horok/cryptsetup
1
0
Fork 0
Code Activity

Adding debian version 2:2.7.5-2.

Browse source 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
This commit is contained in:
Daniel Baumann 2025-06-21 10:45:48 +02:00
parent 309c0fd158
commit 74b680e410
Signed by: daniel.baumann
GPG key ID: BCC918A2ABD66424
182 changed files with 18186 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

12
debian/NEWS vendored Normal file
View file

@ -0,0 +1,12 @@
cryptsetup (2:2.3.3-3+exp1) experimental; urgency=medium
This release adds a new binary package 'cryptsetup-suspend' which brings
support to suspend encrypted LUKS devices before the system goes to sleep
(via ACPI S3 system suspend). In other words, the encryption keys for
LUKS devices are removed automatically from system memory before system
suspend. After system resume, LUKS devices will be unlocked again and
the user may be asked to provide a passphrase if required.
See the cryptsetup-suspend(7) manpage for more information.
-- Jonas Meurer <jonas@freesources.org> Wed, 12 Aug 2020 21:31:47 +0200

344
debian/README.Debian vendored Normal file
View file

@ -0,0 +1,344 @@
Cryptsetup for Debian
=====================
Table of Contents
-----------------
* 1. Introduction into Cryptsetup for Debian
* 2. Encrypted swap partition(s)
* 3. Insecure mode/owner for keys
* 4. Cryptsetup and udev
* 5. Useful keyscripts: askpass and passdev
* 6. The `check` option
* 7. Cryptsetup and Splashy
* 8. Remotely unlock encrypted rootfs
* 9. Backup the LUKS header
* 10. Changing the boot order of cryptdisks init scripts
* 11. Unlocking LUKS devices from GRUB
* 12. Suspend LUKS devices on system suspend
* 13. Credits
1. Introduction into Cryptsetup for Debian
------------------------------------------
Cryptsetup is a command-line interface for configuring encrypted block
devices via dm-crypt, a kernel device-mapper target. For documentation about
the cryptsetup tool, see manpage of cryptsetup(8) and the frequently asked
questions at `/usr/share/doc/cryptsetup/FAQ.gz`.
The Debian cryptsetup package provides the initscript `/etc/init.d/cryptdisks`
and a configuration file `/etc/crypttab` for automatically configuring encrypted
devices at boot time. The applications cryptdisks_start and cryptdisks_stop
are provided to process crypttab configured devices manually. See the manpages
of crypttab(5), cryptdisks_start(8) and cryptdisks_stop(8) for more information.
The systemd init system masks our initscripts as it has native
cryptsetup support; use cryptdisks_start(8) or systemd-cryptsetup@.service(8) to
manually unlock devices on such systems.
The luksformat script provides a simple interface for creating an encrypted
device that follows the LUKS standard and for putting a file system onto the
encrypted device. See man luksformat(8) for more information.
If you wish to perform a Debian installation to an encrypted root, you might
be interested in using a version of Debian Installer with partman-crypto,
which will install the system and setup cryptsetup and initramfs-tools.
For instructions about how to encrypt your root filesystem and integrate
cryptsetup into initramfs on a running system, see
`/usr/share/doc/cryptsetup-initramfs/README.initramfs.gz`.
2. Encrypted swap partition(s)
------------------------------
An encrypted swap partition prevents spying on plaintext secrets (passwords)
that may be written to disk when memory is swapped to disk.
To encrypt your swap partitions, you'll first have to deactivate your swap:
swapoff -a
You'll have to add an entry for every swap partition in `/etc/crypttab`. Be
sure to place the source device (here `/dev/sde9`) with your swap devices:
# <target name> <source device> <key file> <options>
cswap1 /dev/sde9 /dev/urandom plain,cipher=aes-xts-plain64,size=256,swap
Now you need to change the swap devices in `/etc/fstab` to the encrypted swap
device names (`/dev/mapper/cswap1` in this example).
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sde9 none swap sw 0 0
becomes
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cswap1 none swap sw 0 0
Then, you need to start the cryptsetup swap devices and reactivate swap:
cryptdisks_start cswap1
swapon -a
And finally, if `/dev/sde9` was previously used as resume device, you should
disable it (the new swap partition is mapped with a non-persistent key hence
can't be used for resuming after suspend to disk). With initramfs-tools 0.130
and later, this can be done with
echo "RESUME=none" >/etc/initramfs-tools/conf.d/resume
update-initramfs -u
That's it! You have a crypted swap device. Note that `/dev/urandom` provides
only pseudo-random entropy. So if you're paranoid rather use `/dev/random` as
source for random data. Be aware though that `/dev/random` might not provide
enough random bytes for your key, causing your system to hang at boot, waiting
for more entropy. Moving mouse and keyboard typing might help in this case.
Read the crypttab(5) manpage for more information, for example options to use
a different encryption algorithm than the default.
3. Insecure mode/owner for keys
-------------------------------
Any key that is stored somewhere to be used with cryptsetup should have the
mode 400 (`-r--------`) and root as owner/group. `chown root.root keyfile` and
`chmod 400 keyfile` will do the trick for you.
If a key is stored on a vfat filesystem (very common for removable media),
chmod and chown will not work. The vfat filesystem (and several others too)
does not support file permissions and ownership. Instead, you should use the
uid, gid and umask options in `/etc/fstab` to ensure secure permissions for
the key.
As an example, assume that `/dev/sdg8` is the removable media containing
keyfiles on a vfat filesystem and that it is going to be mounted on
`/media/flash0`. The configuration in `/etc/fstab` should then be something
like this:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sdg8 /media/flash0 vfat uid=0,gid=0,umask=277 0 0
If you are using udev, it might be a good idea to use the `/dev/disk/by-label`
links instead of `/dev/sdg8` as the link will work no matter in which order the
media is inserted and detected.
4. Cryptsetup and udev
----------------------
As a workaround for some yet-to-be-fixed race condition in kernel,
device-mapper or udev, cryptsetup currently runs udevsettle.
This leads to problems if you invoke cryptsetup as part of a udev rule.
udevsettle waits until queued kernel/udev events are processed and the
"run programs" have finished. Due to cryptsetup itself being a "run
program" in this case, this ends in a deadlock.
Therefore cryptsetup should be detached directly after invocation in this
case, so that it runs asynchronously.
5. Useful keyscripts: askpass and passdev
-----------------------------------------
The cryptsetup package ships with several keyscripts. Keyscripts may be
configured in `/etc/crypttab` in order to provide the key required to unlock
the device. The shipped keyscripts are located at `/lib/cryptsetup/scripts`.
Some keyscripts have an own README file at `/usr/share/doc/cryptsetup/`.
Two special keyscripts, worth being mentioned here, are askpass and passdev.
Askpass is located at `/lib/cryptsetup/askpass`. It's a simple helper program
that supports different methods (console, fifo, splashy, ...) to prompt for a
passphrase, and prints the result to stdout. The syntax is:
/lib/cryptsetup/askpass PROMPT
Passdev will wait for a given device to appear, mount it read-only, read the
key, and unmount the device. See `/usr/share/doc/cryptsetup-initramfs/README.initramfs.gz`
for more information about passdev.
6. The `check` option
---------------------
The `check` option in crypttab allows one to configure checks to be run
against the target device after cryptsetup has been invoked.
The default check `blkid` can check for any known filesystem type, as it uses
blkid from util-linux. you can check for a particular filesystem by giving for
example `checkargs=ext4` or `checkargs=swap` as an option in `/etc/crypttab`.
Please send us your checks, if you write new ones. If they are generally
useful, we will include them in the package.
See man crypttab(5) for more information about the checksystem.
7. Cryptsetup and Splashy
-------------------------
Splashy support in cryptsetup is currently somehow limited. Splashy is known
to freeze at the password dialog for encrypted non-root filesystems. Only the
password dialog for the encrypted root filesystem works.
It seems like splashy freezes for any input dialog in initscripts while
input dialogs at initramfs stage seem to work. This leads to the assumption
that the bug is somewhere in splashy and neither in cryptsetups initscripts
nor in askpass.
8. Remotely unlock encrypted rootfs
-----------------------------------
Thanks to Chris <debian@x.ray.net> it's possible to install a dropbear SSH
server into the initramfs, connect to this SSH server during execution of
initramfs early in the boot process, and unlock encrypted devices - even
the root device - before the boot process continues. (Note that in order
to force an arbitrary device to be processed at initramfs stage you
might need to set the `initramfs` option in its crypttab entry; see
crypttab(5) for details.)
This way it is possible to use an encrypted root filesystem on headless
systems where no physical access is available during boot process.
Dropbear 0.52-1 or later is required for this to work. (Since 2015.68-1 the
functionality has its own binary package `dropbear-initramfs`.) Consult
`/usr/share/doc/dropbear-initramfs/README.initramfs` from the dropbear-initramfs
package for information how to install and configure the dropbear SSH server
into the initramfs.
You can then unlock the disk remotely via SSH with
ssh -tF ~/.luks/ssh.conf root@remote.system.com cryptroot-unlock
Or, using a local gpg-encrypted key file:
gpg --decrypt ~/.luks/remote.key.gpg | ssh -TF ~/.luks/ssh.conf root@remote.system.com cryptroot-unlock
When its standard input is a TTY, `cryptroot-unlock` keeps prompting for
passphrases until there are no more devices to unlock; otherwise you'll
need to invoke it as many times as there are devices to unlock.
That's it. Now that all required encrypted devices are unlocked, the
remote system should continue with the boot process.
You can also use the following authorized_keys(5) options in
`/etc/dropbear-initramfs/authorized_keys` to restrict access and avoid
users poking around:
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa ...
(Be sure to rebuild the initrd afterwards: `update-initramfs -u -k all`)
9. Backup the LUKS header
-------------------------
WARNING: This information might be outdated. Please read the cryptsetup FAQ
at `/usr/share/doc/cryptsetup/FAQ.gz` for up-to-date information on how to
backup the LUKS header.
The LUKS header is located at the beginning of every LUKS encrypted device.
It stores information such as used cipher, hash, etc. But most importantly,
the header contains eight keyslots, which do keep an encrypted version of the
LUKS masterkey. the data on an encrypted LUKS partition is encrypted with this
masterkey. thus, there's no way to restore the data once the masterkey is
lost. For that reason, one might want to backup the LUKS header in order to
prevent accidental data loss.
On the other hand keeping a backup of the LUKS header isn't recommended for
security reasons. The reason is, that LUKS was designed with key revocation in
mind. Once the LUKS header is copied to a backup, revoking a (possibly
compromised) passphrase or keyfile from the keyslot isn't enough anymore. the
revoked passphrase/keyfile can easily be reactived by writing back the header
backup to the device.
Beginning with version 1.1.0, cryptsetup has support for the commands
luksHeaderBackup and luksHeaderRestore. If you want to store a backup of your
LUKS header with the mentioned drawbacks in mind, do the following:
Prepare a ramdisk to store the backup temporarely. You should do that in order
to prevent any hardware caching functions or filesystem jounals to copy the
backup around to places you cannot control. If you want to store the backup
permanently, write it to a read-only medium like CD immediately from ramdisk,
without your burning program writing an intermediate image to some temp dir.
To actually backup the header, use the following command:
cryptsetup luksHeaderBackup <luks-device> --header-backup-file <destination-on-ramdisk>
That's it. But once again, keep in mind all the security implications when
doing LUKS header backups. In general it's better to backup the data from
encrypted LUKS devices to another encrypted LUKS device. That way you can
manage the keyslots for both original and backup device independently.
10. Changing the boot order of cryptdisks init scripts
------------------------------------------------------
In order to support non-standard setups, it might be necessary to change the
order of init scripts in the boot process. Cryptsetup already installs two
init scripts, cryptdisks-early and cryptdisks, in order to support some complex
setups. For example, both "lvm on luks" and "luks on lvm" are supported that
way.
If your system isn't supported by the default order of init scripts in the
boot process, you need to change the boot process on your own. In some cases
it might be enough to change the LSB dependency headers at initscripts, see
`/etc/init.d/README` for more information about that. For more complex setups,
more intrusive changes are required. For example, adding a third cryptdisks
init script might help. See the log of bugreport [#576646] and [discussion on
debian-devel] for further information.
[#576646]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576646
[discussion on debian-devel]: https://lists.debian.org/debian-devel/2010/06/msg00021.html
11. Unlocking LUKS devices from GRUB
------------------------------------
GRUB has been able to unlock LUKS1 devices since early in Jessie's
release cycle. This feature removes the need for a separate cleartext
`/boot` partition, hence enables "real" full disk encryption. However
cryptsetup >=2.1 uses LUKS version 2 by default, which GRUB 2.02 doesn't
support. In other words, as of Buster it is not possible to unlock from
GRUB new LUKS devices formatted with the default parameters.
Neither Jessie nor Stretch's installers natively support unlocking from
GRUB, hence users already had to implement various workarounds to enable
it. **Former workarounds won't work anymore with LUKS2**. Integration
between LUKS and GRUB is documented at
<https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html>,
including recipes to enable the feature starting from the usual
"encrypted LVM" partitioning method of the Debian Installer -- both with
LUKS1 (pre-Buster) and LUKS2 (Buster and later) devices.
12. Suspend LUKS devices on system suspend
------------------------------------------
The 'cryptsetup-suspend' package brings support to suspend encrypted
LUKS devices before the system goes to sleep (via ACPI S3 system suspend).
In other words, the encryption keys for LUKS devices are removed
automatically from system memory before system suspend. After system
resume, LUKS devices will be unlocked again and the user may be asked
to provide a passphrase if required.
See the cryptsetup-suspend(7) manpage for more information.
13. Credits
-----------
People who contributed to the Debian cryptsetup package:
* Guilhem Moulin <guilhem@debian.org>
* Jonas Meurer <jonas@freesources.org>
* David Härdeman <david@hardeman.nu>
* Bastian Kleineidam <calvin@debian.org>
* Michael Gebetsroither <michael.geb@gmx.at>
-- Jonas Meurer <jonas@freesources.org>, Sun, 09 Jun 2019 15:01:09 +0200

72
debian/README.debug vendored Normal file
View file

@ -0,0 +1,72 @@
Debugging Cryptsetup issues
===========================
Cryptsetup is responsible for unlocking dm-crypt devices. The cryptsetup Debian
provide a whole slew of helper scripts that integrate cryptsetup into the
Debian operating system. The most important ones are the `cryptdisks` init
script and the `cryptroot` initramfs scripts, both implementing support for the
`/etc/crypttab` configuration file and for automatic unlocking of encrypted
devices during the boot process.
This page collects information on debugging different features of the Debian
cryptsetup packages in case of problems.
Debug cryptroot initramfs script
--------------------------------
In order to debug the cryptroot initramfs script during initramfs stage, the
following steps are required:
* Boot into the initramfs rescue shell by adding `break=premount` as kernel
option during boot
In grub, this can be done interactively from the grub boot menu: `<E>` to
edit, and `<Ctrl>+<X>` to boot once you've edited the kernel line.
See <https://help.ubuntu.com/community/Grub2/Troubleshooting#Editing_the_GRUB_2_Menu_During_Boot>
for details.
* Append `-x` to the shebang (first line) of cryptroot initramfs script:
sed -i -e '1s,^#!/bin/sh,& -x,' /scripts/local-top/cryptroot
* Run the cryptroot initramfs script manually, redirecting output to a log file:
/scripts/local-top/cryptroot 2>&1 | tee /run/initramfs/cryptroot.debug
**Please note:** if the boot process is broken, you might need to mount an
external storage device (e.g. a USB flash drive) inside the initramfs and
redirect the output to a log files on this external device.
* Continue the boot process (by pressing `<Ctrl>+<D>`) and save a copy of the
debug log file to `/run/initramfs/cryptroot.debug`. The content of `/run/`
will be lost after reboot.
Sometimes, debugging the initramfs directly can be helpful as well. See
<https://wiki.debian.org/InitramfsDebug#Saving_debug_information> for details.
Gather debugging information in the initramfs rescue shell
----------------------------------------------------------
Useful commands to gather information from initramfs rescue shell:
* Check for device-mapper support (these directories/symlinks exist only if
kernel has device-mapper support):
ls -l /sys/class/misc/device-mapper /sys/devices/virtual/misc/device-mapper
* Check whether dm-crypt kernel module is loaded:
lsmod | grep dm-crypt
* Display cryptroot configuration and list loaded kernel modules:
cat /cryptroot/crypttab
lsmod
* Gather information about the available block devices:
blkid
ls -l /dev/disk/by-*/
-- Jonas Meurer <jonas@freesources.org>, Wed 25 Dec 2019 02:58:00 PM CET

42
debian/README.gnupg vendored Normal file
View file

@ -0,0 +1,42 @@
Using GnuPG keys for LUKS dm-crypt devices in Debian
====================================================
The Debian cryptsetup package provides the keyscript `decrypt_gnupg` for
setups with a GnuPG encrypted LUKS keyfile.
The following example assumes that you store the encrypted keyfile in
`/etc/keys/cryptkey.gpg`. LUKS device is `/dev/<luks_device>`.
First, you'll have to create the encrypted keyfile:
dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
--no-default-keyring --keyring /dev/null \
--trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg
Next the LUKS device needs to be formated with the key. For that, the
`decrypt_gnupg` keyscript can be used:
/lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \
cryptsetup --key-file=- luksFormat /dev/<luks_device>
In order to unlock the encrypted LUKS device automatically during boot process,
add the following to `/etc/crypttab`:
cdev1 /dev/<luks_device> /etc/keys/cryptkey.gpg luks,discard,keyscript=decrypt_gnupg
Decrypting the keyfile at initramfs stage
-----------------------------------------
If the device is to be unlocked at initramfs stage (such as for the root FS or
the resume device), the provided initramfs hooks should do all additionally
required work for you when the initramfs is created or updated.
Be warned though, that for such devices the GnuPG encrypted key is copied to
the initramfs by the initramfs cryptgnupg hook. If you don't want this, you
should take a look at the initramfs cryptgnupg hook, which is located at
`/usr/share/initramfs-tools/hooks/cryptgnupg`.
-- Jonas Meurer <jonas@freesources.org> Thu, 04 Mar 2010 17:31:40 +0100
-- Guilhem Moulin <guilhem@guilhem.org> Sat, 17 Sep 2016 16:14:41 +0200

55
debian/README.gnupg-sc vendored Normal file
View file

@ -0,0 +1,55 @@
Using an OpenPGP smartcard for LUKS dm-crypt devices in Debian
==============================================================
The Debian cryptsetup package provides the keyscript `decrypt_gnupg-sc`
for setups with a keyfile that is encrypted using an OpenPGP smartcard.
The following example assumes that you store the encrypted keyfile in
`/etc/keys/cryptkey.gpg`. LUKS device is `/dev/<luks_device>`.
First, you'll have to create the keyfile and encrypt it with your key
0xDEADBEEF:
dd if=/dev/random bs=1 count=256 | gpg --recipient 0xDEADBEEF \
--output /etc/keys/cryptkey.gpg --encrypt
Next the LUKS device needs to be formated with the key. For that, the
`decrypt_gnupg-sc` keyscript can be used:
/lib/cryptsetup/scripts/decrypt_gnupg-sc /etc/keys/cryptkey.gpg | \
cryptsetup --key-file=- luksFormat /dev/<luks_device>
In order to unlock the encrypted LUKS device automatically during boot process,
add the following to `/etc/crypttab`:
cdev1 /dev/<luks_device> /etc/keys/cryptkey.gpg luks,keyscript=decrypt_gnupg-sc
In order to avoid data loss if the smartcard is damaged or lost, you may
want to decrypt `/etc/keys/cryptkey.gpg` and store the plaintext in a safe
place. Or alternatively, use another slot with your backup key:
cryptsetup luksAddKey /dev/<luks_device> /path/to/backup.key
Decrypting the keyfile at initramfs stage
-----------------------------------------
If the device is to be unlocked at initramfs stage (such as for the root
FS or the resume device), you need to copy the public part of the
encryption key to `/etc/cryptsetup-initramfs/pubring.gpg`:
gpg --export 0xDEADBEEF >/etc/cryptsetup-initramfs/pubring.gpg
Then the provided initramfs hooks should do all additionally required
work for you when the initramfs is created or updated.
Be warned though, that for such devices the OpenPGP encrypted key is copied
to the initramfs by the initramfs cryptgnupg-sc hook. If you don't want this,
you should take a look at the initramfs cryptgnupg-sc hook, which is located
at `/usr/share/initramfs-tools/hooks/cryptgnupg-sc`.
Moreover, note that unlocking at initramfs stage is currently not compatible
with plymouth or other bootsplash, as a curses-based prompt is used for PIN
entry.
-- Guilhem Moulin <guilhem@guilhem.org> Sun, 23 Sep 2018 03:28:31 +0200

291
debian/README.initramfs vendored Normal file
View file

@ -0,0 +1,291 @@
Debian Cryptsetup Initramfs integration
=======================================
1. Introduction
---------------
Kernels more recent than 2.6.12 have dropped support for devfs, which
means that initrd-tools can no longer be used to boot into an encrypted
root partition. Instead, a similar functionality has been developed for
use with an initramfs-image.
2. A fresh installation
-----------------------
If you plan to perform a completely new installation of Debian onto a
machine and to do so using an encrypted root partition, you might want
to consider using a version of Debian Installer with partman-crypto
(see https://wiki.debian.org/DebianInstaller/PartmanCrypto).
The installation will then take care of all the details and perform the
necessary configuration for you, meaning that you should not have to
read the rest of this document to get a machine with an encrypted
root filesystem up and running.
However, if you are not planning to perform a new installation from scratch,
the following information might be useful to you.
3. Requirements
---------------
In order to boot from an encrypted root filesystem, you need an
initramfs-image which includes the necessary kernel modules and scripts to
setup the root device after the kernel has been initialized, but before the
rest of the operating system is booted.
To do so, you need two partitions:
* an unencrypted `/boot` partition
* an encrypted `/` partition
In addition, you need to have both initramfs-tools and busybox installed.
NOTE: You should make sure that your swap partition is either encrypted, or
that you are using a swap file on an encrypted partition, as crypto keys and
other sensitive information might otherwise be written out to the swap
partition in unencrypted form.
4. Setup (regular dm-crypt)
---------------------------
First of all, you must edit `/etc/crypttab` and add a line describing your
root device, for example:
cryptroot /dev/sda2 none cipher=aes-xts-plain64,size=256,hash=sha1
This will allow cryptsetup to create `/dev/mapper/cryptroot` from the
encrypted partition `/dev/sda2` during boot.
In addition, you must also make sure that the root device is listed in
`/etc/fstab`, for example:
/dev/mapper/cryptroot / ext4 defaults 0 1
This will allow the initramfs support scripts to know which of the devices
in the crypttab that is the root device.
After doing these changes, you should regenerate the initramfs by running
`update-initramfs -u`, then make sure that your boot loader is configured
to feed the initramfs to the kernel when booting. The kernel root argument
should also be changed to `/dev/mapper/cryptroot`.
Now, reboot the machine, and if everything is correctly configured, you
should be given a prompt to type in the passphrase for the encrypted
root partition before the boot can continue.
NOTE: In order to ensure that the crypto setup works in a consistent
manner, you should make sure that the hash function is specified in the
/etc/crypttab file if you are using regular dm-crypt (with LUKS the hash
function to use is stored in the LUKS header).
5. Setup (using LUKS)
---------------------
If you are using the LUKS feature of cryptsetup, the above setup recipe should
still apply, but since most options can be derived from the information stored
in the LUKS header on-disk, the line to add to `/etc/crypttab` should look
something like this:
cryptroot /dev/sda2 none luks,discard
6. Exotic key types
-------------------
The above examples assume that you use a regular passphrase as the key to the
encrypted filesystem. However, if you wish to make use of more complex setups
(such as root-key-on-usb-memory), you can create a script which does all the
steps necessary to retrieve the key and then prints it to stdout.
Then add a `keyscript=/path/to/your/script.sh` to the options (fourth column)
in the above mentioned `/etc/crypttab` line, so that it looks something like
this:
cryptroot /dev/sda2 none luks,discard,keyscript=/usr/local/sbin/cryptkey
Next, regenerate your initramfs image. This will copy the script into the
initramfs image under the `/lib/cryptsetup/keyscripts/` directory.
NOTE: there is a limited set of tools available when the script is executing
as part of the initramfs bootup, you have to make sure that you do not use
any tools which are not available or your script, and therefore boot, will
fail.
7. "cryptopts" boot argument
----------------------------
In general, you should use the above approach with a line describing your
root partition in `/etc/crypttab` and `/etc/fstab`. However, if for some
reason you wish to override the settings that are derived from these files
and stored in the initramfs image, you can use the "cryptopts" boot argument
(this *only* works for the root partition).
The format of cryptopts is:
cryptopts=<opt1>[=<value1>],<opt2>[=<value2>]...
Beside options from the 4th field of /etc/crypttab, the options
`target`, `source` and `key` are also supported: they respectively
correspond to the first, second and third field of /etc/crypttab.
Consult the crypttab manual page for further details.
Several `cryptopts` boot arguments can also be specified in case more than
one mapping needs to be setup in the initramfs stage of the boot.
Example boot arguments:
root=/dev/mapper/crypt0 cryptopts=target=crypt0,source=/dev/sda1,cipher=aes-xts-plain64,size=256,hash=sha1
In particular, if all `cryptopts` boot arguments have an empty value
then no mapping is setup. This can be used to disable the cryptsetup
initramfs scripts for a particular boot.
8. Resume device support
------------------------
The initramfs scripts will also try to automatically determine the devices,
if any, that are used for software suspend (swsusp, suspend2 or uswsusp) and
to set them up during the initramfs stage in order to allow suspend and resume
in combination with encryption to keep the resume image safe from potential
attackers.
If your resume device and your root partition use two different cryptsetup
mappings, you might want to use the `decrypt_derived` keyscript as described
below.
9. The `decrypt_derived` keyscript
----------------------------------
Assume that you have two entries in `/etc/crypttab`:
cryptroot /dev/sda1 none luks,discard
cryptswap /dev/sda2 none luks
If cryptswap is used as your suspend/resume device, you'd normally need to
enter two different passphrases during the boot, but the `decrypt_derived`
script can generate the key for the second mapping using a hash of the key
for the first mapping.
In short, you'll need to do something like the following to take advantage
of the decrypt_derived script:
1. `swapoff -a`
2. `cryptsetup luksClose cryptswap`
3. edit `/etc/crypttab` and change the cryptswap line to e.g.:
`cryptswap /dev/sda2 cryptroot cipher=aes-xts-plain65,size=256,hash=sha1,keyscript=decrypt_derived,swap`
4. `cryptdisks_start cryptswap`
5. Make sure that `/dev/mapper/cryptswap` has been created
6. `swapon -a`
7. (optional) `update-initramfs -u`
After you've followed the above steps, your swap device should be setup
automatically after the root device has been setup during the boot stage.
WARNING: If you use the decrypt_derived keyscript for devices with persistent
data (i.e. not swap or temp devices), then you will lose access to that data
permanently if something damages the LUKS header of the LUKS device you derive
from. The same applies if you luksFormat the device, even if you use the same
passphrase(s). A LUKS header backup, or better a backup of the data on the
derived device may be a good idea. See the Cryptsetup FAQ on how to do this
right.
Note: The decrypt_derived keyscript won't work when the volume key of the
device being derived from is offloaded to the kernel keyring service (thus not
readable by userspace). That behavior is the default for LUKS2 devices (unless
opened with the `--disable-keyring` option) since Linux 4.10. For such devices,
an alternative is to use the same passphrase and unlock the source device using
the `decrypt_keyctl` keyscript.
Note: If you don't use suspend device support, it's better to use completely
random keys for your encrypted swap device. See the section '2. Encrypted
swap partition(s)' in `/usr/share/doc/cryptsetup/README.Debian.gz` for
information on how to setup this.
10. The `passdev` keyscript
----------------------------
If you have a keyfile on a removable device (e.g. a USB-key), you can use the
passdev keyscript. It will wait for the device to appear, mount it read-only,
read the key and then unmount the device.
The `key` part of `/etc/crypttab` will be interpreted as `<device>:<path>[:<timeout>]`,
it is strongly recommended that you use one of the persistent device names from
`/dev/disk/*`, e.g. `/dev/disk/by-label/myusbkey`.
This is an example of a suitable line in cryptsetup:
cryptroot /dev/sda2 /dev/disk/by-label/myusbkey:/keys/root.key discard,cipher=aes-xts-plain64,size=256,hash=sha1,keyscript=passdev
The above line would cause the boot to pause until `/dev/disk/by-label/myusbkey`
appears in the fs, then mount that device and use the file `/keys/root.key`
on the device as the key (without any hashing) as the key for the fs.
The timeout option has to be in seconds.
If any modules are required in order to mount the filesystem on the removable
device, then initramfs-tools needs to be configured to add these modules to
the initramfs. This can be done by listing the required modules in
`/etc/initramfs-tools/modules`.
11. Limitation: renaming of target name for encrypted root device
-----------------------------------------------------------------
As spotted by Adam Lee in bug report [#671037], it's not possible to simply
rename the target name for encrypted root devices. It breaks the initramfs
creation process. The bug report submitter found a solution to work around
this limitation:
0. enter another system (like livecd)
1. open luks device with the new name, change the target name to the new one
2. chroot into it (now, the current target name is the same as it in conf)
3. `update-initramfs -u`
4. reboot
[#671037]: https://bugs.debian.org/671037
12. Storing keyfiles directly in the initramfs
----------------------------------------------
Normally devices using a keyfile are ignored (with a loud warning), and
the key file itself is not included in the initramfs, because the initramfs
image typically lives on an unencrypted `/boot` partition. However in
some cases it is desirable to include the key file in the initramfs; for
instance recent versions of GRUB support booting from encrypted block
devices, allowing an encrypted `/boot` partition.
Among the key files listed in the crypttab(5), those matching the value
of the environment variable KEYFILE_PATTERN (interpreted as a shell
pattern) will be included in the initramfs image. For instance if
`/etc/crypttab` lists two key files `/etc/keys/{root,swap}.key`, you can
add the following to `/etc/cryptsetup-initramfs/conf-hook` to add them to
the initramfs.
KEYFILE_PATTERN="/etc/keys/*.key"
Furthermore if the initramfs image is to include private key material,
you'll want to create it with a restrictive umask in order to keep
non-privileged users at bay. This can be achieved by adding the
following to `/etc/initramfs-tools/initramfs.conf`.
UMASK=0077
13. The stages in the initramfs at which dm-crypt devices are mapped
--------------------------------------------------------------------
The devices necessary for the root filesystem, /usr, any resume swap device and
any device with the `initramfs`-option in `crypttab` are first tried to be
mapped (that is: "opened" or "decrypted") in `initramfs-tools`'s `local-top`-
phase.
Any which couldn't be mapped there are retried in the `local-block`-phase.
This may be subject to change.
-- David Härdeman <david@hardeman.nu>
-- Jonas Meurer <mejo@debian.org> Thu, 01 Nov 2012 13:44:31 +0100
-- Guilhem Moulin <guilhem@debian.org> Wed, 09 Dec 2015 04:53:41 +0100

106
debian/README.keyctl vendored Normal file
View file

@ -0,0 +1,106 @@
decrypt_keyctl
==============
A passphrase caching script to be used in `/etc/crypttab` on Debian and Ubuntu.
When there are multiple cryptsetup (either plain or LUKS) volumes with the same
passphrase, it is an unnecessary task to input the passphrase more than once.
Just add this script as keyscript to your `/etc/crypttab` and it will cache the
passphrase of all crypttab entries with the same identifier.
Either copy decrypt_keyctl into the default search path for keyscripts from
cryptsetup /lib/cryptdisks/scripts/. So you can just write
`keyscript=decrypt_keyctl` in `/etc/crypttab`, or use a random path of your
choice and give the full path e.g `keyscript=/sbin/decrypt_keyctl`.
Requirements
------------
* Debian cryptsetup package with `/etc/crypttab` handling and keyscript option
* Tested with Debian Lenny, Squeeze and Sid
* Installed and working keyutils package (`keyctl`)
* Needs `CONFIG_KEYS=y` in your kernel configuration
What For?
---------
In old (pre 2.6.38) kernels, dm-crypt used to be single threaded. Thus every
dm-crypt mapping only used a single core for crypto operations. To use the full
power of your many-core processor it is was necessary to split the dm-crypt
device. For Linux software raid arrays the easiest segmentation was to just put
the dm-crypt layer below the software raid layer.
But with a 5 disk raid5 it is a rather daunting task to input the passphrase
five times. This is what this keyscripts solve for you.
Usage
-----
Best shown by example:
* 5 disks
* Linux software raid5
Layer:
sda sdb sdc ... sde
+-----------+ +-----------+
| LUKS | | LUKS |
| +-------+ | | +-------+ |
| | RAID5 | | | | RAID5 | |
| | ... | | | | ... | |
Crypttab Entries:
<target> <source> <keyfile> <options>
sda_crypt /dev/sda2 main_data_raid luks,discard,keyscript=decrypt_keyctl
sdb_crypt /dev/sdb2 main_data_raid luks,discard,keyscript=decrypt_keyctl
...
sde_crypt /dev/sde2 main_data_raid luks,discard,keyscript=decrypt_keyctl
How does it work
----------------
Crypttab Interface:
A keyscript is added to options including a keyfile definition as third
parameter in the crypttab file. The keyscript is called with the keyfile as the
first and only parameter. Additionally there are a few environment variables
set but currently are not used by this keyscript (man 5 crypttab for exact
description).
Keyscript:
`decrypt_keyctl` uses the Linux kernel keyring facility to securely cache
passphrases between multiple invocations.
The keyfile parameter from crypttab is used to find the same passphrase
between multiple invocations. The term used to described the key in the user
keyring is `cryptsetup:$CRYPTTAB_KEY`, unless `$CRYPTTAB_KEY` is empty
or has the special value `none`, in which case the description is merely
`cryptsetup` (thus allowing compatibility with other tools like gdm and
systemd-ask-password(1).)
Currently the cache timeout is 60 seconds and not configurable (please report a
bug if it is too low for you).
Problems
--------
Passphrase is piped between processes and could end up in unsecured memory,
thus later swapped to disk! => Use of cryptoswap recommend!
Hints
-----
To remove all traces of this keyscript you may want to cleanup the keyring
completely with the following command afterwards:
sudo keyctl clear @u
-- Jonas Meurer <jonas@freesources.org> Mon, 27 Sep 2010 14:01:35 +0000
-- Guilhem Moulin <guilhem@debian.org> Tue, 25 Dec 2018 01:12:24 +0100

124
debian/README.opensc vendored Normal file
View file

@ -0,0 +1,124 @@
opensc/pcscd with cryptsetup and LUKS on Debian
===============================================
This is an overview on how you can make use of cryptsetup with your
smartcard device supported by opensc/pcscd.
I assume that you already have an initialized smartcard with a RSA key
that has the proper X509 properties for encryption set. To generate such
a key in hardware on the smartcard you should execute the following
command:
pkcs15-init -G rsa/2048 -a [PIN id] -u sign,decrypt
If your smart card doesn't support 2048 bit RSA just change the argument
to the largest size possible.
The decrypt_opensc keyscript decrypts an encrypted key in your boot
partition with the private key on your smartcard. Therefore you have to
create a key for the partition that is to be decrypted using the
smartcard. As pkcs15-crypt does not seem to support PKCS1 padding, the
key is required to have the same size as your RSA key. For a 2048 bit
key use the following (the byte count is 256 as 2048/8 is 256):
dd if=/dev/random of=/boot/keys/key bs=1 count=256
Now the key is added to the LUKS partition:
cryptsetup luksAddKey /dev/sdXn /boot/keys/key
Enter an already existing pass phrase and watch cryptsetup doing its
job. As we don't want the key in clear on the hard drive, we are going
to encrypt it with the public key to the key on the smartcard.
Read the public key first:
pkcs15-tool --read-public-key [key id] -o pubkey
Then encrypt the random data with the extracted key, destroy the
plain text one and remove your public key from the hard drive (it isn't
necessary to shred it as a potential attacker can't use your public key
for anything).
openssl rsautl -in /boot/keys/key -inkey pubkey -pubin -raw \
-encrypt -out /boot/keys/root
shred -u /boot/keys/key
rm -rf pubkey
Now you'll have to edit `/etc/crypttab`. The format should be familiar but
I'll state it here again:
name device /boot/keys/root luks,discard,keyscript=decrypt_opensc
The modules needed by the reader should now be added to
`/etc/initramfs-tools/modules`, so they are loaded on boot time. For
example yenta_socket, pcmcia, pcmcia_core, serial_cs, rsrc_nonstatic for
PCMCIA card readers.
In a perfect world you would just rebuild the initramfs now and it would
work. Unfortunately there are some additional issues to address. The
most important one is pcscd. Newer versions of pcscd use HAL and dbus to
detect readers. As most people (including me) aren't too enthusiastic
about adding these two daemons to the initramfs, we will rebuild the
daemon to use the traditional polling method with libusb. Again, this
step is only necessary if your reader uses pcscd (for example the
Gemalto PC Card readers).
To do this, download the ccid and pcsc-lite packages from
https://pcsc-lite.alioth.debian.org/
Install the libusb header files, extract the tarballs and build pcscd
with the following commands:
apt-get install libusb-dev
./configure --disable-libhal --enable-libusb
make
make install
Now go to the ccid directory and execute these commands (the option is
only need if you use the libccidtwin.so to access your reader:
./configure [--enable-twinserial]
make
make install
This installs the new pcscd and it's libraries in `/usr/local/`. To
reflect the new situation we have to change the initramfs scripts.
Edit /etc/reader.conf to instruct `pcscd` to use the new libraries (they
should be in `/usr/local/pcsc/drivers/`) instead of the ones from the Debian
package. Replace everything after line 45 in
`/usr/share/initramfs-tools/hooks/cryptopensc` with the following chunk:
for dir in etc/opensc usr/local/pcsc var/run tmp ; do
if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi
done
# Install pcscd daemon, drivers, conf file
copy_exec /usr/local/sbin/pcscd
cp -r /usr/local/pcsc ${DESTDIR}/usr/local
cp /etc/reader.conf ${DESTDIR}/etc
cp -r /usr/local/lib ${DESTDIR}/usr/local
# Install opensc commands and conf file
copy_exec /usr/bin/opensc-tool
copy_exec /usr/bin/pkcs15-crypt
cp /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc
Edit `/usr/share/initramfs-tools/scripts/local-bottom/cryptopensc` and
`/usr/share/initramfs-tools/scripts/local-top/cryptopensc` to use the new
binary in `/usr/local/sbin/pcscd` instead of `/usr/sbin/pcscd` and change
the path in the existence test to:
if [ ! -x /usr/local/sbin/pcscd ]; then
exit 0
fi
If you have completed all the steps up to now, you can update your
initramfs image with:
update-initramfs -u -k `uname -r`
and reboot your machine. This leaves a backup of your old initramfs in
the boot partition if something doesn't work. If you have to debug your
initramfs during boot just append the `break=mount` option to the kernel
to have a debug shell just before the root partition would be mounted.
-- Benjamin Kiessling <benjaminkiessling@bttec.org>, Sun, 26 Jul 2009

40
debian/README.source vendored Normal file
View file

@ -0,0 +1,40 @@
General maintenance
This package is maintained in Git via the Alioth pkg-cryptsetup project.
Alioth is used only for repository access control and mailinglist hosting,
not for any of its other features.
This package uses the "3.0 (quilt)" source format.
Importing a new upstream release
Since upstream release 1.7.2, we use cryptographically signed Git release
tags as basis for the Debian cryptsetup package.
To import a new upstream release into our packaging repository, do the
following:
0. Ensure that you have the cryptsetup upstream Git repository available
as a remote in the Git repository where you're doing the packaging
work:
git remote add upstream https://gitlab.com/cryptsetup/cryptsetup.git
1. Merge the newest upstream release tag (pass --upstream-version=$VERSION
if you want a specific upstream version) into the 'debian/latest'
branch of your packaging repository:
gbp import-orig --uscan
That commands does all the magic, namely
- updating the `upstream` remote,
- verifying the cryptographic signature on the upstream tag 'v$VERSION',
- creating a new tag 'upstream/$VERSION' with 'v$VERSION' as additional parent, and
- merging 'upstream/$VERSION' into 'debian/latest'
N. After development and testing, the final packages to be uploaded to
Debian are built and tagged in the repository as follows:
gbp buildpackage --git-tag
-- Jonas Meurer <jonas@freesources.org> Fri, 15 Jun 2018 13:39:49 +0200

47
debian/TODO.md vendored Normal file
View file

@ -0,0 +1,47 @@
# TODO list
* luks nuke feature
* https://www.kali.org/tutorials/nuke-kali-linux-luks/
* https://pkg.kali.org/pkg/cryptsetup
* https://github.com/offensive-security/cryptsetup-nuke-keys
* TODO:
* review and improve original patch to address upstream's concerns
* http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/7184
* patch luks2 functions to support it as well
* documentation in manpage (and README.Debian?)
* bash completion
* systemd integration and future of cryptscripts
* patch cryptsetup.c in systemd to support cryptscripts?
* try the patches
* https://github.com/systemd/systemd/pull/3007#pullrequestreview-39358162
* https://lists.freedesktop.org/archives/systemd-devel/2012-June/005693.html
* or completely remove cryptscripts feature from cryptsetup in Debian?
* ephemeral swap encryption
* improve test suite
* cryptroot hook script:
- We should add parent device detection for ZFS (#820888) so users
don't have to manually add the 'initramfs' option to the crypttab.
## Old list
* Would a fallback make sense? like when using any keyscript, try passphrase
in the case that it fails. if we implement that at all, never make it the
default, and warn about security issues in README.Debian. even explain that
backup passphrase keyslots thwart the extra security of keyfiles/keyscripts.
(#438481, #471729)
* Implement something like 'ignore-if-no-device' to mount (/etc/fstab), and
thus support several situations where cryptsetup fails to setup a device:
-> the device is not attached at all
-> wrong passphrase/no keyfile available
-> timeouts arise
(#474120)
* seems like the fstab flag alread does exists: nofail. so reimplement
timeout?
* Reimplement timeout support in a cleaner way?

573
debian/askpass.c vendored Normal file
View file

@ -0,0 +1,573 @@
/*
* askpass.c - prompts a user for a passphrase using any suitable method
* and prints the result to stdout.
*
* Copyright (C) 2008 David Härdeman <david@hardeman.nu>
*
* This package is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This package is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this package; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#define _GNU_SOURCE
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 1
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdlib.h>
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <termios.h>
#include <sys/klog.h>
#include <sys/select.h>
#include <sys/ioctl.h>
#include <signal.h>
#include <sys/un.h>
#define DEBUG 0
#define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0]))
static bool disable_method(const char *method);
/*****************************************************************************
* Utility functions *
*****************************************************************************/
static void
debug(const char *fmt, ...)
{
va_list ap;
static bool first = true;
static FILE *dbgfile;
if (!DEBUG)
return;
if (first) {
first = false;
dbgfile = fopen("/tmp/askpass.debug", "a");
}
if (!dbgfile)
return;
va_start(ap, fmt);
vfprintf(dbgfile, fmt, ap);
va_end(ap);
}
static void
usage(const char *arg0, const char *errmsg)
{
if (errmsg)
fprintf(stderr, "Error: %s\nUsage: %s PROMPT\n", errmsg, arg0);
else
fprintf(stderr, "Usage: %s PROMPT\n", arg0);
exit(EXIT_FAILURE);
}
static void
fifo_common_finish(int fd, char **buf, size_t *used, size_t *size)
{
if (fd >= 0)
close(fd);
if (!*buf)
return;
memset(*buf, '\0', *size);
free(*buf);
*buf = NULL;
*used = 0;
*size = 0;
}
static bool
fifo_common_read(int fd, char **buf, size_t *used, size_t *size)
{
ssize_t result;
again:
if ((*size - *used) == 0) {
*size += 4096;
*buf = realloc(*buf, *size);
if (!*buf) {
*size = 0;
*used = 0;
debug("Failed to allocate memory for passphrase\n");
return false;
}
}
reread:
result = read(fd, *buf + *used, *size - *used);
if (result < 0) {
if (errno == EAGAIN)
return false;
if (errno == EINTR)
goto reread;
debug("Error when reading from fifo\n");
return false;
}
debug("Read %i bytes from fifo\n", (int)result);
*used += result;
if (result == 0)
return true;
goto again;
}
/*****************************************************************************
* systemd functions *
*****************************************************************************/
#define SYSTEMD_ASKPASS "/bin/systemd-ask-password"
static pid_t systemdpid;
static size_t systemdused = 0;
static size_t systemdsize = 0;
static char *systemdbuf = NULL;
static int
systemd_prepare(const char *prompt)
{
struct stat a, b;
int pipefds[2];
/* is systemd running? */
if (lstat("/sys/fs/cgroup", &a) < 0)
return -1;
if (lstat("/sys/fs/cgroup/systemd", &b) < 0)
return -1;
if (a.st_dev == b.st_dev)
return -1;
if (access(SYSTEMD_ASKPASS, X_OK))
return -1;
if (pipe(pipefds))
return -1;
systemdpid = fork();
if (systemdpid < 0) {
close(pipefds[0]);
close(pipefds[1]);
return -1;
}
if (systemdpid == 0) {
close(pipefds[0]);
if (dup2(pipefds[1], STDOUT_FILENO) < 0)
exit(EXIT_FAILURE);
execl(SYSTEMD_ASKPASS, SYSTEMD_ASKPASS,
"--timeout=0", prompt, (char*)NULL);
exit(EXIT_FAILURE);
}
close(pipefds[1]);
return pipefds[0];
}
static bool
systemd_read(int fd, char **buf, size_t *size)
{
debug("In systemd_read\n");
if (fifo_common_read(fd, &systemdbuf, &systemdused, &systemdsize)) {
/* systemd likes to include the terminating newline */
if (systemdused >= 1 && systemdbuf[systemdused - 1] == '\n') {
systemdbuf[systemdused - 1] = '\0';
systemdused--;
}
*buf = systemdbuf;
*size = systemdused;
return true;
}
return false;
}
static void
systemd_finish(int fd)
{
kill(systemdpid, SIGTERM);
fifo_common_finish(fd, &systemdbuf, &systemdused, &systemdsize);
}
/*****************************************************************************
* plymouth functions *
*****************************************************************************/
#define PLYMOUTH_PATH "/bin/plymouth"
static pid_t plymouthpid;
static size_t plymouthused = 0;
static size_t plymouthsize = 0;
static char *plymouthbuf = NULL;
static int
plymouth_prepare(const char *prompt)
{
int pipefds[2];
if (access(PLYMOUTH_PATH, X_OK))
return -1;
if (system(PLYMOUTH_PATH" --ping"))
return -1;
/* Plymouth will add a ':' if it is a non-graphical prompt */
char *prompt2 = strdup(prompt);
int len = strlen(prompt2);
if (len > 1 && prompt2[len-2] == ':' && prompt2[len - 1] == ' ')
prompt2[len - 2] = '\0';
else if (len > 0 && prompt2[len - 1] == ':')
prompt2[len - 1] = '\0';
if (pipe(pipefds))
return -1;
plymouthpid = fork();
if (plymouthpid < 0) {
close(pipefds[0]);
close(pipefds[1]);
return -1;
}
if (plymouthpid == 0) {
close(pipefds[0]);
if (dup2(pipefds[1], STDOUT_FILENO) < 0)
exit(EXIT_FAILURE);
execl(PLYMOUTH_PATH, PLYMOUTH_PATH,
"ask-for-password", "--prompt", prompt2, (char*)NULL);
exit(EXIT_FAILURE);
}
free(prompt2);
close(pipefds[1]);
return pipefds[0];
}
static bool
plymouth_read(int fd, char **buf, size_t *size)
{
debug("In plymouth_read\n");
if (fifo_common_read(fd, &plymouthbuf, &plymouthused, &plymouthsize)) {
*buf = plymouthbuf;
*size = plymouthused;
return true;
}
return false;
}
static void
plymouth_finish(int fd)
{
kill(plymouthpid, SIGKILL);
fifo_common_finish(fd, &plymouthbuf, &plymouthused, &plymouthsize);
}
/*****************************************************************************
* fifo functions *
*****************************************************************************/
#define FIFO_PATH "/lib/cryptsetup/passfifo"
static size_t fifoused = 0;
static size_t fifosize = 0;
static char *fifobuf = NULL;
static void
fifo_finish(int fd)
{
fifo_common_finish(fd, &fifobuf, &fifoused, &fifosize);
}
static bool
fifo_read(int fd, char **buf, size_t *size)
{
debug("In fifo_read\n");
if (fifo_common_read(fd, &fifobuf, &fifoused, &fifosize)) {
*buf = fifobuf;
*size = fifoused;
return true;
}
return false;
}
static int
fifo_prepare(const char *prompt)
{
int ret;
ret = mkfifo(FIFO_PATH, 0600);
if (ret && errno != EEXIST)
return -1;
return open(FIFO_PATH, O_RDONLY | O_NONBLOCK);
}
/*****************************************************************************
* console functions *
*****************************************************************************/
#define CONSOLE_PATH "/dev/console"
static struct termios term_old;
static bool term_set = false;
static char *consolebuf = NULL;
static size_t consolebuflen = 0;
static void
console_finish(int fd)
{
if (consolebuf) {
memset(consolebuf, '\0', consolebuflen);
free(consolebuf);
consolebuf = NULL;
consolebuflen = 0;
}
if (!term_set || fd < 0)
return;
term_set = false;
tcsetattr(fd, TCSAFLUSH, &term_old);
fprintf(stderr, "\n");
klogctl(7, NULL, 0);
}
bool
console_read(int fd, char **buf, size_t *size)
{
ssize_t nread;
/* Console is in ICANON mode so we'll get entire lines */
nread = getline(&consolebuf, &consolebuflen, stdin);
if (nread < 0) {
clearerr(stdin);
return false;
}
/* Strip trailing newline, if any */
if (nread > 0 && consolebuf[nread - 1] == '\n') {
nread--;
consolebuf[nread] = '\0';
}
*size = nread;
*buf = consolebuf;
return true;
}
static int
console_prepare(const char *prompt)
{
struct termios term_new;
const char *prompt_ptr = prompt;
char *newline = NULL;
if (!isatty(STDIN_FILENO)) {
if (access(CONSOLE_PATH, R_OK | W_OK)) {
debug("No access to console device " CONSOLE_PATH "\n");
return -1;
}
if (!freopen(CONSOLE_PATH, "r", stdin) ||
!freopen(CONSOLE_PATH, "a", stdout) ||
!freopen(CONSOLE_PATH, "a", stderr) ||
!isatty(STDIN_FILENO)) {
debug("Failed to open console\n");
return -1;
}
}
if (tcgetattr(STDIN_FILENO, &term_old)) {
debug("Failed to get terminal settings\n");
return -1;
}
term_new = term_old;
term_new.c_lflag &= ~ECHO;
term_new.c_lflag |= ICANON;
if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_new)) {
debug("Failed to disable echoing\n");
return -1;
}
/* handle any non-literal embedded newlines in prompt */
while ( (newline = strstr(prompt_ptr,"\\n")) != NULL ) {
/* Calculate length of string leading up to newline. */
int line_len = newline - prompt_ptr;
/* Force trimming of prompt to location of newline. */
if (fwrite(prompt_ptr, line_len, 1, stderr) < 1 ||
fwrite("\n", 1, 1, stderr) < 1) {
debug("Failed to print prompt\n");
tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old);
return -1;
}
/* Skip over newline. */
prompt_ptr = newline + 2;
}
if (fputs(prompt_ptr, stderr) < 0) {
debug("Failed to print prompt\n");
tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old);
return -1;
}
/* Disable printk to console */
klogctl(6, NULL, 0);
term_set = true;
return STDIN_FILENO;
}
/*****************************************************************************
* main functions *
*****************************************************************************/
struct method {
const char *name;
int (*prepare)(const char *prompt);
bool (*read)(int fd, char **buf, size_t *size);
void (*finish)(int fd);
bool no_more;
bool active;
bool enabled;
int fd;
};
static struct method methods[] = {
{ "systemd", systemd_prepare, systemd_read, systemd_finish, true, false, true, -1 },
{ "fifo", fifo_prepare, fifo_read, fifo_finish, false, false, true, -1 },
{ "plymouth", plymouth_prepare, plymouth_read, plymouth_finish, true, false, true, -1 },
{ "console", console_prepare, console_read, console_finish, false, false, true, -1 }
};
static bool
disable_method(const char *method)
{
int i;
bool result = false;
debug("Disabling method %s\n", method ? method : "ALL");
for (i = 0; i < ARRAY_SIZE(methods); i++) {
/* A NULL method means all methods should be disabled */
if (method && strcmp(methods[i].name, method))
continue;
if (!methods[i].enabled)
continue;
if (methods[i].active)
methods[i].finish(methods[i].fd);
methods[i].active = false;
methods[i].fd = -1;
methods[i].enabled = false;
result = true;
}
return result;
}
int
main(int argc, char **argv, char **envp)
{
char *pass = NULL;
size_t passlen = 0;
int i;
int nfds;
fd_set fds;
int ret;
bool done = false;
sigset_t sigset;
if (argc != 2)
usage(argv[0], "incorrect number of arguments");
sigfillset(&sigset);
sigprocmask(SIG_BLOCK, &sigset, NULL);
for (i = 0; i < ARRAY_SIZE(methods); i++) {
if (!methods[i].enabled)
continue;
debug("Enabling method %s\n", methods[i].name);
methods[i].fd = methods[i].prepare(argv[1]);
if (methods[i].fd < 0) {
methods[i].active = false;
methods[i].enabled = false;
} else {
methods[i].active = true;
methods[i].enabled = true;
if (methods[i].no_more)
break;
}
}
while (!done) {
nfds = 0;
FD_ZERO(&fds);
for (i = 0; i < ARRAY_SIZE(methods); i++) {
if (!methods[i].enabled || methods[i].fd < 0)
continue;
debug("method %i has fd %i and name %s\n", i, methods[i].fd, methods[i].name);
FD_SET(methods[i].fd, &fds);
if (methods[i].fd + 1 > nfds)
nfds = methods[i].fd + 1;
}
if (nfds == 0) {
debug("All methods disabled\n");
exit(EXIT_FAILURE);
}
debug("Starting select with nfds %i\n", nfds);
ret = select(nfds, &fds, NULL, NULL, NULL);
if (ret <= 0) {
if (ret == 0 || errno == EINTR)
continue;
debug("Select failed\n");
disable_method(NULL);
exit(EXIT_FAILURE);
}
for (i = 0; i < ARRAY_SIZE(methods); i++) {
if (!methods[i].enabled || methods[i].fd < 0)
continue;
if (!FD_ISSET(methods[i].fd, &fds))
continue;
if (methods[i].read(methods[i].fd, &pass, &passlen) && pass) {
done = true;
break;
}
}
}
debug("Writing %i bytes to stdout\n", (int)passlen);
if (write(STDOUT_FILENO, pass, passlen) == -1) {
disable_method(NULL);
exit(EXIT_FAILURE);
}
disable_method(NULL);
exit(EXIT_SUCCESS);
}

42
debian/bash_completion/cryptdisks_start vendored Normal file
View file

@ -0,0 +1,42 @@
# cryptdisks_{start,stop} completion by first column of crypttab
#
# Copyright 2013 Claudius Hubig <cl_crds@chubig.net>, 2-clause BSD
_cryptdisks() {
local action="$1" t
for t in $( awk -vt="${COMP_WORDS[COMP_CWORD]}" \
'($1 !~ /^#/ && index($1,t) == 1) {print $1}' \
"${TABFILE-"/etc/crypttab"}" ); do
if [ "$action" = start -a ! -e "/dev/mapper/$t" ] ||
[ "$action" = stop -a -e "/dev/mapper/$t" ]; then
COMPREPLY+=( "$t" )
fi
done
return 0;
}
_cryptdisks_start() {
local i include_options=y
COMPREPLY=()
for (( i=0; i < COMP_CWORD-1; i++ )); do
if [ "${COMP_WORDS[i]}" = "--" ] || [[ "${COMP_WORDS[i]}" != -* ]]; then
include_options=n
break
fi
done
if [ "$include_options" = "y" ]; then
for i in "-r" "--readonly" "--"; do
if [[ "$i" == "${COMP_WORDS[COMP_CWORD]}"* ]]; then
COMPREPLY+=( "$i" )
fi
done
fi
_cryptdisks start "$@"
}
_cryptdisks_stop() {
COMPREPLY=()
_cryptdisks stop "$@";
}
complete -F _cryptdisks_start cryptdisks_start
complete -F _cryptdisks_stop cryptdisks_stop

38
debian/bug-script vendored Normal file
View file

@ -0,0 +1,38 @@
#!/bin/bash
cat <<EOF
Providing additional information can help diagnose problems with cryptsetup.
Specifically, this would include:
- kernel cmdline (copy of /proc/cmdline).
- crypttab configuration (copy of /etc/crypttab).
- fstab configuration (copy of /etc/fstab).
If this information is not relevant for your bug report or you have privacy
concerns, please choose no.
EOF
yesno "Do you want to provide additional information [Y|n]? " yep
[ "$REPLY" = yep ] || exit 0
exec >&3
echo "-- /proc/cmdline"
cat /proc/cmdline
echo
if [ -r /etc/crypttab ]; then
echo "-- /etc/crypttab"
cat /etc/crypttab
echo
fi
if [ -r /etc/fstab ]; then
echo "-- /etc/fstab"
cat /etc/fstab
echo
fi
echo "-- lsmod"
lsmod
echo

3853
debian/changelog vendored Normal file
View file

File diff suppressed because it is too large Load diff

32
debian/checks/blkid vendored Normal file
View file

@ -0,0 +1,32 @@
#!/bin/sh
# this script depends on /sbin/blkid from the util-linux package
# usage: blkid <device> <fs_type> [<offset>]
# <device> may be any device that should be checked.
# if no <fs_type> is given, the check fails if no valid filesystem is found.
# if <fs_type> is given, the check fails when no filesystem type <fs_type>
# is found on the device. if <fs_type> is 'none', the check fails if any
# know filesystem is found.
if test ! -x "/sbin/blkid"; then
echo " - WARNING: blkid from util-linux is not available, impossible to run checks."
exit 1
fi
dev="$1"
fs="$2"
offset="${3-}"
blkid="$(/sbin/blkid -o value -s TYPE -p ${offset:+-O "$offset"} -- "$dev")"
# blkid output is empty if $dev has an unknown filesystem
if [ -z "$blkid" ] && [ -z "$fs" ]; then
echo " - The device $dev does not contain a known filesystem${offset:+" at offset $offset"}."
exit 1
elif [ -n "$blkid" ] && [ "$fs" = "none" ]; then
echo " - The device $dev contains a filesystem type $blkid${offset:+" at offset $offset"}."
exit 1
elif [ -n "$fs" ] && [ "$blkid" != "$fs" ]; then
echo " - The device $dev does not contain a filesystem type $fs${offset:+" at offset $offset"}."
exit 1
fi

12
debian/checks/ext2 vendored Normal file
View file

@ -0,0 +1,12 @@
#!/bin/sh
echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2
not_fs=""
for fs in ext2 ext3 ext4 ext4dev; do
/lib/cryptsetup/checks/blkid "$1" "$fs" >/dev/null || not_fs="$not_fs $fs"
done
if [ "$not_fs" = " ext2 ext3 ext4 ext4dev" ]; then
echo " - The device $1 does not contain a valid ext2, ext3, ext4 or ext4dev filesystem."
exit 1
fi

5
debian/checks/swap vendored Normal file
View file

@ -0,0 +1,5 @@
#!/bin/sh
echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2
/lib/cryptsetup/checks/blkid "$1" "swap"

28
debian/checks/un_blkid vendored Normal file
View file

@ -0,0 +1,28 @@
#!/bin/sh
# this script depends on /sbin/blkid from the util-linux package
# usage: un_blkid <device> <fs_type> [<offset>]
# <device> may be any device that should be checked.
# if no <fs_type> is given, the check fails for any valid filesystem
# if <fs_type> is given, the check fails when a filesystem type <fs_type>
# is found on the device.
if test ! -x "/sbin/blkid"; then
echo " - WARNING: blkid from util-linux is not available, impossible to run checks."
exit 1
fi
dev="$1"
fs="$2"
offset="${3-}"
blkid="$(/sbin/blkid -o value -s TYPE -p ${offset:+-O "$offset"} -- "$dev")"
# blkid output is empty if $dev has an unknown filesystem
if [ -n "$blkid" ] && [ -z "$fs" ]; then
echo " - The device $dev contains a filesystem type $blkid${offset:+" at offset $offset"}."
exit 1
elif [ -n "$fs" ] && [ "$blkid" = "$fs" ]; then
echo " - The device $dev contains a filesystem type $fs${offset:+" at offset $offset"}."
exit 1
fi

5
debian/checks/xfs vendored Normal file
View file

@ -0,0 +1,5 @@
#!/bin/sh
echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2
/lib/cryptsetup/checks/blkid "$1" "xfs"

10
debian/clean vendored Normal file
View file

@ -0,0 +1,10 @@
debian/askpass
debian/doc/*.[0-9]
debian/doc/variables.xml
debian/scripts/passdev
debian/scripts/suspend/cryptsetup-suspend
# `make clean` doesn't remove all gitignore(5)'d files, instead
# .gitlab/ci/debian.yml runs `git clean -xdf`
man/*.8
po/*.gmo
po/stamp-po

194
debian/control vendored Normal file
View file

@ -0,0 +1,194 @@
Source: cryptsetup
Section: admin
Priority: optional
Maintainer: Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>
Uploaders: Jonas Meurer <jonas@freesources.org>,
Guilhem Moulin <guilhem@debian.org>
Rules-Requires-Root: no
Build-Depends: asciidoctor <!nodoc>,
autoconf,
automake (>= 1:1.12),
autopoint,
debhelper-compat (= 13),
dh-strip-nondeterminism,
docbook-xml <!nodoc>,
docbook-xsl <!nodoc>,
gettext,
jq <!nocheck>,
libblkid-dev,
libdevmapper-dev,
libjson-c-dev,
libpopt-dev,
libselinux1-dev,
libsepol-dev,
libssh-dev,
libssl-dev (>> 3.2~),
libtool,
openssl-provider-legacy <!nocheck>,
pkgconf,
po-debconf,
procps <!nocheck>,
uuid-dev,
xsltproc <!nodoc>,
xxd <!nocheck>
Standards-Version: 4.7.2
Homepage: https://gitlab.com/cryptsetup/cryptsetup
Vcs-Browser: https://salsa.debian.org/cryptsetup-team/cryptsetup
Vcs-Git: https://salsa.debian.org/cryptsetup-team/cryptsetup.git -b debian/latest
Package: cryptsetup
Architecture: linux-any
Multi-Arch: foreign
Depends: cryptsetup-bin (>= 2:2.7.2-1),
dmsetup,
${misc:Depends},
${shlibs:Depends}
Conflicts: cryptsetup-nuke-password (<< 5~)
Suggests: cryptsetup-initramfs, dosfstools, keyutils, liblocale-gettext-perl
Description: disk encryption support - startup scripts
Cryptsetup provides an interface for configuring encryption on block
devices (such as /home or swap partitions), using the Linux kernel
device mapper target dm-crypt. It features integrated Linux Unified Key
Setup (LUKS) support.
.
Cryptsetup is backwards compatible with the on-disk format of cryptoloop,
but also supports more secure formats. This package includes support for
automatically configuring encrypted devices at boot time via the config
file /etc/crypttab. Additional features are cryptoroot support through
initramfs-tools and several supported ways to read a passphrase or key.
.
This package provides the cryptdisks_start and _stop wrappers, as well as
luksformat.
Package: cryptsetup-bin
Architecture: linux-any
Multi-Arch: foreign
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: disk encryption support - command line tools
Cryptsetup provides an interface for configuring encryption on block
devices (such as /home or swap partitions), using the Linux kernel
device mapper target dm-crypt. It features integrated Linux Unified Key
Setup (LUKS) support.
.
This package provides the cryptsetup, integritysetup and veritysetup
utilities.
Package: cryptsetup-ssh
Architecture: linux-any
Multi-Arch: foreign
Depends: ${misc:Depends}, ${shlibs:Depends}
Recommends: cryptsetup-bin (>= ${source:Version})
Breaks: cryptsetup (<< 2:2.5.0~rc1-3), cryptsetup-bin (<< 2:2.5.0~rc1-3)
Replaces: cryptsetup (<< 2:2.5.0~rc1-3), cryptsetup-bin (<< 2:2.5.0~rc1-3)
Description: disk encryption support - experimental SSH token handler
Cryptsetup provides an interface for configuring encryption on block
devices (such as /home or swap partitions), using the Linux kernel
device mapper target dm-crypt. It features integrated Linux Unified Key
Setup (LUKS) support.
.
This package provides the cryptsetup-ssh(8) utility and an SSH token plugin
which can be used to unlock LUKS2 devices using a remote keyfile hosted on a
system accessible through SSH. This is currently an *experimental* feature
and mostly serves as a demonstration of the plugin interface API.
Package: cryptsetup-initramfs
Architecture: all
Depends: busybox | busybox-static,
cryptsetup (>= ${source:Version}),
initramfs-tools (>= 0.137) | linux-initramfs-tool,
${misc:Depends}
Recommends: console-setup, kbd
Breaks: cryptsetup (<< 2:2.0.3-1), libcryptsetup12 (<< 2:2.7.2-1)
Replaces: cryptsetup (<< 2:2.0.3-1)
Conflicts: lvm2 (<< 2.03.15-1)
Description: disk encryption support - initramfs integration
Cryptsetup provides an interface for configuring encryption on block
devices (such as /home or swap partitions), using the Linux kernel
device mapper target dm-crypt. It features integrated Linux Unified Key
Setup (LUKS) support.
.
This package provides initramfs integration for cryptsetup.
Package: cryptsetup-suspend
Architecture: linux-any
Multi-Arch: foreign
Depends: cryptsetup-initramfs (>= ${source:Version}),
initramfs-tools-core,
kbd,
systemd,
${misc:Depends},
${shlibs:Depends}
Description: disk encryption support - suspend mode integration
Cryptsetup provides an interface for configuring encryption on block
devices (such as /home or swap partitions), using the Linux kernel
device mapper target dm-crypt. It features integrated Linux Unified Key
Setup (LUKS) support.
.
This package provides suspend mode integration for cryptsetup. It takes
care of removing LUKS master key from memory before system suspend.
.
Please note that the suspend mode integration is limited to LUKS devices
and requires systemd. Moreover, this is an early implementation and may not
be as mature as the other cryptsetup-* packages yet.
Package: libcryptsetup12
Section: libs
Architecture: linux-any
Multi-Arch: same
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: disk encryption support - shared library
Cryptsetup provides an interface for configuring encryption on block
devices (such as /home or swap partitions), using the Linux kernel
device mapper target dm-crypt. It features integrated Linux Unified Key
Setup (LUKS) support.
.
This package provides the libcryptsetup shared library.
Package: libcryptsetup-dev
Section: libdevel
Architecture: linux-any
Multi-Arch: same
# XXX [#1025065] ideal we would have "Depends: libcryptsetup12
# (= ${binary:Version}), ${misc:Depends}, ${pkgconf:Depends}"
Depends: libblkid-dev,
libcryptsetup12 (= ${binary:Version}),
libdevmapper-dev,
libjson-c-dev,
libssl-dev,
uuid-dev,
${misc:Depends}
Description: disk encryption support - development files
Cryptsetup provides an interface for configuring encryption on block
devices (such as /home or swap partitions), using the Linux kernel
device mapper target dm-crypt. It features integrated Linux Unified Key
Setup (LUKS) support.
.
This package provides the libcryptsetup development files.
Package: cryptsetup-udeb
Section: debian-installer
Package-Type: udeb
Build-Profiles: <!noudeb>
Architecture: linux-any
Depends: dmsetup-udeb, ${misc:Depends}, ${shlibs:Depends}
Description: disk encryption support - commandline tools (udeb)
Cryptsetup provides an interface for configuring encryption on block
devices (such as /home or swap partitions), using the Linux kernel
device mapper target dm-crypt. It features integrated Linux Unified Key
Setup (LUKS) support.
.
This udeb package provides cryptsetup for the Debian Installer.
Package: libcryptsetup12-udeb
Section: debian-installer
Package-Type: udeb
Build-Profiles: <!noudeb>
Architecture: linux-any
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: disk encryption support - shared library (udeb)
Cryptsetup provides an interface for configuring encryption on block
devices (such as /home or swap partitions), using the Linux kernel
device mapper target dm-crypt. It features integrated Linux Unified Key
Setup (LUKS) support.
.
This udeb package provides libcryptsetup for the Debian Installer.

612
debian/copyright vendored Normal file
View file

@ -0,0 +1,612 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Contact: Milan Broz <mbroz@redhat.com>
Source: https://gitlab.com/cryptsetup/cryptsetup
Upstream-Name: cryptsetup
Files: *
Copyright: © 2004 Christophe Saout <christophe@saout.de>
© 2004-2008 Clemens Fruhwirth <clemens@endorphin.org>
© 2008-2023 Red Hat, Inc.
© 2008-2023 Milan Broz <gmazyland@gmail.com>
License: GPL-2+ with OpenSSL exception
Files: debian/*
Copyright: © 2004-2005 Wesley W. Terpstra <terpstra@debian.org>
© 2005-2006 Michael Gebetsroither <michael.geb@gmx.at>
© 2006-2008 David Härdeman <david@hardeman.nu>
© 2005-2015 Jonas Meurer <jonas@freesources.org>
© 2016-2023 Guilhem Moulin <guilhem@debian.org>
License: GPL-2+
Files: debian/scripts/suspend/cryptsetup-suspend.c
Copyright: © 2018 Guilhem Moulin <guilhem@debian.org>
© 2018-2020 Jonas Meurer <jonas@freesources.org>
License: GPL-3+
Files: debian/scripts/suspend/cryptsetup-suspend-wrapper
Copyright: © 2019-2020 Tim <tim@systemli.org>
© 2019-2020 Jonas Meurer <jonas@freesources.org>
© 2020-2022 Guilhem Moulin <guilhem@debian.org>
License: GPL-3+
Files: debian/askpass.c debian/scripts/passdev.c
Copyright: © 2008 David Härdeman <david@hardeman.nu>
License: GPL-2+
Files: debian/initramfs/cryptroot-unlock
Copyright: © 2015-2018 Guilhem Moulin <guilhem@debian.org>
License: GPL-3+
Files: debian/README.opensc
Copyright: © 2008 Benjamin Kiessling <benjaminkiessling@bttec.org>
License: GPL-2+
Files: debian/scripts/cryptdisks_start
Copyright: © 2007 Jon Dowland <jon@alcopop.org>
License: GPL-2+
Files: debian/scripts/luksformat
Copyright: © 2005 Canonical Ltd.
License: GPL-2+
Files: debian/scripts/decrypt_gnupg-sc debian/README.gnupg-sc debian/initramfs/hooks/cryptgnupg-sc debian/initramfs/scripts/local-bottom/cryptgnupg-sc
Copyright: © 2005-2015 Jonas Meurer <jonas@freesources.org>
© 2016-2018 Guilhem Moulin <guilhem@debian.org>
© 2009,2014 Peter Lebbing <peter@digitalbrains.com>
© 2018 Erik Nellessen
License: GPL-2+
Files: debian/tests/*
Copyright: © 2021-2022 Guilhem Moulin <guilhem@debian.org>
License: GPL-3+
Files: docs/examples/* tests/all-symbols-test.c
Copyright: © 2011-2023 Red Hat, Inc.
License: LGPL-2.1+
Files: lib/bitlk/*
Copyright: © 2019-2023 Red Hat, Inc.
© 2019-2023 Milan Broz <gmazyland@gmail.com>
© 2019-2023 Vojtech Trefny
License: LGPL-2.1+
Files: tokens/ssh/*
Copyright: © 2016-2023 Milan Broz <gmazyland@gmail.com>
© 2020-2023 Vojtech Trefny
License: LGPL-2.1+
Files: tokens/ssh/cryptsetup-ssh.c
Copyright: © 2016-2023 Milan Broz <gmazyland@gmail.com>
© 2021-2023 Vojtech Trefny
License: GPL-2+
Files: lib/crypto_backend/* lib/integrity/* lib/loopaes/* lib/tcrypt/* lib/verity/*
Copyright: © 2009-2023 Red Hat, Inc.
© 2010-2023 Milan Broz <gmazyland@gmail.com>
License: LGPL-2.1+
Files: lib/crypto_backend/base64.c
Copyright: © 2010 Lennart Poettering
© 2021-2023 Milan Broz <gmazyland@gmail.com>
License: LGPL-2.1+
Files: lib/crypto_backend/utf8.c
Copyright: © 2010 Lennart Poettering
© 2021-2023 Vojtech Trefny
© 1999 Tom Tromey
© 2000 Red Hat, Inc.
License: GPL-2+
Files: lib/crypto_backend/crypto_openssl.c
Copyright: © 2009-2023 Red Hat, Inc.
© 2010-2023 Milan Broz <gmazyland@gmail.com>
License: LGPL-2.1+ with OpenSSL exception
Files: lib/fvault2/fvault2.c lib/fvault2/fvault2.h
Copyright: © 2021-2022 Pavel Tobias
License: LGPL-2.1+ with OpenSSL exception
Files: lib/keyslot_context.c lib/keyslot_context.h
Copyright: © 2022-2023 Red Hat, Inc.
© 2022-2023 Ondrej Kozina <okozina@redhat.com>
License: GPL-2+
Files: lib/crypto_backend/argon2/*
Copyright: © 2015 Daniel Dinu
© 2015 Dmitry Khovratovich
© 2015 Jean-Philippe Aumasson
© 2015 Samuel Neves
License: CC0 or Apache-2.0
Files: lib/crypto_backend/argon2/encoding.c
Copyright: © 2015 Thomas Pornin <pornin@bolet.org>
License: CC0 or Apache-2.0
Files: lib/crypto_backend/crc32.c
Copyright: © 1986 Gary S. Brown
License: public-domain
Gary S. Brown's license is as follows:
.
You may use this program, or code or tables extracted from it, as
desired without restriction.
Files: lib/bitops.h
Copyright: © Karel Zak <kzak@redhat.com>
License: public-domain
Karel Zak's license is as follows:
.
No copyright is claimed. This code is in the public domain; do with it
what you wish.
Files: misc/luks-header-from-active
Copyright: © 2011-2024 Milan Broz <gmazyland@gmail.com>
License: LGPL-2.1+
Files: FAQ.md
Copyright: © Arno Wagner <arno@wagner.name>
© Milan Broz <gmazyland@gmail.com>
License: CC-BY-SA-4.0
License: GPL-2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License along
with this program. If not, see <https://www.gnu.org/licenses/>.
.
On Debian systems, the complete text of the GNU General Public
License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
License: GPL-2+ with OpenSSL exception
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License along
with this program. If not, see <https://www.gnu.org/licenses/>.
.
On Debian systems, the complete text of the GNU General Public
License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
.
In addition, as a special exception, the copyright holders give
permission to link the code of portions of this program with the
OpenSSL library under certain conditions as described in each
individual source file, and distribute linked combinations including
the two. You must obey the GNU General Public License in all respects
for all of the code used other than OpenSSL. If you modify file(s)
with this exception, you may extend this exception to your version of
the file(s), but you are not obligated to do so. If you do not wish to
do so, delete this exception statement from your version. If you
delete this exception statement from all source files in the program,
then also delete it here.
License: GPL-3+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License along
with this program. If not, see <https://www.gnu.org/licenses/>.
.
On Debian systems, the complete text of the GNU General Public License
version 3 can be found in `/usr/share/common-licenses/GPL-3`.
License: LGPL-2.1+
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published
by the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
.
You should have received a copy of the GNU Lesser General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
.
On Debian systems, the complete text of the GNU Lesser General Public
License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
License: LGPL-2.1+ with OpenSSL exception
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published
by the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
.
You should have received a copy of the GNU Lesser General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
.
On Debian systems, the complete text of the GNU Lesser General Public
License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
.
In addition, as a special exception, the copyright holders give
permission to link the code of portions of this program with the
OpenSSL library under certain conditions as described in each
individual source file, and distribute linked combinations including
the two. You must obey the GNU Lesser General Public License in all
respects for all of the code used other than OpenSSL. If you modify
file(s) with this exception, you may extend this exception to your
version of the file(s), but you are not obligated to do so. If you do
not wish to do so, delete this exception statement from your version.
If you delete this exception statement from all source files in the
program, then also delete it here.
License: CC0
You may use this work under the terms of a Creative Commons CC0 1.0
License/Waiver.
.
On Debian systems, the complete text of the Creative Commons CC0 1.0
Universal license can be found in `/usr/share/common-licenses/CC0-1.0'.
License: Apache-2.0
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.
https://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.
On Debian systems, the complete text of the Apache version 2.0 license
can be found in "/usr/share/common-licenses/Apache-2.0".
License: CC-BY-SA-4.0
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS
CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS
PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE
WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS
PROHIBITED.
.
BY EXERCISING THE LICENSED RIGHTS (DEFINED BELOW), YOU ACCEPT AND AGREE
TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS CREATIVE COMMONS
ATTRIBUTION-SHAREALIKE 4.0 INTERNATIONAL PUBLIC LICENSE ("PUBLIC
LICENSE"). TO THE EXTENT THIS PUBLIC LICENSE MAY BE INTERPRETED AS A
CONTRACT, YOU ARE GRANTED THE LICENSED RIGHTS IN CONSIDERATION OF YOUR
ACCEPTANCE OF THESE TERMS AND CONDITIONS, AND THE LICENSOR GRANTS YOU
SUCH RIGHTS IN CONSIDERATION OF BENEFITS THE LICENSOR RECEIVES FROM
MAKING THE LICENSED MATERIAL AVAILABLE UNDER THESE TERMS AND
CONDITIONS.
.
Section 1 — Definitions
.
a. "Adapted Material" means material subject to Copyright and Similar
Rights that is derived from or based upon the Licensed Material and in
which the Licensed Material is translated, altered, arranged,
transformed, or otherwise modified in a manner requiring permission
under the Copyright and Similar Rights held by the Licensor. For
purposes of this Public License, where the Licensed Material is a
musical work, performance, or sound recording, Adapted Material is
always produced where the Licensed Material is synched in timed
relation with a moving image.
.
b. "Adapter's License" means the license You apply to Your Copyright
and Similar Rights in Your contributions to Adapted Material in
accordance with the terms and conditions of this Public License.
.
c. "BY-SA Compatible License" means a license listed at
creativecommons.org/compatiblelicenses , approved by Creative Commons
as essentially the equivalent of this Public License.
.
d. "Copyright and Similar Rights" means copyright and/or similar
rights closely related to copyright including, without limitation,
performance, broadcast, sound recording, and Sui Generis Database
Rights, without regard to how the rights are labeled or categorized.
For purposes of this Public License, the rights specified in Section
2(b)(1)-(2) are not Copyright and Similar Rights.
.
e. "Effective Technological Measures" means those measures that, in
the absence of proper authority, may not be circumvented under laws
fulfilling obligations under Article 11 of the WIPO Copyright Treaty
adopted on December 20, 1996, and/or similar international agreements.
.
f. "Exceptions and Limitations" means fair use, fair dealing, and/or
any other exception or limitation to Copyright and Similar Rights that
applies to Your use of the Licensed Material.
.
g. "License Elements" means the license attributes listed in the name
of a Creative Commons Public License. The License Elements of this
Public License are Attribution and ShareAlike.
.
h. "Licensed Material" means the artistic or literary work, database,
or other material to which the Licensor applied this Public License.
.
i. "Licensed Rights" means the rights granted to You subject to the
terms and conditions of this Public License, which are limited to all
Copyright and Similar Rights that apply to Your use of the Licensed
Material and that the Licensor has authority to license.
.
j. "Licensor" means the individual(s) or entity(ies) granting rights
under this Public License.
.
k. "Share" means to provide material to the public by any means or
process that requires permission under the Licensed Rights, such as
reproduction, public display, public performance, distribution,
dissemination, communication, or importation, and to make material
available to the public including in ways that members of the public
may access the material from a place and at a time individually chosen
by them.
.
l. "Sui Generis Database Rights" means rights other than copyright
resulting from Directive 96/9/EC of the European Parliament and of the
Council of 11 March 1996 on the legal protection of databases, as
amended and/or succeeded, as well as other essentially equivalent
rights anywhere in the world.
.
m. "You" means the individual or entity exercising the Licensed Rights
under this Public License. "Your" has a corresponding meaning.
.
Section 2 — Scope.
.
a. License grant.
.
1. Subject to the terms and conditions of this Public License, the
Licensor hereby grants You a worldwide, royalty-free,
non-sublicensable, non-exclusive, irrevocable license to exercise the
Licensed Rights in the Licensed Material to:
.
A. reproduce and Share the Licensed Material, in whole or in part;
and
.
B. produce, reproduce, and Share Adapted Material.
.
2. Exceptions and Limitations. For the avoidance of doubt, where
Exceptions and Limitations apply to Your use, this Public License
does not apply, and You do not need to comply with its terms and
conditions.
.
3. Term. The term of this Public License is specified in Section 6(a).
.
4. Media and formats; technical modifications allowed. The Licensor
authorizes You to exercise the Licensed Rights in all media and
formats whether now known or hereafter created, and to make technical
modifications necessary to do so. The Licensor waives and/or agrees
not to assert any right or authority to forbid You from making
technical modifications necessary to exercise the Licensed Rights,
including technical modifications necessary to circumvent Effective
Technological Measures. For purposes of this Public License, simply
making modifications authorized by this Section 2(a)(4) never
produces Adapted Material.
.
5. Downstream recipients.
.
A. Offer from the Licensor Licensed Material. Every recipient of
the Licensed Material automatically receives an offer from the
Licensor to exercise the Licensed Rights under the terms and
conditions of this Public License.
.
B. Additional offer from the Licensor Adapted Material. Every
recipient of Adapted Material from You automatically receives an
offer from the Licensor to exercise the Licensed Rights in the
Adapted Material under the conditions of the Adapters License You
apply.
.
C. No downstream restrictions. You may not offer or impose any
additional or different terms or conditions on, or apply any
Effective Technological Measures to, the Licensed Material if doing
so restricts exercise of the Licensed Rights by any recipient of the
Licensed Material.
.
D. No endorsement. Nothing in this Public License constitutes or may
be construed as permission to assert or imply that You are, or that
Your use of the Licensed Material is, connected with, or sponsored,
endorsed, or granted official status by, the Licensor or others
designated to receive attribution as provided in Section
3(a)(1)(A)(i) .
.
b. Other rights.
.
1. Moral rights, such as the right of integrity, are not licensed
under this Public License, nor are publicity, privacy, and/or other
similar personality rights; however, to the extent possible, the
Licensor waives and/or agrees not to assert any such rights held by
the Licensor to the limited extent necessary to allow You to exercise
the Licensed Rights, but not otherwise.
.
2. Patent and trademark rights are not licensed under this Public
License.
.
3. To the extent possible, the Licensor waives any right to collect
royalties from You for the exercise of the Licensed Rights, whether
directly or through a collecting society under any voluntary or
waivable statutory or compulsory licensing scheme. In all other cases
the Licensor expressly reserves any right to collect such royalties.
.
Section 3 — License Conditions.
.
Your exercise of the Licensed Rights is expressly made subject to the
following conditions.
.
a. Attribution.
.
1. If You Share the Licensed Material (including in modified form),
You must:
.
A. retain the following if it is supplied by the Licensor with the
Licensed Material:
.
i. identification of the creator(s) of the Licensed Material and
any others designated to receive attribution, in any reasonable
manner requested by the Licensor (including by pseudonym if
designated);
.
ii. a copyright notice;
.
iii. a notice that refers to this Public License;
.
iv. a notice that refers to the disclaimer of warranties;
.
v. a URI or hyperlink to the Licensed Material to the extent
reasonably practicable;
.
B. indicate if You modified the Licensed Material and retain an
indication of any previous modifications; and
.
C. indicate the Licensed Material is licensed under this Public
License, and include the text of, or the URI or hyperlink to, this
Public License.
.
2. You may satisfy the conditions in Section 3(a)(1) in any
reasonable manner based on the medium, means, and context in which
You Share the Licensed Material. For example, it may be reasonable to
satisfy the conditions by providing a URI or hyperlink to a resource
that includes the required information.
.
3. If requested by the Licensor, You must remove any of the
information required by Section 3(a)(1)(A) to the extent reasonably
practicable.
.
b. ShareAlike.
.
In addition to the conditions in Section 3(a) , if You Share Adapted
Material You produce, the following conditions also apply.
.
1. The Adapters License You apply must be a Creative Commons license
with the same License Elements, this version or later, or a BY-SA
Compatible License.
.
2. You must include the text of, or the URI or hyperlink to, the
Adapter's License You apply. You may satisfy this condition in any
reasonable manner based on the medium, means, and context in which
You Share Adapted Material.
.
3. You may not offer or impose any additional or different terms or
conditions on, or apply any Effective Technological Measures to,
Adapted Material that restrict exercise of the rights granted under
the Adapter's License You apply.
.
Section 4 — Sui Generis Database Rights.
.
Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:
.
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to
extract, reuse, reproduce, and Share all or a substantial portion of
the contents of the database;
.
b. if You include all or a substantial portion of the database
contents in a database in which You have Sui Generis Database Rights,
then the database in which You have Sui Generis Database Rights (but
not its individual contents) is Adapted Material, including for
purposes of Section 3(b) ; and
.
c. You must comply with the conditions in Section 3(a) if You Share
all or a substantial portion of the contents of the database.
.
For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.
.
Section 5 — Disclaimer of Warranties and Limitation of Liability.
.
a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND
AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY,
OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE,
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT,
ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR
ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE
DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS
DISCLAIMER MAY NOT APPLY TO YOU.
.
b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO
YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR
OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES,
OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED
MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF
LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT
APPLY TO YOU.
.
c. The disclaimer of warranties and limitation of liability provided
above shall be interpreted in a manner that, to the extent possible,
most closely approximates an absolute disclaimer and waiver of all
liability.
.
Section 6 — Term and Termination.
.
a. This Public License applies for the term of the Copyright and
Similar Rights licensed here. However, if You fail to comply with this
Public License, then Your rights under this Public License terminate
automatically.
.
b. Where Your right to use the Licensed Material has terminated under
Section 6(a), it reinstates:
.
1. automatically as of the date the violation is cured, provided it
is cured within 30 days of Your discovery of the violation; or
.
2. upon express reinstatement by the Licensor.
.
For the avoidance of doubt, this Section 6(b) does not affect any
right the Licensor may have to seek remedies for Your violations of
this Public License.
.
c. For the avoidance of doubt, the Licensor may also offer the
Licensed Material under separate terms or conditions or stop
distributing the Licensed Material at any time; however, doing so will
not terminate this Public License.
.
d. Sections 1 , 5 , 6 , 7 , and 8 survive termination of this Public License.
.
Section 7 — Other Terms and Conditions.
.
a. The Licensor shall not be bound by any additional or different
terms or conditions communicated by You unless expressly agreed.
.
b. Any arrangements, understandings, or agreements regarding the
Licensed Material not stated herein are separate from and independent
of the terms and conditions of this Public License.
.
Section 8 — Interpretation.
.
a. For the avoidance of doubt, this Public License does not, and shall
not be interpreted to, reduce, limit, restrict, or impose conditions
on any use of the Licensed Material that could lawfully be made
without permission under this Public License.
.
b. To the extent possible, if any provision of this Public License is
deemed unenforceable, it shall be automatically reformed to the
minimum extent necessary to make it enforceable. If the provision
cannot be reformed, it shall be severed from this Public License
without affecting the enforceability of the remaining terms and
conditions.
.
c. No term or condition of this Public License will be waived and no
failure to comply consented to unless expressly agreed to by the
Licensor.
.
d. Nothing in this Public License constitutes or may be interpreted as
a limitation upon, or waiver of, any privileges and immunities that
apply to the Licensor or You, including from the legal processes of
any jurisdiction or authority.

286
debian/cryptdisks-functions vendored Normal file
View file

@ -0,0 +1,286 @@
#
# This file is for inclusion with
# . /lib/cryptsetup/cryptdisks-functions
# and should not be executed directly.
PATH="/usr/sbin:/usr/bin:/sbin:/bin"
CRYPTDISKS_ENABLE="Yes"
#set -x
# Sanity check #1
[ -x /sbin/cryptsetup ] || exit 0
. /lib/lsb/init-functions
. /lib/cryptsetup/functions
if [ -r /etc/default/cryptdisks ]; then
. /etc/default/cryptdisks
fi
MOUNT="$CRYPTDISKS_MOUNT"
# do_start()
# Unlock all devices in the crypttab(5)
do_start() {
[ -s "$TABFILE" ] || return 0
# Create locking directory before invoking cryptsetup(8) to avoid warnings
mkdir -pm0700 /run/cryptsetup
modprobe -qb dm-mod || true
modprobe -qb dm-crypt || true
dmsetup mknodes >/dev/null 2>&1 || true
if [ "$INITSTATE" != "init" ]; then
log_action_begin_msg "Starting $INITSTATE crypto disks"
fi
mount_fs
crypttab_foreach_entry _do_start_callback
umount_fs
log_action_end_msg 0
}
_do_start_callback() {
setup_mapping || log_action_end_msg $?
}
# mount_fs()
# Premounts file systems
mount_fs() {
local point
MOUNTED=""
for point in $MOUNT; do
if mount "$point" >/dev/null; then
MOUNTED="$MOUNTED $point"
fi
done
}
# Postunmounts file systems
umount_fs() {
local point
for point in $MOUNTED; do
umount "$point" >/dev/null
done
}
# setup_mapping()
# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME,
# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS.
setup_mapping() {
if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
device_msg "running"
return 0
fi
local loud="${DEFAULT_LOUD:-}"
crypttab_parse_options --export --missing-path=fail || return 1
if [ -n "${CRYPTTAB_OPTION_quiet+x}" ]; then
loud="no"
elif [ -n "${CRYPTTAB_OPTION_loud+x}" ]; then
loud="yes"
fi
if [ -z "${FORCE_START-}" ]; then
if [ "$INITSTATE" = "early" -a -n "${CRYPTTAB_OPTION_noearly+x}" ] ||
[ "$INITSTATE" != "manual" -a -n "${CRYPTTAB_OPTION_noauto+x}" ]; then
device_msg "ignored"
return 0
fi
fi
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
if ! crypttab_key_check; then
device_msg "invalid key"
return 1
fi
CRYPTTAB_OPTION_tries=1
fi
if ! crypttab_resolve_source; then
if [ "$loud" = "yes" ]; then
device_msg "skipped, device $CRYPTTAB_SOURCE does not exist"
fi
return 1
fi
device_msg "starting"
local offset_bytes=""
if [ -n "${CRYPTTAB_OPTION_offset+x}" ] && [ ${#CRYPTTAB_OPTION_offset} -le 7 ] && [ $CRYPTTAB_OPTION_offset -lt 4194304 ]; then
# silently ignore large offset values which might cause the multiplication to overflow...
offset_bytes=$((CRYPTTAB_OPTION_offset * 512))
fi
local out tmpdev
if [ "$CRYPTTAB_TYPE" != "luks" ] && [ "$CRYPTTAB_TYPE" != "bitlk" ]; then
# fail if the device has a filesystem and the disk encryption format doesn't
# verify the key digest (unlike LUKS); unless it's swap, otherwise people can't
# easily convert an existing plainttext swap partition to an encrypted one
if ! out="$(/lib/cryptsetup/checks/un_blkid "$CRYPTTAB_SOURCE" "" ${CRYPTTAB_OPTION_offset+"$offset_bytes"} 2>/dev/null)" &&
! /lib/cryptsetup/checks/blkid "$CRYPTTAB_SOURCE" swap ${CRYPTTAB_OPTION_offset+"$offset_bytes"} >/dev/null; then
log_warning_msg "$CRYPTTAB_NAME: the precheck for '$CRYPTTAB_SOURCE' failed: $out"
return 1
fi
fi
local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype rv
local target="$CRYPTTAB_NAME"
CRYPTTAB_NAME="${CRYPTTAB_NAME}_unformatted" # XXX potential conflict
while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
# unlock via keyfile
unlock_mapping "$CRYPTTAB_KEY"
else
# unlock interactively or via keyscript
CRYPTTAB_NAME="$target" run_keyscript "$count" | unlock_mapping
fi
rv=$?
count=$(( $count + 1 ))
if [ $rv -ne 0 ] || ! tmpdev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then
continue
fi
if [ -n "${CRYPTTAB_OPTION_check+x}" ] && \
! "$CRYPTTAB_OPTION_check" "$tmpdev" ${CRYPTTAB_OPTION_checkargs+"$CRYPTTAB_OPTION_checkargs"}; then
log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed"
cryptsetup remove -- "$CRYPTTAB_NAME"
continue
fi
if [ "${CRYPTTAB_OPTION_swap+x}" ]; then
if out="$(/lib/cryptsetup/checks/un_blkid "$tmpdev" "" ${CRYPTTAB_OPTION_offset+"$offset_bytes"} 2>/dev/null)" ||
/lib/cryptsetup/checks/blkid "$tmpdev" swap ${CRYPTTAB_OPTION_offset+"$offset_bytes"} >/dev/null 2>&1; then
mkswap "$tmpdev" >/dev/null 2>&1
else
log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed. $CRYPTTAB_NAME contains data: $out"
cryptsetup remove -- "$CRYPTTAB_NAME"
return 1
fi
elif [ "${CRYPTTAB_OPTION_tmp+x}" ]; then
local tmpdir="$(mktemp --tmpdir="/run/cryptsetup" --directory)" rv=0
if ! mkfs -t "$CRYPTTAB_OPTION_tmp" -q "$tmpdev" >/dev/null 2>&1 ||
! mount -t "$CRYPTTAB_OPTION_tmp" "$tmpdev" "$tmpdir" ||
! chmod 1777 "$tmpdir"; then
rv=1
fi
umount "$tmpdir" || true
rmdir "$tmpdir" || true
[ $rv -eq 0 ] || return $rv
fi
if command -v udevadm >/dev/null 2>&1; then
udevadm settle
fi
dmsetup rename -- "$CRYPTTAB_NAME" "$target"
device_msg "$target" "started"
return 0
done
device_msg "$target" "failed"
return 1
}
# Removes all mappings in crypttab, except the ones holding the root
# file system or /usr
do_stop() {
local devno_rootfs devno_usr
dmsetup mknodes
log_action_begin_msg "Stopping $INITSTATE crypto disks"
devno_rootfs="$(get_mnt_devno /)" || devno_rootfs=""
devno_usr="$(get_mnt_devno /usr)" || devno_usr=""
crypttab_foreach_entry _do_stop_callback
log_action_end_msg 0
}
_do_stop_callback() {
local skip="n" devno rv=0
# traverse the device tree for each crypttab(5) entry and mark / and
# /usr holders as skipped. that's suboptimal but we can't use
# mapped device names as they might contain any character other than
# NUL. shouldn't be much overhead anyway as the device tree is
# likely not that long
foreach_cryptdev _do_stop_skipped $devno_rootfs $devno_usr
[ "$skip" = "n" ] || return $rv
if devno="$(dmsetup info -c --noheadings -o devno -- "$CRYPTTAB_NAME" 2>/dev/null)" && [ -n "$devno" ]; then
foreach_cryptdev --reverse _do_stop_remove "$devno" || rv=$? # try to remove slave devices first
fi
return $rv
}
_do_stop_skipped() {
if [ "$1" = "$CRYPTTAB_NAME" ]; then
skip="y"
fi
}
_do_stop_remove() {
local name="$1" i rv=0
for i in 1 2 4 8 16 32; do
remove_mapping "$name" 3<&- && break || rv=$?
if [ $rv -eq 1 ] || [ $rv -eq 2 -a $i -gt 16 ]; then
log_action_end_msg $rv
break
fi
log_action_cont_msg "$name busy..."
sleep $i
done
}
# device_msg([$name], $message)
# Convenience function to handle $VERBOSE
device_msg() {
local name message
if [ $# -eq 1 ]; then
name="$CRYPTTAB_NAME"
message="$1"
else
name="$1"
message="$2"
fi
if [ "$VERBOSE" != "no" ]; then
log_action_cont_msg "$name ($message)"
fi
}
# remove_mapping($target)
# Remove mapping $target
remove_mapping() {
local CRYPTTAB_NAME="$1"
if ! dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
device_msg "stopped"
return 0
fi
if [ "$(dmsetup info --noheadings -c -o subsystem -- "$CRYPTTAB_NAME")" != "CRYPT" ]; then
device_msg "error"
return 1
fi
local opencount="$(dmsetup info -c --noheadings -o open -- "$CRYPTTAB_NAME" 2>/dev/null || true)"
if [ -z "$opencount" ]; then
device_msg "error"
return 1
elif [ "$opencount" != "0" ]; then
device_msg "busy"
if [ "$INITSTATE" = "early" ] || [ "$INITSTATE" = "manual" ]; then
return 1
elif [ "$INITSTATE" = "remaining" ]; then
return 2
fi
return 0
fi
if cryptsetup remove -- "$CRYPTTAB_NAME"; then
device_msg "stopping"
return 0
else
device_msg "error"
return 1
fi
}
# vim: set filetype=sh :

251
debian/cryptsetup-bin.NEWS vendored Normal file
View file

@ -0,0 +1,251 @@
cryptsetup (2:2.7.5-1) unstable; urgency=medium
Devices using legacy hash algorithms such as whirlpool now require the
openssl-provider-legacy binary package. This is due to changes in the
OpenSSL packaging. For now that package is transitively installed, but
users relying on it are advised to mark it as manually installed with the
following command:
apt-mark manual openssl-provider-legacy
Note that hash algorithms found in the openssl-provider-legacy binary
package are deemed insecure and it is therefore advised to use another
algorithm if possible. (In that case openssl-provider-legacy can safely
be uninstalled once no other package depends on it.) The default hash
algorithms are listed in the output of `cryptsetup --help`.
-- Guilhem Moulin <guilhem@debian.org> Tue, 03 Sep 2024 12:23:09 +0200
cryptsetup (2:2.7.0~rc0-1) experimental; urgency=medium
Default cipher and password hashing for plain mode have respectively
been changed to aes-xts-plain64 and sha256 (from aes-cbc-essiv:sha256
resp. ripemd160).
The new values matches what is used for LUKS, but the change does NOT
affect LUKS volumes.
This is a backward incompatible change for plain mode when relying on
the defaults, which (for plain mode only) is strongly advised against.
For many releases the Debian wrappers found in the cryptsetup binary
package have spewed a loud warning for plain devices from crypttab(5)
where cipher= or hash= are not explicitly specified. The
cryptsetup(8) executable now issue such a warning as well.
-- Guilhem Moulin <guilhem@debian.org> Wed, 29 Nov 2023 17:19:10 +0100
cryptsetup (2:2.3.6-1+exp1) bullseye-security; urgency=high
This release fixes a key truncation issue for standalone dm-integrity
devices using HMAC integrity protection. For existing such devices
with extra long HMAC keys (typically >106 bytes of length, see
https://bugs.debian.org/949336#78 for the various corner cases), one
might need to manually truncate the key using integritysetup(8)'s
`--integrity-key-size` option in order to properly map the device
under 2:2.3.6-1+exp1 and later.
Only standalone dm-integrity devices are affected. dm-crypt devices,
including those using authenticated disk encryption, are unaffected.
-- Guilhem Moulin <guilhem@debian.org> Fri, 28 May 2021 22:54:20 +0200
cryptsetup (2:1.6.6-1) unstable; urgency=medium
The whirlpool hash implementation has been broken in gcrypt until version
1.5.3. This has been fixed in subsequent gcrypt releases. In particular,
the gcrypt version that is used by cryptsetup starting with this release,
has the bug fixed. Consequently, LUKS containers created with broken
whirlpool will fail to open from now on.
In the case that you're affected by the whirlpool bug, please read section
'8.3 Gcrypt after 1.5.3 breaks Whirlpool' of the cryptsetup FAQ at
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
carefully. It explains how to open your LUKS container and reencrypt it
afterwards.
-- Jonas Meurer <mejo@debian.org> Tue, 04 Mar 2014 23:17:37 +0100
cryptsetup (2:1.1.3-1) unstable; urgency=low
Cryptdisks init scripts changed their behaviour for failures at starting and
stopping encrypted devices. Cryptdisks init script now raises a warning for
failures at starting encrypted devices, and cryptdisks-early warns about
failures at stopping encrypted devices.
-- Jonas Meurer <mejo@debian.org> Sat, 10 Jul 2010 14:36:33 +0200
cryptsetup (2:1.1.0-1) unstable; urgency=low
The default key size for LUKS was changed from 128 to 256 bits, and default
plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256.
In case that you use plain mode encryption and don't have set cipher and hash
in /etc/crypttab, you should do so now. The new defaults are not backwards
compatible. See the manpage for crypttab(5) for further information. If your
dm-crypt setup was done by debian-installer, you can ignore that warning.
Additionally, the keyscript decrypt_gpg, which was disabled by default up to
now, has been rewritten and renamed to decrypt_gnupg. If you use a customized
version of the decrypt_gpg keyscript, please backup it before upgrading the
package.
-- Jonas Meurer <mejo@debian.org> Thu, 04 Mar 2010 17:31:40 +0100
cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low
The cryptroot initramfs hook script has been changed to include all
available crypto kernel modules in case that initramfs-tools is configured
with MODULES=most (default). See /etc/initramfs-tools/initramfs.conf for
more information.
If initramfs-tools is configured with MODULES=dep, the cryptroot hook script
still tries to detect required modules, as it did by default in the past.
-- Jonas Meurer <mejo@debian.org> Sun, 27 Sep 2009 16:49:20 +0200
cryptsetup (2:1.0.7-2) unstable; urgency=low
Checkscripts vol_id and un_vol_id have been replaced by blkid and un_blkid.
In case that you explicitly set keyscript=vol_id or keyscript=un_vol_id in
/etc/crypttab, you will need to update your /etc/crypttab manually.
Replacing 'vol_id' with 'blkid' and 'un_vol_id' with 'un_blkid' should work.
The new *blkid keyscripts are fully compatible to the old *vol_id scripts.
-- Jonas Meurer <mejo@debian.org> Sun, 23 Aug 2009 23:32:49 +0200
cryptsetup (2:1.0.6-8) unstable; urgency=low
Keyscripts inside the initramfs have been moved from /keyscripts to
/lib/cryptsetup/scripts. This way they're now available at the same location
as on the normal system.
In most cases no manual action is required. Only if you reference a keyscript
by path in some script that is included in the initramfs, then you need to
update that reference by updating the path.
-- Jonas Meurer <mejo@debian.org> Tue, 23 Dec 2008 00:43:10 +0100
cryptsetup (2:1.0.6-7) unstable; urgency=medium
Support for the timeout option has been removed from cryptdisks initscripts
in order to support splash screens and remote shells in boot process.
The implementation had been unclean and problematic anyway.
If you used the timeout option on headless systems without physical access,
then it's a much cleaner solution anyway, to use the 'noauto' option in
/etc/crypttab, and start the encrypted devices manually with
'/etc/init.d/cryptdisks force-start'.
Another approach is to start a minimal ssh-server in the initramfs and unlock
the encrypted devices after connecting to it. This even supports encrypted
root filesystems for headless server systems.
For more information, please see /usr/share/docs/cryptsetup/README.Debian.gz
-- Jonas Meurer <mejo@debian.org> Tue, 16 Dec 2008 18:37:16 +0100
cryptsetup (2:1.0.6-4) unstable; urgency=medium
The obsolete keyscript decrypt_old_ssl and the corresponding example script
gen-old-ssl-key have been removed from the package. If you're still using
them, either save a local backup of /lib/cryptsetup/scripts/decrypt_old_ssl
and put it back after the upgrade finished, or migrate your setup to use
keyscripts that are still supported.
-- Jonas Meurer <mejo@debian.org> Sun, 27 Jul 2008 16:22:57 +0200
cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low
The default hash used by the initramfs cryptroot scripts has been changed
from sha256 to ripemd160 for consistency with the cryptsetup default. If you
have followed the recommendation to configure the hash in /etc/crypttab this
change will have no effect on you.
If you set up disk encryption on your system using the Debian installer
and/or if you use LUKS encryption, everything is already set up correctly
and you don't need to do anything.
If you did *not* use the Debian installer and if you have encrypted devices
which do *not* use LUKS, you must make sure that the relevant entries in
/etc/crypttab contain a hash=<hash> setting.
-- Jonas Meurer <mejo@debian.org> Tue, 29 Jan 2008 11:46:57 +0100
cryptsetup (2:1.0.5-2) unstable; urgency=low
The vol_id and un_vol_id check scripts no longer regard minix as a valid
filesystem, since random data can be mistakenly identified as a minix
filesystem due to an inadequate signature length.
If you use minix filesystems, you should not rely on prechecks anymore.
-- Jonas Meurer <mejo@debian.org> Mon, 10 Sep 2007 14:39:44 +0200
cryptsetup (2:1.0.4+svn16-1) unstable; urgency=high
The --key-file=- argument has changed. If a --hash parameter is passed, it
will now be honoured. This means that the decrypt_derived keyscript will in
some situations create a different key than previously meaning that any swap
partitions that rely on the script will have to be recreated. To emulate the
old behaviour, make sure that you pass "--hash=plain" to cryptsetup.
-- David Härdeman <david@hardeman.nu> Tue, 21 Nov 2006 21:29:50 +0100
cryptsetup (2:1.0.4-7) unstable; urgency=low
The cryptsetup initramfs scripts now also tries to detect swap
partitions used for software suspend (swsusp/suspend2/uswsusp) and
to set them up during the initramfs stage. See README.initramfs for
more details.
-- David Härdeman <david@hardeman.nu> Mon, 13 Nov 2006 19:27:02 +0100
cryptsetup (2:1.0.4-1) unstable; urgency=low
The ssl and gpg options in /etc/crypttab have been deprecated in
favour of the keyscripts option. The options will still work, but
generate warnings. You should change any lines containing these
options to use keyscript=/lib/cryptsetup/scripts/decrypt_old_ssl or
keyscript=/lib/cryptsetup/scripts/decrypt_gpg instead as support
will be completely removed in the future.
-- David Härdeman <david@hardeman.nu> Mon, 16 Oct 2006 00:00:12 +0200
cryptsetup (2:1.0.3-4) unstable; urgency=low
Up to now, the us keymap was loaded at the passphrase prompt in the boot
process and ASCII characters were always used. With this upload this is
fixed, meaning that the correct keymap is loaded and the keyboard is
(optionally) set to UTF8 mode before the passphrase prompt.
This may result in your password not working any more in the boot process.
In this case, you should add a new key with cryptsetup luksAddKey with your
correct keymap loaded.
Additionally, all four fields are now mandatory in /etc/crypttab. An entry
which does not contain all fields will be ignored. It is recommended to
set cipher, size and hash anyway, as defaults may change in the future.
If you didn't set any of these settings yet, then you should add
cipher=aes-cbc-plain,size=128,hash=ripemd160
to the the options in /etc/crypttab. See man crypttab(5) for more details.
-- David Härdeman <david@2gen.com> Sat, 19 Aug 2006 18:08:40 +0200
cryptsetup (2:1.0.2+1.0.3-rc2-2) unstable; urgency=low
The crypttab 'retry' has been renamed to 'tries' to reflect upstream's
functionality. Default is 3 tries now, even if the option is not given.
See the crypttab.5 manpage for more information.
-- Jonas Meurer <mejo@debian.org> Fri, 28 Apr 2006 17:42:15 +0200
cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low
Since release 2:1.0.1-9, the cryptsetup package uses cryptsetup-luks as
upstream source. This is a enhanced version of plain cryptsetup which
includes support for the LUKS extension, a standard on-disk format for
hard disk encryption. Plain dm-crypt (as provided by the old cryptsetup
package) is still available, thus backwards compatibility is given.
Nevertheless it is recommended to update your encrypted partitions to
LUKS, as this implementation is more secure than the plain dm-crypt.
Another major change is the check option for crypttab. It allows to
configure checks that are run after cryptsetup has been invoked, and
prechecks to be run against the source device before cryptsetup has been
invoked. See man crypttab(5) or README.Debian for more information.
-- Jonas Meurer <mejo@debian.org> Fri, 3 Feb 2006 13:41:35 +0100

5
debian/cryptsetup-bin.install vendored Normal file
View file

@ -0,0 +1,5 @@
usr/sbin/cryptsetup
usr/sbin/integritysetup
usr/sbin/veritysetup
usr/lib/tmpfiles.d/cryptsetup.conf
usr/share/locale/*/*/*

44
debian/cryptsetup-bin.manpages vendored Normal file
View file

@ -0,0 +1,44 @@
# We don't use a glob here since we want to exclude cryptsetup-ssh.8
# which we ship in the 'cryptsetup-ssh' binary package.
# Explicitely listing all manual pages here isn't as brittle as it might
# sound since in compat >=13 dh_listing(1) fails if upstream installs
# files which aren't part of any binary package.
usr/share/man/man8/cryptsetup-benchmark.8
usr/share/man/man8/cryptsetup-bitlkDump.8
usr/share/man/man8/cryptsetup-bitlkOpen.8
usr/share/man/man8/cryptsetup-close.8
usr/share/man/man8/cryptsetup-config.8
usr/share/man/man8/cryptsetup-convert.8
usr/share/man/man8/cryptsetup-create.8
usr/share/man/man8/cryptsetup-erase.8
usr/share/man/man8/cryptsetup-fvault2Dump.8
usr/share/man/man8/cryptsetup-fvault2Open.8
usr/share/man/man8/cryptsetup-isLuks.8
usr/share/man/man8/cryptsetup-loopaesOpen.8
usr/share/man/man8/cryptsetup-luksAddKey.8
usr/share/man/man8/cryptsetup-luksChangeKey.8
usr/share/man/man8/cryptsetup-luksConvertKey.8
usr/share/man/man8/cryptsetup-luksDump.8
usr/share/man/man8/cryptsetup-luksErase.8
usr/share/man/man8/cryptsetup-luksFormat.8
usr/share/man/man8/cryptsetup-luksHeaderBackup.8
usr/share/man/man8/cryptsetup-luksHeaderRestore.8
usr/share/man/man8/cryptsetup-luksKillSlot.8
usr/share/man/man8/cryptsetup-luksOpen.8
usr/share/man/man8/cryptsetup-luksRemoveKey.8
usr/share/man/man8/cryptsetup-luksResume.8
usr/share/man/man8/cryptsetup-luksSuspend.8
usr/share/man/man8/cryptsetup-luksUUID.8
usr/share/man/man8/cryptsetup-open.8
usr/share/man/man8/cryptsetup-plainOpen.8
usr/share/man/man8/cryptsetup-reencrypt.8
usr/share/man/man8/cryptsetup-refresh.8
usr/share/man/man8/cryptsetup-repair.8
usr/share/man/man8/cryptsetup-resize.8
usr/share/man/man8/cryptsetup-status.8
usr/share/man/man8/cryptsetup-tcryptDump.8
usr/share/man/man8/cryptsetup-tcryptOpen.8
usr/share/man/man8/cryptsetup-token.8
usr/share/man/man8/cryptsetup.8
usr/share/man/man8/integritysetup.8
usr/share/man/man8/veritysetup.8

15
debian/cryptsetup-initramfs.NEWS vendored Normal file
View file

@ -0,0 +1,15 @@
cryptsetup (2:2.0.3-2) unstable; urgency=medium
In order to defeat online brute-force attacks, the initramfs boot
script sleeps for 1 second after each failed try. On the other
hand, it no longer sleeps for a full minute after exceeding the
maximum number of unlocking tries. This behavior was added in
2:1.7.3-2 as an attempt to mitigate CVE-2016-4484; to avoid dropping
to the debug shell after exceeding the maximum number of unlocking
tries, users need to use the 'panic' boot parameter and lock down
their boot loader & BIOS/UEFI.
The initramfs hook nows uses /proc/mounts instead of /etc/fstab to
detect the root device that is to be unlocked at initramfs stage.
-- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jun 2018 18:50:56 +0200

1
debian/cryptsetup-initramfs.docs vendored Normal file
View file

@ -0,0 +1 @@
debian/README.initramfs

10
debian/cryptsetup-initramfs.install vendored Normal file
View file

@ -0,0 +1,10 @@
debian/initramfs/conf-hook /etc/cryptsetup-initramfs/
debian/initramfs/conf-hooks.d/cryptsetup /usr/share/initramfs-tools/conf-hooks.d/
debian/initramfs/cryptroot-unlock /usr/share/cryptsetup/initramfs/bin/
debian/initramfs/hooks/* /usr/share/initramfs-tools/hooks/
debian/initramfs/scripts/local-block/cryptroot /usr/share/initramfs-tools/scripts/local-block/
debian/initramfs/scripts/local-bottom/cryptgnupg-sc /usr/share/initramfs-tools/scripts/local-bottom/
debian/initramfs/scripts/local-bottom/cryptopensc /usr/share/initramfs-tools/scripts/local-bottom/
debian/initramfs/scripts/local-bottom/cryptroot /usr/share/initramfs-tools/scripts/local-bottom/
debian/initramfs/scripts/local-top/cryptopensc /usr/share/initramfs-tools/scripts/local-top/
debian/initramfs/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/

6
debian/cryptsetup-initramfs.lintian-overrides vendored Normal file
View file

@ -0,0 +1,6 @@
# `cryptroot-unlock` is meant to be run from the initramfs image, using busybox's /bin/ash
unusual-interpreter /bin/busybox [usr/share/cryptsetup/initramfs/bin/cryptroot-unlock]
no-debconf-config
# valid use of Conflicts:, cf. section 7.4 of the Debian Policy
conflicts-with-version lvm2 (<< 2.03.15-1)

41
debian/cryptsetup-initramfs.postinst vendored Normal file
View file

@ -0,0 +1,41 @@
#! /bin/sh
set -e
# needed for debconf magic in prerm script
. /usr/share/debconf/confmodule
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
case "$1" in
configure)
if command -v update-initramfs >/dev/null; then
update-initramfs -u
fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0

15
debian/cryptsetup-initramfs.postrm vendored Normal file
View file

@ -0,0 +1,15 @@
#! /bin/sh
set -e
case "$1" in
remove)
if command -v update-initramfs >/dev/null; then
update-initramfs -u
fi
;;
esac
#DEBHELPER#
exit 0

29
debian/cryptsetup-initramfs.prerm vendored Normal file
View file

@ -0,0 +1,29 @@
#! /bin/sh
set -e
. /usr/share/debconf/confmodule
case "$1" in
remove)
if grep -q '^dm_mod\s' /proc/modules; then
# XXX we overshoot here, only devices that need to be present at
# initramfs stage need to be checked here
cryptmap="$(dmsetup table --target crypt | sed -n 's/:.*//p' | tr '\n' ' ')"
if [ -n "$cryptmap" ]; then
db_fset cryptsetup-initramfs/prerm_active_mappings seen false
db_subst cryptsetup-initramfs/prerm_active_mappings cryptmap "$cryptmap"
db_input high cryptsetup-initramfs/prerm_active_mappings || true
db_go || true
db_get cryptsetup-initramfs/prerm_active_mappings
if [ "$RET" = "false" ]; then
exit 1
fi
fi
fi
;;
esac
#DEBHELPER#
exit 0

9
debian/cryptsetup-initramfs.templates vendored Normal file
View file

@ -0,0 +1,9 @@
Template: cryptsetup-initramfs/prerm_active_mappings
Type: boolean
Default: true
_Description: Continue with cryptsetup-initramfs removal?
This system has unlocked dm-crypt devices: ${cryptmap}
.
If these devices are managed with cryptsetup and need to be present at
initramfs stage, then you might be unable to boot your system after the
package removal.

11
debian/cryptsetup-run.NEWS vendored Normal file
View file

@ -0,0 +1,11 @@
cryptsetup (2:2.0.3-2) unstable; urgency=medium
The 'decrypt_openct' keyscript has been removed, since openct itself
is no longer developed and was removed from Debian since Jessie.
The 'precheck' crypttab(5) option is no longer supported. The
precheck for LUKS devices is still hardcoded to `cryptsetup isLuks`;
the script refuses to unlock non-LUKS devices (plain dm-crypt and
tcrypt devices) containing a known filesystem (other that swap).
-- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jun 2018 18:49:45 +0200

2
debian/cryptsetup-ssh.install vendored Normal file
View file

@ -0,0 +1,2 @@
usr/lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.so
usr/sbin/cryptsetup-ssh

1
debian/cryptsetup-ssh.manpages vendored Normal file
View file

@ -0,0 +1 @@
usr/share/man/man8/cryptsetup-ssh.8

5
debian/cryptsetup-suspend.install vendored Normal file
View file

@ -0,0 +1,5 @@
debian/scripts/suspend/cryptsetup-suspend /usr/lib/cryptsetup/scripts/suspend/
debian/scripts/suspend/cryptsetup-suspend-wrapper /usr/lib/cryptsetup/scripts/suspend/
debian/scripts/suspend/cryptsetup-suspend.shutdown /usr/lib/systemd/system-shutdown/
debian/scripts/suspend/suspend.conf /etc/cryptsetup/
debian/scripts/suspend/systemd/cryptsetup-suspend.conf /usr/lib/systemd/system/systemd-suspend.service.d/

1
debian/cryptsetup-suspend.manpages vendored Normal file
View file

@ -0,0 +1 @@
debian/doc/cryptsetup-suspend.7

14
debian/cryptsetup-suspend.postinst vendored Normal file
View file

@ -0,0 +1,14 @@
#!/bin/sh
set -e
# dh_installsystemd(1) doesn't support overrides but we manually copy
# the snippet it would add.
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ]; then
if [ -d /run/systemd/system ]; then
systemctl --system daemon-reload >/dev/null || true
fi
fi
#DEBHELPER#
exit 0

12
debian/cryptsetup-suspend.postrm vendored Normal file
View file

@ -0,0 +1,12 @@
#!/bin/sh
set -e
# dh_installsystemd(1) doesn't support overrides but we manually copy
# the snippet it would add.
if [ -d /run/systemd/system ]; then
systemctl --system daemon-reload >/dev/null || true
fi
#DEBHELPER#
exit 0

7
debian/cryptsetup-udeb.install vendored Normal file
View file

@ -0,0 +1,7 @@
debian/askpass /usr/lib/cryptsetup/
debian/checks/* /usr/lib/cryptsetup/checks/
debian/cryptdisks-functions /usr/lib/cryptsetup/
debian/functions /usr/lib/cryptsetup/
debian/scripts/decrypt_* /usr/lib/cryptsetup/scripts/
debian/scripts/passdev /usr/lib/cryptsetup/scripts/
usr/sbin/cryptsetup

32
debian/cryptsetup-udeb.preinst vendored Normal file
View file

@ -0,0 +1,32 @@
#! /bin/sh
set -e
create_crypttab() {
if [ ! -f "/etc/crypttab" ]; then
cat <<-EOC >/etc/crypttab
# <target name> <source device> <key file> <options>
EOC
fi
}
case "$1" in
install)
create_crypttab
;;
upgrade)
;;
abort-upgrade)
;;
*)
echo "preinst called with unknown argument '$1'" >&2
exit 1
;;
esac
#DEBHELPER#
exit 0

62
debian/cryptsetup.NEWS vendored Normal file
View file

@ -0,0 +1,62 @@
cryptsetup (2:2.5.0~rc1-3) experimental; urgency=medium
The experimental SSH token handler and cryptsetup-ssh(8) utility are now
shipped in a separate binary package 'cryptsetup-ssh'. (They were first
included in cryptsetup 2:2.4.0~rc0-1+exp1 so have never been part of a
stable Debian release.) No pre-existing binary package in src:cryptsetup
declares any dependency on the new binary package so users who need
experimental SSH token support need to manually run `apt install
cryptsetup-ssh`.
-- Guilhem Moulin <guilhem@debian.org> Thu, 21 Jul 2022 20:41:20 +0200
cryptsetup (2:2.1.0-7) unstable; urgency=low
The 'cryptsetup' and 'cryptsetup-run' packages have been swapped:
'cryptsetup' now contains init scripts, libraries, keyscripts, etc.,
while 'cryptsetup-run' is a transitional dummy package depending on
'cryptsetup'.
On systems which do rely on the initramfs integration, one can mark
'cryptsetup-initramfs' as being manually installed (so APT never
selects it for auto-removal) with the following command:
apt-mark manual cryptsetup-initramfs
On the other hand, the 'cryptsetup-initramfs' package can be safely
removed on systems not relying on initramfs integration.
-- Guilhem Moulin <guilhem@debian.org> Sun, 21 Jul 2019 17:08:52 -0300
cryptsetup (2:2.0.3-2) unstable; urgency=medium
The 'decrypt_openct' keyscript has been removed, since openct itself
is no longer developed and was removed from Debian since Jessie.
In order to defeat online brute-force attacks, the initramfs boot
script sleeps for 1 second after each failed try. On the other
hand, it no longer sleeps for a full minute after exceeding the
maximum number of unlocking tries. This behavior was added in
2:1.7.3-2 as an attempt to mitigate CVE-2016-4484; to avoid dropping
to the debug shell after exceeding the maximum number of unlocking
tries, users need to use the 'panic' boot parameter and lock down
their boot loader & BIOS/UEFI.
The initramfs hook nows uses /proc/mounts instead of /etc/fstab to
detect the root device that is to be unlocked at initramfs stage.
The 'precheck' crypttab(5) option is no longer supported. The
precheck for LUKS devices is still hardcoded to `cryptsetup isLuks`;
the script refuses to unlock non-LUKS devices (plain dm-crypt and
tcrypt devices) containing a known filesystem (other that swap).
-- Guilhem Moulin <guilhem@debian.org> Tue, 22 May 2018 01:47:21 +0200
cryptsetup (2:2.0.3-1) unstable; urgency=medium
With this version, cryptsetup has been split into cryptsetup-run
(init script) and cryptsetup-initramfs (initramfs integration).
'cryptsetup' is now a transitional dummy package depending on
cryptsetup-run and cryptsetup-initramfs.
-- Guilhem Moulin <guilhem@debian.org> Wed, 16 May 2018 23:39:20 +0200

43
debian/cryptsetup.apport vendored Normal file
View file

@ -0,0 +1,43 @@
'''apport package hook for cryptsetup
(c) 2009 Author: Reinhard Tartler <siretart@tauware.de>
(c) 2015 Author: Jonas Meurer <jonas@freesources.org>
'''
from apport.hookutils import *
msg = \
"""
Providing additional information can help diagnose problems with cryptsetup.
Specifically, this would include:
- kernel cmdline (copy of /proc/cmdline).
- crypttab configuration (copy of /etc/crypttab).
- fstab configuration (copy of /etc/fstab).
If this information is not relevant for your bug report or you have privacy
concerns, please choose no.
Do you want to provide additional information?
(you will be able to review the data before it is sent)
"""
def add_info(report, ui):
attach_files = False
if ui:
if ui.yesno(msg) == None:
# user decided to cancel
raise StopIteration
# user is allowing files to be attached.
attach_files = True
if attach_files == False:
# do not attach any files
return
attach_file(report, '/proc/cmdline', 'cmdline')
attach_file(report, '/etc/fstab', 'fstab')
attach_file_if_exists(report, '/etc/crypttab', 'crypttab')

53
debian/cryptsetup.cryptdisks-early.init vendored Normal file
View file

@ -0,0 +1,53 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: cryptdisks-early
# Required-Start: checkroot
# Required-Stop: umountroot
# Should-Start: udev mdadm-raid
# Should-Stop: udev mdadm-raid
# X-Start-Before: lvm2
# X-Stop-After: lvm2 umountfs
# X-Interactive: true
# Default-Start: S
# Default-Stop: 0 6
# Short-Description: Setup early encrypted block devices.
# Description:
### END INIT INFO
set -e
if [ -r /lib/cryptsetup/cryptdisks-functions ]; then
. /lib/cryptsetup/cryptdisks-functions
else
exit 0
fi
INITSTATE="early"
DEFAULT_LOUD=""
case "$CRYPTDISKS_ENABLE" in
[Nn]*)
exit 0
;;
esac
case "$1" in
start)
do_start
;;
stop)
do_stop
;;
restart|reload|force-reload)
do_stop
do_start
;;
force-start)
FORCE_START="yes"
do_start
;;
*)
echo "Usage: cryptdisks-early {start|stop|restart|reload|force-reload|force-start}"
exit 1
;;
esac

12
debian/cryptsetup.cryptdisks.default vendored Normal file
View file

@ -0,0 +1,12 @@
# Run cryptdisks initscripts at startup? Default is Yes.
CRYPTDISKS_ENABLE=Yes
# Mountpoints to mount, before cryptsetup is invoked at initscripts. Takes
# mountpoins which are configured in /etc/fstab as arguments. Separate
# mountpoints by space.
# This is useful for keyfiles on removable media. Default is unset.
CRYPTDISKS_MOUNT=""
# Default check script. Takes effect, if the 'check' option is set in crypttab
# without a value.
CRYPTDISKS_CHECK=blkid

53
debian/cryptsetup.cryptdisks.init vendored Normal file
View file

@ -0,0 +1,53 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: cryptdisks
# Required-Start: checkroot cryptdisks-early
# Required-Stop: umountroot cryptdisks-early
# Should-Start: udev mdadm-raid lvm2
# Should-Stop: udev mdadm-raid lvm2
# X-Start-Before: checkfs
# X-Stop-After: umountfs
# X-Interactive: true
# Default-Start: S
# Default-Stop: 0 6
# Short-Description: Setup remaining encrypted block devices.
# Description:
### END INIT INFO
set -e
if [ -r /lib/cryptsetup/cryptdisks-functions ]; then
. /lib/cryptsetup/cryptdisks-functions
else
exit 0
fi
INITSTATE="remaining"
DEFAULT_LOUD="yes"
case "$CRYPTDISKS_ENABLE" in
[Nn]*)
exit 0
;;
esac
case "$1" in
start)
do_start
;;
stop)
do_stop
;;
restart|reload|force-reload)
do_stop
do_start
;;
force-start)
FORCE_START="yes"
do_start
;;
*)
echo "Usage: cryptdisks {start|stop|restart|reload|force-reload|force-start}"
exit 1
;;
esac

10
debian/cryptsetup.docs vendored Normal file
View file

@ -0,0 +1,10 @@
AUTHORS
FAQ.md
README.md
debian/README.debug
debian/README.gnupg
debian/README.gnupg-sc
debian/README.keyctl
debian/README.opensc
docs/*.txt
docs/*ReleaseNotes

1
debian/cryptsetup.examples vendored Normal file
View file

@ -0,0 +1 @@
debian/scripts/gen-ssl-key

9
debian/cryptsetup.install vendored Normal file
View file

@ -0,0 +1,9 @@
debian/askpass /usr/lib/cryptsetup/
debian/bash_completion/cryptdisks_start /usr/share/bash-completion/completions/
debian/checks/* /usr/lib/cryptsetup/checks/
debian/cryptdisks-functions /usr/lib/cryptsetup/
debian/functions /usr/lib/cryptsetup/
debian/scripts/cryptdisks_* /usr/sbin/
debian/scripts/decrypt_* /usr/lib/cryptsetup/scripts/
debian/scripts/luksformat /usr/sbin/
debian/scripts/passdev /usr/lib/cryptsetup/scripts/

1
debian/cryptsetup.links vendored Normal file
View file

@ -0,0 +1 @@
/usr/share/bash-completion/completions/cryptdisks_start /usr/share/bash-completion/completions/cryptdisks_stop

4
debian/cryptsetup.lintian-overrides vendored Normal file
View file

@ -0,0 +1,4 @@
init.d-script-does-not-implement-status-option [etc/init.d/cryptdisks]
init.d-script-does-not-implement-status-option [etc/init.d/cryptdisks-early]
no-debconf-config
cryptsetup: conflicts-with-version cryptsetup-nuke-password (<< 5~)

2
debian/cryptsetup.maintscript vendored Normal file
View file

@ -0,0 +1,2 @@
rm_conffile /etc/init/cryptdisks-udev.conf 2:2.4.0-1
rm_conffile /etc/init/cryptdisks.conf 2:2.4.0-1

2
debian/cryptsetup.manpages vendored Normal file
View file

@ -0,0 +1,2 @@
debian/doc/*.5
debian/doc/*.8

68
debian/cryptsetup.postinst vendored Normal file
View file

@ -0,0 +1,68 @@
#! /bin/sh
set -e
# needed for debconf magic in prerm script
. /usr/share/debconf/confmodule
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# begin-remove-after: released:forky
if [ "$1" = configure ] &&
[ "$(dpkg-divert --truename /usr/lib/cryptsetup/askpass)" = /usr/lib/cryptsetup/askpass.usr-is-merged ] &&
[ "$(dpkg-divert --listpackage /usr/lib/cryptsetup/askpass)" = cryptsetup-nuke-password ]; then
# /usr/lib/cryptsetup/askpass is still diverted in the same way as our
# preinst did. Conclude that cryptsetup-nuke-password was installed
# during preinst, we duplicated the diversion and now
# cryptsetup-nuke-password is removed. We have to clean up.
echo "Removing duplicated diversion of /usr/lib/cryptsetup/askpass after cryptsetup-nuke-password is removed."
dpkg-divert --rename --package cryptsetup-nuke-password \
--divert /usr/lib/cryptsetup/askpass.usr-is-merged \
--remove /usr/lib/cryptsetup/askpass
fi
# end-remove-after
case "$1" in
configure)
for file in cryptdisks_start cryptdisks_stop; do
if [ ! -e "/usr/sbin/$file" ]; then
ln -s "/sbin/$file" "/usr/sbin/$file"
fi
done
# Do a number of checks on the currently installed crypttab
. /lib/cryptsetup/functions
crypttab_foreach_entry crypttab_parse_options || true
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
# try to remove /etc/init if it exists, it's empty and isn't owned
# NOTE: this needs to placed *after* the dh_installdeb-replaced snippet
# which contains calls to `dpkg-maintscript-helper rm_conffile`
if [ "$1" = "configure" ] && [ -d /etc/init ] && dpkg --compare-versions -- "${2-}" lt "2:2.4.0-1" && \
! { dpkg-query -S /etc/init >/dev/null 2>&1 || [ $? -ne 1 ]; } then
rmdir --ignore-fail-on-non-empty /etc/init
fi
exit 0

26
debian/cryptsetup.postrm vendored Normal file
View file

@ -0,0 +1,26 @@
#! /bin/sh
set -e
case "$1" in
remove)
for file in cryptdisks_start cryptdisks_stop; do
if [ -L /usr/sbin/$file ]; then
rm /usr/sbin/$file
fi
done
;;
esac
#DEBHELPER#
# try to remove /etc/init if it exists, it's empty and isn't owned
# NOTE: this needs to placed *after* the dh_installdeb-replaced snippet
# which contains calls to `dpkg-maintscript-helper rm_conffile`
if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then
if [ -d /etc/init ] && ! { dpkg-query -S /etc/init >/dev/null 2>&1 || [ $? -ne 1 ]; } then
rmdir --ignore-fail-on-non-empty /etc/init
fi
fi
exit 0

27
debian/cryptsetup.preinst vendored Normal file
View file

@ -0,0 +1,27 @@
#!/bin/sh
set -e
if [ "$1" = install ] && [ ! -f "/etc/crypttab" ]; then
cat <<-EOC >/etc/crypttab
# <target name> <source device> <key file> <options>
EOC
fi
# begin-remove-after: released:forky
if [ "$1" = "upgrade" ] || [ "$1" = install ]; then
if [ "$(dpkg-divert --truename /lib/cryptsetup/askpass)" = /lib/cryptsetup/askpass.cryptsetup ] &&
[ "$(dpkg-divert --listpackage /lib/cryptsetup/askpass)" = cryptsetup-nuke-password ] &&
[ "$(dpkg-divert --truename /usr/lib/cryptsetup/askpass)" = /usr/lib/cryptsetup/askpass ]; then
# A pre-/usr-merge cryptsetup-nuke-password is installed.
echo "Mitigating diversion of /lib/cryptsetup/askpass on behalf of cryptsetup-nuke-password"
dpkg-divert --no-rename --package cryptsetup-nuke-password \
--divert /usr/lib/cryptsetup/askpass.usr-is-merged \
--add /usr/lib/cryptsetup/askpass
fi
fi
# end-remove-after
#DEBHELPER#
exit 0

27
debian/cryptsetup.prerm vendored Normal file
View file

@ -0,0 +1,27 @@
#! /bin/sh
set -e
. /usr/share/debconf/confmodule
case "$1" in
remove)
if grep -q '^dm_mod\s' /proc/modules; then
cryptmap="$(dmsetup table --target crypt | sed -n 's/:.*//p' | tr '\n' ' ')"
if [ -n "$cryptmap" ]; then
db_fset cryptsetup/prerm_active_mappings seen false
db_subst cryptsetup/prerm_active_mappings cryptmap "$cryptmap"
db_input high cryptsetup/prerm_active_mappings || true
db_go || true
db_get cryptsetup/prerm_active_mappings
if [ "$RET" = "false" ]; then
exit 1
fi
fi
fi
;;
esac
#DEBHELPER#
exit 0

13
debian/cryptsetup.templates vendored Normal file
View file

@ -0,0 +1,13 @@
Template: cryptsetup/prerm_active_mappings
Type: boolean
Default: true
_Description: Continue with cryptsetup removal?
This system has unlocked dm-crypt devices: ${cryptmap}
.
If these devices are managed with cryptsetup, you might be unable to
lock the devices after the package removal, though other tools can be
used for managing dm-crypt devices. Any system shutdown or reboot will
lock the devices.
.
Do not choose this option if you want to lock the dm-crypt devices
before package removal.

60
debian/doc/cryptdisks_start.xml vendored Normal file
View file

@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
<refentry id="command.cryptdisks_start">
<xi:include href="variables.xml"
xpointer="xpointer(/refentry/refentryinfo)"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
<refmeta>
<refentrytitle>cryptdisks_start</refentrytitle>
<manvolnum>8</manvolnum>
<xi:include href="variables.xml"
xpointer="xpointer(/refentry/refmeta/*)"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
</refmeta>
<refnamediv>
<refname>cryptdisks_start</refname>
<refpurpose>wrapper around cryptsetup that parses /etc/crypttab.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<simpara>
<emphasis role="strong">cryptdisks_start</emphasis>
<emphasis>&lt;name&gt;</emphasis>
</simpara>
</refsynopsisdiv>
<refsect1 id="cryptdisks_start.description">
<title>DESCRIPTION</title>
<simpara>
<emphasis role="strong">cryptdisks_start</emphasis> is a wrapper around
<emphasis role="strong">cryptsetup</emphasis> that parses
<emphasis role="strong">/etc/crypttab</emphasis> just like the initscript
/etc/init.d/cryptdisks does and starts the dm-crypt mapping that
corresponds to <emphasis>&lt;name&gt;</emphasis>.
</simpara>
<simpara>
Note that this wrapper passes <option>--key-file=-</option> to
<command moreinfo="refentry">cryptsetup</command>, so the passphrase
in any referenced key file must not be followed by a newline character.
</simpara>
</refsect1>
<refsect1 id="cryptdisks_start.see_also">
<title>SEE ALSO</title>
<simpara>
<emphasis>cryptdisks_stop</emphasis>(8),
<emphasis>cryptsetup</emphasis>(8), <emphasis>crypttab</emphasis>(5)
</simpara>
</refsect1>
<refsect1 id="cryptdisks_start.author">
<title>AUTHOR</title><simpara>This manual page was written by Jonas Meurer
&lt;mejo@debian.org&gt; in December 2007.
</simpara>
</refsect1>
</refentry>

55
debian/doc/cryptdisks_stop.xml vendored Normal file
View file

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
<refentry id="command.cryptdisks_stop">
<xi:include href="variables.xml"
xpointer="xpointer(/refentry/refentryinfo)"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
<refmeta>
<refentrytitle>cryptdisks_stop</refentrytitle>
<manvolnum>8</manvolnum>
<xi:include href="variables.xml"
xpointer="xpointer(/refentry/refmeta/*)"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
</refmeta>
<refnamediv>
<refname>cryptdisks_stop</refname>
<refpurpose>wrapper around cryptsetup that parses /etc/crypttab.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<simpara>
<emphasis role="strong">cryptdisks_stop</emphasis>
<emphasis>&lt;name&gt;</emphasis>
</simpara>
</refsynopsisdiv>
<refsect1 id="cryptdisks_stop.description">
<title>DESCRIPTION</title>
<simpara>
<emphasis role="strong">cryptdisks_stop</emphasis> is a wrapper around
<emphasis role="strong">cryptsetup</emphasis> that parses
<emphasis role="strong">/etc/crypttab</emphasis> just like the initscript
/etc/init.d/cryptdisks does and stops the dm-crypt mapping that corresponds
to <emphasis>&lt;name&gt;</emphasis>.
</simpara>
</refsect1>
<refsect1 id="cryptdisks_stop.see_also">
<title>SEE ALSO</title>
<simpara>
<emphasis>cryptdisks_start</emphasis>(8),
<emphasis>cryptsetup</emphasis>(8), <emphasis>crypttab</emphasis>(5)
</simpara>
</refsect1>
<refsect1 id="cryptdisks_stop.author">
<title>AUTHOR</title><simpara>This manual page was written by Jonas Meurer
&lt;mejo@debian.org&gt; in January 2008.
</simpara>
</refsect1>
</refentry>

120
debian/doc/cryptsetup-suspend.xml vendored Normal file
View file

@ -0,0 +1,120 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
<refentry id="overview.cryptsetup-suspend">
<xi:include href="variables.xml"
xpointer="xpointer(/refentry/refentryinfo)"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
<refmeta>
<refentrytitle>cryptsetup-suspend</refentrytitle>
<manvolnum>7</manvolnum>
<xi:include href="variables.xml"
xpointer="xpointer(/refentry/refmeta/*)"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
</refmeta>
<refnamediv>
<refname>cryptsetup-suspend</refname>
<refpurpose>automatically suspend LUKS devices on system suspend</refpurpose>
</refnamediv>
<refsect1 id="cryptsetup-suspend.description">
<title>DESCRIPTION</title>
<simpara>
<emphasis>cryptsetup-suspend</emphasis> brings support to automatically
suspend LUKS devices before entering system suspend mode. Devices will be
unlocked at system resume time, asking for passwords if required.
The feature is enabled automatically by installing the
<emphasis>cryptsetup-suspend</emphasis> package. No further configuration
is required.
</simpara>
<simpara>
<emphasis>cryptsetup-suspend</emphasis> supports all setups of LUKS
devices that are supported by the <emphasis>cryptsetup</emphasis>
packages. To do so, it depends on scripts from the Debian package
<emphasis>cryptsetup-initramfs</emphasis>. See the
<reference>INTERNALS</reference> section about details on how it works.
</simpara>
</refsect1>
<refsect1 id="cryptsetup-suspend.security-aspects">
<title>SECURITY ASPECTS</title>
<simpara>
Suspending LUKS devices basically means to remove the corresponding
encryption keys from system memory. This protects against all sort of
attacks that try to read out the memory from a suspended system, like
for example cold-boot attacks.
</simpara>
<simpara>
<emphasis>cryptsetup-suspend</emphasis> protects <emphasis>only</emphasis>
the encryption keys of your LUKS devices against being read from the
memory. Most likely there's more sensitive data in system memory, be
it other kinds of private keys (e.g. OpenPGP, OpenSSH) or any kind
of documents with sensitive content.
</simpara>
<simpara>
The initramfs image is extracted in memory and left unencrypted (see the
<reference>INTERNALS</reference> section) so all key material it might
include, for instance key files copied using the hooks'
<emphasis>KEYFILE_PATTERN=</emphasis> option, will remain unprotected.
</simpara>
</refsect1>
<refsect1 id="cryptsetup-suspend.limitations">
<title>LIMITATIONS</title>
<simpara>
The <emphasis>cryptsetup-suspend</emphasis> feature is limited to LUKS
devices and doesn't work with <emphasis>plain dm-crypt</emphasis> or
<emphasis>tcrypt</emphasis> devices.
</simpara>
</refsect1>
<refsect1 id="cryptsetup-suspend.internals">
<title>INTERNALS</title>
<simpara>
<emphasis>cryptsetup-suspend</emphasis> consists of three parts:
<simplelist type="inline">
<member>
<command>cryptsetup-suspend</command>: A c program that takes a list
of LUKS devices as arguments, suspends them via
<emphasis>luksSuspend</emphasis> and suspends the system afterwards.
</member>
<member>
<command>cryptsetup-suspend-wrapper</command>: A shell wrapper script
which works the following way:
<simplelist type="inline">
<member>1. Disable swap and extract the initramfs into a tmpfs (the chroot)</member>
<member>2. Run (systemd) pre-suspend scripts, stop udev, freeze cgroups</member>
<member>3. run cryptsetup-suspend in chroot</member>
<member>4. resume initramfs devices inside chroot after resume</member>
<member>5. resume non-initramfs devices outside chroot</member>
<member>6. thaw groups, start udev, run (systemd) post-suspend scripts</member>
<member>7. Unmount the tmpfs and re-enable swap</member>
</simplelist>
</member>
<member>
A systemd unit drop-in file that overrides the Exec property of
<filename class="devicefile">systemd-suspend.service</filename> so that
it invokes the script <command>cryptsetup-suspend-wrapper</command>.
</member>
</simplelist>
</simpara>
</refsect1>
<refsect1 id="cryptsetup-suspend.see_also">
<title>SEE ALSO</title>
<simpara>
<emphasis>cryptsetup</emphasis>(8), <emphasis>crypttab</emphasis>(5)
</simpara>
</refsect1>
<refsect1 id="cryptsetup-suspend.author">
<title>AUTHOR</title><simpara>This manual page was written by Jonas Meurer
&lt;jonas@freesources.org&gt; in December 2019.
</simpara>
</refsect1>
</refentry>

771
debian/doc/crypttab.xml vendored Normal file
View file

@ -0,0 +1,771 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
<refentry id="file.crypttab">
<xi:include href="variables.xml"
xpointer="xpointer(/refentry/refentryinfo)"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
<refmeta>
<refentrytitle>crypttab</refentrytitle>
<manvolnum>5</manvolnum>
<xi:include href="variables.xml"
xpointer="xpointer(/refentry/refmeta/*)"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
</refmeta>
<refnamediv>
<refname>crypttab</refname>
<refpurpose>static information about encrypted filesystems</refpurpose>
</refnamediv>
<refsect1 id="crypttab.description">
<title>DESCRIPTION</title>
<simpara>
The file <filename>/etc/crypttab</filename> contains descriptive
information about encrypted devices. <filename>crypttab</filename>
is only read by programs (e.g.
<command moreinfo="refentry">cryptdisks_start</command> and
<command moreinfo="refentry">cryptdisks_stop</command>),
and not written; it is the duty of the system
administrator to properly create and maintain this file.
<filename>crypttab</filename> entries are treated sequentially, so their
order matters (dependencies need to listed first).
</simpara>
<simpara>
Each encrypted device is described on a separate line. Fields on each line
are separated by tabs or spaces. Lines starting with '#' are comments, and blank
lines are ignored.
Octal sequences <code>\0</code><emphasis>num</emphasis> within a field are
decoded, which can be used for values containing spaces or special characters.
A backslash which doesn't start an octal sequence yields undefined behavior.
</simpara>
<simpara>
The first field, <emphasis>target</emphasis>, describes the mapped
device name. It must be a plain filename without any directory components.
A mapped device which encrypts/decrypts data to/from the <emphasis>source
device</emphasis> will be created at
<filename class="devicefile">/dev/mapper/target</filename> by
<command moreinfo="refentry">cryptsetup</command>.
</simpara>
<simpara>
The second field, <emphasis>source device</emphasis>, describes either the
block special device or file that contains the encrypted data. Instead of
giving the <emphasis>source device</emphasis> explicitly, the UUID
(resp. LABEL, PARTUUID and PARTLABEL) is supported as well, using <quote>UUID=&lt;uuid&gt;</quote>
(resp. <quote>LABEL=&lt;label&gt;</quote>, <quote>PARTUUID=&lt;partuuid&gt;</quote>
and <quote>PARTLABEL=&lt;partlabel&gt;</quote>).
</simpara>
<simpara>
The third field, <emphasis>key file</emphasis>, describes the file to use
as a key for decrypting the data of the <emphasis>source device</emphasis>.
In case of a <emphasis>keyscript</emphasis>, the value of this field is
given as argument to the keyscript.
Note that the <emphasis>entire</emphasis> key file will be used as the
passphrase; the passphrase must <emphasis>not</emphasis> be followed by a
newline character.
</simpara>
<simpara>
It can also be a device name (e.g.
<filename class="devicefile">/dev/urandom</filename>), note however that
LUKS requires a persistent key and therefore does <emphasis>not</emphasis>
support random data keys.
</simpara>
<simpara>
If the <emphasis>key file</emphasis> is the string
<emphasis>none</emphasis>, a passphrase will be read interactively from the
console. In this case, the options check, checkargs and tries may be
useful.
</simpara>
<simpara>
The fourth field, <emphasis>options</emphasis>, is an optional comma-separated
list of options and/or flags describing the device type (<emphasis>luks</emphasis>,
<emphasis>tcrypt</emphasis>, <emphasis>bitlk</emphasis>, <emphasis>fvault2</emphasis>,
or <emphasis>plain</emphasis> which is also the default) and cryptsetup options
associated with the encryption process.
The supported options are described below.
For plain dm-crypt devices the <emphasis>cipher</emphasis>, <emphasis>hash</emphasis>
and <emphasis>size</emphasis> options are required.
Some options can be changed on active mappings using
<command>cryptsetup refresh [&lt;options&gt;] &lt;name&gt;</command>.
Furthermore some options can be permanently written into metadata of LUKS2
headers using cryptsetup's <emphasis>--persistent</emphasis> flag.
</simpara>
<simpara>
Note that the first three fields are required and that a missing field will lead
to unspecified behaviour.
</simpara>
</refsect1>
<refsect1 id="crypttab.implementations">
<title>ON DIFFERENT CRYPTTAB FORMATS</title>
<simpara>
Please note that there are several independent cryptsetup wrappers with
their own <emphasis>crypttab</emphasis> format. This manpage covers
Debian's implementation for <emphasis>initramfs</emphasis> scripts and
<emphasis>SysVinit</emphasis> init scripts. <emphasis>systemd</emphasis>
brings its own <emphasis>crypttab</emphasis> implementation.
We try to cover the differences between the <emphasis>systemd</emphasis> and
our implementation in this manpage, but if in doubt, better check the
<emphasis>systemd</emphasis>
<citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
manpage, e.g. online at
<ulink url="https://www.freedesktop.org/software/systemd/man/crypttab.html"/>.
</simpara>
</refsect1>
<refsect1 id="crypttab.options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term><emphasis>cipher</emphasis>=&lt;cipher&gt;</term>
<listitem>
<simpara>
Encryption algorithm (ignored for LUKS and TCRYPT devices). See
<command>cryptsetup -c</command>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>size</emphasis>=&lt;size&gt;</term>
<listitem>
<simpara>
Encryption key size (ignored for LUKS and TCRYPT devices). See
<command>cryptsetup -s</command>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>sector-size</emphasis>=&lt;bytes&gt;</term>
<listitem>
<simpara>
Sector size. See
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this option.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>hash</emphasis>=&lt;hash&gt;</term>
<listitem>
<simpara>
Hash algorithm (ignored for LUKS and TCRYPT devices). See
<command>cryptsetup -h</command>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>offset</emphasis>=&lt;offset&gt;</term>
<listitem>
<simpara>
Start offset (ignored for LUKS and TCRYPT devices). Uses
<emphasis role="strong">cryptsetup -o</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>skip</emphasis>=&lt;skip&gt;</term>
<listitem>
<simpara>
Skip sectors at the beginning (ignored for LUKS and TCRYPT devices).
Uses <emphasis role="strong">cryptsetup -p</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>keyfile-offset</emphasis>=&lt;keyfile-offset&gt;</term>
<listitem>
<simpara>
Specifies the number of bytes to skip at the start of the key file.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>keyfile-size</emphasis>=&lt;keyfile-size&gt;</term>
<listitem>
<simpara>
Specifies the maximum number of bytes to read from the key file.
The default is to read the whole file up to the compiled-in maximum,
that can be queried with <emphasis role="strong">cryptsetup --help</emphasis>.
This option is ignored for plain dm-crypt devices, as the key file
size is then given by the encryption key size (option
<emphasis>size</emphasis>).
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>keyslot</emphasis>=&lt;slot&gt;, <emphasis>key-slot</emphasis>=&lt;slot&gt;</term>
<listitem>
<simpara>
Key slot (ignored for non-LUKS devices). See <command>cryptsetup
-S</command>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>header</emphasis>=&lt;path&gt;</term>
<listitem>
<simpara>
Detached header file (ignored for plain dm-crypt devices). See
<command>cryptsetup --header</command>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>verify</emphasis></term>
<listitem>
<simpara>
Verify password. Uses <emphasis role="strong">cryptsetup -y</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>readonly</emphasis>, <emphasis>read-only</emphasis></term>
<listitem>
<simpara>Set up a read-only mapping.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>tries</emphasis>=&lt;num&gt;</term>
<listitem>
<simpara>Try to unlock the device &lt;num&gt; before failing. It's
particularly useful when using a passphrase or a
<emphasis>keyscript</emphasis> that asks for interactive input. If you
want to disable retries, pass <quote>tries=1</quote>. Default is
<quote>3</quote>. Setting <quote>tries=0</quote> means infinitive
retries.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>discard</emphasis></term>
<listitem>
<simpara>Allow using of discards (TRIM) requests for device.</simpara>
<simpara>Starting with Debian 10 (Buster), this option is added per
default to new dm-crypt devices by the Debian Installer. If you
don't care about leaking access patterns (filesystem type, used
space) and don't have hidden truecrypt volumes inside this volume,
then it should be safe to enable this option. See the following
warning for further information.</simpara>
<simpara><emphasis role="strong">WARNING</emphasis>: Assess the
specific security risks carefully before enabling this option.
For example, allowing discards on encrypted devices may lead to
the leak of information about the ciphertext device (filesystem
type, used space etc.) if the discarded blocks can be located
easily on the device later.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>luks</emphasis></term>
<listitem>
<simpara>Force LUKS mode. When this mode is used, the following options
are ignored since they are provided by the LUKS header on the device:
<emphasis>cipher=</emphasis>, <emphasis>hash=</emphasis>,
<emphasis>size=</emphasis></simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>plain</emphasis></term>
<listitem>
<simpara>Force plain encryption mode.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>bitlk</emphasis></term>
<listitem>
<simpara>
Force BITLK (Windows BitLocker-compatible) mode.
WARNING: <emphasis>crypttab</emphasis> support is currently experimental.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>fvault2</emphasis></term>
<listitem>
<simpara>
Force Apple's FileVault2 mode.
Only the (legacy) FileVault2 format based on Core Storage and HFS+
filesystem (introduced in MacOS X 10.7 Lion) is currently supported;
the new version of FileVault based on the APFS filesystem used in
recent macOS versions is not supported.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>tcrypt</emphasis></term>
<listitem>
<simpara>Use TrueCrypt encryption mode. When this mode is used, the
following options are ignored since they are provided by the TrueCrypt
header on the device or do not apply: <emphasis>cipher=</emphasis>,
<emphasis>hash=</emphasis>, <emphasis>keyfile-offset=</emphasis>,
<emphasis>keyfile-size=</emphasis>, <emphasis>size=</emphasis></simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>veracrypt</emphasis>, <emphasis>tcrypt-veracrypt</emphasis></term>
<listitem>
<simpara>
Use VeraCrypt extension to TrueCrypt device. Only useful in
conjunction with <emphasis>tcrypt</emphasis> option (ignored for
non-TrueCrypt devices).
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>tcrypthidden</emphasis>, <emphasis>tcrypt-hidden</emphasis></term>
<listitem>
<simpara>
Use hidden TCRYPT header (ignored for non-TCRYPT devices).
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>same-cpu-crypt</emphasis></term>
<listitem>
<simpara>
Perform encryption using the same cpu that IO was submitted on.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>submit-from-crypt-cpus</emphasis></term>
<listitem>
<simpara>
Disable offloading writes to a separate thread after encryption.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>no-read-workqueue</emphasis>, <emphasis>no-write-workqueue</emphasis></term>
<listitem>
<simpara>
Bypass dm-crypt internal workqueue and process read or write requests synchronously.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>swap</emphasis></term>
<listitem>
<simpara>
Run <command moreinfo="refentry">mkswap</command> on the created device.
</simpara>
<simpara>
This option is ignored for <emphasis>initramfs</emphasis> devices.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>tmp</emphasis>[=&lt;tmpfs&gt;]</term>
<listitem>
<simpara>
Run <command moreinfo="refentry">mkfs</command> with filesystem type
&lt;tmpfs&gt; (or ext4 if omitted) on the created device.
</simpara>
<simpara>
This option is ignored for <emphasis>initramfs</emphasis> devices.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>check</emphasis>[=&lt;check&gt;]</term>
<listitem>
<simpara>Check the content of the target device by a suitable program; if
the check fails, the device is closed immediately. The program is being
run with decrypted volume (target device) as first positional argument and,
if the <emphasis>checkargs</emphasis> option is used, its value as second
argument. See the CHECKSCRIPTS section for more information.
</simpara>
<simpara>The program is either specified by full path or relative to
<filename class="directory">/lib/cryptsetup/checks/</filename>.
If omitted, then the value of $CRYPTDISKS_CHECK set in
<filename>/etc/default/cryptdisks</filename> is used
(<filename>blkid</filename> by default).
</simpara>
<simpara>
This option is specific to the Debian <emphasis>crypttab</emphasis>
format. It's not supported by <emphasis>systemd</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>checkargs</emphasis>=&lt;arguments&gt;</term>
<listitem>
<simpara>Give &lt;arguments&gt; as the second argument to the check
script. See the CHECKSCRIPTS section for more information.
</simpara>
</listitem>
<simpara>
This option is specific to the Debian <emphasis>crypttab</emphasis>
format. It's not supported by <emphasis>systemd</emphasis>.
</simpara>
</varlistentry>
<varlistentry>
<term><emphasis>initramfs</emphasis></term>
<listitem>
<simpara>The initramfs hook processes the root device, any resume devices
and any devices with the <emphasis>initramfs</emphasis> option set. These
devices are processed within the initramfs stage of boot. As an example,
that allows the use of remote unlocking using dropbear.
</simpara>
<simpara>
This option is specific to the Debian <emphasis>crypttab</emphasis>
format. It's not supported by <emphasis>systemd</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>noearly</emphasis></term>
<listitem>
<simpara>The cryptsetup init scripts are invoked twice during the boot
process - once before lvm, raid, etc. are started and once again after
that. Sometimes you need to start your encrypted disks in a special
order. With this option the device is ignored during the first invocation
of the cryptsetup init scripts.
</simpara>
<simpara>
This option is ignored for <emphasis>initramfs</emphasis> devices and
specific to the Debian <emphasis>crypttab</emphasis> format. It's not
supported by <emphasis>systemd</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>noauto</emphasis></term>
<listitem>
<simpara>Entirely ignore the device at the boot process. It's still
possible to map the device manually using cryptdisks_start.
</simpara>
<simpara>
This option is ignored for <emphasis>initramfs</emphasis> devices and
specific to the Debian <emphasis>crypttab</emphasis> format.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>loud</emphasis></term>
<listitem>
<simpara>Be loud. Print warnings if a device does not exist.
This option overrides the option <emphasis>quiet</emphasis>.</simpara>
<simpara>
This option is ignored for <emphasis>initramfs</emphasis> devices and
specific to the Debian <emphasis>crypttab</emphasis> format. It's not
supported by <emphasis>systemd</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>quiet</emphasis></term>
<listitem>
<simpara>Be quiet. Don't print warnings if a device does not exist.
This option overrides the option <emphasis>loud</emphasis>.</simpara>
<simpara>
This option is ignored for <emphasis>initramfs</emphasis> devices and
specific to the Debian <emphasis>crypttab</emphasis> format. It's not
supported by <emphasis>systemd</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>keyscript</emphasis>=&lt;path&gt;</term>
<listitem>
<simpara>
The executable at the indicated path is executed with the value of the
<emphasis>third field</emphasis> as only argument. The keyscript's standard
output is passed to cryptsetup as decyption key. Its exit status is currently
ignored, but no assumption should be made in that regard.
When used in initramfs, the executable either needs to be self-contained
(i.e. doesn't rely on any external program which is not present in the
initramfs environment) or the dependencies have to added to the initramfs
image by other means.
The program is either specified by full path or relative to
<filename class="directory">/lib/cryptsetup/scripts/</filename>.
</simpara>
<simpara>
LIMITATIONS: All binaries and files on which the keyscript depends must
be available at the time of execution. Special care needs to be taken for
encrypted filesystems like /usr or /var. As an example, unlocking
encrypted /usr must not depend on binaries from /usr/(s)bin.
</simpara>
<simpara>
This option is specific to the Debian <emphasis>crypttab</emphasis>
format. It's not supported by <emphasis>systemd</emphasis>.
</simpara>
<simpara>
WARNING: With systemd as init system, this option might be ignored. At
the time this is written (December 2016), the systemd cryptsetup helper
doesn't support the keyscript option to /etc/crypttab. For the time
being, the only option to use keyscripts along with systemd is to force
processing of the corresponding crypto devices in the initramfs. See the
'initramfs' option for further information.
</simpara>
<para>
All fields of the appropriate crypttab entry are available to the
keyscript as exported environment variables:
<variablelist>
<varlistentry>
<term>CRYPTTAB_NAME, _CRYPTTAB_NAME</term>
<listitem><para>
The target name (after resp. before octal sequence decoding).
</para></listitem>
</varlistentry>
<varlistentry>
<term>CRYPTTAB_SOURCE, _CRYPTTAB_SOURCE</term>
<listitem><para>
The source device (after resp. before octal sequence decoding and device resolution).
</para></listitem>
</varlistentry>
<varlistentry>
<term>CRYPTTAB_KEY, _CRYPTTAB_KEY</term>
<listitem><para>
The value of the third field (after resp. before octal sequence decoding).
</para></listitem>
</varlistentry>
<varlistentry>
<term>CRYPTTAB_OPTIONS, _CRYPTTAB_OPTIONS</term>
<listitem><para>
A list of exported crypttab options (after resp. before octal sequence decoding).
</para></listitem>
</varlistentry>
<varlistentry>
<term>CRYPTTAB_OPTION_&lt;option&gt;</term>
<listitem><para>
The value of the appropriate crypttab option, with value set to 'yes'
in case the option is merely a flag.
For option aliases, such as 'readonly' and 'read-only', the
variable name refers to the first alternative listed (thus
'CRYPTTAB_OPTION_readonly' in that case).
If the crypttab option name contains '-' characters, then they
are replaced with '_' in the exported variable name. For
instance, the value of the 'CRYPTTAB_OPTION_keyfile_offset'
environment variable is set to the value of the
'keyfile-offset' crypttab option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>CRYPTTAB_TRIED</term>
<listitem><para>
Number of previous tries since start of cryptdisks (counts until
maximum number of tries is reached).
</para></listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="crypttab.checkscripts">
<title>CHECKSCRIPTS</title>
<variablelist>
<varlistentry>
<term><emphasis>blkid</emphasis></term>
<listitem>
<simpara>Checks for any known filesystem. Supports a filesystem type as
argument via &lt;checkargs&gt;:
</simpara>
<itemizedlist>
<listitem><para>
no checkargs - succeeds if any valid filesystem is found on the device.
</para></listitem>
<listitem><para>
"none" - succeeds if no valid filesystem is found on the device.
</para></listitem>
<listitem><para>
"ext4" [or another filesystem type like xfs, swap, crypto_LUKS, ...] -
succeeds if ext4 filesystem is found on the device.
</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>un_blkid</emphasis></term>
<listitem>
<simpara>Checks for no known filesystem. Supports a filesystem type as
argument via &lt;checkargs&gt;:
</simpara>
<itemizedlist>
<listitem><para>
no checkargs - succeeds if no valid filesystem is found on the device.
</para></listitem>
<listitem><para>
"ext4" [or another filesystem type like xfs, swap, crypto_LUKS, ...] -
succeeds if no ext4 filesystem is found on the device.
</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="crypttab.examples">
<title>EXAMPLES</title>
<para>
<screen>
# Encrypted swap device
cswap /dev/sda6 /dev/urandom plain,cipher=aes-xts-plain64,size=256,hash=sha1,swap
# Encrypted LUKS disk with interactive password, identified by its UUID, discard enabled
cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks,discard
# Encrypted TCRYPT disk with interactive password, discard enabled
tdisk0 /dev/sr0 none tcrypt,discard
# Encrypted ext4 disk with interactive password, discard enabled
# - retry 5 times if the check fails
cdisk1 /dev/sda2 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check,checkargs=ext4,tries=5,discard
# Encrypted disk with interactive password, discard enabled
# - use a nondefault check script
# - no retries
cdisk2 /dev/sdc1 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check=customscript,tries=1,discard
# Encrypted disk with interactive password, discard enabled
# - Twofish as the cipher, RIPEMD-160 as the hash
cdisk3 /dev/sda3 none plain,cipher=twofish,size=256,hash=ripemd160,discard
</screen>
</para>
</refsect1>
<refsect1 id="crypttab.environment">
<title>ENVIRONMENT</title>
<variablelist>
<varlistentry>
<term><emphasis>CRYPTDISKS_ENABLE</emphasis></term>
<listitem>
<simpara>
Set to <emphasis>yes</emphasis> to run cryptdisks initscripts at startup.
Set to <emphasis>no</emphasis> to disable cryptdisks initscripts. Default
is <emphasis>yes</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>CRYPTDISKS_MOUNT</emphasis></term>
<listitem>
<simpara>Specifies the mountpoints that are mounted before cryptdisks is
invoked. Takes mountpoints configured in /etc/fstab as arguments. Separate
mountpoints by space.
This is useful for keys on removable devices, such as cdrom, usbstick,
flashcard, etc. Default is unset.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>CRYPTDISKS_CHECK</emphasis></term>
<listitem>
<simpara>Specifies the default checkscript to be run against the target
device, after cryptdisks has been invoked. The target device is passed as
the first and only argument to the checkscript. Takes effect if the
<emphasis>check</emphasis> option is given in crypttab with no value. See
documentation for <emphasis>check</emphasis> option above for more
information.
</simpara>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="crypttab.known_upgrade_issues">
<title>KNOWN UPGRADE ISSUES</title>
<simpara>
The upstream defaults for encryption cipher, hash and keysize have changed
several times in the past, and they're expected to change again in future,
for example if security issues arise.
On LUKS devices, the used settings are stored in the LUKS header, and thus
don't need to be configured in <filename>/etc/crypttab</filename>. For plain
dm-crypt devices, no information about used cipher, hash and keysize are
available at all.
Therefore we strongly suggest to configure the cipher, hash and keysize in
<filename>/etc/crypttab</filename> for plain dm-crypt devices, even if they
match the current default.
</simpara>
</refsect1>
<refsect1 id="crypttab.see_also">
<title>SEE ALSO</title>
<simplelist type="inline">
<member><command moreinfo="refentry">cryptsetup</command>(8)</member>
<member><command moreinfo="refentry">cryptdisks_start</command>(8)</member>
<member><command moreinfo="refentry">cryptdisks_stop</command>(8)</member>
<member><filename>/usr/share/doc/cryptsetup-initramfs/README.initramfs.gz</filename></member>
</simplelist>
</refsect1>
<refsect1 id="crypttab.author">
<title>AUTHOR</title>
<simpara>
This manual page was originally written by
<author>
<firstname>Bastian</firstname>
<surname>Kleineidam</surname>
</author>
<email>calvin@debian.org</email>
for the Debian distribution of cryptsetup. It has been further improved by
<author>
<firstname>Michael</firstname>
<surname>Gebetsroither</surname>
</author>
<email>michael.geb@gmx.at</email>,
<author>
<firstname>David</firstname>
<surname>Härdeman</surname>
</author>
<email>david@hardeman.nu</email>
and
<author>
<firstname>Jonas</firstname>
<surname>Meurer</surname>
</author>
<email>jonas@freesources.org</email>.
</simpara>
</refsect1>
</refentry>

10
debian/doc/manpages.xml vendored Normal file
View file

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
<reference>
<title>Manual Pages</title>
<xi:include href="cryptdisks_start.xml" xpointer="command.cryptdisks_start" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="cryptdisks_stop.xml" xpointer="command.cryptdisks_stop" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="cryptsetup-suspend.xml" xpointer="overview.cryptsetup-suspend" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="crypttab.xml" xpointer="file.crypttab" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</reference>

536
debian/doc/pandoc/encrypted-boot.md vendored Normal file
View file

@ -0,0 +1,536 @@
% Full disk encryption, including `/boot`: Unlocking LUKS devices from GRUB
Introduction
============
So called “full disk encryption” is often a misnomer, because there is
typically a separate plaintext partition holding `/boot`. For instance
the Debian Installer does this in its “encrypted LVM” partitioning method.
Since not all bootloaders are able to unlock LUKS devices, a plaintext
`/boot` is the only solution that works for all of them.
However, GRUB2 is (since Jessie) able to unlock LUKS devices with its
[`cryptomount`](https://www.gnu.org/software/grub/manual/grub/html_node/cryptomount.html)
command, which therefore enables encryption of the `/boot` partition as
well: using that feature reduces the amount of plaintext data written to
disk. It is especially interesting when GRUB is installed to a read-only
media, for instance as [coreboot payload](https://doc.coreboot.org/payloads.html#grub2)
flashed to a write-protected chip. On the other hand, it is *incompatible*
with some other features that only enabled later at initramfs stage, such
as splash screens or remote unlocking.
Since enabling unlocking LUKS devices from GRUB [isn't exposed to the d-i
interface](https://bugs.debian.org/814798) (as of Buster), people have
come up with various custom workarounds. But as of Buster [`cryptsetup`(8)]
defaults to a new [LUKS header format version](https://gitlab.com/cryptsetup/LUKS2-docs),
which isn't supported by GRUB as of 2.04. **Hence the pre-Buster
workarounds won't work anymore**. Until LUKS *version2* support is
[added to GRUB2](https://savannah.gnu.org/bugs/?55093), the device(s)
holding `/boot` needs to be in *LUKS format version1* to be unlocked from
the boot loader.
This document describes a generic way to unlock LUKS devices from GRUB
for Debian Buster.
Encrypting the device holding `/boot`
=====================================
There are two alternatives here:
* Either format an existing `/boot` partition to LUKS1; or
* Move `/boot` to the root file system. The root device(s) needs to
use LUKS version 1, but existing LUKS2 devices can be *converted*
(in-place) to LUKS1.
These two alternatives are described in the two following sub-sections.
We assume the system resides on a single drive `/dev/sda`, partitioned
with d-i's “encrypted LVM” scheme:
root@debian:~# lsblk -o NAME,FSTYPE,MOUNTPOINT /dev/sda
NAME FSTYPE MOUNTPOINT
sda
├─sda1 ext2 /boot
├─sda2
└─sda5 crypto_LUKS
└─sda5_crypt LVM2_member
├─debian--vg-root ext4 /
└─debian--vg-swap_1 swap [SWAP]
*Note*: The partition layout of your system may differ.
Formatting the existing `/boot` partition to LUKS1
--------------------------------------------------
Since the installer creates a separate (plaintext) `/boot` partition by
default in its “encrypted LVM” partitioning method, the simplest
solution is arguably to re-format it as LUKS1, especially if the root
device is in LUKS2 format.
That way other partitions, including the one holding the root file
system, can remain in LUKS2 format and benefit from the *stronger
security guaranties* and *convenience features* of the newer version:
more secure (memory-hard) Key Derivation Function, backup header,
ability to offload the volume key to the kernel keyring (thus preventing
access from userspace), custom sector size, persistent flags, unattended
unlocking via kernel keyring tokens, etc.
Furthermore every command in this sub-section can be run from the main
system: no need to reboot into a live CD or an initramfs shell.
1. Before copying content of the `/boot` directory, remount it read-only
to make sure data is not modified while it's being copied.
root@debian:~# mount -oremount,ro /boot
2. Archive the directory elsewhere (on another device), and unmount it
afterwards.
root@debian:~# install -m0600 /dev/null /tmp/boot.tar
<!-- -->
root@debian:~# tar -C /boot --acls --xattrs --one-file-system -cf /tmp/boot.tar .
<!-- -->
root@debian:~# umount /boot
(If `/boot` has sub-mountpoints, like `/boot/efi`, you'll need to
unmount them as well.)
3. Optionally, wipe out the underlying block device (assumed to be
`/dev/sda1` in the rest of this sub-section).
root@debian:~# dd if=/dev/urandom of=/dev/sda1 bs=1M status=none
dd: error writing '/dev/sda1': No space left on device
4. Format the underlying block device to LUKS1. (Note the `--type luks1`
in the command below, as Buster's [`cryptsetup`(8)] defaults to LUKS
version 2 for `luksFormat`.)
root@debian:~# cryptsetup luksFormat --type luks1 /dev/sda1
WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sda1:
Verify passphrase:
5. Add a corresponding entry to [`crypttab`(5)] with mapped device name
`boot_crypt`, and open it afterwards.
root@debian:~# uuid="$(blkid -o value -s UUID /dev/sda1)"
<!-- -->
root@debian:~# echo "boot_crypt UUID=$uuid none luks" | tee -a /etc/crypttab
<!-- -->
root@debian:~# cryptdisks_start boot_crypt
Starting crypto disk...boot_crypt (starting)...
Please unlock disk boot_crypt: ********
boot_crypt (started)...done.
6. Create a file system on the mapped device. Assuming source device for
`/boot` is specified by its UUID in the [`fstab`(5)] -- which the
Debian Installer does by default -- reusing the old UUID avoids
editing the file.
root@debian:~# grep /boot /etc/fstab
# /boot was on /dev/sda1 during installation
UUID=c104749f-a0fa-406c-9e9a-3fc01f8e2f78 /boot ext2 defaults 0 2
<!-- -->
root@debian:~# mkfs.ext2 -m0 -U c104749f-a0fa-406c-9e9a-3fc01f8e2f78 /dev/mapper/boot_crypt
mke2fs 1.44.5 (15-Dec-2018)
Creating filesystem with 246784 1k blocks and 61752 inodes
Filesystem UUID: c104749f-a0fa-406c-9e9a-3fc01f8e2f78
[…]
7. Finally, mount `/boot` again from [`fstab`(5)], and copy the saved
tarball to the new (and now encrypted) file system.
root@debian:~# mount -v /boot
mount: /dev/mapper/boot_crypt mounted on /boot.
<!-- -->
root@debian:~# tar -C /boot --acls --xattrs -xf /tmp/boot.tar
(If `/boot` had sub-mountpoints, like `/boot/efi`, you'll need to
mount them back as well.)
You can skip the next sub-section and go directly to [Enabling
`cryptomount` in GRUB2]. Note that `init`(1) needs to unlock the
`/boot` partition *again* during the boot process. See [Avoiding the
extra password prompt] for details and a proposed workaround. (You'll
need to substitute `/` resp. `sda5` with `/boot` resp. `sda1` in that
section, however only steps 1-3 are relevant here: no need to copy the
key file to the initramfs image since `/boot` can be unlocked and
mounted later during the boot process.)
Moving `/boot` to the root file system
--------------------------------------
The [previous sub-section][Formatting the existing `/boot` partition to LUKS1]
described how to to re-format the `/boot` partition as LUKS1.
Alternatively, it can be moved to the root file system, assuming the
latter is not held by any LUKS2 device. (As shown below, LUKS2 devices
created with default parameters can be “downgraded” to LUKS1.)
The advantage of this method is that the original `/boot` partition can
be preserved and used in case of *disaster recovery* (if for some reason
the GRUB image is lacking the `cryptodisk` module and the original
plaintext `/boot` partition is lost, you'd need to reboot into a live CD
to recover). Moreover increasing the number of partitions *increases
usage pattern visibility*: a separate `/boot` partition, even encrypted,
will likely leak the fact that a kernel update took place to an attacker
with access to both pre- and post-update snapshots.
On the other hand, the downside of that method is that the root file
system can't benefit from the nice LUKS2 improvements over LUKS1, some
of which were listed above. Another (minor) downside is that space
occupied by the former `/boot` partition (typically 256MiB) becomes
unused and can't easily be reclaimed by the root file system.
### Downgrading LUKS2 to LUKS1 ###
Check the LUKS format version on the root device (assumed to be
`/dev/sda5` in the rest of this sub-section):
root@debian:~# cryptsetup luksDump /dev/sda5 | grep -A1 "^LUKS"
LUKS header information
Version: 2
Here the LUKS format version is 2, so the device needs to be *converted*
to LUKS *version 1* to be able to unlock from GRUB. Unlike the rest of
this document, conversion can't be done on an open device, so you'll
need reboot into a live CD or an [initramfs shell]. (The `(initramfs)`
prompt strings in this sub-section indicates commands that are executed
from an initramfs shell.) Also, if you have valuable data in the root
partition, then *make sure you have a backup* (at least of the LUKS
header)!
[initramfs shell]: https://wiki.debian.org/InitramfsDebug#Rescue_shell_.28also_known_as_initramfs_shell.29
Run `cryptsetup convert --type luks1 DEVICE` to downgrade. However if
the device was created with the default parameters then in-place
conversion will fail:
(initramfs) cryptsetup convert --type luks1 /dev/sda5
WARNING!
========
This operation will convert /dev/sda5 to LUKS1 format.
Are you sure? (Type uppercase yes): YES
Cannot convert to LUKS1 format - keyslot 0 is not LUKS1 compatible.
This is because its first key slot uses Argon2 as Password-Based Key
Derivation Function (PBKDF) algorithm:
(initramfs) cryptsetup luksDump /dev/sda5 | grep "PBKDF:"
PBKDF: argon2i
Argon2 is a *memory-hard* function that was selected as the winner of
the Password-Hashing Competition; LUKS2 devices use it by default for
key slots, but LUKS1's only supported PBKDF algorithm is PBKDF2. Hence
the key slot has to be converted to PBKDF2 prior to LUKS format version
downgrade.
(initramfs) cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sda5
Enter passphrase for keyslot to be converted:
Now that all key slots use the PBKDF2 algorithm, the device shouldn't
have any LUKS2-only features left, and can be converted to LUKS1.
(initramfs) cryptsetup luksDump /dev/sda5 | grep "PBKDF:"
PBKDF: pbkdf2
<!-- -->
(initramfs) cryptsetup convert --type luks1 /dev/sda5
WARNING!
========
This operation will convert /dev/sda5 to LUKS1 format.
Are you sure? (Type uppercase yes): YES
<!-- -->
(initramfs) cryptsetup luksDump /dev/sda5 | grep -A1 "^LUKS"
LUKS header information
### Moving `/boot` to the root file system ###
(The moving operation can be done from the normal system. No need to
reboot into a live CD or an initramfs shell if the root file system
resides in a LUKS1 device.)
1. To ensure data is not modified while it's being copied, remount
`/boot` read-only.
root@debian:~# mount -oremount,ro /boot
2. Recursively copy the directory to the root file system, and replace
the old `/boot` mountpoint with the new directory.
<!-- -->
root@debian:~# cp -axT /boot /boot.tmp
<!-- -->
root@debian:~# umount /boot
<!-- -->
root@debian:~# rmdir /boot
<!-- -->
root@debian:~# mv -T /boot.tmp /boot
(If `/boot` has sub-mountpoints, like `/boot/efi`, you'll need to
unmount them first, and then remount them once `/boot` has been
moved to the root file system.)
3. Comment out the [`fstab`(5)] entry for the `/boot` mountpoint.
Otherwise at reboot `init`(1) will mount it and therefore shadow data
in the new `/boot` directory with data from the old plaintext
partition.
root@debian:~# grep /boot /etc/fstab
## /boot was on /dev/sda1 during installation
#UUID=c104749f-a0fa-406c-9e9a-3fc01f8e2f78 /boot ext2 defaults 0 2
Enabling `cryptomount` in GRUB2
===============================
Enable the feature and update the GRUB image:
root@debian:~# echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub
<!-- -->
root@debian:~# update-grub
<!-- -->
root@debian:~# grub-install /dev/sda
If everything went well, `/boot/grub/grub.cfg` should contain `insmod
cryptodisk` (and also `insmod lvm` if `/boot` is on a Logical Volume).
*Note*: The PBKDF parameters are determined via benchmark upon key slot
creation (or update). Thus they only makes sense if the environment in
which the LUKS device is open matches (same CPU, same RAM size, etc.)
the one in which it's been formatted. Unlocking from GRUB does count as
an environment mismatch, because GRUB operates under tighter memory
constraints and doesn't take advantage of all crypto-related CPU
instructions. Concretely, that means unlocking a LUKS device from GRUB
might take *a lot* longer than doing it from the normal system. Since
GRUB's LUKS implementation isn't able to benchmark, you'll need to do it
manually. It's easier for PBKDF2 as there is a single parameter to play
with (iteration count) — while Argon2 has two (iteration count and
memory) — and changing it affects the unlocking time linearly: for
instance halving the iteration count would speed up unlocking by a
factor of two. (And of course, making low entropy passphrases twice as
easy to brute-force. There is a trade-off to be made here. Balancing
convenience and security is the whole point of running PBKDF
benchmarks.)
root@debian:~# cryptsetup luksDump /dev/sda1 | grep -B1 "Iterations:"
Key Slot 0: ENABLED
Iterations: 1000000
<!-- -->
root@debian:~# cryptsetup luksChangeKey --pbkdf-force-iterations 500000 /dev/sda1
Enter passphrase to be changed:
Enter new passphrase:
Verify passphrase:
(You can reuse the existing passphrase in the above prompts. Replace
`/dev/sda1` with the LUKS1 volume holding `/boot`; in this document
that's `/dev/sda1` if `/boot` resides on a separated encrypted
partition, or `/dev/sda5` if `/boot` was moved to the root file system.)
*Note*: `cryptomount` lacks an option to specify the key slot index to
open. All active key slots are tried sequentially until a match is
found. Running the PBKDF algorithm is a slow operation, so to speed up
things you'll want the key slot to unlock at GRUB stage to be the first
active one. Run the following command to discover its index.
root@debian:~# cryptsetup luksOpen --test-passphrase --verbose /dev/sda5
Enter passphrase for /dev/sda5:
Key slot 0 unlocked.
Command successful.
Avoiding the extra password prompt
==================================
The device holding the kernel (and the initramfs image) is unlocked by
GRUB, but the root device needs to be *unlocked again* at initramfs
stage, regardless whether it's the same device or not. This is because
GRUB boots with the given `vmlinuz` and initramfs images, but there is
currently no way to securely pass cryptographic material (or Device
Mapper information) to the kernel. Hence the Device Mapper table is
initially empty at initramfs stage; in other words, all devices are
locked, and the root device needs to be unlocked again.
To avoid extra passphrase prompts at initramfs stage, a workaround is
to *unlock via key files stored into the initramfs image*. Since the
initramfs image now resides on an encrypted device, this still provides
protection for data at rest. After all for LUK1 the volume key can
already be found by userspace in the Device Mapper table, so one could
argue that including key files to the initramfs image -- created with
restrictive permissions -- doesn't change the threat model for LUKS1
devices. Please note however that for LUKS2 the volume key is normally
*offloaded to the kernel keyring* (hence no longer readable by
userspace), while key files lying on disk are of course readable by
userspace.
1. Generate the shared secret (here with 512 bits of entropy as it's also
the size of the volume key) inside a new file.
root@debian:~# mkdir -m0700 /etc/keys
<!-- -->
root@debian:~# ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/root.key conv=excl,fsync )
64+0 records in
64+0 records out
64 bytes copied, 0.000698363 s, 91.6 kB/s
2. Create a new key slot with that key file.
root@debian:~# cryptsetup luksAddKey /dev/sda5 /etc/keys/root.key
Enter any existing passphrase:
<!-- -->
root@debian:~# cryptsetup luksDump /dev/sda5 | grep "^Key Slot"
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
3. Edit the [`crypttab`(5)] and set the third column to the key file path
for the root device entry.
root@debian:~# cat /etc/crypttab
root_crypt UUID=… /etc/keys/root.key luks,discard,key-slot=1
The unlock logic normally runs the PBKDF algorithm through each key
slot sequentially until a match is found. Since the key file is
explicitly targeting the second key slot, its index is specified with
`key-slot=1` in the [`crypttab`(5)] to save useless expensive PBKDF
computations and *reduce boot time*.
4. In `/etc/cryptsetup-initramfs/conf-hook`, set `KEYFILE_PATTERN` to a
`glob`(7) expanding to the key path names to include to the initramfs
image.
root@debian:~# echo "KEYFILE_PATTERN=\"/etc/keys/*.key\"" >>/etc/cryptsetup-initramfs/conf-hook
5. In `/etc/initramfs-tools/initramfs.conf`, set `UMASK` to a restrictive
value to avoid leaking key material. See [`initramfs.conf`(5)] for
details.
root@debian:~# echo UMASK=0077 >>/etc/initramfs-tools/initramfs.conf
6. Finally re-generate the initramfs image, and double-check that it
1/ has restrictive permissions; and 2/ includes the key.
root@debian:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-4.19.0-4-amd64
<!-- -->
root@debian:~# stat -L -c "%A %n" /initrd.img
-rw------- /initrd.img
<!-- -->
root@debian:~# lsinitramfs /initrd.img | grep "^cryptroot/keyfiles/"
cryptroot/keyfiles/root_crypt.key
(`cryptsetup-initramfs` normalises and renames key files inside the
initramfs, hence the new file name.)
Should be safe to reboot now :-) If all went well you should see a
single passphrase prompt.
Using a custom keyboard layout
==============================
GRUB uses the US keyboard layout by default. Alternative layouts for
the LUKS passphrase prompts can't be loaded from `/boot` or the root
file system, as the underlying devices haven't been mapped yet at that
stage. If you require another layout to type in your passphrase, then
you'll need to manually generate the core image using
[`grub-mkimage`(1)]. A possible solution is to embed a memdisk
containing the keymap inside the core image.
1. Create a memdisk (in GNU tar format) with the desired keymap, for
instance dvorak's. (The XKB keyboard layout and variant passed to
`grub-kbdcomp`(1) are described in the [`setxkbmap`(1)] manual.)
root@debian:~# memdisk="$(mktemp --tmpdir --directory)"
<!-- -->
root@debian:~# grub-kbdcomp -o "$memdisk/keymap.gkb" us dvorak
<!-- -->
root@debian:~# tar -C "$memdisk" -cf /boot/grub/memdisk.tar .
2. Generate an early configuration file to embed inside the image.
root@debian:~# uuid="$(blkid -o value -s UUID /dev/sda1)"
<!-- -->
root@debian:~# cat >/etc/early-grub.cfg <<-EOF
terminal_input --append at_keyboard
keymap (memdisk)/keymap.gkb
cryptomount -u ${uuid//-/}
set root=(cryptouuid/${uuid//-/})
set prefix=/grub
configfile grub.cfg
EOF
*Note*: This is for the case of a separate `/boot` partition. If
`/boot` resides on the root file system, then replace `/dev/sda1`
with `/dev/sda5` (the LUKS device holding the root file system) and
set `prefix=/boot/grub`; if it's in a logical volume you'll also
[need to set][GRUB device syntax] `root=(lvm/DMNAME)`.
*Note*: You might need to remove the first line if you use a USB
keyboard, or tweak it if GRUB doesn't see any PC/AT keyboard among its
available terminal input devices. Start by specifing `terminal_input`
in an interactive GRUB shell in order to determine the suitable input
device. (Choosing an incorrect device might prevent unlocking if no
input can be be entered.)
3. Finally, manually create and install the GRUB image. Don't use
`grub-install`(1) here, as we need to pass an early configuration
and a ramdisk. Instead, use [`grub-mkimage`(1)] with suitable image
file name, format, and module list.
root@debian:~# grub-mkimage \
-c /etc/early-grub.cfg -m /boot/grub/memdisk.tar \
-o "$IMAGE" -O "$FORMAT" \
diskfilter cryptodisk luks gcry_rijndael gcry_sha256 \
memdisk tar keylayouts configfile \
at_keyboard usb_keyboard uhci ehci \
ahci part_msdos part_gpt lvm ext2
(Replace with `ahci` with a suitable module if the drive holding
`/boot` isn't a SATA drive supporting AHCI. Also, replace `ext2`
with a file system driver suitable for `/boot` if the file system
isn't ext2, ext3 or ext4.)
The value of `IMAGE` and `FORMAT` depend on whether GRUB is in EFI
or BIOS mode.
a. For EFI mode: `IMAGE="/boot/efi/EFI/debian/grubx64.efi"` and
`FORMAT="x86_64-efi"`.
b. For BIOS mode: `IMAGE="/boot/grub/i386-pc/core.img"`,
`FORMAT="i386-pc"` and set up the image as follows:
root@debian:~# grub-bios-setup -d /boot/grub/i386-pc /dev/sda
You can now delete the memdisk and the early GRUB configuration
file, but note that subquent runs of `grub-install`(1) will override
these changes.
[`cryptsetup`(8)]: https://manpages.debian.org/cryptsetup.8.en.html
[`crypttab`(5)]: https://manpages.debian.org/crypttab.5.en.html
[`fstab`(5)]: https://manpages.debian.org/fstab.5.en.html
[`initramfs.conf`(5)]: https://manpages.debian.org/initramfs.conf.5.en.html
[`grub-mkimage`(1)]: https://manpages.debian.org/grub-mkimage.1.en.html
[`setxkbmap`(1)]: https://manpages.debian.org/setxkbmap.1.en.html
[GRUB device syntax]: https://www.gnu.org/software/grub/manual/grub/grub.html#Device-syntax
-- Guilhem Moulin <guilhem@debian.org>, Sun, 09 Jun 2019 16:35:20 +0200

24
debian/doc/pandoc/index.md vendored Normal file
View file

@ -0,0 +1,24 @@
Cryptsetup for Debian
=====================
The main documentation:
* [Debian Cryptsetup README](README.Debian.html)
* [Debian Cryptsetup Debugging README](README.debug.html)
* [Cryptsetup Initramfs intregration README](README.initramfs.html)
Detailed documentation of specific setups:
* [Debian encrypted boot documentation](encrypted-boot.html)
Documentation of some particular keyscripts:
* [Cryptsetup GnuPG keyscript README](README.gnupg.html)
* [Cryptsetup GnuPG smartcard keyscript README](README.gnupg-sc.html)
* [Cryptsetup keyctl keyscript README](README.keyctl.html)
* [Cryptsetup smartcard keyscript README](README.opensc.html)
**Please note**: Some of the documentation might be outdated. We
recommend to look at the date of the page footer. It gives an idea
about when the docs last got written and/or updated.

77
debian/doc/pandoc/pandoc.css vendored Normal file
View file

@ -0,0 +1,77 @@
body {
margin: auto;
padding-right: 1em;
padding-left: 1em;
margin-left: 2em;
border-left: 1px solid black;
color: black;
font-size: 100%;
line-height: 140%;
color: #333;
}
pre {
border: 1px dotted gray;
background-color: #ececec;
color: #1111111;
padding: 0.5em;
line-height: 1.42857143;
tab-size: 4;
-moz-tab-size: 4;
}
code {
font-family: monospace;
}
h1 a, h2 a, h3 a, h4 a, h5 a {
text-decoration: none;
color: #7a5ada;
}
h1, h2, h3, h4, h5 {
font-family: sans-serif;
font-weight: bold;
text-decoration: underline;
color: #7a5ada;
}
h1 {
font-size: 130%;
}
h2 {
font-size: 110%;
}
h3 {
font-size: 95%;
}
h4 {
font-size: 90%;
font-style: italic;
}
h5 {
font-size: 90%;
font-style: italic;
}
h1.title {
font-size: 200%;
font-weight: bold;
padding-top: 0.2em;
padding-bottom: 0.2em;
text-align: left;
border: none;
}
dt code {
font-weight: bold;
}
dd p {
margin-top: 0;
}
#TOC {
float: right;
width: 40%;
background: #eee;
font-size: 0.8em;
padding: 1em 2em;
margin: 0.0 0.5em 0.5em;
}

16
debian/doc/variables.xml.in vendored Normal file
View file

@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
<refentry>
<refmeta>
<refmiscinfo class="version">VERSION</refmiscinfo>
<refmiscinfo class="source">cryptsetup</refmiscinfo>
<refmiscinfo class="manual">cryptsetup manual</refmiscinfo>
</refmeta>
<refentryinfo>
<date>DATE</date>
</refentryinfo>
</refentry>

706
debian/functions vendored Normal file
View file

@ -0,0 +1,706 @@
if [ "${0#/usr/share/initramfs-tools/hooks/}" != "$0" ] ||
[ "${0#/etc/initramfs-tools/hooks/}" != "$0" ]; then
# called from an initramfs-tools hook script
TABFILE="$DESTDIR/cryptroot/crypttab"
elif [ "${0#/scripts/}" != "$0" ]; then
# called at initramfs stage from a boot script
TABFILE="/cryptroot/crypttab"
CRYPTROOT_COUNT_FILE="/run/cryptroot.initrd.cnt"
else
TABFILE="${TABFILE-/etc/crypttab}"
fi
export DM_DEFAULT_NAME_MANGLING_MODE=hex # for dmsetup(8)
# Logging helpers. Send the argument list to plymouth(1), or fold it
# and print it to the standard error.
cryptsetup_message() {
local IFS=' '
if [ "${0#/scripts/}" != "$0" ] && [ -x /bin/plymouth ] && plymouth --ping; then
plymouth message --text="cryptsetup: $*"
elif [ ${#*} -lt 70 ]; then
echo "cryptsetup: $*" >&2
else
# use busybox's fold(1) and sed(1) at initramfs stage
echo "cryptsetup: $*" | fold -s | sed '1! s/^/ /' >&2
fi
return 0
}
# crypttab_parse_options([--export], [--quiet], [--missing-path={ignore|warn|fail}])
# Parse $_CRYPTTAB_OPTIONS, a comma-separated option string from the
# crypttab(5) 4th column, and sets corresponding variables
# CRYPTTAB_OPTION_<option>=<value> (which are added to the environment
# if --export is set). If --path-exists isn't set to "ignore" (the
# default), then options taking a file name, such as header=<path>,
# need to point to an existing path, otherwise a warning is printed;
# and an error is raised if the value is set to "fail".
# For error and warning messages, CRYPTTAB_NAME, (resp. CRYPTTAB_KEY)
# should be set to the (unmangled) mapped device name (resp. key
# file).
# Moreover CRYPTTAB_TYPE is set the device type.
# Return 1 on parsing error, 0 otherwise (incl. if unknown options
# were encountered).
crypttab_parse_options() {
local quiet="n" export="n" missing_path="ignore"
while [ $# -gt 0 ]; do
case "$1" in
--quiet) quiet="y";;
--export) export="y";;
--missing-path=*) missing_path="${1#--missing-path=}";;
*) cryptsetup_message "WARNING: crypttab_parse_options(): unknown option $1"
esac
shift
done
local IFS=',' x OPTION VALUE
CRYPTTAB_TYPE=""
unset -v CRYPTTAB_OPTION_cipher \
CRYPTTAB_OPTION_size \
CRYPTTAB_OPTION_sector_size \
CRYPTTAB_OPTION_hash \
CRYPTTAB_OPTION_offset \
CRYPTTAB_OPTION_skip \
CRYPTTAB_OPTION_verify \
CRYPTTAB_OPTION_readonly \
CRYPTTAB_OPTION_discard \
CRYPTTAB_OPTION_plain \
CRYPTTAB_OPTION_luks \
CRYPTTAB_OPTION_tcrypt \
CRYPTTAB_OPTION_veracrypt \
CRYPTTAB_OPTION_bitlk \
CRYPTTAB_OPTION_fvault2 \
CRYPTTAB_OPTION_swap \
CRYPTTAB_OPTION_tmp \
CRYPTTAB_OPTION_check \
CRYPTTAB_OPTION_checkargs \
CRYPTTAB_OPTION_tries \
CRYPTTAB_OPTION_initramfs \
CRYPTTAB_OPTION_noearly \
CRYPTTAB_OPTION_noauto \
CRYPTTAB_OPTION_loud \
CRYPTTAB_OPTION_quiet \
CRYPTTAB_OPTION_keyscript \
CRYPTTAB_OPTION_keyslot \
CRYPTTAB_OPTION_header \
CRYPTTAB_OPTION_tcrypthidden \
CRYPTTAB_OPTION_same_cpu_crypt \
CRYPTTAB_OPTION_submit_from_crypt_cpus \
CRYPTTAB_OPTION_no_read_workqueue \
CRYPTTAB_OPTION_no_write_workqueue
# use $_CRYPTTAB_OPTIONS not $CRYPTTAB_OPTIONS as options values may
# contain '\054' which is decoded to ',' in the latter
for x in $_CRYPTTAB_OPTIONS; do
OPTION="${x%%=*}"
VALUE="${x#*=}"
if [ "$x" = "$OPTION" ]; then
unset -v VALUE
else
VALUE="$(printf '%b' "$VALUE")"
fi
if ! crypttab_validate_option; then
if [ "$quiet" = "n" ]; then
cryptsetup_message "ERROR: $CRYPTTAB_NAME: invalid value for '${x%%=*}' option, skipping"
fi
return 1
elif [ -z "${OPTION+x}" ]; then
continue
fi
if [ "$export" = "y" ]; then
export "CRYPTTAB_OPTION_$OPTION"="${VALUE-yes}"
else
eval "CRYPTTAB_OPTION_$OPTION"='${VALUE-yes}'
fi
done
IFS=" "
if ! _get_crypt_type; then # set CRYPTTAB_TYPE to the type of crypt device
CRYPTTAB_TYPE="plain"
if [ "$quiet" = "n" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: couldn't determine device type," \
"assuming default ($CRYPTTAB_TYPE)."
fi
fi
if [ "$quiet" = "n" ] && [ -n "${CRYPTTAB_OPTION_header+x}" ] && [ "$CRYPTTAB_TYPE" != "luks" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: Headers are only supported for LUKS devices."
fi
if [ "$CRYPTTAB_TYPE" = "plain" ]; then
# the compiled-in default for these are subject to change
options='cipher size'
if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
options="$options hash" # --hash is being ignored in plain mode with keyfile specified
fi
for o in $options; do
if [ "$quiet" = "n" ] && eval [ -z "\${CRYPTTAB_OPTION_$o+x}" ]; then
cryptsetup_message "WARNING: Option '$o' missing in crypttab for plain dm-crypt" \
"mapping $CRYPTTAB_NAME. Please read /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz and" \
"add the correct '$o' option to your crypttab(5)."
fi
done
fi
}
# crypttab_validate_option()
# Validate $OPTION=$VALUE (or flag $OPTION if VALUE is unset). return
# 1 on error, unsets OPTION for unknown or useless options.
crypttab_validate_option() {
# option aliases
case "$OPTION" in
read-only) OPTION="readonly";;
key-slot) OPTION="keyslot";;
tcrypt-hidden) OPTION="tcrypthidden";;
tcrypt-veracrypt) OPTION="veracrypt";;
esac
# sanitize the option name so CRYPTTAB_OPTION_$OPTION is a valid variable name
local o="$OPTION"
case "$o" in
keyfile-offset) OPTION="keyfile_offset";;
keyfile-size) OPTION="keyfile_size";;
sector-size) OPTION="sector_size";;
same-cpu-crypt) OPTION="same_cpu_crypt";;
submit-from-crypt-cpus) OPTION="submit_from_crypt_cpus";;
no-read-workqueue) OPTION="no_read_workqueue";;
no-write-workqueue) OPTION="no_write_workqueue";;
esac
case "$o" in
# value must be a non-empty string
cipher|hash)
[ -n "${VALUE:+x}" ] || return 1
;;
# value must be a non-empty string, and an existing path if --missing-path is set
header)
[ -n "${VALUE:+x}" ] || return 1
if [ "$missing_path" != "ignore" ]; then
if [ ! -e "$VALUE" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: $VALUE does not exist";
[ "$missing_path" = "warn" ] || return 1
fi
fi
;;
# numeric options >0
size|keyfile-size|sector-size)
if ! printf '%s' "${VALUE-}" | grep -Exq "0*[1-9][0-9]*"; then
return 1
fi
;;
# numeric options >=0
offset|skip|tries|keyslot|keyfile-offset)
if ! printf '%s' "${VALUE-}" | grep -Exq "[0-9]+"; then
return 1
fi
;;
tmp)
if [ -z "${VALUE+x}" ]; then
VALUE="ext4" # 'tmp flag'
elif [ -z "$VALUE" ]; then
return 1
fi
;;
check)
if [ -z "${VALUE+x}" ]; then
if [ -n "${CRYPTDISKS_CHECK-}" ]; then
VALUE="$CRYPTDISKS_CHECK"
else
unset -v OPTION
return 0
fi
fi
if [ "${VALUE#/}" = "$VALUE" ]; then
VALUE="/lib/cryptsetup/checks/$VALUE"
fi
if [ ! -x "$VALUE" ] || [ ! -f "$VALUE" ]; then
return 1
fi
;;
checkargs)
[ -n "${VALUE+x}" ] || return 1 # must have a value (possibly empty)
;;
keyscript)
[ -n "${VALUE:+x}" ] || return 1 # must have a value
if [ "${VALUE#/}" = "$VALUE" ]; then
VALUE="/lib/cryptsetup/scripts/$VALUE"
fi
if [ ! -x "$VALUE" ] || [ ! -f "$VALUE" ]; then
return 1
fi
;;
# and now the flags
verify) ;;
loud) ;;
quiet) ;;
initramfs) ;;
noearly) ;;
noauto) ;;
readonly) ;;
discard) ;;
plain) ;;
luks) ;;
swap) ;;
tcrypt) ;;
veracrypt) ;;
tcrypthidden) ;;
bitlk) ;;
fvault2) ;;
same-cpu-crypt) ;;
submit-from-crypt-cpus) ;;
no-read-workqueue) ;;
no-write-workqueue) ;;
x-initrd.attach)
unset -v OPTION ;; # ignored, cf. #1072058
*)
if [ "${quiet:-n}" = "n" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: ignoring unknown option '$o'";
fi
unset -v OPTION
;;
esac
}
# crypttab_resolve_source()
# Resolve the CRYPTTAB_SOURCE variable, containing value of the second
# field of a crypttab(5)-like file.
# On error (non-existing source), CRYPTTAB_SOURCE is not changed and 1
# is returned.
crypttab_resolve_source() {
# return immediately if source is a regular file
[ ! -f "$CRYPTTAB_SOURCE" ] || return 0
# otherwise resolve the block device specification
local dev="$CRYPTTAB_SOURCE"
dev="$(_resolve_device_spec "$dev")" && CRYPTTAB_SOURCE="$dev" || return 1
}
# run_keyscript($tried_count)
# exec()'ute `$CRYPTTAB_OPTION_keyscript "$CRYPTTAB_KEY"`.
# If $CRYPTTAB_OPTION_keyscript is unset or null and $CRYPTTAB_KEY is
# "none" (meaning the passphrase is to be read interactively from the
# console), then use `/lib/cryptsetup/askpass` as keyscript with a
# suitable prompt message instead.
# Since the shell process is replaced with the $CRYPTTAB_OPTION_keyscript
# program, run_keyscript() must be used on the left-hand side of a
# pipe, or similar.
run_keyscript() {
local keyscript keyscriptarg="$CRYPTTAB_KEY"
export CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_OPTIONS
export _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_OPTIONS
export CRYPTTAB_TRIED="$1"
if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] && \
[ "$CRYPTTAB_OPTION_keyscript" != "/lib/cryptsetup/askpass" ]; then
# 'keyscript' option is present: export its argument as $CRYPTTAB_KEY
export CRYPTTAB_KEY _CRYPTTAB_KEY
keyscript="$CRYPTTAB_OPTION_keyscript"
elif [ "$keyscriptarg" = "none" ]; then
# don't export the prompt message as CRYPTTAB_KEY
keyscript="/lib/cryptsetup/askpass"
keyscriptarg="Please unlock disk $CRYPTTAB_NAME: "
fi
exec "$keyscript" "$keyscriptarg"
}
# _get_crypt_type()
# Set CRYPTTAB_TYPE to the mapping type, depending on its
# $CRYPTTAB_OPTION_<option> values
# Return a non-zero status if the mapping couldn't be determined
_get_crypt_type() {
local s="$CRYPTTAB_SOURCE" t="" blk_t
if [ "${CRYPTTAB_OPTION_luks-}" = "yes" ]; then
t="luks"
elif [ "${CRYPTTAB_OPTION_tcrypt-}" = "yes" ]; then
t="tcrypt"
elif [ "${CRYPTTAB_OPTION_plain-}" = "yes" ]; then
t="plain"
elif [ "${CRYPTTAB_OPTION_bitlk-}" = "yes" ]; then
t="bitlk"
elif [ "${CRYPTTAB_OPTION_fvault2-}" = "yes" ]; then
t="fvault2"
elif [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
# detached headers are only supported for LUKS devices
if [ -e "$CRYPTTAB_OPTION_header" ] && /sbin/cryptsetup isLuks -- "$CRYPTTAB_OPTION_header"; then
t="luks"
fi
elif [ -f "$s" ] || s="$(_resolve_device_spec "$CRYPTTAB_SOURCE")"; then
if /sbin/cryptsetup isLuks -- "$s"; then
t="luks"
elif blk_t="$(blkid -s TYPE -o value -- "$s")" && [ "$blk_t" = "BitLocker" ]; then
t="bitlk"
fi
fi
[ -n "$t" ] || return 1
CRYPTTAB_TYPE="$t"
}
# unlock_mapping([$keyfile])
# Run cryptsetup(8) with suitable options and arguments to unlock
# $CRYPTTAB_SOURCE and setup dm-crypt managed device-mapper mapping
# $CRYPTTAB_NAME.
unlock_mapping() {
local keyfile="${1:--}"
if [ "$CRYPTTAB_TYPE" = "luks" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
# ignored for LUKS and TCRYPT devices
unset -v CRYPTTAB_OPTION_cipher \
CRYPTTAB_OPTION_size \
CRYPTTAB_OPTION_hash \
CRYPTTAB_OPTION_offset \
CRYPTTAB_OPTION_skip
fi
if [ "$CRYPTTAB_TYPE" = "plain" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
unset -v CRYPTTAB_OPTION_keyfile_size
fi
if [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
# ignored for TCRYPT devices
unset -v CRYPTTAB_OPTION_keyfile_offset
else
# ignored for non-TCRYPT devices
unset -v CRYPTTAB_OPTION_veracrypt CRYPTTAB_OPTION_tcrypthidden
fi
if [ "$CRYPTTAB_TYPE" != "luks" ]; then
# ignored for non-LUKS devices
unset -v CRYPTTAB_OPTION_keyslot
fi
/sbin/cryptsetup -T1 \
${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \
${CRYPTTAB_OPTION_cipher:+--cipher="$CRYPTTAB_OPTION_cipher"} \
${CRYPTTAB_OPTION_size:+--key-size="$CRYPTTAB_OPTION_size"} \
${CRYPTTAB_OPTION_sector_size:+--sector-size="$CRYPTTAB_OPTION_sector_size"} \
${CRYPTTAB_OPTION_hash:+--hash="$CRYPTTAB_OPTION_hash"} \
${CRYPTTAB_OPTION_offset:+--offset="$CRYPTTAB_OPTION_offset"} \
${CRYPTTAB_OPTION_skip:+--skip="$CRYPTTAB_OPTION_skip"} \
${CRYPTTAB_OPTION_verify:+--verify-passphrase} \
${CRYPTTAB_OPTION_readonly:+--readonly} \
${CRYPTTAB_OPTION_discard:+--allow-discards} \
${CRYPTTAB_OPTION_veracrypt:+--veracrypt} \
${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \
${CRYPTTAB_OPTION_tcrypthidden:+--tcrypt-hidden} \
${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \
${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \
${CRYPTTAB_OPTION_same_cpu_crypt:+--perf-same_cpu_crypt} \
${CRYPTTAB_OPTION_submit_from_crypt_cpus:+--perf-submit_from_crypt_cpus} \
${CRYPTTAB_OPTION_no_read_workqueue:+--perf-no_read_workqueue} \
${CRYPTTAB_OPTION_no_write_workqueue:+--perf-no_write_workqueue} \
--type="$CRYPTTAB_TYPE" --key-file="$keyfile" \
open -- "$CRYPTTAB_SOURCE" "$CRYPTTAB_NAME"
}
# resume_mapping([$keyfile])
# Run cryptsetup(8) with suitable options and arguments to resume
# $CRYPTTAB_NAME.
resume_mapping() {
local keyfile="${1:--}"
/sbin/cryptsetup -T1 \
${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \
${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \
${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \
${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \
--type="$CRYPTTAB_TYPE" --key-file="$keyfile" \
luksResume "$CRYPTTAB_NAME"
}
# resume_device($device)
# Resume $device with endless retries. Used by cryptsetup-suspend-wrapper.
resume_device() {
local device="$1"
# check if device is really suspended
if [ "$(dmsetup info -c --noheadings -o suspended -- "$device" 2>/dev/null)" != "Suspended" ]; then
cryptsetup_message "ERROR: $device: device was not suspendend"
return 1
fi
if ! crypttab_find_entry "$device" || ! crypttab_parse_options --quiet; then
cryptsetup_message "ERROR: $device: not found in $TABFILE"
return 1
fi
if [ "$CRYPTTAB_TYPE" != "luks" ]; then
cryptsetup_message "ERROR: $CRYPTTAB_NAME: unable to resume non-LUKS device"
return 1
fi
# Loop endlessly until the resume command succeeded
while true; do
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
resume_mapping "$CRYPTTAB_KEY" && break || true
else
run_keyscript 1 | resume_mapping && break || true
fi
done
}
# crypttab_key_check()
# Sanity checks for keyfile $CRYPTTAB_KEY. CRYPTTAB_NAME and
# CRYPTTAB_OPTION_<option> must be set appropriately.
crypttab_key_check() {
if [ ! -f "$CRYPTTAB_KEY" ] && [ ! -b "$CRYPTTAB_KEY" ] && [ ! -c "$CRYPTTAB_KEY" ] ; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: keyfile '$CRYPTTAB_KEY' not found"
return 0
fi
if [ "$CRYPTTAB_KEY" = "/dev/random" ] || [ "$CRYPTTAB_KEY" = "/dev/urandom" ]; then
if [ -n "${CRYPTTAB_OPTION_luks+x}" ] || [ -n "${CRYPTTAB_OPTION_tcrypt+x}" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: has random data as key"
return 1
else
return 0
fi
fi
local mode="$(stat -L -c"%04a" -- "$CRYPTTAB_KEY")"
if [ $(stat -L -c"%u" -- "$CRYPTTAB_KEY") -ne 0 ] || [ "${mode%00}" = "$mode" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: key file $CRYPTTAB_KEY has" \
"insecure ownership, see /usr/share/doc/cryptsetup/README.Debian.gz."
fi
}
# _resolve_device_spec($spec)
# Resolve LABEL=<label>, UUID=<uuid>, PARTUUID=<partuuid> and
# PARTLABEL=<partlabel> to a block special device. If $spec is
# already a (link to a block special device) then it is echoed as is.
# Return 1 if $spec doesn't correspond to a block special device.
_resolve_device_spec() {
local spec="$1"
case "$spec" in
UUID=*|LABEL=*|PARTUUID=*|PARTLABEL=*)
# don't use /dev/disk/by-label/... to avoid gessing udev mangling
spec="$(blkid -l -t "$spec" -o device)" || spec=
;;
esac
[ -b "$spec" ] && printf '%s\n' "$spec" || return 1
}
# dm_blkdevname($name)
# Print the mapped device name, or return 1 if the the device doesn't exist.
dm_blkdevname() {
local name="$1" dev
# /dev/mapper/$name isn't reliable due to udev mangling
if dev="$(dmsetup info -c --noheadings -o blkdevname -- "$name" 2>/dev/null)" &&
[ -n "$dev" ] && [ -b "/dev/$dev" ]; then
echo "/dev/$dev"
return 0
else
return 1
fi
}
# crypttab_find_entry([--quiet], $target)
# Search in the crypttab(5) for the given $target, and sets the
# variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY and
# CRYPTTAB_OPTIONS accordingly. (In addition _CRYPTTAB_NAME,
# _CRYPTTAB_SOURCE, _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the
# unmangled values before decoding the escape sequence.) If there are
# duplicates then only the first match is considered.
# Return 0 if a match is found, and 1 otherwise.
crypttab_find_entry() {
local target="$1" quiet="n" IFS
if [ "$target" = "--quiet" ] && [ $# -eq 2 ]; then
quiet="y"
target="$2"
fi
if [ -f "$TABFILE" ]; then
while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS; do
if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] || [ -z "$_CRYPTTAB_NAME" ]; then
# ignore comments and empty lines
continue
fi
# unmangle names
CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")"
if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then
cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)"
continue
elif [ "$CRYPTTAB_NAME" = "$target" ]; then
CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )"
CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )"
CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")"
return 0
fi
done <"$TABFILE"
fi
if [ "$quiet" = "n" ]; then
cryptsetup_message "WARNING: target '$target' not found in $TABFILE"
fi
return 1
}
# crypttab_foreach_entry($callback)
# Iterate through the crypttab(5) and run the given $callback for each
# entry found. Variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY
# and CRYPTTAB_OPTIONS are set accordingly and available to the
# $callback. (In addition _CRYPTTAB_NAME, _CRYPTTAB_SOURCE,
# _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the original values
# before decoding the escape sequence.)
# Return 0 if a match is found, and 1 otherwise.
crypttab_foreach_entry() {
local callback="$1" IFS
local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS \
CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS
[ -f "$TABFILE" ] || return
while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS <&9; do
if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] || [ -z "$_CRYPTTAB_NAME" ]; then
# ignore comments and empty lines
continue
fi
# unmangle names
CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")"
if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then
cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)"
continue
fi
CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )"
CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )"
CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")"
"$callback" 9<&-
done 9<"$TABFILE"
}
# _device_uuid($device)
# Print the UUID attribute of given block special $device. Return 0
# on success, 1 on error.
_device_uuid() {
local device="$1" uuid
if uuid="$(blkid -s UUID -o value -- "$device")" && [ -n "$uuid" ]; then
printf '%s\n' "$uuid"
else
return 1
fi
}
# _resolve_device({$device | $spec})
# Take a path to (or spec for) a block special device, and set DEV to
# the (symlink to block) device, and MAJ (resp. MIN) to its major-ID
# (resp. minor ID) decimal value. On error these variables are not
# changed and 1 is returned.
_resolve_device() {
local spec="$1" dev devno maj min
if dev="$(_resolve_device_spec "$spec")" &&
devno="$(stat -L -c"%t:%T" -- "$dev" 2>/dev/null)" &&
maj="${devno%:*}" && min="${devno#*:}" &&
[ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
maj=$(( 0x$maj )) && min=$(( 0x$min )) && [ $maj -gt 0 ]; then
DEV="$dev"
MAJ="$maj"
MIN="$min"
return 0
else
cryptsetup_message "ERROR: Couldn't resolve device $spec"
fi
return 1
}
# get_mnt_devno($mountpoint)
# Print the major:minor device ID(s) holding the file system currently
# mounted currenty mounted on $mountpoint.
# Return 0 on success, 1 on error (if $mountpoint is not a mountpoint).
get_mnt_devno() {
local wantmount="$1" devnos="" uuid dev
local out spec fstype DEV MAJ MIN
# use awk rather than a `while read; do done` loop here as /proc/mounts
# can be many thousands lines long and the `read` builtin goes one
# byte at the time which slows down execution time, see MR !36
out="$(awk -v mp="$wantmount" -- '
BEGIN {
FS = "[ \t]"
ret = ""
}
!/^\s*(#|$)/ {
# decode octal sequences; per procfs(5) the format of /proc/mounts
# is analogous to fstab(5)
head = ""
while (match($2, /\\[0-7]{3}/)) {
oct = substr($2, RSTART+1, RLENGTH-1)
dec = (substr(oct, 1, 1) * 8 + substr(oct, 2, 1)) * 8 + substr(oct, 3, 1)
head = head substr($2, 1, RSTART-1) sprintf("%c", dec)
$2 = substr($2, RSTART+RLENGTH)
}
if (head $2 == mp) {
# take the last mountpoint if used several times (shadowed)
ret = $1 " " $3
}
}
END {
print ret
}' </proc/mounts)" || out=""
spec="$(printf '%b' "${out% *}")"
if [ -n "$out" ] && _resolve_device "$spec"; then # _resolve_device() already warns on error
fstype="${out##* }"
if [ "$fstype" = "btrfs" ]; then
# btrfs can span over multiple devices
if uuid="$(_device_uuid "$DEV")"; then
for dev in "/sys/fs/$fstype/$uuid/devices"/*/dev; do
devnos="${devnos:+$devnos }$(cat "$dev")"
done
else
cryptsetup_message "ERROR: $spec: Couldn't determine UUID"
fi
elif [ -n "$fstype" ]; then
devnos="$MAJ:$MIN"
fi
fi
if [ -z "${devnos:+x}" ]; then
return 1 # not found
else
printf '%s' "$devnos"
fi
}
# foreach_cryptdev([--reverse], $callback, $maj:$min, [$maj:$min ..])
# Run $callback on the (unmangled) name of each dm-crypt device
# recursively holding $maj:$min (typically corresponding to an md,
# linear, or dm-crypt device). Slaves that aren't dm-crypt devices
# are ignored.
# By default each device is processed after its *slaves*. If
# --reverse is set then each device is processed after its *holders*
# instead.
foreach_cryptdev() {
local callback="$1" reverse="n" devno base
shift
if [ "$callback" = "--reverse" ]; then
reverse="y"
callback="$1"
shift
fi
for devno in "$@"; do
base="/sys/dev/block/$devno"
if [ ! -d "$base" ]; then
cryptsetup_message "ERROR: Couldn't find sysfs directory for $devno"
return 1
fi
_foreach_cryptdev "$base"
done
}
_foreach_cryptdev() {
local d="$1" devno maj min name t d2
[ "$reverse" = "y" ] && t="holders" || t="slaves"
[ -d "$d/$t" ] || return 0
for d2 in "$d/$t"/*; do
if [ -d "$d2" ] && d2="$(realpath -e -- "$d2")"; then
_foreach_cryptdev "$d2"
fi
done
if [ -d "$d/dm" ] && devno="$(cat "$d/dev")" &&
maj="${devno%:*}" && min="${devno#*:}" &&
[ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
[ "$(dmsetup info -c --noheadings -o subsystem -j "$maj" -m "$min")" = "CRYPT" ] &&
name="$(dmsetup info -c --noheadings -o unmangled_name -j "$maj" -m "$min")"; then
"$callback" "$name"
fi
}
# vim: set filetype=sh :

11
debian/gbp.conf vendored Normal file
View file

@ -0,0 +1,11 @@
[DEFAULT]
debian-branch = debian/latest
upstream-branch = upstream/latest
compression = gzip
pristine-tar = False
[import-orig]
upstream-vcs-tag = v%(version)s
[pq]
patch-numbers = False

44
debian/initramfs/conf-hook vendored Normal file
View file

@ -0,0 +1,44 @@
#
# Configuration file for the cryptroot initramfs hook.
#
#
# KEYFILE_PATTERN: ...
#
# The value of this variable is interpreted as a shell pattern.
# Matching key files from the crypttab(5) are included in the initramfs
# image. The associated devices can then be unlocked without manual
# intervention. (For instance if /etc/crypttab lists two key files
# /etc/keys/{root,swap}.key, you can set KEYFILE_PATTERN="/etc/keys/*.key"
# to add them to the initrd.)
#
# If KEYFILE_PATTERN if null or unset (default) then no key file is
# copied to the initramfs image.
#
# Note that the glob(7) is not expanded for crypttab(5) entries with a
# 'keyscript=' option. In that case, the field is not treated as a file
# name but given as argument to the keyscript.
#
# WARNING:
# * If the initramfs image is to include private key material, you'll
# want to create it with a restrictive umask in order to keep
# non-privileged users at bay. For instance, set UMASK=0077 in
# /etc/initramfs-tools/initramfs.conf
# * If you use cryptsetup-suspend, private key material inside the
# initramfs will be in memory during suspend period, defeating the
# purpose of cryptsetup-suspend.
#
#KEYFILE_PATTERN=
#
# ASKPASS: [ y | n ]
#
# Whether to include the askpass binary to the initramfs image. askpass
# is required for interactive passphrase prompts, and ASKPASS=y (the
# default) is implied when the hook detects that same device needs to be
# unlocked interactively (i.e., not via keyfile nor keyscript) at
# initramfs stage. Setting ASKPASS=n also skips `cryptroot-unlock`
# inclusion as it requires the askpass executable.
#ASKPASS=y

9
debian/initramfs/conf-hooks.d/cryptsetup vendored Normal file
View file

@ -0,0 +1,9 @@
# This will setup non-us keyboards in early userspace,
# necessary for punching in passphrases.
KEYMAP=y
# force busybox on initramfs
BUSYBOX=y
# and for systems using plymouth instead, use the new option
FRAMEBUFFER=y

196
debian/initramfs/cryptroot-unlock vendored Normal file
View file

@ -0,0 +1,196 @@
#!/bin/busybox ash
# Remotely unlock encrypted volumes.
#
# Copyright © 2015-2018 Guilhem Moulin <guilhem@debian.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
set -ue
PATH=/sbin:/bin
TIMEOUT=10
PASSFIFO=/lib/cryptsetup/passfifo
ASKPASS=/lib/cryptsetup/askpass
UNLOCK_ALL=n
[ -f /lib/cryptsetup/functions ] || return 0
. /lib/cryptsetup/functions
TABFILE="/cryptroot/crypttab"
unset -v IFS
if [ ! -f "$TABFILE" ] || [ "$TABFILE" -ot "/proc/1" ]; then
# Too early, init-top/cryptroot hasn't finished yet
echo "Try again later" >&2
exit 1
fi
# Print the list of PIDs the executed command of which is $exe.
pgrep_exe() {
local exe pid
exe="$(readlink -f -- "$1" 2>/dev/null)" && [ -f "$exe" ] || return 0
ps -eo pid= | while read pid; do
[ "$(readlink -f "/proc/$pid/exe")" != "$exe" ] || printf '%d\n' "$pid"
done
}
# Return 0 if $pid has a file descriptor pointing to $name, and 1
# otherwise.
in_fds() {
local pid="$1" name fd
name="$(readlink -f -- "$2" 2>/dev/null)" && [ -e "$name" ] || return 1
for fd in $(find "/proc/$pid/fd" -type l); do
[ "$(readlink -f "$fd")" != "$name" ] || return 0
done
return 1
}
# Print the PID of the askpass process with a file descriptor opened to
# /lib/cryptsetup/passfifo.
get_askpass_pid() {
local pid
for pid in $(pgrep_exe "$ASKPASS"); do
if in_fds "$pid" "$PASSFIFO"; then
echo "$pid"
return 0
fi
done
return 1
}
# Print the number of configured crypt devices that have not been unlocked yet.
count_locked_devices() {
local COUNT=0
crypttab_foreach_entry count_locked_devices_callback
printf '%d\n' "$COUNT"
}
count_locked_devices_callback() {
dm_blkdevname "$CRYPTTAB_NAME" >/dev/null || COUNT=$(( $COUNT + 1 ))
}
# Wait for askpass, then set $PID (resp. $BIRTH) to the PID (resp.
# birth date) of the cryptsetup process with same $CRYPTTAB_NAME.
wait_for_prompt() {
local pid timer num_locked_devices=-1 n
# wait for the fifo
while :; do
n=$(count_locked_devices)
if [ $n -eq 0 ]; then
# all configured devices have been unlocked, we're done
exit 0
elif [ $num_locked_devices -lt 0 ] || [ $n -lt $num_locked_devices ]; then
# reset $timer if a device was unlocked (for instance using
# a keyscript) while we were waiting
timer=$(( 10 * $TIMEOUT ))
fi
num_locked_devices=$n
if pid=$(get_askpass_pid) && [ -p "$PASSFIFO" ]; then
break
fi
usleep 100000
timer=$(( $timer - 1 ))
if [ $timer -le 0 ]; then
echo "Error: Timeout reached while waiting for askpass." >&2
exit 1
fi
done
# find the cryptsetup process with same $CRYPTTAB_NAME
local o v
for o in NAME TRIED OPTION_tries; do
if v="$(grep -z -m1 "^CRYPTTAB_$o=" "/proc/$pid/environ")"; then
eval "CRYPTTAB_$o"="\${v#CRYPTTAB_$o=}"
else
eval unset -v "CRYPTTAB_$o"
fi
done
if [ -z "${CRYPTTAB_NAME:+x}" ] || [ -z "${CRYPTTAB_TRIED:+x}" ]; then
return 1
fi
if ( ! crypttab_find_entry --quiet "$CRYPTTAB_NAME" ); then
# use a subshell to avoid polluting our enironment
echo "Error: Refusing to process unknown device $CRYPTTAB_NAME" >&2
exit 1
fi
for pid in $(pgrep_exe "/sbin/cryptsetup"); do
if grep -Fxqz "CRYPTTAB_NAME=$CRYPTTAB_NAME" "/proc/$pid/environ"; then
PID=$pid
BIRTH=$(stat -c"%Z" "/proc/$PID" 2>/dev/null) || break
return 0
fi
done
PID=
BIRTH=
return 1
}
# Wait until $PID no longer exists or has a birth date greater that
# $BIRTH (ie was reallocated). Then return with exit value 0 if
# /dev/mapper/$CRYPTTAB_NAME exists, and with exit value 1 if the
# maximum number of tries exceeded. Otherwise (if the unlocking
# failed), return with value 1.
wait_for_answer() {
local timer=$(( 10 * $TIMEOUT )) b
while [ -d "/proc/$PID" ] && b=$(stat -c"%Z" "/proc/$PID" 2>/dev/null) && [ $b -le $BIRTH ]; do
usleep 100000
timer=$(( $timer - 1 ))
if [ $timer -le 0 ]; then
echo "Error: Timeout reached while waiting for PID $PID." >&2
exit 1
fi
done
if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
echo "cryptsetup: $CRYPTTAB_NAME set up successfully" >&2
[ "$UNLOCK_ALL" = y ] && return 0 || exit 0
elif [ $(( ${CRYPTTAB_TRIED:-0} + 1 )) -ge ${CRYPTTAB_OPTION_tries:-3} ] &&
[ ${CRYPTTAB_OPTION_tries:-3} -gt 0 ]; then
echo "cryptsetup: maximum number of tries exceeded for $CRYPTTAB_NAME" >&2
exit 1
else
echo "cryptsetup: cryptsetup failed, bad password or options?" >&2
return 1
fi
}
if [ -t 0 ] && [ -x "$ASKPASS" ]; then
# interactive mode on a TTY: keep trying until all configured devices have
# been unlocked or the maximum number of tries exceeded
UNLOCK_ALL=y
while :; do
# note: if the script is not killed before pivot_root it should
# exit on its own once $TIMEOUT is reached
if ! wait_for_prompt; then
usleep 100000
continue
fi
read -rs -p "Please unlock disk $CRYPTTAB_NAME: "; echo
printf '%s' "$REPLY" >"$PASSFIFO"
wait_for_answer || true
done
else
# non-interactive mode: slurp the passphrase from stdin and exit
wait_for_prompt || exit 1
echo "Please unlock disk $CRYPTTAB_NAME"
cat >"$PASSFIFO"
wait_for_answer || exit 1
fi
# vim: set filetype=sh :

46
debian/initramfs/hooks/cryptgnupg vendored Normal file
View file

@ -0,0 +1,46 @@
#!/bin/sh
set -e
PREREQ="cryptroot"
prereqs()
{
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
. /lib/cryptsetup/functions
if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg" ] || [ ! -f "$TABFILE" ]; then
exit 0
fi
# Hooks for loading gnupg software and symmetrically encrypted key into
# the initramfs
copy_keys() {
crypttab_parse_options
if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg" ]; then
if [ -f "$CRYPTTAB_KEY" ]; then
[ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
else
cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
RV=1
fi
fi
}
RV=0
crypttab_foreach_entry copy_keys
# install askpass and GnuPG
copy_exec /lib/cryptsetup/askpass
copy_exec /usr/bin/gpg
exit $RV

87
debian/initramfs/hooks/cryptgnupg-sc vendored Normal file
View file

@ -0,0 +1,87 @@
#!/bin/sh
set -e
PREREQ="cryptroot"
prereqs()
{
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
. /lib/cryptsetup/functions
if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg-sc" ] || [ ! -f "$TABFILE" ]; then
exit 0
fi
# Hooks for loading gnupg software and encrypted key into the initramfs
copy_keys() {
crypttab_parse_options
if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg-sc" ]; then
if [ -f "$CRYPTTAB_KEY" ]; then
[ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
else
cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
RV=1
fi
fi
}
RV=0
crypttab_foreach_entry copy_keys
PUBRING="/etc/cryptsetup-initramfs/pubring.gpg"
if [ ! -f "$PUBRING" ]; then
cryptsetup_message "WARNING: $PUBRING: No such file"
else
[ -d "$DESTDIR/cryptroot/gnupghome" ] || mkdir -pm0700 "$DESTDIR/cryptroot/gnupghome"
# let gpg(1) create the keyring on the fly; we're not relying on its
# internals since it's the very same binary we're copying to the
# initramfs
/usr/bin/gpg --no-options --no-autostart --trust-model=always \
--quiet --batch --no-tty --logger-file=/dev/null \
--homedir="$DESTDIR/cryptroot/gnupghome" --import <"$PUBRING"
# make sure not to clutter the initramfs with backup keyrings
find "$DESTDIR/cryptroot" -name "*~" -type f -delete
fi
copy_exec /usr/bin/gpg
copy_exec /usr/bin/gpg-agent
copy_exec /usr/lib/gnupg/scdaemon
copy_exec /usr/bin/gpgconf
copy_exec /usr/bin/gpg-connect-agent
if [ ! -x "$DESTDIR/usr/bin/pinentry" ]; then
if [ -x "/usr/bin/pinentry-curses" ]; then
pinentry="/usr/bin/pinentry-curses"
elif [ -x "/usr/bin/pinentry-tty" ]; then
pinentry="/usr/bin/pinentry-tty"
else
cryptsetup_message "ERROR: missing required binary pinentry-curses or pinentry-tty"
RV=1
fi
copy_exec "$pinentry"
ln -s "$pinentry" "$DESTDIR/usr/bin/pinentry"
fi
# #1028202: ncurses-base: move terminfo files from /lib/terminfo to
# /usr/share/terminfo
for d in "/usr/share/terminfo" "/lib/terminfo"; do
if [ -f "$d/l/linux" ]; then
if [ ! -f "$DESTDIR$d/l/linux" ]; then
copy_file terminfo "$d/l/linux" || RV=$?
fi
break
fi
done
exit $RV

30
debian/initramfs/hooks/cryptkeyctl vendored Normal file
View file

@ -0,0 +1,30 @@
#!/bin/sh
set -e
PREREQ="cryptroot"
prereqs()
{
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
# Hooks for loading keyctl software into the initramfs
# Check whether cryptroot hook has installed decrypt_keyctl script
if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_keyctl" ]; then
exit 0
fi
copy_exec /lib/cryptsetup/askpass
copy_exec /bin/keyctl
exit 0

62
debian/initramfs/hooks/cryptopensc vendored Normal file
View file

@ -0,0 +1,62 @@
#!/bin/sh
set -e
PREREQ="cryptroot"
prereqs()
{
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
. /lib/cryptsetup/functions
if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_opensc" ] || [ ! -f "$TABFILE" ]; then
exit 0
fi
# Hooks for loading smartcard reading software into the initramfs
copy_keys() {
crypttab_parse_options
if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_opensc" ]; then
if [ -f "$CRYPTTAB_KEY" ]; then
[ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
else
cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
RV=1
fi
fi
}
RV=0
crypttab_foreach_entry copy_keys
# Install directories needed by smartcard reading daemon, command, and
# key-script
mkdir -p -- "$DESTDIR/etc/opensc" "$DESTDIR/usr/lib/pcsc" "$DESTDIR/var/run" "$DESTDIR/tmp"
# Install pcscd daemon, drivers, conf file
copy_exec /usr/sbin/pcscd
cp -rt "$DESTDIR/usr/lib" /usr/lib/pcsc
cp -t "$DESTDIR/etc" /etc/reader.conf || true
cp -t "$DESTDIR/etc" /etc/libccid_Info.plist
for so in $(ldconfig -p | sed -nr 's/^\s*(libusb-[0-9.-]+|libpcsclite)\.so\.[0-9]+\s.*=>\s*//p'); do
copy_exec "$so"
done
# Install opensc commands and conf file
copy_exec /usr/bin/opensc-tool
copy_exec /usr/bin/pkcs15-crypt
cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf
exit $RV

38
debian/initramfs/hooks/cryptpassdev vendored Normal file
View file

@ -0,0 +1,38 @@
#!/bin/sh
set -e
PREREQ="cryptroot"
prereqs()
{
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
# Hooks for adding filesystem modules to the initramfs when the passdev
# keyscript is used
# Check whether the passdev script has been included
if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/passdev" ]; then
exit 0
fi
# The filesystem type of the removable device is probed at boot-time, so
# we add a generous list of filesystems to include. This also helps with
# recovery situation as including e.g. the vfat module might help a user
# who needs to create a new cryptkey (using a backup of a keyfile) on
# a windows-machine for example.
# This list needs to be kept in sync with the one defined in passdev.c
manual_add_modules ext4 ext3 ext2 vfat btrfs reiserfs xfs jfs ntfs iso9660 udf
exit 0

384
debian/initramfs/hooks/cryptroot vendored Normal file
View file

@ -0,0 +1,384 @@
#!/bin/sh
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
. /lib/cryptsetup/functions
TABFILE="/etc/crypttab"
# crypttab_find_and_print_entry($target)
# Find the crypttab(5) entry for the given (unmangled) $target and
# print it - preserving the mangling - to FD nr. 3; but only if the
# target has not already been processed during an earlier function
# call. (Processed target names are stored in
# $DESTDIR/cryptroot/targets.)
# Return 0 on success, 1 on error.
crypttab_find_and_print_entry() {
local target="$1"
local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS
if ! grep -Fxqz -e "$target" -- "$DESTDIR/cryptroot/targets"; then
printf '%s\0' "$target" >>"$DESTDIR/cryptroot/targets"
crypttab_find_entry "$target" || return 1
crypttab_parse_options --missing-path=warn || return 1
crypttab_print_entry
fi
}
# crypttab_print_entry()
# Print an unmangled crypttab(5) entry to FD nr. 3, using CRYPTTAB_*
# and _CRYPTTAB_* values.
# _CRYPTTAB_SOURCE is replaced with UUID=<uuid> if possible (eg, for
# LUKS), unless the value starts with /dev/disk/by- or /dev/mapper/,
# or is already a device specification (such as LABEL= or PARTUUID=).
# If the entry uses the 'decrypt_derived' keyscript, the other
# crypttab(5) entries it depends on are (recursively) printed before
# hand.
# Various checks are performed on the key and crypttab options, but no
# parsing is done so it's the responsibility of the caller to call
# crypttab_parse_options().
# Return 0 on success, 1 on error.
crypttab_print_entry() {
local DEV MAJ MIN name_uses uuid keyfile
if _resolve_device "$CRYPTTAB_SOURCE"; then
name_uses="$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" || name_uses="N/A"
if [ "$name_uses" != "$MAJ:$MIN" ]; then
cryptsetup_message "ERROR: Source mismatch: $CRYPTTAB_NAME uses $name_uses, but $CRYPTTAB_SOURCE is $MAJ:$MIN"
elif [ "${_CRYPTTAB_SOURCE#[A-Za-z]*=}" = "$_CRYPTTAB_SOURCE" ] && \
[ "${CRYPTTAB_SOURCE#/dev/disk/by-}" = "$CRYPTTAB_SOURCE" ] && \
[ "${CRYPTTAB_SOURCE#/dev/mapper/}" = "$CRYPTTAB_SOURCE" ] && \
uuid="$(_device_uuid "$DEV")"; then
_CRYPTTAB_SOURCE="UUID=$uuid"
fi
# on failure _resolve_device() prints a warning and we try our
# luck with the unchanged _CRYPTTAB_SOURCE value
fi
# if keyscript is set, the "key" is just an argument to the script
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
crypttab_key_check || return 1
case "$CRYPTTAB_KEY" in
$KEYFILE_PATTERN)
mkdir -pm0700 -- "$DESTDIR/cryptroot/keyfiles"
# $CRYPTTAB_NAME can't contain '/' (even after unmangling)
keyfile="/cryptroot/keyfiles/$CRYPTTAB_NAME.key"
if [ ! -f "$DESTDIR$keyfile" ] && ! copy_file keyfile "$CRYPTTAB_KEY" "$keyfile"; then
cryptsetup_message "WARNING: couldn't copy keyfile $CRYPTTAB_KEY"
fi
_CRYPTTAB_KEY="/cryptroot/keyfiles/$_CRYPTTAB_NAME.key" # preserve mangled name
;;
*)
if [ "$usage" = rootfs ]; then
cryptsetup_message "WARNING: Skipping root target $CRYPTTAB_NAME: uses a key file"
return 1
elif [ "$usage" = resume ]; then
cryptsetup_message "WARNING: Resume target $CRYPTTAB_NAME uses a key file"
fi
if [ -L "$CRYPTTAB_KEY" ] && keyfile="$(readlink -- "$CRYPTTAB_KEY")" &&
[ "${keyfile#/}" != "$keyfile" ]; then
cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is a symlink with absolute target"
return 1
elif [ -f "$CRYPTTAB_KEY" ] && [ "$(stat -L -c"%m" -- "$CRYPTTAB_KEY" 2>/dev/null)" != "/" ]; then
cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is not on the root FS"
return 1
fi
if [ ! -e "$CRYPTTAB_KEY" ]; then
cryptsetup_message "WARNING: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
else
_CRYPTTAB_KEY="/FIXME-initramfs-rootmnt$_CRYPTTAB_KEY" # preserve mangled name
fi
esac
fi
if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ]; then
copy_exec "$CRYPTTAB_OPTION_keyscript"
elif [ "$CRYPTTAB_KEY" = "none" ]; then
ASKPASS="y"
fi
if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_derived" ]; then
# (recursively) list first the device to derive the key from (so
# the boot scripts unlock it first); since _CRYPTTAB_* are local
# to crypttab_find_and_print_entry() the new value won't
# override the new ones
crypttab_find_and_print_entry "$CRYPTTAB_KEY"
fi
printf '%s %s %s %s\n' \
"$_CRYPTTAB_NAME" "$_CRYPTTAB_SOURCE" "$_CRYPTTAB_KEY" "$_CRYPTTAB_OPTIONS" >&3
}
# get_resume_devno()
# Return the device ID(s) used for system suspend/hibernate.
get_resume_devno() {
local dev filename
# uswsusp
for filename in /etc/uswsusp.conf /etc/suspend.conf; do
[ -e "$filename" ] || continue
dev="$(sed -nr '/^resume device\s*[:=]\s*/ {s///p;q}' "$filename")"
if [ -n "$dev" ] && [ "$dev" != "<path_to_resume_device_file>" ]; then
# trim quotes
dev="$(printf '%s' "$dev" | sed -re 's/^"(.*)"\s*$/\1/' -e "s/^'(.*)'\\s*$/\\1/")"
_print_devno "$(printf '%b' "$dev")" # unmangle
fi
done
# regular swsusp
dev="$(sed -nr 's,^(.*\s)?resume=(\S+)(\s.*)?$,\2,p' /proc/cmdline)"
_print_devno "$(printf '%b' "$dev")" # unmangle
# initramfs-tools >=0.129
dev="${RESUME:-auto}"
if [ "$dev" != none ]; then
if [ "$dev" = auto ]; then
# next line from /usr/share/initramfs-tools/hooks/resume
dev="$(grep ^/dev/ /proc/swaps | sort -rnk3 | head -n 1 | cut -d " " -f 1)"
fi
_print_devno "$(printf '%b' "$dev")" # unmangle
fi
}
_print_devno() {
local DEV MAJ MIN # locally scope the 3 variables _resolve_device() sets
if [ -n "$1" ] && _resolve_device "$1"; then
printf '%d:%d\n' "$MAJ" "$MIN"
fi
}
# crypttab_print_initramfs_entry()
# Print a crypttab(5) entry - unless it was already processed - if it
# has the 'initramfs' option set.
crypttab_print_initramfs_entry() {
local usage=
if ! grep -Fxqz -e "$CRYPTTAB_NAME" -- "$DESTDIR/cryptroot/targets" &&
crypttab_parse_options --quiet &&
[ "${CRYPTTAB_OPTION_initramfs-no}" = "yes" ]; then
printf '%s\0' "$CRYPTTAB_NAME" >>"$DESTDIR/cryptroot/targets"
crypttab_print_entry
fi
}
# generate_initrd_crypttab()
# Generate the crypttab(5) snippet that is relevant at initramfs
# stage. (Devices that aren't required at initramfs stage are
# ignored.)
generate_initrd_crypttab() {
local devnos usage IFS="$(printf '\t\n ')"
mkdir -- "$DESTDIR/cryptroot"
true >"$DESTDIR/cryptroot/targets"
{
# add crypttab entries with the 'initramfs' option set
crypttab_foreach_entry crypttab_print_initramfs_entry
if devnos="$(get_mnt_devno /)"; then
usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
else
cryptsetup_message "WARNING: Couldn't determine root device"
fi
if devnos="$(get_resume_devno)"; then
usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
fi
if devnos="$(get_mnt_devno /usr)"; then
usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
fi
} 3>"$DESTDIR/cryptroot/crypttab"
rm -f "$DESTDIR/cryptroot/targets"
}
# populate_CRYPTO_HASHES()
# Find out which crypto hashes are required for a crypttab(5) entry,
# and append them to the CRYPTO_HASHES variable.
populate_CRYPTO_HASHES() {
local hash source newline="
"
if crypttab_parse_options --quiet && [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
source="$CRYPTTAB_OPTION_header"
else
source="$(_resolve_device_spec "$CRYPTTAB_SOURCE")" || source=""
fi
if [ ! -e "$source" ]; then
# missing source device or detached header, can't determine hashing function(s)
hash="@@UNKNOWN@@"
elif [ "$CRYPTTAB_TYPE" = "luks" ]; then
# using --dump-json-metadata would be more robust for LUKS2 but
# we also have to support LUKS1 hence have to parse luksDump output
hash="$(/sbin/cryptsetup luksDump -- "$source" | sed -nr 's/^\s*(AF hash|Hash|Hash spec)\s*:\s*//Ip')"
elif [ "$CRYPTTAB_TYPE" = "plain" ]; then
# --hash is being ignored when opening via key file
if [ "$CRYPTTAB_KEY" = "none" ] && [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then
hash="${CRYPTTAB_OPTION_hash-sha256}" # default password hashing as of cryptsetup 2.7
fi
else
hash="" # or hash="@@UNKNOWN@@"?
fi
if [ -n "$hash" ]; then
CRYPTO_HASHES="${CRYPTO_HASHES:+$CRYPTO_HASHES$newline}$hash"
fi
}
# populate_CRYPTO_MODULES()
# Find out which crypto modules are required for a crypttab(5) entry,
# and append them to the CRYPTO_MODULES variable.
populate_CRYPTO_MODULES() {
local cipher iv
# cf. dmsetup(8) and https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
cipher="$(dmsetup table --target crypt -- "$CRYPTTAB_NAME" | cut -d' ' -f4)"
if [ -z "$cipher" ]; then
cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME"
elif [ "${cipher#capi:}" = "$cipher" ]; then
# direct specification "cipher[:keycount]-chainmode-ivmode[:ivopts]"
CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%%[-:]*}" # cipher
cipher="${cipher#"${cipher%%-*}-"}" # chainmode-ivmode[:ivopts]"
CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%-*}" # chainmode
iv="${cipher##*-}" # ivmode[:ivopts]"
CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv%%:*}" # ivmode
if [ "${iv#*:}" != "$iv" ]; then
CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv#*:}" # ivopts
fi
else
# kernel crypto API format "capi:cipher_api_spec-ivmode[:ivopts]", since linux 4.12
cipher="${cipher#capi:}"
cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME" \
"(kernel crypto API format isn't supported yet)"
fi
}
# add_modules($glob, $moduledir, [$moduledir ..])
# Add modules matching under the given $moduledir(s), the name of
# which matching $glob.
# Return 0 if any module was found found, 1 if not.
add_modules() {
local glob="$1" found=n
shift
for mod in $(find -H "$@" -name "$glob.ko*" -type f -printf '%f\n'); do
manual_add_modules "${mod%%.*}"
found=y
done
[ "$found" = y ] && return 0 || return 1
}
# add_crypto_modules($name, [$name ..])
# Determine kernel module name and add to initramfs.
add_crypto_modules() {
local mod
for mod in "$@"; do
# We have several potential sources of modules (in order of preference):
#
# a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
# b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
# c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
#
# and (currently ignored):
#
# d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko
add_modules "$mod-*" "$MODULESDIR"/kernel/arch/*/crypto || true
add_modules "${mod}_generic" "$MODULESDIR/kernel/crypto" \
|| add_modules "$mod" "$MODULESDIR/kernel/crypto" \
|| true
done
}
# copy_libssl_legacy_library()
# Copy ossl-modules/legacy.so (from libssl library) to initramfs if needed.
# OpenSSL 3.0 moved support for some crypto hashes into legacy.so.
# See https://launchpad.net/bugs/1979159
copy_libssl_legacy_library() {
local libcryptodir CRYPTO_HASHES=""
libcryptodir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libcrypto\.so\..*/ {s//\1/p;q}')"
[ -d "$libcryptodir" ] || return
crypttab_foreach_entry populate_CRYPTO_HASHES
# See https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html#Hashing-Algorithms-Message-Digests
if printf '%s\n' "$CRYPTO_HASHES" | grep -Fxq -e @@UNKNOWN@@ -e whirlpool; then
# legacy hashes are used so legacy.so needs to be copied to the initramfs
# (assume ossl-modules/legacy.so is relative to the linked libcrypto.so)
copy_exec "$libcryptodir/ossl-modules/legacy.so" || true
fi
}
#######################################################################
# Begin real processing
unset -v ASKPASS KEYFILE_PATTERN
ASKPASS="y"
KEYFILE_PATTERN=
# Load the hook config
if [ -f "/etc/cryptsetup-initramfs/conf-hook" ]; then
. /etc/cryptsetup-initramfs/conf-hook
fi
if [ -n "$KEYFILE_PATTERN" ]; then
case "${UMASK:-$(umask)}" in
0[0-7]77) ;;
*) cryptsetup_message "WARNING: Permissive UMASK (${UMASK:-$(umask)})." \
"Private key material within the initrd might be left unprotected."
;;
esac
fi
CRYPTO_MODULES=
if [ -r "$TABFILE" ]; then
generate_initrd_crypttab
TABFILE="$DESTDIR/cryptroot/crypttab"
crypttab_foreach_entry populate_CRYPTO_MODULES
copy_libssl_legacy_library
fi
# add required components
manual_add_modules dm_mod dm_crypt
copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
[ "$ASKPASS" = n ] || copy_exec /lib/cryptsetup/askpass
# We need sed. Either via busybox or as standalone binary.
if [ "$BUSYBOX" = n ] || [ -z "$BUSYBOXDIR" ]; then
copy_exec /bin/sed
fi
# detect whether the host CPU has AES-NI support
if grep -Eq '^flags\s*:(.*\s)?aes(\s.*)?$' /proc/cpuinfo; then
CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }aesni"
else
# workaround for #883595/#901884 (xts depends on ecb)
CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }ecb"
fi
# add userspace crypto module (only required for opening LUKS2 devices
# we add the module unconditionally as it's the default format)
CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }algif_skcipher"
if [ "$MODULES" = most ]; then
for d in "$MODULESDIR"/kernel/arch/*/crypto; do
copy_modules_dir "${d#"$MODULESDIR/"}"
done
copy_modules_dir "kernel/crypto"
else
if [ "$MODULES" != "dep" ]; then
# with large initramfs, we always add a basic subset of modules
add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts vmx_crypto
fi
add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | sort -u)
fi
copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions

40
debian/initramfs/hooks/cryptroot-unlock vendored Normal file
View file

@ -0,0 +1,40 @@
#!/bin/sh
prereqs()
{
# cryptroot-unlock needs to be run last among crypt* since other hooks might include askpass
local req script
for req in "${0%/*}"/crypt*; do
script="${req##*/}"
if [ "$script" != "${0##*/}" ]; then
printf '%s\n' "$script"
fi
done
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
if [ ! -f "$DESTDIR/lib/cryptsetup/askpass" ]; then
# cryptroot-unlock is useless without askpass
exit 0
fi
. /usr/share/initramfs-tools/hook-functions
if [ ! -f "$DESTDIR/bin/cryptroot-unlock" ] &&
! copy_file script /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock /bin/cryptroot-unlock; then
echo "ERROR: Couldn't copy /bin/cryptroot-unlock" >&2
exit 1
fi
if [ -f /etc/initramfs-tools/etc/motd ]; then
copy_file text /etc/initramfs-tools/etc/motd /etc/motd
else
cat >>"$DESTDIR/etc/motd" <<- EOF
To unlock root partition, and maybe others like swap, run \`cryptroot-unlock\`.
EOF
fi

21
debian/initramfs/scripts/local-block/cryptroot vendored Normal file
View file

@ -0,0 +1,21 @@
#!/bin/sh
PREREQ=""
prereqs()
{
echo $PREREQ
}
case $1 in
# get pre-requisites
prereqs)
prereqs
exit 0
;;
esac
if [ -x /scripts/local-top/cryptroot ]; then
export CRYPTROOT_STAGE="local-block"
exec /scripts/local-top/cryptroot
fi

18
debian/initramfs/scripts/local-bottom/cryptgnupg-sc vendored Normal file
View file

@ -0,0 +1,18 @@
#!/bin/sh
PREREQ=""
prereqs() {
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
if [ -x /usr/bin/gpgconf ] && [ -d "/cryptroot/gnupghome" ]; then
gpgconf --homedir="/cryptroot/gnupghome" --kill all
fi

32
debian/initramfs/scripts/local-bottom/cryptopensc vendored Normal file
View file

@ -0,0 +1,32 @@
#!/bin/sh
set -e
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Hook for stopping smartcard reading software
if [ ! -x /usr/sbin/pcscd ]; then
exit 0
fi
. /scripts/functions
if PID="$(cat /run/pcscd.pid)" 2>/dev/null &&
[ "$(readlink -f "/proc/$PID/exe")" = "/usr/sbin/pcscd" ]; then
log_begin_msg "Stopping pcscd"
kill -TERM "$PID"
log_end_msg
fi

45
debian/initramfs/scripts/local-bottom/cryptroot vendored Normal file
View file

@ -0,0 +1,45 @@
#!/bin/sh
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# If we reached this stage, we do have a rootfs mounted
# so let's clean-up cryptroot setup mess...
[ -f /lib/cryptsetup/functions ] || return 0
. /lib/cryptsetup/functions
rm -f -- "$CRYPTROOT_COUNT_FILE"
dmremove_deferred() {
local d="$1" d2 name devno maj min
if [ -d "$d/dm" ] && devno="$(cat "$d/dev")" &&
maj="${devno%:*}" && min="${devno#*:}" &&
[ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
name="$(dmsetup info -c --noheadings -o unmangled_name -j "$maj" -m "$min")"; then
dmsetup remove --deferred "$name"
fi
if [ -d "$d/slaves" ]; then
for d2 in "$d/slaves"/*; do
if [ -d "$d2" ] && d2="$(realpath "$d2")"; then
dmremove_deferred "$d2"
fi
done
fi
}
if devnos="$(get_mnt_devno "$rootmnt")"; then
for devno in $devnos; do
dmremove_deferred "/sys/dev/block/$devno"
done
fi

37
debian/initramfs/scripts/local-top/cryptopensc vendored Normal file
View file

@ -0,0 +1,37 @@
#!/bin/sh
set -e
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Hook for starting smartcard reading software
if [ ! -x /usr/sbin/pcscd ]; then
exit 0
fi
. /scripts/functions
# Start pcscd daemon normally:
# start-stop-daemon --start --quiet \
# --pidfile /run/pcscd.pid \
# --exec /usr/sbin/pcscd
# Alternatively, start pcscd daemon in foreground so that it's pretty colored
# output may be seen on the console, useful for watching error messages since
# pcscd uses syslog which is not available (use --error or --critical to filter
# out debug message clutter):
# /usr/sbin/pcscd --error --foreground &
/usr/sbin/pcscd --foreground &
echo $! >/run/pcscd.pid

240
debian/initramfs/scripts/local-top/cryptroot vendored Normal file
View file

@ -0,0 +1,240 @@
#!/bin/sh
PREREQ="cryptroot-prepare"
#
# Standard initramfs preamble
#
prereqs() {
# Make sure that cryptroot is run last in local-top
local req script="${0##*/}" dir
dir="$DESTDIR/scripts/${CRYPTROOT_STAGE-local-top}"
for req in "$dir"/*; do
test -x "$req" || continue
req="${req##*/}"
if [ "$req" != "$script" ]; then
printf '%s\n' "$req"
fi
done
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /scripts/functions
[ -f /lib/cryptsetup/functions ] || return 0
. /lib/cryptsetup/functions
# wait_for_source()
# Wait for encrypted $CRYPTTAB_SOURCE . Set $CRYPTTAB_SOURCE
# to its normalized device name when it shows up;
# return 1 if timeout.
wait_for_source() {
wait_for_udev 10
if crypttab_resolve_source; then
# the device is here already, no need to loop
return 0
fi
# If the source device hasn't shown up yet, give it a little while
# to allow for asynchronous device discovery (e.g. USB).
#
# We also need to take into account RAID or other devices that may
# only be available on local-block stage. So, wait 5 seconds upfront,
# in local-top; if that fails, end execution relying on local-block
# invocations. Allow $ROOTDELAY/4 invocations with 1s sleep times (with
# a minimum of 20 invocations), and if after that we still fail, then it's
# really time to give-up. Variable $initrd_cnt tracks the re-invocations.
#
# Part of the lines below has been taken from initramfs-tools
# scripts/local's local_device_setup(), as suggested per
# https://launchpad.net/bugs/164044 .
local slumber=5
if [ "${CRYPTROOT_STAGE-}" = "local-block" ]; then
slumber=1
fi
cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..."
while [ $slumber -gt 0 ]; do
sleep 1
if crypttab_resolve_source; then
wait_for_udev 10
return 0
fi
slumber=$(( $slumber - 1 ))
done
return 1
}
# setup_mapping()
# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME,
# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS.
setup_mapping() {
local dev initrd_cnt
# We control here the number of re-invocations of this script from
# local-block - the heuristic is $ROOTDELAY/4, with a minimum of 20.
if [ -f "$CRYPTROOT_COUNT_FILE" ]; then
initrd_cnt="$(cat <"$CRYPTROOT_COUNT_FILE")"
else
initrd_cnt="${ROOTDELAY:-180}"
initrd_cnt=$(( initrd_cnt/4 ))
if [ $initrd_cnt -lt 20 ]; then
initrd_cnt=20
fi
echo "$initrd_cnt" >"$CRYPTROOT_COUNT_FILE"
fi
# The same target can be specified multiple times
# e.g. root and resume lvs-on-lvm-on-crypto
if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
return 0
fi
crypttab_parse_options --export --missing-path=fail || return 1
if ! wait_for_source; then
if [ $initrd_cnt -eq 0 ]; then
# we've given up
if [ -n "$panic" ]; then
panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
else
# let the user fix matters if they can
echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
echo " or missing modules, devices: cat /proc/modules; ls /dev"
panic "Dropping to a shell."
fi
return 1 # can't continue because environment is lost
else
initrd_cnt=$(( initrd_cnt - 1 ))
echo "$initrd_cnt" >"$CRYPTROOT_COUNT_FILE"
return 0 # allow some attempts on local-block stage
fi
fi
# our `cryptroot-unlock` script searches for cryptsetup processes
# with a given CRYPTTAB_NAME it their environment
export CRYPTTAB_NAME
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then
# no keyscript: interactive unlocking, or key file
if [ "${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" != "$CRYPTTAB_KEY" ]; then
# skip the mapping for now if the root FS is not mounted yet
sed -rn 's/^\s*[^#[:blank:]]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq -- "$rootmnt" || return 1
# substitute the "/FIXME-initramfs-rootmnt/" prefix by the real root FS mountpoint otherwise
CRYPTTAB_KEY="$rootmnt/${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}"
fi
if [ "$CRYPTTAB_KEY" != "none" ]; then
if [ ! -e "$CRYPTTAB_KEY" ]; then
cryptsetup_message "ERROR: Skipping target $CRYPTTAB_NAME: non-existing key file $CRYPTTAB_KEY"
return 1
fi
# try only once if we have a key file
CRYPTTAB_OPTION_tries=1
fi
fi
local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv
while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
# unlock via keyfile
unlock_mapping "$CRYPTTAB_KEY"
else
# unlock interactively or via keyscript
run_keyscript "$count" | unlock_mapping
fi
rv=$?
count=$(( $count + 1 ))
if [ $rv -ne 0 ]; then
cryptsetup_message "ERROR: $CRYPTTAB_NAME: cryptsetup failed, bad password or options?"
sleep 1
continue
elif ! dev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then
cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown error setting up device mapping"
return 1
fi
if ! fstype="$(get_fstype "$dev")" || [ "$fstype" = "unknown" ]; then
if [ "$CRYPTTAB_TYPE" != "luks" ]; then
# bad password for plain dm-crypt device? or mkfs not run yet?
cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown fstype, bad password or options?"
wait_for_udev 10
/sbin/cryptsetup remove -- "$CRYPTTAB_NAME"
sleep 1
continue
fi
fi
cryptsetup_message "$CRYPTTAB_NAME: set up successfully"
wait_for_udev 10
return 0
done
cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded"
exit 1
}
#######################################################################
# Begin real processing
mkdir -p /cryptroot # might not exist yet if the main system has no crypttab(5)
# Do we have any kernel boot arguments?
if ! grep -qE '^(.*\s)?cryptopts=' /proc/cmdline; then
# ensure $TABFILE exists and has a mtime greater than the boot time
# (existing $TABFILE is preserved)
touch -- "$TABFILE"
else
# let the read builtin unescape the '\' as GRUB substitutes '\' by '\\' in the cmdline
tr ' ' '\n' </proc/cmdline | sed -n 's/^cryptopts=//p' | while IFS= read cryptopts; do
# skip empty values (which can be used to disable the initramfs
# scripts for a particular boot, cf. #873840)
[ -n "$cryptopts" ] || continue
unset -v target source key options
IFS=","
for x in $cryptopts; do
case "$x" in
target=*) target="${x#target=}";;
source=*) source="${x#source=}";;
key=*) key="${x#key=}";;
*) options="${options+$options,}$x";;
esac
done
if [ -z "${source:+x}" ]; then
cryptsetup_message "ERROR: Missing source= value in kernel parameter cryptopts=$cryptopts"
else
# preserve mangling
printf '%s %s %s %s\n' "${target:-cryptroot}" "$source" "${key:-none}" "${options-}"
fi
done >"$TABFILE"
fi
# Do we have any settings from the $TABFILE?
if [ -s "$TABFILE" ]; then
# Create locking directory before invoking cryptsetup(8) to avoid warnings
mkdir -pm0700 /run/cryptsetup
modprobe -q dm_crypt
crypttab_foreach_entry setup_mapping
fi
exit 0

1
debian/libcryptsetup-dev.docs vendored Normal file
View file

@ -0,0 +1 @@
docs/examples

3
debian/libcryptsetup-dev.install vendored Normal file
View file

@ -0,0 +1,3 @@
usr/lib/${DEB_HOST_MULTIARCH}/*.so
usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc
usr/include/*.h

1
debian/libcryptsetup12-udeb.install vendored Normal file
View file

@ -0,0 +1 @@
usr/lib/${DEB_HOST_MULTIARCH}/*.so.*

1
debian/libcryptsetup12.install vendored Normal file
View file

@ -0,0 +1 @@
usr/lib/${DEB_HOST_MULTIARCH}/*.so.*

151
debian/libcryptsetup12.symbols vendored Normal file
View file

@ -0,0 +1,151 @@
libcryptsetup.so.12 libcryptsetup12 #MINVER#
* Build-Depends-Package: libcryptsetup-dev
CRYPTSETUP_2.0@CRYPTSETUP_2.0 2:2.0
CRYPTSETUP_2.4@CRYPTSETUP_2.4 2:2.4
CRYPTSETUP_2.5@CRYPTSETUP_2.5 2:2.5
CRYPTSETUP_2.6@CRYPTSETUP_2.6 2:2.6
CRYPTSETUP_2.7@CRYPTSETUP_2.7 2:2.7
crypt_activate_by_keyfile@CRYPTSETUP_2.0 2:1.4
crypt_activate_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
crypt_activate_by_keyring@CRYPTSETUP_2.0 2:2.0
crypt_activate_by_keyslot_context@CRYPTSETUP_2.7 2:2.7
crypt_activate_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1
crypt_activate_by_passphrase@CRYPTSETUP_2.0 2:1.4
crypt_activate_by_signed_key@CRYPTSETUP_2.0 2:2.3
crypt_activate_by_token@CRYPTSETUP_2.0 2:2.0
crypt_activate_by_token_pin@CRYPTSETUP_2.4 2:2.4
crypt_activate_by_volume_key@CRYPTSETUP_2.0 2:1.4
crypt_keyslot_add_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1
crypt_benchmark@CRYPTSETUP_2.0 2:1.6
crypt_benchmark_pbkdf@CRYPTSETUP_2.0 2:2.0
crypt_convert@CRYPTSETUP_2.0 2:2.0
crypt_deactivate@CRYPTSETUP_2.0 2:1.4
crypt_deactivate_by_name@CRYPTSETUP_2.0 2:2.0
crypt_dump@CRYPTSETUP_2.0 2:1.4
crypt_dump_json@CRYPTSETUP_2.4 2:2.4
crypt_format@CRYPTSETUP_2.0 2:1.4
crypt_format@CRYPTSETUP_2.4 2:2.4
crypt_format_luks2_opal@CRYPTSETUP_2.7 2:2.7
crypt_free@CRYPTSETUP_2.0 2:1.4
crypt_get_active_device@CRYPTSETUP_2.0 2:1.4
crypt_get_active_integrity_failures@CRYPTSETUP_2.0 2:2.0.3
crypt_get_cipher@CRYPTSETUP_2.0 2:1.4
crypt_get_cipher_mode@CRYPTSETUP_2.0 2:1.4
crypt_get_compatibility@CRYPTSETUP_2.0 2:2.3
crypt_get_data_offset@CRYPTSETUP_2.0 2:1.4
crypt_get_default_type@CRYPTSETUP_2.0 2:2.1
crypt_get_device_name@CRYPTSETUP_2.0 2:1.4
crypt_get_dir@CRYPTSETUP_2.0 2:1.4
crypt_get_hw_encryption_key_size@CRYPTSETUP_2.7 2:2.7
crypt_get_hw_encryption_type@CRYPTSETUP_2.7 2:2.7
crypt_get_integrity_info@CRYPTSETUP_2.0 2:2.0
crypt_get_iv_offset@CRYPTSETUP_2.0 2:1.4
crypt_get_label@CRYPTSETUP_2.5 2:2.5
crypt_get_metadata_device_name@CRYPTSETUP_2.0 2:2.1
crypt_get_metadata_size@CRYPTSETUP_2.0 2:2.1
crypt_get_pbkdf_default@CRYPTSETUP_2.0 2:2.0.3
crypt_get_pbkdf_type@CRYPTSETUP_2.0 2:2.0
crypt_get_pbkdf_type_params@CRYPTSETUP_2.0 2:2.1
crypt_get_rng_type@CRYPTSETUP_2.0 2:1.4
crypt_get_sector_size@CRYPTSETUP_2.0 2:2.0
crypt_get_subsystem@CRYPTSETUP_2.5 2:2.5
crypt_get_type@CRYPTSETUP_2.0 2:1.4
crypt_get_uuid@CRYPTSETUP_2.0 2:1.4
crypt_get_verity_info@CRYPTSETUP_2.0 2:1.5
crypt_get_volume_key_size@CRYPTSETUP_2.0 2:1.4
crypt_header_backup@CRYPTSETUP_2.0 2:1.4
crypt_header_is_detached@CRYPTSETUP_2.4 2:2.4
crypt_header_restore@CRYPTSETUP_2.0 2:1.4
crypt_init@CRYPTSETUP_2.0 2:1.4
crypt_init_by_name@CRYPTSETUP_2.0 2:1.4
crypt_init_by_name_and_header@CRYPTSETUP_2.0 2:1.4
crypt_init_data_device@CRYPTSETUP_2.0 2:2.1
crypt_keyfile_device_read@CRYPTSETUP_2.0 2:2.0.1
crypt_keyfile_read@CRYPTSETUP_2.0 2:2.0
crypt_keyslot_add_by_key@CRYPTSETUP_2.0 2:2.0
crypt_keyslot_add_by_keyfile@CRYPTSETUP_2.0 2:1.4
crypt_keyslot_add_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
crypt_keyslot_add_by_keyslot_context@CRYPTSETUP_2.6 2:2.6
crypt_keyslot_add_by_passphrase@CRYPTSETUP_2.0 2:1.4
crypt_keyslot_add_by_volume_key@CRYPTSETUP_2.0 2:1.4
crypt_keyslot_area@CRYPTSETUP_2.0 2:1.6
crypt_keyslot_change_by_passphrase@CRYPTSETUP_2.0 2:1.6
crypt_keyslot_context_free@CRYPTSETUP_2.6 2:2.6
crypt_keyslot_context_get_error@CRYPTSETUP_2.6 2:2.6
crypt_keyslot_context_get_type@CRYPTSETUP_2.6 2:2.6
crypt_keyslot_context_init_by_keyfile@CRYPTSETUP_2.6 2:2.6
crypt_keyslot_context_init_by_keyring@CRYPTSETUP_2.7 2:2.7
crypt_keyslot_context_init_by_passphrase@CRYPTSETUP_2.6 2:2.6
crypt_keyslot_context_init_by_signed_key@CRYPTSETUP_2.7 2:2.7
crypt_keyslot_context_init_by_token@CRYPTSETUP_2.6 2:2.6
crypt_keyslot_context_init_by_vk_in_keyring@CRYPTSETUP_2.7 2:2.7
crypt_keyslot_context_init_by_volume_key@CRYPTSETUP_2.6 2:2.6
crypt_keyslot_context_set_pin@CRYPTSETUP_2.6 2:2.6
crypt_keyslot_destroy@CRYPTSETUP_2.0 2:1.4
crypt_keyslot_get_encryption@CRYPTSETUP_2.0 2:2.1
crypt_keyslot_get_key_size@CRYPTSETUP_2.0 2:2.0.3
crypt_keyslot_get_pbkdf@CRYPTSETUP_2.0 2:2.1
crypt_keyslot_get_priority@CRYPTSETUP_2.0 2:2.0
crypt_keyslot_max@CRYPTSETUP_2.0 2:1.4
crypt_keyslot_set_encryption@CRYPTSETUP_2.0 2:2.1
crypt_keyslot_set_priority@CRYPTSETUP_2.0 2:2.0
crypt_keyslot_status@CRYPTSETUP_2.0 2:1.4
crypt_load@CRYPTSETUP_2.0 2:1.4
crypt_log@CRYPTSETUP_2.0 2:1.4
crypt_logf@CRYPTSETUP_2.4 2:2.4
crypt_memory_lock@CRYPTSETUP_2.0 2:1.4
crypt_metadata_locking@CRYPTSETUP_2.0 2:2.0
crypt_persistent_flags_get@CRYPTSETUP_2.0 2:2.0
crypt_persistent_flags_set@CRYPTSETUP_2.0 2:2.0
crypt_reencrypt@CRYPTSETUP_2.0 2:2.2
crypt_reencrypt_init_by_keyring@CRYPTSETUP_2.0 2:2.2
crypt_reencrypt_init_by_passphrase@CRYPTSETUP_2.0 2:2.2
crypt_reencrypt_run@CRYPTSETUP_2.4 2:2.4
crypt_reencrypt_status@CRYPTSETUP_2.0 2:2.2
crypt_repair@CRYPTSETUP_2.0 2:1.4.3
crypt_resize@CRYPTSETUP_2.0 2:1.4
crypt_resume_by_keyfile@CRYPTSETUP_2.0 2:1.4
crypt_resume_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1
crypt_resume_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
crypt_resume_by_keyslot_context@CRYPTSETUP_2.7 2:2.7
crypt_resume_by_passphrase@CRYPTSETUP_2.0 2:1.4
crypt_resume_by_token_pin@CRYPTSETUP_2.5 2:2.5
crypt_resume_by_volume_key@CRYPTSETUP_2.0 2:2.3
crypt_safe_alloc@CRYPTSETUP_2.0 2:2.3
crypt_safe_free@CRYPTSETUP_2.0 2:2.3
crypt_safe_memzero@CRYPTSETUP_2.0 2:2.3
crypt_safe_realloc@CRYPTSETUP_2.0 2:2.3
crypt_set_compatibility@CRYPTSETUP_2.0 2:2.3
crypt_set_confirm_callback@CRYPTSETUP_2.0 2:1.4
crypt_set_data_device@CRYPTSETUP_2.0 2:1.4
crypt_set_data_offset@CRYPTSETUP_2.0 2:2.1
crypt_set_debug_level@CRYPTSETUP_2.0 2:1.4
crypt_set_iteration_time@CRYPTSETUP_2.0 2:1.4.1
crypt_set_keyring_to_link@CRYPTSETUP_2.7 2:2.7
crypt_set_label@CRYPTSETUP_2.0 2:2.0
crypt_set_log_callback@CRYPTSETUP_2.0 2:1.4
crypt_set_metadata_size@CRYPTSETUP_2.0 2:2.1
crypt_set_pbkdf_type@CRYPTSETUP_2.0 2:2.0
crypt_set_rng_type@CRYPTSETUP_2.0 2:1.4
crypt_set_uuid@CRYPTSETUP_2.0 2:1.4
crypt_status@CRYPTSETUP_2.0 2:1.4
crypt_suspend@CRYPTSETUP_2.0 2:1.4
crypt_token_assign_keyslot@CRYPTSETUP_2.0 2:2.0
crypt_token_external_disable@CRYPTSETUP_2.4 2:2.4
crypt_token_external_path@CRYPTSETUP_2.4 2:2.4
crypt_token_is_assigned@CRYPTSETUP_2.0 2:2.0.2
crypt_token_json_get@CRYPTSETUP_2.0 2:2.0
crypt_token_json_set@CRYPTSETUP_2.0 2:2.0
crypt_token_luks2_keyring_get@CRYPTSETUP_2.0 2:2.0
crypt_token_luks2_keyring_set@CRYPTSETUP_2.0 2:2.0
crypt_token_max@CRYPTSETUP_2.4 2:2.4
crypt_token_register@CRYPTSETUP_2.0 2:2.0
crypt_token_set_external_path@CRYPTSETUP_2.7 2:2.7
crypt_token_status@CRYPTSETUP_2.0 2:2.0
crypt_token_unassign_keyslot@CRYPTSETUP_2.0 2:2.0
crypt_volume_key_get@CRYPTSETUP_2.0 2:1.4
crypt_volume_key_get_by_keyslot_context@CRYPTSETUP_2.6 2:2.6
crypt_volume_key_keyring@CRYPTSETUP_2.0 2:2.0
crypt_volume_key_verify@CRYPTSETUP_2.0 2:1.4
crypt_wipe@CRYPTSETUP_2.0 2:2.0
crypt_wipe_hw_opal@CRYPTSETUP_2.7 2:2.7

2
debian/not-installed vendored Normal file
View file

@ -0,0 +1,2 @@
usr/lib/${DEB_HOST_MULTIARCH}/libcryptsetup.la
usr/lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.la

1
debian/po/POTFILES.in vendored Normal file
View file

@ -0,0 +1 @@
[type: gettext/rfc822deb] cryptsetup.templates

54
debian/po/ca.po vendored Normal file
View file

@ -0,0 +1,54 @@
# Catalan translation of cryptsetup's debconf messages
# Copyright © 2024 Free Software Foundation, Inc.
# This file is distributed under the same license as the cryptsetup package.
# poc senderi <pocsenderi@protonmail.com>, 2024.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2018-06-18 01:42+0200\n"
"PO-Revision-Date: 2024-12-07 16:56+0100\n"
"Language: ca\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Last-Translator: poc senderi <pocsenderi@protonmail.com>\n"
"Language-Team: Catalan <debian-l10n-catalan@lists.debian.org>\n"
"X-Generator: Poedit 2.4.2\n"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Voleu continuar amb l'eliminació del «cryptsetup»?"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Aquest sistema té dispositius «dm-crypt» desbloquejats: ${cryptmap}"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock the "
"devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Si aquests dispositius es gestionen amb el «cryptsetup», és possible que no "
"pugueu bloquejar els dispositius després de l'eliminació del paquet, tot i "
"que es poden utilitzar altres eines per a gestionar dispositius «dm-crypt». "
"Qualsevol apagada o reinici del sistema bloquejarà els dispositius."
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"No trieu aquesta opció si voleu bloquejar els dispositius «dm-crypt» abans de "
"l'eliminació del paquet."

53
debian/po/cs.po vendored Normal file
View file

@ -0,0 +1,53 @@
# Czech PO debconf template translation of cryptsetup.
# Copyright (C) 2010 Michal Simunek <michal.simunek@gmail.com>
# This file is distributed under the same license as the cryptsetup package.
# Michal Simunek <michal.simunek@gmail.com>, 2011.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2:1.3.0-4\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2018-06-18 01:42+0200\n"
"PO-Revision-Date: 2011-09-23 17:31+0200\n"
"Last-Translator: Michal Simunek <michal.simunek@gmail.com>\n"
"Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
"Language: cs\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Pokračovat v odstraňování cryptsetup?"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Tento systém má odemčená zařízení dm-crypt: ${cryptmap}"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Jsou-li tato zařízení spravována s cryptsetup, nebudete je moci po "
"odstranění balíčku uzamknout i přes to, že ke správě zařízení dm-crypt lze "
"použít i jiné nástroje. Jakékoli vypnutí či restart systému tato zařízení "
"uzamkne."
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Chcete-li před odstraněním balíčku zařízení dm-crypt uzamknout, tuto možnost "
"nevybírejte."

53
debian/po/da.po vendored Normal file
View file

@ -0,0 +1,53 @@
# Danish translation cryptsetup.
# Copyright (C) 2011 cryptsetup & nedenstående oversættere.
# This file is distributed under the same license as the cryptsetup package.
# Joe Hansen <joedalton2@yahoo.dk>, 2011.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2018-06-18 01:42+0200\n"
"PO-Revision-Date: 2011-10-09 17:30+01:00\n"
"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
"Language-Team: Danish <debian-l10n-danish@lists.debian.org>\n"
"Language: da\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Fortsæt med fjernelsen af cryptsetup?"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Dette system har frigjort dm-crypt-enheder: ${cryptmap}"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Hvis disse enheder håndteres med cryptsetup, vil du måske ikke kunne låse "
"enhederne efter pakkefjernelsen, dog kan andre værktøjer bruges til at "
"håndtere dm-crypt-enheder. Alle systemnedlukninger eller genstarter vil låse "
"enhederne."
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Vælg ikke denne indstilling hvis du ønsker at låse dm-crypt-enhederne før "
"pakkefjernelse."

55
debian/po/de.po vendored Normal file
View file

@ -0,0 +1,55 @@
# GERMAN TRANSLATION OF CRYPTSETUP.
# Copyright (C) 2011 Erik Pfannenstein
# This file is distributed under the same license as the cryptsetup package.
# Erik Pfannenstein <debianignatz@gmx.de>, 2011.
msgid ""
msgstr ""
"Project-Id-Version: 1.3.0-4\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2018-06-18 01:42+0200\n"
"PO-Revision-Date: 2011-09-15 22:10+0200\n"
"Last-Translator: Erik Pfannenstein <debianignatz@gmx.de>\n"
"Language-Team: debian-l10n-german@lists.debian.org\n"
"Language: de\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
"X-Generator: Virtaal 0.7.0\n"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Mit der Entfernung von Cryptsetup fortfahren?"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Dieses System verfügt über entsperrte dm-crypt-Geräte: ${cryptmap}"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Wenn diese Geräte über Cryptsetup verwaltet werden, werden Sie nach der "
"Entfernung des Pakets möglicherweise nicht mehr in der Lage sein, sie zu "
"sperren, obwohl für die Handhabung von dm-crypt-verschlüsselten Geräten auch "
"andere Werkzeuge bereit stehen. Jedes Herunterfahren oder Neustarten wird "
"die Geräte sperren."
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Wählen Sie diese Option nicht, wenn Sie die dm-crypt-verschlüsselten Geräte "
"vor der Entfernung des Pakets sperren wollen."

88
debian/po/es.po vendored Normal file
View file

@ -0,0 +1,88 @@
# cryptsetup po-debconf translation to Spanish
# Copyright (C) 2010 Software in the Public Interest
# This file is distributed under the same license as the cryptsetup package.
#
# Changes:
# - Initial translation
# Camaleón <noelamac@gmail.com>, 2011
#
# - Updates
#
#
# Traductores, si no conocen el formato PO, merece la pena leer la
# documentación de gettext, especialmente las secciones dedicadas a este
# formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
# https://www.debian.org/intl/spanish/
# especialmente las notas y normas de traducción en
# http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
# /usr/share/doc/po-debconf/README-trans
# o https://www.debian.org/intl/l10n/po-debconf/README-trans
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2:1.4.1-2\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2018-06-18 01:42+0200\n"
"PO-Revision-Date: 2012-02-22 15:11+0100\n"
"Last-Translator: Camaleón <noelamac@gmail.com>\n"
"Language-Team: Debian Spanish <debian-l10n-spanish@lists.debian.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "¿Desea continuar con la eliminación de cryptsetup?"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr ""
"Este sistema tiene los siguientes dispositivos dm-crypt desbloqueados: "
"${cryptmap}"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Si estos dispositivos se administran con cryptsetup es posible que no pueda "
"bloquearlos si elimina el paquete, aunque puede usar otras herramientas para "
"administrar los dispositivos dm-crypt. Apagar o reiniciar el sistema "
"bloqueará los dispositivos."
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"No seleccione esta opción si quiere bloquear los dispositivos dm-crypt antes "
"de eliminar el paquete."
#~ msgid ""
#~ "In case you want to lock the dm-crypt devices before package removal, say "
#~ "no here, and continue with removal after all dm-crypt devices have been "
#~ "locked."
#~ msgstr ""
#~ "Si quiere bloquear los dispositivos dm-crypt antes de eliminar el "
#~ "paquete, seleccione «no» en este apartado y continúe con la eliminación "
#~ "después de que se hayan bloqueado todos los dispositivos dm-crypt."

62
debian/po/fr.po vendored Normal file
View file

@ -0,0 +1,62 @@
# Translation to French of cryptsetup debconf templates.
# Copyright (C) 2011 Debian French l10n team <debian-l10n-french@lists.debian.org>
# This file is distributed under the same license as the cryptsetup package.
# Julien Patriarca <patriarcaj@gmail.com>, 2011.
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup VERSION\n"
"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
"POT-Creation-Date: 2018-06-18 01:42+0200\n"
"PO-Revision-Date: 2011-09-15 15:04+0100\n"
"Last-Translator: Julien Patriarca <patriarcaj@gmail.com>\n"
"Language-Team: FRENCH <debian-l10n-french@lists.debian.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "Continue with cryptsetup removal?"
msgstr "Poursuivre la suppression de cryptsetup ?"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
msgstr "Ce système a déverrouillé des périphériques dm-crypt : ${cryptmap}"
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"If these devices are managed with cryptsetup, you might be unable to lock "
"the devices after the package removal, though other tools can be used for "
"managing dm-crypt devices. Any system shutdown or reboot will lock the "
"devices."
msgstr ""
"Si ces périphériques sont gérés avec cryptsetup, il pourrait devenir "
"impossible de les verrouiller après la suppression du paquet. Cependant, "
"d'autres outils existent pour gérer des périphériques dm-crypt. Dans tous "
"les cas, un arrêt ou redémarrage du système verrouillera les périphériques."
#. Type: boolean
#. Description
#: ../cryptsetup.templates:1001
msgid ""
"Do not choose this option if you want to lock the dm-crypt devices before "
"package removal."
msgstr ""
"Ne sélectionnez pas cette option si vous souhaitez verrouiller les "
"périphériques dm-crypt avant la suppression du paquet."
#~ msgid ""
#~ "In case you want to lock the dm-crypt devices before package removal, say "
#~ "no here, and continue with removal after all dm-crypt devices have been "
#~ "locked."
#~ msgstr ""
#~ "Refusez la suppression du paquet si vous souhaitez préalablement "
#~ "verrouiller les périphériques dm-crypt et poursuivez-la après que tous "
#~ "les périphériques dm-crypt ont été déverrouillés."

Some files were not shown because too many files have changed in this diff Show more