
        }

        /* handle any non-literal embedded newlines in prompt */
        while ( (newline = strstr(prompt_ptr,"\\n")) != NULL ) {
                /* Calculate length of string leading up to newline. */
                int line_len = newline - prompt_ptr;

                /* Force trimming of prompt to location of newline. */
                if (fwrite(prompt_ptr, line_len, 1, stderr) < 1 ||
                    fwrite("\n", 1, 1, stderr) < 1) {
                        debug("Failed to print prompt\n");
                        tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old);
                        return -1;
                }

                /* Skip over newline. */
                prompt_ptr = newline + 2;
        }

        if (fputs(prompt_ptr, stderr) < 0) {
                debug("Failed to print prompt\n");
                tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old);
                return -1;
        }

        /* Disable printk to console */
        klogctl(6, NULL, 0);
        term_set = true;
        return STDIN_FILENO;
}

/*****************************************************************************
 * main functions                                                            *
 *****************************************************************************/
struct method {
        const char *name;
        int (*prepare)(const char *prompt);
        bool (*read)(int fd, char **buf, size_t *size);
        void (*finish)(int fd);
        bool active;
        bool enabled;
        int fd;
};

static struct method methods[] = {
        { "splashy", splashy_prepare, splashy_read, splashy_finish, false, true, -1 },
        { "fifo", fifo_prepare, fifo_read, fifo_finish, false, true, -1 },
        { "console", console_prepare, console_read, console_finish, false, true, -1 }
};

static bool
disable_method(const char *method)
{
        int i;
        bool result = false;

        debug("Disabling method %s\n", method ? method : "ALL");

        for (i = 0; i < ARRAY_SIZE(methods); i++) {
                /* A NULL method means all methods should be disabled */
                if (method && strcmp(methods[i].name, method))
                        continue;

                if (!methods[i].enabled)
                        continue;

                if (methods[i].active)
                        methods[i].finish(methods[i].fd);

                methods[i].active = false;
                methods[i].fd = -1;
                methods[i].enabled = false;
                result = true;
        }

        return result;
}

int
main(int argc, char **argv, char **envp)
{
        char *pass = NULL;
        size_t passlen = 0;
        int i;
        int nfds;
        fd_set fds;
        int ret;
        bool done = false;
        sigset_t sigset;

        if (argc != 2)
                usage(argv[0], "incorrect number of arguments");

        /* Block all signals so the terminal state cannot be left with ECHO
         * disabled by an interrupted prompt. */
        sigfillset(&sigset);
        sigprocmask(SIG_BLOCK, &sigset, NULL);

        for (i = 0; i < ARRAY_SIZE(methods); i++) {
                if (!methods[i].enabled)
                        continue;
                debug("Enabling method %s\n", methods[i].name);
                methods[i].fd = methods[i].prepare(argv[1]);
                if (methods[i].fd < 0)
                        methods[i].active = false;
                else
                        methods[i].active = true;
        }

        while (!done) {
                nfds = 0;
                FD_ZERO(&fds);
                for (i = 0; i < ARRAY_SIZE(methods); i++) {
                        if (!methods[i].enabled || methods[i].fd < 0)
                                continue;
                        debug("method %i has fd %i and name %s\n", i,
                              methods[i].fd, methods[i].name);
                        FD_SET(methods[i].fd, &fds);
                        if (methods[i].fd + 1 > nfds)
                                nfds = methods[i].fd + 1;
                }

                if (nfds == 0) {
                        debug("All methods disabled\n");
                        exit(EXIT_FAILURE);
                }

                debug("Starting select with nfds %i\n", nfds);
                ret = select(nfds, &fds, NULL, NULL, NULL);
                if (ret <= 0) {
                        if (ret == 0 || errno == EINTR)
                                continue;
                        debug("Select failed\n");
                        disable_method(NULL);
                        exit(EXIT_FAILURE);
                }

                for (i = 0; i < ARRAY_SIZE(methods); i++) {
                        if (!methods[i].enabled || methods[i].fd < 0)
                                continue;

                        if (!FD_ISSET(methods[i].fd, &fds))
                                continue;

                        if (methods[i].read(methods[i].fd, &pass, &passlen) && pass) {
                                done = true;
                                break;
                        }
                }
        }

        debug("Writing %i bytes to stdout\n", (int)passlen);
        if (write(STDOUT_FILENO, pass, passlen) == -1) {
                disable_method(NULL);
                exit(EXIT_FAILURE);
        }

        exit(EXIT_SUCCESS);
}

==> debian/README.keyctl <==
decrypt_keyctl
==============

A passphrase caching script to be used in /etc/crypttab on Debian and Ubuntu.

When there are multiple cryptsetup (either plain or LUKS) volumes with the
same passphrase, it is an unnecessary task to input the passphrase more than
once. Just add this script as keyscript to your /etc/crypttab and it will
cache the passphrase of all crypttab entries with the same identifier.

Either copy decrypt_keyctl into the default search path for keyscripts of
cryptsetup, /lib/cryptdisks/scripts/, so that you can just write
keyscript=decrypt_keyctl in /etc/crypttab, or place it at a path of your
choice and give the full path, e.g. keyscript=/sbin/decrypt_keyctl.

Requirements
------------

- Debian cryptsetup package with /etc/crypttab handling and keyscript option
- Tested with Debian Lenny, Squeeze and Sid
- Installed and working keyutils package (keyctl)
- Needs CONFIG_KEYS=y in your kernel configuration

What For?
---------

The current state for dm-crypt in Linux is that it is single threaded, thus
every dm-crypt mapping only uses a single core for crypto operations. To use
the full power of your many-core processor it is thus necessary to split the
dm-crypt device. For Linux software raid arrays the easiest segmentation is
to just put the dm-crypt layer below the software raid layer. But with a
5 disk raid5 it is a rather daunting task to input the passphrase five times.
This is what this keyscript solves for you.

Usage
-----

Best shown by example:
- 5 disks
- Linux software raid5

Layer:
  sda           sdb  sdc ...   sde
+-----------+              +-----------+
| LUKS      |              | LUKS      |
| +-------+ |              | +-------+ |
| | RAID5 | |              | | RAID5 | |
| | ...   | |              | | ...   | |

Crypttab Entries:
sda_crypt /dev/sda2 main_data_raid luks,keyscript=decrypt_keyctl
sdb_crypt /dev/sdb2 main_data_raid luks,keyscript=decrypt_keyctl
...
sde_crypt /dev/sde2 main_data_raid luks,keyscript=decrypt_keyctl

How does it work
----------------

Crypttab Interface:
A keyscript is added to the options, together with a keyfile definition as
third parameter in the crypttab file. The keyscript is called with the keyfile
as the first and only parameter. Additionally a few environment variables are
set, but they are currently not used by this keyscript (see man 5 crypttab for
the exact description).

Keyscript:
The keyscript uses the Linux kernel keyring facility to securely cache
passphrases between multiple invocations. The keyfile parameter from crypttab
is used to find the same passphrase between multiple invocations. Currently
the cache timeout is 60 seconds and not configurable (please report a bug if
it is too low for you).

Problems
--------

- The passphrase is piped between processes and could end up in unsecured
  memory, and thus later be swapped to disk! => Use of cryptoswap is
  recommended!

Hints
-----

To remove all traces of this keyscript you may want to clean up the keyring
completely with the following command afterwards:

sudo keyctl clear @u

==> debian/cryptsetup.prerm <==
#! /bin/sh

set -e

. /usr/share/debconf/confmodule

case "$1" in
    remove)
        cryptmap="$(dmsetup table | sed -ne 's/^\([a-zA-Z0-9_-]*\): [0-9] [0-9]* crypt .*$/\1/p' | awk '{printf "%s ", $0}')"
        if [ -n "$cryptmap" ]; then
            db_fset cryptsetup/prerm_active_mappings seen false
            db_subst cryptsetup/prerm_active_mappings cryptmap "$cryptmap"
            db_input high cryptsetup/prerm_active_mappings || true
            db_go || true
            db_get cryptsetup/prerm_active_mappings
            if [ "$RET" = "false" ]; then
                exit 1
            fi
        fi
        ;;
esac

#DEBHELPER#

==> debian/cryptsetup.apport <==
'''apport package hook for cryptsetup

(c) 2009 Author: Reinhard Tartler
'''

from apport.hookutils import *

def add_info(report):
    attach_file(report, '/etc/fstab', 'fstab')
    attach_file_if_exists(report, '/etc/crypttab', 'crypttab')

==> debian/cryptsetup-bin.dirs <==
/sbin
/usr/sbin
/usr/share/locale
/usr/share/man/man8

==> debian/cryptdisks-udev.upstart <==
# cryptdisks - enable encrypted block devices

description "enable encrypted block devices"

start on block-device-added ID_FS_USAGE=crypto
instance $DEVNAME
task

script
    if [ -r /lib/cryptsetup/cryptdisks.functions ]; then
        . /lib/cryptsetup/cryptdisks.functions
    else
        exit 0
    fi

    case "$CRYPTDISKS_ENABLE" in
    [Nn]*)
        exit 1
        ;;
    esac

    INITSTATE=udev
    crypttab_start_one_disk "$DEVNAME"
end script

==> debian/initramfs/cryptopenct-hook <==
#!/bin/sh

set -e

PREREQ="cryptroot"

prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

# Hooks for loading smartcard reading software into the initramfs

# Check whether cryptroot hook has installed decrypt_openct script
if [ ! -x ${DESTDIR}/lib/cryptsetup/scripts/decrypt_openct ] ; then
    exit 0
fi

# Install cryptroot key files into initramfs
keys=$(sed 's/^\(.*,\|\)key=//; s/,.*//' ${DESTDIR}/conf/conf.d/cryptroot)
if [ "${keys}" != "none" ]
then
    if [ -z "${keys}" ] ; then
        echo $0: Missing key files in ${DESTDIR}/conf/conf.d/cryptroot >&2
        cat ${DESTDIR}/conf/conf.d/cryptroot >&2
        exit 1
    fi

    for key in ${keys} ; do
        if [ ! -d ${DESTDIR}/$(dirname ${key}) ] ; then
            mkdir -p ${DESTDIR}/$(dirname ${key})
        fi
        cp ${key} ${DESTDIR}/${key}
    done
fi

# Install directories needed by smartcard reading daemon, command, and
# key-script
for dir in etc etc/init.d etc/udev/rules.d lib/udev usr/bin usr/sbin var/run/openct tmp ; do
    if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi
done

# Install openct tools, drivers, conf file
cp /etc/openct.conf ${DESTDIR}/etc/
cp /etc/udev/rules.d/z60_openct.rules ${DESTDIR}/etc/udev/rules.d/
cp /lib/udev/openct_pcmcia ${DESTDIR}/lib/udev/
cp /lib/udev/openct_serial ${DESTDIR}/lib/udev/
cp /lib/udev/openct_usb ${DESTDIR}/lib/udev/
copy_exec /usr/bin/openct-tool
copy_exec /usr/bin/pkcs15-tool
copy_exec /usr/sbin/ifdhandler
copy_exec /usr/sbin/openct-control

==> debian/initramfs/cryptroot-conf <==
# This will setup non-us keyboards in early userspace,
# necessary for punching in passphrases.
KEYMAP=y

# force busybox on initramfs
BUSYBOX=y

# and for systems using plymouth instead, use the new option
FRAMEBUFFER=y

==> debian/initramfs/cryptopensc-hook <==
#!/bin/sh

set -e

PREREQ="cryptroot"

prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

.
/usr/share/initramfs-tools/hook-functions

# Hooks for loading smartcard reading software into the initramfs

# Check whether cryptroot hook has installed decrypt_opensc script
if [ ! -x ${DESTDIR}/lib/cryptsetup/scripts/decrypt_opensc ] ; then
    exit 0
fi

# Install cryptroot key files into initramfs
keys=$(sed 's/^\(.*,\|\)key=//; s/,.*//' ${DESTDIR}/conf/conf.d/cryptroot)
if [ "${keys}" != "none" ]; then
    if [ -z "${keys}" ]; then
        echo $0: Missing key files in ${DESTDIR}/conf/conf.d/cryptroot >&2
        cat ${DESTDIR}/conf/conf.d/cryptroot >&2
        exit 1
    fi

    for key in ${keys} ; do
        if [ ! -d ${DESTDIR}/$(dirname ${key}) ] ; then
            mkdir -p ${DESTDIR}/$(dirname ${key})
        fi
        cp ${key} ${DESTDIR}/${key}
    done
fi

# Install directories needed by smartcard reading daemon, command, and
# key-script
for dir in etc/opensc usr/lib/pcsc var/run tmp ; do
    if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi
done

# Install pcscd daemon, drivers, conf file, and include libgcc as well since
# pcscd utilizes pthread_cancel
copy_exec /usr/sbin/pcscd
cp -r /usr/lib/pcsc ${DESTDIR}/usr/lib
cp /etc/reader.conf ${DESTDIR}/etc

# Install opensc commands and conf file
copy_exec /usr/bin/opensc-tool
copy_exec /usr/bin/pkcs15-crypt
cp /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc

==> debian/initramfs/cryptopensc-script-local-top <==
#!/bin/sh

set -e

PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

. /scripts/functions

# Hook for starting smartcard reading software

if [ ! -e /sbin/pcscd ]; then
    exit 0
fi

# Start pcscd daemon normally:
# start-stop-daemon --start --quiet \
#     --pidfile /var/run/pcscd.pid \
#     --exec /sbin/pcscd

# Alternatively, start pcscd daemon in foreground so that its pretty colored
# output may be seen on the console, useful for watching error messages since
# pcscd uses syslog which is not available (use --error or --critical to filter
# out debug message clutter):
# /sbin/pcscd --error --foreground &
/sbin/pcscd --foreground &

==> debian/initramfs/cryptpassdev-hook <==
#!/bin/sh

set -e

PREREQ="cryptroot"

prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

# Hooks for adding filesystem modules to the initramfs when the passdev
# keyscript is used

# Check whether the passdev script has been included
if [ ! -x "${DESTDIR}/lib/cryptsetup/scripts/passdev" ]; then
    exit 0
fi

# The filesystem type of the removable device is probed at boot-time, so
# we add a generous list of filesystems to include. This also helps with
# recovery situations, as including e.g. the vfat module might help a user
# who needs to create a new cryptkey (using a backup of a keyfile) on
# a Windows machine, for example.
# This list needs to be kept in sync with the one defined in passdev.c
for fs in ext4 ext3 ext2 vfat btrfs reiserfs xfs jfs ntfs iso9660 udf; do
    manual_add_modules "$fs" >/dev/null 2>&1 || true
done

exit 0

==> debian/initramfs/cryptroot-hook <==
#!/bin/sh

PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

get_root_device() {
    local device mount type options dump pass

    if [ ! -r /etc/fstab ]; then
        return 1
    fi

    grep -s '^[^#]' /etc/fstab | \
    while read device mount type options dump pass; do
        if [ "$mount" = "/" ]; then
            device=$(canonical_device "$device") || return 0
            echo "$device"
            return
        fi
    done
}

get_resume_devices() {
    local device opt count dupe candidates devices
    candidates=""

    # First, get a list of potential resume devices

    # uswsusp
    if [ -e /etc/uswsusp.conf ]; then
        device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/uswsusp.conf)
        if [ -n "$device" ]; then
            candidates="$candidates $device"
        fi
    fi

    # uswsusp - again...
    if [ -e /etc/suspend.conf ]; then
        device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/suspend.conf)
        if [ -n "$device" ]; then
            candidates="$candidates $device"
        fi
    fi

    # regular swsusp
    for opt in $(cat /proc/cmdline); do
        case $opt in
        resume=*)
            device="${opt#resume=}"
            candidates="$candidates $device"
            ;;
        esac
    done

    # initramfs-tools
    if [ -e /etc/initramfs-tools/conf.d/resume ]; then
        device=$(sed -rn 's/^RESUME[[:space:]]*=[[:space:]]*// p' /etc/initramfs-tools/conf.d/resume)
        if [ -n "$device" ]; then
            candidates="$candidates $device"
        fi
    fi

    # Now check the sanity of all candidates
    devices=""
    count=0
    for device in $candidates; do
        # Remove quotes around device candidate
        device=$(echo $device | sed -e 's/^"\(.*\)"[[:space:]]*$/\1/' -e "s/^'\(.*\)'[[:space:]]*$/\1/")

        # Weed out clever defaults
        if [ "$device" = "" ]; then
            continue
        fi

        # Detect devices required by decrypt_derived
        derived="$(grep "^${device#/dev/mapper/}\b.*decrypt_derived" /etc/crypttab 2>/dev/null | awk '{print $3}')"
        if [ -n "$derived" ]; then
            if grep -q "^$derived" /etc/crypttab; then
                derived=$(canonical_device "/dev/mapper/$derived") || return 0
                if [ "$derived" != "$rootdev" ]; then
                    devices="$devices $derived"
                fi
            else
                echo "cryptsetup: WARNING: decrypt_derived device $derived not found in crypttab" >&2
            fi
        fi

        device=$(canonical_device "$device") || return 0

        # Weed out duplicates
        dupe=0
        for opt in $devices; do
            if [ "$device" = "$opt" ]; then
                dupe=1
            fi
        done
        if [ $dupe -eq 1 ]; then
            continue
        fi

        # This device seems ok
        devices="$devices $device"
        count=$(( $count + 1 ))
    done

    if [ $count -gt 1 ]; then
        echo "cryptsetup: WARNING: found more than one resume device candidate:" >&2
        for device in $devices; do
            echo "                     $device" >&2
        done
    fi

    if [ $count -gt 0 ]; then
        echo $devices
    fi

    return 0
}

node_is_in_crypttab() {
    local node
    node="$1"

    grep -q "^$node\b" /etc/crypttab
    return $?
}

get_lvm_deps() {
    local node deps maj min depnode
    node="$1"

    if [ -z $node ]; then
        echo "cryptsetup: WARNING: get_lvm_deps - invalid arguments" >&2
        return 1
    fi

    if ! deps=$(vgs --noheadings -o pv_name $(dmsetup --noheadings splitname $node | cut -d':' -f1) 2>/dev/null); then
        # $node is not a LVM node, stopping here
        return 0
    fi

    # We should now have a list of physical volumes for the VG
    for dep in $deps; do
        depnode=$(dmsetup info -c --noheadings -o name "$dep" 2>/dev/null)
        if [ -z "$depnode" ]; then
            continue
        fi
        if [ "$(dmsetup table "$depnode" 2>/dev/null | cut -d' ' -f3)" != "crypt" ]; then
            get_lvm_deps "$depnode"
            continue
        fi
        echo "$depnode"
    done

    return 0
}

get_device_opts() {
    local target source link extraopts rootopts opt
    target="$1"
    extraopts="$2"
    KEYSCRIPT=""
    OPTIONS=""

    if [ -z "$target" ]; then
        echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2
        return 1
    fi

    opt=$( grep "^$target\b" /etc/crypttab | head -1 | sed 's/[[:space:]]\+/ /g' )
    source=$( echo $opt | cut -d " " -f2 )
    key=$( echo $opt | cut -d " " -f3 )
    rootopts=$( echo $opt | cut -d " " -f4- )

    if [ -z "$opt" ] || [ -z "$source" ] || [ -z "$key" ] || [ -z "$rootopts" ]; then
        echo "cryptsetup: WARNING: invalid line in /etc/crypttab for $target - $opt" >&2
        return 1
    fi

    # Sanity checks for $source
    if [ -h "$source" ]; then
        link=$(readlink -nqe "$source")
        if [ -z "$link" ]; then
            echo "cryptsetup: WARNING: $source is a dangling symlink" >&2
            return 1
        fi

        if [ "$link" != "${link#/dev/mapper/}" ]; then
            echo "cryptsetup: NOTE: using $link instead of $source for $target" >&2
            source="$link"
        fi
    fi

    # Sanity checks for $key
    if [ "$key" = "/dev/random" ] || [ "$key" = "/dev/urandom" ]; then
        echo "cryptsetup: WARNING: target $target has a random key, skipped" >&2
        return 1
    fi

    if [ -n "$extraopts" ]; then
        rootopts="$extraopts,$rootopts"
    fi

    # We have all the basic options, let's go through them
    OPTIONS="target=$target,source=$source,key=$key"
    local IFS=", "
    unset HASH_FOUND
    unset LUKS_FOUND
    for opt in $rootopts; do
        case $opt in
        cipher=*)
            OPTIONS="$OPTIONS,$opt"
            ;;
        hash=*)
            OPTIONS="$OPTIONS,$opt"
            HASH_FOUND=1
            ;;
        size=*)
            OPTIONS="$OPTIONS,$opt"
            ;;
        lvm=*)
            OPTIONS="$OPTIONS,$opt"
            ;;
        keyscript=*)
            opt=${opt#keyscript=}
            if [ ! -x "/lib/cryptsetup/scripts/$opt" ] && [ ! -x "$opt" ]; then
                echo "cryptsetup: WARNING: target $target has an invalid keyscript, skipped" >&2
                return 1
            fi
            KEYSCRIPT="$opt"
            OPTIONS="$OPTIONS,keyscript=/lib/cryptsetup/scripts/$(basename "$opt")"
            ;;
        tries=*)
            OPTIONS="$OPTIONS,$opt"
            ;;
        rootdev)
            OPTIONS="$OPTIONS,$opt"
            ;;
        discard)
            OPTIONS="$OPTIONS,$opt"
            ;;
        luks)
            LUKS_FOUND=1
            ;;
        *)
            # Presumably a non-supported option
            ;;
        esac
    done

    # Warn for missing hash option, unless we have a LUKS partition
    if [ -z "$HASH_FOUND" ] && [ -z "$LUKS_FOUND" ]; then
        echo "WARNING: Option hash missing in crypttab for target $target, assuming ripemd160." >&2
        echo "         If this is wrong, this initramfs image will not boot." >&2
        echo "         Please read /usr/share/doc/cryptsetup/README.initramfs.gz and add" >&2
        echo "         the correct hash option to your /etc/crypttab." >&2
    fi

    # If keyscript is set, the "key" is just an argument to the script
    if [ "$key" != "none" ] && [ -z "$KEYSCRIPT" ]; then
        echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2
        return 1
    fi
}

get_device_modules() {
    local node value cipher blockcipher ivhash
    node="$1"

    # Check the ciphers used by the active root mapping
    value=$(dmsetup table "$node" | cut -d " " -f4)
    cipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f1)
    blockcipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f2)
    ivhash=$(echo "$value" | cut -d ":" -s -f2)

    if [ -n "$cipher" ]; then
        echo "$cipher"
    else
        return 1
    fi

    if [ -n "$blockcipher" ] && [ "$blockcipher" != "plain" ]; then
        echo "$blockcipher"
    fi

    if [ -n "$ivhash" ] && [ "$ivhash" != "plain" ]; then
        echo "$ivhash"
    fi

    return 0
}

canonical_device() {
    local dev altdev original
    dev="$1"

    altdev="${dev#LABEL=}"
    if [ "$altdev" != "$dev" ]; then
        dev="/dev/disk/by-label/$altdev"
    fi

    altdev="${dev#UUID=}"
    if [ "$altdev" != "$dev" ]; then
        dev="/dev/disk/by-uuid/$altdev"
    fi

    original="$dev"
    if [ -h "$dev" ]; then
        dev=$(readlink -e "$dev")
    fi

    if [ "x${dev%/dev/dm-*}" = "x" ]; then
        # try to detect corresponding symlink in /dev/mapper/
        for dmdev in /dev/mapper/*; do
            if [ "$(readlink -e "$dmdev")" = "$dev" ]; then
                dev="$dmdev"
            fi
        done
    fi

    altdev="${dev#/dev/mapper/}"
    if [ "$altdev" != "$dev" ]; then
        echo "$altdev"
        return 0
    elif [ "x${original%/dev/disk/by-*/*}" = "x" ]; then
        # support crypttab UUID/LABEL entries
        # this is a /dev/disk/by-*/ path so return just the 'basename'
        echo "${original##/dev/disk/by-*/}"
        return 0
    fi

    echo "cryptsetup: WARNING: failed to detect canonical device of $original" >&2
    return 1
}

add_device() {
    local node nodes opts lastopts i count
    nodes="$1"
    opts=""     # Applied to all nodes
    lastopts="" # Applied to last node

    if [ -z "$nodes" ]; then
        return 0
    fi

    # Flag root device
    if [ "$nodes" = "$rootdev" ]; then
        if [ -z "$opts" ]; then
            opts="rootdev"
        else
            opts="$opts,rootdev"
        fi
    fi

    # Check that it is a node under /dev/mapper/
	# nodes=$(canonical_device "$nodes") || return 0

	# Can we find this node in crypttab
	if ! node_is_in_crypttab "$nodes"; then
		# dm node but not in crypttab, is it a lvm device backed by dm-crypt nodes?
		lvmnodes=$(get_lvm_deps "$nodes") || return 1

		# not backed by any dm-crypt nodes; stop here
		if [ -z "$lvmnodes" ]; then
			return 0
		fi

		# It is a lvm device!
		lastopts="lvm=$nodes"
		nodes="$lvmnodes"
	fi

	# Prepare to setup each node
	count=$(echo "$nodes" | wc -w)
	i=1
	for node in $nodes; do
		# Prepare the additional options
		if [ $i -eq $count ]; then
			if [ -z "$opts" ]; then
				opts="$lastopts"
			elif [ -n "$lastopts" ]; then
				opts="$opts,$lastopts"
			fi
		fi

		# Get crypttab root options
		if ! get_device_opts "$node" "$opts"; then
			continue
		fi
		echo "$OPTIONS" >>"$DESTDIR/conf/conf.d/cryptroot"

		# If we have a keyscript, make sure it is included
		if [ -n "$KEYSCRIPT" ]; then
			if [ ! -d "$DESTDIR/lib/cryptsetup/scripts" ]; then
				mkdir -p "$DESTDIR/lib/cryptsetup/scripts"
			fi
			if [ -e "/lib/cryptsetup/scripts/$KEYSCRIPT" ]; then
				copy_exec "/lib/cryptsetup/scripts/$KEYSCRIPT" /lib/cryptsetup/scripts >&2
			elif [ -e "$KEYSCRIPT" ]; then
				copy_exec "$KEYSCRIPT" /lib/cryptsetup/scripts >&2
			elif KSTYPE="$(type "$KEYSCRIPT" 2>&1)"; then
				if [ -x "${KSTYPE#"$KEYSCRIPT" is }" ]; then
					copy_exec "${KSTYPE#"$KEYSCRIPT" is }" /lib/cryptsetup/scripts >&2
				fi
			else
				echo "cryptsetup: WARNING: failed to find keyscript $KEYSCRIPT" >&2
				continue
			fi
		fi

		# Calculate needed modules
		modules=$(get_device_modules $node | sort | uniq)
		if [ -z "$modules" ]; then
			echo "cryptsetup: WARNING: failed to determine cipher modules to load for $node" >&2
			continue
		fi
		echo dm_mod
		echo dm_crypt
		echo "$modules"
		# Load hardware aes module
		if cpu_has_aesni; then
			echo aesni
		fi
		i=$(( $i + 1 ))
	done

	return 0
}

cpu_has_aesni() {
	# The function's exit status is grep's: 0 when the cpu advertises aes
	grep -q "^flags\s*:\s*.*aes" /proc/cpuinfo
}

add_crypto_modules() {
	local mod file altmod found genericfound
	mod="$1"
	found=""
	genericfound=""

	if [ -z "$mod" ]; then
		return 1
	fi

	# We have several potential sources of modules (in order of preference):
	#
	#   a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
	#   b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
	#   c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
	#
	# and (currently ignored):
	#
	#   d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko

	for file in $(find "$MODULESDIR/kernel/arch/" -name "$mod-*.ko" 2>/dev/null); do
		altmod="${file##*/}"
		altmod="${altmod%.ko}"
		manual_add_modules "$altmod"
		found="yes"
	done

	for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}_generic.ko" 2>/dev/null); do
		altmod="${file##*/}"
		altmod="${altmod%.ko}"
		manual_add_modules "$altmod"
		found="yes"
		genericfound="yes"
	done

	if [ -z "$genericfound" ]; then
		for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}.ko" 2>/dev/null); do
			altmod="${file##*/}"
			altmod="${altmod%.ko}"
			manual_add_modules "$altmod"
			found="yes"
		done
	fi

	if [ -z "$found" ]; then
		return 1
	fi

	return 0
}

#
# Begin real processing
#

setup="no"
rootdev=""
resumedevs=""

# Include cryptsetup modules, regardless of _this_ machine
# configuration
if [ -n "$CRYPTSETUP" ] && [ "$CRYPTSETUP" != "n" ]; then
	setup="yes"
fi

# Find the root and resume device(s)
if [ -r /etc/crypttab ]; then
	rootdev=$(get_root_device)
	if [ -z "$rootdev" ]; then
		echo "cryptsetup: WARNING: could not determine root device from /etc/fstab" >&2
	fi
	resumedevs=$(get_resume_devices)
fi

# Load the config opts and modules for each device
for dev in $rootdev $resumedevs; do
	if ! modules=$(add_device "$dev"); then
		echo "cryptsetup: FAILURE: could not determine configuration for $dev" >&2
		continue
	fi

	if [ -n "$modules" ]; then
		setup="yes"
	fi

	if [ "$setup" = "no" ]; then
		continue
	fi

	if [ "$MODULES" = "most" ]; then
		archcrypto="$(find "$MODULESDIR/kernel/arch" -type d -name "crypto" 2>/dev/null)"
		if [ -n "$archcrypto" ]; then
			copy_modules_dir "${archcrypto##*${MODULESDIR}/}"
		fi
		copy_modules_dir "kernel/crypto"
	else
		for mod in $modules; do
			add_crypto_modules $mod
		done
	fi
done

# With large initramfs, we always add a basic subset of modules
if [ "$MODULES" != "dep" ] && [ "$setup" = "yes" ]; then
	for mod in aes cbc chainiv cryptomgr krng sha256 xts; do
		add_crypto_modules $mod
	done
fi

# See if we need to add the basic components
if [ "$setup" = "yes" ]; then
	for mod in dm_mod dm_crypt; do
		manual_add_modules $mod
	done

	copy_exec /sbin/cryptsetup
	copy_exec /sbin/dmsetup
	copy_exec /lib/cryptsetup/askpass

	# We need sed. Either via busybox or as standalone binary.
	if [ "$BUSYBOX" = "n" ] || [ ! -e ${BUSYBOXDIR}/busybox ]; then
		copy_exec /bin/sed
	fi
fi

exit 0

debian/initramfs/cryptroot-script
--------------------------------

#!/bin/sh

PREREQ="cryptroot-prepare"

#
# Standard initramfs preamble
#
prereqs()
{
	# Make sure that cryptroot is run last in local-top
	for req in $(dirname $0)/*; do
		script=${req##*/}
		if [ $script != cryptroot ]; then
			echo $script
		fi
	done
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

# source for log_*_msg() functions, see LP: #272301
. /scripts/functions

#
# Helper functions
#
message()
{
	if [ -x /bin/plymouth ] && plymouth --ping; then
		plymouth message --text="$@"
	else
		echo "$@" >&2
	fi
	return 0
}

udev_settle()
{
	# Wait for udev to be ready, see https://launchpad.net/bugs/85640
	if command -v udevadm >/dev/null 2>&1; then
		udevadm settle --timeout=30
	elif command -v udevsettle >/dev/null 2>&1; then
		udevsettle --timeout=30
	fi
	return 0
}

parse_options()
{
	local cryptopts
	cryptopts="$1"

	if [ -z "$cryptopts" ]; then
		return 1
	fi

	# Defaults
	cryptcipher=aes-cbc-essiv:sha256
	cryptsize=256
	crypthash=ripemd160
	crypttarget=cryptroot
	cryptsource=""
	cryptlvm=""
	cryptkeyscript=""
	cryptkey="" # This is only used as an argument to an eventual keyscript
	crypttries=3
	cryptrootdev=""
	cryptdiscard=""
	CRYPTTAB_OPTIONS=""

	local IFS=" ,"
	for x in $cryptopts; do
		case $x in
		hash=*)
			crypthash=${x#hash=}
			;;
		size=*)
			cryptsize=${x#size=}
			;;
		cipher=*)
			cryptcipher=${x#cipher=}
			;;
		target=*)
			crypttarget=${x#target=}
			export CRYPTTAB_NAME="$crypttarget"
			;;
		source=*)
			cryptsource=${x#source=}
			if [ "${crypt​source#UUID=}" != "$cryptsource" ]; then
				cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}"
			elif [ "${cryptsource#LABEL=}" != "$cryptsource" ]; then
				cryptsource="/dev/disk/by-label/${cryptsource#LABEL=}"
			fi
			export CRYPTTAB_SOURCE="$cryptsource"
			;;
		lvm=*)
			cryptlvm=${x#lvm=}
			;;
		keyscript=*)
			cryptkeyscript=${x#keyscript=}
			;;
		key=*)
			if [ "${x#key=}" != "none" ]; then
				cryptkey=${x#key=}
			fi
			export CRYPTTAB_KEY="$cryptkey"
			;;
		tries=*)
			crypttries="${x#tries=}"
			case "$crypttries" in
			*[![:digit:].]*)
				crypttries=3
				;;
			esac
			;;
		rootdev)
			cryptrootdev="yes"
			;;
		discard)
			cryptdiscard="yes"
			;;
		esac
		PARAM="${x%=*}"
		if [ "$PARAM" = "$x" ]; then
			VALUE="yes"
		else
			VALUE="${x#*=}"
		fi
		CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
		eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
	done
	export CRYPTTAB_OPTIONS

	if [ -z "$cryptsource" ]; then
		message "cryptsetup: source parameter missing"
		return 1
	fi
	return 0
}

activate_vg()
{
	# Sanity checks
	if [ ! -x /sbin/lvm ]; then
		message "cryptsetup: lvm is not available"
		return 1
	fi

	# Detect and activate available volume groups
	/sbin/lvm vgscan
	/sbin/lvm vgchange -a y --sysinit
	return $?
}

setup_mapping()
{
	local opts count cryptcreate cryptremove NEWROOT
	opts="$1"

	if [ -z "$opts" ]; then
		return 0
	fi

	parse_options "$opts" || return 1

	if [ -n "$cryptkeyscript" ] && ! type "$cryptkeyscript" >/dev/null; then
		message "cryptsetup: error - script \"$cryptkeyscript\" missing"
		return 1
	fi

	# The same target can be specified multiple times
	# e.g. root and resume lvs-on-lvm-on-crypto
	if [ -e "/dev/mapper/$crypttarget" ]; then
		return 0
	fi

	modprobe -q dm_crypt

	# Make sure the cryptsource device is available
	if [ ! -e "$cryptsource" ]; then
		activate_vg
	fi

	# If the encrypted source device hasn't shown up yet, give it a
	# little while to deal with removable devices

	# the following lines below have been taken from
	# /usr/share/initramfs-tools/scripts/local, as suggested per
	# https://launchpad.net/bugs/164044
	if [ ! -e "$cryptsource" ]; then
		log_begin_msg "Waiting for encrypted source device..."

		# Default delay is 180s
		if [ -z "${ROOTDELAY}" ]; then
			slumber=180
		else
			slumber=${ROOTDELAY}
		fi

		slumber=$(( ${slumber} * 10 ))
		while [ ! -e "$cryptsource" ]; do
			/bin/sleep 0.1
			slumber=$(( ${slumber} - 1 ))
			[ ${slumber} -gt 0 ] || break
		done

		if [ ${slumber} -gt 0 ]; then
			log_end_msg 0
		else
			log_end_msg 1 || true
		fi
	fi
	udev_settle

	# We've given up, but we'll let the user fix matters if they can
	while [ ! -e "${cryptsource}" ]; do
		echo "  Check cryptopts=source= bootarg: cat /proc/cmdline"
		echo "  or missing modules, devices: cat /proc/modules; ls /dev"
		panic -r "ALERT!  ${cryptsource} does not exist.  Dropping to a shell!"
	done

	# Prepare commands
	cryptcreate="/sbin/cryptsetup -T 1"
	if [ "$cryptdiscard" = "yes" ]; then
		cryptcreate="$cryptcreate --allow-discards"
	fi
	if /sbin/cryptsetup isLuks $cryptsource >/dev/null 2>&1; then
		cryptcreate="$cryptcreate luksOpen $cryptsource $crypttarget"
	else
		cryptcreate="$cryptcreate -c $cryptcipher -s $cryptsize -h $crypthash create $crypttarget $cryptsource"
	fi
	cryptremove="/sbin/cryptsetup remove $crypttarget"
	NEWROOT="/dev/mapper/$crypttarget"

	# Try to get a satisfactory password $crypttries times
	count=0
	while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
		# number of attempts made so far, for keyscripts that want to know
		export CRYPTTAB_TRIED="$count"
		count=$(( $count + 1 ))
		if [ $count -gt 1 ]; then
			/bin/sleep 3
		fi

		if [ -z "$cryptkeyscript" ]; then
			cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
			if [ -x /bin/plymouth ] && plymouth --ping; then
				cryptkeyscript="plymouth ask-for-password --prompt"
				cryptkey=$(printf "$cryptkey")
			else
				cryptkeyscript="/lib/cryptsetup/askpass"
			fi
		fi

		if [ ! -e "$NEWROOT" ]; then
			if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
			     $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
				message "cryptsetup: cryptsetup failed, bad password or options?"
				continue
			fi
		fi

		if [ ! -e "$NEWROOT" ]; then
			message "cryptsetup: unknown error setting up device mapping"
			return 1
		fi

		#FSTYPE=''
		#eval $(fstype < "$NEWROOT")
		FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"

		# See if we need to setup lvm on the crypto device
		#if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then
		if [ "$FSTYPE" = "LVM_member" ] || [ "$FSTYPE" = "LVM2_member" ]; then
			if [ -z "$cryptlvm" ]; then
				message "cryptsetup: lvm fs found but no lvm configured"
				return 1
			elif ! activate_vg; then
				# disable error message, LP: #151532
				#message "cryptsetup: failed to setup lvm device"
				return 1
			fi

			NEWROOT=${cmdline_root:-/dev/mapper/$cryptlvm}
			if [ "$cryptrootdev" = "yes" ]; then
				# required for lilo to find the root device
				echo "ROOT=$NEWROOT" >>/conf/param.conf
			fi
			eval $(fstype < "$NEWROOT")
		fi

		#if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then
		if [ -z "$FSTYPE" ]; then
			message "cryptsetup: unknown fstype, bad password or options?"
			udev_settle
			$cryptremove
			continue
		fi

		message "cryptsetup: $crypttarget set up successfully"
		break
	done

	if [ $crypttries -gt 0 ] && [ $count -gt $crypttries ]; then
		message "cryptsetup: maximum number of tries exceeded for $crypttarget"
		return 1
	fi

	udev_settle
	return 0
}

#
# Begin real processing
#

# Do we have any kernel boot arguments?
cmdline_cryptopts=''
unset cmdline_root
for opt in $(cat /proc/cmdline); do
	case $opt in
	cryptopts=*)
		opt="${opt#cryptopts=}"
		if [ -n "$opt" ]; then
			if [ -n "$cmdline_cryptopts" ]; then
				cmdline_cryptopts="$cmdline_cryptopts $opt"
			else
				cmdline_cryptopts="$opt"
			fi
		fi
		;;
	root=*)
		opt="${opt#root=}"
		case $opt in
		/*) # Absolute path given. Not lilo major/minor number.
			cmdline_root=$opt
			;;
		*) # lilo major/minor number (See #398957). Ignore
			;;
		esac
		;;
	esac
done

if [ -n "$cmdline_cryptopts" ]; then
	# Call setup_mapping separately for each possible cryptopts= setting
	for cryptopt in $cmdline_cryptopts; do
		setup_mapping "$cryptopt"
	done

	exit 0
fi

# Do we have any settings from the /conf/conf.d/cryptroot file?
if [ -r /conf/conf.d/cryptroot ]; then
	while read mapping <&3; do
		setup_mapping "$mapping" 3<&-
	done 3< /conf/conf.d/cryptroot
fi

exit 0

debian/initramfs/cryptgnupg-hook
-------------------------------

#!/bin/sh

set -e

PREREQ="cryptroot"

prereqs()
{
	echo "$PREREQ"
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

. /usr/share/initramfs-tools/hook-functions

# Hooks for loading gnupg software and key into the initramfs

# Check whether cryptroot hook has installed decrypt_gnupg script
if [ ! -x ${DESTDIR}/lib/cryptsetup/scripts/decrypt_gnupg ] ; then
	exit 0
fi

# Install cryptroot key files into initramfs
keys=$(sed 's/^\(.*,\|\)key=//; s/,.*//' ${DESTDIR}/conf/conf.d/cryptroot)
if [ "${keys}" != "none" ]; then
	if [ -z "${keys}" ]; then
		echo "$0: Missing key files in ${DESTDIR}/conf/conf.d/cryptroot" >&2
		cat ${DESTDIR}/conf/conf.d/cryptroot >&2
		exit 1
	fi

	for key in ${keys} ; do
		echo "WARNING: GnuPG key $key is copied to initramfs" >&2
		if [ ! -d ${DESTDIR}/$(dirname ${key}) ] ; then
			mkdir -p ${DESTDIR}/$(dirname ${key})
		fi
		cp ${key} ${DESTDIR}/${key}
	done
fi

# Install gnupg software
copy_exec /usr/bin/gpg

exit 0

debian/initramfs/cryptopensc-script-local-bottom
-----------------------------------------------

#!/bin/sh

set -e

PREREQ=""

prereqs()
{
	echo "$PREREQ"
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

. /scripts/functions

# Hook for stopping smartcard reading software
if [ ! -e /sbin/pcscd ]; then
	exit 0
fi

# Stop the pcscd daemon normally. If it was started in the foreground, chances
# are it'll harmlessly complain about missing /var/run/pcscd* files due to the
# root filesystem being remounted.
start-stop-daemon --stop --quiet --pidfile /var/run/pcscd.pid --name pcscd

debian/initramfs/cryptkeyctl-hook
--------------------------------

#!/bin/sh

set -e

PREREQ="cryptroot"

prereqs()
{
	echo "$PREREQ"
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

. /usr/share/initramfs-tools/hook-functions

# Hooks for loading keyctl software into the initramfs

# Check whether cryptroot hook has installed decrypt_keyctl script
if [ ! -x ${DESTDIR}/lib/cryptsetup/scripts/decrypt_keyctl ]; then
	exit 0
fi

# Install binaries into initramfs
copy_exec /bin/keyctl
copy_exec /bin/stty

exit 0

debian/README.openct
-------------------

openct with cryptsetup and luks in Debian
-----------------------------------------

This is an overview on how you can make use of cryptsetup with your smartcard
device supported by openct. Please make sure that your smartcard reader or token
is supposed to be operated with openct and not with opensc or pcscd. You can
find information about the hardware supported by openct on the openct homepage.

This example is based on the ability of openct to store arbitrary data objects
on the smartcard. Note that you therefore have to use openct in version 0.6.12
or newer; versions before 0.6.12 do not properly support data objects.

Although this use case was done with the Aladdin eToken PRO 32k, a USB crypto
token, this is a generic approach which works the same way with all smartcard
devices supported by openct.

First of all, you should plug your crypto token into USB or whatever interface
it uses and initialise the reader with the following command (as root):

  # openct-control init

To check if your reader has been detected, you can run:

  # openct-tool list

This should give you a result similar to this:

  0 Aladdin eToken PRO

If you do not see any reader listed, you have a problem and should read again
about the supported hardware on the openct homepage and make sure you have the
support (e.g. USB) compiled into your kernel that is needed to connect to your
token. If you use a pre-compiled kernel from Debian, everything is already
built kernel-wise and you probably only need to load the module.
In case you want to erase your previously used smartcard, you can do that by
executing the following command:

  # pkcs15-init --erase-card

To setup the smartcard, you need to do the following:

  # pkcs15-init --create-pkcs15

Caution: You are being asked about the 'Security Officer PIN' and the 'User
unblocking PIN'. Although both of these PINs are optional and can be left
empty, you should never do this: in case the personal user PIN is typed wrong a
given number of times (mostly three), the smartcard is locked and can only be
unlocked with the user unblocking PIN. If you also mistype the user unblocking
PIN a given number of times (mostly three), the smartcard is locked and can only
be unlocked with the security officer PIN, which is the highest PIN in this
hierarchy. With an unset (empty) security officer PIN or user unblocking PIN,
depending on the smartcard, an attacker either has unlimited tries to crack
your personal user PIN, or can simply make the smartcard unusable as it cannot
be unlocked anymore at all.

To create a new identity on the smartcard, do the following:

  # pkcs15-init --store-pin --auth-id 01 --label "Daniel Baumann"

If you already have one or more identities, you certainly want to bump the
auth-id here; normally, the label used to describe the identity is the person's
first and last name.

As we want to use the smartcard with luks, we first need to get some random
data:

  # dd if=/dev/random of=data.txt bs=1 count=32

And we store that random data as a data object in the private section of the
smartcard with:

  # pkcs15-init --store-data data.txt --auth-id 01

As of the time of writing, openct version 0.6.12 is available and does not
support labelling different data objects. Once this gets fixed in openct
upstream, you can store multiple data objects on the smartcard (create them by
appending '--label foo' to the above command and replace foo with the label you
want to use).

Then, read the random data from the smartcard in order...
  # pkcs15-tool --read-data-object pkcs15-init -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1
  # pkcs15-tool --read-data-object pkcs15-init -o key.txt 1>/dev/null 2>&1

...to import that output to luks as a valid key (assuming that /dev/sda5 is
your encrypted partition):

  # cryptsetup luksAddKey /dev/sda5 key.txt

To tell cryptsetup to let you authenticate with the openct backend, you need to
pass the respective decrypt script to it as a parameter in /etc/crypttab
(assuming that /dev/sda5 is your encrypted partition):

  sda5_crypt /dev/sda5 none luks,keyscript=/lib/cryptsetup/scripts/decrypt_openct

At the moment all data objects have the same label 'pkcs15-init'. Once openct
supports labelling data objects, you can pass the respective label to openct
with the key parameter in /etc/crypttab like this:

  sda5_crypt /dev/sda5 none luks,keyscript=/lib/cryptsetup/scripts/decrypt_openct,key=foo

For the time being, 'pkcs15-init' is passed to openct when no key is specified.

Don't forget to back up key.txt to a safe place and remove the temporary files
afterwards:

  # shred -uz key.txt data.txt

Caution: cryptsetup as of version 1.0.5-1 does not support fallback to
passphrase if smartcard authentication fails (be it three times wrong PIN or a
not compatible/not detected smartcard reader). That means that, for testing
purposes, it is recommended to keep an initrd image in /boot available which
does *not* use openct or opensc for authentication, so that you can change your
bootloader configuration on the fly if something does not work out as expected.
Therefore, copy your current initrd (the .bak backups from initramfs-tools can
maybe get overwritten by update-initramfs during the setup of openct, so it is
better to be on the safe side):

  # cp /boot/initrd.img-`uname -r` /boot/initrd.img-`uname -r`.temp

If you have completed all the steps up to now, you can update your initramfs
image with:

  # update-initramfs -u -k `uname -r`

and reboot your machine.
 -- Daniel Baumann  Wed, 22 Aug 2007 10:36:00 +0200

debian/cryptsetup.postrm
-----------------------

#! /bin/sh

set -e

case "$1" in
	remove)
		if [ -x /usr/sbin/update-initramfs ]; then
			update-initramfs -u
		fi
		;;
esac

#DEBHELPER#

debian/README.initramfs
----------------------

1. Introduction
---------------

Kernels more recent than 2.6.12 have dropped support for devfs, which means
that initrd-tools can no longer be used to boot into an encrypted root
partition. Instead, a similar functionality has been developed for use with an
initramfs-image.

2. A fresh installation
-----------------------

If you plan to perform a completely new installation of Debian onto a machine
and to do so using an encrypted root partition, you might want to consider
using a version of Debian Installer with partman-crypto (see
http://wiki.debian.org/DebianInstaller/PartmanCrypto). The installation will
then take care of all the details and perform the necessary configuration for
you, meaning that you should not have to read the rest of this document to get
a machine with an encrypted root filesystem up and running.

However, if you are not planning to perform a new installation from scratch,
the following information might be useful to you.

3. Requirements
---------------

In order to boot from an encrypted root filesystem, you need an
initramfs-image which includes the necessary kernel modules and scripts to
setup the root device after the kernel has been initialized, but before the
rest of the operating system is booted.

To do so, you need two partitions:

 - an unencrypted /boot partition
 - an encrypted / partition

In addition, you need to have both initramfs-tools and busybox installed.
NOTE: You should make sure that your swap partition is either encrypted, or
that you are using a swap file on an encrypted partition, as crypto keys and
other sensitive information might otherwise be written out to the swap
partition in unencrypted form.

4. Setup (regular dm-crypt)
---------------------------

First of all, you must edit /etc/crypttab and add a line describing your root
device, for example:

  cryptroot /dev/hda2 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256

This will allow cryptsetup to create /dev/mapper/cryptroot from the encrypted
partition /dev/hda2 during boot.

In addition, you must also make sure that the root device is listed in
/etc/fstab, for example:

  /dev/mapper/cryptroot / ext4 defaults 0 1

This will allow the initramfs support scripts to know which of the devices in
the crypttab is the root device.

After doing these changes, you should regenerate the initramfs by running
"update-initramfs -u", then make sure that your boot loader is configured to
feed the initramfs to the kernel when booting. The kernel root argument should
also be changed to /dev/mapper/cryptroot.

Now, reboot the machine, and if everything is correctly configured, you should
be given a prompt to type in the passphrase for the encrypted root partition
before the boot can continue.

NOTE: if the hash option is missing from a regular dm-crypt (non-LUKS) line,
the initramfs scripts fall back to ripemd160, and the cryptroot hook warns
about this when the initramfs is generated. A plain dm-crypt device that was
set up with a different hash is then mapped with a wrong key and the system
will not boot, so always specify the hash function explicitly in /etc/crypttab
when using regular dm-crypt (with LUKS the hash function to use is stored in
the LUKS header).

5. Setup (using LUKS)
---------------------

If you are using the LUKS feature of cryptsetup, the above setup recipe should
still apply, but since most options can be derived from the information stored
in the LUKS header on-disk, the line to add to /etc/crypttab should look
something like this:

  cryptroot /dev/sda2 none luks

6. Exotic key types
-------------------

The above examples assume that you use a regular passphrase as the key to the
encrypted filesystem. However, if you wish to make use of more complex setups
(such as root-key-on-usb-memory), you can create a script which does all the
steps necessary to retrieve the key and then prints it to stdout.

Then add a keyscript=/path/to/your/script.sh to the options (fourth column) in
the above mentioned /etc/crypttab line, so that it looks something like this:

  cryptroot /dev/sda2 none luks,keyscript=/usr/local/sbin/cryptkey

Next, regenerate your initramfs image. This will copy the script into the
initramfs image under the /lib/cryptsetup/scripts/ directory.

NOTE: there is a limited set of tools available when the script is executing
as part of the initramfs bootup; make sure that you do not use any tools which
are not available there, or your script, and therefore the boot, will fail.

7. "cryptopts" boot argument
----------------------------

In general, you should use the above approach with a line describing your
root partition in /etc/crypttab and /etc/fstab. However, if for some reason
you wish to override the settings that are derived from these files and stored
in the initramfs image, you can use the "cryptopts" boot argument (this *only*
works for the root partition).

The format of cryptopts is:

  cryptopts=<opt1>=<value1>,<opt2>=<value2>,...

Beside the "hash", "size", "cipher" and "lvm" options that correspond to the
same options in the fourth field of /etc/crypttab, the options "target",
"source" and "key" are also supported. They correspond to the first, second
and third field of /etc/crypttab, respectively.
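The following is an added example, not code from the cryptsetup package. It
shows both halves of the contract described in sections 6 and 7: what
cryptroot-script derives from one cryptopts= string (the same option format
the cryptroot hook writes into /conf/conf.d/cryptroot), and what a keyscript
started as a result of it has to do. Every name ending in _example, the
install path /lib/cryptsetup/scripts/decrypt_example and the ASKPASS
override variable are assumptions made for this example; the option strings
and key file are constructed. Running it prints the cryptsetup command that
would be executed for the sample options, without touching any device.

```shell
#!/bin/sh
# Added example (not part of the cryptsetup package): a dry run of what
# cryptroot-script does with one cryptopts= string, plus a keyscript that
# honours the resulting contract. Everything named *_example, the install
# path /lib/cryptsetup/scripts/decrypt_example and the ASKPASS override
# are assumptions for this example; the option strings are constructed.

# Parse "target=crypt0,source=UUID=...,key=none,luks,discard" the way
# parse_options in cryptroot-script does: defaults first, then each option,
# then export the CRYPTTAB_* variables a keyscript will see. Option values
# never go through eval here, so a value cannot carry shell syntax.
parse_cryptopts_example() {
    CRYPTCIPHER=aes-cbc-essiv:sha256 CRYPTSIZE=256 CRYPTHASH=ripemd160
    CRYPTTARGET=cryptroot CRYPTSOURCE='' CRYPTKEY=''
    CRYPTDISCARD='' CRYPTLUKS=''
    oldifs=$IFS
    IFS=', '
    for x in $1; do
        case $x in
            target=*) CRYPTTARGET=${x#target=} ;;
            source=*)
                CRYPTSOURCE=${x#source=}
                case $CRYPTSOURCE in
                    UUID=*)  CRYPTSOURCE=/dev/disk/by-uuid/${CRYPTSOURCE#UUID=} ;;
                    LABEL=*) CRYPTSOURCE=/dev/disk/by-label/${CRYPTSOURCE#LABEL=} ;;
                esac ;;
            key=*)    [ "${x#key=}" = none ] || CRYPTKEY=${x#key=} ;;
            cipher=*) CRYPTCIPHER=${x#cipher=} ;;
            size=*)   CRYPTSIZE=${x#size=} ;;
            hash=*)   CRYPTHASH=${x#hash=} ;;
            discard)  CRYPTDISCARD=yes ;;
            luks)     CRYPTLUKS=yes ;;
        esac
    done
    IFS=$oldifs
    [ -n "$CRYPTSOURCE" ] || return 1   # "source parameter missing"
    export CRYPTTAB_NAME="$CRYPTTARGET"
    export CRYPTTAB_SOURCE="$CRYPTSOURCE"
    export CRYPTTAB_KEY="$CRYPTKEY"
}

# The command line cryptroot-script would pipe the key into. On a real boot
# LUKS is detected with "cryptsetup isLuks"; here the luks option stands in
# for that probe because no device is touched.
cryptsetup_cmd_example() {
    cmd='/sbin/cryptsetup -T 1'
    [ "$CRYPTDISCARD" = yes ] && cmd="$cmd --allow-discards"
    if [ "$CRYPTLUKS" = yes ]; then
        echo "$cmd luksOpen $CRYPTSOURCE $CRYPTTARGET --key-file=-"
    else
        # Plain dm-crypt: cipher, key size and hash are not recorded on disk,
        # so a wrong default (the hash in particular) yields an unbootable system.
        echo "$cmd -c $CRYPTCIPHER -s $CRYPTSIZE -h $CRYPTHASH create $CRYPTTARGET $CRYPTSOURCE --key-file=-"
    fi
}

# Keyscript side of the contract: the crypttab key field arrives as $1,
# CRYPTTAB_* is in the environment, the key goes to stdout and a non-zero
# exit makes cryptroot-script sleep and retry. Output is produced with cat,
# never echo: "cryptsetup --key-file=-" takes every byte up to EOF, so a
# trailing newline would silently become part of the passphrase.
decrypt_example() {
    keyfile=$1
    if [ -n "$keyfile" ] && [ -f "$keyfile" ]; then
        # Refuse key files readable by group/other: they live on the real
        # root filesystem, where loose permissions leak the volume key.
        perms=$(stat -c %a "$keyfile") || return 1
        case "${perms#"${perms%??}"}" in
            00) cat -- "$keyfile"; return ;;
            *)  echo "decrypt_example: $keyfile is group/other readable, ignoring it" >&2 ;;
        esac
    fi
    # Fall back to the askpass helper that the cryptroot hook copies into
    # the initramfs; it prints the passphrase without a trailing newline.
    askpass=${ASKPASS:-/lib/cryptsetup/askpass}
    [ -x "$askpass" ] || return 1
    "$askpass" "Unlocking ${CRYPTTAB_SOURCE:-?} (${CRYPTTAB_NAME:-?}), enter passphrase: "
}

# Dry run on a constructed option string; nothing is opened.
if parse_cryptopts_example 'target=crypt0,source=UUID=1234-ABCD,key=none,luks,discard'; then
    cryptsetup_cmd_example
fi
```

Two details matter in practice. The key reaches stdout through cat rather
than echo because cryptroot-script pipes the keyscript into "cryptsetup
--key-file=-", which treats everything up to EOF as the key; a stray newline
then becomes part of the passphrase and the unlock fails with nothing more
than "bad password or options?". And a key file that group or other can read
is rejected in favour of the passphrase prompt: the keyscript itself runs as
root inside the initramfs, but the file lives on the real root filesystem,
where such permissions would hand the volume key to any local user.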
See the crypttab man page for further details.

Several "cryptopts" boot arguments can also be specified in case more than one
mapping needs to be setup in the initramfs stage of the boot.

Example boot arguments:

  root=/dev/mapper/crypt0 cryptopts=target=crypt0,source=/dev/hda1,cipher=twofish

8. Resume device support
------------------------

The initramfs scripts will also try to automatically determine the devices, if
any, that are used for software suspend (swsusp, suspend2 or uswsusp) and to
set them up during the initramfs stage in order to allow suspend and resume in
combination with encryption to keep the resume image safe from potential
attackers.

If your resume device and your root partition use two different cryptsetup
mappings, you might want to use the "decrypt_derived" keyscript as described
below.

9. The "decrypt_derived" keyscript
----------------------------------

Assume that you have two entries in /etc/crypttab:

  cryptroot /dev/hda1 none luks
  cryptswap /dev/hda2 none luks

If cryptswap is used as your suspend/resume device, you'd normally need to
enter two different passphrases during the boot, but the "decrypt_derived"
script can generate the key for the second mapping using a hash of the key for
the first mapping.

In short, you'll need to do something like the following to take advantage of
the decrypt_derived script:

  1) swapoff -a
  2) cryptsetup luksClose cryptswap
  3) edit /etc/crypttab and change the cryptswap line to e.g.:
     cryptswap /dev/hda2 cryptroot cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap
  4) /etc/init.d/cryptdisks start
  5) Make sure that /dev/mapper/cryptswap has been created
  6) swapon -a
  7) (optional) update-initramfs -u

After you've followed the above steps, your swap device should be setup
automatically after the root device has been setup during the boot stage.

WARNING: If you use the decrypt_derived keyscript for devices with persistent
data (i.e. not swap or temp devices), then you will lose access to that data
permanently if something damages the LUKS header of the LUKS device you derive
from. The same applies if you luksFormat the device, even if you use the same
passphrase(s). A LUKS header backup, or better a backup of the data on the
derived device, may be a good idea. See the Cryptsetup FAQ on how to do this
right.

Note: If you don't use suspend device support, it's better to use completely
random keys for your encrypted swap device. See the section '2. Encrypted swap
partition(s)' in /usr/share/doc/cryptsetup/README.Debian for information on how
to set this up.

10. The "passdev" keyscript
---------------------------

If you have a keyfile on a removable device (e.g. a USB-key), you can use the
passdev keyscript. It will wait for the device to appear, mount it read-only,
read the key and then unmount the device.

The "key" part of /etc/crypttab will be interpreted as
<device>:<path>[:<timeout>]; it is strongly recommended that you use one of the
persistent device names from /dev/disk/*, e.g. /dev/disk/by-label/myusbkey.

This is an example of a suitable line in /etc/crypttab:

  cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev

The above line would cause the boot to pause until /dev/disk/by-label/myusbkey
appears, then mount that device and use the file /keys/root.key on it (without
any hashing) as the key for the filesystem. The timeout option has to be in
seconds.

If any modules are required in order to mount the filesystem on the removable
device, then initramfs-tools needs to be configured to add these modules to the
initramfs. This can be done by listing the required modules in
/etc/initramfs-tools/modules.

11. Limitation: renaming of target name for encrypted root device
-----------------------------------------------------------------

As spotted by Adam Lee in bug report #671037[1], it's not possible to simply
rename the target name for encrypted root devices. It breaks the initramfs
creation process.

The bug report submitter found a solution to work around this limitation:

  0. enter another system (like livecd)
  1. luksOpen with the new name, change the target name to the new one
  2. chroot into it (now, the current target name is the same as the one in the config)
  3. update-initramfs -u
  4. reboot

[1] http://bugs.debian.org/671037

 -- David Härdeman
 -- Jonas Meurer  Thu, 01 Nov 2012 13:44:31 +0100

debian/rules
------------

#!/usr/bin/make -f

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

DEB_VERSION := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
		egrep '^Version:' | head -n1 | cut -f2 -d ' ' ))
DEB_DATE := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
		egrep '^Date:' | head -n1 | cut -f2- -d ' ' | \
		LC_ALL=C date --file=- +%F ))

# These are used for cross-compiling and for saving the configure script
# from having to guess our platform (since we know it already)
export DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)

ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
  confflags += --build $(DEB_HOST_GNU_TYPE)
else
  confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
endif

# Export dpkg build flags
DEB_CFLAGS_MAINT_APPEND = -Wall
DPKG_EXPORT_BUILDFLAGS = 1
-include /usr/share/dpkg/buildflags.mk

ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
  INSTALL_PROGRAM += -s
endif

ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
  NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
  MAKEFLAGS += -j$(NUMJOBS)
endif

configure: configure-stamp
configure-stamp:
	dh_testdir
	find -xtype f ! -name manifest >manifest
	autoreconf --force --install
	./configure $(confflags) \
		--prefix=/usr \
		--libdir=/lib \
		--sbindir=/sbin \
		--mandir=/usr/share/man \
		--enable-shared \
		--enable-cryptsetup-reencrypt
	find -xtype f >manifest.new
	diff manifest manifest.new | grep '>' | cut -b3- >config.mess
	touch $@

build-stamp: configure-stamp
	touch $@

build-indep: build-stamp
	dh_testdir
	# generate manpages
	sed 's/VERSION/$(DEB_VERSION)/;s/DATE/$(DEB_DATE)/' \
		debian/doc/variables.xml.in >debian/doc/variables.xml
	xsltproc --nonet --xinclude -o debian/doc/ \
		/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl \
		debian/doc/manpages.xml
	pod2man --section=8 --center="Administrative commands" --release="" debian/scripts/luksformat \
		debian/luksformat.8
	# generate gettext po files (for luksformat)
	$(MAKE) -C debian/scripts/po all luksformat.pot

build-arch: build-stamp
	dh_testdir
	# build upstream cryptsetup
	$(MAKE)
	# build askpass and passdev keyscripts
	gcc $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -pedantic -std=c99 debian/askpass.c -o debian/askpass
	gcc $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -pedantic -std=c99 debian/passdev.c -o debian/scripts/passdev

build: build-indep build-arch

install: install-stamp
install-stamp: build-stamp
	dh_testdir
	dh_testroot
	dh_clean
	dh_installdirs
	mkdir -p $(CURDIR)/debian/cryptsetup-udeb
	mkdir -p $(CURDIR)/debian/libcryptsetup4-udeb
	$(MAKE) DESTDIR=$(CURDIR)/debian/cryptsetup-bin install
	# Copy library files to library packages
	cp -a $(CURDIR)/debian/cryptsetup-bin/lib/libcryptsetup.so.* \
		$(CURDIR)/debian/libcryptsetup4/lib/
	#cp -a $(CURDIR)/debian/cryptsetup-bin/lib/libcryptsetup.la \
	#	$(CURDIR)/debian/libcryptsetup-dev/usr/lib/
	#cp -a $(CURDIR)/debian/cryptsetup-bin/lib/libcryptsetup.a \
	#	$(CURDIR)/debian/libcryptsetup-dev/usr/lib/
	cp -a $(CURDIR)/debian/cryptsetup-bin/lib/pkgconfig/libcryptsetup.pc \
		$(CURDIR)/debian/libcryptsetup-dev/usr/lib/pkgconfig/
	cp -a $(CURDIR)/debian/cryptsetup-bin/usr/include/libcryptsetup.h \
		$(CURDIR)/debian/libcryptsetup-dev/usr/include/
	#cp -a $(CURDIR)/debian/cryptsetup-bin/lib/libcryptsetup.so \
	#	$(CURDIR)/debian/libcryptsetup-dev/usr/lib/
	dh_link -plibcryptsetup-dev lib/$$(basename $$(readlink debian/cryptsetup-bin/lib/libcryptsetup.so)) usr/lib/libcryptsetup.so

	# Remove libraries from cryptsetup package, they're shipped in separate library packages
	rm -rf $(CURDIR)/debian/cryptsetup-bin/lib
	rm -rf $(CURDIR)/debian/cryptsetup-bin/usr/include

	install -m 0644 debian/cryptdisks.functions $(CURDIR)/debian/cryptsetup/lib/cryptsetup/
	install -m 0755 debian/checks/* $(CURDIR)/debian/cryptsetup/lib/cryptsetup/checks/
	install -m 0755 debian/scripts/luksformat $(CURDIR)/debian/cryptsetup-bin/usr/sbin/
	install -m 0755 debian/scripts/cryptdisks_start $(CURDIR)/debian/cryptsetup/sbin/
	install -m 0755 debian/scripts/cryptdisks_stop $(CURDIR)/debian/cryptsetup/sbin/
	dh_link -pcryptsetup sbin/cryptdisks_start usr/sbin/cryptdisks_start
	dh_link -pcryptsetup sbin/cryptdisks_stop usr/sbin/cryptdisks_stop
	install -m 0755 debian/scripts/decrypt_* $(CURDIR)/debian/cryptsetup/lib/cryptsetup/scripts/
	install -m 0755 debian/scripts/passdev $(CURDIR)/debian/cryptsetup/lib/cryptsetup/scripts/
	install -m 0755 debian/askpass $(CURDIR)/debian/cryptsetup/lib/cryptsetup/
	install -m 0755 debian/initramfs/cryptgnupg-hook \
		$(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptgnupg
	install -m 0755 debian/initramfs/cryptkeyctl-hook \
		$(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptkeyctl
	install -m 0755 debian/initramfs/cryptopenct-hook \
		$(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptopenct
	install -m 0755 debian/initramfs/cryptopensc-hook \
		$(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptopensc
	install -m 0755 debian/initramfs/cryptopensc-script-local-bottom \
		$(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/scripts/local-bottom/cryptopensc
	install -m 0755 debian/initramfs/cryptopensc-script-local-top \
		$(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/scripts/local-top/cryptopensc
	install -m 0755 debian/initramfs/cryptpassdev-hook \
		$(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptpassdev
	install -m 0644 debian/initramfs/cryptroot-conf \
		$(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/conf-hooks.d/cryptsetup
	install -m 0755 debian/initramfs/cryptroot-hook \
		$(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptroot
	install -m 0755 debian/initramfs/cryptroot-script \
		$(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/scripts/local-top/cryptroot
	install -m 0644 debian/cryptdisks.bash_completion \
		$(CURDIR)/debian/cryptsetup/etc/bash_completion.d/cryptdisks
	install -m 0755 debian/cryptsetup.reportbug-script \
		$(CURDIR)/debian/cryptsetup/usr/share/bug/cryptsetup
ifeq ($(shell dpkg-vendor --is Ubuntu && echo yes),yes)
	mkdir -p $(CURDIR)/debian/cryptsetup/usr/share/apport/package-hooks
	install -m 0644 debian/cryptsetup.apport \
		$(CURDIR)/debian/cryptsetup/usr/share/apport/package-hooks/cryptsetup.py
endif
	$(MAKE) -C debian/scripts/po DESTDIR=$(CURDIR)/debian/cryptsetup-bin install

	touch $@

binary-indep: build install
	# We have nothing to do by default.

binary-arch: build install
	dh_testdir
	dh_testroot
	dh_installdebconf -a
	dh_installchangelogs -a ChangeLog
	dh_installdocs -a
	dh_installexamples -a debian/scripts/gen-ssl-key
	dh_installinit -a --no-start --name=cryptdisks-early --update-rcd-params="start 26 S . start 59 0 6 ."
	dh_installinit -a --no-start --name=cryptdisks-udev
	dh_installinit -a --no-start --name=cryptdisks --update-rcd-params="start 28 S . start 48 0 6 ."
	dh_installman -a debian/doc/crypttab.5 debian/doc/cryptdisks_start.8 debian/doc/cryptdisks_stop.8
	dh_installman -p cryptsetup-bin debian/luksformat.8

	# Copy relevant parts to cryptsetup-udeb package
	cp -a $(CURDIR)/debian/cryptsetup/etc $(CURDIR)/debian/cryptsetup-udeb/
	cp -a $(CURDIR)/debian/cryptsetup/lib $(CURDIR)/debian/cryptsetup-udeb/
	mkdir $(CURDIR)/debian/cryptsetup-udeb/sbin
	cp -a $(CURDIR)/debian/cryptsetup-bin/sbin/cryptsetup $(CURDIR)/debian/cryptsetup-udeb/sbin/

	# Copy relevant parts to libcryptsetup4-udeb package
	cp -a $(CURDIR)/debian/libcryptsetup4/lib $(CURDIR)/debian/libcryptsetup4-udeb/

	dh_lintian -a
	dh_compress -a
	dh_fixperms -a
	dh_strip -a
	# Check for new/changed symbols in libcryptsetup
	#dpkg-gensymbols -plibcryptsetup4 -Pdebian/libcryptsetup4 -Odebian/libcrypsetup4.symbols
	dh_makeshlibs -a -V --add-udeb=libcryptsetup4-udeb
	dh_shlibdeps -a
	dh_gencontrol -a
	dh_installdeb -a
	dh_md5sums -a
	dh_builddeb -a

binary: binary-indep binary-arch

clean:
	dh_testdir
	dh_testroot

	# clean up the source directory
	if test -f Makefile; then $(MAKE) distclean; fi
	rm -f autom4te.cache
	rm -f manifest manifest.new
	rm -f debian/doc/*.[0-9] debian/doc/variables.xml
	rm -f debian/luksformat.8
	$(MAKE) -C debian/scripts/po update clean
	rm -f debian/scripts/passdev
	rm -f debian/askpass

	# clean up leftovers which were forgotten
	if test -f config.mess; then rm -f `cat config.mess`; fi
	rm -f config.mess
	dh_clean configure-stamp build-stamp install-stamp

	# update debconf po files
	debconf-updatepo

.PHONY: configure build-indep build-arch build install binary-indep binary-arch binary clean

debian/watch

version=3
http://code.google.com/p/cryptsetup/downloads/list?can=1 .*/cryptsetup-(\d[\d\.]*)\.(?:zip|tgz|tbz2|txz|tar\.gz|tar\.bz2|tar\.xz)

debian/README.opensc

opensc/pcscd with cryptsetup and LUKS on Debian
------------------------------------------------------------------------

This is an overview on how you can make use of cryptsetup with your smartcard
device supported by opensc/pcscd. If your reader is supported by openct please
refer to the README.openct.gz in the cryptsetup docs.

I assume that you already have an initialized smartcard with an RSA key that
has the proper X509 properties for encryption set. To generate such a key in
hardware on the smartcard you should execute the following command:

# pkcs15-init -G rsa/2048 -a [PIN id] -u sign,decrypt

If your smart card doesn't support 2048 bit RSA just change the argument to the
largest size possible.

The decrypt_opensc keyscript decrypts an encrypted key in your boot partition
with the private key on your smartcard. Therefore you have to create a key for
the partition that is to be decrypted using the smartcard. As pkcs15-crypt
does not seem to support PKCS1 padding, the key is required to have the same
size as your RSA key. For a 2048 bit key use the following (the byte count is
256 as 2048/8 is 256):

# dd if=/dev/random of=/boot/keys/key bs=1 count=256

Now the key is added to the LUKS partition:

# cryptsetup luksAddKey /dev/sdXn /boot/keys/key

Enter an already existing passphrase and watch cryptsetup doing its job.

As we don't want the key in clear on the hard drive, we are going to encrypt
it with the public key belonging to the key on the smartcard. Read the public
key first:

# pkcs15-tool --read-public-key [key id] -o pubkey

Then encrypt the random data with the extracted key, destroy the plain text one
and remove your public key from the hard drive (it isn't necessary to shred it
as a potential attacker can't use your public key for anything).

# openssl rsautl -in /boot/keys/key -inkey pubkey -pubin -raw \
    -encrypt -out /boot/keys/root
# shred -u /boot/keys/key
# rm -rf pubkey

Now you'll have to edit /etc/crypttab.
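Before moving on to crypttab, here is the dd + rsautl -raw step above replayed end to end in software, as an added example that is not part of the cryptsetup package or of this README. It assumes openssl(1) with genpkey/pkeyutl, mktemp and /dev/urandom, and uses a generated RSA key pair in place of the smartcard (pkcs15-tool supplies the public half and pkcs15-crypt does the decryption on a real card). The file names are placeholders for /boot/keys/key and /boot/keys/root. It also handles a case the single dd + rsautl pair above does not: raw RSA treats the 256 key bytes as an integer that must be smaller than the modulus, and a random 256-byte value fails that check up to half of the time, at which point openssl refuses to encrypt; the example redraws the key until it is accepted.

```shell
#!/bin/sh
# Added example, not part of the cryptsetup package: README.opensc's key
# wrapping replayed with a software RSA key standing in for the smartcard.
# Assumptions: openssl(1) with genpkey/pkeyutl, mktemp, /dev/urandom.

MODULUS_BYTES=256   # 2048-bit RSA; raw RSA needs the key file exactly this long
MAX_DRAWS=32        # give up if no acceptable random key turns up

# gen_demo_rsa DIR: throwaway 2048-bit key pair (card key + extracted pubkey)
gen_demo_rsa() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/card.key" 2>/dev/null &&
    openssl pkey -in "$1/card.key" -pubout -out "$1/pubkey" 2>/dev/null
}

# wrap_luks_key DIR: draw a random LUKS key and encrypt it with raw RSA (no
# padding, as README.opensc requires because pkcs15-crypt offers none). The
# 256 bytes are read as an integer that must be below the modulus; a random
# value violates that up to half of the time and openssl errors out, so redraw
# rather than ship a key that will never unwrap. Prints the number of draws
# needed; returns 1 if it gave up.
wrap_luks_key() {
    dir=$1
    draws=0
    while [ "$draws" -lt "$MAX_DRAWS" ]; do
        draws=$((draws + 1))
        dd if=/dev/urandom of="$dir/key" bs=1 count="$MODULUS_BYTES" 2>/dev/null
        if openssl pkeyutl -encrypt -pubin -inkey "$dir/pubkey" \
               -pkeyopt rsa_padding_mode:none \
               -in "$dir/key" -out "$dir/root" 2>/dev/null; then
            echo "$draws"
            return 0
        fi
        rm -f "$dir/root"
    done
    return 1
}

# unwrap_luks_key DIR: the operation the card performs, done in software here
unwrap_luks_key() {
    openssl pkeyutl -decrypt -inkey "$1/card.key" \
        -pkeyopt rsa_padding_mode:none -in "$1/root" -out "$1/key.out" 2>/dev/null
}

# roundtrip: 0 if the unwrapped key is byte-identical to the original and has
# the expected length, 1 on any failure, 2 if openssl is not installed
roundtrip() {
    command -v openssl >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 1
    rc=1
    if gen_demo_rsa "$dir" && wrap_luks_key "$dir" >/dev/null \
       && unwrap_luks_key "$dir" \
       && [ "$(wc -c <"$dir/key.out")" -eq "$MODULUS_BYTES" ] \
       && cmp -s "$dir/key" "$dir/key.out"; then
        rc=0
    fi
    rm -rf "$dir"   # on the real system: shred -u the plaintext key instead
    return $rc
}
```

Calling roundtrip exercises the whole chain; only the wrapped file ($dir/root, the counterpart of /boot/keys/root) would be kept on a real system, and the redraw loop is what a production script should add before the shred step.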
The format should be familiar but I'll state it here again:

name device /boot/keys/root luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc

(The options field must not contain spaces; a space would be read as the start
of a fifth field and the keyscript option would be lost.)

The modules needed by the reader should now be added to
/etc/initramfs-tools/modules, so they are loaded at boot time. For example
yenta_socket, pcmcia, pcmcia_core, serial_cs, rsrc_nonstatic for PCMCIA card
readers.

In a perfect world you would just rebuild the initramfs now and it would work.
Unfortunately there are some additional issues to address. The most important
one is pcscd. Newer versions of pcscd use HAL and dbus to detect readers. As
most people (including me) aren't too enthusiastic about adding these two
daemons to the initramfs, we will rebuild the daemon to use the traditional
polling method with libusb. Again, this step is only necessary if your reader
uses pcscd (for example the Gemalto PC Card readers).

To do this, download the ccid and pcsc-lite packages from
Install the libusb header files, extract the tarballs and build pcscd with the
following commands:

# apt-get install libusb-dev
# ./configure --disable-libhal --enable-libusb
# make
# make install

Now go to the ccid directory and execute these commands (the option is only
needed if you use libccidtwin.so to access your reader):

# ./configure [--enable-twinserial]
# make
# make install

This installs the new pcscd and its libraries in /usr/local/. To reflect the
new situation we have to change the initramfs scripts. Edit /etc/reader.conf
to instruct pcscd to use the new libraries (they should be in
/usr/local/pcsc/drivers/) instead of the ones from the Debian package.

Replace everything after line 45 in /usr/share/initramfs-tools/hooks/cryptopensc
with the following chunk:

for dir in etc/opensc usr/local/pcsc var/run tmp ; do
	if [ ! -d ${DESTDIR}/${dir} ] ; then
		mkdir -p ${DESTDIR}/${dir}
	fi
done

# Install pcscd daemon, drivers, conf file, and include libgcc as well since
# pcscd utilizes pthread_cancel
copy_exec /usr/local/sbin/pcscd
cp -r /usr/local/pcsc ${DESTDIR}/usr/local
cp /etc/reader.conf ${DESTDIR}/etc
cp -r /usr/local/lib ${DESTDIR}/usr/local

# Install opensc commands and conf file
copy_exec /usr/bin/opensc-tool
copy_exec /usr/bin/pkcs15-crypt
cp /lib/libgcc_s.so.1 ${DESTDIR}/lib
cp /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc

Edit /usr/share/initramfs-tools/scripts/local-bottom/cryptopensc and
/usr/share/initramfs-tools/scripts/local-top/cryptopensc to use the new binary
in /usr/local/sbin/pcscd instead of /usr/sbin/pcscd and change the path in the
existence test to:

if [ ! -e /usr/local/sbin/pcscd ]; then
	exit 0
fi

If you have completed all the steps up to now, you can update your initramfs
image with:

# update-initramfs -u -k `uname -r`

and reboot your machine. This leaves a backup of your old initramfs in the boot
partition if something doesn't work. If you have to debug your initramfs during
boot just append the "break=mount" option to the kernel to get a debug shell
just before the root partition would be mounted.

 -- Benjamin Kiessling, Sun, 26 Jul 2009

debian/cryptsetup.templates

Template: cryptsetup/prerm_active_mappings
Type: boolean
Default: true
_Description: Continue with cryptsetup removal?
 This system has unlocked dm-crypt devices: ${cryptmap}
 .
 If these devices are managed with cryptsetup, you might be unable to lock the
 devices after the package removal, though other tools can be used for managing
 dm-crypt devices. Any system shutdown or reboot will lock the devices.
 .
 Do not choose this option if you want to lock the dm-crypt devices before
 package removal.
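The crypttab lines shown in README.initramfs and README.opensc above are only validated when cryptdisks runs at boot, which is a bad moment to learn that an entry is ignored or misparsed. The following offline pre-flight lint is an added example, not part of the cryptsetup package: it applies the rules the package's cryptdisks functions enforce (four mandatory fields, no /dev/*random key for LUKS, key files not readable by group or others) together with the advice from this package's NEWS that plain dm-crypt entries carry explicit cipher=, size= and hash= options, and it does so without touching any device. It assumes POSIX sh and a find(1) that understands -perm /mode (GNU findutils); the crypttab and key file it builds are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the cryptsetup package: offline lint for
# /etc/crypttab. Assumptions: POSIX sh, GNU find with -perm /mode.

# lint_crypttab FILE: print "name: problem" per finding; return 1 if any.
lint_crypttab() {
    file=$1
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # strip comments, as the init script does
        set -- $line                # split on whitespace into fields
        [ $# -eq 0 ] && continue
        name=$1
        if [ $# -lt 4 ]; then
            echo "$name: fewer than four fields, entry is ignored at boot"
            problems=$((problems + 1)); continue
        fi
        key=$3; opts=$4
        if [ $# -gt 4 ]; then
            echo "$name: extra field after the options (space inside the option list?)"
            problems=$((problems + 1))
        fi
        luks=0; cipher=0; size=0; hash=0; keyscript=0
        oldifs=$IFS; IFS=,
        for opt in $opts; do
            case $opt in
                luks)         luks=1 ;;
                cipher=?*)    cipher=1 ;;
                size=?*)      size=1 ;;
                hash=?*)      hash=1 ;;
                keyscript=?*) keyscript=1 ;;
            esac
        done
        IFS=$oldifs
        # LUKS needs a persistent key; /dev/*random can never unlock a header
        case $key in *random)
            if [ $luks -eq 1 ]; then
                echo "$name: LUKS does not work with random data as key"
                problems=$((problems + 1))
            fi ;;
        esac
        # plain dm-crypt: defaults changed between releases, so spell them out
        if [ $luks -eq 0 ] && { [ $cipher -eq 0 ] || [ $size -eq 0 ] || [ $hash -eq 0 ]; }; then
            echo "$name: plain dm-crypt entry without explicit cipher=, size= and hash="
            problems=$((problems + 1))
        fi
        # a key file (not a keyscript argument, not a device) must stay private
        if [ $keyscript -eq 0 ] && [ "$key" != none ] && [ -f "$key" ] \
           && [ -n "$(find "$key" -maxdepth 0 -perm /077)" ]; then
            echo "$name: key file $key is readable or writable by group/others"
            problems=$((problems + 1))
        fi
    done <"$file"
    [ $problems -eq 0 ]
}

# make_sample DIR: write a constructed crypttab plus a deliberately
# world-readable key file into DIR and print the crypttab path.
make_sample() {
    dir=$1
    mkdir -p "$dir"
    : >"$dir/data.key"; chmod 0644 "$dir/data.key"
    cat >"$dir/crypttab" <<EOF
# constructed sample for the lint; device names are placeholders
cryptroot /dev/hda1 none luks
cryptswap /dev/hda2 cryptroot cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap
cryptdata /dev/hda3 $dir/data.key cipher=aes-cbc-essiv:sha256,size=256
cryptold  /dev/hda4 none
cryptrnd  /dev/hda5 /dev/urandom luks,swap
cryptsc   /dev/hda6 /boot/keys/root luks, keyscript=/lib/cryptsetup/scripts/decrypt_opensc
EOF
    echo "$dir/crypttab"
}
```

Run as `lint_crypttab "$(make_sample /tmp/ct-demo)"`: cryptroot and cryptswap pass, cryptdata is reported twice (no hash= and a group-readable key file), cryptold is short a field, cryptrnd combines LUKS with a random key, and cryptsc shows the space-after-comma mistake. Point it at /etc/crypttab before rebooting after any edit.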
debian/libcryptsetup-dev.dirs

/usr/include
/usr/lib
/usr/lib/pkgconfig

debian/NEWS

cryptsetup (2:1.1.3-1) unstable; urgency=low

  Cryptdisks init scripts changed their behaviour for failures at starting and
  stopping encrypted devices. The cryptdisks init script now raises a warning
  for failures at starting encrypted devices, and cryptdisks-early warns about
  failures at stopping encrypted devices.

 -- Jonas Meurer  Sat, 10 Jul 2010 14:36:33 +0200

cryptsetup (2:1.1.0-1) unstable; urgency=low

  The default key size for LUKS was changed from 128 to 256 bits, and the
  default plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256. In
  case you use plain mode encryption and haven't set cipher and hash in
  /etc/crypttab, you should do so now. The new defaults are not backwards
  compatible. See the manpage for crypttab(5) for further information. If your
  dm-crypt setup was done by debian-installer, you can ignore that warning.

  Additionally, the keyscript decrypt_gpg, which was disabled by default up to
  now, has been rewritten and renamed to decrypt_gnupg. If you use a customized
  version of the decrypt_gpg keyscript, please back it up before upgrading the
  package.

 -- Jonas Meurer  Thu, 04 Mar 2010 17:31:40 +0100

cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low

  The cryptroot initramfs hook script has been changed to include all available
  crypto kernel modules in case initramfs-tools is configured with MODULES=most
  (default). See /etc/initramfs-tools/initramfs.conf for more information. If
  initramfs-tools is configured with MODULES=dep, the cryptroot hook script
  still tries to detect required modules, as it did by default in the past.

 -- Jonas Meurer  Sun, 27 Sep 2009 16:49:20 +0200

cryptsetup (2:1.0.7-2) unstable; urgency=low

  Checkscripts vol_id and un_vol_id have been replaced by blkid and un_blkid.
  In case you explicitly set keyscript=vol_id or keyscript=un_vol_id in
  /etc/crypttab, you will need to update your /etc/crypttab manually. Replacing
  'vol_id' with 'blkid' and 'un_vol_id' with 'un_blkid' should work. The new
  *blkid keyscripts are fully compatible with the old *vol_id scripts.

 -- Jonas Meurer  Sun, 23 Aug 2009 23:32:49 +0200

cryptsetup (2:1.0.6-8) unstable; urgency=low

  Keyscripts inside the initramfs have been moved from /keyscripts to
  /lib/cryptsetup/scripts. This way they're now available at the same location
  as on the normal system. In most cases no manual action is required. Only if
  you reference a keyscript by path in some script that is included in the
  initramfs do you need to update that reference by updating the path.

 -- Jonas Meurer  Tue, 23 Dec 2008 00:43:10 +0100

cryptsetup (2:1.0.6-7) unstable; urgency=medium

  Support for the timeout option has been removed from cryptdisks initscripts in
  order to support splash screens and remote shells in the boot process. The
  implementation had been unclean and problematic anyway.

  If you used the timeout option on headless systems without physical access,
  then it's a much cleaner solution anyway to use the 'noauto' option in
  /etc/crypttab, and start the encrypted devices manually with
  '/etc/init.d/cryptdisks force-start'.

  Another approach is to start a minimal ssh-server in the initramfs and unlock
  the encrypted devices after connecting to it. This even supports encrypted
  root filesystems for headless server systems. For more information, please
  see /usr/share/docs/cryptsetup/README.Debian.gz

 -- Jonas Meurer  Tue, 16 Dec 2008 18:37:16 +0100

cryptsetup (2:1.0.6-4) unstable; urgency=medium

  The obsolete keyscript decrypt_old_ssl and the corresponding example script
  gen-old-ssl-key have been removed from the package.
  If you're still using them, either save a local backup of
  /lib/cryptsetup/scripts/decrypt_old_ssl and put it back after the upgrade
  has finished, or migrate your setup to use keyscripts that are still
  supported.

 -- Jonas Meurer  Sun, 27 Jul 2008 16:22:57 +0200

cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low

  The default hash used by the initramfs cryptroot scripts has been changed from
  sha256 to ripemd160 for consistency with the cryptsetup default. If you have
  followed the recommendation to configure the hash in /etc/crypttab this
  change will have no effect on you.

  If you set up disk encryption on your system using the Debian installer
  and/or if you use LUKS encryption, everything is already set up correctly and
  you don't need to do anything.

  If you did *not* use the Debian installer and if you have encrypted devices
  which do *not* use LUKS, you must make sure that the relevant entries in
  /etc/crypttab contain a hash= setting.

 -- Jonas Meurer  Tue, 29 Jan 2008 11:46:57 +0100

cryptsetup (2:1.0.5-2) unstable; urgency=low

  The vol_id and un_vol_id check scripts no longer regard minix as a valid
  filesystem, since random data can be mistakenly identified as a minix
  filesystem due to an inadequate signature length. If you use minix
  filesystems, you should not rely on prechecks anymore.

 -- Jonas Meurer  Mon, 10 Sep 2007 14:39:44 +0200

cryptsetup (2:1.0.4+svn16-1) unstable; urgency=high

  The --key-file=- argument has changed. If a --hash parameter is passed, it
  will now be honoured. This means that the decrypt_derived keyscript will in
  some situations create a different key than previously, meaning that any swap
  partitions that rely on the script will have to be recreated. To emulate the
  old behaviour, make sure that you pass "--hash=plain" to cryptsetup.
 -- David Härdeman  Tue, 21 Nov 2006 21:29:50 +0100

cryptsetup (2:1.0.4-7) unstable; urgency=low

  The cryptsetup initramfs scripts now also try to detect swap partitions used
  for software suspend (swsusp/suspend2/uswsusp) and to set them up during the
  initramfs stage. See README.initramfs for more details.

 -- David Härdeman  Mon, 13 Nov 2006 19:27:02 +0100

cryptsetup (2:1.0.4-1) unstable; urgency=low

  The ssl and gpg options in /etc/crypttab have been deprecated in favour of
  the keyscript option. The options will still work, but generate warnings.
  You should change any lines containing these options to use
  keyscript=/lib/cryptsetup/scripts/decrypt_old_ssl or
  keyscript=/lib/cryptsetup/scripts/decrypt_gpg instead, as support will be
  completely removed in the future.

 -- David Härdeman  Mon, 16 Oct 2006 00:00:12 +0200

cryptsetup (2:1.0.3-4) unstable; urgency=low

  Up to now, the us keymap was loaded at the passphrase prompt in the boot
  process and ASCII characters were always used. With this upload this is
  fixed, meaning that the correct keymap is loaded and the keyboard is
  (optionally) set to UTF8 mode before the passphrase prompt. This may result
  in your password not working any more in the boot process. In this case, you
  should add a new key with cryptsetup luksAddKey with your correct keymap
  loaded.

  Additionally, all four fields are now mandatory in /etc/crypttab. An entry
  which does not contain all fields will be ignored. It is recommended to set
  cipher, size and hash anyway, as defaults may change in the future. If you
  didn't set any of these settings yet, then you should add
  cipher=aes-cbc-plain,size=128,hash=ripemd160 to the options in /etc/crypttab.
  See man crypttab(5) for more details.

 -- David Härdeman  Sat, 19 Aug 2006 18:08:40 +0200

cryptsetup (2:1.0.2+1.0.3-rc2-2) unstable; urgency=low

  The crypttab option 'retry' has been renamed to 'tries' to reflect upstream's
  functionality. The default is 3 tries now, even if the option is not given.
  See the crypttab.5 manpage for more information.

 -- Jonas Meurer  Fri, 28 Apr 2006 17:42:15 +0200

cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low

  Since release 2:1.0.1-9, the cryptsetup package uses cryptsetup-luks as
  upstream source. This is an enhanced version of plain cryptsetup which
  includes support for the LUKS extension, a standard on-disk format for hard
  disk encryption. Plain dm-crypt (as provided by the old cryptsetup package)
  is still available, thus backwards compatibility is given. Nevertheless it is
  recommended to update your encrypted partitions to LUKS, as this
  implementation is more secure than plain dm-crypt.

  Another major change is the check option for crypttab. It allows you to
  configure checks that are run after cryptsetup has been invoked, and
  prechecks to be run against the source device before cryptsetup has been
  invoked. See man crypttab(5) or README.Debian for more information.

 -- Jonas Meurer  Fri, 3 Feb 2006 13:41:35 +0100

debian/cryptdisks.functions

#
# This file is for inclusion with
#   . /lib/cryptsetup/cryptdisks.functions
# and should not be executed directly.

PATH="/usr/sbin:/usr/bin:/sbin:/bin"
TABFILE=${TABFILE-"/etc/crypttab"}
CRYPTDISKS_ENABLE="Yes"

#set -x

# Sanity check #1
[ -x /sbin/cryptsetup ] || exit 0

. /lib/lsb/init-functions

if [ -r /etc/default/cryptdisks ]; then
	. /etc/default/cryptdisks
fi

# Sanity check #2
[ -f "$TABFILE" ] || exit 0

MOUNT="$CRYPTDISKS_MOUNT"

# Parses the option field from the crypttab file
parse_opts () {
	local opts opt IFS PARAM VALUE

	# Strip comments - https://bugs.launchpad.net/bugs/185380
	opts=$(echo -n $1 | sed 's/ *#.*//')

	PARAMS=""
	LUKSPARAMS=""
	PLAINPARAMS=""
	CHECK=""
	CHECKARGS=""
	PRECHECK=""
	TRIES="3"
	TMPFS=""
	MAKESWAP=""
	USELUKS=""
	KEYSCRIPT=""
	IGNORE=""
	CRYPTTAB_OPTIONS=""
	LOUD="$DEFAULT_LOUD"

	# Parse the options field, convert to cryptsetup parameters
	# and construct the command line
	IFS=','
	for opt in $opts; do
		PARAM=$(echo "$opt" | sed 's/=.*//')
		VALUE=$(echo "$opt" | sed '/=/!d;s/^.*=//')

		case "$PARAM" in
		readonly)
			PARAMS="$PARAMS -r"
			;;
		cipher)
			if [ -z "$VALUE" ]; then
				log_warning_msg "$dst: no value for cipher option, skipping"
				return 1
			fi
			PLAINPARAMS="$PLAINPARAMS -c $VALUE"
			;;
		size)
			if [ -z "$VALUE" ] || echo "$VALUE" | grep -q "^[[:digit:]]\+$" && [ "$VALUE" -gt 0 ]; then
				PLAINPARAMS="$PLAINPARAMS -s $VALUE"
			else
				log_warning_msg "$dst: option size used with an incorrect argument, skipping"
				return 1
			fi
			;;
		hash)
			if [ -z "$VALUE" ]; then
				log_warning_msg "$dst: no value for hash option, skipping"
				return 1
			fi
			PLAINPARAMS="$PLAINPARAMS -h $VALUE"
			;;
		offset)
			if [ -z "$VALUE" ]; then
				log_warning_msg "$dst: no value for offset option, skipping"
				return 1
			fi
			PLAINPARAMS="$PLAINPARAMS -o $VALUE"
			;;
		skip)
			if [ -z "$VALUE" ]; then
				log_warning_msg "$dst: no value for skip option, skipping"
				return 1
			fi
			PLAINPARAMS="$PLAINPARAMS -p $VALUE"
			;;
		verify)
			PARAMS="$PARAMS -y"
			;;
		check)
			if [ -z "$VALUE" ]; then
				VALUE="$CRYPTDISKS_CHECK"
			fi
			if [ -x "$VALUE" ]; then
				CHECK="$VALUE"
			elif [ -x "/lib/cryptsetup/checks/$VALUE" ]; then
				CHECK="/lib/cryptsetup/checks/$VALUE"
			else
				log_warning_msg "check $VALUE is not an executable script, skipping"
				return 1
			fi
			;;
		checkargs)
			if [ -n "$VALUE" ]; then
				CHECKARGS="$VALUE"
			fi
			;;
		precheck)
			if [ -z "$VALUE" ]; then
				VALUE="$CRYPTDISKS_PRECHECK"
			fi
			if [ -x "$VALUE" ]; then
				PRECHECK="$VALUE"
			elif [ -x "/lib/cryptsetup/checks/$VALUE" ]; then
				PRECHECK="/lib/cryptsetup/checks/$VALUE"
			else
				log_warning_msg "precheck $VALUE is not an executable script, skipping"
				return 1
			fi
			;;
		tries)
			if echo "$VALUE" | grep -q "^[[:digit:]]\+$" && [ "$VALUE" -ge 0 ]; then
				TRIES="$VALUE"
			else
				log_warning_msg "$dst: option tries used with an incorrect argument - forced to $TRIES"
			fi
			;;
		discard)
			PARAMS="$PARAMS --allow-discards"
			;;
		swap)
			MAKESWAP="yes"
			;;
		tmp)
			if [ -z "$VALUE" ]; then
				TMPFS="ext4"
			else
				TMPFS="$VALUE"
			fi
			;;
		luks)
			USELUKS="yes"
			;;
		noearly)
			if [ "$INITSTATE" = "early" ]; then
				IGNORE="yes"
			fi
			;;
		noauto)
			if [ "$INITSTATE" != "manual" ]; then
				IGNORE="yes"
			fi
			;;
		loud)
			LOUD="yes"
			;;
		quiet)
			LOUD=""
			;;
		keyscript)
			if [ -n "$KEYSCRIPT" ]; then
				log_warning_msg "$dst: multiple key decryption options are not allowed together, skipping"
				return 1
			elif [ -z "$VALUE" ]; then
				log_warning_msg "$dst: no value for keyscript option, skipping"
				return 1
			elif [ -x "$VALUE" ]; then
				KEYSCRIPT="$VALUE"
			elif [ -x "/lib/cryptsetup/scripts/$VALUE" ]; then
				KEYSCRIPT="/lib/cryptsetup/scripts/$VALUE"
			elif type "$VALUE" >/dev/null 2>&1; then
				KEYSCRIPT="$VALUE"
			else
				log_warning_msg "script $VALUE is not an executable script, skipping"
				return 1
			fi
			;;
		keyslot)
			if [ -z "$VALUE" ]; then
				log_warning_msg "$dst: no value for keyslot option, skipping"
				return 1
			fi
			LUKSPARAMS="$LUKSPARAMS --key-slot $VALUE"
			;;
		esac

		CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
		[ -z "$VALUE" ] && VALUE="yes"
		eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
	done
	export CRYPTTAB_OPTIONS

	return 0
}

# Sanity check for keys
check_key () {
	local GMODE OMODE OWNER GROUP

	# If the keyscript option is set, the "key" is just an argument to
	# the keyscript and not necessarily a file
	if [ -n "$KEYSCRIPT" ]; then
		return 0
	fi

	if [ -z "$key" ] || [ "$key" = "none" ]; then
		key=""
		return 0
	fi

	if [ ! -e "$key" ]; then
		log_warning_msg "$dst: keyfile not found"
		return 1
	fi

	# LUKS requires a persistent key, /dev/*random is not supported
	if [ "$USELUKS" = "yes" ] && [ "$key" != "${key%random}" ]; then
		log_warning_msg "$dst: LUKS does not work with random data as key"
		return 1
	fi

	# Check ownership of $key
	OWNER="$(/bin/ls -l "$(readlink -f $key)" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')"
	if [ "$OWNER" != "root" ]; then
		log_warning_msg "$dst: INSECURE OWNER FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
	fi

	# If key is random, we're done
	if [ "$key" != "${key%random}" ]; then
		return 0
	fi

	# Check owner group of $key
	GROUP="$(/bin/ls -l "$(readlink -f $key)" | sed 's/^.\{12\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')"
	if [ "$GROUP" != "root" ]; then
		log_warning_msg "$dst: INSECURE OWNER GROUP FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
	fi

	# Check group and other permissions: any group or other bit exposes the key
	# beyond root, so either non-empty set is insecure (not only both together)
	GMODE="$(/bin/ls -l "$(readlink -f $key)" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')"
	OMODE="$(/bin/ls -l "$(readlink -f $key)" | sed 's/[[:space:]].*//;s/^.\{7\}\(.\{3\}\).*/\1/')"
	if [ "$GMODE" != "---" ] || [ "$OMODE" != "---" ]; then
		log_warning_msg "$dst: INSECURE MODE FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
	fi

	return 0
}

# Setup a luks mapping
do_luks () {
	local tried keyscriptarg
	tried=0
	keyscriptarg=""

	if ! cryptsetup isLuks "$src" >/dev/null 2>&1; then
		log_warning_msg "$dst: device '$src' is not a LUKS partition, skipping"
		return 1
	fi

	if [ -n "$KEYSCRIPT" ]; then
		# keyscript => "key" is just an argument to the keyscript
		keyscriptarg="$key"
		key="-"
	elif [ -z "$key" ]; then
		# no keyscript, no key => password
		keyscriptarg="Unlocking the disk $src ($dst)\nEnter passphrase: "
		key="-"
		if [ -x /bin/plymouth ] && plymouth --ping; then
			KEYSCRIPT="plymouth ask-for-password --prompt"
			keyscriptarg=$(printf "$keyscriptarg")
		else
			KEYSCRIPT="/lib/cryptsetup/askpass"
		fi
	elif [ "$key" != "${key%/dev/*}" ]; then
		# no keyscript, device key => special treatment
		keyscriptarg=""
		key="$key"
		KEYSCRIPT=""
	else
		# no keyscript, key => file input
		keyscriptarg="$key"
		key="-"
		KEYSCRIPT="cat"
	fi
	PARAMS="$PARAMS --key-file=$key"

	while [ "$tried" -lt "$TRIES" ] || [ "$TRIES" -eq "0" ]; do
		export CRYPTTAB_TRIED="$tried"
		if [ -n "$KEYSCRIPT" ]; then
			if $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS $LUKSPARAMS luksOpen "$src" "${dst}_unformatted"; then
				break
			fi
		else
			if cryptsetup $PARAMS $LUKSPARAMS luksOpen "$src" "${dst}_unformatted"; then
				break
			fi
		fi
		tried=$(( $tried + 1 ))
		if [ "$tried" -ge "$TRIES" ] && [ "$TRIES" -ne "0" ]; then
			return 1
		fi
	done

	if [ -n "$CHECK" ] && ! "$CHECK" "/dev/mapper/${dst}_unformatted" $CHECKARGS; then
		log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed"
		cryptsetup luksClose "${dst}_unformatted"
		return 1
	fi

	return 0
}

# Setup a regular mapping
do_noluks () {
	local pre_out tried keyscriptarg
	tried=0
	keyscriptarg=""

	if [ -z "$PRECHECK" ]; then
		PRECHECK="/lib/cryptsetup/checks/un_blkid"
	fi

	if ! pre_out="$($PRECHECK "$src" 2>/dev/null)" && \
	   ! /lib/cryptsetup/checks/blkid "$src" swap >/dev/null; then
		log_warning_msg "$dst: the precheck for '$src' failed: $pre_out"
		return 1
	fi

	if [ -n "$KEYSCRIPT" ]; then
		# keyscript => "key" is just an argument to the keyscript
		keyscriptarg="$key"
		key="-"
	elif [ -z "$key" ]; then
		# no keyscript, no key => password
		keyscriptarg="Unlocking the disk $src ($dst)\nEnter passphrase: "
		key="-"
		if [ -x /bin/plymouth ] && plymouth --ping; then
			KEYSCRIPT="plymouth ask-for-password --prompt"
			keyscriptarg=$(printf "$keyscriptarg")
		else
			KEYSCRIPT="/lib/cryptsetup/askpass"
		fi
	else
		# no keyscript, key => file input
		keyscriptarg=""
		key="$key"
		KEYSCRIPT=""
	fi
	PARAMS="$PARAMS --key-file=$key"

	while [ "$tried" -lt "$TRIES" ]; do
		export CRYPTTAB_TRIED="$tried"
		if [ -n "$KEYSCRIPT" ]; then
			$KEYSCRIPT "$keyscriptarg" | cryptsetup $PLAINPARAMS $PARAMS create "${dst}_unformatted" "$src"
		else
			cryptsetup $PLAINPARAMS $PARAMS create "${dst}_unformatted" "$src"
		fi
		if [ -z "$CHECK" ] || "$CHECK" "/dev/mapper/${dst}_unformatted" $CHECKARGS; then
			break
		else
			log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed - maybe the password is wrong"
			cryptsetup remove "${dst}_unformatted"
		fi
		tried=$(( $tried + 1 ))
		if [ "$tried" -ge "$TRIES" ]; then
			return 1
		fi
	done

	return 0
}

# Premounts file systems
mount_fs () {
	local point

	MOUNTED=""
	for point in $MOUNT; do
		if mount "$point" >/dev/null; then
			MOUNTED="$MOUNTED $point"
		fi
	done
}

# Postunmounts file systems
umount_fs () {
	local point

	for point in $MOUNTED; do
		umount "$point" >/dev/null
	done
}

# Prepares swap partitions using random keys
do_swap () {
	local swap_out

	if [ "$MAKESWAP" != "yes" ] || [ ! -b "/dev/mapper/${dst}_unformatted" ]; then
		return 0
	fi

	if swap_out="$(/lib/cryptsetup/checks/un_blkid "/dev/mapper/${dst}_unformatted" 2>/dev/null)" || \
	   /lib/cryptsetup/checks/blkid "/dev/mapper/${dst}_unformatted" swap >/dev/null 2>&1; then
		mkswap "/dev/mapper/${dst}_unformatted" >/dev/null 2>&1
	else
		log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed. /dev/mapper/$dst contains data: $swap_out"
		do_close
		return 1
	fi

	return 0
}

# Prepares tmp partitions using random keys
do_tmp () {
	if [ "x$TMPFS" = "x" ] || [ ! -b "/dev/mapper/${dst}_unformatted" ]; then
		return 0
	fi

	mkfs -t $TMPFS -q "/dev/mapper/${dst}_unformatted" >/dev/null 2>&1 || return 1
	mkdir -p "/var/run/cryptsetup/$dst"
	mount -t $TMPFS "/dev/mapper/${dst}_unformatted" "/var/run/cryptsetup/$dst" || return 1
	chmod 1777 "/var/run/cryptsetup/$dst"
	umount "/var/run/cryptsetup/$dst"

	return 0
}

# Rename the device from its temp name to its final name, which will
# trigger mountall
finalize_device () {
	if command -v udevadm >/dev/null 2>&1; then
		udevadm settle
	fi
	dmsetup rename "${dst}_unformatted" "$dst"
}

# Removes a mapping
do_close () {
	local found IFS opt

	found="no"
	IFS=','
	for opt in $opts; do
		if [ "$opt" = "luks" ]; then
			found="yes"
			break
		fi
	done

	if [ "$found" = "yes" ]; then
		cryptsetup luksClose "$dst"
	else
		cryptsetup remove "$dst"
	fi

	return $?
}

load_optimized_module () {
	local module optmodule

	module="$1"
	optmodule=$(find "/lib/modules/$(uname -r)/kernel/arch" -name "${module}*.ko" 2>/dev/null)
	if [ -n "$optmodule" ] && [ "$(echo -n "$optmodule" | wc -l)" -eq 1 ]; then
		modprobe "$optmodule" 2>/dev/null && return 0
	fi
	modprobe "$module" 2>/dev/null || return 1

	return 0
}

# Sets up all entries in crypttab
handle_crypttab_line_start () {
	dst=$1
	src=$2
	key=$3
	opts=$4

	# Make sure that all fields are present
	if [ -z "$dst" ]; then
		return 1
	elif [ -z "$src" ] || [ -z "$key" ] || [ -z "$opts" ]; then
		device_msg "$dst" "skipped, missing parameters"
		return 1
	fi

	# parse UUID= symlinks
	if [ "${src#UUID=}" != "$src" ]; then
		src="/dev/disk/by-uuid/${src#UUID=}"
	elif [ "${src#LABEL=}" != "$src" ]; then
		src="/dev/disk/by-label/${src#LABEL=}"
	fi

	# Do the preparatory steps
	if ! parse_opts "$opts"; then
		device_msg "$dst" "invalid opts"
		return 1
	fi

	# Ignore noauto devices
	if [ "$IGNORE" = "yes" ] && [ -z "$FORCE_START" ]; then
		device_msg "$dst" "ignored"
		return 0
	fi

	if ! check_key; then
		device_msg "$dst" "invalid key"
		return 1
	fi

	# Export crypttab fields as environment variables
	export CRYPTTAB_NAME="$dst"
	export CRYPTTAB_SOURCE="$src"
	export CRYPTTAB_KEY="$key"

	# Make sure source device exists
	if [ ! -r "$src" ]; then
		if [ "$LOUD" = "yes" ]; then
			device_msg "$dst" "skipped, device $src does not exist"
			return 1
		fi
		return 0
	fi

	# Make sure that target device doesn't exist
	if [ -b "/dev/mapper/${dst}_unformatted" ] || [ -b "/dev/mapper/$dst" ]; then
		device_msg "$dst" "running"
		return 0
	fi

	# All checks passed, do the real setup
	log_action_msg "$dst (starting).."
	result="ok"
	if [ "$USELUKS" = "yes" ]; then
		do_luks || result="fail"
	else
		do_noluks || result="fail"
	fi

	# Finish up
	if [ "$result" != "ok" ]; then
		device_msg "$dst" "failed"
		return 1
	else
		do_swap
		do_tmp
		finalize_device
		device_msg "$dst" "started"
	fi

	return 0
}

handle_crypttab_line_stop () {
	dst=$1
	src=$2
	key=$3
	opts=$4

	if [ !
-b "/dev/mapper/$dst" ]; then device_msg "$dst" "stopped" return 0 fi opencount=$(dmsetup info -c --noheadings -o open "$dst" 2>/dev/null || true) if [ -z "$opencount" ]; then device_msg "$dst" "error" return 1 elif [ "$opencount" != "0" ]; then device_msg "$dst" "busy" if [ "$INITSTATE" = "early" ] || [ "$INITSTATE" = "manual" ]; then return 1 fi return 0 fi #major=$(dmsetup info -c --noheadings -o major "$dst" 2>/dev/null || true) #minor=$(dmsetup info -c --noheadings -o minor "$dst" 2>/dev/null || true) src_major="$(dmsetup deps "$dst" 2>/dev/null | sed -e 's/^.*(\([0-9]*\), [0-9]*)$/\1/g' || true)" src_minor="$(dmsetup deps "$dst" 2>/dev/null | sed -e 's/^.*([0-9]*, \([0-9]*\))$/\1/g' || true)" if [ -z "$src_major" ] || [ -z "$src_minor" ]; then device_msg "$dst" "error" return 1 fi do_close || return $? device_msg "$dst" "stopping" return 0 } crypttab_start_one_disk () { local dst src key opts result local ret=0 egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do if [ "xUUID=$ID_FS_UUID" = "x$src" ]; then src="/dev/disk/by-uuid/${src#UUID=}" elif [ "xLABEL=$ID_FS_LABEL_ENC" = "x$src" ]; then src="/dev/disk/by-label/${src#LABEL=}" elif [ "x$1" != "x$src" ]; then found= for link in $DEVLINKS; do if [ "x$link" = "x$src" ]; then found=1 break fi done if [ -z "$found" ]; then continue fi fi modprobe -qb dm-mod || true modprobe -qb dm-crypt || true dmsetup mknodes > /dev/null 2>&1 || true # FIXME: no locking mount_fs handle_crypttab_line_start "$dst" "$src" "$key" "$opts" || ret=$? 
umount_fs done return $ret } do_start () { local dst src key opts result modprobe -qb dm-mod || true modprobe -qb dm-crypt || true dmsetup mknodes >/dev/null 2>&1 || true if [ "$INITSTATE" != "init" ]; then log_action_begin_msg "Starting $INITSTATE crypto disks" fi mount_fs egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do dev_match="$src" if [ "${dev_match#UUID=}" != "$dev_match" ]; then dev_match="$(readlink -f /dev/disk/by-uuid/${dev_match#UUID=})" elif [ "${dev_match#LABEL=}" != "$dev_match" ]; then dev_match="$(readlink -f /dev/disk/by-label/${dev_match#LABEL=})" fi # if there's already a udev-triggered job running for this # device, wait for it to finish, then re-process to confirm # that it's started successfully. In the general case this # will just be a no-op, but we don't want to defer to the # other job entirely because this is the fallback for fixing # up any ordering-dependent decrypting. while status cryptdisks-udev DEVNAME="$dev_match" 2>&1 | grep -q 'start' do sleep 1 done handle_crypttab_line_start "$dst" "$src" "$key" "$opts" <&3 || log_action_end_msg $? done 3<&1 umount_fs log_action_end_msg 0 } # Removes all mappings in crypttab do_stop () { local dst src key opts opencount major minor dmsetup mknodes log_action_begin_msg "Stopping $INITSTATE crypto disks" egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do handle_crypttab_line_stop "$dst" "$src" "$key" "$opts" <&3 || log_action_end_msg $? done 3<&1 log_action_end_msg 0 } # Convenience function to handle $VERBOSE device_msg () { local dst msg dst="$1" msg="$2" if [ "$VERBOSE" != "no" ]; then log_action_cont_msg "$dst ($msg)" fi } debian/cryptdisks.default0000644000000000000000000000121412234756536012746 0ustar # Run cryptdisks initscripts at startup? Default is Yes. CRYPTDISKS_ENABLE=Yes # Mountpoints to mount, before cryptsetup is invoked at initscripts. Takes # mountpoins which are configured in /etc/fstab as arguments. 
Separate # mountpoints by space. # This is useful for keyfiles on removable media. Default is unset. CRYPTDISKS_MOUNT="" # Default check script. Takes effect, if the 'check' option is set in crypttab # without a value. CRYPTDISKS_CHECK=blkid # Default precheck script. Takes effect, if the 'precheck' option is set in # crypttab without a value. # Default is 'un_blkid' for plain dm-crypt devices if unset here. CRYPTDISKS_PRECHECK= debian/scripts/0000755000000000000000000000000012234756536010672 5ustar debian/scripts/decrypt_ssl0000644000000000000000000000053312234756536013151 0ustar #!/bin/sh # # Script to decrypt the key which is encrypted with openssl. # See /usr/share/doc/cryptsetup/examples/gen-ssl-key to create such a key. # decrypt_ssl () { echo "" >&2 echo "Decrypting ssl key $1..." >&2 if ! /usr/bin/openssl enc -aes-256-cbc -d -salt -in $1 >/dev/null 2>&1; then return 1 fi return 0 } decrypt_ssl $1 exit $? debian/scripts/gen-ssl-key0000644000000000000000000000114512234756536012754 0ustar #!/bin/sh # # script to generate a keyfile that is encrypted with openssl # # Written 2005 by Markus Nass # Improved 2006 by Jonas Meurer # Further improved 2006 by Markus Nass usage() { echo "Usage: $0 " exit 1 } if [ "$1" = "" -o "$1" = "-h" -o "$1" = "--help" ]; then usage fi if [ -x /usr/bin/openssl ]; then key=`tempfile` dd if=/dev/random of=$key bs=1c count=256 openssl enc -aes-256-cbc -e -salt -in $key -out $1 #rm -f $key; key="" shred -uz $key; key="" else echo "/usr/bin/openssl is not available" && exit 1 fi debian/scripts/decrypt_keyctl0000644000000000000000000000517312234756536013650 0ustar #!/bin/sh # decrypt_keyctl - to use in /etc/crypttab as keyscript # Allows to cache passwords for cryptdevices for 60s # The same password is used for for cryptdevices with the same identifier. # The keyfile parameter, which is the third field from /etc/crypttab, is # used as identifier in this keyscript. 
#
# sample crypttab entries:
# test1 /dev/sda1 test_pw luks,keyscript=decrypt_keyctl
# test2 /dev/sda2 test_pw luks,keyscript=decrypt_keyctl
# test3 /dev/sda3 test_other_pw luks,keyscript=decrypt_keyctl
#
# test1 and test2 have the same identifier thus test2 does not need a password
# typed in manually
#
# The passphrase is cached in the caller's (root's) user keyring (@u) and
# expires after TIMEOUT_ seconds; anything running as that user in the
# meantime can read it back with "keyctl pipe".

die() {
    echo "$@" >&2
    exit 1
}

# the keyfile given from crypttab is used as identifier in the keyring
# including the prefix "cryptkey-"
ID_="cryptkey-$1"
TIMEOUT_='60'
ASKPASS_='/lib/cryptsetup/askpass'
STTY_='/bin/stty'
PW_READER_='undefined'
PROMPT_="Caching passphrase for ${CRYPTTAB_SOURCE}: "

test -x "$STTY_" && PW_READER_='stty'        # 1. backup method
test -x "$ASKPASS_" && PW_READER_='askpass'  # preferred method

KID_=$(keyctl search @u user "$ID_" 2>/dev/null)
if [ $? -ne 0 ] || [ -z "$KID_" ]; then
    # key not found, ask the user
    case "$PW_READER_" in
        askpass)
            KEY_=$($ASKPASS_ "$PROMPT_") || die "Error executing $ASKPASS_"
            ;;
        stty)
            # disable echoing with stty
            $STTY_ -echo
            if ! read -r KEY_; then
                $STTY_ echo
                die "Error reading key from /dev/stdin"
            else
                $STTY_ echo
                echo >&2
            fi
            ;;
        *)
            # "read -s" is not POSIX; if the shell rejects it, fall back to a
            # visible read so the user at least gets a chance, and warn.
            # Everything but the key must go to stderr: stdout is the key.
            echo -n "$PROMPT_" >&2
            if ! read -res KEY_; then
                echo >&2
                echo "ERROR: Can not disable echoing, YOUR PASSWORD WILL BE VISIBLE!" >&2
                echo "This can be fixed if you add either $ASKPASS_" >&2
                echo "or $STTY_ to your initramfs" >&2
                echo -n "$PROMPT_" >&2
                if ! read -r KEY_; then
                    die "Error reading key from /dev/stdin"
                else
                    echo >&2
                fi
            else
                echo >&2
            fi
            ;;
    esac

    KID_=$(echo -n "$KEY_" | keyctl padd user "$ID_" @u)
    [ -z "$KID_" ] && die "Error adding passphrase to kernel keyring"
    if ! keyctl timeout $KID_ $TIMEOUT_; then
        keyctl unlink $KID_ @u
        die "Error setting timeout on key ($KID_), removing"
    fi
else
    echo "Using cached passphrase for ${CRYPTTAB_SOURCE}." >&2
fi

keyctl pipe $KID_

# ==== debian/scripts/decrypt_opensc ====
#!/bin/sh

# Why not use "openct-tool rwait" instead of polling opensc-tool exit status?
# Well openct daemon has to be running which interferes with pcscd since both
# implement reader drivers, my particular CCID reader (SCM SCR331-LC1) doesn't
# work with the CCID driver in openct, however it does work with pcscd.

# Why not use "opensc-tool --wait" instead of polling opensc-tool exit status?
# Although opensc-tool --help reports that there is a --wait option, it doesn't
# seem to be implemented.

check_card() {
    cardfound=0
    cardtmp=$(/usr/bin/opensc-tool -n 2>&1)
    if [ $? = 0 ] ; then
        cardfound=1
    fi
}

wait_card() {
    check_card
    if [ $cardfound = 0 ] ; then
        echo "Waiting for Smart Card..." >&2
        tries=0
        while [ $cardfound = 0 -a $tries -lt 60 ] ; do
            sleep 1
            check_card
            tries=$(($tries + 1))
        done
        if [ $cardfound = 0 ] ; then
            echo 'Failed to find Smart Card!' >&2
            exit 1
        fi
    fi
}

wait_card

if [ -x /bin/plymouth ] && plymouth --ping; then
    # Get pin number from plymouth.  Note that --pin puts the PIN on the
    # pkcs15-crypt command line, where any local process can read it from
    # /proc/<pid>/cmdline for as long as the command runs.
    /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw --pin "$(plymouth ask-for-password --prompt "Enter pin for $crypttarget ($cryptsource): ")"
else
    # Get pin number from console
    /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw < /dev/console 2>/dev/console
fi
exit $?

# ==== debian/scripts/cryptdisks_start ====
#!/bin/sh
# cryptdisks_start - wrapper around cryptsetup which parses
# /etc/crypttab, just like mount parses /etc/fstab.
# Initial code and (c) 2007 Jon Dowland
# License: GNU General Public License, v2 or any later
#          (http://www.gnu.org/copyleft/gpl.html)

set -e

if [ $# -lt 1 ]; then
    echo "usage: $0 <name>" >&2
    echo >&2
    echo "reads /etc/crypttab and starts the mapping corresponding to <name>" >&2
    exit 1
fi

. /lib/cryptsetup/cryptdisks.functions

INITSTATE="manual"
DEFAULT_LOUD="yes"

if [ -x "/usr/bin/id" ] && [ "$(/usr/bin/id -u)" != "0" ]; then
    log_warning_msg "$0 needs root privileges"
    exit 1
fi

log_action_begin_msg "Starting crypto disk"

mount_fs

count=0
tablen="$(egrep -vc "^[[:space:]]*(#|$)" "$TABFILE")"
egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
    count=$(( $count + 1 ))
    if [ "$1" = "$dst" ]; then
        ret=0
        handle_crypttab_line_start "$dst" "$src" "$key" "$opts" <&3 || ret=$?
    elif [ $count -ge $tablen ]; then
        ret=1
        device_msg "$1" "failed, not found in crypttab"
    else
        continue
    fi
    umount_fs
    log_action_end_msg $ret
    exit $ret
done 3<&1

# ==== debian/scripts/decrypt_derived ====
#!/bin/sh

# WARNING: If you use the decrypt_derived keyscript for devices with
# persistent data (i.e. not swap or temp devices), then you will lose
# access to that data permanently if something damages the LUKS header
# of the LUKS device you derive from. The same applies if you luksFormat
# the device, even if you use the same passphrase(s). A LUKS header
# backup, or better a backup of the data on the derived device may be
# a good idea. See the Cryptsetup FAQ on how to do this right.
#
# How it works: the volume key of an already opened mapping is read back
# from the device-mapper table ("dmsetup --showkeys table" prints it in
# hex, which is why this needs root) and reused as the key for the
# derived device.  With cryptsetup 2.x and LUKS2 the volume key can live
# in the kernel keyring instead; the table then shows a keyring reference
# rather than key bytes and this script cannot derive from it.

countlines() {
    local IFS input count tmp
    input="$1"
    count=0
    IFS='
'
    for tmp in $input; do
        count=$(( $count + 1 ))
    done
    echo $count
}

if [ -z "$1" ]; then
    echo "$0: must be executed with a crypto device as argument" >&2
    exit 1
fi

# remember the requested name; "set --" below overwrites $1
name="$1"

if ! device=$(dmsetup --showkeys table 2>/dev/null | grep "^$name:"); then
    echo "$0: failed to find $name in dmtable" >&2
    exit 1
fi

if [ -z "$device" ]; then
    echo "$0: device $name doesn't exist" >&2
    exit 1
fi

count=$(countlines "$device")
if [ $count -ne 1 ]; then
    echo "$0: more than one device match $name" >&2
    exit 1
fi

# table line: "<name>: <start> <length> <target> <cipher> <key> <iv_offset> <device> <offset>"
eval set -- $device
type="$4"
key="$6"

if [ "$type" != "crypt" ]; then
    echo "$0: device $name is not a crypto device" >&2
    exit 1
fi

echo -n "$key"
exit 0

# ==== debian/scripts/po/luksformat.pot ====
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR , YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@lists.alioth.debian.org\n"
"POT-Creation-Date: 2011-09-19 13:54+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME \n"
"Language-Team: LANGUAGE \n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"

#: ../luksformat:33
msgid "This program needs to be started as root\n"
msgstr ""

#: ../luksformat:38
msgid ""
"luksformat - Create and format an encrypted LUKS device\n"
"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n"
"\n"
msgstr ""

#: ../luksformat:56
#, perl-format
msgid "Error: device mounted: %s\n"
msgstr ""

#: ../luksformat:66
#, perl-format
msgid "Error: invalid file system: %s\n"
msgstr ""

#: ../luksformat:79
#, perl-format
msgid "Error: could not generate temporary mapped device name"
msgstr ""

#. we do not need to be overly concerned with race conditions here, cryptsetup
#. will just fail if the name already exists now.
#: ../luksformat:83
#, perl-format
msgid "Creating encrypted device on %s...\n"
msgstr ""

#: ../luksformat:85
#, perl-format
msgid "Could not create LUKS device %s"
msgstr ""

#: ../luksformat:88
msgid "Please enter your passphrase again to verify it\n"
msgstr ""

#: ../luksformat:90
msgid "The passphrases you entered were not identical\n"
msgstr ""

#: ../luksformat:99
#, perl-format
msgid "Could not format device with file system %s"
msgstr ""

# ==== debian/scripts/po/de.po ====
# German translations for cryptsetup package
# German messages for luksformat in cryptsetup.
# Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the cryptsetup package.
# root , 2011.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2:1.3.0-1\n"
"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@lists.alioth.debian.org\n"
"POT-Creation-Date: 2011-09-19 13:54+0200\n"
"PO-Revision-Date: 2011-03-08 19:40+0100\n"
"Last-Translator: root \n"
"Language-Team: German\n"
"Language: de\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"

#: ../luksformat:33
msgid "This program needs to be started as root\n"
msgstr "Dieses Programm muss als Benutzer root gestartet werden\n"

#: ../luksformat:38
msgid ""
"luksformat - Create and format an encrypted LUKS device\n"
"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n"
"\n"
msgstr ""
"luksformat - LUKS-verschlüsselte Partition erstellen und formatieren\n"
"Verwendung: luksformat [-t ] [ mkfs Optionen ]\n"
"\n"

#: ../luksformat:56
#, perl-format
msgid "Error: device mounted: %s\n"
msgstr "Fehler: Partition ist eingebunden: %s\n"

#: ../luksformat:66
#, perl-format
msgid "Error: invalid file system: %s\n"
msgstr "Fehler: Ungültiges Dateisystem: %s\n"

#: ../luksformat:79
#, perl-format
msgid "Error: could not generate temporary mapped device name"
msgstr "Fehler: Erstellen einer temporären Partition schlug fehl"

#. we do not need to be overly concerned with race conditions here, cryptsetup
#. will just fail if the name already exists now.
#: ../luksformat:83
#, perl-format
msgid "Creating encrypted device on %s...\n"
msgstr "Erstelle verschlüsselte Partition auf %s...\n"

#: ../luksformat:85
#, perl-format
msgid "Could not create LUKS device %s"
msgstr "Erstellen der LUKS-Partition %s schlug fehl"

#: ../luksformat:88
msgid "Please enter your passphrase again to verify it\n"
msgstr "Bitte zum verifizieren das Passwort erneut eingeben\n"

#: ../luksformat:90
msgid "The passphrases you entered were not identical\n"
msgstr "Die eingegebenen Passwörter waren nicht identisch\n"

#: ../luksformat:99
#, perl-format
msgid "Could not format device with file system %s"
msgstr "Formatieren der Partition mit dem Dateisystem %s schlug fehl"

#~ msgid "%s: %s"
#~ msgstr "%s: %s"

# ==== debian/scripts/po/Makefile ====
XGETTEXT = xgettext
MSGFMT = msgfmt
MSGMERGE = msgmerge
LOCALEDIR = /usr/share/locale

.SUFFIXES: .po .mo .pot

%.mo: %.po
	$(MSGFMT) -o $@ $<

PO = $(wildcard *.po)
LANG = $(basename $(PO))
MO = $(addsuffix .mo,$(LANG))
SOURCES = ../luksformat

all: update $(MO)

update: luksformat.pot
	-@for po in $(PO); do \
	    echo -n "Updating $$po"; \
	    $(MSGMERGE) -U $$po luksformat.pot; \
	done;

luksformat.pot: $(SOURCES)
	$(XGETTEXT) -c -L Perl -kgtx \
	    --msgid-bugs-address=pkg-cryptsetup-devel@lists.alioth.debian.org \
	    -o $@ $(SOURCES)

install: all
	for i in $(MO) ; do \
	    t=$(DESTDIR)/$(LOCALEDIR)/`basename $$i .mo`/LC_MESSAGES ;\
	    install -d $$t ;\
	    install -m 644 $$i $$t/luksformat.mo ;\
	done

clean:
	$(RM) $(MO) *~

.PHONY: update

# ==== debian/scripts/decrypt_gnupg ====
#!/bin/sh

# Keyscript: the key file is a symmetrically encrypted gpg file; the
# passphrase comes from askpass on fd 0 and the decrypted key goes to
# stdout for "cryptsetup --key-file=-".  All keyring/trustdb options point
# at /dev/null so nothing outside the initramfs is consulted, and
# --no-mdc-warning only silences the missing-integrity-tag warning (a
# tampered key file simply yields a key that does not unlock the device).
decrypt_gpg () {
    echo "Performing GPG key decryption ..." >&2
    if ! /lib/cryptsetup/askpass "Enter passphrase for key $1: " | \
        /usr/bin/gpg -q --batch --no-options --no-mdc-warning \
        --no-random-seed-file --no-default-keyring \
        --keyring /dev/null --secret-keyring /dev/null \
        --trustdb-name /dev/null --passphrase-fd 0 --decrypt "$1"; then
        return 1
    fi
    return 0
}

if [ ! -x /usr/bin/gpg ]; then
    echo "$0: /usr/bin/gpg is not available" >&2
    exit 1
fi

if [ -z "$1" ]; then
    echo "$0: missing key as argument" >&2
    exit 1
fi

decrypt_gpg "$1"
exit $?

# ==== debian/scripts/decrypt_openct ====
#!/bin/sh

#check_reader() {
#    readerfound=0
#
#    readertmp=$(/usr/bin/openct-tool list 2>&1)
#    if [ $? = 0 ] ; then
#        readerfound=1
#    fi
#}

wait_reader() {
#    check_reader
    echo "Waiting for Smart Card reader..." >&2
    /usr/bin/openct-tool rwait >/dev/null 2>&1
    if [ $? != 0 ]; then
        echo 'Failed to find Smart Card reader!' >&2
    fi
#    if [ $readerfound = 0 ] ; then
#        tries=0
#        while [ $readerfound == 0 -a $tries -lt 60 ] ; do
#            echo "Waiting for Smart Card reader..." >&2
#            sleep 1
#            check_reader
#            tries=$(($tries + 1))
#        done
#        if [ $readerfound = 0 ] ; then
#            echo 'Failed to find Smart Card reader!' >&2
#            exit 1
#        fi
#    fi
}

wait_card() {
    echo "Waiting for Smart Card..." >&2
    /usr/bin/openct-tool wait >/dev/null 2>&1
    if [ $? != 0 ]; then
        echo 'Failed to find Smart Card!' >&2
    fi
}

/usr/sbin/openct-control init
wait_reader
wait_card

# Due to a bug in openct, the --label does not work on data objects, means,
# all data objects have by default the label 'pkcs15-init', that's why we are
# setting the label manually if none is configured by the user.
if [ -z "$1" ] || [ "$1" = "none" ] ; then
    LABEL="pkcs15-init"
else
    LABEL="$1"
fi

# The data object is written to fd 3, which is dup'ed onto the keyscript's
# stdout; pkcs15-tool's own stdout/stderr are discarded so that only the key
# bytes reach "cryptsetup --key-file=-".
if [ -x /bin/plymouth ] && plymouth --ping; then
    # Get pin number from plymouth (note: --pin exposes the PIN on the
    # command line, readable from /proc/<pid>/cmdline while the tool runs)
    /usr/bin/pkcs15-tool --read-data-object "$LABEL" --pin "$(plymouth ask-for-password --prompt "Enter pin for $crypttarget ($cryptsource): ")" -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1
else
    # Interactive call, user enters pin
    /usr/bin/pkcs15-tool --read-data-object "$LABEL" -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1
fi
exit $?

# ==== debian/scripts/cryptdisks_stop ====
#!/bin/sh
# cryptdisks_stop - wrapper around cryptsetup which parses
# /etc/crypttab, just like mount parses /etc/fstab.
# Initial code stolen from cryptdisks_start by Jon Dowland
# Copyright (C) 2008 by Jonas Meurer
# License: GNU General Public License, v2 or any later
#          (http://www.gnu.org/copyleft/gpl.html)

set -e

if [ $# -lt 1 ]; then
    echo "usage: $0 <name>" >&2
    echo >&2
    echo "reads /etc/crypttab and stops the mapping corresponding to <name>" >&2
    exit 1
fi

. /lib/cryptsetup/cryptdisks.functions

INITSTATE="manual"
DEFAULT_LOUD="yes"

if [ -x "/usr/bin/id" ] && [ "$(/usr/bin/id -u)" != "0" ]; then
    log_warning_msg "$0 needs root privileges"
    exit 1
fi

log_action_begin_msg "Stopping crypto disk"

count=0
tablen="$(egrep -vc "^[[:space:]]*(#|$)" "$TABFILE")"
egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
    count=$(( $count + 1 ))
    if [ "$1" = "$dst" ]; then
        ret=0
        handle_crypttab_line_stop "$dst" "$src" "$key" "$opts" <&3 || ret=$?
    elif [ $count -ge $tablen ]; then
        ret=1
        device_msg "$1" "failed, not found in crypttab"
    else
        continue
    fi
    log_action_end_msg $ret
    exit $ret
done 3<&1

# ==== debian/scripts/luksformat ====
#!/usr/bin/perl -w
# luksformat - wrapper around LUKS-capable cryptsetup and mkfs for easy
# creation of an encrypted device.
#
# (C) 2005 Canonical Ltd.
# Author: Martin Pitt
# License: GNU General Public License, v2 or any later
#          (http://www.gnu.org/copyleft/gpl.html)

use Getopt::Long qw(:config pass_through);

BEGIN {
    eval 'use Locale::gettext';
    if ($@) {
        *gettext = sub { shift };
        *textdomain = sub { "" };
        *LC_MESSAGES = sub { 5 };
    }
    eval {
        require POSIX;
        import POSIX qw(setlocale);
    };
    if ($@) {
        *setlocale = sub { return 1 };
    }
}

setlocale(LC_MESSAGES, "");
textdomain("luksformat");

if ($> != 0) {
    print STDERR gettext("This program needs to be started as root\n");
    exit 1;
}

sub usage() {
    print gettext("luksformat - Create and format an encrypted LUKS device
Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n\n");
    exit 1;
}

# default file system
$fs = 'vfat';

exit 1 unless GetOptions ('t|type=s' => \$fs);
GetOptions ('help', \$help);

if (($#ARGV < 0) || ($help)) {
    usage();
}

$device = shift(@ARGV);

# refuse to touch a mounted device (substring match, so /dev/sda1 also
# refuses while /dev/sda10 is mounted; erring on the safe side)
open(MOUNTS, "/proc/mounts");
while (<MOUNTS>) {
    die sprintf(gettext("Error: device mounted: %s\n"), $device) if (/\Q$device\E/)
}

if (-x "/sbin/mkfs.$fs") {
    $mkfs = "/sbin/mkfs.$fs";
} elsif (-x "/usr/sbin/mkfs.$fs") {
    $mkfs = "/usr/sbin/mkfs.$fs";
} else {
    printf STDERR (gettext("Error: invalid file system: %s\n"), $fs);
    exit 1;
}

# generate temporary mapped device name which is not yet used
$name = "";
for ($i = 1; $i < 100; $i++) {
    if (! -e "/dev/mapper/luksformat$i") {
        $name = "luksformat$i";
        last;
    }
}
$name or die sprintf(gettext("Error: could not generate temporary mapped device name"));

# we do not need to be overly concerned with race conditions here, cryptsetup
# will just fail if the name already exists now.
printf (gettext("Creating encrypted device on %s...\n"), $device);
# The cipher and key size are pinned here and override cryptsetup's own
# defaults (newer releases default to aes-xts-plain64); aes-cbc-essiv:sha256
# with a 256-bit key is the 2005-era choice this wrapper was written with.
if ((system 'cryptsetup', 'luksFormat', '-s', '256', '--cipher', 'aes-cbc-essiv:sha256', $device)) {
    die sprintf(gettext("Could not create LUKS device %s"), $device);
}

# luksFormat asked for the passphrase once; a failed luksOpen with the
# second entry is how a mistyped passphrase is detected before any data
# is written.
print gettext("Please enter your passphrase again to verify it\n");
if ((system 'cryptsetup', 'luksOpen', $device, $name) != 0) {
    print STDERR gettext("The passphrases you entered were not identical\n");
    exit 1;
}

$result = system $mkfs, "/dev/mapper/$name", @ARGV;
print "\n";
system 'udevadm', 'settle', '--timeout=30';
system 'cryptsetup', 'luksClose', $name;

die sprintf(gettext("Could not format device with file system %s"), $fs) if $result;

__END__

=head1 NAME

luksformat - Create and format an encrypted LUKS device

=head1 SYNOPSIS

B<luksformat> [B<-t> I<file system>] I<device> [ mkfs options ]

=head1 DESCRIPTION

B<luksformat> is a wrapper around B<cryptsetup> and B<mkfs> which provides an
easy interface for creating an encrypted device that follows the LUKS standard
and for putting a file system onto the encrypted device.

The default file system is B<vfat> since that is most commonly used on
removable devices. However, you can specify any available file system with
the B<-t> option.

=head1 SEE ALSO

L<cryptsetup(8)>, L<mkfs(8)>

=head1 AUTHOR

This program was written by Martin Pitt.

# ==== debian/patches/series ====
(empty)

# ==== debian/compat ====
6

# ==== debian/po/vi.po ====
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR , YEAR.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2:1.3.0-4\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2011-09-15 19:27+0700\n"
"Last-Translator: Hung Tran \n"
"Language-Team: debian-l10n-vietnamese \n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Poedit-Language: Vietnamese\n"
"X-Poedit-Country: Vietnam\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Tiếp tục việc gỡ bỏ cryptsetup?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Hệ thống này đã mở khóa những thiết bị dm-crypt: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "If these devices are managed with cryptsetup, you might be unable to lock the devices after the package removal, though other tools can be used for managing dm-crypt devices. Any system shutdown or reboot will lock the devices."
msgstr "Nếu các thiết bị này được quản lý với cryptsetup, có thể bạn sẽ không thể khóa các thiết bị sau khi gỡ bỏ gói ứng dụng, mặc dù các công cụ khác có thể được sử dụng để quản lý các thiết bị dm-crypt. Tắt hay khởi động lại hệ thống sẽ khóa các thiết bị."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Do not choose this option if you want to lock the dm-crypt devices before package removal."
msgstr "Đừng chọn tùy chọn này nếu bạn muốn khóa các thiết bị dm-crypt trước khi gỡ bỏ gói ứng dụng."

# ==== debian/po/it.po ====
# Italian translation of debconf template for cryptsetup package.
# Copyright (C) 2011 Jonas meurer
# This file is distributed under the same license as the cryptsetup package.
# Francesca Ciceri , 2012
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2012-01-23 00:30+0100\n"
"Last-Translator: Francesca Ciceri \n"
"Language-Team: Italian \n"
"Language: Italian\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Continuare con la rimozione di cryptsetup?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
#, fuzzy
#| msgid "You have unlocked dm-crypt devices: ${cryptmap}"
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "I seguenti dispositivi dm-crypt sono sbloccati: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
#, fuzzy
#| msgid ""
#| "If you used to manage these devices with cryptsetup, you might be unable "
#| "to lock the devices after the package removal. There are other tools for "
#| "managing dm-crypt devices though. In any case, system shutdown/reboot "
#| "will lock the devices."
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Se questi dispositivi erano gestiti con cryptsetup, si potrebbe essere "
"impossibilitati a bloccarli nuovamente dopo la rimozione del pacchetto. "
"Tuttavia, esistono altri strumenti per gestire i dispositivi dm-crypt. In "
"ogni caso, lo spegnimento o il riavvio del sistema bloccheranno i "
"dispositivi."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""

#~ msgid ""
#~ "In case you want to lock the dm-crypt devices before package removal, say "
#~ "no here, and continue with removal after all dm-crypt devices have been "
#~ "locked."
#~ msgstr ""
#~ "Nel caso in cui si desideri bloccare i dispositivi dm-crypt prima della "
#~ "rimozione del pacchetto, scegliere no adesso, e riprendere la rimozione "
#~ "una volta che tutti i dispositivi dm-crypt siano stati bloccati."

# ==== debian/po/sv.po ====
# Translation of cryptsetup debconf template to Swedish
# Copyright (C) 2011 Martin Bagge
# This file is distributed under the same license as the cryptsetup package.
#
# Martin Bagge , 2011
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup VERSION\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2011-09-22 21:28+0100\n"
"Last-Translator: Martin Bagge / brother \n"
"Language-Team: Swedish \n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Poedit-Language: Swedish\n"
"X-Poedit-Country: Sweden\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Ska cryptsetup tas bort?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Detta system har olåsta dm-crypt-enheter: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Om dessa enheter hanteras av cryptsetup kan det innebära att dessa enheter "
"inte kan låsas upp efter paketet tagits bort. Det finns dock andra verktyg "
"för att hantera dm-crypt-enheter. Hur som helst så kommer enheterna att "
"låsas när systemet stängs av eller startas om."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Välj inte detta alternativ om du vill låsa dm-crypt-enheter innan paketet "
"tas bort."

#~ msgid ""
#~ "In case you want to lock the dm-crypt devices before package removal, say "
#~ "no here, and continue with removal after all dm-crypt devices have been "
#~ "locked."
#~ msgstr ""
#~ "Vill du låsa dm-crypt-enheterna innan paketet tas bort svara nej här och "
#~ "fortsätt när alla dm-crypt-enheter har låsts."

# ==== debian/po/nl.po ====
# Dutch translation of cryptsetup debconf templates.
# Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the cryptsetup package.
# Jeroen Schot , 2011.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2:1.3.0-4\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2011-09-28 11:15+0200\n"
"Last-Translator: Jeroen Schot \n"
"Language-Team: Debian l10n Dutch \n"
"Language: nl\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Doorgaan met het verwijderen van cryptsetup?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr ""
"De volgende dm-crypt-apparaten op het systeem zijn ontgrendeld: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Als deze apparaten worden beheerd met cryptsetup kunt u ze mogelijk niet "
"meer vergrendelen na het verwijderen van het pakket, hoewel dm-crypt-"
"apparaten ook met andere hulpprogramma's kunnen worden beheerd. Het "
"uitzetten of herstarten van het systeem zal deze apparaten vergrendelen."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Kies niet voor deze optie indien u de dm-crypt-apparaten wilt vergrendelen "
"voor het verwijderen van het pakket."

# ==== debian/po/cs.po ====
# Czech PO debconf template translation of cryptsetup.
# Copyright (C) 2010 Michal Simunek
# This file is distributed under the same license as the cryptsetup package.
# Michal Simunek , 2011.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2:1.3.0-4\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2011-09-23 17:31+0200\n"
"Last-Translator: Michal Simunek \n"
"Language-Team: Czech \n"
"Language: cs\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Pokračovat v odstraňování cryptsetup?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Tento systém má odemčená zařízení dm-crypt: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Jsou-li tato zařízení spravována s cryptsetup, nebudete je moci po "
"odstranění balíčku uzamknout i přes to, že ke správě zařízení dm-crypt lze "
"použít i jiné nástroje. Jakékoli vypnutí či restart systému tato zařízení "
"uzamkne."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Chcete-li před odstraněním balíčku zařízení dm-crypt uzamknout, tuto "
"možnost nevybírejte."

==> debian/po/POTFILES.in <==
[type: gettext/rfc822deb] cryptsetup.templates

==> debian/po/templates.pot <==
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR , YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME \n"
"Language-Team: LANGUAGE \n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr ""

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr ""

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""

==> debian/po/da.po <==
# Danish translation cryptsetup.
# Copyright (C) 2011 cryptsetup & the translators listed below.
# This file is distributed under the same license as the cryptsetup package.
# Joe Hansen , 2011.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2011-10-09 17:30+01:00\n"
"Last-Translator: Joe Hansen \n"
"Language-Team: Danish \n"
"Language: da\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Fortsæt med fjernelsen af cryptsetup?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Dette system har frigjort dm-crypt-enheder: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Hvis disse enheder håndteres med cryptsetup, vil du måske ikke kunne låse "
"enhederne efter pakkefjernelsen, dog kan andre værktøjer bruges til at "
"håndtere dm-crypt-enheder. Alle systemnedlukninger eller genstarter vil låse "
"enhederne."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Vælg ikke denne indstilling hvis du ønsker at låse dm-crypt-enhederne før "
"pakkefjernelse."
==> debian/po/fr.po <==
# Translation to French of cryptsetup debconf templates.
# Copyright (C) 2011 Debian French l10n team
# This file is distributed under the same license as the cryptsetup package.
# Julien Patriarca , 2011.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup VERSION\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2011-09-15 15:04+0100\n"
"Last-Translator: Julien Patriarca \n"
"Language-Team: FRENCH \n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Poursuivre la suppression de cryptsetup ?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Ce système a déverrouillé des périphériques dm-crypt : ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Si ces périphériques sont gérés avec cryptsetup, il pourrait devenir "
"impossible de les verrouiller après la suppression du paquet. Cependant, "
"d'autres outils existent pour gérer des périphériques dm-crypt. Dans tous "
"les cas, un arrêt ou redémarrage du système verrouillera les périphériques."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Ne sélectionnez pas cette option si vous souhaitez verrouiller les "
"périphériques dm-crypt avant la suppression du paquet."

#~ msgid ""
#~ "In case you want to lock the dm-crypt devices before package removal, say "
#~ "no here, and continue with removal after all dm-crypt devices have been "
#~ "locked."
#~ msgstr ""
#~ "Refusez la suppression du paquet si vous souhaitez préalablement "
#~ "verrouiller les périphériques dm-crypt et poursuivez-la après que tous "
#~ "les périphériques dm-crypt ont été déverrouillés."

==> debian/po/pt.po <==
# Portuguese translation for cryptsetup's package
# Copyright (C) 2011 cryptsetup's copyright holder
# This file is distributed under the same license as the cryptsetup package.
# Miguel Figueiredo , 2011.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2011-09-16 18:48+0100\n"
"Last-Translator: Miguel Figueiredo \n"
"Language-Team: Portuguese \n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Continuar com a remoção do cryptsetup?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Este sistema tem dispositivos dm-crypt desbloqueados: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Se estes dispositivos forem geridos com o cryptsetup, poderá não ser capaz "
"de bloquear os dispositivos após a remoção do pacote, apesar de poderem "
"ser utilizadas outras ferramentas para gerir os dispositivos dm-crypt. "
"Desligar ou reiniciar o sistema irá bloquear os dispositivos."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Não escolha esta opção se deseja bloquear os dispositivos dm-crypt antes "
"da remoção do pacote."

==> debian/po/ja.po <==
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# victory , 2012.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2012-06-17 00:27+09:00\n"
"Last-Translator: victory \n"
"Language-Team: Japanese \n"
"Language: ja\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "cryptsetup の削除を続行しますか?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr ""
"このシステムにはロックされていない dm-crypt デバイスがあります: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"cryptsetup により管理されているデバイスがある場合、パッケージ削除後にデバイス"
"をロックできなくなる可能性がありますが、他のツールを使って dm-crypt デバイス"
"を管理することができます。システムのシャットダウンや再起動が発生するとデバイ"
"スはロックされます。"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"パッケージ削除の前に dm-crypt デバイスをロックしたい場合はこのオプションを選"
"択しないでください。"

==> debian/po/ru.po <==
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the cryptsetup package.
#
# Yuri Kozlov , 2011, 2012.
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2:1.4.1-2\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2012-02-26 11:02+0400\n"
"Last-Translator: Yuri Kozlov \n"
"Language-Team: Russian \n"
"Language: ru\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Generator: Lokalize 1.0\n"
"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Продолжить удаление cryptsetup?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "В системе имеются незаблокированные устройства dm-crypt: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Если эти устройства управляются с помощью cryptsetup, то вы не сможете "
"заблокировать эти устройства после удаления пакета, хотя для управления "
"устройствами dm-crypt можно использовать другие инструменты. При следующем "
"выключении или перезагрузке машины устройства будут заблокированы."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Ответьте отрицательно, если хотите заблокировать устройства dm-crypt до "
"удаления пакета."

#~ msgid ""
#~ "In case you want to lock the dm-crypt devices before package removal, say "
#~ "no here, and continue with removal after all dm-crypt devices have been "
#~ "locked."
#~ msgstr ""
#~ "Если вы хотите заблокировать устройства dm-crypt до удаления пакета, то "
#~ "ответьте отрицательно и повторите удаление после того, как все устройства "
#~ "dm-crypt будут заблокированы."

==> debian/po/es.po <==
# cryptsetup po-debconf translation to Spanish
# Copyright (C) 2010 Software in the Public Interest
# This file is distributed under the same license as the cryptsetup package.
#
# Changes:
# - Initial translation
# Camaleón , 2011
#
# - Updates
#
#
# Translators, if you are not familiar with the PO format, it is worth
# reading the gettext documentation, especially the sections devoted to this
# format, for example by running:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Spanish translation team, please read the following documents before
# translating:
#
# - The Debian Spanish translation project
# http://www.debian.org/intl/spanish/
# especially the translation notes and rules at
# http://www.debian.org/intl/spanish/notas
#
# - The po-debconf translation guide:
# /usr/share/doc/po-debconf/README-trans
# or http://www.debian.org/intl/l10n/po-debconf/README-trans
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2:1.4.1-2\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2012-02-22 15:11+0100\n"
"Last-Translator: Camaleón \n"
"Language-Team: Debian Spanish \n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "¿Desea continuar con la eliminación de cryptsetup?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr ""
"Este sistema tiene los siguientes dispositivos dm-crypt desbloqueados: "
"${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Si estos dispositivos se administran con cryptsetup es posible que no pueda "
"bloquearlos si elimina el paquete, aunque puede usar otras herramientas para "
"administrar los dispositivos dm-crypt. Apagar o reiniciar el sistema "
"bloqueará los dispositivos."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"No seleccione esta opción si quiere bloquear los dispositivos dm-crypt antes "
"de eliminar el paquete."

#~ msgid ""
#~ "In case you want to lock the dm-crypt devices before package removal, say "
#~ "no here, and continue with removal after all dm-crypt devices have been "
#~ "locked."
#~ msgstr ""
#~ "Si quiere bloquear los dispositivos dm-crypt antes de eliminar el "
#~ "paquete, seleccione «no» en este apartado y continúe con la eliminación "
#~ "después de que se hayan bloqueado todos los dispositivos dm-crypt."

==> debian/po/pt_BR.po <==
# Debconf translations for cryptsetup.
# Copyright (C) 2011 THE cryptsetup'S COPYRIGHT HOLDER
# This file is distributed under the same license as the cryptsetup package.
# Adriano Rafael Gomes , 2011.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2011-10-09 17:56-0300\n"
"Last-Translator: Adriano Rafael Gomes \n"
"Language-Team: Brazilian Portuguese \n"
"Language: pt_BR\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Continuar com a remoção do cryptsetup?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Esse sistema tem dispositivos dm-crypt desbloqueados: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Se esses dispositivos são gerenciados com o cryptsetup, você pode não "
"conseguir bloquear os dispositivos depois da remoção do pacote, embora "
"outras ferramentas possam ser usadas para gerenciar dispositivos dm-crypt. "
"Qualquer desligamento ou reinicialização do sistema bloqueará os "
"dispositivos."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Não escolha essa opção se você quiser bloquear os dispositivos dm-crypt "
"antes da remoção do pacote."

==> debian/po/de.po <==
# GERMAN TRANSLATION OF CRYPTSETUP.
# Copyright (C) 2011 Erik Pfannenstein
# This file is distributed under the same license as the cryptsetup package.
# Erik Pfannenstein , 2011.
msgid ""
msgstr ""
"Project-Id-Version: 1.3.0-4\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2011-09-15 12:30+0200\n"
"PO-Revision-Date: 2011-09-15 22:10+0200\n"
"Last-Translator: Erik Pfannenstein \n"
"Language-Team: debian-l10n-german@lists.debian.org\n"
"Language: de\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
"X-Generator: Virtaal 0.7.0\n"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Mit der Entfernung von Cryptsetup fortfahren?"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Dieses System verfügt über entsperrte dm-crypt-Geräte: ${cryptmap}"

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Wenn diese Geräte über Cryptsetup verwaltet werden, werden Sie nach der "
"Entfernung des Pakets möglicherweise nicht mehr in der Lage sein, sie zu "
"sperren, obwohl für die Handhabung von dm-crypt-verschlüsselten Geräten auch "
"andere Werkzeuge bereit stehen. Jedes Herunterfahren oder Neustarten wird "
"die Geräte sperren."

#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Wählen Sie diese Option nicht, wenn Sie die dm-crypt-verschlüsselten Geräte "
"vor der Entfernung des Pakets sperren wollen."

==> debian/cryptsetup.postinst <==
#! /bin/sh

set -e

# needed for debconf magic in prerm script
. /usr/share/debconf/confmodule

# summary of how this script can be called:
#        * `configure'
#        * `abort-upgrade'
#        * `abort-remove' `in-favour'
#
#        * `abort-deconfigure' `in-favour'
#          `removing'
#

case "$1" in
    configure)
        if [ -x /usr/sbin/update-initramfs ]; then
            update-initramfs -u
        fi

        # Do a number of checks on the currently installed crypttab
        egrep -v "^[[:space:]]*(#|$)" /etc/crypttab | while read dst src key opts; do
            if [ -z "$dst" ]; then
                continue
            elif [ -z "$src" ] || [ -z "$key" ] || [ -z "$opts" ]; then
                # All fields must be present
                echo "WARNING: $dst in /etc/crypttab is missing some arguments, see man crypttab(5)." >&2
                continue
            else
                # Strip comments - https://bugs.launchpad.net/bugs/185380
                opts=$(echo -n $opts | sed 's/ *#.*//')
                plainopts="0"
                IFS=','
                for opt in $opts; do
                    PARAM=$(echo "$opt" | sed 's/=.*//')
                    case "$PARAM" in
                        # Some options are deprecated
                        gpg)
                            echo "WARNING: $dst in /etc/crypttab uses the deprecated gpg option, see man crypttab(5)." >&2
                            ;;
                        ssl)
                            echo "WARNING: $dst in /etc/crypttab uses the deprecated ssl option, see man crypttab(5)." >&2
                            ;;
                        luks)
                            plainopts="3"
                            ;;
                        cipher|hash|size)
                            plainopts="$(($plainopts+1))"
                            ;;
                    esac
                done
                if [ "$plainopts" -lt "3" ]; then
                    echo "WARNING: you need to set all of cipher, hash and size for the plain dm-crypt mapping $dst in /etc/crypttab." >&2
                fi
                unset IFS
            fi
        done
        ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

==> debian/checks/swap <==
#!/bin/sh
echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2
/lib/cryptsetup/checks/blkid "$1" "swap"

==> debian/checks/xfs <==
#!/bin/sh
echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2
/lib/cryptsetup/checks/blkid "$1" "xfs"

==> debian/checks/un_blkid <==
#!/bin/sh

# this script depends on /sbin/blkid from the util-linux package

# usage: un_blkid <dev> [<fs>]
# <dev> may be any device that should be checked.
# if no <fs> is given, the check fails for any valid filesystem
# if <fs> is given, the check fails when a filesystem type <fs>
# is found on the device.

if test ! -x "/sbin/blkid"; then
	echo " - WARNING: blkid from util-linux is not available, impossible to run checks."
	exit 1
fi

dev="$1"
fs="$2"
blkid="$(/sbin/blkid -o value -s TYPE -p "$dev")"

# blkid output is empty if $dev has an unknown filesystem
if [ -n "$blkid" ] && [ -z "$fs" ]; then
	echo " - The device $dev contains a filesystem type $blkid."
	exit 1
elif [ -n "$fs" ] && [ "$blkid" = "$fs" ]; then
	echo " - The device $dev contains a filesystem type $fs."
	exit 1
fi

==> debian/checks/ext2 <==
#!/bin/sh
echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2

not_fs=""
for fs in ext2 ext3 ext4 ext4dev; do
	/lib/cryptsetup/checks/blkid "$1" "$fs" >/dev/null || not_fs="$not_fs $fs"
done

if [ "$not_fs" = " ext2 ext3 ext4 ext4dev" ]; then
	echo " - The device $1 does not contain a valid ext2, ext3, ext4 or ext4dev filesystem."
	exit 1
fi

==> debian/checks/blkid <==
#!/bin/sh

# this script depends on /sbin/blkid from the util-linux package

# usage: blkid <dev> [<fs>]
# <dev> may be any device that should be checked.
# if no <fs> is given, the check fails if no valid filesystem is found.
# if <fs> is given, the check fails when no filesystem type <fs>
# is found on the device. if <fs> is 'none', the check fails if any
# known filesystem is found.

if test ! -x "/sbin/blkid"; then
	echo " - WARNING: blkid from util-linux is not available, impossible to run checks."
	exit 1
fi

dev="$1"
fs="$2"
blkid="$(/sbin/blkid -o value -s TYPE -p "$dev")"

# blkid output is empty if $dev has an unknown filesystem
if [ -z "$blkid" ] && [ -z "$fs" ]; then
	echo " - The device $dev does not contain a known filesystem."
	exit 1
elif [ -n "$blkid" ] && [ "$fs" = "none" ]; then
	echo " - The device $dev contains a filesystem type $blkid."
	exit 1
# 'none' is a keyword, not a filesystem type: without the extra test below an
# empty $blkid would fall into this branch and fail a device that is correctly
# blank.
elif [ -n "$fs" ] && [ "$fs" != "none" ] && [ "$blkid" != "$fs" ]; then
	echo " - The device $dev does not contain a filesystem type $fs."
	exit 1
fi

==> debian/cryptdisks.init <==
#! /bin/sh
### BEGIN INIT INFO
# Provides:          cryptdisks
# Required-Start:    checkroot cryptdisks-early
# Required-Stop:     umountroot cryptdisks-early
# Should-Start:      udev mdadm-raid lvm2
# Should-Stop:       udev mdadm-raid lvm2
# X-Start-Before:    checkfs
# X-Stop-After:      umountfs
# X-Interactive:     true
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Setup remaining encrypted block devices.
# Description:
### END INIT INFO

set -e

if [ -r /lib/cryptsetup/cryptdisks.functions ]; then
	. /lib/cryptsetup/cryptdisks.functions
else
	exit 0
fi

INITSTATE="remaining"
DEFAULT_LOUD="yes"

case "$CRYPTDISKS_ENABLE" in
	[Nn]*)
		exit 0
		;;
esac

case "$1" in
	start)
		do_start
		;;
	stop)
		do_stop
		;;
	restart|reload|force-reload)
		do_stop
		do_start
		;;
	force-start)
		FORCE_START="yes"
		do_start
		;;
	*)
		echo "Usage: cryptdisks {start|stop|restart|reload|force-reload|force-start}"
		exit 1
		;;
esac

==> debian/libcryptsetup-dev.docs <==
docs/examples
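The /etc/crypttab sanity checks that debian/cryptsetup.postinst runs over the installed file are worth exercising without touching a real system: which entries pass silently, which trigger a WARNING (missing fields, a plain dm-crypt mapping without all of cipher, hash and size, the deprecated gpg/ssl options) and how a trailing `# comment` on the options field is handled. The script below is an added example, not code from the cryptsetup package: it reworks the postinst loop into POSIX sh functions that judge one crypttab line at a time. It assumes only sh, grep -E and sed; the function names and the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not part of the Debian cryptsetup package: the crypttab checks
# from debian/cryptsetup.postinst as functions over a single line, so the rules
# can be run offline. Function names and sample lines are constructed.

# check_crypttab_line LINE
#   returns 0 when the postinst would accept the line silently,
#           1 when it would print at least one WARNING for it,
#           2 when the line is blank or a comment and is skipped.
check_crypttab_line() {
    # Blank and comment-only lines are filtered out by the postinst's egrep.
    printf '%s\n' "$1" | grep -Evq '^[[:space:]]*(#|$)' || return 2

    # 'read' fills the first three fields and leaves the remainder (options
    # plus any trailing comment) in $opts, exactly as the postinst loop does.
    printf '%s\n' "$1" | {
        read -r dst src key opts
        if [ -z "$src" ] || [ -z "$key" ] || [ -z "$opts" ]; then
            echo "WARNING: $dst is missing some arguments, see man crypttab(5)." >&2
            exit 1
        fi
        # Strip a trailing '# ...' comment from the options field.
        opts=$(printf '%s' "$opts" | sed 's/ *#.*//')

        # A LUKS mapping carries cipher, hash and key size in its header; a
        # plain dm-crypt mapping must name all three explicitly.
        warned=0
        plainopts=0
        IFS=','
        for opt in $opts; do
            case "${opt%%=*}" in
                luks)             plainopts=3 ;;
                cipher|hash|size) plainopts=$((plainopts + 1)) ;;
                gpg|ssl)          echo "WARNING: $dst uses the deprecated ${opt%%=*} option." >&2
                                  warned=1 ;;
            esac
        done
        if [ "$plainopts" -lt 3 ]; then
            echo "WARNING: set all of cipher, hash and size for the plain mapping $dst." >&2
            warned=1
        fi
        exit $warned
    }
}

# crypttab_verdict LINE: prints ok, warn or skip (the warnings themselves are muted).
crypttab_verdict() {
    if check_crypttab_line "$1" 2>/dev/null; then
        echo ok
    else
        case $? in
            2) echo skip ;;
            *) echo warn ;;
        esac
    fi
}

# Constructed sample crypttab, one entry per line.
sample_crypttab='# <target> <source> <key file> <options>
sda2_crypt /dev/sda2 none luks
data /dev/sdb1 /etc/keys/data.key luks,discard # trailing comment
cswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=plain
oldswap /dev/sda5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
broken /dev/sda4 none'

printf '%s\n' "$sample_crypttab" | while IFS= read -r line; do
    printf '%-5s %s\n' "$(crypttab_verdict "$line")" "$line"
done
```

Run as-is, the loop prints a verdict next to each sample entry: the two LUKS lines and the fully specified plain swap pass, the swap line missing `hash=` and the entry with no options field are flagged, and the header comment is skipped. The postinst only warns and never aborts on these conditions, which is why the example reports a verdict instead of exiting.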