summaryrefslogtreecommitdiffstats
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/NEWS12
-rw-r--r--debian/README.Debian344
-rw-r--r--debian/README.debug72
-rw-r--r--debian/README.gnupg42
-rw-r--r--debian/README.gnupg-sc55
-rw-r--r--debian/README.initramfs280
-rw-r--r--debian/README.keyctl106
-rw-r--r--debian/README.opensc124
-rw-r--r--debian/README.source40
-rw-r--r--debian/TODO.md47
-rw-r--r--debian/askpass.c573
-rw-r--r--debian/bash_completion/cryptdisks_start42
-rw-r--r--debian/bug-script38
-rw-r--r--debian/changelog3663
-rw-r--r--debian/checks/blkid32
-rw-r--r--debian/checks/ext212
-rw-r--r--debian/checks/swap5
-rw-r--r--debian/checks/un_blkid28
-rw-r--r--debian/checks/xfs5
-rw-r--r--debian/clean10
-rw-r--r--debian/control194
-rw-r--r--debian/copyright280
-rw-r--r--debian/cryptdisks-functions286
-rw-r--r--debian/cryptsetup-bin.NEWS215
-rw-r--r--debian/cryptsetup-bin.install5
-rw-r--r--debian/cryptsetup-bin.manpages44
-rw-r--r--debian/cryptsetup-initramfs.NEWS15
-rw-r--r--debian/cryptsetup-initramfs.docs1
-rw-r--r--debian/cryptsetup-initramfs.install10
-rw-r--r--debian/cryptsetup-initramfs.lintian-overrides6
-rw-r--r--debian/cryptsetup-initramfs.postinst41
-rw-r--r--debian/cryptsetup-initramfs.postrm15
-rw-r--r--debian/cryptsetup-initramfs.prerm29
-rw-r--r--debian/cryptsetup-initramfs.templates9
-rw-r--r--debian/cryptsetup-run.NEWS11
-rw-r--r--debian/cryptsetup-ssh.install2
-rw-r--r--debian/cryptsetup-ssh.manpages1
-rw-r--r--debian/cryptsetup-suspend.install5
-rw-r--r--debian/cryptsetup-suspend.lintian-overrides2
-rw-r--r--debian/cryptsetup-suspend.manpages1
-rw-r--r--debian/cryptsetup-suspend.postinst14
-rw-r--r--debian/cryptsetup-suspend.postrm12
-rw-r--r--debian/cryptsetup-udeb.install7
-rw-r--r--debian/cryptsetup-udeb.preinst32
-rw-r--r--debian/cryptsetup.NEWS62
-rw-r--r--debian/cryptsetup.apport43
-rw-r--r--debian/cryptsetup.cryptdisks-early.init53
-rw-r--r--debian/cryptsetup.cryptdisks.default12
-rw-r--r--debian/cryptsetup.cryptdisks.init53
-rw-r--r--debian/cryptsetup.docs10
-rw-r--r--debian/cryptsetup.examples1
-rw-r--r--debian/cryptsetup.install9
-rw-r--r--debian/cryptsetup.links1
-rw-r--r--debian/cryptsetup.lintian-overrides3
-rw-r--r--debian/cryptsetup.maintscript2
-rw-r--r--debian/cryptsetup.manpages2
-rw-r--r--debian/cryptsetup.postinst53
-rw-r--r--debian/cryptsetup.postrm26
-rw-r--r--debian/cryptsetup.preinst13
-rw-r--r--debian/cryptsetup.prerm27
-rw-r--r--debian/cryptsetup.templates13
-rw-r--r--debian/doc/cryptdisks_start.xml60
-rw-r--r--debian/doc/cryptdisks_stop.xml55
-rw-r--r--debian/doc/cryptsetup-suspend.xml120
-rw-r--r--debian/doc/crypttab.xml772
-rw-r--r--debian/doc/manpages.xml10
-rw-r--r--debian/doc/pandoc/encrypted-boot.md536
-rw-r--r--debian/doc/pandoc/index.md24
-rw-r--r--debian/doc/pandoc/pandoc.css77
-rw-r--r--debian/doc/variables.xml.in16
-rw-r--r--debian/functions686
-rw-r--r--debian/gbp.conf11
-rw-r--r--debian/initramfs/conf-hook44
-rw-r--r--debian/initramfs/conf-hooks.d/cryptsetup9
-rw-r--r--debian/initramfs/cryptroot-unlock196
-rw-r--r--debian/initramfs/hooks/cryptgnupg46
-rw-r--r--debian/initramfs/hooks/cryptgnupg-sc87
-rw-r--r--debian/initramfs/hooks/cryptkeyctl30
-rw-r--r--debian/initramfs/hooks/cryptopensc62
-rw-r--r--debian/initramfs/hooks/cryptpassdev38
-rw-r--r--debian/initramfs/hooks/cryptroot406
-rw-r--r--debian/initramfs/hooks/cryptroot-unlock40
-rw-r--r--debian/initramfs/scripts/local-block/cryptroot21
-rw-r--r--debian/initramfs/scripts/local-bottom/cryptgnupg-sc18
-rw-r--r--debian/initramfs/scripts/local-bottom/cryptopensc32
-rw-r--r--debian/initramfs/scripts/local-bottom/cryptroot22
-rw-r--r--debian/initramfs/scripts/local-top/cryptopensc37
-rw-r--r--debian/initramfs/scripts/local-top/cryptroot239
-rw-r--r--debian/libcryptsetup-dev.docs1
-rw-r--r--debian/libcryptsetup-dev.install3
-rw-r--r--debian/libcryptsetup12-udeb.install1
-rw-r--r--debian/libcryptsetup12.install1
-rw-r--r--debian/libcryptsetup12.lintian-overrides3
-rw-r--r--debian/libcryptsetup12.symbols139
-rw-r--r--debian/not-installed2
-rw-r--r--debian/patches/Check-for-physical-memory-available-also-in-PBKDF-benchma.patch74
-rw-r--r--debian/patches/Print-warning-when-keyslot-requires-more-memory-than-avai.patch49
-rw-r--r--debian/patches/Try-to-avoid-OOM-killer-on-low-memory-systems-without-swa.patch163
-rw-r--r--debian/patches/Use-only-half-of-detected-free-memory-on-systems-without-.patch43
-rw-r--r--debian/patches/series4
-rw-r--r--debian/po/POTFILES.in1
-rw-r--r--debian/po/cs.po53
-rw-r--r--debian/po/da.po53
-rw-r--r--debian/po/de.po55
-rw-r--r--debian/po/es.po88
-rw-r--r--debian/po/fr.po62
-rw-r--r--debian/po/id.po57
-rw-r--r--debian/po/it.po53
-rw-r--r--debian/po/ja.po54
-rw-r--r--debian/po/nl.po54
-rw-r--r--debian/po/pt.po53
-rw-r--r--debian/po/pt_BR.po55
-rw-r--r--debian/po/ro.po62
-rw-r--r--debian/po/ru.po64
-rw-r--r--debian/po/sv.po63
-rw-r--r--debian/po/templates.pot48
-rw-r--r--debian/po/vi.po56
-rwxr-xr-xdebian/rules100
-rw-r--r--debian/salsa-ci.yml63
-rw-r--r--debian/scripts/cryptdisks_start63
-rw-r--r--debian/scripts/cryptdisks_stop38
-rw-r--r--debian/scripts/decrypt_derived32
-rw-r--r--debian/scripts/decrypt_gnupg26
-rw-r--r--debian/scripts/decrypt_gnupg-sc44
-rw-r--r--debian/scripts/decrypt_keyctl55
-rw-r--r--debian/scripts/decrypt_opensc46
-rw-r--r--debian/scripts/decrypt_ssl17
-rw-r--r--debian/scripts/gen-ssl-key22
-rw-r--r--debian/scripts/luksformat133
-rw-r--r--debian/scripts/passdev.c286
-rw-r--r--debian/scripts/po/Makefile39
-rw-r--r--debian/scripts/po/de.po76
-rw-r--r--debian/scripts/po/luksformat.pot69
-rw-r--r--debian/scripts/suspend/cryptsetup-suspend-wrapper320
-rw-r--r--debian/scripts/suspend/cryptsetup-suspend.c225
-rw-r--r--debian/scripts/suspend/cryptsetup-suspend.shutdown3
-rw-r--r--debian/scripts/suspend/suspend.conf10
-rw-r--r--debian/scripts/suspend/systemd/cryptsetup-suspend.conf12
-rw-r--r--debian/source/format1
-rw-r--r--debian/source/lintian-overrides1
-rw-r--r--debian/tests/control133
-rwxr-xr-xdebian/tests/cryptdisks764
-rwxr-xr-xdebian/tests/cryptdisks.init84
l---------debian/tests/cryptroot-legacy1
-rw-r--r--debian/tests/cryptroot-legacy.d/bottom9
-rw-r--r--debian/tests/cryptroot-legacy.d/config14
-rwxr-xr-xdebian/tests/cryptroot-legacy.d/mock32
-rw-r--r--debian/tests/cryptroot-legacy.d/preinst14
-rw-r--r--debian/tests/cryptroot-legacy.d/setup46
l---------debian/tests/cryptroot-lvm1
-rw-r--r--debian/tests/cryptroot-lvm.d/bottom9
-rw-r--r--debian/tests/cryptroot-lvm.d/config10
-rwxr-xr-xdebian/tests/cryptroot-lvm.d/mock49
-rw-r--r--debian/tests/cryptroot-lvm.d/postinst17
-rw-r--r--debian/tests/cryptroot-lvm.d/preinst14
-rw-r--r--debian/tests/cryptroot-lvm.d/setup45
l---------debian/tests/cryptroot-md1
-rw-r--r--debian/tests/cryptroot-md.d/bottom15
-rw-r--r--debian/tests/cryptroot-md.d/config7
-rwxr-xr-xdebian/tests/cryptroot-md.d/mock41
-rw-r--r--debian/tests/cryptroot-md.d/preinst20
-rw-r--r--debian/tests/cryptroot-md.d/setup84
l---------debian/tests/cryptroot-nested1
-rw-r--r--debian/tests/cryptroot-nested.d/bottom17
-rw-r--r--debian/tests/cryptroot-nested.d/config7
-rwxr-xr-xdebian/tests/cryptroot-nested.d/mock44
-rw-r--r--debian/tests/cryptroot-nested.d/preinst21
-rw-r--r--debian/tests/cryptroot-nested.d/setup107
-rwxr-xr-xdebian/tests/cryptroot-run135
l---------debian/tests/cryptroot-sysvinit1
-rw-r--r--debian/tests/cryptroot-sysvinit.d/bottom9
-rw-r--r--debian/tests/cryptroot-sysvinit.d/config5
-rwxr-xr-xdebian/tests/cryptroot-sysvinit.d/mock31
-rw-r--r--debian/tests/cryptroot-sysvinit.d/postinst15
-rw-r--r--debian/tests/cryptroot-sysvinit.d/preinst16
-rw-r--r--debian/tests/cryptroot-sysvinit.d/setup43
-rwxr-xr-xdebian/tests/initramfs-hook267
-rwxr-xr-xdebian/tests/utils/cryptroot-common537
-rwxr-xr-xdebian/tests/utils/debootstrap125
-rwxr-xr-xdebian/tests/utils/init273
-rwxr-xr-xdebian/tests/utils/mkinitramfs159
-rw-r--r--debian/tests/utils/mock.pm347
-rw-r--r--debian/upstream/metadata6
-rw-r--r--debian/upstream/signing-key.asc51
-rw-r--r--debian/watch6
185 files changed, 17572 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..87e657a
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,12 @@
+cryptsetup (2:2.3.3-3+exp1) experimental; urgency=medium
+
+ This release adds a new binary package 'cryptsetup-suspend' which brings
+ support to suspend encrypted LUKS devices before the system goes to sleep
+ (via ACPI S3 system suspend). In other words, the encryption keys for
+ LUKS devices are removed automatically from system memory before system
+ suspend. After system resume, LUKS devices will be unlocked again and
+ the user may be asked to provide a passphrase if required.
+
+ See the cryptsetup-suspend(7) manpage for more information.
+
+ -- Jonas Meurer <jonas@freesources.org> Wed, 12 Aug 2020 21:31:47 +0200
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..99633bf
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,344 @@
+Cryptsetup for Debian
+=====================
+
+Table of Contents
+-----------------
+
+* 1. Introduction into Cryptsetup for Debian
+* 2. Encrypted swap partition(s)
+* 3. Insecure mode/owner for keys
+* 4. Cryptsetup and udev
+* 5. Useful keyscripts: askpass and passdev
+* 6. The `check` option
+* 7. Cryptsetup and Splashy
+* 8. Remotely unlock encrypted rootfs
+* 9. Backup the LUKS header
+* 10. Changing the boot order of cryptdisks init scripts
+* 11. Unlocking LUKS devices from GRUB
+* 12. Suspend LUKS devices on system suspend
+* 13. Credits
+
+
+1. Introduction into Cryptsetup for Debian
+------------------------------------------
+
+ Cryptsetup is a command-line interface for configuring encrypted block
+devices via dm-crypt, a kernel device-mapper target. For documentation about
+the cryptsetup tool, see manpage of cryptsetup(8) and the frequently asked
+questions at `/usr/share/doc/cryptsetup/FAQ.gz`.
+
+ The Debian cryptsetup package provides the initscript `/etc/init.d/cryptdisks`
+and a configuration file `/etc/crypttab` for automatically configuring encrypted
+devices at boot time. The applications cryptdisks_start and cryptdisks_stop
+are provided to process crypttab configured devices manually. See the manpages
+of crypttab(5), cryptdisks_start(8) and cryptdisks_stop(8) for more information.
+The systemd init system masks our initscripts as it has native
+cryptsetup support; use cryptdisks_start(8) or systemd-cryptsetup@.service(8) to
+manually unlock devices on such systems.
+
+ The luksformat script provides a simple interface for creating an encrypted
+device that follows the LUKS standard and for putting a file system onto the
+encrypted device. See man luksformat(8) for more information.
+
+ If you wish to perform a Debian installation to an encrypted root, you might
+be interested in using a version of Debian Installer with partman-crypto,
+which will install the system and setup cryptsetup and initramfs-tools.
+
+ For instructions about how to encrypt your root filesystem and integrate
+cryptsetup into initramfs on a running system, see
+`/usr/share/doc/cryptsetup-initramfs/README.initramfs.gz`.
+
+
+2. Encrypted swap partition(s)
+------------------------------
+
+ An encrypted swap partition prevents spying on plaintext secrets (passwords)
+that may be written to disk when memory is swapped to disk.
+
+ To encrypt your swap partitions, you'll first have to deactivate your swap:
+
+ swapoff -a
+
+ You'll have to add an entry for every swap partition in `/etc/crypttab`. Be
+sure to place the source device (here `/dev/sde9`) with your swap devices:
+
+ # <target name> <source device> <key file> <options>
+ cswap1 /dev/sde9 /dev/urandom plain,cipher=aes-xts-plain64,size=256,swap
+
+ Now you need to change the swap devices in `/etc/fstab` to the encrypted swap
+device names (`/dev/mapper/cswap1` in this example).
+
+ # <file system> <mount point> <type> <options> <dump> <pass>
+ /dev/sde9 none swap sw 0 0
+
+becomes
+
+ # <file system> <mount point> <type> <options> <dump> <pass>
+ /dev/mapper/cswap1 none swap sw 0 0
+
+ Then, you need to start the cryptsetup swap devices and reactivate swap:
+
+ cryptdisks_start cswap1
+ swapon -a
+
+ And finally, if `/dev/sde9` was previously used as resume device, you should
+disable it (the new swap partition is mapped with a non-persistent key hence
+can't be used for resuming after suspend to disk). With initramfs-tools 0.130
+and later, this can be done with
+
+ echo "RESUME=none" >/etc/initramfs-tools/conf.d/resume
+ update-initramfs -u
+
+ That's it! You have a crypted swap device. Note that `/dev/urandom` provides
+only pseudo-random entropy. So if you're paranoid rather use `/dev/random` as
+source for random data. Be aware though that `/dev/random` might not provide
+enough random bytes for your key, causing your system to hang at boot, waiting
+for more entropy. Moving mouse and keyboard typing might help in this case.
+
+ Read the crypttab(5) manpage for more information, for example options to use
+a different encryption algorithm than the default.
+
+
+3. Insecure mode/owner for keys
+-------------------------------
+
+ Any key that is stored somewhere to be used with cryptsetup should have the
+mode 400 (`-r--------`) and root as owner/group. `chown root.root keyfile` and
+`chmod 400 keyfile` will do the trick for you.
+
+ If a key is stored on a vfat filesystem (very common for removable media),
+chmod and chown will not work. The vfat filesystem (and several others too)
+does not support file permissions and ownership. Instead, you should use the
+uid, gid and umask options in `/etc/fstab` to ensure secure permissions for
+the key.
+
+ As an example, assume that `/dev/sdg8` is the removable media containing
+keyfiles on a vfat filesystem and that it is going to be mounted on
+`/media/flash0`. The configuration in `/etc/fstab` should then be something
+like this:
+
+ # <file system> <mount point> <type> <options> <dump> <pass>
+ /dev/sdg8 /media/flash0 vfat uid=0,gid=0,umask=277 0 0
+
+ If you are using udev, it might be a good idea to use the `/dev/disk/by-label`
+links instead of `/dev/sdg8` as the link will work no matter in which order the
+media is inserted and detected.
+
+
+4. Cryptsetup and udev
+----------------------
+
+ As a workaround for some yet-to-be-fixed race condition in kernel,
+device-mapper or udev, cryptsetup currently runs udevsettle.
+
+ This leads to problems if you invoke cryptsetup as part of a udev rule.
+udevsettle waits until queued kernel/udev events are processed and the
+"run programs" have finished. Due to cryptsetup itself being a "run
+program" in this case, this ends in a deadlock.
+
+ Therefore cryptsetup should be detached directly after invocation in this
+case, so that it runs asynchronously.
+
+
+5. Useful keyscripts: askpass and passdev
+-----------------------------------------
+
+ The cryptsetup package ships with several keyscripts. Keyscripts may be
+configured in `/etc/crypttab` in order to provide the key required to unlock
+the device. The shipped keyscripts are located at `/lib/cryptsetup/scripts`.
+
+ Some keyscripts have an own README file at `/usr/share/doc/cryptsetup/`.
+
+ Two special keyscripts, worth being mentioned here, are askpass and passdev.
+
+ Askpass is located at `/lib/cryptsetup/askpass`. It's a simple helper program
+that supports different methods (console, fifo, splashy, ...) to prompt for a
+passphrase, and prints the result to stdout. The syntax is:
+
+ /lib/cryptsetup/askpass PROMPT
+
+ Passdev will wait for a given device to appear, mount it read-only, read the
+key, and unmount the device. See `/usr/share/doc/cryptsetup-initramfs/README.initramfs.gz`
+for more information about passdev.
+
+
+6. The `check` option
+---------------------
+
+ The `check` option in crypttab allows one to configure checks to be run
+against the target device after cryptsetup has been invoked.
+The default check `blkid` can check for any known filesystem type, as it uses
+blkid from util-linux. you can check for a particular filesystem by giving for
+example `checkargs=ext4` or `checkargs=swap` as an option in `/etc/crypttab`.
+
+ Please send us your checks, if you write new ones. If they are generally
+useful, we will include them in the package.
+
+ See man crypttab(5) for more information about the checksystem.
+
+
+7. Cryptsetup and Splashy
+-------------------------
+
+ Splashy support in cryptsetup is currently somehow limited. Splashy is known
+to freeze at the password dialog for encrypted non-root filesystems. Only the
+password dialog for the encrypted root filesystem works.
+
+ It seems like splashy freezes for any input dialog in initscripts while
+input dialogs at initramfs stage seem to work. This leads to the assumption
+that the bug is somewhere in splashy and neither in cryptsetups initscripts
+nor in askpass.
+
+
+8. Remotely unlock encrypted rootfs
+-----------------------------------
+
+ Thanks to Chris <debian@x.ray.net> it's possible to install a dropbear SSH
+server into the initramfs, connect to this SSH server during execution of
+initramfs early in the boot process, and unlock encrypted devices - even
+the root device - before the boot process continues. (Note that in order
+to force an arbitrary device to be processed at initramfs stage you
+might need to set the `initramfs` option in its crypttab entry; see
+crypttab(5) for details.)
+
+ This way it is possible to use an encrypted root filesystem on headless
+systems where no physical access is available during boot process.
+
+ Dropbear 0.52-1 or later is required for this to work. (Since 2015.68-1 the
+functionality has its own binary package `dropbear-initramfs`.) Consult
+`/usr/share/doc/dropbear-initramfs/README.initramfs` from the dropbear-initramfs
+package for information how to install and configure the dropbear SSH server
+into the initramfs.
+
+ You can then unlock the disk remotely via SSH with
+
+ ssh -tF ~/.luks/ssh.conf root@remote.system.com cryptroot-unlock
+
+ Or, using a local gpg-encrypted key file:
+
+ gpg --decrypt ~/.luks/remote.key.gpg | ssh -TF ~/.luks/ssh.conf root@remote.system.com cryptroot-unlock
+
+ When its standard input is a TTY, `cryptroot-unlock` keeps prompting for
+passphrases until there are no more devices to unlock; otherwise you'll
+need to invoke it as many times as there are devices to unlock.
+
+ That's it. Now that all required encrypted devices are unlocked, the
+remote system should continue with the boot process.
+
+ You can also use the following authorized_keys(5) options in
+`/etc/dropbear-initramfs/authorized_keys` to restrict access and avoid
+users poking around:
+
+ no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa ...
+
+(Be sure to rebuild the initrd afterwards: `update-initramfs -u -k all`)
+
+
+9. Backup the LUKS header
+-------------------------
+
+ WARNING: This information might be outdated. Please read the cryptsetup FAQ
+at `/usr/share/doc/cryptsetup/FAQ.gz` for up-to-date information on how to
+backup the LUKS header.
+
+ The LUKS header is located at the beginning of every LUKS encrypted device.
+It stores information such as used cipher, hash, etc. But most importantly,
+the header contains eight keyslots, which do keep an encrypted version of the
+LUKS masterkey. the data on an encrypted LUKS partition is encrypted with this
+masterkey. thus, there's no way to restore the data once the masterkey is
+lost. For that reason, one might want to backup the LUKS header in order to
+prevent accidental data loss.
+
+ On the other hand keeping a backup of the LUKS header isn't recommended for
+security reasons. The reason is, that LUKS was designed with key revocation in
+mind. Once the LUKS header is copied to a backup, revoking a (possibly
+compromised) passphrase or keyfile from the keyslot isn't enough anymore. the
+revoked passphrase/keyfile can easily be reactived by writing back the header
+backup to the device.
+
+ Beginning with version 1.1.0, cryptsetup has support for the commands
+luksHeaderBackup and luksHeaderRestore. If you want to store a backup of your
+LUKS header with the mentioned drawbacks in mind, do the following:
+
+ Prepare a ramdisk to store the backup temporarely. You should do that in order
+to prevent any hardware caching functions or filesystem jounals to copy the
+backup around to places you cannot control. If you want to store the backup
+permanently, write it to a read-only medium like CD immediately from ramdisk,
+without your burning program writing an intermediate image to some temp dir.
+
+ To actually backup the header, use the following command:
+
+ cryptsetup luksHeaderBackup <luks-device> --header-backup-file <destination-on-ramdisk>
+
+ That's it. But once again, keep in mind all the security implications when
+doing LUKS header backups. In general it's better to backup the data from
+encrypted LUKS devices to another encrypted LUKS device. That way you can
+manage the keyslots for both original and backup device independently.
+
+
+10. Changing the boot order of cryptdisks init scripts
+-----------------------------------------------------
+
+ In order to support non-standard setups, it might be necessary to change the
+order of init scripts in the boot process. Cryptsetup already installs two
+init scripts, cryptdisks-early and cryptdisks, in order to support some complex
+setups. For example, both "lvm on luks" and "luks on lvm" are supported that
+way.
+
+ If your system isn't supported by the default order of init scripts in the
+boot process, you need to change the boot process on your own. In some cases
+it might be enough to change the LSB dependency headers at initscripts, see
+`/etc/init.d/README` for more information about that. For more complex setups,
+more intrusive changes are required. For example, adding a third cryptdisks
+init script might help. See the log of bugreport [#576646] and [discussion on
+debian-devel] for further information.
+
+[#576646]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576646
+[discussion on debian-devel]: https://lists.debian.org/debian-devel/2010/06/msg00021.html
+
+
+11. Unlocking LUKS devices from GRUB
+------------------------------------
+
+ GRUB has been able to unlock LUKS1 devices since early in Jessie's
+release cycle. This feature removes the need for a separate cleartext
+`/boot` partition, hence enables "real" full disk encryption. However
+cryptsetup >=2.1 uses LUKS version 2 by default, which GRUB 2.02 doesn't
+support. In other words, as of Buster it is not possible to unlock from
+GRUB new LUKS devices formatted with the default parameters.
+
+ Neither Jessie nor Stretch's installers natively support unlocking from
+GRUB, hence users already had to implement various workarounds to enable
+it. **Former workarounds won't work anymore with LUKS2**. Integration
+between LUKS and GRUB is documented at
+<https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html>,
+including recipes to enable the feature starting from the usual
+"encrypted LVM" partitioning method of the Debian Installer -- both with
+LUKS1 (pre-Buster) and LUKS2 (Buster and later) devices.
+
+
+12. Suspend LUKS devices on system suspend
+------------------------------------------
+
+ The 'cryptsetup-suspend' package brings support to suspend encrypted
+LUKS devices before the system goes to sleep (via ACPI S3 system suspend).
+In other words, the encryption keys for LUKS devices are removed
+automatically from system memory before system suspend. After system
+resume, LUKS devices will be unlocked again and the user may be asked
+to provide a passphrase if required.
+
+ See the cryptsetup-suspend(7) manpage for more information.
+
+
+13. Credits
+-----------
+
+ People who contributed to the Debian cryptsetup package:
+
+* Guilhem Moulin <guilhem@debian.org>
+* Jonas Meurer <jonas@freesources.org>
+* David Härdeman <david@hardeman.nu>
+* Bastian Kleineidam <calvin@debian.org>
+* Michael Gebetsroither <michael.geb@gmx.at>
+
+ -- Jonas Meurer <jonas@freesources.org>, Sun, 09 Jun 2019 15:01:09 +0200
diff --git a/debian/README.debug b/debian/README.debug
new file mode 100644
index 0000000..7a627bf
--- /dev/null
+++ b/debian/README.debug
@@ -0,0 +1,72 @@
+Debugging Cryptsetup issues
+===========================
+
+Cryptsetup is responsible for unlocking dm-crypt devices. The cryptsetup Debian
+provide a whole slew of helper scripts that integrate cryptsetup into the
+Debian operating system. The most important ones are the `cryptdisks` init
+script and the `cryptroot` initramfs scripts, both implementing support for the
+`/etc/crypttab` configuration file and for automatic unlocking of encrypted
+devices during the boot process.
+
+This page collects information on debugging different features of the Debian
+cryptsetup packages in case of problems.
+
+Debug cryptroot initramfs script
+--------------------------------
+
+In order to debug the cryptroot initramfs script during initramfs stage, the
+following steps are required:
+
+* Boot into the initramfs rescue shell by adding `break=premount` as kernel
+ option during boot
+
+ In grub, this can be done interactively from the grub boot menu: `<E>` to
+ edit, and `<Ctrl>+<X>` to boot once you've edited the kernel line.
+
+ See <https://help.ubuntu.com/community/Grub2/Troubleshooting#Editing_the_GRUB_2_Menu_During_Boot>
+ for details.
+
+* Append `-x` to the shebang (first line) of cryptroot initramfs script:
+
+ sed -i -e '1s,^#!/bin/sh,& -x,' /scripts/local-top/cryptroot
+
+* Run the cryptroot initramfs script manually, redirecting output to a log file:
+
+ /scripts/local-top/cryptroot 2>&1 | tee /run/initramfs/cryptroot.debug
+
+ **Please note:** if the boot process is broken, you might need to mount an
+ external storage device (e.g. a USB flash drive) inside the initramfs and
+ redirect the output to a log files on this external device.
+
+* Continue the boot process (by pressing `<Ctrl>+<D>`) and save a copy of the
+ debug log file to `/run/initramfs/cryptroot.debug`. The content of `/run/`
+ will be lost after reboot.
+
+Sometimes, debugging the initramfs directly can be helpful as well. See
+<https://wiki.debian.org/InitramfsDebug#Saving_debug_information> for details.
+
+Gather debugging information in the initramfs rescue shell
+----------------------------------------------------------
+
+Useful commands to gather information from initramfs rescue shell:
+
+* Check for device-mapper support (these directories/symlinks exist only if
+ kernel has device-mapper support):
+
+ ls -l /sys/class/misc/device-mapper /sys/devices/virtual/misc/device-mapper
+
+* Check whether dm-crypt kernel module is loaded:
+
+ lsmod | grep dm-crypt
+
+* Display cryptroot configuration and list loaded kernel modules:
+
+ cat /cryptroot/crypttab
+ lsmod
+
+* Gather information about the available block devices:
+
+ blkid
+ ls -l /dev/disk/by-*/
+
+ -- Jonas Meurer <jonas@freesources.org>, Wed 25 Dec 2019 02:58:00 PM CET
diff --git a/debian/README.gnupg b/debian/README.gnupg
new file mode 100644
index 0000000..837d151
--- /dev/null
+++ b/debian/README.gnupg
@@ -0,0 +1,42 @@
+Using GnuPG keys for LUKS dm-crypt devices in Debian
+====================================================
+
+The Debian cryptsetup package provides the keyscript `decrypt_gnupg` for
+setups with a GnuPG encrypted LUKS keyfile.
+
+The following example assumes that you store the encrypted keyfile in
+`/etc/keys/cryptkey.gpg`. LUKS device is `/dev/<luks_device>`.
+
+First, you'll have to create the encrypted keyfile:
+
+ dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
+ --no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
+ --trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg
+
+Next the LUKS device needs to be formated with the key. For that, the
+`decrypt_gnupg` keyscript can be used:
+
+ /lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \
+ cryptsetup --key-file=- luksFormat /dev/<luks_device>
+
+In order to unlock the encrypted LUKS device automatically during boot process,
+add the following to `/etc/crypttab`:
+
+ cdev1 /dev/<luks_device> /etc/keys/cryptkey.gpg luks,discard,keyscript=decrypt_gnupg
+
+
+Decrypting the keyfile at initramfs stage
+-----------------------------------------
+
+If the device is to be unlocked at initramfs stage (such as for the root FS or
+the resume device), the provided initramfs hooks should do all additionally
+required work for you when the initramfs is created or updated.
+
+Be warned though, that for such devices the GnuPG encrypted key is copied to
+the initramfs by the initramfs cryptgnupg hook. If you don't want this, you
+should take a look at the initramfs cryptgnupg hook, which is located at
+`/usr/share/initramfs-tools/hooks/cryptgnupg`.
+
+ -- Jonas Meurer <jonas@freesources.org> Thu, 04 Mar 2010 17:31:40 +0100
+
+ -- Guilhem Moulin <guilhem@guilhem.org> Sat, 17 Sep 2016 16:14:41 +0200
diff --git a/debian/README.gnupg-sc b/debian/README.gnupg-sc
new file mode 100644
index 0000000..edddfbd
--- /dev/null
+++ b/debian/README.gnupg-sc
@@ -0,0 +1,55 @@
+Using an OpenPGP smartcard for LUKS dm-crypt devices in Debian
+==============================================================
+
+The Debian cryptsetup package provides the keyscript `decrypt_gnupg-sc`
+for setups with a keyfile that is encrypted using an OpenPGP smartcard.
+
+The following example assumes that you store the encrypted keyfile in
+`/etc/keys/cryptkey.gpg`. LUKS device is `/dev/<luks_device>`.
+
+First, you'll have to create the keyfile and encrypt it with your key
+0xDEADBEEF:
+
+ dd if=/dev/random bs=1 count=256 | gpg --recipient 0xDEADBEEF \
+ --output /etc/keys/cryptkey.gpg --encrypt
+
+Next the LUKS device needs to be formated with the key. For that, the
+`decrypt_gnupg-sc` keyscript can be used:
+
+ /lib/cryptsetup/scripts/decrypt_gnupg-sc /etc/keys/cryptkey.gpg | \
+ cryptsetup --key-file=- luksFormat /dev/<luks_device>
+
+In order to unlock the encrypted LUKS device automatically during boot process,
+add the following to `/etc/crypttab`:
+
+ cdev1 /dev/<luks_device> /etc/keys/cryptkey.gpg luks,keyscript=decrypt_gnupg-sc
+
+In order to avoid data loss if the smartcard is damaged or lost, you may
+want to decrypt `/etc/keys/cryptkey.gpg` and store the plaintext in a safe
+place. Or alternatively, use another slot with your backup key:
+
+ cryptsetup luksAddKey /dev/<luks_device> /path/to/backup.key
+
+
+Decrypting the keyfile at initramfs stage
+-----------------------------------------
+
+If the device is to be unlocked at initramfs stage (such as for the root
+FS or the resume device), you need to copy the public part of the
+encryption key to `/etc/cryptsetup-initramfs/pubring.gpg`:
+
+ gpg --export 0xDEADBEEF >/etc/cryptsetup-initramfs/pubring.gpg
+
+Then the provided initramfs hooks should do all additionally required
+work for you when the initramfs is created or updated.
+
+Be warned though, that for such devices the OpenPGP encrypted key is copied
+to the initramfs by the initramfs cryptgnupg-sc hook. If you don't want this,
+you should take a look at the initramfs cryptgnupg-sc hook, which is located
+at `/usr/share/initramfs-tools/hooks/cryptgnupg-sc`.
+
+Moreover, note that unlocking at initramfs stage is currently not compatible
+with plymouth or other bootsplash, as a curses-based prompt is used for PIN
+entry.
+
+ -- Guilhem Moulin <guilhem@guilhem.org> Sun, 23 Sep 2018 03:28:31 +0200
diff --git a/debian/README.initramfs b/debian/README.initramfs
new file mode 100644
index 0000000..d85ae9c
--- /dev/null
+++ b/debian/README.initramfs
@@ -0,0 +1,280 @@
+Debian Cryptsetup Initramfs integration
+=======================================
+
+1. Introduction
+---------------
+
+Kernels more recent than 2.6.12 have dropped support for devfs, which
+means that initrd-tools can no longer be used to boot into an encrypted
+root partition. Instead, a similar functionality has been developed for
+use with an initramfs-image.
+
+
+2. A fresh installation
+-----------------------
+
+If you plan to perform a completely new installation of Debian onto a
+machine and to do so using an encrypted root partition, you might want
+to consider using a version of Debian Installer with partman-crypto
+(see https://wiki.debian.org/DebianInstaller/PartmanCrypto).
+
+The installation will then take care of all the details and perform the
+necessary configuration for you, meaning that you should not have to
+read the rest of this document to get a machine with an encrypted
+root filesystem up and running.
+
+However, if you are not planning to perform a new installation from scratch,
+the following information might be useful to you.
+
+
+3. Requirements
+---------------
+
+In order to boot from an encrypted root filesystem, you need an
+initramfs-image which includes the necessary kernel modules and scripts to
+setup the root device after the kernel has been initialized, but before the
+rest of the operating system is booted.
+
+To do so, you need two partitions:
+* an unencrypted `/boot` partition
+* an encrypted `/` partition
+
+In addition, you need to have both initramfs-tools and busybox installed.
+
+NOTE: You should make sure that your swap partition is either encrypted, or
+that you are using a swap file on an encrypted partition, as crypto keys and
+other sensitive information might otherwise be written out to the swap
+partition in unencrypted form.
+
+
+4. Setup (regular dm-crypt)
+---------------------------
+
+First of all, you must edit `/etc/crypttab` and add a line describing your
+root device, for example:
+
+ cryptroot /dev/sda2 none cipher=aes-xts-plain64,size=256,hash=sha1
+
+This will allow cryptsetup to create `/dev/mapper/cryptroot` from the
+encrypted partition `/dev/sda2` during boot.
+
+In addition, you must also make sure that the root device is listed in
+`/etc/fstab`, for example:
+
+ /dev/mapper/cryptroot / ext4 defaults 0 1
+
+This will allow the initramfs support scripts to know which of the devices
+in the crypttab that is the root device.
+
+After doing these changes, you should regenerate the initramfs by running
+`update-initramfs -u`, then make sure that your boot loader is configured
+to feed the initramfs to the kernel when booting. The kernel root argument
+should also be changed to `/dev/mapper/cryptroot`.
+
+Now, reboot the machine, and if everything is correctly configured, you
+should be given a prompt to type in the passphrase for the encrypted
+root partition before the boot can continue.
+
+NOTE: In order to ensure that the crypto setup works in a consistent
+manner, you should make sure that the hash function is specified in the
+/etc/crypttab file if you are using regular dm-crypt (with LUKS the hash
+function to use is stored in the LUKS header).
+
+
+5. Setup (using LUKS)
+---------------------
+
+If you are using the LUKS feature of cryptsetup, the above setup recipe should
+still apply, but since most options can be derived from the information stored
+in the LUKS header on-disk, the line to add to `/etc/crypttab` should look
+something like this:
+
+ cryptroot /dev/sda2 none luks,discard
+
+
+6. Exotic key types
+-------------------
+
+The above examples assume that you use a regular passphrase as the key to the
+encrypted filesystem. However, if you wish to make use of more complex setups
+(such as root-key-on-usb-memory), you can create a script which does all the
+steps necessary to retrieve the key and then prints it to stdout.
+
+Then add a `keyscript=/path/to/your/script.sh` to the options (fourth column)
+in the above mentioned `/etc/crypttab` line, so that it looks something like
+this:
+
+ cryptroot /dev/sda2 none luks,discard,keyscript=/usr/local/sbin/cryptkey
+
+Next, regenerate your initramfs image. This will copy the script into the
+initramfs image under the `/lib/cryptsetup/keyscripts/` directory.
+
+NOTE: there is a limited set of tools available when the script is executing
+as part of the initramfs bootup, you have to make sure that you do not use
+any tools which are not available or your script, and therefore boot, will
+fail.
+
+
+7. "cryptopts" boot argument
+----------------------------
+
+In general, you should use the above approach with a line describing your
+root partition in `/etc/crypttab` and `/etc/fstab`. However, if for some
+reason you wish to override the settings that are derived from these files
+and stored in the initramfs image, you can use the "cryptopts" boot argument
+(this *only* works for the root partition).
+
+The format of cryptopts is:
+
+ cryptopts=<opt1>[=<value1>],<opt2>[=<value2>]...
+
+Beside options from the 4th field of /etc/crypttab, the options
+`target`, `source` and `key` are also supported: they respectively
+correspond to the first, second and third field of /etc/crypttab.
+Consult the crypttab manual page for further details.
+
+Several `cryptopts` boot arguments can also be specified in case more than
+one mapping needs to be setup in the initramfs stage of the boot.
+
+Example boot arguments:
+
+ root=/dev/mapper/crypt0 cryptopts=target=crypt0,source=/dev/sda1,cipher=aes-xts-plain64,size=256,hash=sha1
+
+In particular, if all `cryptopts` boot arguments have an empty value
+then no mapping is setup. This can be used to disable the cryptsetup
+initramfs scripts for a particular boot.
+
+8. Resume device support
+------------------------
+
+The initramfs scripts will also try to automatically determine the devices,
+if any, that are used for software suspend (swsusp, suspend2 or uswsusp) and
+to set them up during the initramfs stage in order to allow suspend and resume
+in combination with encryption to keep the resume image safe from potential
+attackers.
+
+If your resume device and your root partition use two different cryptsetup
+mappings, you might want to use the `decrypt_derived` keyscript as described
+below.
+
+9. The `decrypt_derived` keyscript
+----------------------------------
+
+Assume that you have two entries in `/etc/crypttab`:
+
+ cryptroot /dev/sda1 none luks,discard
+ cryptswap /dev/sda2 none luks
+
+If cryptswap is used as your suspend/resume device, you'd normally need to
+enter two different passphrases during the boot, but the `decrypt_derived`
+script can generate the key for the second mapping using a hash of the key
+for the first mapping.
+
+In short, you'll need to do something like the following to take advantage
+of the decrypt_derived script:
+
+1. `swapoff -a`
+2. `cryptsetup luksClose cryptswap`
+3. edit `/etc/crypttab` and change the cryptswap line to e.g.:
+ `cryptswap /dev/sda2 cryptroot cipher=aes-xts-plain65,size=256,hash=sha1,keyscript=decrypt_derived,swap`
+4. `cryptdisks_start cryptswap`
+5. Make sure that `/dev/mapper/cryptswap` has been created
+6. `swapon -a`
+7. (optional) `update-initramfs -u`
+
+After you've followed the above steps, your swap device should be setup
+automatically after the root device has been setup during the boot stage.
+
+WARNING: If you use the decrypt_derived keyscript for devices with persistent
+data (i.e. not swap or temp devices), then you will lose access to that data
+permanently if something damages the LUKS header of the LUKS device you derive
+from. The same applies if you luksFormat the device, even if you use the same
+passphrase(s). A LUKS header backup, or better a backup of the data on the
+derived device may be a good idea. See the Cryptsetup FAQ on how to do this
+right.
+
+Note: The decrypt_derived keyscript won't work when the volume key of the
+device being derived from is offloaded to the kernel keyring service (thus not
+readable by userspace). That behavior is the default for LUKS2 devices (unless
+opened with the `--disable-keyring` option) since Linux 4.10. For such devices,
+an alternative is to use the same passphrase and unlock the source device using
+the `decrypt_keyctl` keyscript.
+
+Note: If you don't use suspend device support, it's better to use completely
+random keys for your encrypted swap device. See the section '2. Encrypted
+swap partition(s)' in `/usr/share/doc/cryptsetup/README.Debian.gz` for
+information on how to setup this.
+
+10. The `passdev` keyscript
+----------------------------
+
+If you have a keyfile on a removable device (e.g. a USB-key), you can use the
+passdev keyscript. It will wait for the device to appear, mount it read-only,
+read the key and then unmount the device.
+
+The `key` part of `/etc/crypttab` will be interpreted as `<device>:<path>[:<timeout>]`,
+it is strongly recommended that you use one of the persistent device names from
+`/dev/disk/*`, e.g. `/dev/disk/by-label/myusbkey`.
+
+This is an example of a suitable line in cryptsetup:
+
+ cryptroot /dev/sda2 /dev/disk/by-label/myusbkey:/keys/root.key discard,cipher=aes-xts-plain64,size=256,hash=sha1,keyscript=passdev
+
+The above line would cause the boot to pause until `/dev/disk/by-label/myusbkey`
+appears in the fs, then mount that device and use the file `/keys/root.key`
+on the device as the key (without any hashing) as the key for the fs.
+
+The timeout option has to be in seconds.
+
+If any modules are required in order to mount the filesystem on the removable
+device, then initramfs-tools needs to be configured to add these modules to
+the initramfs. This can be done by listing the required modules in
+`/etc/initramfs-tools/modules`.
+
+11. Limitation: renaming of target name for encrypted root device
+-----------------------------------------------------------------
+
+As spotted by Adam Lee in bug report [#671037], it's not possible to simply
+rename the target name for encrypted root devices. It breaks the initramfs
+creation process. The bug report submitter found a solution to work around
+this limitation:
+
+0. enter another system (like livecd)
+1. open luks device with the new name, change the target name to the new one
+2. chroot into it (now, the current target name is the same as it in conf)
+3. `update-initramfs -u`
+4. reboot
+
+[#671037]: https://bugs.debian.org/671037
+
+12. Storing keyfiles directly in the initrd
+-------------------------------------------
+
+Normally devices using a keyfile are ignored (with a loud warning), and
+the key file itself is not included in the initrd, because the initramfs
+image typically lives on an unencrypted `/boot` partition. However in
+some cases it is desirable to include the key file in the initrd; for
+instance recent versions of GRUB support booting from encrypted block
+devices, allowing an encrypted `/boot` partition.
+
+Among the key files listed in the crypttab(5), those matching the value
+of the environment variable KEYFILE_PATTERN (interpreted as a shell
+pattern) will be included in the initramfs image. For instance if
+`/etc/crypttab` lists two key files `/etc/keys/{root,swap}.key`, you can
+add the following to `/etc/cryptsetup-initramfs/conf-hook` to add them to
+the initrd.
+
+ KEYFILE_PATTERN="/etc/keys/*.key"
+
+Furthermore if the initramfs image is to include private key material,
+you'll want to create it with a restrictive umask in order to keep
+non-privileged users at bay. This can be achieved by adding the
+following to `/etc/initramfs-tools/initramfs.conf`.
+
+ UMASK=0077
+
+ -- David Härdeman <david@hardeman.nu>
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 01 Nov 2012 13:44:31 +0100
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 09 Dec 2015 04:53:41 +0100
diff --git a/debian/README.keyctl b/debian/README.keyctl
new file mode 100644
index 0000000..6585c8b
--- /dev/null
+++ b/debian/README.keyctl
@@ -0,0 +1,106 @@
+decrypt_keyctl
+==============
+
+A passphrase caching script to be used in `/etc/crypttab` on Debian and Ubuntu.
+When there are multiple cryptsetup (either plain or LUKS) volumes with the same
+passphrase, it is an unnecessary task to input the passphrase more than once.
+
+Just add this script as keyscript to your `/etc/crypttab` and it will cache the
+passphrase of all crypttab entries with the same identifier.
+
+Either copy decrypt_keyctl into the default search path for keyscripts from
+cryptsetup /lib/cryptdisks/scripts/. So you can just write
+`keyscript=decrypt_keyctl` in `/etc/crypttab`, or use a random path of your
+choice and give the full path e.g `keyscript=/sbin/decrypt_keyctl`.
+
+
+Requirements
+------------
+
+* Debian cryptsetup package with `/etc/crypttab` handling and keyscript option
+ * Tested with Debian Lenny, Squeeze and Sid
+* Installed and working keyutils package (`keyctl`)
+ * Needs `CONFIG_KEYS=y` in your kernel configuration
+
+What For?
+---------
+
+In old (pre 2.6.38) kernels, dm-crypt used to be single threaded. Thus every
+dm-crypt mapping only used a single core for crypto operations. To use the full
+power of your many-core processor it is was necessary to split the dm-crypt
+device. For Linux software raid arrays the easiest segmentation was to just put
+the dm-crypt layer below the software raid layer.
+
+But with a 5 disk raid5 it is a rather daunting task to input the passphrase
+five times. This is what this keyscripts solve for you.
+
+Usage
+-----
+
+Best shown by example:
+
+* 5 disks
+* Linux software raid5
+
+Layer:
+
+ sda sdb sdc ... sde
+ +-----------+ +-----------+
+ | LUKS | | LUKS |
+ | +-------+ | | +-------+ |
+ | | RAID5 | | | | RAID5 | |
+ | | ... | | | | ... | |
+
+Crypttab Entries:
+
+ <target> <source> <keyfile> <options>
+ sda_crypt /dev/sda2 main_data_raid luks,discard,keyscript=decrypt_keyctl
+ sdb_crypt /dev/sdb2 main_data_raid luks,discard,keyscript=decrypt_keyctl
+ ...
+ sde_crypt /dev/sde2 main_data_raid luks,discard,keyscript=decrypt_keyctl
+
+
+How does it work
+----------------
+
+Crypttab Interface:
+
+A keyscript is added to options including a keyfile definition as third
+parameter in the crypttab file. The keyscript is called with the keyfile as the
+first and only parameter. Additionally there are a few environment variables
+set but currently are not used by this keyscript (man 5 crypttab for exact
+description).
+
+Keyscript:
+
+`decrypt_keyctl` uses the Linux kernel keyring facility to securely cache
+passphrases between multiple invocations.
+The keyfile parameter from crypttab is used to find the same passphrase
+between multiple invocations. The term used to described the key in the user
+keyring is `cryptsetup:$CRYPTTAB_KEY`, unless `$CRYPTTAB_KEY` is empty
+or has the special value `none`, in which case the description is merely
+`cryptsetup` (thus allowing compatibility with other tools like gdm and
+systemd-ask-password(1).)
+
+Currently the cache timeout is 60 seconds and not configurable (please report a
+bug if it is too low for you).
+
+
+Problems
+--------
+
+Passphrase is piped between processes and could end up in unsecured memory,
+thus later swapped to disk! => Use of cryptoswap recommend!
+
+
+Hints
+-----
+
+To remove all traces of this keyscript you may want to cleanup the keyring
+completely with the following command afterwards:
+
+ sudo keyctl clear @u
+
+ -- Jonas Meurer <jonas@freesources.org> Mon, 27 Sep 2010 14:01:35 +0000
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 25 Dec 2018 01:12:24 +0100
diff --git a/debian/README.opensc b/debian/README.opensc
new file mode 100644
index 0000000..b8212b4
--- /dev/null
+++ b/debian/README.opensc
@@ -0,0 +1,124 @@
+opensc/pcscd with cryptsetup and LUKS on Debian
+===============================================
+
+This is an overview on how you can make use of cryptsetup with your
+smartcard device supported by opensc/pcscd.
+
+I assume that you already have an initialized smartcard with a RSA key
+that has the proper X509 properties for encryption set. To generate such
+a key in hardware on the smartcard you should execute the following
+command:
+
+ pkcs15-init -G rsa/2048 -a [PIN id] -u sign,decrypt
+
+If your smart card doesn't support 2048 bit RSA just change the argument
+to the largest size possible.
+
+The decrypt_opensc keyscript decrypts an encrypted key in your boot
+partition with the private key on your smartcard. Therefore you have to
+create a key for the partition that is to be decrypted using the
+smartcard. As pkcs15-crypt does not seem to support PKCS1 padding, the
+key is required to have the same size as your RSA key. For a 2048 bit
+key use the following (the byte count is 256 as 2048/8 is 256):
+
+ dd if=/dev/random of=/boot/keys/key bs=1 count=256
+
+Now the key is added to the LUKS partition:
+
+ cryptsetup luksAddKey /dev/sdXn /boot/keys/key
+
+Enter an already existing pass phrase and watch cryptsetup doing its
+job. As we don't want the key in clear on the hard drive, we are going
+to encrypt it with the public key to the key on the smartcard.
+Read the public key first:
+
+ pkcs15-tool --read-public-key [key id] -o pubkey
+
+Then encrypt the random data with the extracted key, destroy the
+plain text one and remove your public key from the hard drive (it isn't
+necessary to shred it as a potential attacker can't use your public key
+for anything).
+
+ openssl rsautl -in /boot/keys/key -inkey pubkey -pubin -raw \
+ -encrypt -out /boot/keys/root
+ shred -u /boot/keys/key
+ rm -rf pubkey
+
+Now you'll have to edit `/etc/crypttab`. The format should be familiar but
+I'll state it here again:
+
+ name device /boot/keys/root luks,discard,keyscript=decrypt_opensc
+
+The modules needed by the reader should now be added to
+`/etc/initramfs-tools/modules`, so they are loaded on boot time. For
+example yenta_socket, pcmcia, pcmcia_core, serial_cs, rsrc_nonstatic for
+PCMCIA card readers.
+
+In a perfect world you would just rebuild the initramfs now and it would
+work. Unfortunately there are some additional issues to address. The
+most important one is pcscd. Newer versions of pcscd use HAL and dbus to
+detect readers. As most people (including me) aren't too enthusiastic
+about adding these two daemons to the initramfs, we will rebuild the
+daemon to use the traditional polling method with libusb. Again, this
+step is only necessary if your reader uses pcscd (for example the
+Gemalto PC Card readers).
+
+To do this, download the ccid and pcsc-lite packages from
+https://pcsc-lite.alioth.debian.org/
+
+Install the libusb header files, extract the tarballs and build pcscd
+with the following commands:
+
+ apt-get install libusb-dev
+ ./configure --disable-libhal --enable-libusb
+ make
+ make install
+
+Now go to the ccid directory and execute these commands (the option is
+only need if you use the libccidtwin.so to access your reader:
+
+ ./configure [--enable-twinserial]
+ make
+ make install
+
+This installs the new pcscd and it's libraries in `/usr/local/`. To
+reflect the new situation we have to change the initramfs scripts.
+Edit /etc/reader.conf to instruct `pcscd` to use the new libraries (they
+should be in `/usr/local/pcsc/drivers/`) instead of the ones from the Debian
+package. Replace everything after line 45 in
+`/usr/share/initramfs-tools/hooks/cryptopensc` with the following chunk:
+
+ for dir in etc/opensc usr/local/pcsc var/run tmp ; do
+ if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi
+ done
+
+ # Install pcscd daemon, drivers, conf file
+ copy_exec /usr/local/sbin/pcscd
+ cp -r /usr/local/pcsc ${DESTDIR}/usr/local
+ cp /etc/reader.conf ${DESTDIR}/etc
+ cp -r /usr/local/lib ${DESTDIR}/usr/local
+ # Install opensc commands and conf file
+ copy_exec /usr/bin/opensc-tool
+ copy_exec /usr/bin/pkcs15-crypt
+ cp /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc
+
+Edit `/usr/share/initramfs-tools/scripts/local-bottom/cryptopensc` and
+`/usr/share/initramfs-tools/scripts/local-top/cryptopensc` to use the new
+binary in `/usr/local/sbin/pcscd` instead of `/usr/sbin/pcscd` and change
+the path in the existence test to:
+
+ if [ ! -x /usr/local/sbin/pcscd ]; then
+ exit 0
+ fi
+
+If you have completed all the steps up to now, you can update your
+initramfs image with:
+
+ update-initramfs -u -k `uname -r`
+
+and reboot your machine. This leaves a backup of your old initramfs in
+the boot partition if something doesn't work. If you have to debug your
+initramfs during boot just append the `break=mount` option to the kernel
+to have a debug shell just before the root partition would be mounted.
+
+ -- Benjamin Kiessling <benjaminkiessling@bttec.org>, Sun, 26 Jul 2009
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..f641e46
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,40 @@
+General maintenance
+
+ This package is maintained in Git via the Alioth pkg-cryptsetup project.
+ Alioth is used only for repository access control and mailinglist hosting,
+ not for any of its other features.
+
+ This package uses the "3.0 (quilt)" source format.
+
+Importing a new upstream release
+
+ Since upstream release 1.7.2, we use cryptographically signed Git release
+ tags as basis for the Debian cryptsetup package.
+
+ To import a new upstream release into our packaging repository, do the
+ following:
+
+ 0. Ensure that you have the cryptsetup upstream Git repository available
+ as a remote in the Git repository where you're doing the packaging
+ work:
+
+ git remote add upstream https://gitlab.com/cryptsetup/cryptsetup.git
+
+ 1. Merge the newest upstream release tag (pass --upstream-version=$VERSION
+ if you want a specific upstream version) into the 'debian/latest'
+ branch of your packaging repository:
+
+ gbp import-orig --uscan
+
+ That commands does all the magic, namely
+ - updating the `upstream` remote,
+ - verifying the cryptographic signature on the upstream tag 'v$VERSION',
+ - creating a new tag 'upstream/$VERSION' with 'v$VERSION' as additional parent, and
+ - merging 'upstream/$VERSION' into 'debian/latest'
+
+ N. After development and testing, the final packages to be uploaded to
+ Debian are built and tagged in the repository as follows:
+
+ gbp buildpackage --git-tag
+
+ -- Jonas Meurer <jonas@freesources.org> Fri, 15 Jun 2018 13:39:49 +0200
diff --git a/debian/TODO.md b/debian/TODO.md
new file mode 100644
index 0000000..8958ec2
--- /dev/null
+++ b/debian/TODO.md
@@ -0,0 +1,47 @@
+# TODO list
+
+* luks nuke feature
+ * https://www.kali.org/tutorials/nuke-kali-linux-luks/
+ * https://pkg.kali.org/pkg/cryptsetup
+ * https://github.com/offensive-security/cryptsetup-nuke-keys
+ * TODO:
+ * review and improve original patch to address upstream's concerns
+ * http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/7184
+ * patch luks2 functions to support it as well
+ * documentation in manpage (and README.Debian?)
+ * bash completion
+
+* systemd integration and future of cryptscripts
+ * patch cryptsetup.c in systemd to support cryptscripts?
+ * try the patches
+ * https://github.com/systemd/systemd/pull/3007#pullrequestreview-39358162
+ * https://lists.freedesktop.org/archives/systemd-devel/2012-June/005693.html
+ * or completely remove cryptscripts feature from cryptsetup in Debian?
+
+* ephemeral swap encryption
+
+* improve test suite
+
+* cryptroot hook script:
+ - We should add parent device detection for ZFS (#820888) so users
+ don't have to manually add the 'initramfs' option to the crypttab.
+
+
+## Old list
+
+* Would a fallback make sense? like when using any keyscript, try passphrase
+ in the case that it fails. if we implement that at all, never make it the
+ default, and warn about security issues in README.Debian. even explain that
+ backup passphrase keyslots thwart the extra security of keyfiles/keyscripts.
+ (#438481, #471729)
+
+* Implement something like 'ignore-if-no-device' to mount (/etc/fstab), and
+ thus support several situations where cryptsetup fails to setup a device:
+ -> the device is not attached at all
+ -> wrong passphrase/no keyfile available
+ -> timeouts arise
+ (#474120)
+ * seems like the fstab flag alread does exists: nofail. so reimplement
+ timeout?
+
+* Reimplement timeout support in a cleaner way?
diff --git a/debian/askpass.c b/debian/askpass.c
new file mode 100644
index 0000000..07826de
--- /dev/null
+++ b/debian/askpass.c
@@ -0,0 +1,573 @@
+/*
+ * askpass.c - prompts a user for a passphrase using any suitable method
+ * and prints the result to stdout.
+ *
+ * Copyright (C) 2008 David Härdeman <david@hardeman.nu>
+ *
+ * This package is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This package is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this package; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+
+#define _GNU_SOURCE
+#define _DEFAULT_SOURCE
+#define _POSIX_C_SOURCE 1
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <string.h>
+#include <termios.h>
+#include <sys/klog.h>
+#include <sys/select.h>
+#include <sys/ioctl.h>
+#include <signal.h>
+#include <sys/un.h>
+
+#define DEBUG 0
+
+#define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0]))
+
+static bool disable_method(const char *method);
+
+/*****************************************************************************
+ * Utility functions *
+ *****************************************************************************/
+static void
+debug(const char *fmt, ...)
+{
+ va_list ap;
+ static bool first = true;
+ static FILE *dbgfile;
+
+ if (!DEBUG)
+ return;
+
+ if (first) {
+ first = false;
+ dbgfile = fopen("/tmp/askpass.debug", "a");
+ }
+
+ if (!dbgfile)
+ return;
+
+ va_start(ap, fmt);
+ vfprintf(dbgfile, fmt, ap);
+ va_end(ap);
+}
+
+static void
+usage(const char *arg0, const char *errmsg)
+{
+ if (errmsg)
+ fprintf(stderr, "Error: %s\nUsage: %s PROMPT\n", errmsg, arg0);
+ else
+ fprintf(stderr, "Usage: %s PROMPT\n", arg0);
+ exit(EXIT_FAILURE);
+}
+
+static void
+fifo_common_finish(int fd, char **buf, size_t *used, size_t *size)
+{
+ if (fd >= 0)
+ close(fd);
+
+ if (!*buf)
+ return;
+
+ memset(*buf, '\0', *size);
+ free(*buf);
+ *buf = NULL;
+ *used = 0;
+ *size = 0;
+}
+
+static bool
+fifo_common_read(int fd, char **buf, size_t *used, size_t *size)
+{
+ ssize_t result;
+
+again:
+ if ((*size - *used) == 0) {
+ *size += 4096;
+ *buf = realloc(*buf, *size);
+ if (!*buf) {
+ *size = 0;
+ *used = 0;
+ debug("Failed to allocate memory for passphrase\n");
+ return false;
+ }
+ }
+
+reread:
+ result = read(fd, *buf + *used, *size - *used);
+
+ if (result < 0) {
+ if (errno == EAGAIN)
+ return false;
+ if (errno == EINTR)
+ goto reread;
+ debug("Error when reading from fifo\n");
+ return false;
+ }
+
+ debug("Read %i bytes from fifo\n", (int)result);
+ *used += result;
+
+ if (result == 0)
+ return true;
+
+ goto again;
+}
+
+/*****************************************************************************
+ * systemd functions *
+ *****************************************************************************/
+
+#define SYSTEMD_ASKPASS "/bin/systemd-ask-password"
+static pid_t systemdpid;
+static size_t systemdused = 0;
+static size_t systemdsize = 0;
+static char *systemdbuf = NULL;
+
+static int
+systemd_prepare(const char *prompt)
+{
+ struct stat a, b;
+ int pipefds[2];
+
+ /* is systemd running? */
+ if (lstat("/sys/fs/cgroup", &a) < 0)
+ return -1;
+ if (lstat("/sys/fs/cgroup/systemd", &b) < 0)
+ return -1;
+ if (a.st_dev == b.st_dev)
+ return -1;
+
+ if (access(SYSTEMD_ASKPASS, X_OK))
+ return -1;
+
+ if (pipe(pipefds))
+ return -1;
+
+ systemdpid = fork();
+ if (systemdpid < 0) {
+ close(pipefds[0]);
+ close(pipefds[1]);
+ return -1;
+ }
+
+ if (systemdpid == 0) {
+ close(pipefds[0]);
+ if (dup2(pipefds[1], STDOUT_FILENO) < 0)
+ exit(EXIT_FAILURE);
+ execl(SYSTEMD_ASKPASS, SYSTEMD_ASKPASS,
+ "--timeout=0", prompt, (char*)NULL);
+ exit(EXIT_FAILURE);
+ }
+
+ close(pipefds[1]);
+ return pipefds[0];
+}
+
+static bool
+systemd_read(int fd, char **buf, size_t *size)
+{
+ debug("In systemd_read\n");
+ if (fifo_common_read(fd, &systemdbuf, &systemdused, &systemdsize)) {
+ /* systemd likes to include the terminating newline */
+ if (systemdused >= 1 && systemdbuf[systemdused - 1] == '\n') {
+ systemdbuf[systemdused - 1] = '\0';
+ systemdused--;
+ }
+ *buf = systemdbuf;
+ *size = systemdused;
+ return true;
+ }
+
+ return false;
+}
+
+static void
+systemd_finish(int fd)
+{
+ kill(systemdpid, SIGTERM);
+ fifo_common_finish(fd, &systemdbuf, &systemdused, &systemdsize);
+}
+
+/*****************************************************************************
+ * plymouth functions *
+ *****************************************************************************/
+
+#define PLYMOUTH_PATH "/bin/plymouth"
+static pid_t plymouthpid;
+static size_t plymouthused = 0;
+static size_t plymouthsize = 0;
+static char *plymouthbuf = NULL;
+
+static int
+plymouth_prepare(const char *prompt)
+{
+ int pipefds[2];
+
+ if (access(PLYMOUTH_PATH, X_OK))
+ return -1;
+
+ if (system(PLYMOUTH_PATH" --ping"))
+ return -1;
+
+ /* Plymouth will add a ':' if it is a non-graphical prompt */
+ char *prompt2 = strdup(prompt);
+ int len = strlen(prompt2);
+ if (len > 1 && prompt2[len-2] == ':' && prompt2[len - 1] == ' ')
+ prompt2[len - 2] = '\0';
+ else if (len > 0 && prompt2[len - 1] == ':')
+ prompt2[len - 1] = '\0';
+
+ if (pipe(pipefds))
+ return -1;
+
+ plymouthpid = fork();
+ if (plymouthpid < 0) {
+ close(pipefds[0]);
+ close(pipefds[1]);
+ return -1;
+ }
+
+ if (plymouthpid == 0) {
+ close(pipefds[0]);
+ if (dup2(pipefds[1], STDOUT_FILENO) < 0)
+ exit(EXIT_FAILURE);
+ execl(PLYMOUTH_PATH, PLYMOUTH_PATH,
+ "ask-for-password", "--prompt", prompt2, (char*)NULL);
+ exit(EXIT_FAILURE);
+ }
+ free(prompt2);
+
+ close(pipefds[1]);
+ return pipefds[0];
+}
+
+static bool
+plymouth_read(int fd, char **buf, size_t *size)
+{
+ debug("In plymouth_read\n");
+ if (fifo_common_read(fd, &plymouthbuf, &plymouthused, &plymouthsize)) {
+ *buf = plymouthbuf;
+ *size = plymouthused;
+ return true;
+ }
+
+ return false;
+}
+
+static void
+plymouth_finish(int fd)
+{
+ kill(plymouthpid, SIGKILL);
+ fifo_common_finish(fd, &plymouthbuf, &plymouthused, &plymouthsize);
+}
+
+/*****************************************************************************
+ * fifo functions *
+ *****************************************************************************/
+#define FIFO_PATH "/lib/cryptsetup/passfifo"
+static size_t fifoused = 0;
+static size_t fifosize = 0;
+static char *fifobuf = NULL;
+
+static void
+fifo_finish(int fd)
+{
+ fifo_common_finish(fd, &fifobuf, &fifoused, &fifosize);
+}
+
+static bool
+fifo_read(int fd, char **buf, size_t *size)
+{
+ debug("In fifo_read\n");
+ if (fifo_common_read(fd, &fifobuf, &fifoused, &fifosize)) {
+ *buf = fifobuf;
+ *size = fifoused;
+ return true;
+ }
+
+ return false;
+}
+
+static int
+fifo_prepare(const char *prompt)
+{
+ int ret;
+
+ ret = mkfifo(FIFO_PATH, 0600);
+ if (ret && errno != EEXIST)
+ return -1;
+
+ return open(FIFO_PATH, O_RDONLY | O_NONBLOCK);
+}
+
+/*****************************************************************************
+ * console functions *
+ *****************************************************************************/
+#define CONSOLE_PATH "/dev/console"
+static struct termios term_old;
+static bool term_set = false;
+static char *consolebuf = NULL;
+static size_t consolebuflen = 0;
+
+static void
+console_finish(int fd)
+{
+ if (consolebuf) {
+ memset(consolebuf, '\0', consolebuflen);
+ free(consolebuf);
+ consolebuf = NULL;
+ consolebuflen = 0;
+ }
+
+ if (!term_set || fd < 0)
+ return;
+
+ term_set = false;
+ tcsetattr(fd, TCSAFLUSH, &term_old);
+ fprintf(stderr, "\n");
+ klogctl(7, NULL, 0);
+}
+
+bool
+console_read(int fd, char **buf, size_t *size)
+{
+ ssize_t nread;
+
+ /* Console is in ICANON mode so we'll get entire lines */
+ nread = getline(&consolebuf, &consolebuflen, stdin);
+
+ if (nread < 0) {
+ clearerr(stdin);
+ return false;
+ }
+
+ /* Strip trailing newline, if any */
+ if (nread > 0 && consolebuf[nread - 1] == '\n') {
+ nread--;
+ consolebuf[nread] = '\0';
+ }
+
+ *size = nread;
+ *buf = consolebuf;
+
+ return true;
+}
+
+static int
+console_prepare(const char *prompt)
+{
+ struct termios term_new;
+ const char *prompt_ptr = prompt;
+ char *newline = NULL;
+
+ if (!isatty(STDIN_FILENO)) {
+ if (access(CONSOLE_PATH, R_OK | W_OK)) {
+ debug("No access to console device " CONSOLE_PATH "\n");
+ return -1;
+ }
+
+ if (!freopen(CONSOLE_PATH, "r", stdin) ||
+ !freopen(CONSOLE_PATH, "a", stdout) ||
+ !freopen(CONSOLE_PATH, "a", stderr) ||
+ !isatty(STDIN_FILENO)) {
+ debug("Failed to open console\n");
+ return -1;
+ }
+ }
+
+ if (tcgetattr(STDIN_FILENO, &term_old)) {
+ debug("Failed to get terminal settings\n");
+ return -1;
+ }
+
+ term_new = term_old;
+ term_new.c_lflag &= ~ECHO;
+ term_new.c_lflag |= ICANON;
+
+ if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_new)) {
+ debug("Failed to disable echoing\n");
+ return -1;
+ }
+
+ /* handle any non-literal embedded newlines in prompt */
+ while ( (newline = strstr(prompt_ptr,"\\n")) != NULL ) {
+ /* Calculate length of string leading up to newline. */
+ int line_len = newline - prompt_ptr;
+
+ /* Force trimming of prompt to location of newline. */
+ if (fwrite(prompt_ptr, line_len, 1, stderr) < 1 ||
+ fwrite("\n", 1, 1, stderr) < 1) {
+ debug("Failed to print prompt\n");
+ tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old);
+ return -1;
+ }
+
+ /* Skip over newline. */
+ prompt_ptr = newline + 2;
+ }
+ if (fputs(prompt_ptr, stderr) < 0) {
+ debug("Failed to print prompt\n");
+ tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old);
+ return -1;
+ }
+
+ /* Disable printk to console */
+ klogctl(6, NULL, 0);
+ term_set = true;
+ return STDIN_FILENO;
+}
+
+/*****************************************************************************
+ * main functions *
+ *****************************************************************************/
+
+struct method {
+ const char *name;
+ int (*prepare)(const char *prompt);
+ bool (*read)(int fd, char **buf, size_t *size);
+ void (*finish)(int fd);
+ bool no_more;
+ bool active;
+ bool enabled;
+ int fd;
+};
+
+static struct method methods[] = {
+ { "systemd", systemd_prepare, systemd_read, systemd_finish, true, false, true, -1 },
+ { "fifo", fifo_prepare, fifo_read, fifo_finish, false, false, true, -1 },
+ { "plymouth", plymouth_prepare, plymouth_read, plymouth_finish, true, false, true, -1 },
+ { "console", console_prepare, console_read, console_finish, false, false, true, -1 }
+};
+
+static bool
+disable_method(const char *method)
+{
+ int i;
+ bool result = false;
+
+ debug("Disabling method %s\n", method ? method : "ALL");
+
+ for (i = 0; i < ARRAY_SIZE(methods); i++) {
+ /* A NULL method means all methods should be disabled */
+ if (method && strcmp(methods[i].name, method))
+ continue;
+ if (!methods[i].enabled)
+ continue;
+ if (methods[i].active)
+ methods[i].finish(methods[i].fd);
+
+ methods[i].active = false;
+ methods[i].fd = -1;
+ methods[i].enabled = false;
+ result = true;
+ }
+
+ return result;
+}
+
+int
+main(int argc, char **argv, char **envp)
+{
+ char *pass = NULL;
+ size_t passlen = 0;
+ int i;
+ int nfds;
+ fd_set fds;
+ int ret;
+ bool done = false;
+ sigset_t sigset;
+
+ if (argc != 2)
+ usage(argv[0], "incorrect number of arguments");
+
+ sigfillset(&sigset);
+ sigprocmask(SIG_BLOCK, &sigset, NULL);
+
+ for (i = 0; i < ARRAY_SIZE(methods); i++) {
+ if (!methods[i].enabled)
+ continue;
+ debug("Enabling method %s\n", methods[i].name);
+ methods[i].fd = methods[i].prepare(argv[1]);
+ if (methods[i].fd < 0) {
+ methods[i].active = false;
+ methods[i].enabled = false;
+ } else {
+ methods[i].active = true;
+ methods[i].enabled = true;
+ if (methods[i].no_more)
+ break;
+ }
+ }
+
+ while (!done) {
+ nfds = 0;
+ FD_ZERO(&fds);
+ for (i = 0; i < ARRAY_SIZE(methods); i++) {
+ if (!methods[i].enabled || methods[i].fd < 0)
+ continue;
+ debug("method %i has fd %i and name %s\n", i, methods[i].fd, methods[i].name);
+ FD_SET(methods[i].fd, &fds);
+ if (methods[i].fd + 1 > nfds)
+ nfds = methods[i].fd + 1;
+ }
+
+ if (nfds == 0) {
+ debug("All methods disabled\n");
+ exit(EXIT_FAILURE);
+ }
+
+ debug("Starting select with nfds %i\n", nfds);
+ ret = select(nfds, &fds, NULL, NULL, NULL);
+
+ if (ret <= 0) {
+ if (ret == 0 || errno == EINTR)
+ continue;
+ debug("Select failed\n");
+ disable_method(NULL);
+ exit(EXIT_FAILURE);
+ }
+
+ for (i = 0; i < ARRAY_SIZE(methods); i++) {
+ if (!methods[i].enabled || methods[i].fd < 0)
+ continue;
+ if (!FD_ISSET(methods[i].fd, &fds))
+ continue;
+ if (methods[i].read(methods[i].fd, &pass, &passlen) && pass) {
+ done = true;
+ break;
+ }
+ }
+ }
+
+ debug("Writing %i bytes to stdout\n", (int)passlen);
+ if (write(STDOUT_FILENO, pass, passlen) == -1) {
+ disable_method(NULL);
+ exit(EXIT_FAILURE);
+ }
+ disable_method(NULL);
+ exit(EXIT_SUCCESS);
+}
+
diff --git a/debian/bash_completion/cryptdisks_start b/debian/bash_completion/cryptdisks_start
new file mode 100644
index 0000000..679c302
--- /dev/null
+++ b/debian/bash_completion/cryptdisks_start
@@ -0,0 +1,42 @@
+# cryptdisks_{start,stop} completion by first column of crypttab
+#
+# Copyright 2013 Claudius Hubig <cl_crds@chubig.net>, 2-clause BSD
+
+_cryptdisks() {
+ local action="$1" t
+ for t in $( awk -vt="${COMP_WORDS[COMP_CWORD]}" \
+ '($1 !~ /^#/ && index($1,t) == 1) {print $1}' \
+ "${TABFILE-"/etc/crypttab"}" ); do
+ if [ "$action" = start -a ! -e "/dev/mapper/$t" ] ||
+ [ "$action" = stop -a -e "/dev/mapper/$t" ]; then
+ COMPREPLY+=( "$t" )
+ fi
+ done
+ return 0;
+}
+
+_cryptdisks_start() {
+ local i include_options=y
+ COMPREPLY=()
+ for (( i=0; i < COMP_CWORD-1; i++ )); do
+ if [ "${COMP_WORDS[i]}" = "--" ] || [[ "${COMP_WORDS[i]}" != -* ]]; then
+ include_options=n
+ break
+ fi
+ done
+ if [ "$include_options" = "y" ]; then
+ for i in "-r" "--readonly" "--"; do
+ if [[ "$i" == "${COMP_WORDS[COMP_CWORD]}"* ]]; then
+ COMPREPLY+=( "$i" )
+ fi
+ done
+ fi
+ _cryptdisks start "$@"
+}
+_cryptdisks_stop() {
+ COMPREPLY=()
+ _cryptdisks stop "$@";
+}
+
+complete -F _cryptdisks_start cryptdisks_start
+complete -F _cryptdisks_stop cryptdisks_stop
diff --git a/debian/bug-script b/debian/bug-script
new file mode 100644
index 0000000..302afdf
--- /dev/null
+++ b/debian/bug-script
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+cat <<EOF
+
+Providing additional information can help diagnose problems with cryptsetup.
+Specifically, this would include:
+- kernel cmdline (copy of /proc/cmdline).
+- crypttab configuration (copy of /etc/crypttab).
+- fstab configuration (copy of /etc/fstab).
+If this information is not relevant for your bug report or you have privacy
+concerns, please choose no.
+
+EOF
+
+yesno "Do you want to provide additional information [Y|n]? " yep
+[ "$REPLY" = yep ] || exit 0
+
+exec >&3
+
+echo "-- /proc/cmdline"
+cat /proc/cmdline
+echo
+
+if [ -r /etc/crypttab ]; then
+ echo "-- /etc/crypttab"
+ cat /etc/crypttab
+ echo
+fi
+
+if [ -r /etc/fstab ]; then
+ echo "-- /etc/fstab"
+ cat /etc/fstab
+ echo
+fi
+
+echo "-- lsmod"
+lsmod
+echo
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..78803a1
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,3663 @@
+cryptsetup (2:2.6.1-6) unstable; urgency=medium
+
+ [ Kevin Locke ]
+ * cryptsetup-initramfs: Add support from compressed kernel modules.
+ (Closes: #1036049, #1057441)
+
+ [ Guilhem Moulin ]
+ * d/tests: Replace `passwd --delete` with `busybox passwd -d`.
+ * add_modules(): Change suffix drop logic to match initramfs-tools.
+ * Fix DEP-8 tests with kernels shipping compressed modules.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 05 Dec 2023 17:48:58 +0100
+
+cryptsetup (2:2.6.1-5) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * d/control: Drop cryptsetup-run transitional binary package.
+ (Closes: #1038285)
+
+ [ Michael Biebl ]
+ * cryptsetup-suspend-wrapper: Don't error out on missing
+ /lib/systemd/system-sleep directory, which was removed from the systemd
+ package. (Closes: #1050606)
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 27 Aug 2023 12:24:57 +0200
+
+cryptsetup (2:2.6.1-4) unstable; urgency=medium
+
+ * Backport upstream MR !498, see #1028250:
+ + 7893c33d: Check for physical memory available also in PBKDF benchmark.
+ + 6721d3a8: Use only half of detected free memory on systems without swap.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 20 Apr 2023 23:46:08 +0200
+
+cryptsetup (2:2.6.1-3) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * initramfs hook: Fix copy_libgcc_argon2() on non merged-/usr systems.
+ (Closes: #1032518)
+ * Backport upstream MR !490, see #1028250:
+ + 27f8e5c0: Try to avoid OOM killer on low-memory systems without swap
+ + 899bad8c: Print warning when keyslot requires more memory than available
+ * d/t/initramfs-hook: Pass `-xdev` to `find "$INITRD_DIR"` in order to solve
+ a race condition in that autopkgtest.
+
+ [ Remus-Gabriel Chelu ]
+ * Add Romanian debconf templates translation. (Closes: #1031497)
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 13 Mar 2023 23:43:50 +0100
+
+cryptsetup (2:2.6.1-2) unstable; urgency=medium
+
+ * initramfs hook: Explicitly call copy_libgcc(). The recent libargon2-1
+ upgrade is built with glibc ≥2.34 hence no longer links libpthread. This
+ in turns means that initramfs-tool's copy_exec() is no longer able to
+ detect pthread_*() need and thus doesn't copy libgcc_s.so anymore. So we
+ need to do it manually instead. Closes: #1032221
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 02 Mar 2023 05:01:53 +0100
+
+cryptsetup (2:2.6.1-1) unstable; urgency=medium
+
+ * New upstream bugfix release.
+ * d/README.Debian: Explicitly set cswap1's device type to 'plain'.
+ (Closes: #1025136)
+ * d/control: Update standards version to 4.6.2, no changes needed.
+ * d/clean: Add some gitignore(5)'d files. (Closes: #1026838)
+ * cryptgnupg-sc hook: Look terminfo file in /usr/share/terminfo in adition
+ to /lib/terminfo, see #1028202. (Closes: 1028234)
+ * d/copyright: Bump copyright years.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 10 Feb 2023 00:50:42 +0100
+
+cryptsetup (2:2.6.0-2) unstable; urgency=low
+
+ * libcryptsetup-dev: Add 'Depends: libargon2-dev, libblkid-dev,
+ libdevmapper-dev, libjson-c-dev, libssl-dev, uuid-dev' to account for
+ libcryptsetup.pc's Requires.private. Closes: #1025054.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 29 Nov 2022 15:42:25 +0100
+
+cryptsetup (2:2.6.0-1) unstable; urgency=low
+
+ * New upstream release 2.6.0.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 29 Nov 2022 01:20:38 +0100
+
+cryptsetup (2:2.6.0~rc0-1) experimental; urgency=medium
+
+ * New upstream release candidate 2.6.0, introducing support for handling
+ macOS FileVault2 devices (FVAULT2). The new version of FileVault based on
+ the APFS filesystem used in recent macOS versions is currently not
+ supported: only the (legacy) FileVault2 format based on Core Storage and
+ HFS+ filesystem (introduced in MacOS X 10.7 Lion) is supported. Moreover
+ header formatting and changes are not supported; cryptsetup never changes
+ the metadata on the device.
+ Closes: #923513.
+ * Update d/copyright for 2:2.6.0~rc0-1.
+ * Ship cryptsetup-fvault2Dump(8) and cryptsetup-fvault2Open(8) to
+ cryptsetup-bin binary package.
+ * Update d/libcryptsetup12.symbols for 2:2.6.0~rc0-1.
+ * Add 'fvault2' flag to crypttab(5) to force detection of Apple's FileVault2
+ volumes.
+ * d/rules: Add new target execute_before_dh_auto_test so blhc ignores
+ compilations of tests/*.c.
+ * d/u/metadata: Set 'Security-Contact' upstream metadata field.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 19 Nov 2022 17:30:40 +0100
+
+cryptsetup (2:2.5.0-6) unstable; urgency=medium
+
+ * d/t/cryptroot-*: Mask systemd-firstboot.service.
+ * d/t/cryptroot-*: Use camel case for apt.conf(5) settings.
+ * d/t/cryptroot-*: _apt(): Sort apt.conf(5) settings.
+ * d/t/cryptroot-*: Honor apt_preferences(5) settings under autopkgtest.
+ * d/t/cryptroot-*: init: bind mount temporary filesystems to fix
+ autopkgtests with systemd 252. (Closes: #1022970)
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 28 Oct 2022 19:30:14 +0200
+
+cryptsetup (2:2.5.0-5) unstable; urgency=medium
+
+ * d/t/cryptroot-*: Bump setup timeout to 3600s so autopkgtests don't fail on
+ debci runners lacking KVM support.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 04 Oct 2022 20:01:50 +0200
+
+cryptsetup (2:2.5.0-4) unstable; urgency=medium
+
+ * suspend.conf: Improve description and typofix.
+ * d/t/cryptroot-*: Fix race condition between creating new partition and
+ using them.
+ * d/t/cryptroot-*: Fail the test after a reasonable timeout.
+ (Closes: #1020714)
+ * d/t/cryptroot-*: setup_apt(): Add 'Identifier: Packages' to `apt-get
+ indextargets` filter.
+ * cryptsetup-suspend-wrapper: Explicitly disable udev support when resuming.
+ (Closes: #1020553)
+ * d/t/cryptroot-*: Pin versions for all packages in PKGS_EXTRA that are part
+ of src:cryptsetup.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 04 Oct 2022 01:14:30 +0200
+
+cryptsetup (2:2.5.0-3) unstable; urgency=low
+
+ * d/t/cryptroot-*: Disable VGA card on the guest.
+ * d/t/cryptroot-*: Communicate with guests on /dev/hvc0 and remove
+ console=hvc0 from the kernel command line to get a noise-free channel.
+ * d/t/cryptroot-*: poweroff(): Use poweroff(8) not `echo o
+ >/proc/sysrq-trigger`.
+ * d/t/cryptroot-*: hibernate(): Use systemctl(1) not `echo disk
+ >/sys/power/state`.
+ * d/t/cryptroot-*: Use a separate logfile for each communication channel.
+ * Refactor d/t/utils/mock.pm and add QMP support; this adds 'Depends:
+ libjson-perl' to cryptroot-* autopkgtests.
+ * d/t/cryptroot-*: Use the QMP "quit" command to destroy guests early.
+ * d/t/cryptroot-*: Start getty on /dev/hvc0 only (not /dev/ttyS0) in
+ non-interactive mode.
+ * d/t/cryptroot-*: Remove console=tty0 from the kernel command line.
+ * d/t/cryptroot-*: Mask all timer units to avoid cluttering test
+ environments with background jobs.
+ * d/t/cryptroot-lvm: Also test cryptsetup-suspend (enter to and resume from
+ S3 state).
+ * d/t/cryptroot-*: Simplify login prompt regex.
+ * d/t/cryptroot-*: Use $' when consuming input buffers.
+ * Salsa CI: Include recipes/debian.yml.
+ * Salsa CI: Remove redundant variable RELEASE=unstable.
+ * Salsa CI: Re-enable autopkgtest job with partial coverage.
+ * cryptsetup-suspend-wrapper: Improve quoting.
+ * cryptsetup-suspend-wrapper: Use crypttab_find_entry()'s return status.
+ * d/copyright: Improve wording.
+ * d/copyright: Fix license for d/scripts/suspend/cryptsetup-suspend.c .
+ * Add license headers for d/scripts/suspend/*.
+ * Relicense own code from GPLv2+ to GPLv3+.
+ * cryptsetup-suspend-wrapper: Don't bindmount temporary filesystems.
+ * cryptsetup-suspend-wrapper: Improve $INITRAMFS_DIR detection and cleanup.
+ * cryptsetup-suspend-wrapper: Improve TODO comment.
+ * d/t/cryptroot-*: Add a network device in interactive mode.
+ * d/t/cryptroot-lvm: Test I/O on the root FS after wakeup to make sure the
+ device is not suspended.
+ * cryptsetup-suspend-wrapper: Harden chroot environment: mount ramfs
+ read-only and with the 'nodev' option, make it unbindable, and use a
+ restrictive root mode.
+ * initramfs hook: Remove duplicate unmangling.
+ * initramfs hook: populate_CRYPTO_HASHES(): Add missing call to
+ crypttab_parse_options().
+ * d/functions: crypttab_parse_options(): Always reset $CRYPTTAB_TYPE.
+ * cryptsetup-suspend-wrapper: Ignore $KEEP_INITRAMFS if a newer initrd is
+ detected.
+ * d/functions: resume_device(): Fix resuming by keyscript.
+ * d/functions: Refactor resume_device() and freeze_cgroups().
+ * cryptsetup-suspend-wrapper: Don't copy /lib/firmware if it already exists
+ in the initrd.
+ * cryptsetup-suspend-wrapper: Don't treat udevd specially as luksResume now
+ appears to work when udevd is still frozen.
+ * cryptsetup-suspend-wrapper: Populate ACTIVE_DEVICES via callback.
+ * cryptsetup-suspend-wrapper: Use FD3 to list remaining devices.
+ * d/t/utils/debootstrap: Strip colon and suffix from package (Pre-)Depends.
+ * d/t/utils/debootstrap: Remove obsolete comment and Pre-Depends.
+ * d/t/cryptroot-*: Manually create merged-/usr layout and install
+ usr-is-merged.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 18 Sep 2022 23:01:46 +0200
+
+cryptsetup (2:2.5.0-2) unstable; urgency=low
+
+ [ Matthias Klose ]
+ * Add support for 'noudeb' build profile. (Closes: #983318)
+
+ [ Christoph Anton Mitterer ]
+ * initramfs hook: align busybox check on klibc-utils's hook.
+
+ [ Benjamin Drung ]
+ * initramfs hook: Fix broken compatibility with OpenSSL3 when cryptsetup
+ needs legacy hashes (currently ripemd160 and whirlpool). (LP: #1979159)
+
+ [ Guilhem Moulin ]
+ * New DEP-8 test for crude checks of the initramfs hook.
+ * Minor changes to the legacy.so inclusion logic.
+ * DEP-8: Add checks for OpenSSL's legacy.so inclusion.
+ * d/rules: Inspect DEB_BUILD_* with $(filter ,) not $(findstring ,).
+ * initramfs boot script: Remove custom LVM handling. Since 2.03.15-1 lvm2
+ doesn't ship an initramfs boot script anymore and relies solely on udev
+ rules instead. We therefore don't have to manually activate LVs/VGs
+ anymore, but cryptsetup-initramfs now conflicts with earlier lvm2
+ versions. (Closes: #928943)
+ * Override lintian tag 'conflicts-with-version' given the above.
+ * initramfs hook: Don't overwrite crypttab(5) source to /dev/mapper/$NAME
+ for mapped devices. (Closes: #1016455)
+ * initramfs hook: Preserve crypttab source specifications and devices
+ starting with /dev/disk/by- or /dev/mapper/.
+ * d/README.initramfs: Improve section about cryptopts= kernel parameter.
+ * d/Debian.README: Mention that systemd masks /etc/init.d/cryptdisks.
+ (Closes: #1010708)
+ * Rename systemd_cryptsetup-suspend.conf to systemd/cryptsetup-suspend.conf.
+ * cryptsetup-suspend-wrapper: Fix grep calls in some corner cases such as
+ template cgroups.
+ * cryptsetup-suspend-wrapper: Avoid double slash in cgroup paths.
+ * cryptsetup-suspend-wrapper: Consolidate style.
+ * d/t/cryptroot-*: Relax the kernel.deb regex to account for release
+ candidates.
+ * d/t/cryptroot-*: Add more partition type GUIDs.
+ * d/t/cryptroot-*: Improve sources.list(5) generation.
+ * d/t/cryptroot-*: Make APT repository Origin and URI configurable.
+ * d/t/cryptroot-*: Start udevd before setting up the guest.
+ * d/t/cryptroot-*: Use a separate /run partition when bootstrapping.
+ * Run `chmod +x d/t/cryptdisks d/t/utils/init` for consistency.
+ * d/t/cryptroot-*.d/config: Remove 'cryptsetup' from PKGS_EXTRA as it's only
+ needed for cryptroot-sysvinit.
+ * d/t/cryptroot-sysvinit: Rename 'rootfs.key' keyfile to 'homefs.key' which
+ better describes the purpose of the keyfile.
+ * d/t/cryptroot-*: Replace /target with '$ROOT'.
+ * d/t/cryptroot-*: Rename 'testvg' Volume Group to 'cryptvg'.
+ * d/t/cryptroot-*: Add note about testing cryptsetup-suspend.
+ * d/t: Add convenience wrapper script for local cryptroot-* test runs.
+ * New DEP-8 test for LVM-on-MD-on-LUKS2 layout backed by 4 independently
+ encrypted partitions (all unlocked at initramfs stage).
+ * New DEP-8 test for a complex nested block device stack.
+ * Salsa CI: Disable autopkgtest job for now.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 09 Aug 2022 01:40:50 +0200
+
+cryptsetup (2:2.5.0-1) unstable; urgency=medium
+
+ * New upstream release. (Closes: #1000634, #1011128)
+ * d/copyright: Fix licence for tokens/ssh/cryptsetup-ssh.c.
+ * Remove patches applied upstream.
+ * Rename 'ssh-plugin-test' to 'ssh-test-plugin'.
+ * Add DEP-8 tests for cryptroot unlocking at early boot stage.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 29 Jul 2022 16:31:23 +0200
+
+cryptsetup (2:2.5.0~rc1-3) experimental; urgency=medium
+
+ * DEP-8: Add 'Features: test-name=' in order to name inline tests.
+ * d/t/control: Add 'Restrictions: rw-build-tree' to upstream-testsuite.
+ * d/control: Remove cryptsetup-reencrypt from cryptsetup-bin package
+ description since the utility was removed upstream in v2.5.0-rc1.
+ * d/changelog: Retroactively correct 2:2.4.0~rc0-1+exp1 entry.
+ * Update d/patches with what's landed upstream since v2.5.0-rc1.
+ * d/patches, d/rules: Pass $(LDFLAGS) when building fake_token_path.so and
+ no longer silence blhc(1) for test files.
+ * Move SSH token plugin stuff into new binary package 'cryptsetup-ssh'.
+ That plugin is arguably not useful for everyone and we can save the
+ 'Depends: libssh-4' on cryptsetup-bin by moving cryptsetup-ssh(8) and
+ libcryptsetup-token-ssh.so to a separate package. Since LUKS2 SSH token
+ support was added after the Bullseye release, and since it is still in
+ experimental stage, we don't let cryptsetup-bin or cryptsetup depend on
+ the new binary package. Users who need that feature will need to install
+ it manually.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 21 Jul 2022 20:41:20 +0200
+
+cryptsetup (2:2.5.0~rc1-2) experimental; urgency=medium
+
+ * localtest: Treat skipped tests as failure for full coverage.
+ * d/watch: Add uversionmangle option for release candidates.
+ * unit-wipe-test: Skip DIO tests when the file system doesn't support
+ O_DIRECT. This is needed on the buildds where the source tree appears to
+ be on a tmpfs.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jul 2022 20:49:13 +0200
+
+cryptsetup (2:2.5.0~rc1-1) experimental; urgency=low
+
+ * New upstream release candidate 2.5.0. Highlights include:
+ + Remove cryptsetup-reencrypt(8) executable, use `cryptsetup reencrypt`
+ instead (for both LUKS1 and LUKS2).
+ + Split manual pages into per-action pages, for instance cryptsetup-open.8
+ which can be consulted with `man cryptsetup open`.
+ + Add LUKS2 encryption removal support with `cryptsetup reencrypt
+ --decrypt`.
+ + Preserve unknown metadata option (features implemented in more recent
+ cryptsetup releases) during reencryption.
+ * Salsa CI's deploy stage: Use a Bullseye image.
+ * Salsa CI's deploy stage: Use apt-get(8) not apt(8).
+ * Salsa CI's deploy stage: Replace `cp` with `install`.
+ * Salsa CI's reprotest job: Remove '--no-diffoscope' flag.
+ * Salsa CI's reprotest job: Update reason for running under 'nocheck' build
+ profile.
+ * d/README.source: Update text to reflect current practices.
+ * DEP-8: Run installed binaries and libraries through the full upstream test
+ suite (needs machine-level isolation).
+ * Retroactivately add NEWS.Debian for #949336.
+ * d/t/control: Add 'Depends: xxd' for 'Tests: cryptdisks' stanza.
+ * foreach_cryptdev(): Process each device *after* its slaves.
+ * do_stop(): Remove device holders beforehand. (Closes: #1006802)
+ * Fix space damage.
+ * d/u/metadata: Add FAQ URL.
+ * Refresh lintian overrides to accommodate lintian v2.115.
+ * d/control: New Build-Depends: asciidoctor (unless under 'nodoc' build
+ profile).
+ * d/cryptsetup.docs: Fix FAQ filename.
+ * Move usr/share/man/*/* glob to debian/*.manpages where it belongs.
+ * Update d/libcryptsetup12.symbols.
+ * Bump Standards-Version to 4.6.1 (no changes needed).
+ * Update d/copyright.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jul 2022 01:49:59 +0200
+
+cryptsetup (2:2.4.3-1) unstable; urgency=high
+
+ [ Guilhem Moulin ]
+ * New upstream security release 2.4.3, with fix for CVE-2021-4122:
+ decryption through LUKS2 reencryption crash recovery. (Closes: #1003685,
+ #1003686)
+ * Remove cryptsetup-initramfs.preinst. (Closes: #1001063)
+
+ [ Christoph Anton Mitterer ]
+ * d/rules: don't expand here-document.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 13 Jan 2022 19:07:05 +0100
+
+cryptsetup (2:2.4.2-1) unstable; urgency=high
+
+ * New upstream bugfix release 2.4.2.
+ * d/control: Replace Build-Depends on removed package libsepol1-dev with
+ libsepol-dev. (Closes: #999815)
+ * blkid/un_blkid checks: Ignore large offsets when converting from sectors
+ to bytes.
+ * crypttab(5): Formatting fix.
+ * Refresh d/copyright.
+ * Refresh lintian overrides to accommodate lintian v2.112.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 18 Nov 2021 17:15:08 +0100
+
+cryptsetup (2:2.4.1-1) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * New upstream bugfix release 2.4.1.
+ * d/rules:
+ + Use execute_after_dh_* from Debhelper compatibility level 13 when
+ relevant.
+ + Skip documentation generation under nodoc profile.
+ + Add new target execute_before_dh_auto_test so blhc ignores compilations
+ of tests/*.c.
+ * d/cryptsetup-initramfs.lintian-overrides: Refresh for lintian 2.107.0.
+ * crypttab(5):
+ + Improve documentation about escape sequences.
+ + Document that keyscript= can also take an absolute path.
+ (Closes: #994219)
+ + Document that keyscript's exit status is ignored.
+ + Various typo fixes and manpages improvements.
+ * initramfs: Add new hook configuration option ASKPASS=[Yn] to opt out from
+ askpass inclusion. (Closes: #994486)
+ * d/cryptsetup-initramfs.post*: Replace `which` with `command -v`.
+ * Merge debian/experimental branch and bring cryptsetup-suspend to sid.
+ * d/bash_completion: s/mawk/awk/. We're only using the POSIX subset so any
+ implementation should work. (Closes: #993374)
+ * Add DEP-8 tests for cryptdisks_start and cryptdisks_stop covering most of
+ d/functions and d/cryptdisks-functions. The testbed requires
+ 'isolation-machine' restriction since we need to load kernel modules and
+ create loop devices.
+ * d/gbp.conf, d/watch: Explicitly use gzip compression.
+
+ [ Christoph Anton Mitterer ]
+ * d/functions: Export _CRYPTTAB_* to the keyscript's environment.
+
+ [ Lukas Schwaighofer ]
+ * initramfs: Honor activation/auto_activation_volume_list setting.
+ (Closes: #993725)
+
+ [ Thorsten Glaser ]
+ * blkid/un_blkid checks: Honor offset= option. (Closes: #994056)
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 08 Oct 2021 14:27:03 +0200
+
+cryptsetup (2:2.4.0-1+exp1) experimental; urgency=medium
+
+ * Upload to experimental.
+ * d/rules: Prefix /lib/systemd/system-shutdown/cryptsetup-suspend.shutdown
+ with /usr to fix FTBS with debhelper 13.4; see #992469.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 19 Aug 2021 22:55:02 +0200
+
+cryptsetup (2:2.4.0-1) unstable; urgency=low
+
+ [ Guilhem Moulin ]
+ * New upstream release.
+ * Salsa CI: Set SALSA_CI_BLHC_ARGS to avoid failing when *test* files are
+ built without the "right" LDFLAGS.
+ * Remove obsolete upstart configuration files on upgrade and purge.
+ (Closes: #990490)
+ * d/*.{pre,post}*: Explicitly exit with status code 0.
+ * d/copyright: Set field Upstream-Name.
+ * d/control: Bump Standards-Version to 4.6.0 (no changes necessary).
+ * d/control: Remove cryptsetup-run from cryptsetup's Recommends.
+ (Closes: #987769)
+ * d/control: Demote cryptsetup-initramfs from cryptsetup's Recommends to
+ Suggests. This concludes the package split started in 2:2.0.3-1 during
+ the Buster release cycle.
+
+ [ Ayla Ounce ]
+ * Add support for --perf_* flags to initramfs.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 19 Aug 2021 03:11:11 +0200
+
+cryptsetup (2:2.4.0~rc1-1+exp1) experimental; urgency=medium
+
+ * New upstream release candidate.
+ * d/copyright: Update file.
+ * d/cryptsetup.docs: Add upstream's README.md.
+ * d/TODO.md: Remove implemented `luksSuspend` integration.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 30 Jul 2021 02:37:32 +0200
+
+cryptsetup (2:2.4.0~rc0-1+exp1) experimental; urgency=medium
+
+ * New upstream release candidate 2.4.0. Highlights include:
+ + Support for external libraries (plugins) for handling LUKS2 token
+ objects.
+ + Experimental SSH token handler and cryptsetup-ssh(8) utility (resp.
+ shipped in the 'cryptsetup' and 'cryptsetup-bin' binary packages) as a
+ demonstration of the external LUKS2 token interface. This adds
+ libssh-dev to build-depends.
+ + Change default LUKS2 PBKDF to Argon2id from Argon2i.
+ + Increase minimal memory cost for Argon2 benchmark to 64MiB (suggested
+ value in Argon2 RFC).
+ + Autodetect optimal encryption sector size on LUKS2 format.
+ + integritysetup: add integrity-recalculate-reset flag.
+ + cryptsetup: retains keyslot number in luksChangeKey for LUKS2.
+ + Add close --deferred and --cancel-deferred options.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 06 Jul 2021 10:18:17 +0200
+
+cryptsetup (2:2.3.6-1+exp1) experimental; urgency=medium
+
+ * New upstream bugfix release. (Closes: #949336)
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 28 May 2021 22:54:20 +0200
+
+cryptsetup (2:2.3.5-1+exp1) experimental; urgency=medium
+
+ * Upload to experimental.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 11 Mar 2021 23:36:01 +0100
+
+cryptsetup (2:2.3.5-1) unstable; urgency=medium
+
+ * New upstream bugfix release. (Closes: #985581)
+ * d/watch: Monitor upstream tags rather than tarballs.
+ * d/gbp.conf: Set 'upstream-vcs-tag' to add upstream tag as additional
+ parent.
+ * Simplify d/README.source in accordance with the above.
+ * Rename d/upstream-signing-key.asc to d/upstream/signing-key.asc as uscan
+ is now able to verify git tags.
+ * encrypted-boot.md: Clarify how to solve double password prompt for the
+ device holding /boot.
+ * d/copyright: Update copyright year.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 02 Apr 2021 23:43:41 +0200
+
+cryptsetup (2:2.3.4-2+exp1) experimental; urgency=medium
+
+ * Upload to experimental.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 19:55:25 +0100
+
+cryptsetup (2:2.3.4-2) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * d/control: Remove Build-Depends: dh-exec. In compatibility level 13
+ Debhelper supports variable expansion, which was why we used dh-exec in
+ the first place.
+ * libcryptsetup-dev: Install libcryptsetup.so to /lib/$DEB_HOST_MULTIARCH
+ not /usr/lib/$DEB_HOST_MULTIARCH (closes: #978585), and override
+ subsequent lintian warning per #843932.
+ * d/*.install: Replace wildcard with $DEB_HOST_MULTIARCH for consistency.
+ * d/cryptsetup.lintian-overrides: Rename "init.d-script-does-not-implement-
+ optional-option $FOO status" tags to "init.d-script-does-not-implement-
+ status-option $FOO".
+ * Bump Standards-Version to 4.5.1 (no changes necessary).
+ * d/cryptdisks-functions: Rename left-over loop_cryptdevs() to
+ foreach_cryptdev(). Regression from 2:2.3.0-1. (Closes: #974591)
+ * Initramfs boot script: Drop `lvm vgchange`'s --ignoreskippedcluster flag
+ which is now a no-op.
+ * Make d/cryptsetup-initramfs.preinst mangling idempotent.
+ * Rename Debian resp. upstream branch to debian/latest resp. upstream/latest
+ for DEP-14 compliance.
+ * Rename d/gitlab-ci.yml to d/salsa-ci.yml.
+ * Consolidate d/gbp.conf.
+ * cryptsetup-initramfs now requires initramfs-tools 0.137 or later and no
+ longer copies libgcc_s.so.1 to the initrd since recent initramfs-tools
+ take care of it.
+ * Add libcryptsetup.la to debian/not-installed.
+
+ [ Guilherme G. Piccoli ]
+ * Initramfs boot script: Fix a deadlock when cryptroot would wait at
+ local-top stage for a device to appear, while the device would only be
+ created at local-block stage. This can be the case in dm-crypt-over-MD
+ scenario when booting the RAID array in degraded mode. (Closes: #933059)
+
+ [ Felix C. Stegerman ]
+ * Fix typo in README.gnupg-sc
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 19:16:40 +0100
+
+cryptsetup (2:2.3.4-1+exp1) experimental; urgency=medium
+
+ * Upload to experimental.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 04 Sep 2020 00:55:41 +0200
+
+cryptsetup (2:2.3.4-1) unstable; urgency=high
+
+ * New upstream bugfix release, including fix for CVE-2020-14382:
+ possible out-of-bounds memory write while validating LUKS2 data
+ segments metadata on 32-bits platforms. (Closes: #969471)
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 04 Sep 2020 00:30:40 +0200
+
+cryptsetup (2:2.3.3-3+exp3) experimental; urgency=medium
+
+ * d/control: Make cryptsetup-suspend explicitly depend on
+ initramfs-tools-core as we use unmkinitramfs(8) in the wrapper.
+ * systemd-suspend.service override: Set OOMScoreAdjust to -1000 to
+ disable OOM killing of processes of the unit. Thanks, ಚಿರಾಗ್.
+ (Closes: #968569)
+ * d/doc/cryptsetup-suspend.xml: Document that key material included in the
+ initramfs image will remain unencrypted (see #969286).
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 31 Aug 2020 00:09:10 +0200
+
+cryptsetup (2:2.3.3-3+exp2) experimental; urgency=medium
+
+ * d/control: Typofix in cryptsetup-suspend's long description.
+ (Closes: #968455)
+ * d/control: Make cryptsetup-suspend explicitly depend on kbd as we use
+ openvt(1) in the systemd-suspend.service override. (Closes: #969226)
+ * d/*: Run wrap-and-sort(1).
+ * d/scripts/suspend/cryptsetup-suspend-wrapper:
+ + Parse /proc/meminfo in a single pass using shell builtins rather than
+ calling awk(1).
+ + Use "/boot/initrd.img-$(uname -r)" as path to the initrd instead of
+ deriving it from the kernel command line. BOOT_IMAGE's value is
+ relative to the boot's loader viewpoint, which might differ from that of
+ the main system.
+ + run_dir(): Prefer find(1)'s -execdir option over -exec.
+ + Conditionally remove/copy firmware into the initramfs image.
+ (Closes: #969270)
+ * d/rules: Build our scripts with `-Wall -Werror`.
+ * d/cryptsetup-suspend.{postinst,postrm}: Call `systemctl daemon-reload`,
+ which appears to be needed on upgrades. (dh_installsystemd(1) doesn't
+ support overrides so we manually copy the snippet it would add.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 30 Aug 2020 18:01:49 +0200
+
+cryptsetup (2:2.3.3-3+exp1) experimental; urgency=medium
+
+ * Add new binary package 'crypsetup-suspend', which implements support
+ to luksSuspend LUKS devices before ACPI S3 system suspend.
+ + See the cryptsetup-suspend(7) manpage for further information.
+
+ -- Jonas Meurer <jonas@freesources.org> Wed, 12 Aug 2020 21:29:31 +0200
+
+cryptsetup (2:2.3.3-2) unstable; urgency=medium
+
+ [ Helmut Grohne ]
+ * d/control: Annotate Build-Depends with <!nocheck>. (Closes: #964092)
+
+ [ Guilhem Moulin ]
+ * d/rules: Build with `--with-tmpfilesdir` to force installing
+ usr/lib/tmpfiles.d/cryptsetup.conf instead of picking the source from
+ scripts/cryptsetup.conf. This fixes FTBS in environments containing
+ systemd. (Closes: #968250)
+ * Add 'bitlk' flag in crypttab(5) to force detection of Windows BitLocker
+ volumes. (Closes: #967853)
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 12 Aug 2020 00:22:59 +0200
+
+cryptsetup (2:2.3.3-1) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * New upstream bugfix release.
+ * d/scripts/decrypt_derived: Remove useless call to `| tr -d '\n'`.
+ * d/control: Bump debhelper compatibility level to 13. Remove
+ debian/tmp/lib/$DEB_HOST_MULTIARCH/libcryptsetup.la as we don't install it
+ anywhere.
+
+ [ Rob Pilling ]
+ * d/scripts/decrypt_derived:
+ + move an error message to standard error so it's not accidentally used as
+ a key
+ + exit with a success code when successful
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 04 Jun 2020 01:41:44 +0200
+
+cryptsetup (2:2.3.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/control: Set 'Rules-Requires-Root: no'.
+ * d/initramfs/hooks/cryptroot: Unconditionally copy 'ecb' kernel module
+ when the host CPU lacks AES-NI support. On such systems XTS needs ECB.
+ This is a work around for #883595 on kernels 4.10 and later.
+ (Closes: #959423)
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 06 May 2020 16:22:01 +0200
+
+cryptsetup (2:2.3.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * d/initramfs/hooks/cryptroot: Don't set unused variable LIBC_DIR.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 24 Mar 2020 02:07:07 +0100
+
+cryptsetup (2:2.3.0-1) unstable; urgency=low
+
+ * New upstream release, introducing support for BitLocker-compatible
+ devices (BITLK format) used in Windows systems.
+ WARNING: crypttab(5) support for these devices is currently *experimental*
+ and requires blkid from util-linux >=2.33 (i.e., Buster or later). These
+ devices currently have no keyword to use in the 4th field (unlike 'luks'
+ or 'plain'), the device type is inferred from the signature instead.
+ * crypttab(5): Make the 4th field (options) optional so we don't have to
+ introduce a new keyword for each new device type. (That field is also
+ optional in the systemd implementation.) Other fields (dm target name,
+ source device, and key file) remain required.
+ * Install cryptdisks_{start,stop} bash completion scripts to the right
+ path/name so they are loaded automatically. This was no longer the case
+ since 2:1.7.0-1. (Closes: #949623)
+ * d/*.install: Replace tabs with spaces.
+ * d/cryptdisks-functions: Fix broken $FORCE_START handling. Since
+ 2:2.0.3-2 the SysV init scripts' "force-start" option was no longer
+ overriding noauto/noearly. (Closes: #933142)
+ * Move some functions to d/function from the initramfs hook.
+ * SysV init scripts: skip devices holding the root FS and/or /usr during the
+ shutdown phase; these file systems are still mounted at this point so any
+ attempt to gracefully close the underlying device(s) is bound to fail.
+ (Closes: #916649, #918008)
+ * Bump Standards-Version to 4.5.0 (no changes necessary).
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 04 Mar 2020 00:48:19 +0100
+
+cryptsetup (2:2.2.2-3) unstable; urgency=high
+
+ * initramfs hook: Workaround fix for the libgcc_s's source location.
+ (Closes: #950628, #939766.) Fixing #950254 will provide a better
+ solution.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 04 Feb 2020 14:11:12 +0100
+
+cryptsetup (2:2.2.2-2) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * d/initramfs/hooks/cryptroot: On initramfs images built with MODULES=dep,
+ include the IV generator found in the cipher specification when there is a
+ matching kernel module. On 5.4 kernels ESSIV isn't implemented in
+ dm_crypt anymore, but by a dedicated 'essiv' module which thus needs to be
+ available in order to unlock dm-crypt target using 'aes-cbc-essiv:sha256'.
+ Closes: #948593.
+
+ [ Debian Janitor ]
+ * Set debhelper-compat version in Build-Depends.
+ * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
+ Repository-Browse.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 18 Jan 2020 20:53:19 +0100
+
+cryptsetup (2:2.2.2-1) unstable; urgency=medium
+
+ * New upstream bugfix release.
+ * debian/control:
+ + Add 'procps' to the Build-Depends since the upstream test suite uses
+ free(1).
+ + Bump Standards-Version to 4.4.1 (no changes necessary).
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 01 Nov 2019 19:32:36 +0100
+
+cryptsetup (2:2.2.1-1) unstable; urgency=medium
+
+ * New upstream bugfix release.
+ * Remove d/patches, applied upstream.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 06 Sep 2019 13:28:55 +0200
+
+cryptsetup (2:2.2.0-3) unstable; urgency=medium
+
+ * Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
+ 32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702)
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 26 Aug 2019 12:53:45 +0200
+
+cryptsetup (2:2.2.0-2) unstable; urgency=medium
+
+ * debian/control: Add 'Multi-Arch: foreign' tag to the transitional dummy
+ package 'crytsetup-run'.
+ * debian/control, debian/compat: Bump debhelper compatibility level to 12.
+ * debian/rules: Remove dh_makeshlibs(1) override; debhelper 12.3's auto
+ detection feature subsumes our use of --add-udeb=. This fixes FTBFS with
+ debhelper 12.5.
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 21 Aug 2019 22:45:12 +0200
+
+cryptsetup (2:2.2.0-1) unstable; urgency=medium
+
+ * New upstream release 2.2.0. Highlights include:
+ + New LUKS2 online reencryption extension, allowing reencryption of
+ mounted LUKS2 devices.
+ + Optional global serialization lock for memory hard PBKDF, to workaround
+ situations when multiple devices are unlocked in parallel, possibly
+ exhausting memory and triggering the OOM killer. (Cf. #924560.)
+ + Add integritysetup support for bitmap mode (Linux >=5.2).
+ + Reduce keyslots area size in luksFormat when the header device is too
+ small.
+ * Remove d/patches, applied upstream.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 15 Aug 2019 09:31:55 +0200
+
+cryptsetup (2:2.1.0-8) unstable; urgency=medium
+
+ * encrypted-boot.md:
+ + Clarify partition layout.
+ + encrypted-boot.md: New section 'Using a custom keyboard layout'.
+ * d/gbp.conf: New section [export-orig] mirroring [buildpackage].
+ * d/gitlab-ci.yml: Add 'publish' stage and make yamllint(1) happy.
+ * d/patches: Backport upstream commit c03e3fe8 so libcryptsetup's
+ crypt_keyslot_add_by_volume_key() also works a on LUKS2 header where all
+ bound key slots were deleted, like it does for LUKS1. (Closes: #934715)
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 14 Aug 2019 16:34:23 +0200
+
+cryptsetup (2:2.1.0-7) unstable; urgency=low
+
+ * debian/cryptsetup.NEWS: Mention the 'cryptsetup' and 'cryptsetup-run'
+ package swap.
+ * debian/control: Add 'cryptsetup-initramfs' to 'cryptsetup's Recommends:,
+ so upgrading systems pull it automatically on upgrade. (cryptsetup
+ <2:2.1.0-6 was a dummy transitional package depending on cryptsetup-run
+ and cryptsetup-initramfs.) Closes: #932643.
+ * debian/control: Add 'cryptsetup-run' to 'cryptsetup's Recommends. This
+ avoids it being removed by `apt upgrade --autoremove` from <2:2.1.0-6,
+ thus avoids the old cryptsetup-run's prerm script showing a scary (but
+ moot) warning. After upgrading the prerm script is gone and the package
+ can be removed without troubles, so we can get rid of it after Bullseye.
+ (Closes: #932625.)
+ * cryptsetup-initramfs: Add loud warning upon "prerm remove" if there are
+ mapped crypt devices (like for cryptsetup.prerm).
+ * Thanks to David Prévot for helping with the upgrade path!
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 21 Jul 2019 21:21:10 -0300
+
+cryptsetup (2:2.1.0-6) unstable; urgency=low
+
+ * debian/control:
+ + Add 'Multi-Arch: foreign' tags to 'cryptsetup-bin' and 'crytsetup-run',
+ as binaries from these packages are architecture independent.
+ (Closes: #930115)
+ + Add 'Build-Depends: jq, xxd' as the jq(1) and xxd(1) executables are
+ required for some upstream tests (skipped if the executables are not
+ found in $PATH).
+ + Swap 'cryptsetup' and 'cryptsetup-run' packages: the former now contains
+ init scripts, libraries, keyscripts, etc. while the latter is now a
+ transitional dummy package.
+ + Remove obsolete cryptsetup.maintscript.
+ + Bump Standards-Version to 4.4.0 (no changes necessary).
+ * debian/*:
+ + Fix path names for /usr/share/doc/cryptsetup*/**. (Closes: #904916).
+ + Remove compatibility warnings regarding setting 'CRYPTSETUP' in
+ the initramfs hook configuration. The variable is no longer honored,
+ and cryptsetup is always integrated to the initramfs when the
+ 'cryptsetup-initramfs' package is installed.
+ * debian/doc/pandoc/encrypted-boot.md: Minor refactoring.
+ * debian/gitlab-ci.yml: Adapt pandoc flags to Debian 9 (pass '-S').
+ * debian/initramfs/conf-hook: Clarify that KEYFILE_PATTERN isn't expanded
+ for crypttab(5) entries with a 'keyscript=' option. (Closes: #930696)
+ * debian/doc/crypttab.xml: Point to README.initramfs in the "See Also"
+ section. (Closes: #913233)
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 20 Jul 2019 22:15:04 -0300
+
+cryptsetup (2:2.1.0-5) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * debian/README.*: Fix markdown formatting issues
+ * Copy https://wiki.debian.org/CryptsetupDebug to debian/README.debug
+
+ [ Guilhem Moulin ]
+ * d/README.Debian: New section "Unlocking LUKS devices from GRUB" pointing
+ to https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html .
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 10 Jun 2019 14:51:15 +0200
+
+cryptsetup (2:2.1.0-4) unstable; urgency=medium
+
+ [Guilhem Moulin]
+ * d/initramfs/hooks/cryptroot: Always add userspace crypto module
+ ('algif_skcipher' kernel module) to the initramfs. This module is
+ required for required for opening LUKS2 devices, and since 2:2.0.2-2 it's
+ added to large initramfs (i.e., when the MODULES variable isn't set to
+ "dep"). It's now added regardless of the value of $MODULES, as 1/ LUKS2
+ is the default LUKS header format version; and 2/ we can't check at
+ initramfs creation time whether there are LUKS2 devices to be opened at
+ early boot stage (detached headers might not be present then).
+ Closes: #929616.
+
+ [Jonathan Dowland]
+ * Update package descriptions to reflect the move of luksformat from
+ cryptsetup-bin to cryptsetup-run. Closes: #928751.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 28 May 2019 17:04:16 +0200
+
+cryptsetup (2:2.1.0-3) unstable; urgency=medium
+
+ * d/scripts/decrypt_opensc: Fix standard output poisoning. Thanks to Nils
+ Mueller for the report and patch. (Closes: #926573.)
+ * d/initramfs/hooks/cryptopensc: Ensure that libpcsclite.so is copied to the
+ initramfs on non-usrmerge systems. (Closes: #928263.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 30 Apr 2019 21:20:47 +0200
+
+cryptsetup (2:2.1.0-2) unstable; urgency=medium
+
+ * debian/copyright:
+ + Update copyright years.
+ + Add OpenSSL linking exception, in accordance with upstream's "COPYING"
+ and "COPYING.LGPL" files. Since 2:2.1.0-1 the cryptsetup binaries and
+ library are linked against libssl, which is the new upstream default
+ backend for LUKS header processing.
+ * debian/askpass.c: in the console backend, clear stdin's end-of-file
+ indicator before calling getline() again. Thanks to Ken Milmore for the
+ detailed report and patch. (Closes: #921906.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 28 Feb 2019 22:32:43 +0100
+
+cryptsetup (2:2.1.0-1) unstable; urgency=medium
+
+ * New upstream release. Highlights include:
+ - The on-disk LUKS format version now defaults to LUKS2 (use `luksFormat
+ --type luks1` to use LUKS1 format). Closes: #919725.
+ - The cryptographic backend used for LUKS header processing is now libssl
+ instead of libgcrypt.
+ - LUKS' default key size is now 512 in XTS mode, half of which is used for
+ block encryption. XTS mode uses two internal keys, hence the previous
+ default key size (256) caused AES-128 to be used for block encryption,
+ while users were expecting AES-256.
+
+ [ Guilhem Moulin ]
+ * Add docs/Keyring.txt and docs/LUKS2-locking.txt to
+ /usr/share/doc/cryptsetup-run.
+ * debian/README.Debian: Mention that for non-persistent encrypted swap one
+ should also disable the resume device.
+ * debian/README.initramfs: Mention that keyscript=decrypt_derived normally
+ won't work with LUKS2 sources. (The volume key of LUKS2 devices is by
+ default offloaded to the kernel keyring service, hence not readable by
+ userspace.) Since 2:2.0.3-5 the keyscript loudly fails on such sources.
+ * decrypt_keyctl keyscript: Always use our askpass binary for password
+ prompt (fail instead of falling back to using stty or `read -s` if askpass
+ is not available). askpass and decrypt_keyctl are both shipped in our
+ 'cryptsetup-run' and 'cryptsetup-udeb' binary packages, and the cryptsetup
+ and askpass binaries are added together to the initramfs image.
+ * decrypt_keyctl: Document the identifier used in the user keyring:
+ "cryptsetup:$CRYPTTAB_KEY", or merely "cryptsetup" if "$CRYPTTAB_KEY" is
+ empty or "none". The latter improves compatibility with gdm and
+ systemd-ask-password(1).
+ * debian/*: run wrap-and-sort(1).
+ * debian/doc/crypttab.xml: mention `cryptsetup refresh` and the `--persistent`
+ option flag.
+ * debian/control: Bump Standards-Version to 4.3.0 (no changes necessary).
+
+ [ Jonas Meurer ]
+ * Update docs about 'discard' option: Mention in manpage, that it's enabled
+ per default by Debian Installer. Give advice to add it to new devices in
+ /etc/crypttab and add it to crypttab example entries in the docs.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 09 Feb 2019 00:40:17 +0100
+
+cryptsetup (2:2.0.6-1) unstable; urgency=medium
+
+ * New upstream bugfix release. Highlights include:
+ - Fix support of larger metadata areas in LUKS2 header.
+ - Fix checking of device size alignment and hash & AEAD algorithms to
+ avoid formatting devices that later cannot be activated.
+ - Fix cryptsetup-reencrypt interrupt handling.
+ - Allow Adiantum cipher construction (require Linux 4.21 or later).
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 03 Dec 2018 20:16:07 +0100
+
+cryptsetup (2:2.0.5-2) unstable; urgency=medium
+
+ * debian/initramfs/hooks/*: Skip call to copy_file() when the target already
+ exists (as the function return value 1 in the case).
+ * OpenPGP Smartcard support, based on work by Peter Lebbing and Erik
+ Nellessen. (Closes: #888916, #903163.)
+ * Move header presence check to crypttab_parse_options() from
+ unlock_mapping(). Having the presence checks in unlock_mapping() caused
+ dummy password prompts in interactive mode when the LUKS header file was
+ missing. Regression since 2:2.0.3-2. (Closes: #914458.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 24 Nov 2018 18:34:42 +0100
+
+cryptsetup (2:2.0.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Remove d/patches/Disable-blockwise-compat-test-as-it-s-FS-dependent.patch
+ as the test suite no longer fails on misaligned I/O in O_DIRECT mode.
+ (Cf. upstream issue #403.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 29 Oct 2018 12:21:00 +0100
+
+cryptsetup (2:2.0.4-3) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * debian/initramfs/hooks/cryptroot:
+ + Make _CRYPTTAB_* variables local to crypttab_find_and_print_entry().
+ (Closes: #907243.)
+ + Silence the warning that honoring CRYPTSETUP="[y|n]" in the config is
+ deprecated when the variable is set to "y". (Keep the warning when it's
+ set to "n" though.) Closes: #908220.
+ * debian/functions: Make get_crypt_type() set variable CRYPTTAB_TYPE to the
+ type of crypt device ("luks" / "plain" / "tcrypt").
+ * debian/initramfs/scripts/local-top/cryptroot: Don't complain that
+ (successful) unlocking of a LUKS device doesn't yield a known file system.
+ The check is preserved for plain dm-crypt devices and tcrypt devices.
+ (Closes: #906283.)
+ * debian/control: Bump Standards-Version to 4.2.1 (no changes necessary).
+ * debian/doc/crypttab.xml: Improve formatting.
+ * debian/cryptsetup-run.lintian-overrides: Remove unused override
+ init.d-script-possible-missing-stop (x2).
+ * debian/libcryptsetup12.symbols: Add "Build-Depends-Package:
+ libcryptsetup-dev" field.
+
+ [ Helmut Grohne ]
+ * Fix FTCBFS: Supply $(CC) from dpkg's buildtools.mk. (Closes: #911042)
+
+ [ Dimitri John Ledkov ]
+ * Implement support for `cryptsetup --sector-size` in crypttab(5).
+ LP: #1776626.
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 22 Oct 2018 17:45:35 +0200
+
+cryptsetup (2:2.0.4-2) unstable; urgency=medium
+
+ * debian/cryptsetup-initramfs.preinst: Don't try to overwrite
+ /etc/cryptsetup-initramfs/conf-hook if that file doesn't exist. (The fix
+ for #905188 broke 2:2.0.4-1's instability on sid.) Closes: #905514.
+ * debian/control: Bump Standards-Version to 4.2.0 (no changes necessary).
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 07 Aug 2018 17:25:30 +0200
+
+cryptsetup (2:2.0.4-1) unstable; urgency=medium
+
+ * New upstream release. Add 'libblkid-dev' to Build-Depends since
+ libcryptsetup and utilities are now linked to libblkid.
+ * debian/cryptsetup-initramfs.preinst: Improve conffile ownership transfer
+ from 'cryptsetup' to 'cryptsetup-initramfs' to comply with Policy §10.7.3.
+ (Closes: #905188.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 05 Aug 2018 04:59:10 +0800
+
+cryptsetup (2:2.0.3-7) unstable; urgency=medium
+
+ * debian/scripts/gen-ssl-key: avoid storing temporary key file on disk.
+ * debian/initramfs/*, debian/scripts/*: improve quoting.
+ * debian/initramfs/cryptroot-unlock: Normalize paths before comparison.
+ This fixes usage on initramfs images with an usrmerge layout, such as
+ images made by mkinitramfs(8) from initramfs-tools-core 0.132. (Closes:
+ #904926.)
+ * debian/functions: crypttab_find_entry(), crypttab_foreach_entry(): return
+ gracefully if $TABFILE doesn't exist.
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 30 Jul 2018 16:32:07 +0800
+
+cryptsetup (2:2.0.3-6) unstable; urgency=medium
+
+ * debian/TODO.md: Remove mention of parent device detection for mdadm
+ (#629236) as it's fixed since 2:2.0.3-2.
+ * debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
+ fixes.
+ * debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
+ add configure flag '--disable-internal-tests'. The internal test suite is
+ run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
+ variable contains the string "nocheck".
+ * debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
+ When the 2nd column of a crypttab entry denodes a block special device,
+ resolve the device but don't convert it to /dev/block/$major:$minor.
+ (Closes: #903246.)
+ * debian/initramfs/hooks/cryptroot:
+ + Treat null device numbers as invalid in resolve_device(), cf.
+ /Documentation/admin-guide/devices.txt in the kernel source tree.
+ + generate_initrd_crypttab(): add '\n' to the local IFS since
+ get_resume_devno() prints one major:minor pair per line.
+ * debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
+ + Save process ID of the pcscd daemon at local-top stage, and kill it at
+ local-bottom stage. Thanks to Pascal Vibet for the patch.
+ (Closes: #903574.)
+ + Fix path to the pcscd executable (the fix for #880750 was incomplete).
+ * debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
+ since 2:2.0.3-2.
+ * debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
+ $CRYPTTAB_NAME not $crypttarget).
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 13 Jul 2018 22:10:43 +0200
+
+cryptsetup (2:2.0.3-5) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * debian/askpass.c, debian/scripts/passdev.c, debian/rules:
+ + Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
+ + Drop c99 std, as the default is now higher than that
+ * debian/control:
+ + Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
+ libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.
+
+ [ Guilhem Moulin ]
+ * debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
+ disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
+ crypttab(5).
+ * debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
+ read-only mapping. Cf. `cryptsetup --readonly`.
+ * debian/initramfs/hooks/cryptroot:
+ + Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
+ key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified
+ in the crypttab options. Regression since 2:2.0.3-2. (Closes: #902733.)
+ + Avoid processing entries multiple times in get_crypttab_entry(), which
+ could happen with 'keyscript=decrypt_derived' for instance.
+ + Don't complain that the sysfs dir can't be found when the hook failed to
+ normalize the device (another warning is shown already).
+ + If source device is mapped (for instance if it's a logical volume), put
+ its dm name into the initrd crypttab. LVM2's local-block script doesn't
+ work with UUIDs, and giving it a VG+LV is better anyway as we avoid to
+ activate all volumes at initramfs stage. (Closes: #902943.)
+ * debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN if null or
+ unset then no key file is copied.
+ * debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
+ + Use major:minor device IDs internally, as this facilitate discovery of
+ sysfs directories, and we don't have to take care of the udev mangling.
+ + Decode octal sequences when reading /etc/crypttab or /etc/fstab. This
+ means that key files and option values can contain blanks and special
+ characters encoded as octal sequences.
+ + Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate
+ code.
+ * debian/functions: If the key file is a symlink, warn about insecure
+ permissions of the target, not the link itself.
+ * debian/scripts/decrypt_derived: For devices with keys in the kernel
+ keyring (e.g., LUKS2 by default), refuse to derive anything.
+ * debian/patches/disable-internal-tests.patch: Add configure option
+ '--disable-internal-tests' to disable the internal test suite.
+ * debian/rules: Don't run upstream's internal test suite if
+ $DEB_BUILD_OPTIONS contains the string "skip-internal-tests". (Tests are
+ still run by default.)
+ * debian/cryptdisks-functions: Restore support for crypttab(5) entries with
+ regular files as source device. Regression since 2:2.0.3-2.
+ (Closes: #902879.)
+ * debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 07 Jul 2018 01:47:57 +0200
+
+cryptsetup (2:2.0.3-4) unstable; urgency=low
+
+ * debian/initramfs/hooks/cryptroot:
+ + Fix typo in warning message. (Closes: #901971.)
+ + sysfs_devdir(): don't croak when the normalized device pathname isn't of
+ the form /dev/$blk. This is the case in the Debian installer, where the
+ devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device
+ instead of a symlink to /dev/dm-$index.
+ + sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing the
+ sysfs directory corresponding to the device) rather than /sys/block/$blk.
+ While the latter is present for mapped devices, it's not present for
+ block devices corresponding to disk partitions. See sysfs(5) for
+ details. (Closes: #902183.)
+ + get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
+ get the UUID of a dm-crypt device's slave (it's normal with plain
+ dm-crypt devices).
+ + get_crypttab_entry(): don't warn that key file doesn't exist if it's
+ e.g., an existing character special device.
+ * debian/functions:unlock_mapping(): translate crypttab(5) option
+ 'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which
+ doesn't set the key size but the size of the device in number of 512 byte
+ sectors). Regression since 2:2.0.3-2. (Closes: #902245.)
+ * debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
+ debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count. Some
+ keyscripts (such as decrypt_keyctl) don't work properly if on first try
+ the CRYPTTAB_TRIED environment variable isn't set to 0. Regression since
+ 2:2.0.3-2. (Closes: #902116.)
+ * debian/scripts/decrypt_keyctl: replace the source device path with the
+ mapped device name in messages, to match the new askpass behavior.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 24 Jun 2018 22:48:41 +0200
+
+cryptsetup (2:2.0.3-3) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * debian/*: run wrap-and-sort(1)
+ * debian/control:
+ + Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
+ cryptsetup-run. Needed since we moved luksformat between the
+ packages. (Closes: #901773)
+ + Remove all traces of package 'cryptsetup-luks' from dependency
+ headers. This package has never been part of an official Debian
+ release and the time it existed is more than 12 years ago.
+ + Remove Conflicts/Breaks headers from the split of cryptsetup into
+ cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
+ version is from Debian Wheezy, which means that there's three
+ releases in between. We don't support dist-upgrades with skipped
+ releases anyway.
+ + Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
+ + Remove versioned depends of libcryptsetup12 on libgcrypt20 and
+ libgpg-error0. Both versions are satisfied since more than three
+ releases.
+ + Remove versioned build-depends on docbook-xsl, dpkg-dev,
+ libdevmapper-dev, libgcrypt20-dev and libtool. All versions are
+ satisfied since more than three releases.
+ * debian/*: Change maintainer contact address to @alioth-lists.debian.net.
+
+ [ Guilhem Moulin ]
+ * debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends
+ fields. (2:2.0.2-2 was never released, the version we released after the
+ package split was 2:2.0.3-1.)
+ * debian/initramfs/cryptroot-script: exit immediately when
+ /lib/cryptsetup/functions is not present. (Closes: #901830.)
+ * debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
+ manually excluding mapped devices using another subsystem.
+ * d/initramfs/hooks/cryptroot:
+ + Fix parser for cipher specifications in mapping table of crypt targets.
+ In particular, the cipher mode wasn't parsed properly, potentially
+ causing missing modules in initrd.img compiled with MODULES=dep.
+ Regression introduced in 2:2.0.3-2. (Closes: #901884.)
+ + Print a warning when the mapping table specifies the cipher in kernel
+ crypto API format ("capi:" prefix). We don't support these yet.
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 20 Jun 2018 17:22:36 +0200
+
+cryptsetup (2:2.0.3-2) unstable; urgency=medium
+
+ The "nights are long in summer" cryptsetup sprint release :-)
+
+ Guilhem and Jonas hacked together for three days (and nights), refactored
+ almost all of the cryptsetup packages, squashed (at least) 19 bugs and
+ started work on several new features. Yay!
+
+ [ Guilhem Moulin ]
+ * cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends:
+ (Closes: #901641.)
+ * debian/initramfs/*-hook: complete refactoring. Common functions are now in
+ /lib/cryptsetup/functions (source-able from shell scripts).
+ (Closes: #784881.)
+ * debian/initramfs/cryptroot-hook:
+ + Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
+ devices such as LVM2 on top of LUKS (resp. multiple device filesystems
+ such as btrfs). This approach is more robust than parsing the output of
+ `lvs` or `btrfs filesystem`.
+ + Export relevant crypttab(5) snippet (for devices that need to be
+ unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
+ + Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
+ if 1/ the CRYPTSETUP configuration option is unset or null (the
+ default), and 2/ the hook didn't detect any device to be unlocked at
+ initramfs stage. The benefit is two-fold: it guides users through the
+ package split, and warns them that their system might not reboot if the
+ hook script didn't work properly.
+ * Remove the 'decrypt_openct' keyscript since openct was last seen in
+ oldoldstable, cf. #760258 (ROM).
+ * debian/initramfs/cryptroot-script: refactoring, using functions from
+ /lib/cryptsetup/functions. (Closes: #720952, #826124.)
+ + One can disable the cryptsetup initramfs scripts for a particular boot
+ by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
+ + No longer sleep for a full minute after exceeding the maximum number of
+ unlocking tries. (This was added in 2:1.7.3-2 as an attempt to mitigate
+ CVE-2016-4484.) Instead, the script sleeps for 1 second after each failed
+ attempt in order to defeat online brute-force attacks. (Closes: #898495.)
+ * debian/README.initramfs: Remove mention that the initramfs scripts and the
+ crypsetup binary are using a different hash algorithm for plain dm-crypt
+ volumes. This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317.
+ * debian/cryptdisks.functions:
+ + Refactoring, using functions from /lib/cryptsetup/functions.
+ (Closes: #859953, #891219.)
+ + Install to /lib/cryptsetup/cryptdisks-functions.
+ * crypttab(5):
+ + Remove support for the 'precheck' option. The precheck for LUKS devices
+ is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock
+ non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known
+ filesystem (other that swap).
+ + Don't ignore the 'plain' option: disable auto-detection and treat the
+ device as a plain dm-crypt device. (Closes: #886007.)
+ + Add support for some option aliases to unify with systemd's crypttab(5)
+ options. Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is
+ an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden',
+ and 'tcrypt-veracrypt' is an alias for 'veracrypt'.
+ + Add support for 'keyfile-size=' and 'keyfile-offset=' options.
+ (Closes: #849335.)
+ + Source devices can now be specified using their PARTUUID or PARTLABEL,
+ similar to fstab(5).
+ * debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch
+ to setup readonly mappings. (Closes: #782843.)
+ * debian/scripts/cryptdisks_stop: Add support for closing multiple disks at
+ once. (Closes: #783194.)
+
+ [ Jonas Meurer ]
+ * debian/doc/crypttab.xml:
+ + Add a section about the different crypttab formats of our package and
+ the systemd cryptsetup wrapper.
+ + Document, which options are ignored by the initramfs scripts and which
+ are unsupported by the systemd implementation. (Closes: #714380)
+ + Clarify documentation of option 'tries'. It also applies when using
+ keyscripts, not only with interactive passphrases. (Closes: #826127)
+ + Make it obvious that in case a keyscript is configured, the third option
+ is passed as argument to the keyscript. Mention the optional requirement
+ to quote the value. (Closes: #826122)
+ + Some minor wording improvements.
+ * debian/control, debian/compat: Bump debhelper compatibility level to 11.
+ * debian/rules:
+ + Completely refactor the rules file, adapt to debhelper 11 style.
+ (Closes: #901713)
+ + Run the upstream build-time testsuite thanks to dh_auto_test.
+ + Move the luksformat script from cryptsetup-bin to cryptsetup-run.
+ + Install the bug-script into all packages.
+ + No longer install the sysvinit initscripts into cryptsetup-udeb.
+ + Remove many old build and compile flags, debhelper takes care of most of
+ them nowadays.
+
+ -- Jonas Meurer <jonas@freesources.org> Mon, 18 Jun 2018 02:40:41 +0200
+
+cryptsetup (2:2.0.3-1) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * Split cryptsetup package into cryptsetup-run (init scripts and libraries)
+ and cryptsetup-initramfs (initramfs integration). The 'cryptsetup'
+ package is now a transitional dummy package. (Closes: #783297.)
+ * debian/cryptsetup-run.preinst: remove logic for rm_conffile
+ /etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
+ 2:1.0.6-5.
+ * debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments
+ with crypttab(5) targets that already exist, and only complete
+ cryptdisks_start targets with crypttab(5) targets that don't exist yet.
+ (Closes: #827200.)
+ * debian/initramfs/cryptroot-hook:
+ + use copy_file() from hook-functions to copy key files to the initrd.
+ This ensures that relevant messages are printed in verbose mode.
+ (Closes: #898516.)
+ + remove backward compatibility support for setting CRYPTSETUP and
+ KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf. Since 2:1.7.2-1
+ they should be set in /etc/cryptsetup-initramfs/conf-hook.
+ + add 'algif_skcipher' kernel module to large initramfs (if the MODULES
+ variable isn't "dep"). That module is required for unlocking LUKS2
+ devices.
+
+ [ Jonas Meurer ]
+ * New upstream release 2.0.3
+ * debian/control:
+ - Bump standards-version to 4.1.4, no changes required
+ - Change my mail address to 'jonas@freesources.org'
+ - Change Vcs links to the new repository on salsa.debian.org
+ * debian/README.source: minor improvements
+ * debian/doc/crypttab.xml: Fix typo in manpage
+
+ -- Jonas Meurer <jonas@freesources.org> Fri, 15 Jun 2018 15:32:16 +0200
+
+cryptsetup (2:2.0.2-1) unstable; urgency=low
+
+ * New upstream release 2.0.2
+ * debian/initramfs/cryptroot-hook: copy libgcc_s.so.1 to the initrd, as
+ libargon2 (used by LUKS2 devices) uses pthread_cancel. (Closes: #890798.)
+ * debian/initramfs/cryptroot-script: create locking directory at initramfs
+ stage, before running the cryptsetup binary, which would create it
+ automatically but also spew a warning.
+ * debian/patches/Fix-loopaesOpen-for-keyfile-on-standard-input.patch:
+ removed as it was cherry-picked from upstream and included in 2.0.2.
+ * debian/libcryptsetup12.symbols: update with new crypt_token_is_assigned()
+ API function.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 17 Mar 2018 18:03:03 +0100
+
+cryptsetup (2:2.0.1-1) unstable; urgency=low
+
+ * New upstream release 2.0.1:
+ - Use /run/cryptsetup as default for cryptsetup locking dir.
+ - Add missing symbols for new functions to debian/libcryptsetup12.symbols.
+ * debian/copyright: update copyright years.
+ * debian/patches: backport upstream's 8728ba08 to fix opening of loop-AES
+ devices using --key-file=-. (Closes: #888162.)
+ * debian/rules: replace `autoreconf -f -i` with `dh_autoreconf` and add
+ `dh_autoreconf_clean` to the "clean:" target. This bumps the minimum
+ debhelper version to 9.20160403~ in Build-Depends. (Closes: #888742.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 11 Feb 2018 00:02:05 +0100
+
+cryptsetup (2:2.0.0-1) unstable; urgency=low
+
+ [ Guilhem Moulin ]
+ * cryptsetup-bin: Install /usr/lib/tmpfiles.d/cryptsetup.conf to create the
+ LUKS2 locking directory /run/lock/cryptsetup. For sysVinit, this is taken
+ care of by the cryptdisks-early init file.
+ * Remove debian/patches/Use-system-libargon2.patch (applied upstream).
+ * debian/README.{source,gbp.conf}: Upgrade to latest upstream conventions.
+ * debian/control: Bump Standards-Version to 4.1.3 (remove verbatim copy of
+ CC0-1.0 license from debian/copyright).
+ * debian/rules: Fix symlink target of libcryptsetup.so in libcryptsetup-dev
+ package. Thanks to Alan Fung for the report and patch. (Closes: #885435.)
+ * debian/initramfs/cryptroot-{hook,script}: Add support for 'skip' and
+ 'offset' crypttab(5) options in the initramfs script. Thanks to Pascal
+ Liehne for the report and patch. (Closes: #872342.)
+
+ [ Jonas Meurer ]
+ * debian/initramfs/cryptopensc-*: Install required libs and config files for
+ pcscd and use correct path to pcscd. Thanks to Martijn van de Streek for
+ bugreport and patch. (Closes: #880750)
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 22 Jan 2018 00:25:52 +0100
+
+cryptsetup (2:2.0.0~rc1-1) experimental; urgency=low
+
+ * debian/rules: Compile with --enable-libargon2 to use system libargon2
+ instead of bundled version.
+ * debian/control: Bump Standards-Version to 4.1.1 (no changes necessary).
+ * debian/copyright: Update licensing information.
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 01 Nov 2017 17:37:15 +0100
+
+cryptsetup (2:2.0.0~rc0-1) experimental; urgency=low
+
+ * New upstream release 2.0.0 RC0 (closes: #877566). Highlights include:
+ - Support for new on-disk LUKS2 format, offering authenticated disk
+ encrption (EXPERIMENTAL), memory-hard PBKDF (argon2), kernel keyring for
+ storage of key material, and more.
+ - New CLI `integritysetup` which can setup standalone dm-integrity devices.
+ - soname bump of libcryptsetup library.
+ * Rename library package from libcryptsetup4 to libcryptsetup12.
+ * Also remove deprecated upstart configuration files on upgrade and purge.
+ (Closes: #883677)
+ * debian/control: Bump Standards-Version to 4.1.0 (no changes necessary).
+ * debian/*: Apply wrap-and-sort(1).
+ * debian/copyright: Update copyright years.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 03 Oct 2017 03:37:36 +0200
+
+cryptsetup (2:1.7.5-1) unstable; urgency=low
+
+ * New upstream release 1.7.5.
+ * cryptroot-unlock: When the standard input is a TTY, keep prompting for
+ passphrases until there are no more devices to unlock. (Closes: #866786)
+ * cryptsetup.prerm: Don't try to call `dmsetup table` to list dm-crypt
+ devices when the dm_mod module isn't loaded. (Closes: #870673)
+ * Rename upstream signing key from debian/upstream/signing-key.asc to
+ debian/upstream-signing-key.asc in order to avoid lintian error
+ orig-tarball-missing-upstream-signature" (we use the key to verify
+ signature on upstrem's git tags).
+ * Remove deprecated upstart configuration files: /etc/init/cryptdisks.conf
+ and /etc/init/cryptdisks-udev.conf. Cf. `lintian-info --tags
+ package-installs-deprecated-upstart-configuration`.
+ * debian/cryptsetup.{postinst,postrm}: Don't hard-code path to
+ update-initramfs(1).
+ * debian/rules: Include /usr/share/dpkg/pkg-info.mk to avoid parsing
+ dpkg-parsechangelog(1) output.
+ * debian/control: Bump Standards-Version to 4.0.0 (no changes necessary).
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 14 Sep 2017 13:00:23 +0200
+
+cryptsetup (2:1.7.3-4) unstable; urgency=high
+
+ [ Guilhem Moulin ]
+ * Drop obsolete update-rc.d parameters. Thanks to Michael Biebl for the
+ patch. (Closes: #847620)
+ * debian/copyright: Fix license mismatch (docs/examples/*
+ lib/crypto_backend/* lib/loopaes/* lib/tcrypt/* lib/verity/* python/* are
+ LGPL-2.1+ not GPL-2+). (Closes: #861802)
+ * debian/initramfs/cryptroot-hook: honor RESUME={none,auto} as documented in
+ initramfs.conf(5) by initramfs-tools >=0.129. (Closes: #861074)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 09 May 2017 13:50:59 +0200
+
+cryptsetup (2:1.7.3-3) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * debian/scripts/decrypt_ssl: fix script to actually output the decrypted
+ key. Apparently this script has been broken since June 2008. Doesn't seem
+ like anybody is using it. Thanks to g1 for spotting and reporting the
+ error. (Closes: #844050)
+ * debian/initramfs/cryptroot-script:
+ + limit the sleep after max passphrase attempts to devices for the rootfs.
+ This mitigates the negative impact in case of broken keyscripts etc.
+ + add $crypttarget to each message to provide more context.
+ * debian/initramfs/cryptroot-hook: fix sanity check for key files on root
+ fs in get_device_opts(): detect if processed device is a root (parent)
+ device even for LVM setups. (closes: #842951)
+ * debian/README.initramfs: minor fix to the decrypt_derived keyscript
+ section: now that systemd is standard, 'cryptdisks_start' should be used
+ instead of '/etc/init.d/cryptdisks start'.
+ * debian/manpages/crypttab.xml: add a warning to the 'keyscript' option
+ that systemd doesn't support the option (yet) and mention the possible
+ workaround to process the devices in question in the initramfs.
+
+ [ Guilhem Moulin ]
+ * add debian/gbp.conf to set the upstream tag to "v%(version%.%_)s". As
+ this enables git-buildpackage >= 0.8.7 to automatically generate
+ orig.tar.gz, step nr. 5 is now removed from debian/README.source.
+ * debian/compat: bump debhelper compatibility version to 9.
+ * debian/initramfs/cryptroot-hook:
+ + fix tab damage for consistency with the rest of the code
+ + better warning for deprecated settings
+ + fix sanity check for key files in get_device_opts(): print a warning if
+ the key file isn't on the root FS, or if the root device is not
+ encrypted, even for LVM setups.
+ + fix sanity check for key files in get_device_opts(): print a warning if
+ the processed device is a resume device, even for LVM setups.
+ + fix runtime error in get_lvm_deps() if the first argument is either
+ missing or the empty string.
+ + reset IFS after processing $rootopts in get_device_opts(); the missing
+ linefeed in $IFS caused LVM logical volumes spaning over multiple PVs
+ not to have their parent devices detected correctly.
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 09 Dec 2016 01:18:17 +0100
+
+cryptsetup (2:1.7.3-2) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * debian/README.Debian: update authorized_keys(5) path, incorrect since
+ 2:1.7.2-1, for remote unlocking at initramfs stage using the dropbear SSH
+ server.
+
+ [ Jonas Meurer ]
+ * debian/initramfs/cryptroot-script: sleep after max passphrase attempts.
+ This mitigates local brute-force attacks and addresses CVE-2016-4484.
+ Thanks to Ismael Ripoll and Hector Marco for discovery and report.
+ - decrease $count by one in tries loop if unlocking was successful.
+ - warn and sleep for 60 seconds if the maximum allowed attempts of
+ unlocking (configured with crypttab option tries, default=3) are
+ reached.
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 07 Nov 2016 11:34:41 +0100
+
+cryptsetup (2:1.7.3-1) unstable; urgency=medium
+
+ * New upstream release 1.7.3.
+ * debian/rules: run dh_strip_nondeterminism(1p) in binary-arch rules to
+ make the package build more reproducible. Introduces a new Build-Depends
+ on dh-strip-nondeterminism. Thanks to Reiner Herrmann for bugreport and
+ patch. (Closes: #842581)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 31 Oct 2016 22:00:52 +0100
+
+cryptsetup (2:1.7.2-5) unstable; urgency=high
+
+ [ Guilhem Moulin ]
+ * debian/upstream/signing-key.asc: add upstream's armored OpenPGP key,
+ fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E 98FC.
+ * debian/watch: add "pgpsigurlmangle" option so uscan(1) can automatically
+ verify cryptographic signatures on release tarballs.
+
+ [ Jonas Meurer ]
+ * debian/initramfs/cryptroot-hook: only source crypt-hook from
+ /etc/cryptsetup-initramfs/ when present. (Closes: #841503)
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 21 Oct 2016 18:10:56 +0200
+
+cryptsetup (2:1.7.2-4) unstable; urgency=high
+
+ [ Guilhem Moulin ]
+ * debian/initramfs/cryptroot-hook:
+ + Fix warning printed for lvm devices backed by multiple dm-crypt nodes.
+ Regression introduced in 2:1.7.2-1. Thanks Zoltan Hidvegi, for the
+ patch. (Closes: #840480)
+ + Don't escape all slash characters "/" in device paths of the form
+ /dev/by-label/..., only the label itself. Regression introduced in
+ 2:1.7.2-2 as a fix for #839888.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 13 Oct 2016 23:11:45 +0200
+
+cryptsetup (2:1.7.2-3) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * debian/initramfs/cryptroot-conf: don't set CRYPTSETUP and KEYFILE_PATTERN,
+ so the (deprecated) values set in /etc/initramfs-tools aren't overridden
+ to the empty string by default. Regression introduced in 2:1.7.2-1.
+ (Closes: #839994.)
+ * debian/README.initramfs: fixed minor typo.
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 08 Oct 2016 00:01:25 +0200
+
+cryptsetup (2:1.7.2-2) unstable; urgency=medium
+
+ * debian/cryptdisks.functions: fix a nasty typo in do_start that rendered
+ systems with sysVinit unbootable. Thanks to Marc Haber for bugreport and
+ patch (Closes: #839888)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 06 Oct 2016 10:47:05 +0200
+
+cryptsetup (2:1.7.2-1) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * new upstream release 1.7.2. Highlights include:
+ - code now uses kernel crypto API backend according to new changes
+ introduced in mainline kernel. (in 1.7.1)
+ - cryptsetup now allows special "-" (standard input) keyfile handling
+ even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices. (in 1.7.1)
+ - Support activation options for error handling modes in Linux kernel
+ dm-verity module. (in 1.7.2)
+ * debian/cryptdisks.functions: use '--key-file=-' again with the tcrypt
+ extension, now that upstream issue #269 is fixed.
+ * migrate the packaging repository from SVN to Git:
+ - debian/control: Update Vcs-* fields to point to the new git repository.
+ - debian/README.source: document new repository structure and release
+ handling.
+ * debian/README.Debian, debian/NEWS: minor typo fixes.
+ * debian/rules: run pod2man --release="$(DEB_VERSION). (Closes: #839352)
+
+ [ Guilhem Moulin ]
+ * debian/control: add self to uploaders.
+ * debian/cryptdisks.functions: when iterating through the crypttab, don't
+ abort after the first disk that fails to be closed. Regression introduced
+ 2:1.7.0-1 when the filed is sourced under 'set -e'.
+ * debian/cryptdisks.functions: stop using `seq` since cryptsetup doesn't
+ depend on busybox. Instead, try again after 1, 2, 4, 8 and 16s when an
+ encrypted disk cannot be closed. (Closes: #811456)
+ * debian/cryptsetup.maintscript: add a "rm_conffile" directive to remove
+ conffile /etc/bash_completion.d/cryptdisks, obsolete since 2:1.7.0-1.
+ (Closes: #810227)
+ * debian/README.initramfs: fix typo s/initramfs-update/update-initramfs/.
+ Thanks, Stuart Prescott. (Closes: #827263)
+ * debian/rules: Add 'hardening=+pie' to DEB_BUILD_MAINT_OPTIONS to compile
+ ELF executables as PIEs.
+ * debian/control: Bump Standards-Version to 3.9.8 (no changes necessary).
+ * debian/cryptsetup.lintian-overrides: Remove unused lintian override
+ init.d-script-does-not-source-init-functions.
+ * Use /etc/crytsetup-initramfs/conf-hook for initramfs hook script
+ configuration. For backward compatibility setting CRYPTSETUP and
+ KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
+ for now, but causes the hook to print a warning.
+ This is done following the initramfs-tools maintainers' request (see
+ #807527) that hook and boot script configuration files be stored outside
+ the /etc/initramfs-tools directory. (Closes: #783393)
+ * Print a warning when private key material is to be included in the
+ initramfs image (ie, if $KEYFILE_PATTERN is not empty), and the image is
+ created with a permissive mode.
+ * Add Indonesian debconf templates translation. Thanks, Izharul Haq for the
+ patch. (Closes: #835158)
+ * debian/initramfs/cryptroot-hook: Avoid leading space in $rootdevs,
+ $resumedevs, etc.
+ * Support unlocking devices at initramfs stage using a key file stored on
+ the encrypted root FS. Note however that resume devices won't be unlocked
+ this way since the resume boot script is currently run before mounting the
+ root FS. (Closes: #776409)
+ * debian/initramfs/cryptroot-hook: Avoid undesired effects for target or
+ device names containing non-alphanumeric characters such as "." or "-":
+ + replace `grep "^$x\b"` by `awk -vx="$x" '$1==x {print}'`; and
+ + replace `echo "$x"` by printf '%s' "$x" when the argument might start
+ with a dash.
+ * debian/initramfs/cryptroot-{hook,script}, debian/cryptdisks.functions:
+ ensure slash characters "/" from device labels are escaped when
+ constructing symlinks under /dev/disk/by-label.
+ * debian/scripts/decrypt_gnupg:
+ + Remove --no-mdc-warning to display a warning if the MDC integrity
+ protection is missing.
+ + Replace "GnuPG key" by "gpg-encrypted key" in messages and
+ documentation.
+ * debian/initramfs/cryptgnupg-hook: Add support for multiple devices
+ encrypted using a gpg-encrypted key.
+ * debian/README.gnupg: Indicate that not the only the gpg-encrypted key for
+ the root FS is copied onto the initramfs, but also the ones for all
+ devices that need to be unlocked at initramfs stage.
+ * debian/initramfs/cryptroot-hook: Fix bug for device label starting with
+ "UUID=".
+
+ [ Helmut Grohne ]
+ * libcryptsetup-dev: move the .pc file to a multiarch location such that
+ cross-pkg-config can find it. (closes: #811545)
+ * Fix FTCBFS: Use host arch compiler for askpass as well. (closes: #811559)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 05 Oct 2016 20:53:09 +0200
+
+cryptsetup (2:1.7.0-2) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * Fix cryptsetup shutdown procedure on sysvinit, broken since 2:1.7.0-1 for
+ systems without active crypttab entry at the time fo the shutdown.
+ (Closes: #792552, #810380)
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 10 Jan 2016 18:45:20 +0100
+
+cryptsetup (2:1.7.0-1) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * new upstream release 1.7.0. Highlights include:
+ - cryptsetup TCRYPT mode now supports VeraCrypt devices (in 1.6.7)
+ - fix activation using (UNSECURE) ECB mode (in 1.6.7) (closes: #784129)
+ - properly support stdin "-" handling for luksAddKey for both new and old
+ keyfile parameters. (in 1.6.8)
+ - default hash function is now SHA256 (used in key derivation function
+ and anti-forensic splitter) (in 1.7.0)
+ * debian/cryptsetup.functions, debian/initramfs/cryptroot.{hook,script}: add
+ support for veracrypt option to cryptdisks initscript and cryptroot
+ initramfs script. (closes: #806290)
+ * debian/cryptdisks.functions: don't use '--key-file=-' with the tcrypt
+ extension. This fixes the tcrypt implementation in the initscript and
+ provides a workaround for upstream issue #269.
+ * debian/cryptsetup.bug-script: do not send potentially private information
+ without prior user confirmation in reportbug script. (Closes: #783298)
+ * debian/cryptsetup.apport: do not send potentially private information
+ without prior user confirmation in apport hook.
+ * debian/control, debian/NEWS: fix links to cryptsetup homepage/FAQ. Homepage
+ (and FAQ) moved from code.google.com to gitlab.com. (closes: #781674)
+ * debian/*: update hyperlinks to use https instead of http where appropriate.
+ * debian/rules, debian/post{inst,rm}: don't install cryptdisks_st{art,op}
+ symlinks to /usr/sbin if everything-in-usr directories scheme is used.
+ Thanks to Marco d'Itri for the patch. (closes: #767921)
+ * debian/scripts/luksformat: search for mkfs binaries in /usr/sbin, /usr/bin,
+ /sbin and /bin (default order in $PATH). This fixes luksformat for btrfs
+ filesystems. (closes: #805353)
+ * debian/dirs, debian/rules: install cryptdisks bash-completion script into
+ /usr/share/bash-completion/completions.
+ * debian/cryptdisks.functions: iterate over remaining open crypttab devices
+ in do_stop() in order to close dependent devices and don't freeze the
+ shutdown process. Thanks to Avatar for the patch. (closes: #792552)
+ * debian/rules: set V=1 in order to make build logs usable for blhc.
+ * debian/rules: set DEB_VERSION and DEB_DATE in a way to make cryptsetup
+ build reproducible. Thanks to Dhole and Valentin Lorentz for patches.
+ (closes: #780864, #794106)
+ * debian/cryptdisks.functions: bring the passphrase prompt in line with the
+ one from initramfs script in order to make the user experience more
+ consistent. (closes: #772943)
+ * debian/initramfs/cryptroot-script: move sanity checks of $cryptkeyscript
+ and potential expansion to '/lib/cryptsetup/askpass' to the beginning of
+ setup_mapping().
+
+ [ Guilhem Moulin ]
+ * debian/README.{Debian,remote}: remove dropbear-specific configuration and
+ point to dropbear-initramfs instead. Since version 2015.70-1, dropbear
+ ships dropbear-specific initramfs configuration and documentation in an
+ own binary package dropbear-initramfs. (closes: #801471)
+ * debian/initramfs/cryptroot-{hook,script}: add support for 'keyslot' option
+ to cryptroot initramfs script. (closes: #801479)
+ * debian/README.initramfs, debian/initramfs/cryptroot-hook: add support for
+ storing keyfiles directly in the initrd. (closes: #786578)
+ * debian/initramfs/cryptroot-hook: display a warning for invalid source
+ devices. (closes: #720515, #781955, #784435)
+ * debian/askpass.c: add plymouth support to the askpass helper command.
+ * debian/cryptdisks.functions, debian/initramfs/cryptroot-script: remove
+ special treatment of plymouth installations now that askpass supports
+ plymouth natively.
+ * debian/initramfs/cryptroot-unlock(-hook): add initramfs hook and script
+ to remotely unlock cryptroot devices. (closes: #782024, #697156)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 07 Jan 2016 02:22:33 +0100
+
+cryptsetup (2:1.6.6-5) unstable; urgency=high
+
+ * debian/cryptdisks.functions: fix the precheck for ubuntu+upstart
+ before invoking 'status cryptdisks-udev'. (closes: #773456)
+ * debian/cryptdisks.functions: fix the insufficient grep regex for
+ detecting a running cryptdisks-udev (upstart) init script.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 22 Jan 2015 21:22:08 +0100
+
+cryptsetup (2:1.6.6-4) unstable; urgency=medium
+
+ [ Simon McVittie ]
+ * debian/initramfs/cryptroot-script: decrypt /usr as well as / so that
+ split-/usr will work with initramfs-tools (>= 0.118). (closes: #767832)
+
+ [ Jonas Meurer ]
+ * debian/cryptdisks.funcctions: check for cryptdisks-udev initscript before
+ actually invoking 'status' on it. It's only useful in ubuntu+upstart
+ environment anyway. (closes: #764564)
+ * debian/askpas.c: fix systemd_read() to really strip trailing newline from
+ input. Thanks to Quentin Lefebvre for report and patch. (closes: #768407)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 17 Dec 2014 14:24:41 +0100
+
+cryptsetup (2:1.6.6-3) unstable; urgency=medium
+
+ * debian/initramfs/cryptroot-script: fix environment variable $CRYPTTAB_TRIED
+ to hold the number of actual tries instead of the number of maximum tries.
+ Thanks to Luc Maisonobe for debugging and the patch. (closes: #758788)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 07 Oct 2014 19:51:36 +0200
+
+cryptsetup (2:1.6.6-2) unstable; urgency=medium
+
+ * rename 'luksheader' option in crypttab to 'header', as it may be used for
+ different encryption modes later as well.
+ * add support for detached LUKS header to initramfs scripts. Thanks to Pablo
+ Santiago for the hint and DiagonalArg from Launchpad for patch suggestions.
+ (closes: #716652)
+ * fix support for truecrypt devices in initramfs scripts. Thanks to Lukas
+ Wunner for the patch. (closes: #748286)
+ * use blkid instead of fstype everywhere in cryptroot initramfs scripts.
+ Thanks to Pablo Santiago for the hint.
+ * debian/initramfs/cryptroot-hook: add support for 'initramfs' option to
+ crypttab. Thanks to Hugh Davenport for the patch. (closes: #697162)
+ * debian/initramfs/cryptroot-script: add support for multiple btrfs root
+ devices. This should fix the WARNING at mkinitramfs for unencrypted
+ btrfs root device(s) as well. Thanks to Jon Severinsson and Gerald Turner
+ for patches. (closes: #682751, #762268)
+ * debian/initramfs/cryptroot-script: skip missing device in initramfs after
+ dropping to the panic/emergency shell instead of looping in the panic
+ shell. Thanks to Cédric Barboiron for the patch. (closes: #762573)
+ * debian/initramfs/cryptroot-script: for LVM devices, don't set ROOT to
+ $NEWROOT in /etc/param.conf in case that /etc/param.conf already has ROOT
+ set. This is the case for flash-kernel devices. Thanks to Brandon Parker
+ for bugreport and patch. (closes: #759720)
+ * debian/initramfs/cryptroot-script: in slumber loop, retry vg_activate
+ every ten seconds. Fixes LVM on USB in cases that the USB device didn't
+ come up fast enough. (closes: #762032)
+ * fix package version number in debian/NEWS.
+ * bump standards-version to 3.9.6, no changes needed.
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 20 Aug 2014 19:59:03 +0200
+
+cryptsetup (2:1.6.6-1) unstable; urgency=medium
+
+ * new upsream version 1.6.6.
+ * add versioned dependency on cryptsetup-bin to cryptsetup. (closes: #747670)
+ * change versioned build-depends on automake to >= 1.12 to reflect upstream
+ requirements. Thanks to Joel Johnson. (closes: #740688)
+ * build and link against libgcrypt20 (>= 1.6.1). Add note about whirlpool
+ bug in older libgcrypt releases and how to deal with it to debian/NEWS.
+ * add systemd support to askpass. Thanks to David Härdeman for the patch.
+ (closes: #742600, #755074)
+ * fix initramfs cryptroot hook to not include modules unconditionally. Thanks
+ to Dmitrijs Ledkovs for bugreport and patch. (closes: #714104)
+ * fix decrypt_keyctl script to ask again in case of wrong passphrase. Thanks
+ to Dmitriy Matrosov for bugreport and patch. (closes: #748368)
+ * incorporate changes from ubuntu package:
+ - don't hardcode paths to udevadm and udevsettle.
+ - restore terminal settings in askpass.c. (closes: #714942)
+ - migrate upstart jobs to new names.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 04 Mar 2014 20:14:07 +0100
+
+cryptsetup (2:1.6.4-4) unstable; urgency=medium
+
+ * really fix plain device opening in initramfs cryptroot script this time.
+ Thanks again to Dirk Griesbach for the patch. (closes: #740592)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 03 Mar 2014 21:00:16 +0100
+
+cryptsetup (2:1.6.4-3) unstable; urgency=medium
+
+ * fix plain device opening, broken by switch to new unified open command
+ in 1.6.4-1. Thanks to Dirk Griesbach for the patch. (closes: #740592)
+ * update italian debconf translations, thanks to Italian l10n team and
+ Francesca Ciceri. (closes: #740557)
+ * remove trailing whitespaces from text files.
+ * some minor packaging fixes thanks to lintian checks:
+ - fix VCS-* fields in debian/control to use canoncial URIs.
+ - remove empty directory from libcryptsetup4 package.
+ - add lintian-override for init.d-script-not-included-in-package.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 02 Mar 2014 13:51:35 +0100
+
+cryptsetup (2:1.6.4-2) unstable; urgency=medium
+
+ * fix libcryptsetup.so symlink. Thanks to Michael Biebl. (closes: #740484)
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 02 Mar 2014 01:33:39 +0100
+
+cryptsetup (2:1.6.4-1) unstable; urgency=low
+
+ * new upstream version 1.6.4.
+ - minor fixes in cryptsetup manpage. (closes: #725131)
+ - by default verify new passphrase in luksChangeKey and luksAddKey
+ commands (closes: #728302)
+ - cryptsetup releases are released on kernel.org since 1.6.4. Change
+ debian/watch accordingly.
+ * use compiled defaults for cypher, keysize and hash in luksformat script
+ * improvements to docs (thanks to Christoph Anton Mitterer):
+ - small improvement to explanation for CRYPTTAB_TRIED environment variable
+ in crypttab manpage
+ - update cipher, size and hash settings in examples (closes: #714331)
+ - replace '/dev/hdX' devices with '/dev/sdX' in examples
+ - full path to keyscripts in /lib/cryptsetup/scripts not needed in examples
+ * update init and initramfs scripts to use new open syntax (closes: #714395)
+ * add scripts/local-block/cryptroot in order to support event based block
+ device handling. Thanks to Goswin von Brederlow (closes: #678692)
+ * add support for TCRYPT device handling to cryptdisks init and cryptroot
+ initramfs scripts. (closes: #722509)
+ * improve passphrase prompt in cryptroot initramfs script. Thanks to Joachim
+ Breitner. (closes: #728080)
+ * add support for detached luks header to cryptdisks init script. Thanks to
+ Ximin Luo. (closes: #716652)
+ * enhance docs about remote unlocking feature. Thanks to Karl O. Pinc.
+ (closes: #715487, #714952)
+ * update README.keyctl docs: since linux kernel 2.6.38, dm-crypt is not
+ single-threaded any longer. (closes: #714806)
+ * don't sleep between retries in cryptroot initramfs script. (closes: #715525)
+ * add multi-arch support. Thanks to Shawn Landden. (closes: #696008, #732099)
+ * suggest keyutils. Thanks to Nikolaus Rath. (closes: #734133, #735496)
+ * fix initramfs/cryptroot-hook to support more than one lvm source devices.
+ Thanks to Jens Reinsberger for the patch. (closes: #659688, #737686)
+ * bump standards-version to 3.9.5, no changes needed.
+ * override lintian false positives for init scripts:
+ - init.d-script-does-not-implement-optional-option status
+ - init.d-script-does-not-source-init-functions
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 28 Jun 2013 12:14:55 +0200
+
+cryptsetup (2:1.6.1-1) unstable; urgency=low
+
+ [ Milan Broz ]
+ * new upstream version. (closes: #704827, 707997)
+ - default LUKS encryption mode is XTS (aes-xts-plain64) (closes: #714331)
+ - adds native support for Truecrypt and compatible on-disk format
+ - adds benchmark command
+ - adds cryptsetup-reencrypt, a tool to offline reencrypt LUKS device
+ - adds veritysetup, a tool for dm-verity block device verification module
+ * install docs/examples into docs at cryptsetup-dev package.
+ * fix compilation warnings in askpass.c.
+
+ [ Steve Langasek ]
+ * fix upstart jobs to not cause boot hangs when actually used in
+ conjunction with startpar. (closes: #694499, #677712).
+ * in connection with the above, make the cryptdisks-early job explicitly
+ wait for 'umountfs' on shutdown just like cryptdisks does; otherwise,
+ the teardown of the cryptdisks upstart job may cause the cryptdisks-early
+ init script run before we're done unmounting filesystems.
+
+ [ Jonas Meurer ]
+ * minor wording fixes to README.initramfs, suggested by intrigeri and Adam
+ D. Barrett.
+ * add bash-completion script for cryptdisks_{start,stop}. Thanks to Claudius
+ Hubig for providing a patch. (closes: #700777)
+ * support specifying key-slot in crypttab. Thanks to Kevin Locke for the
+ patch. (closes: #704470)
+ * remove evms support code from cryptroot initramfs script. (closes: #713918)
+ * fix location of keyscripts in initramfs documentation. (closes: #697446)
+ * fix a typo in decrypt_ssl script that prevented stdout from beeing
+ redirected to /dev/null. (closes: #700285)
+ * give full path to blkid in crytproot initramfs script. (closes: #697155)
+ * export number of previous tries from cryptroot and cryptdisks to
+ keyscript. Thanks to Laurens Blankers for the idea. Opens the possibility
+ to fallback after a given number of tries for keyscripts. (closes: #438481,
+ #471729, #697455)
+ * improve check for cpu hardware encryption support in initramfs cryptroot
+ hook. (closes: #714326)
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 28 Jun 2013 12:10:41 +0200
+
+cryptsetup (2:1.4.3-4) unstable; urgency=medium
+
+ * change recommends for busybox to busybox | busybox-static. Thanks to
+ Armin Haas for the bugreport. (closes: #692151)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 07 Nov 2012 16:12:25 +0100
+
+cryptsetup (2:1.4.3-3) unstable; urgency=medium
+
+ * add recommends for 'kbd, console-setup' to cryptsetup package. Both are
+ necessary to support local keymap in initramfs. Thanks to Raphaël Hertzog
+ for the bugreport. (closes: #689722)
+ * move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool,
+ busybox' to recommends. Both are required for encrypted root fs.
+ * remove suggestion for udev, most debian systems have it installed anyway.
+ * mention option to use UUID=<luks_uuid> for source device in crypttab(5).
+ Thanks to Felicitus for the bug report. (closes: #688786)
+ * add a paragraph in README.initramfs: Describe, why renaming the target
+ name is not supported for encrypted root devices. Thanks to Adam Lee for
+ bugreport and proposed workaround for this limitation. (closes: #671037)
+ * fix keyfile permission checks in cryptdisks init scripts to follow
+ symlinks. Thanks to intrigeri for the bugreport. (closes: #691517)
+ * fix owner group check for keyfile in cryptdisks init scripts to really
+ check owner group.
+ * update debconf translations:
+ - brasilian portuguese, thanks to Adriano Rafael Gomes. (closes: #685762)
+ - japanese, thanks to victory. (closes: #690784)
+ * fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for
+ the bugreport. (closes: #684086)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 01 Nov 2012 15:34:09 +0100
+
+cryptsetup (2:1.4.3-2) unstable; urgency=medium
+
+ * fix the shared library symbols magic: so far, the symbols file for
+ libcryptsetup4 included just a wildcard for all exported symbols, with
+ libcrypsetup4 (>= 2:1.4) as minimum version. This was wrong. Symbols
+ that were added later need adjusted minimum versions. Thanks for the
+ great help in #debian-mentors. (closes: #677127)
+ * remove emtpy directory /lib from cryptsetup-bin package.
+ * compile askpass and passdev with CFLAGS, CPPFLAGS and LDFLAGS.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 12 Jun 2012 21:26:18 +0200
+
+cryptsetup (2:1.4.3-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * mention limitations for keyscripts in crypttab(5) manpage: keyscripts
+ must not depend on binaries/files which are part of the to-be-unlocked
+ device. (closes: #665494)
+ * bump versioned build-dependency on debhelper now that we install
+ upstart initscripts in debian as well.
+ * change versioned breaks/replaces for cryptsetup-bin on cryptsetup to
+ 1.4.3-1~, fixing upgrades in debian.
+
+ [ Jean-Louis Dupond ]
+ * New upstream version. (closes: #670071)
+ - Fix keyslot removal (closes: #672299)
+ - Add -r to cryptsetup.8 (closes: #674027)
+ * Split up package in cryptsetup and cryptsetup-bin.
+ * I'm now co-maintainer (closes: #600777).
+ * Start cryptdisks-enable upstart job on 'or container', to let us
+ simplify the udevtrigger job.
+ * debian/cryptdisks.functions: handle the case where crypttab contains a
+ name for the source device that is not the kernel's preferred name for
+ it (as is the case for LVs). (Thanks Steve Langasek)
+ * debian/cryptdisks.functions: fix a race condition in some cases by
+ adding and udevadm settle before rename.
+ * debian/cryptdisks.functions: add UUID & LABEL support to do_start.
+ * debian/copyright: really fix lintian warning.
+ * debian/rules: also include upstart files in debian.
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 08 Jun 2012 13:42:51 +0200
+
+cryptsetup (2:1.4.1-3) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * finally add back support for configuration of custom rootfs-devices through
+ the boot parameter 'root' to initramfs cryptroot script. Thanks a lot to
+ August Martin for the bugreport as well as continuously debugging and
+ providing patches. (closes: #546610)
+ * use blkid instead of fstype to detect the content of devices in initramfs
+ cryptroot script. Unfortunately fstype doesn't recognize md-raid devices,
+ which leads to errors with encrypted devices on top of software raid.
+ * check whether $NEWROOT already exists before actually invoking cryptsetup
+ in initramfs cryptroot script. (closes: #653241)
+ * fix conditions for prechecks at do_noluks() in cryptdisks.functions. Should
+ prevent data loss with encrypted swap in most cases. (closes: #652497)
+ * change default value for tmpfs and examples from ext2 to ext4.
+ * minor code cleanup.
+ * update debconf translations:
+ - russian, thanks to Yuri Kozlov. (closes: #661303)
+ - spanish, thanks to Camaleón. (closes: #661316)
+
+ [ Jean-Louis Dupond ]
+ * fix watch file.
+ * always add aesni module to initramfs if we have hardware aes support.
+ (closes: #639832).
+ * debian/copyright: fix lintain warning.
+ * add upstart scripts for ubuntu.
+ * silent warnings on kernels without kernel/{arch,crypto}.
+ * add crypttab_start_one_disk in function script to handle udev startup
+ in ubuntu.
+ * bump standards-version to 3.9.3, no changes needed.
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 11 Apr 2012 23:55:35 +0200
+
+cryptsetup (2:1.4.1-2) unstable; urgency=low
+
+ * acknowledge NMU. Thanks to Michael Biebl. (closes: #659182)
+ * don't print error for non-encrypted rootfs in initramfs cryptroot hook.
+ Thanks to Jamie Heilman and Christoph Anton Mitterer for bugreports.
+ (closes: #659087, #659106)
+ * use dmsetup splitname to extract VG name from $node in initramfs cryptroot
+ hook. Thanks to Kai Weber for the bugreport, Milan Broz and Claudio
+ Imbrenda for suggestions and patches. (closes: #659235)
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 12 Feb 2012 15:51:11 +0100
+
+cryptsetup (2:1.4.1-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix dangling .so symlink. Don't hard code the library version but use
+ readlink instead to determine where the .so symlink should point at.
+ (closes: #659182)
+
+ -- Michael Biebl <biebl@debian.org> Sat, 11 Feb 2012 04:32:01 +0100
+
+cryptsetup (2:1.4.1-1) unstable; urgency=low
+
+ * new upstream release (1.4.0 + 1.4.1) (closes: #647851)
+ - fixes typo in german translation. (closes: #645528)
+ - remove patches, all incorporated upstream.
+ - soname bump, rename library package to libcryptsetup4
+ * check for busybox in initramfs cryptroot hook, and install the sed binary
+ in case it's either not installed or not activated. (closes: #591853)
+ * add checks for 'type $KEYSCRIPT' to initscripts cryptdisks.functions, and
+ to cryptroot initramfs script/hook. this adds support for keyscripts inside
+ $PATH. thanks to Ian Jackson for the suggestion. (closes: #597583)
+ * use argument '--sysinit' for vgchange in cryptroot initramfs script. Thanks
+ to Christoph Anton Mitterer for the suggestion.
+ * add option for discard/trim features to crypttab and initramfs scripts.
+ Thanks to intrigeri and Peter Colberg for patches. (closes: #648868)
+ * print $target on error in initramfs hook. Thanks to Daniel Hahler for the
+ bugreport. (closes: #648192)
+ * add a warning about using decrypt_derived keyscript for devices with
+ persistent data. Thanks to Arno Wagner for pointing this out.
+ * remove quotes from resume device candidates at get_resume_devs() in
+ initramfs hook script. Thanks to Johannes Rohr. (closes: #634017)
+ * support custom $TABFILE, thanks to Douglas Huff. (closes: #638317)
+ * fix get_lvm_deps() in initramfs cryptroot hook to add all physical volumes
+ of lvm volume group that contains the rootfs logical volume, even if the
+ rootfs is lv is not spread over all physical volumes. Thanks to Christian
+ Pernegger for bugreport and patch. (closes: #634109)
+ * debian/initramfs/cryptroot-script: Move check for maximum number of tries
+ behind the while loop, to make the warning appear in case that maximum
+ number of tries is reached. Thanks to Chistian Lamparter for bugreport and
+ patch. (closes: #646083)
+ * incorporate changes to package descriptions and debconf templates that
+ suggested by debian-l10n-english people. Special thanks go to Justin B Rye.
+ * acknowledge NMU, thanks a lot to Christian Perrier for his great work on
+ the i18n front. (closes: #633105, #641719, #641839, #641947, #642470,
+ #640056, #642540, #643633, #643962, #644853)
+ * add and update debconf translations:
+ - italian, thanks to Milo Casagrande, Francesca Ciceri. (closes: #656933)
+ - german, thanks to Erik Pfannenstein. (closes: #642147)
+ - spanish, thanks to Camaleón. (closes: #658360)
+ - russian, thanks to Yuri Kuzlov (closes: #654676)
+ * set architecture to linux-any, depends on linux kernel anyway. Thanks to
+ Christoph Egger. (closes: #638257)
+ * small updates to the copyright file.
+ * add targets build-indep and build-arch to debian/rules, thanks to lintian.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 05 Feb 2012 03:17:59 +0100
+
+cryptsetup (2:1.3.0-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix pending l10n issues. Debconf translations:
+ - French (Julien Patriarca). Closes: #633105
+ - Vietnamese (Hung Tran). Closes: #641719
+ - Portuguese (Miguel Figueiredo). Closes: #641839
+ - Russian (Yuri Kozlov). Closes: #641947
+ - Swedish (Martin Bagge / brother). Closes: #642470,#640056
+ - Czech (Michal Simunek). Closes: #642540
+ - Dutch; (Jeroen Schot). Closes: #643633
+ - Spanish; (Camaleón). Closes: #643962
+ - Danish (Joe Hansen). Closes: #644853
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 25 Dec 2011 19:00:24 +0100
+
+cryptsetup (2:1.3.0-3) unstable; urgency=low
+
+ * drop the loopback magick from cryptdisks scripts. Mario 'Bitkoenig' Holbe
+ pointed out, that auto-destruction support was added to the loopback driver
+ with kernel 2.6.25. Given, that even lenny has a more recent kernel,
+ support for kernels < 2.6.25 is not required any more. (closes: #626458)
+ * add debconf question 'prerm/active-mappings' with priority high to prerm
+ maintainer script. will warn about active dm-crypt mappings before the
+ package is removed/purged. (closes: #626641)
+ * add lintian-override for 'cryptsetup: no-debconf-config', as the debconf
+ question in prerm doesn't require a debconf config script.
+ * add debian/patches/03_create_fix_keyfile.patch. (closes: #626738)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 19 May 2011 20:50:08 +0200
+
+cryptsetup (2:1.3.0-2) unstable; urgency=low
+
+ * fix changelog of 2:1.3.0-1 release, thanks to Thorsten Glaser for the hint
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 12 May 2011 03:06:46 +0200
+
+cryptsetup (2:1.3.0-1) unstable; urgency=low
+
+ * new upstream release
+ - automatically allocates loopback device for container files. update the
+ cryptdisks functions to only setup loopback device for kernel < 2.6.35.
+ otherwise, let cryptsetup do the magic itself.
+ - introduces maximum default keyfile size, see --help for value. manually
+ set the keyfile size with --keyfile-size in order to overwrite the limit.
+ - adds luksChangeKey command for changing passphrase/keyfile in one step
+ - adds loopAES compatibility command loopaesOpen
+ - remove d/patches/01_luksAddKey_return_code.patch, incorporated upstream
+ * add gettext support to luksformat script. Thanks to intrigeri for initial
+ patch, and adduser sources for implementation ideas. (closes: #558405)
+ * fix KEYSCRIPT checks in cryptdisks.functions for empty values.
+ * update REAMDE.gnupg and initramfs cryptgnupg hook script:
+ - warn about keys being copied to initramfs.
+ - fix the documentation to provide working examples.
+ * update README.Debian and related documentation:
+ - add a section about the 'special' keyscripts askpass and passdev
+ (closes: #601314)
+ - update several sections, remove reference to lenny
+ * add debian/patches/01_create_fix_size.patch, to fix a regression in 1.2.0
+ where the size argument was ignored for create command (closes: #624828)
+ * add debian/patches/02_manpage.patch, escapes minus signs in manpage
+ * remove usplash support from cryptroot initramfs script, askpass and
+ keyscripts, add plymouth support to keyscripts. (closes: #620923)
+ * ignore options like cipher, hash, size, etc. for luks commands in
+ cryptdisks. mention this in the crypttab manpage. (closes: #619249)
+ * again check for existance of /lib/cryptsetup/cryptdisks.functions before
+ sourcing it in cryptdisks(-early).init. required if cryptsetup is removed
+ but not purged, where initscripts are still around. (closes: #625468)
+ * bump standards-version to 3.9.2, no changes needed.
+ * debian/libcryptsetup1.symbols: update, 1.3.0 adds new function symbols
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 11 May 2011 14:45:42 +0200
+
+cryptsetup (2:1.2.0-2) unstable; urgency=low
+
+ * upload to unstable.
+ * fixes a ftbfs due to updated libgpg-error and libgcrypt11 build-
+ dependencies. (closes: #614530)
+ * install cryptkeyctl initramfs hook, needed for keyctl keyscript in
+ initramfs, thanks to Maik Zumstrull (closes: #610750)
+ * use 'egrep -c' instead of wc in cryptdisks_st* scripts, wc might not be
+ available as it's located at /usr/bin. Thanks to Mario 'BitKoenig' Holbe
+ for bugreport and patch. (closes: #611747)
+ * add debian/patches/01_luksAddKey_return_code.patch, fixes the luksAddKey
+ return code when the master key is used. (closes: #610366)
+ * fix luksformat script to invoke usage() with --help. (closes: #612947)
+ * add a paragraph about known upgrade issues to the crypttab manpage. this
+ paragraph strongly suggests to configure cipher, hash and keysize for
+ plain dm-crypt devices. (closes: #612452)
+ * fix examples in crypttab manpage, cipher, hash and keysize should be
+ configured for plain dm-crypt devices.
+ * luksformat: invoke udevadm settle between mkfs.vfat and luksClose, to
+ prevent possible race conditions. This is a workaround. (closes: #601886)
+ * update lintian-overrides for new lintian from experimental.
+ * fix spelling mistake in README.Debian thanks to lintian.
+ * update short and long description for udebs to mention udeb and
+ debian-installer. This satisfies lintian.
+ * fix get_resume_device() in initramfs cryptroot hook script to add source
+ device for decrypt_derived keyscript in case it's not the root device.
+ Thanks to Robert Lange and mahashakti89 for bugreport. (closes: #592430)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 07 Mar 2011 23:52:13 +0100
+
+cryptsetup (2:1.2.0-1) experimental; urgency=low
+
+ * new major upstream release (closes: #603804)
+ - adds text version of FAQ
+ - adds new options --use-random and --use-urandom for MK generation
+ - fixes luksRemoveKey to not ask for remaining keyslot passphrase
+ - no longer supports luksDelKey command (replaced by luksKillSlot)
+ - no longer supports reload command, dmsetup reload should be used instead
+ - adds support to change the UUID later (with --uuid cmd option)
+ - adds --dump-master-key option for luksDump command
+ - no luksOpen, luksFormat and create for open devices (closes: #600208)
+ - remove debian/patches/01_manpage.patch, incorporated upstream
+ - and many more changes, see upstream changelog for further information
+ - update debian/libcryptsetup1.symbols
+ * invoke update-initramfs at cryptsetup removal in order to not leave behind
+ a broken initramfs. thanks to ubuntu for the hint.
+ * link dynamically against libgcrypt11 and libgpg-error0 now that the
+ libraries have been moved to /lib. add versioned depends for libcryptsetup1
+ on (libgcrypt >= 1.4.6-2) and libgpg-error0 (>= 1.10-0.1).
+ * debian/initramfs/cryptroot-script: prereq 'cryptroot-prepare' added in
+ order to support cryptroot to depend on custom initramfs scripts. thanks
+ to Marc Haber for the suggestion. (closes: #601311)
+ * debian/cryptdisks.functions:
+ + fix check for ownership and permissions of $key to work with slighly
+ different output of 'ls -l' with selinux enabled. (closes: #600522)
+ + fix $TRIES implementation to support TRIES=0 again. (closes: #602501)
+ * change 'echo -e' to 'printf' in debian/initramfs/cryptroot-script. thanks
+ to checkbashisms script devscripts for spotting that bashism.
+ * add a libcryptsetup1-udeb library package for debian-installer in order to
+ satisfy cryptsetup-udeb dependencies with dynamically linked binary.
+ Version the build-depends on libgcrypt11-dev to (>= 1.4.6-3), to satisfy
+ udeb library dependencies.
+ * change 'XC-Package-Type: udeb' to 'Package-Type: udeb' in debian/control
+ * add debian/cryptsetup.apport from Ubuntu, install only for dist=Ubuntu.
+ build-depends on dpkg-dev (>= 1.15.1) is required for this to work.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 16 Jan 2011 01:01:03 +0100
+
+cryptsetup (2:1.1.3-4) unstable; urgency=high
+
+ * bump standards-version to 3.9.1, no changes required
+ * add patches/01_manpage_units: mention units (512b sectors) for -o option
+ in man page. (closes: #584174)
+ * move cryptdisks_st* scripts from /usr/sbin to /sbin, add symlinks for
+ compatibility reasons. thanks to Mario 'BitKoenig' Holbe. (closes: #589800)
+ * add decrypt_keyctl keyscript and initramfs hook from Michael Gebetsroither,
+ which supports to cache a passphrase for later use. (closes: #563961)
+ * invoke /sbin/lvm with full path in cryptroot initramfs script. thanks to
+ Bernd Zeimetz. (closes: #597648)
+ * print out a warning at initramfs cryptroot hook in case that detection of
+ canonical device failed. (closes: #594092)
+ * add manpage fixes, thanks to Stephen Gildea for patch. (closes: #598237)
+ * fix deprecated ext2 wrapper checkscript to succeed for ext2, ext3, ext4
+ and ext4dev filesystems. (closes: #595331)
+ * again remove duplicates from debian/NEWS.
+ * truncate trailing spaces for some variables at initramfs cryptroot hook.
+ * remove volume group -guessing magic from initramfs scripts and hooks,
+ instead activate all available lvm volume groups. thanks to Christoph
+ Anton Mitterer for the suggestion. (closes: #554506, #591626)
+ * remove /etc/bash_completion.d from debian/cryptsetup.dirs
+ * set urgency=high as this upload fixes two release-critical bugs.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 04 Nov 2010 20:36:45 +0100
+
+cryptsetup (2:1.1.3-3) unstable; urgency=low
+
+ * fix usage of new variable $DEFAULT_LOUD, and some cosmetical changes.
+ thanks to Mario 'BitKoenig' Holbe. (closes: #589029)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 22 Jul 2010 12:56:01 +0200
+
+cryptsetup (2:1.1.3-2) unstable; urgency=low
+
+ * introduce new $INITSTATE 'manual' for cryptdisks_st* scripts. that way,
+ noauto devices are processed again by cryptdisks_st* scripts.
+ (closes: #588697, #588698, #589153, #589798)
+ * introduce new variable $DEFAULT_LOUD. now the 'loud' option in crypttab
+ affects only the device in question. thanks to Mario 'BitKoenig' Holbe.
+ * introduce new crypttab option 'quiet' which overwrites and unsets the
+ 'loud' option. thanks to Mario 'BitKoenig' Holbe. (closes: #589029)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 21 Jul 2010 10:42:49 +0200
+
+cryptsetup (2:1.1.3-1) unstable; urgency=low
+
+ * new upstream release:
+ - fix device alignment ioctl calls parameters for archs like ppc64.
+ - fix activate_by_* API calls to handle NULL device name as documented
+ - fix udev support for old libdevmapper with not compatible definition
+ * fix rm_lo_setup() in cryptdisks.functions for failed device setup. thanks
+ to Roger Pettersson. (closes: #581712)
+ * add X-Stop-After headers to cryptdisks(-early) initscripts. this fixes
+ shutdown process for system without encrypted rootfs at least. thanks to
+ Alfredo Finelli. (closes: #575652)
+ * more merges from ubuntu, thanks to and Steve Langasek (closes: #575024):
+ - debian/cryptdisk.functions: initially create the device under a temporary
+ name and rename it only at the end using 'dmsetup rename', to ensure that
+ upstart/mountall doesn't see our device before it's ready to go.
+ LP: #475936.
+ - cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for
+ changing the permissions of the filesystem root, not directly on /tmp,
+ since mounting on /tmp a) is racy, b) confuses mountall something fierce.
+ LP: #475936.
+ * fix manpage checkscripts documentation. clarify that both cryptdisks and
+ cryptroot invoke checkscripts. thanks Christoph Anton Mitterer.
+ * remove quotes from $KEYSCRIPT invokation, thanks Alexandre Rossi.
+ (closes: #585099)
+ * fix support for commandline options to mkfs in luksformat. thanks to Eduard
+ Bloch again for bugreport and patch. (closes: #585787)
+ * remove duplicates from debian/NEWS, thanks Steve Langasek (closes: 586019)
+ * improve documentation on environment variables in cryptdisks.default and
+ crypttab manpage. thanks Christoph Anton Mitterer. (closes: #585664)
+ * several improvements to (pre)check scripts, inspired by scripts from
+ Christoph Anton Mitterer (closes: #585418, #585496)
+ - checkscripts exit with error 1 if executables aren't available.
+ - ext2, swap and xfs scripts are deprecated and invoke blkid script.
+ - drop filtering of minix filesystem in blkid, util-linux 2.17.2 in debian
+ - remove *vol_id check scripts, vol_id isn't available in debian any longer
+ - don't use sed in *blkid check scripts any longer
+ * fix initramfs/cryptroot-hook to canonicalize $device in get_resume_devices
+ function. this should really weed out all duplicates. (closes: #586122),
+ and catch all udev/device-mapper symlink setups as well (closes: #554506)
+ * bash-completion file now in pck bash-completion (closes: #586299, #586162)
+ * add a paragraph about the boot order of init scripts to README.Debian,
+ describing the current catch-22 situation. (closes: #576646)
+ * initscripts and cryptdisks_st* no longer silently quit in case that include
+ file /lib/cryptsetup/cryptdisks.functions is missing. (closes: #587220)
+ * fix cryptdisks-early LSB headers to restore legacy boot sequence order.
+ mdadm-raid was started before cryptdisks-early. (closes: #587224)
+ * cryptdisks initscript now raises a warning for failed started devices, and
+ cryptdisks-early initscript raises a warning for failed stopped devices.
+ this makes the initscript actions far more transparent to users. same holds
+ for cryptdisks_st*. thanks to Christoph Anton Mitterer. (closes: #587222)
+ * remove lintian overrides init.d-script-should-depend-on-virtual-facility
+ as lintian lintian 2.4.2 has fixed #580082.
+ * bump standards-version to 3.9.0, remove version information from replaces/
+ provides/conflicts against cryptsetup-luks, change conflicts against
+ hashalot (<= 0.3-1) to breaks hashalot (<< 0.3-1) and add replaces.
+ * fix loads of typos, thanks to Christoph Anton Mitterer. (closes: #588068)
+ * update copyright years and list Milan Broz in debian/copyright
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 10 Jul 2010 14:32:40 +0200
+
+cryptsetup (2:1.1.2-1) unstable; urgency=low
+
+ * new upstream release, changes include:
+ - Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
+ (closes: #583397)
+ - Add verbose log level and move unlocking message there.
+ - Remove device even if underlying device disappeared (remove, luksClose).
+ (closes: #554600, #574126)
+ - Fix (deprecated) reload device command to accept new device argument.
+ * merged from ubuntu:
+ - if plymouth is present in the initramfs, use this directly, bypassing
+ the cryptsetup askpass script
+ - start usplash in initramfs, since we need it for fancy passphrase input
+ - Set FRAMEBUFFER=y in cryptroot-conf, to pull plymouth into the initramfs
+ - debian/initramfs/cryptroot-hook: Properly anchor our regexps when
+ grepping /etc/crypttab so that we don't incorrectly match device names
+ that are substrings of one another.
+ - debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot
+ file descriptor to subprocesses.
+ * sync list of supported filesystems in passdev.c and cryptpassdev-hook
+ * fix debian/watch file to work with updated code.google.com download page
+ * stop building and shipping static libs (closes: #583387, #583471)
+ * improve documentation on (pre)checks in manpage. (closes: #583568, #583567)
+ * remove xfs and ext2 check scripts documentation from crypttab manpage,
+ blkid script can be used. thanks Christoph Anton Mitterer (closes: #583570)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 01 Jun 2010 15:37:50 +0200
+
+cryptsetup (2:1.1.1-1) unstable; urgency=low
+
+ * new upstream release, changes include:
+ - detects and uses device-mapper udev support if available
+ - fix luksOpen reading of passphrase on stdin if "-" keyfile specified
+ - fix isLuks to initialise crypto backend (closes: #578979)
+ - fix luksClose operation for stacked DM devices
+ * remove all patches, they have all been merged upstream
+ * redirect output of copy_exec in add_device() from initramfs cryptroot
+ hook to stderr. fixes verbose run of mkinitramfs. (closes: #574163)
+ * acknowledge NMU. thanks to maximilian attems. (closes: #576488)
+ * change default for random key from /dev/random to /dev/urandom in
+ README.Debian, extend explanation. (closes: #579932)
+ * add comment to crypttab manpage about how to disable (pre)checks.
+ (closes: #574948)
+ * fix cryptdisks.functions to print cryptsource and crypttarget again at
+ the passphrase prompt. (closes: #578428)
+ * reorder build-depends, add pkg-config, change automake1.9 to automake
+ * add new lintian overrides
+ * switch to new dpkg source format "3.0 (quilt)", use upstream bzip tarball
+ * add ${misc:Depends} to depends for libcryptsetup-dev
+ * remove UID checks from initscripts, as these aren't meant to be invoked by
+ users anyway, and the UID checks introduced dependency on /usr filesystem.
+ * use grep -s for /etc/fstab in initramfs/cryptroot-hook. (closes: #580756)
+ * note that fs modules fore passdev devices need to be added to initramfs
+ in README.initramfs (closes: #580898)
+ * merged from ubuntu:
+ - Fix grammar error in debian/initramfs/cryptroot-script (closes: #581973)
+ * add busybox to suggests, thanks to martin michlmayr. (closes: #582914)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 26 May 2010 23:38:01 +0200
+
+cryptsetup (2:1.1.0-2.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+
+ [ Martin Pitt ]
+ * debian/initramfs/cryptroot-script: (closes: #576488)
+ - Source /scripts/functions after checking for prerequisites.
+ - prereqs(): Do not assume we are running within initramfs, and calculate
+ relative path correctly.
+
+ -- maximilian attems <maks@debian.org> Thu, 08 Apr 2010 01:37:17 +0200
+
+cryptsetup (2:1.1.0-2) unstable; urgency=low
+
+ * fix version in NEWS.Debian: 2:1.1.0~rc2-1 instead of 2:1.0.7-3.
+ * remove 'NOT RELEASED YET' from 2:1.1.0-1 changelog
+ * capitalize names in changelog
+ * mention the old default plain mode in changelog and NEWS, add a note that
+ debian-installer setups can ignore the warning, and warn for plain dm-crypt
+ mappings in crypttab that don't have set cipher, hash and size.
+ (closes: #573103, #573261)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 16 Mar 2010 13:44:50 +0100
+
+cryptsetup (2:1.1.0-1) unstable; urgency=low
+
+ * new upstream stable release (1.1.0), notable changes since rc2:
+ - default key size for LUKS changed from 128 to 256 bits
+ - default plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256
+ - key slot and key diggest iteration minimum set to 1000
+ - convert hash name to lower case in header
+ * update patch 02_manpage
+ * add more supported filesystems to passdev.c, isofs->iso9660. thanks to
+ Christoph Anton Mitterer. (closes: #557405)
+ * update to standards-version 3.8.4, no changes needed
+ * accept spaces in $opts at postinst script. (closes: #559184)
+ * set extended $PATH in cryptdisks.functions. thanks to Christoph Anton
+ Mitterer. (closes: #557329)
+ * fix huge initramfs for archs which don't have kernel/arch directory.
+ thanks to martin michlmayr for bugreport and patch. (closes: #559510)
+ * support commandline options to mkfs in luksformat. thanks to Eduard
+ Bloch for bugreport and patch. (closes: #563975)
+ * extend error messages for evms setup in cryptroot-script
+ * add 03_luksAddKey.patch, to not verify unlocking passphrase in luksAddKey
+ command. (closes: #570418)
+ * add 04_crypto_init.patch, to properly initialise crypto backend in header
+ backup/restore commands.
+ * change build-dependency on cvs to new autopoint package (closes: #572463)
+ * rename decrypt_gpg keyscript to decrypt_gnupg, improve it based on ideas
+ by Christoph Anton Mitterer, mention the keyscript rename in NEWS.Debian.
+ Also, provide a initramfs cryptgnupg hook script. Thanks to Christoph
+ Anton Mitterer for bugreport and ideas. (closes: #560034)
+ * check for root privileges with '/usr/bin/id -u' in init scripts and
+ cryptdisks_{start|stop}. (closes: #563162)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 08 Mar 2010 14:15:35 +0100
+
+cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low
+
+ * new upstream release candidate (1.1.0-rc2), highlights include:
+ - new libcryptsetup API (documented in libcryptsetup.h)
+ - luksHeaderBackup and luksHeaderRestore commands (closes: #533643)
+ - use libgcrypt, enables all gcrypt hash algorithms for LUKS through
+ -h luksFormat option (closes: #387159, #537385)
+ - new --master-key-file option for luksFormat and luksAddKey
+ - use dm-uuid for all crypt devices, contains device type and name now
+ (closes: #548988, #549870)
+ - command successful messages moved to verbose level (closes: #541805)
+ - several code changes to improve speed of luksOpen (closes: #536415)
+ - luksSuspend and luksResume commands
+ * remove unneeded patches 03_read_rework and 04_no_stderr_success, update
+ 02_manpage for new upstream release candidate.
+ * update patch to comply with DEP-3 (http://dep.debian.net/deps/dep3/)
+ * fix initramfs/cryptroot-hook to support setups where /dev/mapper/ contains
+ symlinks to devices at /dev/dm-*. the lvm2/device-mapper packages had
+ defaults changed to this temporary. it has been fixed in a subsequent
+ upload of lvm2 in the meantime, but still it's not a bad idea to be
+ prepared for such setups in the future. that way cryproot now supports
+ /dev/dm-* devices as well. (closes: #532579, #544487, #544773)
+ * fix initscript dependencies both for cryptdisks and cryptdisks-early.
+ thanks to Petter Reinholdtsen for bugreport and patch. (closes: #548356)
+ * finally change default behaviour of initscripts/cryptroot-hook to include
+ all available crypto modules into the initramfs. this change should fix
+ any problems with cryto modules missing from the initramfs. announce the
+ change in NEWS.Debian. (closes: #547597)
+ * add error messages to lvm detecting code in initramfs/cryptroot-script
+ in order to make debugging easier. (closes: #541248)
+ * implement detection of devices which are required by decrypt_derived
+ keyscript in initscripts/cryptroot-hook. that way setups where encrypted
+ swap has the key derived from non-root partitions should support suspend/
+ resume as well. (closes: #475838)
+ * remove outdated documentation from the source package: CryptoRoot.HowTo,
+ CheckSystem.Doc
+ * mention in README.initramfs that busybox is required for cryptroot to work
+ * stop creating /etc/keys in postinst maintainer script.
+ * update build system to include library files again: (closes: #480157)
+ - split into three packages: cryptsetup, libcryptsetup1, libcryptsetup-dev
+ - rename preinst to cryptsetup.preinst, copy code to create /etc/crypttab
+ skeleton into cryptsetup-udeb.preinst.
+ - build with --enable-shared and --enable-static for libcryptsetup.a
+ - create debian/libcryptsetup1.symbols with help of dpkg-gensymbols
+ * add debian/cryptsetup.lintian-override for two false positives
+ * raise build-depends on debhelper and debian/compat for that reason
+ * update README.remote to work with latest dropbear package. thanks to
+ debian@x.ray.net.
+ * make all crypttab fields available to keyscripts as environment variables.
+ thanks to ludwig nussel from suse for idea and implmentation. document
+ this in crypttab(5) manpage. impelement the same environment variables in
+ initramfs cryptroot script.
+ * fix formatting errors in crypttab(5) manpage.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 15 Oct 2009 19:26:14 +0200
+
+cryptsetup (2:1.0.7-2) unstable; urgency=low
+
+ * add a paragraph to the cryptsetup manpage that mentions /proc/crypto as
+ source for available crypto ciphers, modes, hashs, keysizes, etc.
+ (closes: #518266)
+ * fix luksformat to check for mkfs.$fs both in /sbin and /usr/sbin. thanks
+ to Jon Dowland. (closes: #539734)
+ * mention era eriksson as author of the typo fixes for manpage (submitted as
+ bug #476624) in changelog of cryptsetup 2:1.0.6-3. (closes: #541344)
+ * bump standards-version to 3.8.3. no changes needed.
+ * add 04_no_stderr_success.patch, which adds an option to suppress success
+ messages to stderr. don't apply the patch as this already has been fixed
+ upstream in another way. next cryptsetup release will print the command
+ successful message to stdout only if opt_verbose is set.
+ * add checkscripts blkid and un_blkid for the reason that vol_id will be
+ removed from udev soon. advertise the new scripts at all places that
+ mentioned vol_id or un_vol_id before.
+ * add /usr/share/bug/cryptsetup which adds /proc/cmdline, /etc/crypttab,
+ /etc/fstab and output of 'lsmod' to bugs against cryptsetup.
+ * add debian/README.remote, which describes how to setup a cryptroot system
+ with support for remote unlocking via ssh login into the initramfs. Thanks
+ to debian@x.ray.net for writing it down.
+ * update debian/copyright for current format from dep.debian.net/deps/dep5
+ * add chainiv, cryptomgr and krng to standard list of modules in initramfs
+ cryptroot hook. (closes: #541835)
+ * add a section describing LUKS header backups and related security
+ implications to README.Debian. a tool to automate this task should not be
+ distributed at all. (closes: #432150)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 01 Sep 2009 12:38:02 +0200
+
+cryptsetup (2:1.0.7-1) unstable; urgency=low
+
+ * new upstream release, highlights include (diff from ~rc1):
+ - allow removal of last slot in luksRemoveKey and luksKillSlot
+ - eject unsupported --offset and --skip options for luksFormat
+ * make passdev accept a timeout option, thanks to Evgeni Golov for the patch.
+ (closes: #502598)
+ * finally add the cryptsource delay implementation from ubuntu, as it seems
+ to workaround some issues where appearance of the root device takes longer
+ than expected. (closes: #488271)
+ * execute udev_settle before $cryptremove if $cryptcreate fails at
+ setup_mapping() in the initramfs cryptroot script. it seems like a short
+ delay and/or udev_settly is needed in between of 'cryptsetup create' and
+ 'cryptsetup remove'. thanks to Gernot Schilling for the bugreport.
+ (closes: #529527)
+ * talk about /dev/urandom instead of /dev/random in crypttab manpage.
+ (closes: #537344)
+ * check for $IGNORE before check_key() in handle_crypttab_line_start()
+ * rewrite error code handling:
+ - return 1 for errors in handle_crypttab_line_{start|stop}
+ - handle_crypttab_line_... || true needed due to set -e in initscript
+ - check for exit code of handle_crypttab_line_{start<stop} in
+ cryptdisks_{start|stop}, exit with proper status code (closes: #524173)
+ * add a counter to the while loop in cryptdisks_{start|stop}, in order to
+ detect if $dst was not found in crypttab. (closes: #524485)
+ * check for keyscript in the new location in initramfs/cryptopensc-hook.
+ * add README.opensc to docs, thanks to Benjamin Kiessling for writing it.
+ (closes: #514538)
+ * add patches/03_rework_read.patch [rework write_blockwise() and
+ read_blockwise()], but don't apply it yet as it's still experimental.
+ applying it will increase the speed of luksOpen.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 30 Jul 2009 17:41:16 +0200
+
+cryptsetup (2:1.0.7~rc1-2) unstable; urgency=low
+
+ * flag the root device with rootdev option at /conf/conf.d/cryptroot in
+ initramfs hook, check for that flag before adding ROOT=$NEWROOT to
+ /conf/param.conf in initramfs script. that should prevent the initramfs
+ script from adding ROOT=$NEWROOT for resume devices. (closes: #535801)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 15 Jul 2009 11:44:45 +0200
+
+cryptsetup (2:1.0.7~rc1-1) unstable; urgency=low
+
+ * new upstream release candidate, highlights include:
+ - use better error messages if device doesn't exist or is already used by
+ other mapping (closes: #492926)
+ - check device size when loading LUKS header
+ - add some error hint if dm-crypt mapping failed (key size and kernel
+ version check for XTS and LRW mode for now) (closes: #494584)
+ - display device name when asking for password
+ - retain readahead of underlying device, if devmapper version supports it
+ - set UUID in device-mapper for LUKS devices
+ - define device-mapper crypt UUID maximal length and check for its size
+ - add some checks for error codes, fixes warning: ignoring return value...
+ - update LUKS homepage in manpage to code.google.com/p/cryptsetup
+ * patches/01_fix_make_distclean.patch: removed, incorporated upstream
+ * patches/02_manpage.patch: updated, mostly incorporated upstream
+ * remove invokation of ./setup-gettext.sh from debian/rules.
+ * set $PATH in checks/xfs. Required to make /usr/sbin/xfs_admin work at early
+ boot stage. Thanks to Stefan Bender. (closes: #525118)
+ * update path to docbook-xsl stylesheet in debian/rules to
+ /usr/share/xml/docbook/stylesheet/docbook-xsl/. Add versioned build-depends
+ to docbook-xsl (>= 1.74.3+dfsg) for that reason.
+ * fix bashisms in scripts/decrypt_opensc, thanks to Raphael Geissert.
+ (closes: #530060)
+ * fix UUID and LABEL handling for cryptroot, thanks to Kees Cook and ubuntu.
+ (closes: #522041)
+ * add ROOT=$NEWROOT to /conf/param.conf in cryptroot initramfs script. This
+ is required for lilo to find the correct root device. Thanks to Pyotr
+ Berezhkov and Christian Schaarschmidt. (closes: #511447, #511840)
+ * replace mini autogen.sh with autoreconf in debian/rules. Thanks to Bastian
+ Kleineidam. (closes: #522798)
+ * support escaped newlines in askpass.c, thanks to Kees Cook and ubuntu.
+ (closes: #528133)
+ * use the same passphrase prompt in init script and initramfs script
+ * mention the incoherent behaviour of cryptsetup create/luksOpen with invalid
+ passwords/keys in cryptsetup manpage. (closes: #529359)
+ * bump standards-version to 3.8.2, no changes required.
+ * add 'X-Interactive: true' LSB-header to initscripts.
+ * fix bash_completion script to use 'command ls'. that way it now works with
+ aliased ls as well. thanks to Daniel Dehennin. (closes: #535351)
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 04 Jul 2009 15:52:06 +0200
+
+cryptsetup (2:1.0.6+20090405.svn49-1) unstable; urgency=low
+
+ * New upstream svn snapshot. Highlights include:
+ - Uses remapping to error target instead of calling udevsettle for
+ temporary crypt device. (closes: #514729, #498964, #521547)
+ - Removes lots of autoconf stuff as it's generated by autogen.sh anyway.
+ - Uses autopoint in build process, thus needs to Build-Depend on cvs.
+ - Fixes signal handler to proper close device.
+ - Wipes start of device before LUKS-formatting.
+ - Allows deletion of key slot with it's own key. (closes: #513596)
+ - Checks device mapper communication and gives proper error message in
+ case the communication fails. (closes: #507727)
+ * Update debian patches accordingly:
+ - Remove obsolete patches 01_gettext_package and 03_check_for_root
+ - Update patch 02_manpage
+ * Add missing newlines to some error messages in passdev.c. Thanks to
+ Christoph Anton Mitterer for bugreport and patch. (closes: #509067)
+ * Move keyscripts in initramfs from /keyscripts to /lib/cryptsetup/scripts
+ for the sake of consistency between initramfs and normal system. Document
+ this change in NEWS.Debian. (closes: #509066)
+ * Fix $LOUD in cryptdisks.init and cryptdisks.functions to take effect. Add
+ LOUD="yes" to cryptdisks_start. (closes: #513149)
+ * cryptdisks_{start,stop}: print error message if no entry is found in
+ crypttab for the given name.
+ * Actually fix watchfile to work with code.google.com.
+ * Update Homepage field to code.google.com URL. (closes: #516236)
+ * Fix location of ltmain.sh, build-depend on versioned libtool.
+ (closes: #521673, #522338)
+ * Some minor changes to make lintian happy:
+ - use set -e instead of /bin/sh -e in preinst.
+ - link to GPL v2 in debian/copyright
+ * Bump standards-version to 3.8.1, no changes needed.
+ * Fix a typo in NEWS.Debian. (closes: #522387)
+ * Taken from ubuntu:
+ - debian/checks/un_vol_id: dynamically build the "unknown volume type"
+ string, to allow for encrypted swap, (closes: #521789, #521469). Fix
+ sed to replace '/' with '\/' instead of '\\/' in device names.
+ - disable error message 'failed to setup lvm device' (LP 151532).
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 06 Apr 2009 08:49:14 +0200
+
+cryptsetup (2:1.0.6-7) unstable; urgency=medium
+
+ * Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE
+ in configure.in.
+ * Support keyfiles option in bash completion. Thanks to Stefan Goebel for
+ the patch. (closes: #499936)
+ * Update patches/02_manpage.patch: Fix the documnetation of default cipher
+ for LUKS mappings. (closes: #495832)
+ * Update debian/watch file to reflect the move of project home to
+ code.google.com.
+ * Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of
+ cryptdisks.functions. This way, cryptdisks_start/stop work even with
+ $CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643)
+ * Add force-start to cryptdisks(-early).init in order to support starting
+ noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779)
+ * Document how to enable remote device unlocking via dropbear ssh server
+ in the initramfs during boot process. Thanks to Chris <debian@x.ray.net>
+ for the great work. (closes: #465902)
+ * Completely remove support and documentation of the timeout option,
+ document this in NEWS.Debian. (closes: #495509, #474120)
+ * Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene Wagner.
+ (closes: #499704)
+ * Fix initramfs/cryptpassdev-hook to check for passdev instead of mountdev.
+ Thanks to Christoph Anton Mitterer.
+ * cryptdisks.functions:
+ - Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot initramfs
+ script already supports keyscripts without path as argument. Thanks to
+ Christoph Anton Mitterer.
+ * README.initramfs:
+ - Remove the mention of bug #398302 from the section about suspend/resume,
+ as this bug has been fixes for some time now.
+ - Remove step 6 (mkswap) from the section about decrypt_derived, as it was
+ superfluous. Thanks to Helmut Grohe. (closes: #491867)
+ * Fix initramfs/cryptroot-script to use the lvm binary instead of vgchange.
+ Thanks to Marc Haber. (closes: #506536)
+ * Make get_lvm_deps() recursive in initramfs/cryptroot-hook. This is required
+ to detect the dm-crypt device in setups with more than one level of device
+ mapper mappings. For example if LVM is used with snapshots on top of the
+ dm-crypt mapping. Thanks to Christian Jaeger for bugreport and patch, Ben
+ Hutchings and Yves-Alexis Perez for help with debugging. (closes: #507721)
+ * urgency=medium due to several important fixes.
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 17 Dec 2008 21:25:45 +0100
+
+cryptsetup (2:1.0.6-6) unstable; urgency=high
+
+ * Don't cat keyfile into pipe for do_noluks(). cryptsetup handles
+ --key-file=- different for luks and plain dm-crypt mappings. This time
+ really (closes: #493848). Thus again upload with urgency=high.
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 09 Aug 2008 13:36:31 +0200
+
+cryptsetup (2:1.0.6-5) unstable; urgency=high
+
+ * Fix watch file to not report -pre and -rc releases as superior.
+ * Remove the global var $SIZE from cryptdisks.functions again but keep the
+ extended value checks.
+ * Remove the udev rules file also in preinst, code taken from example at
+ http://wiki.debian.org/DpkgConffileHandling. Thanks Marco d'Itri.
+ (closes: #493151)
+ * Remove duplicated configuration of --key-file in $PARAMS at do_noluks().
+ (closes: #493848).
+ * Invoke mount_fs() and umount_fs() in cryptdisks_start, add
+ log_action_begin_msg() and log_action_end_msg() to both cryptdisks_start
+ and cryptdisks_stop.
+ * Copy fd 3 code from do_start and do_stop to cryptdisks_start and
+ cryptdisks_stop to fix "keyscript | cryptsetup". (closes: #493622)
+ * This upload fixes two RC bugs, thus upload with severity=high.
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 06 Aug 2008 10:19:21 +0200
+
+cryptsetup (2:1.0.6-4) unstable; urgency=medium
+
+ [ David Härdeman ]
+ * Make sure $IGNORE is reset as necessary, patch by Thomas Luzat
+ <thomas@luzat.com> (closes: #490199)
+ * Use askpass in init scripts as well (closes: #489033, #477203)
+
+ [ Jonas Meurer ]
+ * Don't copy_exec libgcc1 in cryptopensc initramfs hook, as it's already
+ copied by copy_exec /usr/sbin/pcscd automaticly. Thanks to Evgeni Golov
+ <sargentd@die-welt.net>. (closes: #490300)
+ * Remove the udev rules file again as the relevant rules are now provided
+ by dmsetup package which cryptsetup depends on.
+ * Add splashy support to askpass, thanks to John Hughes <john@calva.com>
+ for the patch. (closes: #492451) The support is limited to cryptroot
+ though, as splashy freezes for passphrase input dialogs from initscripts.
+ Document that in README.Debian.
+ * Now that askpass is used as keyscript for interactive mode, it's not
+ necessary to set cryptsetup parameter '--tries=$TRIES' and TRIES=1 for
+ interactive mode anymore in cryptdisks.functions.
+ * Implement special treatment for random passphrases now that we use
+ "--key-file=-" for all situations. Only necessary in do_noluks.
+ * Fix the passphrase prompt string in initramfs/cryptroot.script to use
+ $cryptsource instead of $cryptsources.
+ * Major documentation cleanup for lenny:
+ - Rewrite CryptoSwap.HowTo in README.Debian, remove CryptoSwap.HowTo.
+ - Refer to README.initramfs instead of CryptoRoot.HowTo for encrypted root
+ filesystem in README.Debian.
+ - Remove outdated docs CryptoRoot.HowTo, usbcrypto.udev and gen-old-ssl-key
+ as well as the decrypt_old_ssl keyscript.
+ - Remove debian/TODO, didn't have any useful content anyway.
+ - Fix section ''9. The "decrypt_derived" keyscript'': Add swap option to
+ the example line for crypttab and other minor fixes. Thanks to
+ Helmut Grohne <helmut@subdivi.de>. (closes: #491867)
+ * urgency=medium since important (#492451) and security (#477203) bugs get
+ fixed by this upload.
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 28 Jul 2008 00:21:44 +0200
+
+cryptsetup (2:1.0.6-3) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * Fix cryptdisks.functions to actually recognize the noauto option. Thanks
+ to Christian Pernegger <pernegger@gmail.com> (closes: #483882)
+ * Update patches/02_manpage.patch:
+ - fixes two more typos, thanks to and Era Eriksson <era@iki.fi> for the
+ patch, and Bruno Barrera Yever <bbyever@gmail.com> for forwarding it
+ to the bts (closes: #476624)
+ - removes a duplicate sentence
+ * Rephrase "Enter password for $crypttarget" to "Enter password to unlock
+ the disk $cryptsource ($crypttarget)" in initramfs/cryptroot.script.
+ * Bump Standards-Version to 3.8.0:
+ - Add a README.source which references /usr/share/doc/quilt/README.source.
+ - Add support for debian build option parallel=n to debian/rules.
+ * Add a udev rules file to ignore temporary-cryptsetup-* devices, as
+ suggested in bug #467200. Thanks to Sam Morris <sam@robots.org.uk>.
+ * Transform debian/copyright into machine-readable code as proposed in
+ http://wiki.debian.org/Proposals/CopyrightFormat. Update and add several
+ copyright notices.
+ * Change reference to docbook xml v4.2 driver file from an online version
+ to a local one in the manpage files, as the build process should not
+ depend on internet access. Add docbook-xml to build-depends. Thanks to
+ Lucas Nussbaum <lucas@lucas-nussbaum.net>. (closes: #487056)
+
+ [ David Härdeman ]
+ * Hopefully fix askpass to properly handle console and usplash input
+ (closes: #477203)
+ * Clarify crypttab manpage (closes: #487246)
+ * Make regex work if keyfile has extended attributes,
+ https://launchpad.net/bugs/231339 (closes: #488131)
+ * Support comments in options part of crypttab (closes: #488128)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 07 Jul 2008 00:30:07 +0200
+
+cryptsetup (2:1.0.6-2) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * Taken from ubuntu:
+ - debian/scripts/luksformat: Use 256 bit key size by default. (LP: #78508)
+ - debian/patches/02_manpage.patch: Clarify default key sizes (128 for
+ luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508)
+ * Use 'shred -uz' instead of 'rm -r' to remove a tempfile that contains a
+ key in gen-ssl-key example script.
+
+ [ David Härdeman ]
+ * Misc bugfixes to askpass, make sure it is installed to the correct
+ location and is built using pedantic mode.
+ * Change the initramfs script to use askpass to prompt for
+ passphrases, this should hopefully fix #382375 and #465902 once it
+ is enabled in the init scripts as well.
+ * Add a keyscript called passdev which allows a keyfile to be
+ retrieved from a device which is first mounted, mainly useful to get
+ keyfiles off USB devices etc.
+ * Unbreak MODULES=dep booting (closes: #478268)
+ * Relax checks for suspend devices a bit (closes: #477658)
+ * Convert man pages to docbook.
+
+ -- David Härdeman <david@hardeman.nu> Mon, 26 May 2008 08:12:32 +0200
+
+cryptsetup (2:1.0.6-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * new upstream release
+ - reload option is deprecated and a warning is printed. (closes: #428288)
+ * convert patch system from dpatch to quilt.
+ * enhance the information regarding the default hash setting in NEWS.Debian.
+ Thanks to Ross Boylan <ross@biostat.ucsf.edu>.
+ * change author of keyslot patch to Marc Merlin in changelog, thanks to
+ U. Kuehn for raising that issue.
+ * doing some debian/rules redesign and cleanup, speeds up the build process.
+ * ignore devices with the noauto option early enough to prevent any checks
+ on them. Thanks to Joachim Breitner <nomeata@debian.org> (closes: #464672)
+ * update debian/copyright to actually mention copyright, thanks lintian.
+ * change script=$(basename $req) to script=${req##*/} in initramfs cryptroot
+ script. Thanks to Adeodato Simó <dato@net.com.org.es>. (closes: #466240)
+ * change test ... -a ... to [ ... ] && [ ... ] in the check scripts.
+ * add support for tries option to initramfs scripts. Thanks to Helmut Grohne
+ <helmut@subdivi.de>. (closes: #430158, #469869) Use --tries=1 for
+ cryptsetup in the initramfs script. Document the difference between
+ initscript and initramfs for tries=0 in the crypttab manpage.
+ * add, build and install askpass.c, a helper program by David Härdeman. The
+ idea is to use it for passphrase prompt in the initramfs script.
+
+ [ David Härdeman ]
+ * Work with LABEL=, UUID= and symlinks in /etc/fstab (closes: #466175)
+ * Improve module loading in initramfs hook so that the newer as well
+ as arch specific crypto drivers are taken into consideration
+ (closes: #464673)
+ * Depend on race-free version of libdevmapper, thus making udevsettle
+ call from cryptsetup binary unnecessary. Also change call to
+ udevsettle in initramfs script (which is still useful as it related
+ to the source device) to optionally use udevadm if present (closes:
+ #456326).
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 31 Mar 2008 15:58:35 +0200
+
+cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low
+
+ * New upstream svn snapshot:
+ - Adds typo fixes by Justin Pryzby <jpryzby+d@quoininc.com> to cryptsetup.8
+ manpage.
+ - Mentions luksKillSlot in the manpage. Thanks to Alexander Heinlein
+ <alexander.heinlein@web.de>. (closes: #459206)
+ - Adds the patch by Marc Merlin <marc_www@merlins.org> to support explicit
+ key slots for luksFormat and luksAddKey. Thanks to U. Kuehn, who figured
+ out that this patch wasn't applied even though changelog said so.
+ - Supports adding new keys to active devices again. Thanks to Tobias Frost
+ <tobi@coldtobi.de> for the bugreport. (closes: #460409)
+ * Add support for a custom filesystem for /tmp. Patch provided by
+ Hans-Peter Oeri <hp@oeri.ch>.
+ * Add X-Start-Before headers to cryptdisks and cryptdisks-early initscripts.
+ Thanks to Petter Reinholdtsen <pere@debian.org> for report and patch.
+ (closes: #458944)
+ * Add support for a noauto option to cryptdisks. Thanks to U Kuehn
+ <ukuehn@acm.org> for the idea.
+ * Add typo fixes by Justin Pryzby <jpryzby+d@quoininc.com> to crypttab.5
+ manpage. (closes: #460994)
+ * Add a cryptdisks_stop script, corresponding to cryptdisks_start. Thanks to
+ Joachim Breitner <nomeata@debian.org> for the idea. (closes: #459832)
+ * Change log_progress_msg to log_action_msg in cryptdisks.functions. That
+ way a newline is printed after the start of every device. Thanks to Frans
+ Pop <elendil@planet.nl> for the bugreport. (closes: #461548)
+ * Add bash_completition script provided by Kevin Locke <kwl7@cornell.edu>.
+ (closes: #423591)
+ * Fix a spelling error in the package description: linux -> Linux.
+ * Fix bashisms in cryptdisks_{start,stop} found by Raphael Geissert
+ <atomo64+debian@gmail.com>.
+ * Change the default hash in initramfs scripts from sha256 to ripemd160 for
+ consistency with cryptsetup default. Add information about that to
+ NEWS.Debian. Thanks to martin f krafft <madduck@debian.org>.
+ (closes: #406317)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 30 Jan 2008 09:01:52 +0100
+
+cryptsetup (2:1.0.6~pre1-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * New upstream alpha release 1.0.6~pre1:
+ - [01_crypt_luksFormat_libcryptsetup.dpatch] removed, applied upstream
+ - [02_manpage.dpatch] likewise
+ - [04_fix_unused_or_unitialized_variables.dpatch] likewise
+ - [05_segfault_at_nonexisting_device.dpatch] likewise
+ - [06_run_udevsettle.dpatch] update for new upstream
+ * Disable 03_check_for_root.dpatch. As Ludwig Nussel mentioned on
+ dm-crypt@saout.de, cryptsetup 1.0.5 already prints out meaningfull errors
+ if expected permissions are not available. Therefore the check for uid ==
+ 0 is superfluous.
+ * [06_run_udevsettle.dpatch] Run udevsettle after device-mapper device
+ creation. Fixes issues with temporary device files in /dev/mapper. Patch
+ by Reinhard Tartler from Ubuntu. (closes: #444914)
+ * Add support for offset and skip options to cryptdisks/crypttab. Thanks to
+ Marc-Jano Knopp. (closes: #446674)
+ * Update the long description in debian/control. Don't mention kernel 2.6.4
+ any longer, remove references to /usr/share/doc/cryptsetup/CryptoRoot.HowTo
+ and mkinitrd.
+ * Add noearly option to cryptdisks/crypttab, which causes cryptdisks-early
+ to ignore the entry. Thanks to Joerg Jaspert (closes: #423102)
+ * Change log_progress_msg "$dst (started)" to device_msg "$dst" "started" in
+ cryptdisks.functions. Makes console output of cryptdisks more consistent.
+ * Add cryptdisks_start and patch to cryptdisks.functions by Jon Dowland.
+ Also add a manpage for cryptdisks_start(8). (closes: #447159)
+ * Add load_optimized_module() function to cryptdisks.functions. Initial idea
+ by Reinhard Tartler from Ubuntu, enhanced by David Härdeman.
+ (closes: #445186)
+ * Add support for UUID=.. device strings to initramfs cryptroot-hook. Thanks
+ to Reinhard Tartler from Ubuntu for the patch. (closes: #445189)
+ * Support UUID=... and LABEL=... device strings in /etc/crypttab. Thanks
+ to Martin Pitt from Ubuntu for the patch. (closes: #445189)
+ * Add Vcs-Browser and Vcs-Svn fields to debian/control.
+ * Fix debian/rules to not fail to build if autom4te.cache is left behind
+ from a previous incomplete build. Patch again taken from Ubuntu.
+ * Mention in the crypttab manpage that files are allowed as source. In that
+ case they are mounted as loopback device automatically. Thanks to
+ Michal Cihar (closes: #451909)
+ * At stopping dm-crypt devices really remove the corresponding loopback
+ device if one has been used. Thanks to Rene Pavlik for report and to David
+ Härdeman, who had the idea for the fix. (closes: #451916)
+ * Also remove loopback devices if the cryptsetup device setup fails.
+ * Document a possible deadlock if cryptsetup is invoked as a 'run programm'
+ in a udev role. This i related to the invokation of udevsettle in
+ cryptsetup. Thanks to Dick Middleton for reporting and debugging.
+ (closes: #444914)
+ * Move umount_fs() from handle_crypttab_line() to the end of do_start().
+ * Bump Standards-Version to 3.7.3.0. No changes needed.
+ * Remove unused litian-override file
+ * Remove --build $(DEB_BUILD_GNU_TYPE) and --host $(DEB_HOST_GNU_TYPE) from
+ invocation of ./configure, as they are already included in $(confflags).
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 06 Dec 2007 15:56:05 +0100
+
+cryptsetup (2:1.0.5-2) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * Add libselinux1-dev and libsepol1-dev to build-depends. Detected by
+ the build daemon from hell by Steinar H. Gunderson. Thanks to Manoj
+ Srivastava for advice.
+ * Fix the watchfile
+ * Fix cryptopensc-hook to honor key=none. Thanks to Daniel Baumann
+ (closes: #436434)
+ * Remove outdated README.html and example usbcrypto.* scripts from
+ documentation. Add example usbcrypto.udev script. Thanks to Volker Sauer
+ for the update. (closes: #409775)
+ * Document that stdin is read different with '--key-file=-' than without.
+ Thanks to Marc Haber. (closes: #418450)
+ * Document that --timeout is useless in conjunction with --key-file. Thanks
+ Alexander Zangerl. (closes: #421693)
+ * [03_check_for_root.dpatch] Check for UID == 0 before actually doing
+ something. Thanks to Benjamin Seidenberg. (closes: #401766)
+ * [04_fix_unused_or_unitialized_variables.dpatch] Fix some gcc warnings
+ about unused or unitialized variables. Thanks to Ludwig Nussel for the
+ patch.
+ * [05_segfault_at_nonexisting_device.dpatch] Fix segfault when trying to
+ open a non existing device. Thanks to Ludwig Nussel for the patch.
+ (closes: #438198)
+ * Add CFLAGS="$(CFLAGS)" before ./configure invocation in debian/rules.
+ This way CFLAGS are passed to the configure script. Thanks to Gordon
+ Farquharson for the patch. (closes: #438450)
+ * Add a warning about missing hash option in crypttab to initramfs
+ cryptoroot hook. Thanks to Sebastian Leske for the patch.
+ (closes: #438169)
+ * Add support for openct using data objects on a smartcard as key. Thanks to
+ Daniel Baumann <baumann@swiss-it.ch> for patch and documentation.
+ (closes: #438473)
+ * Polish opensc_decrypt and openct_decrypt.
+ * Add initramfs patch by maximilian attems. Bump depends on initramfs-tools
+ to (>= 0.91). (closes: #441428)
+ * several cleanups to make lintian happy:
+ - remove #!/bin/sh from cryptsetup.functions as it is not executable.
+ - remove unused-override configure-generated-file-in-source config.log.
+ - add some hyphen fixes to patches/02_manpage.dpatch
+ * Filter out the detection of filesystem type 'minix' in checks vol_id and
+ un_vol_id if checking for any valid filesystem. The minix fs signature
+ seems short enough to be detected erroneously by /lib/udev/vol_id.
+ Thanks to Fredrik Olofsson and arno for the bugreport. (closes: #411784)
+ * Add Homepage field to debian/control.
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 24 Sep 2007 15:42:06 +0200
+
+cryptsetup (2:1.0.5-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * New upstream release, nearly identical to svn snapshot svn29.
+ * Fix watch file to use cryptsetup instead of cryptsetup-luks.
+ * Add 01_crypt_luksFormat_libcryptsetup.dpatch - rename luksInit to
+ luksFormat in libcryptsetup.h.
+ * Merge some ubuntu changes:
+ - make luksformat check if filesystem is already mounted to prevent a
+ strange error message.
+ - modprobe dm-mod in cryptsetup.functions.
+ - wait for udev to be settled in initramfs script.
+
+ [ David Härdeman ]
+ * Allow other crypto devices to be setup even if one fails.
+ (closes: #423100)
+ * Remove an incorrect warning in postinst.
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 27 Jul 2007 04:59:33 +0200
+
+cryptsetup (2:1.0.4+svn29-1) unstable; urgency=low
+
+ * New upstream svn snapshot with several bugfixes
+ - remove 01_tries_fix.dpatch, added upstream
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 02 May 2007 02:48:37 +0200
+
+cryptsetup (2:1.0.4+svn26-3) unstable; urgency=low
+
+ * Add cryptdevice name to prompt before actually starting it. Thanks
+ to Joerg Jaspert. (closes: #421803)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 02 May 2007 01:05:22 +0200
+
+cryptsetup (2:1.0.4+svn26-2) unstable; urgency=low
+
+ [ David Härdeman ]
+ * Fix typo in crypttab(5), the ext checkscript is called ext2, not
+ ext3. (closes: #410390)
+ * Use the initramfs-tools keymap support instead of our own (requires
+ initramfs-tools >= 0.87)
+ * Add support for usplash password prompt (closes: #397981)
+ * Remove the "ssl" and "gpg" options which are supported by keyscripts
+ since October 2006 (see NEWS for details).
+ * Spring cleaning of cryptdisks.functions, now supports multiple tries
+ for keyscripts and uses lsb logging. (closes: #420105, #383808)
+
+ [ Jonas Meurer ]
+ * Add 01_tries_fix.dpatch, makes the --tries commandline option work
+ again. (closes: #414326, #412064)
+ * Document the un_vol_id check script, remove the swap check script from
+ documentation. The swap check indeed is rather useless, thanks to Frank
+ Engler <bts.to.FrankEngler@spamgourmet.com>. The script itself is kept
+ for compability issues. (closes: #406837)
+ * Add smartcard keyscript and initramfs-tools hooks/scripts. This adds
+ support for disk encryption with smartcards, even for root disks.
+ Thanks a lot to Gerald Turner <gturner@unzane.com> for the patch and a
+ smartcard reader for testing this. (closes: #416528)
+ * update copyright file: change "program" to "package", and mention GPL
+ version 2. add a full disclaimer.
+ * Add "--showkeys" to the dmsetup invocation in decrypt_derived script.
+ (closes: #420399)
+ * Fixes in cryptdisks.functions:
+ - Don't suppress error messages at mount and unmount and don't break
+ if 'mount $point' fails.
+ - Fix handling of checks and prechecks, the vars somehow where mixed
+ - Really use $CHECKARGS if it's defined
+ - Rename "stopped" to "stopping" for devices which are shutdown at
+ 'cryptdisks stop' (show a difference to already stopped devices).
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 28 Apr 2007 20:45:50 +0200
+
+cryptsetup (2:1.0.4+svn26-1) unstable; urgency=high
+
+ [ Jonas Meurer ]
+ * New upstream svn snapshot 1.0.4+svn26
+ - contains a slightly modified patch by Rob Walker
+ <rob@tenfoot.org.uk> to fix a sector size error. (closes: #403075)
+ - fixes a LUKS header corruption on arm, which downgrades bug
+ #403426 from critical to important.
+ - prevents password retrying with I/O errors.
+ * handle chainmode/essiv "plain" correctly in initramfs hook.
+ Thanks to Leonard Norrgard. (closes: #402417)
+ * remove 'rm -rf m4' from a clean target in debian/rules.
+ * urgency=high to get this into etch.
+
+ [ David Härdeman ]
+ * Document the difference in default hash functions between the
+ initramfs scripts and the plain cryptsetup binary. (closes: #398429)
+ * Verify symlinks for source devices when initramfs is generated and
+ correct if necessary. (closes: #405301)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 9 Jan 2007 21:53:06 +0100
+
+cryptsetup (2:1.0.4+svn16-2) unstable; urgency=high
+
+ [ David Härdeman ]
+ * Add cbc to standard list of modules. Thanks to Michael Olbrich
+ <michael.olbrich@gmx.net>. (closes: #401370)
+ * Fix support for crypto-on-evms. Thanks to Enrico Gatto
+ <cat@legnago.linux.it>. (closes: #402417)
+
+ [ Jonas Meurer ]
+ * urgency=high to get this into etch.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 14 Dec 2006 01:41:40 +0100
+
+cryptsetup (2:1.0.4+svn16-1) unstable; urgency=medium
+
+ [ David Härdeman ]
+ * Support adding separate blockcipher modules to initramfs image
+ (necessary for kernels >= 2.6.19)
+ * Hashing was previously not done correctly when decrypt_derived was used
+
+ [ Jonas Meurer ]
+ * Add new upstream patch 02_luks_var_keysize.dpatch. Cryptsetup no longer
+ segfaults with unsupported keysize. (closes: #381973)
+ * Urgency medium as we really want these fixes in etch.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 28 Nov 2006 18:17:12 +0100
+
+cryptsetup (2:1.0.4-8) unstable; urgency=high
+
+ [ Jonas Meurer ]
+ * Add 'set -e' and 'if ...; then ... fi' to cryptdisks-early as well.
+
+ [ David Härdeman ]
+ * Make sure that a failed modprobe does not break with 'set -e'.
+ (closes: #398799)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 16 Nov 2006 16:59:35 +0100
+
+cryptsetup (2:1.0.4-7) unstable; urgency=low
+
+ [ David Härdeman ]
+ * Do not try to configure resume devices which we cant get the key for
+ and also try harder to find resume devices.
+ (closes: #397887, #397888)
+ * Kill some more bashisms.
+ * Only try three times per crypto device in initramfs scripts to avoid
+ unbootable systems if a swap partition can't be setup.
+ * Added decrypt_derived keyscript and improved documentation of latest
+ changes, see README.initramfs for details.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 14 Nov 2006 16:27:51 +0100
+
+cryptsetup (2:1.0.4-6) unstable; urgency=high
+
+ [ David Härdeman ]
+ * Improve LVM dependency checks in initramfs hook. Thanks to Loïc
+ Minier <lool@dooz.org> for the patch. (closes: #397633, #397651)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 9 Nov 2006 13:55:48 +0100
+
+cryptsetup (2:1.0.4-5) unstable; urgency=high
+
+ [ David Härdeman ]
+ * Make sure that duplicate entries in initramfs do not block the boot
+ (closes: #397454)
+ * Do not check for the presence of a key if the keyscript option is
+ set (closes: #397450)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 7 Nov 2006 18:03:41 +0100
+
+cryptsetup (2:1.0.4-4) unstable; urgency=high
+
+ [ David Härdeman ]
+ * Readd and document the kernel boot argument "cryptopts" due to user
+ demand
+ * Implement support for multiple device setup in initramfs.
+ (closes: #394136, #382280)
+ * Remove bashisms. (closes: #396092)
+ * Fix FTBFS by altering dpatch so that it is applied to Makefile.in.in
+ before configure is executed. (closes: #396126)
+
+ [ Jonas Meurer ]
+ * Only warn for insecure keyfile mode/owner. Add some information about
+ insecure keys in README.Debian. (closes: #395357, #394134)
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 3 Nov 2006 02:22:49 +0100
+
+cryptsetup (2:1.0.4-3) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * Suggest dosfstools. Needed for the default settings in luksformat. Thanks
+ to Loïc Minier <lool@dooz.org>. (closes: #393473)
+ * Suggest initramfs-tools (>= 0.60) | linux-initramfs-tool as well.
+ * Still urgency=medium for the same reasons
+
+ [ David Härdeman ]
+ * Change the previous fix for #388871 to use the original patch from
+ Loïc Minier <lool@dooz.org>. This also removes the bogus UTF8 char.
+ (closes: #393895)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 18 Oct 2006 23:03:47 +0200
+
+cryptsetup (2:1.0.4-2) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * Fix postinst, use 'elif [ -z $foo] || [ -z $bar ]; then ...'
+ * Fix a typo in cryptdisks.functions, change $opt to $opts for more
+ consistency with the postinst script.
+ * Fix mount_fs() in cryptdisks.functions to actually do what we want it to
+ do. Up to now, the initscript stopped if a mountpoint failed to mount.
+ * urgency=medium to get cryptsetup 1.0.4 into etch
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 17 Oct 2006 16:16:02 +0200
+
+cryptsetup (2:1.0.4-1) unstable; urgency=low
+
+ [ David Härdeman ]
+ * Always update the current initramfs when a new version is installed
+ * Move the double-ssl decryption into a keyscript and change the ssl
+ option to use that script instead
+ * Move the gpg key decryption into a keyscript and change the gpg
+ option to use that script instead
+ * Clean up cryptdisks.functions
+ * Let initramfs-tools know that we need busybox in the initramfs image
+ * Fix bogus error message from initramfs hook, based on patch by
+ Loïc Minier <lool@dooz.org>. (closes: #388871)
+ * Remove the undocumented kernel boot argument "cryptopts"
+ * Always add some crypto modules/tools to the initramfs image unless
+ MODULES=dep. (closes: #389835)
+ * Update README.initramfs.
+ * Add checks and warnings that the ssl and gpg options are going away
+ in favour of the keyscript option
+ * Fix the decrypt_ssl script (closes: #390514)
+
+ [ Jonas Meurer ]
+ * New upstream release.
+ - [01_terminal_output.dpatch] removed, finally went upstream
+ - [02_docs_tries.dpatch] removed, went upstream
+ - [03_fix_build_error.dpatch] renamed to 01_fix_build_error.dpatch
+ * Fix SYNOPSIS in crypttab(5) manpage to show all arguments as mandatory.
+ Thanks to Michael Steinfurth.
+ * Check in postinst for entries with missing arguments in /etc/crypttab.
+ Warn is one is found. Thanks to Michael Steinfurth (closes: #388083)
+ * Fix pretest for encrypted swap. Allow unencrypted swap on the source
+ device. Thanks to Dennis Furey. (closes: #387158)
+ * Fix posttest for encrypted swap. Don't skip if a swap filesystem is found
+ on the target device. Thanks to Sam Couter. (closes: #385317)
+ * Use 'set -e' and 'if [ -r <file> ]; then ...; fi' in init script. Thanks
+ to Goswin Brederlow. (closes: #390354)
+ * change '... > &2' to ... >&2' in cryptdisks.functions
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 16 Oct 2006 19:22:41 +0200
+
+cryptsetup (2:1.0.4~rc2-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * Add some more german translations to de.po.
+ * Add a note to NEWS.Debian where the fix for #376393 is explained. thanks
+ to Robert Bihlmeyer for the report. (closes: #379719)
+ * Allow swap filesystems to be overwritten when the swap flag is set. thanks
+ to Raphaël Quinet for the report. (closes: #379771)
+ * Update to upstream 1.0.4-rc2. (closes: #378422, #379726, closes: #379723)
+ * removed patches 03-05, merged upstream.
+ * [01_terminal_output.dpatch] updated for new upstream.
+ * [02_docs_tries.dpatch] updated for new upstream, to fix luksDelKey
+ documentation and to give more information about the keysize.
+ (closes: #379084)
+
+ [ David Härdeman ]
+ * Make sure that README.initramfs is included in the package (closes
+ #380048)
+ * Replace panic calls in cryptsetup script with exit 1 to match the
+ behaviour of other scripts. The regular initramfs script will panic
+ later when root isn't detected anyway
+ * Make all four fields in crypttab mandatory (closes: #370180,
+ #376941)
+ * Add UTF8 keyboard input support to initramfs image (closes: #379737)
+ * Add a keyscript option (closes: #370302, #375913)
+ * [03_fix_build_error.dpatch] patch po/Makefile with more recent
+ gettext implementation.
+
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 4 Sep 2006 03:55:35 +0200
+
+cryptsetup (2:1.0.3-3) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * revert the change that for swap devices the vol_id check is run by
+ default. if the swap partition is encrypted with a random key, the check
+ will always fail. thanks to Mika Bostrom <bostik@bostik.iki.fi>
+ (closes: #371135, #371160, #377434)
+ * fix the vol_id checkscript to do what it's expected to do.
+ * add the un_vol_id checkscript, which does the reverse of vol_id.
+ * use 'check=un_vol_id, checkargs=swap' for swap devices per default.
+ * added do_close function to cryptdisks.functions, as do_swap needs to use
+ it. up to now, 'cryptsetup remove' was invoked regardless whether the
+ device contains a LUKS partition or not. this is fixed now too.
+ * allow custom check scripts. check only if $CHECK exists in
+ /lib/cryptsetup/checks/ and use the given value as full path otherwise.
+ * make precheck for no_luks mandatory, fail if any known filesystem is
+ found.
+ * update crypttab manpage to reflect the checksystem changes. added an own
+ section for check scripts. update the CheckSystem documentation.
+ * update and simplify the gen-ssl-key script, thanks to Markus Nass
+ <generalstone@gmx.net>
+ * move gen-ssl-key, decrypt_ssl and luksformat to debian/scripts in the
+ source.
+ * add new directory /lib/cryptsetup/scripts/ for key decryption scripts like
+ decrypt_ssl and decrypt_gpg.
+ * add 05_fix_pointer_and_int_comparison.dpatch, fixes compiler warnings on
+ 64bit architectures. Thanks to David Härdeman for the patch.
+ * revert the order of do_start and do_stop at 'cryptdisks restart'. thanks
+ to Hans Peter Wiedau <hpw@quelltext.com> for pointing out that silly typo.
+ (closes: #377591)
+
+ [ David Härdeman ]
+ * Support root-on-crypto-on-lvm in the initramfs scripts without
+ having to change the root variable (closes: #371846)
+ * If possible, load correct keymap in the initramfs image before any
+ password prompts (closes: #376393)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 10 Jul 2006 20:01:02 +0200
+
+cryptsetup (2:1.0.3-2) unstable; urgency=low
+
+ [ David Härdeman ]
+ * Add patch by Arjan Oosting <arjanoosting@home.nl) for lvm-on-cryptroot
+ in initramfs scripts (closes: #362564)
+
+ [ Jonas Meurer ]
+ * install luksformat to /usr/sbin, as it depends on perl (closes: #369923)
+ * use essiv cipher in luksformat, debian 2.6.16 kernels have essiv support
+ compiled in (closes: #369878)
+ * fix cryptsetup output, patch by David Härdeman <david@2gen.com>
+ (closes: #369575)
+ * add new check 'vol_id', which uses /lib/udev/vol_id from udev and supports
+ checks for any known filesystem type. implement a new option checkargs in
+ cryptdisks for that. suggest udev. closes one half of #370302. thanks to
+ Markus Nass and Darvid Härdeman for the suggestion.
+ * always check for a swap partition before running mkswap
+ * updated README.Debian, Checksystem.Doc and crypttab.5.txt accordingly.
+ * drop usage of strings from swap check, as it is in /usr/bin. thanks to
+ Markus Nass.
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 5 Jun 2006 18:27:07 +0200
+
+cryptsetup (2:1.0.3-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * new upstream release, 1.0.3 final
+ - Add alignPayload patch by Peter Palfrader (closes: #358388)
+ - meaningful exitcodes and password retrying by Johannes Weißl
+ (closes: #359277)
+ * add 01_terminal_timeout.dpatch from Andres Salomon <dilinger@debian.org>.
+ - gets rid of getpass(), which is obsolete according to manpage
+ - restores the terminal state before doing the timeout (closes: #364153)
+ * add 02_docs_tries.dpatch, to describe --tries in the cryptsetup manpage.
+ * add 03_stdin_input.dpatch from David Härdeman <david@2gen.com>,
+ fixes input from stdin, accepts input with more than 32 characters
+ (closes: #364529, #365333)
+ * add 04_status_exit_codes.dpatch from David Härdeman <david@2gen.com>,
+ fixes the exit codes of 'cryptsetup status'
+ * provide a cryptsetup-udeb package (closes: #358422)
+ * remove debian/luksformat.8 in clean target (closes: #358386)
+ * fix update-rc.d arguments to start cryptdisks in rc0 and rc6.
+ it is not really started [but stopped], but still the links need to be
+ named S48cryptdisks. otherwise it will be invoked before umountfs.
+ * add initramfs cryptroot functionality, thanks to David Härdeman
+ <david@2gen.com> for the patch (closes: #358452)
+ * rename /lib/cryptsetup/init_functions to cryptdisks.functions
+ * move most of /etc/init.d/cryptdisks to cryptdisks.functions.
+ /etc/init.d/cryptdisks now does not much more than importing
+ cryptdisks.functions. required for running two seperate cryptdisks
+ initscripts.
+ * split the cryptdisks initscript into cryptdisks-early and cryptdisks.
+ actually both scripts do the same except having slightly different output.
+ the early script is run before lvm/evms/... are started, and the other one
+ after they are started. (closes: #363007)
+ * add support for mount to cryptdisks. this makes it possible to use
+ keyfiles from removable media. see the crypttab.5 manpage for more
+ information.
+ * use upstream cryptsetup tries option instead of the shell code in
+ cryptdisks. rename cryptdisks 'retry' option to 'tries'.
+ * document the fact, that the default settings in /etc/default/cryptdisks
+ take only effect if the relevant option is set without a value in
+ crypttab. add the environment section to crypttab.5.txt (closes: #364203)
+ * update the TODO list.
+ * update crypdisks.default
+ * run do_swap and do_tmp. Thanks to Riku Voipio <riku.voipio@iki.fi>
+ (closes: #365633)
+ * bump Standards-Version to 3.7.2.0, no changes needed
+
+ [ David Härdeman ]
+ * add lvm capabilities to initramfs scripts (closes: #362564)
+ * add cryptsetup.postinst which executes update-initramfs when
+ cryptsetup is first installed (not on upgrades)
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 13 May 2006 19:45:08 +0200
+
+cryptsetup (2:1.0.2+1.0.3-rc3-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * new upstream release candidate:
+ - fixes sector size of the temporary mapping (closes: #355156)
+ - more verbose error logging (closes: #353755, #356288, #258376)
+ - upstream accepted my patches to the manpage
+ * fixed spelling error in README.Debian
+ * removed debian/cryptsetup.sgml, outdated
+ * ran ispell against doc files in debian/, fixed many typos
+ * change /usr/share/cryptsetup to /lib/cryptsetup in crypttab.5.txt
+ (closes: #354910)
+ * add --build (and maybe even --host) to configure flags, for
+ cross-compiling
+ * remove debian/luksformat.8 in clean target
+ * fix bashism in cryptdisks. thanks to Michal Politowski
+ <mpol@charybda.icm.edu.pl> (closes: #356484)
+ * add support for openssl encrypted keys, based on a patch by General Stone
+ <generalstone@gmx.net> (closes: #350615)
+ * add some code to support gnupg encrypted keys, some parts are missing.
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 17 Mar 2006 00:42:41 +0100
+
+cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * new upstream version 1.0.3-rc2, fixing issues with devmapper
+ * new upstream version 1.0.3-rc1, doesn't use essiv per default
+ * new upstream version (1.0.2) released
+ - add --timeout option for interactive usage
+ - add --batch-mode option to suppress input verifications
+ * install local cryptsetup.8 copy instead of the upstream manpage
+ - mention --readonly as possible option to luksOpen (closes: #353753)
+ - mention --batch-mode, --timeout, --version
+ - transform remaining option hyphens from '-' to '\-'
+ * merged ubuntu patches:
+ - modify cryptdisks init script to use lsb functions
+ - add luksformat and a manpage
+ * removed postinst and postrm, empty scripts
+ * added a README.Debian and a TODO
+ * added a NEWS file for Debian, and explain both the upstream transition
+ from plain cryptsetup to cryptsetup-luks, and the check options for
+ crypttab.
+ * install manpages using dh_installman, not with install
+ * updated CryptoRoot.HowTo, mention /etc/mkinitrd/modules and different
+ linux-image versions. (closes: #344867)
+ * removed needless debian/hack
+ * added debian/watch
+ * bumped debhelper compat level to 5, add versioned depends on
+ debhelper (>> 5.0.0)
+ * update debian/cryptsetup.8 to mention batch-mode and timeout
+ * updated cryptdisks
+ - modify init script to use lsb functions, at least where possible
+ - updated comments for cryptdisks.default
+ - moved option parsing and setup of loopback devices to seperate functions.
+ added a new include file /lib/cryptsetup/init_functions with functions
+ parse_opts, lo_setup, check_key, do_luks, do_noluks, do_swap, do_tmp
+ - always check for the source device exists before running cryptsetup
+ - hardcode precheck for LUKS to use 'cryptsetup isLuks'. this is much safer
+ than allowing other random prechecks, as it manifests that the source
+ device actually is a LUKS partition.
+ - don't remove the LUKS device when postcheck fails, as the supplied
+ password/key is correct anyway.
+ - use the new 'timeout' commandline option of cryptsetup instead of an
+ external wrapper
+ - be silent for not existing devices per default. Implement the loud
+ option for crypttab to warn if a device does not exist.
+ - remerge postchecks and prechecks into checks.
+ - don't disable swap & luks combination, instead disable luks with
+ /dev/random, /dev/urandom or /dev/hwrandom as key.
+ - run parse_opts before check_key, to know whether we use luks or not
+
+ [ Michael Gebetsroither ]
+ * converted crypttab.sgml to asciidoc
+ * added dependencies for asciidoc to manpage conversion
+ * added developer documentation for a robust checksystem into cryptdisks
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 26 Feb 2006 20:04:49 +0100
+
+cryptsetup (2:1.0.1-16) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * already fixed in 2:1.0.1-14: binaries xor and delay from
+ usbcrypto.mkinitrd don't exist in debian. replaces with a perl script
+ and /bin/sleep. thanks to wesley terpstra for the help.
+ (closes: #324353)
+ * clean cryptdisks from bashisms (closes: #350360)
+ * check for /usr/bin/timeout before using it in cryptdisks. First, it's
+ only available when /usr is mounted, and that is not definitive when
+ cryptdisks is run at boot time. Second, timeout is a non-essential
+ debian package, and not neccecarily installed. The usage of
+ /usr/bin/timeout in any case is only a temporary workaround.
+ * move /usr/share/cryptsetup to /lib/cryptsetup, as the checks need to be
+ available at boot time, before local filesystems (like i.e. /usr) are
+ mounted.
+ * replace RETRY=`expr $RETRY - 1` with RETRY=$(($RETRY-1)), as expr is in
+ /usr/bin.
+ * install init.d script and default file with dh_installinit
+ (closes: #350548)
+ * don't build-depend on cvs
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 30 Jan 2006 17:54:50 +0100
+
+cryptsetup (2:1.0.1-15) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * rebuilt with -sa, to include the sources into upload
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 27 Jan 2006 18:18:46 +0100
+
+cryptsetup (2:1.0.1-14) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * added a configurable timeout option for interactive password
+ prompt. set the default timeout to 180 seconds in
+ /etc/default/cryptdisks, and documented the crypttab option in
+ the crypttab manpage. (closes: #328961)
+ * fixed the default "precheck" and "postcheck" options, currently
+ no useful precheck exists, so no default here.
+ * removed the dummy cryptsetup-luks package, ftpmaster complains
+ about it.
+
+ [ Michael Gebetsroither ]
+ * make small fixes to CryptoSwap.HowTo
+ * added postcheck for swap (closes: #342079)
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 27 Jan 2006 12:59:10 +0100
+
+cryptsetup (2:1.0.1-13) unstable; urgency=low
+
+ * split the "check" in a "precheck" and a "postcheck" option
+ - adds the possibility to check the source device before creating the
+ decrypted target device, useful for things like swap.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 21:24:06 +0100
+
+cryptsetup (2:1.0.1-12) unstable; urgency=low
+
+ * correctly parse options in cryptdisks (closes: #304399)
+ * remove the moduledir /usr/lib/cryptsetup from the deb, it's
+ empty anyway (closes: #334648)
+ * replace /usr/local/bin/delay with /bin/sleep in usbcrypto.mkinitrd
+ * cosmetical changes to /etc/crypttab
+ * add "check" and "retry" options to cryptdisks script,
+ thanks to A Mennucc <debdev@mennucci.sns.it>. (closes: #290626)
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 19:46:18 +0100
+
+cryptsetup (2:1.0.1-11) unstable; urgency=low
+
+ * include sources although the debian revision is not -1
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 16:35:12 +0100
+
+cryptsetup (2:1.0.1-10) unstable; urgency=low
+
+ * introduce an epoch to make upgrade happen
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 09:02:47 +0100
+
+cryptsetup (1.0.1-9) unstable; urgency=low
+
+ * rename the package to cryptsetup, provide a dummy cryptsetup-luks package
+ * initial upload to debian
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 08:06:25 +0100
+
+cryptsetup-luks (1.0.1-8) unstable; urgency=low
+
+ * use upstream tarball as orig.tar.gz and keep debian changes in diff.gz
+ * change to use dpatch
+ * adjust build environment to work with upstream sources, and without
+ autogen.sh
+ * merge fixes for debian scripts from cryptsetup.
+ * keep cryptsetup manpage untouched, as merging cryptsetup and
+ cryptsetup-luks manpages is rather complex.
+ * set mandir to /usr/share/man for configure
+ * add a lintian-override file
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 06:48:30 +0100
+
+cryptsetup-luks (1.0.1-7) unstable; urgency=high
+
+ * make cryptsetup create work again (patch for lib/libdevmapper.c)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 21 Jan 2006 14:39:36 +0100
+
+cryptsetup-luks (1.0.1-6) unstable; urgency=low
+
+ * recompile for new libdevmapper
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 10 Jan 2006 15:10:17 +0100
+
+cryptsetup-luks (1.0.1-5) unstable; urgency=low
+
+ * improved documentation for /etc/crypttab
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 7 Nov 2005 17:05:20 +0100
+
+cryptsetup-luks (1.0.1-4) unstable; urgency=low
+
+ * added luks option for /etc/crypttab (thx to Fabian Thorns
+ <fabian@thorns.it> for the initial patch)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 3 Nov 2005 19:22:59 +0100
+
+cryptsetup-luks (1.0.1-3) unstable; urgency=low
+
+ * completly switched to luks upstream
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 11 Aug 2005 22:14:16 +0200
+
+cryptsetup-luks (1.0.1-2) unstable; urgency=low
+
+ * fixed build dependencies
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 20 Jun 2005 22:30:38 +0200
+
+cryptsetup-luks (1.0.1-1) unstable; urgency=low
+
+ * synced with luks upstream
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 20 Jun 2005 16:22:53 +0200
+
+cryptsetup-luks (1.0-5) unstable; urgency=low
+
+ * fixed a small typo in the manpage
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 23 Apr 2005 11:06:31 +0200
+
+cryptsetup-luks (1.0-4) unstable; urgency=low
+
+ * cleand source-tree for submitting a wishlist report into debian BTS
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 19 Apr 2005 18:44:13 +0200
+
+cryptsetup-luks (1.0-3) unstable; urgency=low
+
+ * updatet dependencies (libdevmapper1.00 => libdevmapper1.01)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 19 Apr 2005 13:51:10 +0200
+
+cryptsetup-luks (1.0-2) unstable; urgency=low
+
+ * replaced original debian cryptsetup manpage with manpage from
+ cryptsetup-luks
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sun, 3 Apr 2005 13:33:55 +0200
+
+cryptsetup-luks (1.0-1) unstable; urgency=low
+
+ * new upstream release
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 2 Apr 2005 23:29:43 +0200
+
+cryptsetup-luks (0.993-3) unstable; urgency=low
+
+ * fixed dependencis
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sun, 13 Feb 2005 01:28:11 +0100
+
+cryptsetup-luks (0.993-2) unstable; urgency=low
+
+ * fixed a few source problems
+ * fixed post/pre install scripts
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 16:18:07 +0100
+
+cryptsetup-luks (0.993-1) unstable; urgency=low
+
+ * synced with luks upstream
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 15:50:21 +0100
+
+cryptsetup-luks (0.992-5) unstable; urgency=low
+
+ * fixed a few problems in den debian source package
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 04:22:30 +0100
+
+cryptsetup-luks (0.992-4) unstable; urgency=low
+
+ * debianized the package
+ * cleand up build system
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 00:12:43 +0100
+
+cryptsetup-luks (0.992-3) unstable; urgency=low
+
+ * Fixed typo
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Fri, 11 Feb 2005 18:38:42 +0100
+
+cryptsetup-luks (0.992-2) unstable; urgency=low
+
+ * Added note within description
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Fri, 11 Feb 2005 18:21:03 +0100
+
+cryptsetup-luks (0.992-1) unstable; urgency=low
+
+ * "integrated LUKS" support (very messy hack)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 10 Feb 2005 18:16:21 +0100
diff --git a/debian/checks/blkid b/debian/checks/blkid
new file mode 100644
index 0000000..27615d3
--- /dev/null
+++ b/debian/checks/blkid
@@ -0,0 +1,32 @@
+#!/bin/sh
+# this script depends on /sbin/blkid from the util-linux package
+
+# usage: blkid <device> <fs_type> [<offset>]
+# <device> may be any device that should be checked.
+# if no <fs_type> is given, the check fails if no valid filesystem is found.
+# if <fs_type> is given, the check fails when no filesystem type <fs_type>
+# is found on the device. if <fs_type> is 'none', the check fails if any
+# know filesystem is found.
+
+if test ! -x "/sbin/blkid"; then
+ echo " - WARNING: blkid from util-linux is not available, impossible to run checks."
+ exit 1
+fi
+
+dev="$1"
+fs="$2"
+offset="${3-}"
+
+blkid="$(/sbin/blkid -o value -s TYPE -p ${offset:+-O "$offset"} -- "$dev")"
+
+# blkid output is empty if $dev has an unknown filesystem
+if [ -z "$blkid" ] && [ -z "$fs" ]; then
+ echo " - The device $dev does not contain a known filesystem${offset:+" at offset $offset"}."
+ exit 1
+elif [ -n "$blkid" ] && [ "$fs" = "none" ]; then
+ echo " - The device $dev contains a filesystem type $blkid${offset:+" at offset $offset"}."
+ exit 1
+elif [ -n "$fs" ] && [ "$blkid" != "$fs" ]; then
+ echo " - The device $dev does not contain a filesystem type $fs${offset:+" at offset $offset"}."
+ exit 1
+fi
diff --git a/debian/checks/ext2 b/debian/checks/ext2
new file mode 100644
index 0000000..0776fce
--- /dev/null
+++ b/debian/checks/ext2
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2
+
+not_fs=""
+for fs in ext2 ext3 ext4 ext4dev; do
+ /lib/cryptsetup/checks/blkid "$1" "$fs" >/dev/null || not_fs="$not_fs $fs"
+done
+if [ "$not_fs" = " ext2 ext3 ext4 ext4dev" ]; then
+ echo " - The device $1 does not contain a valid ext2, ext3, ext4 or ext4dev filesystem."
+ exit 1
+fi
diff --git a/debian/checks/swap b/debian/checks/swap
new file mode 100644
index 0000000..2891417
--- /dev/null
+++ b/debian/checks/swap
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2
+
+/lib/cryptsetup/checks/blkid "$1" "swap"
diff --git a/debian/checks/un_blkid b/debian/checks/un_blkid
new file mode 100644
index 0000000..572d937
--- /dev/null
+++ b/debian/checks/un_blkid
@@ -0,0 +1,28 @@
+#!/bin/sh
+# this script depends on /sbin/blkid from the util-linux package
+
+# usage: un_blkid <device> <fs_type> [<offset>]
+# <device> may be any device that should be checked.
+# if no <fs_type> is given, the check fails for any valid filesystem
+# if <fs_type> is given, the check fails when a filesystem type <fs_type>
+# is found on the device.
+
+if test ! -x "/sbin/blkid"; then
+ echo " - WARNING: blkid from util-linux is not available, impossible to run checks."
+ exit 1
+fi
+
+dev="$1"
+fs="$2"
+offset="${3-}"
+
+blkid="$(/sbin/blkid -o value -s TYPE -p ${offset:+-O "$offset"} -- "$dev")"
+
+# blkid output is empty if $dev has an unknown filesystem
+if [ -n "$blkid" ] && [ -z "$fs" ]; then
+ echo " - The device $dev contains a filesystem type $blkid${offset:+" at offset $offset"}."
+ exit 1
+elif [ -n "$fs" ] && [ "$blkid" = "$fs" ]; then
+ echo " - The device $dev contains a filesystem type $fs${offset:+" at offset $offset"}."
+ exit 1
+fi
diff --git a/debian/checks/xfs b/debian/checks/xfs
new file mode 100644
index 0000000..981cde8
--- /dev/null
+++ b/debian/checks/xfs
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2
+
+/lib/cryptsetup/checks/blkid "$1" "xfs"
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..f1aea9d
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1,10 @@
+debian/askpass
+debian/doc/*.[0-9]
+debian/doc/variables.xml
+debian/scripts/passdev
+debian/scripts/suspend/cryptsetup-suspend
+# `make clean` doesn't remove all gitignore(5)'d files, instead
+# .gitlab/ci/debian.yml runs `git clean -xdf`
+man/*.8
+po/*.gmo
+po/stamp-po
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..4b0278c
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,194 @@
+Source: cryptsetup
+Section: admin
+Priority: optional
+Maintainer: Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>
+Uploaders: Jonas Meurer <jonas@freesources.org>,
+ Guilhem Moulin <guilhem@debian.org>
+Rules-Requires-Root: no
+Build-Depends: asciidoctor <!nodoc>,
+ autoconf,
+ automake (>= 1:1.12),
+ autopoint,
+ debhelper-compat (= 13),
+ dh-strip-nondeterminism,
+ docbook-xml <!nodoc>,
+ docbook-xsl <!nodoc>,
+ gettext,
+ jq <!nocheck>,
+ libargon2-dev,
+ libblkid-dev,
+ libdevmapper-dev,
+ libjson-c-dev,
+ libpopt-dev,
+ libselinux1-dev,
+ libsepol-dev,
+ libssh-dev,
+ libssl-dev,
+ libtool,
+ pkg-config,
+ po-debconf,
+ procps <!nocheck>,
+ uuid-dev,
+ xsltproc <!nodoc>,
+ xxd <!nocheck>
+Standards-Version: 4.6.2
+Homepage: https://gitlab.com/cryptsetup/cryptsetup
+Vcs-Browser: https://salsa.debian.org/cryptsetup-team/cryptsetup
+Vcs-Git: https://salsa.debian.org/cryptsetup-team/cryptsetup.git -b debian/latest
+
+Package: cryptsetup
+Architecture: linux-any
+Multi-Arch: foreign
+Depends: cryptsetup-bin (>= 2:1.6.0),
+ dmsetup,
+ ${misc:Depends},
+ ${shlibs:Depends}
+Suggests: cryptsetup-initramfs, dosfstools, keyutils, liblocale-gettext-perl
+Description: disk encryption support - startup scripts
+ Cryptsetup provides an interface for configuring encryption on block
+ devices (such as /home or swap partitions), using the Linux kernel
+ device mapper target dm-crypt. It features integrated Linux Unified Key
+ Setup (LUKS) support.
+ .
+ Cryptsetup is backwards compatible with the on-disk format of cryptoloop,
+ but also supports more secure formats. This package includes support for
+ automatically configuring encrypted devices at boot time via the config
+ file /etc/crypttab. Additional features are cryptoroot support through
+ initramfs-tools and several supported ways to read a passphrase or key.
+ .
+ This package provides the cryptdisks_start and _stop wrappers, as well as
+ luksformat.
+
+Package: cryptsetup-bin
+Architecture: linux-any
+Multi-Arch: foreign
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: disk encryption support - command line tools
+ Cryptsetup provides an interface for configuring encryption on block
+ devices (such as /home or swap partitions), using the Linux kernel
+ device mapper target dm-crypt. It features integrated Linux Unified Key
+ Setup (LUKS) support.
+ .
+ This package provides the cryptsetup, integritysetup and veritysetup
+ utilities.
+
+Package: cryptsetup-ssh
+Architecture: linux-any
+Multi-Arch: foreign
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Recommends: cryptsetup-bin (>= ${source:Version})
+Breaks: cryptsetup (<< 2:2.5.0~rc1-3), cryptsetup-bin (<< 2:2.5.0~rc1-3)
+Replaces: cryptsetup (<< 2:2.5.0~rc1-3), cryptsetup-bin (<< 2:2.5.0~rc1-3)
+Description: disk encryption support - experimental SSH token handler
+ Cryptsetup provides an interface for configuring encryption on block
+ devices (such as /home or swap partitions), using the Linux kernel
+ device mapper target dm-crypt. It features integrated Linux Unified Key
+ Setup (LUKS) support.
+ .
+ This package provides the cryptsetup-ssh(8) utility and an SSH token plugin
+ which can be used to unlock LUKS2 devices using a remote keyfile hosted on a
+ system accessible through SSH. This is currently an *experimental* feature
+ and mostly serves as a demonstration of the plugin interface API.
+
+Package: cryptsetup-initramfs
+Architecture: all
+Depends: busybox | busybox-static,
+ cryptsetup (>= ${source:Version}),
+ initramfs-tools (>= 0.137) | linux-initramfs-tool,
+ ${misc:Depends}
+Recommends: console-setup, kbd
+Breaks: cryptsetup (<< 2:2.0.3-1)
+Replaces: cryptsetup (<< 2:2.0.3-1)
+Conflicts: lvm2 (<< 2.03.15-1)
+Description: disk encryption support - initramfs integration
+ Cryptsetup provides an interface for configuring encryption on block
+ devices (such as /home or swap partitions), using the Linux kernel
+ device mapper target dm-crypt. It features integrated Linux Unified Key
+ Setup (LUKS) support.
+ .
+ This package provides initramfs integration for cryptsetup.
+
+Package: cryptsetup-suspend
+Architecture: linux-any
+Multi-Arch: foreign
+Depends: cryptsetup-initramfs (>= ${source:Version}),
+ initramfs-tools-core,
+ kbd,
+ systemd,
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: disk encryption support - suspend mode integration
+ Cryptsetup provides an interface for configuring encryption on block
+ devices (such as /home or swap partitions), using the Linux kernel
+ device mapper target dm-crypt. It features integrated Linux Unified Key
+ Setup (LUKS) support.
+ .
+ This package provides suspend mode integration for cryptsetup. It takes
+ care of removing LUKS master key from memory before system suspend.
+ .
+ Please note that the suspend mode integration is limited to LUKS devices
+ and requires systemd. Moreover, this is an early implementation and may not
+ be as mature as the other cryptsetup-* packages yet.
+
+Package: libcryptsetup12
+Section: libs
+Architecture: linux-any
+Multi-Arch: same
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: disk encryption support - shared library
+ Cryptsetup provides an interface for configuring encryption on block
+ devices (such as /home or swap partitions), using the Linux kernel
+ device mapper target dm-crypt. It features integrated Linux Unified Key
+ Setup (LUKS) support.
+ .
+ This package provides the libcryptsetup shared library.
+
+Package: libcryptsetup-dev
+Section: libdevel
+Architecture: linux-any
+Multi-Arch: same
+# XXX [#1025065] ideal we would have "Depends: libcryptsetup12
+# (= ${binary:Version}), ${misc:Depends}, ${pkgconf:Depends}"
+Depends: libargon2-dev,
+ libblkid-dev,
+ libcryptsetup12 (= ${binary:Version}),
+ libdevmapper-dev,
+ libjson-c-dev,
+ libssl-dev,
+ uuid-dev,
+ ${misc:Depends}
+Description: disk encryption support - development files
+ Cryptsetup provides an interface for configuring encryption on block
+ devices (such as /home or swap partitions), using the Linux kernel
+ device mapper target dm-crypt. It features integrated Linux Unified Key
+ Setup (LUKS) support.
+ .
+ This package provides the libcryptsetup development files.
+
+Package: cryptsetup-udeb
+Section: debian-installer
+Package-Type: udeb
+Build-Profiles: <!noudeb>
+Architecture: linux-any
+Depends: dmsetup-udeb, ${misc:Depends}, ${shlibs:Depends}
+Description: disk encryption support - commandline tools (udeb)
+ Cryptsetup provides an interface for configuring encryption on block
+ devices (such as /home or swap partitions), using the Linux kernel
+ device mapper target dm-crypt. It features integrated Linux Unified Key
+ Setup (LUKS) support.
+ .
+ This udeb package provides cryptsetup for the Debian Installer.
+
+Package: libcryptsetup12-udeb
+Section: debian-installer
+Package-Type: udeb
+Build-Profiles: <!noudeb>
+Architecture: linux-any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: disk encryption support - shared library (udeb)
+ Cryptsetup provides an interface for configuring encryption on block
+ devices (such as /home or swap partitions), using the Linux kernel
+ device mapper target dm-crypt. It features integrated Linux Unified Key
+ Setup (LUKS) support.
+ .
+ This udeb package provides libcryptsetup for the Debian Installer.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..5e9553d
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,280 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Contact: Milan Broz <mbroz@redhat.com>
+Source: https://gitlab.com/cryptsetup/cryptsetup
+Upstream-Name: cryptsetup
+
+Files: *
+Copyright: © 2004 Christophe Saout <christophe@saout.de>
+ © 2004-2008 Clemens Fruhwirth <clemens@endorphin.org>
+ © 2008-2023 Red Hat, Inc.
+ © 2008-2023 Milan Broz <gmazyland@gmail.com>
+License: GPL-2+ with OpenSSL exception
+
+Files: debian/*
+Copyright: © 2004-2005 Wesley W. Terpstra <terpstra@debian.org>
+ © 2005-2006 Michael Gebetsroither <michael.geb@gmx.at>
+ © 2006-2008 David Härdeman <david@hardeman.nu>
+ © 2005-2015 Jonas Meurer <jonas@freesources.org>
+ © 2016-2023 Guilhem Moulin <guilhem@debian.org>
+License: GPL-2+
+
+Files: debian/scripts/suspend/cryptsetup-suspend.c
+Copyright: © 2018 Guilhem Moulin <guilhem@debian.org>
+ © 2018-2020 Jonas Meurer <jonas@freesources.org>
+License: GPL-3+
+
+Files: debian/scripts/suspend/cryptsetup-suspend-wrapper
+Copyright: © 2019-2020 Tim <tim@systemli.org>
+ © 2019-2020 Jonas Meurer <jonas@freesources.org>
+ © 2020-2022 Guilhem Moulin <guilhem@debian.org>
+License: GPL-3+
+
+Files: debian/askpass.c debian/scripts/passdev.c
+Copyright: © 2008 David Härdeman <david@hardeman.nu>
+License: GPL-2+
+
+Files: debian/initramfs/cryptroot-unlock
+Copyright: © 2015-2018 Guilhem Moulin <guilhem@debian.org>
+License: GPL-3+
+
+Files: debian/README.opensc
+Copyright: © 2008 Benjamin Kiessling <benjaminkiessling@bttec.org>
+License: GPL-2+
+
+Files: debian/scripts/cryptdisks_start
+Copyright: © 2007 Jon Dowland <jon@alcopop.org>
+License: GPL-2+
+
+Files: debian/scripts/luksformat
+Copyright: © 2005 Canonical Ltd.
+License: GPL-2+
+
+Files: debian/scripts/decrypt_gnupg-sc debian/README.gnupg-sc debian/initramfs/hooks/cryptgnupg-sc debian/initramfs/scripts/local-bottom/cryptgnupg-sc
+Copyright: © 2005-2015 Jonas Meurer <jonas@freesources.org>
+ © 2016-2018 Guilhem Moulin <guilhem@debian.org>
+ © 2009,2014 Peter Lebbing <peter@digitalbrains.com>
+ © 2018 Erik Nellessen
+License: GPL-2+
+
+Files: debian/tests/*
+Copyright: © 2021-2022 Guilhem Moulin <guilhem@debian.org>
+License: GPL-3+
+
+Files: docs/examples/* tests/all-symbols-test.c
+Copyright: © 2011-2023 Red Hat, Inc.
+License: LGPL-2.1+
+
+Files: lib/bitlk/*
+Copyright: © 2019-2023 Red Hat, Inc.
+ © 2019-2023 Milan Broz <gmazyland@gmail.com>
+ © 2019-2023 Vojtech Trefny
+License: LGPL-2.1+
+
+Files: tokens/ssh/*
+Copyright: © 2016-2023 Milan Broz <gmazyland@gmail.com>
+ © 2020-2023 Vojtech Trefny
+License: LGPL-2.1+
+
+Files: tokens/ssh/cryptsetup-ssh.c
+Copyright: © 2016-2023 Milan Broz <gmazyland@gmail.com>
+ © 2021-2023 Vojtech Trefny
+License: GPL-2+
+
+Files: lib/crypto_backend/* lib/integrity/* lib/loopaes/* lib/tcrypt/* lib/verity/*
+Copyright: © 2009-2023 Red Hat, Inc.
+ © 2010-2023 Milan Broz <gmazyland@gmail.com>
+License: LGPL-2.1+
+
+Files: lib/crypto_backend/base64.c
+Copyright: © 2010 Lennart Poettering
+ © 2021-2023 Milan Broz <gmazyland@gmail.com>
+License: LGPL-2.1+
+
+Files: lib/crypto_backend/utf8.c
+Copyright: © 2010 Lennart Poettering
+ © 2021-2023 Vojtech Trefny
+ © 1999 Tom Tromey
+ © 2000 Red Hat, Inc.
+License: GPL-2+
+
+Files: lib/crypto_backend/crypto_openssl.c
+Copyright: © 2009-2023 Red Hat, Inc.
+ © 2010-2023 Milan Broz <gmazyland@gmail.com>
+License: LGPL-2.1+ with OpenSSL exception
+
+Files: lib/fvault2/fvault2.c lib/fvault2/fvault2.h
+Copyright: © 2021-2022 Pavel Tobias
+License: LGPL-2.1+ with OpenSSL exception
+
+Files: lib/keyslot_context.c lib/keyslot_context.h
+Copyright: © 2022-2023 Red Hat, Inc.
+ © 2022-2023 Ondrej Kozina <okozina@redhat.com>
+License: GPL-2+
+
+Files: lib/crypto_backend/argon2/*
+Copyright: © 2015 Daniel Dinu
+ © 2015 Dmitry Khovratovich
+ © 2015 Jean-Philippe Aumasson
+ © 2015 Samuel Neves
+License: CC0 or Apache-2.0
+
+Files: lib/crypto_backend/argon2/encoding.c
+Copyright: © 2015 Thomas Pornin <pornin@bolet.org>
+License: CC0 or Apache-2.0
+
+Files: lib/crypto_backend/crc32.c
+Copyright: © 1986 Gary S. Brown
+License: public-domain
+ Gary S. Brown's license is as follows:
+ .
+ You may use this program, or code or tables extracted from it, as
+ desired without restriction.
+
+Files: lib/bitops.h
+Copyright: © Karel Zak <kzak@redhat.com>
+License: public-domain
+ Karel Zak's license is as follows:
+ .
+ No copyright is claimed. This code is in the public domain; do with it
+ what you wish.
+
+License: GPL-2+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301 USA.
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+License: GPL-2+ with OpenSSL exception
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301 USA.
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+ .
+ In addition, as a special exception, the copyright holders give
+ permission to link the code of portions of this program with the
+ OpenSSL library under certain conditions as described in each
+ individual source file, and distribute linked combinations including
+ the two. You must obey the GNU General Public License in all respects
+ for all of the code used other than OpenSSL. If you modify file(s)
+ with this exception, you may extend this exception to your version of
+ the file(s), but you are not obligated to do so. If you do not wish to
+ do so, delete this exception statement from your version. If you
+ delete this exception statement from all source files in the program,
+ then also delete it here.
+
+License: GPL-3+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software Foundation,
+ Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ version 3 can be found in `/usr/share/common-licenses/GPL-3`.
+
+License: LGPL-2.1+
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published
+ by the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public
+ License along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301 USA.
+ .
+ On Debian systems, the complete text of the GNU Lesser General Public
+ License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
+
+License: LGPL-2.1+ with OpenSSL exception
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published
+ by the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public
+ License along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301 USA.
+ .
+ On Debian systems, the complete text of the GNU Lesser General Public
+ License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
+ .
+ In addition, as a special exception, the copyright holders give
+ permission to link the code of portions of this program with the
+ OpenSSL library under certain conditions as described in each
+ individual source file, and distribute linked combinations including
+ the two. You must obey the GNU Lesser General Public License in all
+ respects for all of the code used other than OpenSSL. If you modify
+ file(s) with this exception, you may extend this exception to your
+ version of the file(s), but you are not obligated to do so. If you do
+ not wish to do so, delete this exception statement from your version.
+ If you delete this exception statement from all source files in the
+ program, then also delete it here.
+
+License: CC0
+ You may use this work under the terms of a Creative Commons CC0 1.0
+ License/Waiver.
+ .
+ On Debian systems, the complete text of the Creative Commons CC0 1.0
+ Universal license can be found in `/usr/share/common-licenses/CC0-1.0'.
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian systems, the complete text of the Apache version 2.0 license
+ can be found in "/usr/share/common-licenses/Apache-2.0".
diff --git a/debian/cryptdisks-functions b/debian/cryptdisks-functions
new file mode 100644
index 0000000..ce5e6f4
--- /dev/null
+++ b/debian/cryptdisks-functions
@@ -0,0 +1,286 @@
+#
+# This file is for inclusion with
+# . /lib/cryptsetup/cryptdisks-functions
+# and should not be executed directly.
+
+PATH="/usr/sbin:/usr/bin:/sbin:/bin"
+CRYPTDISKS_ENABLE="Yes"
+
+#set -x
+
+# Sanity check #1
+[ -x /sbin/cryptsetup ] || exit 0
+
+. /lib/lsb/init-functions
+. /lib/cryptsetup/functions
+
+if [ -r /etc/default/cryptdisks ]; then
+ . /etc/default/cryptdisks
+fi
+
+MOUNT="$CRYPTDISKS_MOUNT"
+
+
+# do_start()
+# Unlock all devices in the crypttab(5)
+do_start() {
+ [ -s "$TABFILE" ] || return 0
+
+ # Create locking directory before invoking cryptsetup(8) to avoid warnings
+ mkdir -pm0700 /run/cryptsetup
+ modprobe -qb dm-mod || true
+ modprobe -qb dm-crypt || true
+ dmsetup mknodes >/dev/null 2>&1 || true
+
+ if [ "$INITSTATE" != "init" ]; then
+ log_action_begin_msg "Starting $INITSTATE crypto disks"
+ fi
+ mount_fs
+
+ crypttab_foreach_entry _do_start_callback
+
+ umount_fs
+ log_action_end_msg 0
+}
+_do_start_callback() {
+ setup_mapping || log_action_end_msg $?
+}
+
+# mount_fs()
+# Premounts file systems
+mount_fs() {
+ local point
+ MOUNTED=""
+
+ for point in $MOUNT; do
+ if mount "$point" >/dev/null; then
+ MOUNTED="$MOUNTED $point"
+ fi
+ done
+}
+
+# Postunmounts file systems
+umount_fs() {
+ local point
+
+ for point in $MOUNTED; do
+ umount "$point" >/dev/null
+ done
+}
+
+# setup_mapping()
+# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME,
+# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS.
+setup_mapping() {
+ if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
+ device_msg "running"
+ return 0
+ fi
+
+ local loud="${DEFAULT_LOUD:-}"
+ crypttab_parse_options --export --missing-path=fail || return 1
+ if [ -n "${CRYPTTAB_OPTION_quiet+x}" ]; then
+ loud="no"
+ elif [ -n "${CRYPTTAB_OPTION_loud+x}" ]; then
+ loud="yes"
+ fi
+
+ if [ -z "${FORCE_START-}" ]; then
+ if [ "$INITSTATE" = "early" -a -n "${CRYPTTAB_OPTION_noearly+x}" ] ||
+ [ "$INITSTATE" != "manual" -a -n "${CRYPTTAB_OPTION_noauto+x}" ]; then
+ device_msg "ignored"
+ return 0
+ fi
+ fi
+
+ if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
+ if ! crypttab_key_check; then
+ device_msg "invalid key"
+ return 1
+ fi
+ CRYPTTAB_OPTION_tries=1
+ fi
+
+ if ! crypttab_resolve_source; then
+ if [ "$loud" = "yes" ]; then
+ device_msg "skipped, device $CRYPTTAB_SOURCE does not exist"
+ fi
+ return 1
+ fi
+ device_msg "starting"
+
+ local offset_bytes=""
+ if [ -n "${CRYPTTAB_OPTION_offset+x}" ] && [ ${#CRYPTTAB_OPTION_offset} -le 7 ] && [ $CRYPTTAB_OPTION_offset -lt 4194304 ]; then
+ # silently ignore large offset values which might cause the multiplication to overflow...
+ offset_bytes=$((CRYPTTAB_OPTION_offset * 512))
+ fi
+
+ local out tmpdev
+ if [ "$CRYPTTAB_TYPE" != "luks" ] && [ "$CRYPTTAB_TYPE" != "bitlk" ]; then
+ # fail if the device has a filesystem and the disk encryption format doesn't
+ # verify the key digest (unlike LUKS); unless it's swap, otherwise people can't
+ # easily convert an existing plainttext swap partition to an encrypted one
+ if ! out="$(/lib/cryptsetup/checks/un_blkid "$CRYPTTAB_SOURCE" "" ${CRYPTTAB_OPTION_offset+"$offset_bytes"} 2>/dev/null)" &&
+ ! /lib/cryptsetup/checks/blkid "$CRYPTTAB_SOURCE" swap ${CRYPTTAB_OPTION_offset+"$offset_bytes"} >/dev/null; then
+ log_warning_msg "$CRYPTTAB_NAME: the precheck for '$CRYPTTAB_SOURCE' failed: $out"
+ return 1
+ fi
+ fi
+
+ local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype rv
+ local target="$CRYPTTAB_NAME"
+ CRYPTTAB_NAME="${CRYPTTAB_NAME}_unformatted" # XXX potential conflict
+ while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do
+ if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
+ # unlock via keyfile
+ unlock_mapping "$CRYPTTAB_KEY"
+ else
+ # unlock interactively or via keyscript
+ CRYPTTAB_NAME="$target" run_keyscript "$count" | unlock_mapping
+ fi
+ rv=$?
+ count=$(( $count + 1 ))
+
+ if [ $rv -ne 0 ] || ! tmpdev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then
+ continue
+ fi
+ if [ -n "${CRYPTTAB_OPTION_check+x}" ] && \
+ ! "$CRYPTTAB_OPTION_check" "$tmpdev" ${CRYPTTAB_OPTION_checkargs+"$CRYPTTAB_OPTION_checkargs"}; then
+ log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed"
+ cryptsetup remove -- "$CRYPTTAB_NAME"
+ continue
+ fi
+ if [ "${CRYPTTAB_OPTION_swap+x}" ]; then
+ if out="$(/lib/cryptsetup/checks/un_blkid "$tmpdev" "" ${CRYPTTAB_OPTION_offset+"$offset_bytes"} 2>/dev/null)" ||
+ /lib/cryptsetup/checks/blkid "$tmpdev" swap ${CRYPTTAB_OPTION_offset+"$offset_bytes"} >/dev/null 2>&1; then
+ mkswap "$tmpdev" >/dev/null 2>&1
+ else
+ log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed. $CRYPTTAB_NAME contains data: $out"
+ cryptsetup remove -- "$CRYPTTAB_NAME"
+ return 1
+ fi
+ elif [ "${CRYPTTAB_OPTION_tmp+x}" ]; then
+ local tmpdir="$(mktemp --tmpdir="/run/cryptsetup" --directory)" rv=0
+ if ! mkfs -t "$CRYPTTAB_OPTION_tmp" -q "$tmpdev" >/dev/null 2>&1 ||
+ ! mount -t "$CRYPTTAB_OPTION_tmp" "$tmpdev" "$tmpdir" ||
+ ! chmod 1777 "$tmpdir"; then
+ rv=1
+ fi
+ umount "$tmpdir" || true
+ rmdir "$tmpdir" || true
+ [ $rv -eq 0 ] || return $rv
+ fi
+ if command -v udevadm >/dev/null 2>&1; then
+ udevadm settle
+ fi
+ dmsetup rename -- "$CRYPTTAB_NAME" "$target"
+ device_msg "$target" "started"
+ return 0
+ done
+ device_msg "$target" "failed"
+ return 1
+}
+
+# Removes all mappings in crypttab, except the ones holding the root
+# file system or /usr
+do_stop() {
+ local devno_rootfs devno_usr
+ dmsetup mknodes
+ log_action_begin_msg "Stopping $INITSTATE crypto disks"
+
+ devno_rootfs="$(get_mnt_devno /)" || devno_rootfs=""
+ devno_usr="$(get_mnt_devno /usr)" || devno_usr=""
+
+ crypttab_foreach_entry _do_stop_callback
+ log_action_end_msg 0
+}
+_do_stop_callback() {
+ local skip="n" devno rv=0
+
+ # traverse the device tree for each crypttab(5) entry and mark / and
+ # /usr holders as skipped. that's suboptimal but we can't use
+ # mapped device names as they might contain any character other than
+ # NUL. shouldn't be much overhead anyway as the device tree is
+ # likely not that long
+ foreach_cryptdev _do_stop_skipped $devno_rootfs $devno_usr
+ [ "$skip" = "n" ] || return $rv
+
+ if devno="$(dmsetup info -c --noheadings -o devno -- "$CRYPTTAB_NAME" 2>/dev/null)" && [ -n "$devno" ]; then
+ foreach_cryptdev --reverse _do_stop_remove "$devno" || rv=$? # try to remove slave devices first
+ fi
+ return $rv
+}
+_do_stop_skipped() {
+ if [ "$1" = "$CRYPTTAB_NAME" ]; then
+ skip="y"
+ fi
+}
+_do_stop_remove() {
+ local name="$1" i rv=0
+ for i in 1 2 4 8 16 32; do
+ remove_mapping "$name" 3<&- && break || rv=$?
+ if [ $rv -eq 1 ] || [ $rv -eq 2 -a $i -gt 16 ]; then
+ log_action_end_msg $rv
+ break
+ fi
+ log_action_cont_msg "$name busy..."
+ sleep $i
+ done
+}
+
+# device_msg([$name], $message)
+# Convenience function to handle $VERBOSE
+device_msg() {
+ local name message
+ if [ $# -eq 1 ]; then
+ name="$CRYPTTAB_NAME"
+ message="$1"
+ else
+ name="$1"
+ message="$2"
+ fi
+
+ if [ "$VERBOSE" != "no" ]; then
+ log_action_cont_msg "$name ($message)"
+ fi
+}
+
+# remove_mapping($target)
+# Remove mapping $target
+remove_mapping() {
+ local CRYPTTAB_NAME="$1"
+
+ if ! dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
+ device_msg "stopped"
+ return 0
+ fi
+
+ if [ "$(dmsetup info --noheadings -c -o subsystem -- "$CRYPTTAB_NAME")" != "CRYPT" ]; then
+ device_msg "error"
+ return 1
+ fi
+
+ local opencount="$(dmsetup info -c --noheadings -o open -- "$CRYPTTAB_NAME" 2>/dev/null || true)"
+ if [ -z "$opencount" ]; then
+ device_msg "error"
+ return 1
+ elif [ "$opencount" != "0" ]; then
+ device_msg "busy"
+ if [ "$INITSTATE" = "early" ] || [ "$INITSTATE" = "manual" ]; then
+ return 1
+ elif [ "$INITSTATE" = "remaining" ]; then
+ return 2
+ fi
+ return 0
+ fi
+
+ if cryptsetup remove -- "$CRYPTTAB_NAME"; then
+ device_msg "stopping"
+ return 0
+ else
+ device_msg "error"
+ return 1
+ fi
+}
+
+# vim: set filetype=sh :
diff --git a/debian/cryptsetup-bin.NEWS b/debian/cryptsetup-bin.NEWS
new file mode 100644
index 0000000..ec5bf13
--- /dev/null
+++ b/debian/cryptsetup-bin.NEWS
@@ -0,0 +1,215 @@
+cryptsetup (2:2.3.6-1+exp1) bullseye-security; urgency=high
+
+ This release fixes a key truncation issue for standalone dm-integrity
+ devices using HMAC integrity protection. For existing such devices
+ with extra long HMAC keys (typically >106 bytes of length, see
+ https://bugs.debian.org/949336#78 for the various corner cases), one
+ might need to manually truncate the key using integritysetup(8)'s
+ `--integrity-key-size` option in order to properly map the device
+ under 2:2.3.6-1+exp1 and later.
+
+ Only standalone dm-integrity devices are affected. dm-crypt devices,
+ including those using authenticated disk encryption, are unaffected.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 28 May 2021 22:54:20 +0200
+
+cryptsetup (2:1.6.6-1) unstable; urgency=medium
+
+ The whirlpool hash implementation has been broken in gcrypt until version
+ 1.5.3. This has been fixed in subsequent gcrypt releases. In particular,
+ the gcrypt version that is used by cryptsetup starting with this release,
+ has the bug fixed. Consequently, LUKS containers created with broken
+ whirlpool will fail to open from now on.
+
+ In the case that you're affected by the whirlpool bug, please read section
+ '8.3 Gcrypt after 1.5.3 breaks Whirlpool' of the cryptsetup FAQ at
+ https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
+ carefully. It explains how to open your LUKS container and reencrypt it
+ afterwards.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 04 Mar 2014 23:17:37 +0100
+
+cryptsetup (2:1.1.3-1) unstable; urgency=low
+
+ Cryptdisks init scripts changed their behaviour for failures at starting and
+ stopping encrypted devices. Cryptdisks init script now raises a warning for
+ failures at starting encrypted devices, and cryptdisks-early warns about
+ failures at stopping encrypted devices.
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 10 Jul 2010 14:36:33 +0200
+
+cryptsetup (2:1.1.0-1) unstable; urgency=low
+
+ The default key size for LUKS was changed from 128 to 256 bits, and default
+ plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256.
+ In case that you use plain mode encryption and don't have set cipher and hash
+ in /etc/crypttab, you should do so now. The new defaults are not backwards
+ compatible. See the manpage for crypttab(5) for further information. If your
+ dm-crypt setup was done by debian-installer, you can ignore that warning.
+
+ Additionally, the keyscript decrypt_gpg, which was disabled by default up to
+ now, has been rewritten and renamed to decrypt_gnupg. If you use a customized
+ version of the decrypt_gpg keyscript, please backup it before upgrading the
+ package.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 04 Mar 2010 17:31:40 +0100
+
+cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low
+
+ The cryptroot initramfs hook script has been changed to include all
+ available crypto kernel modules in case that initramfs-tools is configured
+ with MODULES=most (default). See /etc/initramfs-tools/initramfs.conf for
+ more information.
+ If initramfs-tools is configured with MODULES=dep, the cryptroot hook script
+ still tries to detect required modules, as it did by default in the past.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 27 Sep 2009 16:49:20 +0200
+
+cryptsetup (2:1.0.7-2) unstable; urgency=low
+
+ Checkscripts vol_id and un_vol_id have been replaced by blkid and un_blkid.
+ In case that you explicitly set keyscript=vol_id or keyscript=un_vol_id in
+ /etc/crypttab, you will need to update your /etc/crypttab manually.
+ Replacing 'vol_id' with 'blkid' and 'un_vol_id' with 'un_blkid' should work.
+ The new *blkid keyscripts are fully compatible to the old *vol_id scripts.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 23 Aug 2009 23:32:49 +0200
+
+cryptsetup (2:1.0.6-8) unstable; urgency=low
+
+ Keyscripts inside the initramfs have been moved from /keyscripts to
+ /lib/cryptsetup/scripts. This way they're now available at the same location
+ as on the normal system.
+ In most cases no manual action is required. Only if you reference a keyscript
+ by path in some script that is included in the initramfs, then you need to
+ update that reference by updating the path.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 23 Dec 2008 00:43:10 +0100
+
+cryptsetup (2:1.0.6-7) unstable; urgency=medium
+
+ Support for the timeout option has been removed from cryptdisks initscripts
+ in order to support splash screens and remote shells in boot process.
+ The implementation had been unclean and problematic anyway.
+ If you used the timeout option on headless systems without physical access,
+ then it's a much cleaner solution anyway, to use the 'noauto' option in
+ /etc/crypttab, and start the encrypted devices manually with
+ '/etc/init.d/cryptdisks force-start'.
+ Another approach is to start a minimal ssh-server in the initramfs and unlock
+ the encrypted devices after connecting to it. This even supports encrypted
+ root filesystems for headless server systems.
+ For more information, please see /usr/share/docs/cryptsetup/README.Debian.gz
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 16 Dec 2008 18:37:16 +0100
+
+cryptsetup (2:1.0.6-4) unstable; urgency=medium
+
+ The obsolete keyscript decrypt_old_ssl and the corresponding example script
+ gen-old-ssl-key have been removed from the package. If you're still using
+ them, either save a local backup of /lib/cryptsetup/scripts/decrypt_old_ssl
+ and put it back after the upgrade finished, or migrate your setup to use
+ keyscripts that are still supported.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 27 Jul 2008 16:22:57 +0200
+
+cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low
+
+ The default hash used by the initramfs cryptroot scripts has been changed
+ from sha256 to ripemd160 for consistency with the cryptsetup default. If you
+ have followed the recommendation to configure the hash in /etc/crypttab this
+ change will have no effect on you.
+
+ If you set up disk encryption on your system using the Debian installer
+ and/or if you use LUKS encryption, everything is already set up correctly
+ and you don't need to do anything.
+ If you did *not* use the Debian installer and if you have encrypted devices
+ which do *not* use LUKS, you must make sure that the relevant entries in
+ /etc/crypttab contain a hash=<hash> setting.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 29 Jan 2008 11:46:57 +0100
+
+cryptsetup (2:1.0.5-2) unstable; urgency=low
+
+ The vol_id and un_vol_id check scripts no longer regard minix as a valid
+ filesystem, since random data can be mistakenly identified as a minix
+ filesystem due to an inadequate signature length.
+
+ If you use minix filesystems, you should not rely on prechecks anymore.
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 10 Sep 2007 14:39:44 +0200
+
+cryptsetup (2:1.0.4+svn16-1) unstable; urgency=high
+
+ The --key-file=- argument has changed. If a --hash parameter is passed, it
+ will now be honoured. This means that the decrypt_derived keyscript will in
+ some situations create a different key than previously meaning that any swap
+ partitions that rely on the script will have to be recreated. To emulate the
+ old behaviour, make sure that you pass "--hash=plain" to cryptsetup.
+
+ -- David Härdeman <david@hardeman.nu> Tue, 21 Nov 2006 21:29:50 +0100
+
+cryptsetup (2:1.0.4-7) unstable; urgency=low
+
+ The cryptsetup initramfs scripts now also tries to detect swap
+ partitions used for software suspend (swsusp/suspend2/uswsusp) and
+ to set them up during the initramfs stage. See README.initramfs for
+ more details.
+
+ -- David Härdeman <david@hardeman.nu> Mon, 13 Nov 2006 19:27:02 +0100
+
+cryptsetup (2:1.0.4-1) unstable; urgency=low
+
+ The ssl and gpg options in /etc/crypttab have been deprecated in
+ favour of the keyscripts option. The options will still work, but
+ generate warnings. You should change any lines containing these
+ options to use keyscript=/lib/cryptsetup/scripts/decrypt_old_ssl or
+ keyscript=/lib/cryptsetup/scripts/decrypt_gpg instead as support
+ will be completely removed in the future.
+
+ -- David Härdeman <david@hardeman.nu> Mon, 16 Oct 2006 00:00:12 +0200
+
+cryptsetup (2:1.0.3-4) unstable; urgency=low
+
+ Up to now, the us keymap was loaded at the passphrase prompt in the boot
+ process and ASCII characters were always used. With this upload this is
+ fixed, meaning that the correct keymap is loaded and the keyboard is
+ (optionally) set to UTF8 mode before the passphrase prompt.
+
+ This may result in your password not working any more in the boot process.
+ In this case, you should add a new key with cryptsetup luksAddKey with your
+ correct keymap loaded.
+
+ Additionally, all four fields are now mandatory in /etc/crypttab. An entry
+ which does not contain all fields will be ignored. It is recommended to
+ set cipher, size and hash anyway, as defaults may change in the future.
+
+ If you didn't set any of these settings yet, then you should add
+ cipher=aes-cbc-plain,size=128,hash=ripemd160
+ to the the options in /etc/crypttab. See man crypttab(5) for more details.
+
+ -- David Härdeman <david@2gen.com> Sat, 19 Aug 2006 18:08:40 +0200
+
+cryptsetup (2:1.0.2+1.0.3-rc2-2) unstable; urgency=low
+
+ The crypttab 'retry' has been renamed to 'tries' to reflect upstream's
+ functionality. Default is 3 tries now, even if the option is not given.
+ See the crypttab.5 manpage for more information.
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 28 Apr 2006 17:42:15 +0200
+
+cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low
+
+ Since release 2:1.0.1-9, the cryptsetup package uses cryptsetup-luks as
+ upstream source. This is a enhanced version of plain cryptsetup which
+ includes support for the LUKS extension, a standard on-disk format for
+ hard disk encryption. Plain dm-crypt (as provided by the old cryptsetup
+ package) is still available, thus backwards compatibility is given.
+ Nevertheless it is recommended to update your encrypted partitions to
+ LUKS, as this implementation is more secure than the plain dm-crypt.
+
+ Another major change is the check option for crypttab. It allows to
+ configure checks that are run after cryptsetup has been invoked, and
+ prechecks to be run against the source device before cryptsetup has been
+ invoked. See man crypttab(5) or README.Debian for more information.
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 3 Feb 2006 13:41:35 +0100
diff --git a/debian/cryptsetup-bin.install b/debian/cryptsetup-bin.install
new file mode 100644
index 0000000..6c344e1
--- /dev/null
+++ b/debian/cryptsetup-bin.install
@@ -0,0 +1,5 @@
+sbin/cryptsetup
+sbin/integritysetup
+sbin/veritysetup
+usr/lib/tmpfiles.d/cryptsetup.conf
+usr/share/locale/*/*/*
diff --git a/debian/cryptsetup-bin.manpages b/debian/cryptsetup-bin.manpages
new file mode 100644
index 0000000..759911e
--- /dev/null
+++ b/debian/cryptsetup-bin.manpages
@@ -0,0 +1,44 @@
+# We don't use a glob here since we want to exclude cryptsetup-ssh.8
+# which we ship in the 'cryptsetup-ssh' binary package.
+# Explicitely listing all manual pages here isn't as brittle as it might
+# sound since in compat >=13 dh_listing(1) fails if upstream installs
+# files which aren't part of any binary package.
+usr/share/man/man8/cryptsetup-benchmark.8
+usr/share/man/man8/cryptsetup-bitlkDump.8
+usr/share/man/man8/cryptsetup-bitlkOpen.8
+usr/share/man/man8/cryptsetup-close.8
+usr/share/man/man8/cryptsetup-config.8
+usr/share/man/man8/cryptsetup-convert.8
+usr/share/man/man8/cryptsetup-create.8
+usr/share/man/man8/cryptsetup-erase.8
+usr/share/man/man8/cryptsetup-fvault2Dump.8
+usr/share/man/man8/cryptsetup-fvault2Open.8
+usr/share/man/man8/cryptsetup-isLuks.8
+usr/share/man/man8/cryptsetup-loopaesOpen.8
+usr/share/man/man8/cryptsetup-luksAddKey.8
+usr/share/man/man8/cryptsetup-luksChangeKey.8
+usr/share/man/man8/cryptsetup-luksConvertKey.8
+usr/share/man/man8/cryptsetup-luksDump.8
+usr/share/man/man8/cryptsetup-luksErase.8
+usr/share/man/man8/cryptsetup-luksFormat.8
+usr/share/man/man8/cryptsetup-luksHeaderBackup.8
+usr/share/man/man8/cryptsetup-luksHeaderRestore.8
+usr/share/man/man8/cryptsetup-luksKillSlot.8
+usr/share/man/man8/cryptsetup-luksOpen.8
+usr/share/man/man8/cryptsetup-luksRemoveKey.8
+usr/share/man/man8/cryptsetup-luksResume.8
+usr/share/man/man8/cryptsetup-luksSuspend.8
+usr/share/man/man8/cryptsetup-luksUUID.8
+usr/share/man/man8/cryptsetup-open.8
+usr/share/man/man8/cryptsetup-plainOpen.8
+usr/share/man/man8/cryptsetup-reencrypt.8
+usr/share/man/man8/cryptsetup-refresh.8
+usr/share/man/man8/cryptsetup-repair.8
+usr/share/man/man8/cryptsetup-resize.8
+usr/share/man/man8/cryptsetup-status.8
+usr/share/man/man8/cryptsetup-tcryptDump.8
+usr/share/man/man8/cryptsetup-tcryptOpen.8
+usr/share/man/man8/cryptsetup-token.8
+usr/share/man/man8/cryptsetup.8
+usr/share/man/man8/integritysetup.8
+usr/share/man/man8/veritysetup.8
diff --git a/debian/cryptsetup-initramfs.NEWS b/debian/cryptsetup-initramfs.NEWS
new file mode 100644
index 0000000..0f60251
--- /dev/null
+++ b/debian/cryptsetup-initramfs.NEWS
@@ -0,0 +1,15 @@
+cryptsetup (2:2.0.3-2) unstable; urgency=medium
+
+ In order to defeat online brute-force attacks, the initramfs boot
+ script sleeps for 1 second after each failed try. On the other
+ hand, it no longer sleeps for a full minute after exceeding the
+ maximum number of unlocking tries. This behavior was added in
+ 2:1.7.3-2 as an attempt to mitigate CVE-2016-4484; to avoid dropping
+ to the debug shell after exceeding the maximum number of unlocking
+ tries, users need to use the 'panic' boot parameter and lock down
+ their boot loader & BIOS/UEFI.
+
+ The initramfs hook nows uses /proc/mounts instead of /etc/fstab to
+ detect the root device that is to be unlocked at initramfs stage.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jun 2018 18:50:56 +0200
diff --git a/debian/cryptsetup-initramfs.docs b/debian/cryptsetup-initramfs.docs
new file mode 100644
index 0000000..c1280ac
--- /dev/null
+++ b/debian/cryptsetup-initramfs.docs
@@ -0,0 +1 @@
+debian/README.initramfs
diff --git a/debian/cryptsetup-initramfs.install b/debian/cryptsetup-initramfs.install
new file mode 100644
index 0000000..6780893
--- /dev/null
+++ b/debian/cryptsetup-initramfs.install
@@ -0,0 +1,10 @@
+debian/initramfs/conf-hook /etc/cryptsetup-initramfs/
+debian/initramfs/conf-hooks.d/cryptsetup /usr/share/initramfs-tools/conf-hooks.d/
+debian/initramfs/cryptroot-unlock /usr/share/cryptsetup/initramfs/bin/
+debian/initramfs/hooks/* /usr/share/initramfs-tools/hooks/
+debian/initramfs/scripts/local-block/cryptroot /usr/share/initramfs-tools/scripts/local-block/
+debian/initramfs/scripts/local-bottom/cryptgnupg-sc /usr/share/initramfs-tools/scripts/local-bottom/
+debian/initramfs/scripts/local-bottom/cryptopensc /usr/share/initramfs-tools/scripts/local-bottom/
+debian/initramfs/scripts/local-bottom/cryptroot /usr/share/initramfs-tools/scripts/local-bottom/
+debian/initramfs/scripts/local-top/cryptopensc /usr/share/initramfs-tools/scripts/local-top/
+debian/initramfs/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/
diff --git a/debian/cryptsetup-initramfs.lintian-overrides b/debian/cryptsetup-initramfs.lintian-overrides
new file mode 100644
index 0000000..72e8077
--- /dev/null
+++ b/debian/cryptsetup-initramfs.lintian-overrides
@@ -0,0 +1,6 @@
+# `cryptroot-unlock` is meant to be run from the initramfs image, using busybox's /bin/ash
+unusual-interpreter /bin/busybox [usr/share/cryptsetup/initramfs/bin/cryptroot-unlock]
+no-debconf-config
+
+# valid use of Conflicts:, cf. section 7.4 of the Debian Policy
+conflicts-with-version lvm2 (<< 2.03.15-1)
diff --git a/debian/cryptsetup-initramfs.postinst b/debian/cryptsetup-initramfs.postinst
new file mode 100644
index 0000000..acf6e1b
--- /dev/null
+++ b/debian/cryptsetup-initramfs.postinst
@@ -0,0 +1,41 @@
+#! /bin/sh
+
+set -e
+
+# needed for debconf magic in prerm script
+. /usr/share/debconf/confmodule
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+
+case "$1" in
+ configure)
+
+ if command -v update-initramfs >/dev/null; then
+ update-initramfs -u
+ fi
+
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/cryptsetup-initramfs.postrm b/debian/cryptsetup-initramfs.postrm
new file mode 100644
index 0000000..f42e20e
--- /dev/null
+++ b/debian/cryptsetup-initramfs.postrm
@@ -0,0 +1,15 @@
+#! /bin/sh
+
+set -e
+
+case "$1" in
+ remove)
+ if command -v update-initramfs >/dev/null; then
+ update-initramfs -u
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/cryptsetup-initramfs.prerm b/debian/cryptsetup-initramfs.prerm
new file mode 100644
index 0000000..48fa691
--- /dev/null
+++ b/debian/cryptsetup-initramfs.prerm
@@ -0,0 +1,29 @@
+#! /bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+case "$1" in
+ remove)
+ if grep -q '^dm_mod\s' /proc/modules; then
+ # XXX we overshoot here, only devices that need to be present at
+ # initramfs stage need to be checked here
+ cryptmap="$(dmsetup table --target crypt | sed -n 's/:.*//p' | tr '\n' ' ')"
+ if [ -n "$cryptmap" ]; then
+ db_fset cryptsetup-initramfs/prerm_active_mappings seen false
+ db_subst cryptsetup-initramfs/prerm_active_mappings cryptmap "$cryptmap"
+ db_input high cryptsetup-initramfs/prerm_active_mappings || true
+ db_go || true
+ db_get cryptsetup-initramfs/prerm_active_mappings
+ if [ "$RET" = "false" ]; then
+ exit 1
+ fi
+ fi
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/cryptsetup-initramfs.templates b/debian/cryptsetup-initramfs.templates
new file mode 100644
index 0000000..2d87012
--- /dev/null
+++ b/debian/cryptsetup-initramfs.templates
@@ -0,0 +1,9 @@
+Template: cryptsetup-initramfs/prerm_active_mappings
+Type: boolean
+Default: true
+_Description: Continue with cryptsetup-initramfs removal?
+ This system has unlocked dm-crypt devices: ${cryptmap}
+ .
+ If these devices are managed with cryptsetup and need to be present at
+ initramfs stage, then you might be unable to boot your system after the
+ package removal.
diff --git a/debian/cryptsetup-run.NEWS b/debian/cryptsetup-run.NEWS
new file mode 100644
index 0000000..9dfe5a4
--- /dev/null
+++ b/debian/cryptsetup-run.NEWS
@@ -0,0 +1,11 @@
+cryptsetup (2:2.0.3-2) unstable; urgency=medium
+
+ The 'decrypt_openct' keyscript has been removed, since openct itself
+ is no longer developed and was removed from Debian since Jessie.
+
+ The 'precheck' crypttab(5) option is no longer supported. The
+ precheck for LUKS devices is still hardcoded to `cryptsetup isLuks`;
+ the script refuses to unlock non-LUKS devices (plain dm-crypt and
+ tcrypt devices) containing a known filesystem (other that swap).
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jun 2018 18:49:45 +0200
diff --git a/debian/cryptsetup-ssh.install b/debian/cryptsetup-ssh.install
new file mode 100644
index 0000000..f41adb1
--- /dev/null
+++ b/debian/cryptsetup-ssh.install
@@ -0,0 +1,2 @@
+lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.so
+sbin/cryptsetup-ssh
diff --git a/debian/cryptsetup-ssh.manpages b/debian/cryptsetup-ssh.manpages
new file mode 100644
index 0000000..f89b50f
--- /dev/null
+++ b/debian/cryptsetup-ssh.manpages
@@ -0,0 +1 @@
+usr/share/man/man8/cryptsetup-ssh.8
diff --git a/debian/cryptsetup-suspend.install b/debian/cryptsetup-suspend.install
new file mode 100644
index 0000000..371a98f
--- /dev/null
+++ b/debian/cryptsetup-suspend.install
@@ -0,0 +1,5 @@
+debian/scripts/suspend/cryptsetup-suspend /lib/cryptsetup/scripts/suspend/
+debian/scripts/suspend/cryptsetup-suspend-wrapper /lib/cryptsetup/scripts/suspend/
+debian/scripts/suspend/cryptsetup-suspend.shutdown /lib/systemd/system-shutdown/
+debian/scripts/suspend/suspend.conf /etc/cryptsetup/
+debian/scripts/suspend/systemd/cryptsetup-suspend.conf /lib/systemd/system/systemd-suspend.service.d/
diff --git a/debian/cryptsetup-suspend.lintian-overrides b/debian/cryptsetup-suspend.lintian-overrides
new file mode 100644
index 0000000..c5a34f6
--- /dev/null
+++ b/debian/cryptsetup-suspend.lintian-overrides
@@ -0,0 +1,2 @@
+# cryptsetup-suspend depends on systemd and doesn't work with sysvinit
+cryptsetup-suspend: package-supports-alternative-init-but-no-init.d-script
diff --git a/debian/cryptsetup-suspend.manpages b/debian/cryptsetup-suspend.manpages
new file mode 100644
index 0000000..e338d98
--- /dev/null
+++ b/debian/cryptsetup-suspend.manpages
@@ -0,0 +1 @@
+debian/doc/cryptsetup-suspend.7
diff --git a/debian/cryptsetup-suspend.postinst b/debian/cryptsetup-suspend.postinst
new file mode 100644
index 0000000..daabad5
--- /dev/null
+++ b/debian/cryptsetup-suspend.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+# dh_installsystemd(1) doesn't support overrides but we manually copy
+# the snippet it would add.
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ]; then
+ if [ -d /run/systemd/system ]; then
+ systemctl --system daemon-reload >/dev/null || true
+ fi
+fi
+
+#DEBHELPER#
+exit 0
diff --git a/debian/cryptsetup-suspend.postrm b/debian/cryptsetup-suspend.postrm
new file mode 100644
index 0000000..2505065
--- /dev/null
+++ b/debian/cryptsetup-suspend.postrm
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+# dh_installsystemd(1) doesn't support overrides but we manually copy
+# the snippet it would add.
+if [ -d /run/systemd/system ]; then
+ systemctl --system daemon-reload >/dev/null || true
+fi
+
+#DEBHELPER#
+exit 0
diff --git a/debian/cryptsetup-udeb.install b/debian/cryptsetup-udeb.install
new file mode 100644
index 0000000..b37fb69
--- /dev/null
+++ b/debian/cryptsetup-udeb.install
@@ -0,0 +1,7 @@
+debian/askpass /lib/cryptsetup/
+debian/checks/* /lib/cryptsetup/checks/
+debian/cryptdisks-functions /lib/cryptsetup/
+debian/functions /lib/cryptsetup/
+debian/scripts/decrypt_* /lib/cryptsetup/scripts/
+debian/scripts/passdev /lib/cryptsetup/scripts/
+sbin/cryptsetup
diff --git a/debian/cryptsetup-udeb.preinst b/debian/cryptsetup-udeb.preinst
new file mode 100644
index 0000000..483051e
--- /dev/null
+++ b/debian/cryptsetup-udeb.preinst
@@ -0,0 +1,32 @@
+#! /bin/sh
+
+set -e
+
+create_crypttab() {
+ if [ ! -f "/etc/crypttab" ]; then
+ cat <<-EOC >/etc/crypttab
+ # <target name> <source device> <key file> <options>
+ EOC
+ fi
+}
+
+case "$1" in
+ install)
+ create_crypttab
+ ;;
+
+ upgrade)
+ ;;
+
+ abort-upgrade)
+ ;;
+
+ *)
+ echo "preinst called with unknown argument '$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/cryptsetup.NEWS b/debian/cryptsetup.NEWS
new file mode 100644
index 0000000..8bf645b
--- /dev/null
+++ b/debian/cryptsetup.NEWS
@@ -0,0 +1,62 @@
+cryptsetup (2:2.5.0~rc1-3) experimental; urgency=medium
+
+ The experimental SSH token handler and cryptsetup-ssh(8) utility are now
+ shipped in a separate binary package 'cryptsetup-ssh'. (They were first
+ included in cryptsetup 2:2.4.0~rc0-1+exp1 so have never been part of a
+ stable Debian release.) No pre-existing binary package in src:cryptsetup
+ declares any dependency on the new binary package so users who need
+ experimental SSH token support need to manually run `apt install
+ cryptsetup-ssh`.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 21 Jul 2022 20:41:20 +0200
+
+cryptsetup (2:2.1.0-7) unstable; urgency=low
+
+ The 'cryptsetup' and 'cryptsetup-run' packages have been swapped:
+ 'cryptsetup' now contains init scripts, libraries, keyscripts, etc.,
+ while 'cryptsetup-run' is a transitional dummy package depending on
+ 'cryptsetup'.
+
+ On systems which do rely on the initramfs integration, one can mark
+ 'cryptsetup-initramfs' as being manually installed (so APT never
+ selects it for auto-removal) with the following command:
+
+ apt-mark manual cryptsetup-initramfs
+
+ On the other hand, the 'cryptsetup-initramfs' package can be safely
+ removed on systems not relying on initramfs integration.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 21 Jul 2019 17:08:52 -0300
+
+cryptsetup (2:2.0.3-2) unstable; urgency=medium
+
+ The 'decrypt_openct' keyscript has been removed, since openct itself
+ is no longer developed and was removed from Debian since Jessie.
+
+ In order to defeat online brute-force attacks, the initramfs boot
+ script sleeps for 1 second after each failed try. On the other
+ hand, it no longer sleeps for a full minute after exceeding the
+ maximum number of unlocking tries. This behavior was added in
+ 2:1.7.3-2 as an attempt to mitigate CVE-2016-4484; to avoid dropping
+ to the debug shell after exceeding the maximum number of unlocking
+ tries, users need to use the 'panic' boot parameter and lock down
+ their boot loader & BIOS/UEFI.
+
+ The initramfs hook nows uses /proc/mounts instead of /etc/fstab to
+ detect the root device that is to be unlocked at initramfs stage.
+
+ The 'precheck' crypttab(5) option is no longer supported. The
+ precheck for LUKS devices is still hardcoded to `cryptsetup isLuks`;
+ the script refuses to unlock non-LUKS devices (plain dm-crypt and
+ tcrypt devices) containing a known filesystem (other that swap).
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 22 May 2018 01:47:21 +0200
+
+cryptsetup (2:2.0.3-1) unstable; urgency=medium
+
+ With this version, cryptsetup has been split into cryptsetup-run
+ (init script) and cryptsetup-initramfs (initramfs integration).
+ 'cryptsetup' is now a transitional dummy package depending on
+ cryptsetup-run and cryptsetup-initramfs.
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 16 May 2018 23:39:20 +0200
diff --git a/debian/cryptsetup.apport b/debian/cryptsetup.apport
new file mode 100644
index 0000000..ad811ce
--- /dev/null
+++ b/debian/cryptsetup.apport
@@ -0,0 +1,43 @@
+'''apport package hook for cryptsetup
+
+(c) 2009 Author: Reinhard Tartler <siretart@tauware.de>
+(c) 2015 Author: Jonas Meurer <jonas@freesources.org>
+'''
+
+from apport.hookutils import *
+
+msg = \
+"""
+
+Providing additional information can help diagnose problems with cryptsetup.
+Specifically, this would include:
+- kernel cmdline (copy of /proc/cmdline).
+- crypttab configuration (copy of /etc/crypttab).
+- fstab configuration (copy of /etc/fstab).
+If this information is not relevant for your bug report or you have privacy
+concerns, please choose no.
+
+Do you want to provide additional information?
+(you will be able to review the data before it is sent)
+
+"""
+
+def add_info(report, ui):
+ attach_files = False
+
+ if ui:
+ if ui.yesno(msg) == None:
+ # user decided to cancel
+ raise StopIteration
+
+ # user is allowing files to be attached.
+ attach_files = True
+
+ if attach_files == False:
+ # do not attach any files
+ return
+
+ attach_file(report, '/proc/cmdline', 'cmdline')
+ attach_file(report, '/etc/fstab', 'fstab')
+ attach_file_if_exists(report, '/etc/crypttab', 'crypttab')
+
diff --git a/debian/cryptsetup.cryptdisks-early.init b/debian/cryptsetup.cryptdisks-early.init
new file mode 100644
index 0000000..6498431
--- /dev/null
+++ b/debian/cryptsetup.cryptdisks-early.init
@@ -0,0 +1,53 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: cryptdisks-early
+# Required-Start: checkroot
+# Required-Stop: umountroot
+# Should-Start: udev mdadm-raid
+# Should-Stop: udev mdadm-raid
+# X-Start-Before: lvm2
+# X-Stop-After: lvm2 umountfs
+# X-Interactive: true
+# Default-Start: S
+# Default-Stop: 0 6
+# Short-Description: Setup early encrypted block devices.
+# Description:
+### END INIT INFO
+
+set -e
+
+if [ -r /lib/cryptsetup/cryptdisks-functions ]; then
+ . /lib/cryptsetup/cryptdisks-functions
+else
+ exit 0
+fi
+
+INITSTATE="early"
+DEFAULT_LOUD=""
+
+case "$CRYPTDISKS_ENABLE" in
+[Nn]*)
+ exit 0
+ ;;
+esac
+
+case "$1" in
+start)
+ do_start
+ ;;
+stop)
+ do_stop
+ ;;
+restart|reload|force-reload)
+ do_stop
+ do_start
+ ;;
+force-start)
+ FORCE_START="yes"
+ do_start
+ ;;
+*)
+ echo "Usage: cryptdisks-early {start|stop|restart|reload|force-reload|force-start}"
+ exit 1
+ ;;
+esac
diff --git a/debian/cryptsetup.cryptdisks.default b/debian/cryptsetup.cryptdisks.default
new file mode 100644
index 0000000..c1f837c
--- /dev/null
+++ b/debian/cryptsetup.cryptdisks.default
@@ -0,0 +1,12 @@
+# Run cryptdisks initscripts at startup? Default is Yes.
+CRYPTDISKS_ENABLE=Yes
+
+# Mountpoints to mount, before cryptsetup is invoked at initscripts. Takes
+# mountpoins which are configured in /etc/fstab as arguments. Separate
+# mountpoints by space.
+# This is useful for keyfiles on removable media. Default is unset.
+CRYPTDISKS_MOUNT=""
+
+# Default check script. Takes effect, if the 'check' option is set in crypttab
+# without a value.
+CRYPTDISKS_CHECK=blkid
diff --git a/debian/cryptsetup.cryptdisks.init b/debian/cryptsetup.cryptdisks.init
new file mode 100644
index 0000000..0cd4a83
--- /dev/null
+++ b/debian/cryptsetup.cryptdisks.init
@@ -0,0 +1,53 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: cryptdisks
+# Required-Start: checkroot cryptdisks-early
+# Required-Stop: umountroot cryptdisks-early
+# Should-Start: udev mdadm-raid lvm2
+# Should-Stop: udev mdadm-raid lvm2
+# X-Start-Before: checkfs
+# X-Stop-After: umountfs
+# X-Interactive: true
+# Default-Start: S
+# Default-Stop: 0 6
+# Short-Description: Setup remaining encrypted block devices.
+# Description:
+### END INIT INFO
+
+set -e
+
+if [ -r /lib/cryptsetup/cryptdisks-functions ]; then
+ . /lib/cryptsetup/cryptdisks-functions
+else
+ exit 0
+fi
+
+INITSTATE="remaining"
+DEFAULT_LOUD="yes"
+
+case "$CRYPTDISKS_ENABLE" in
+[Nn]*)
+ exit 0
+ ;;
+esac
+
+case "$1" in
+start)
+ do_start
+ ;;
+stop)
+ do_stop
+ ;;
+restart|reload|force-reload)
+ do_stop
+ do_start
+ ;;
+force-start)
+ FORCE_START="yes"
+ do_start
+ ;;
+*)
+ echo "Usage: cryptdisks {start|stop|restart|reload|force-reload|force-start}"
+ exit 1
+ ;;
+esac
diff --git a/debian/cryptsetup.docs b/debian/cryptsetup.docs
new file mode 100644
index 0000000..7e2362a
--- /dev/null
+++ b/debian/cryptsetup.docs
@@ -0,0 +1,10 @@
+AUTHORS
+FAQ.md
+README.md
+debian/README.debug
+debian/README.gnupg
+debian/README.gnupg-sc
+debian/README.keyctl
+debian/README.opensc
+docs/*.txt
+docs/*ReleaseNotes
diff --git a/debian/cryptsetup.examples b/debian/cryptsetup.examples
new file mode 100644
index 0000000..3cf5ebb
--- /dev/null
+++ b/debian/cryptsetup.examples
@@ -0,0 +1 @@
+debian/scripts/gen-ssl-key
diff --git a/debian/cryptsetup.install b/debian/cryptsetup.install
new file mode 100644
index 0000000..934801d
--- /dev/null
+++ b/debian/cryptsetup.install
@@ -0,0 +1,9 @@
+debian/askpass /lib/cryptsetup/
+debian/bash_completion/cryptdisks_start /usr/share/bash-completion/completions/
+debian/checks/* /lib/cryptsetup/checks/
+debian/cryptdisks-functions /lib/cryptsetup/
+debian/functions /lib/cryptsetup/
+debian/scripts/cryptdisks_* /sbin/
+debian/scripts/decrypt_* /lib/cryptsetup/scripts/
+debian/scripts/luksformat /usr/sbin/
+debian/scripts/passdev /lib/cryptsetup/scripts/
diff --git a/debian/cryptsetup.links b/debian/cryptsetup.links
new file mode 100644
index 0000000..1c8eea5
--- /dev/null
+++ b/debian/cryptsetup.links
@@ -0,0 +1 @@
+/usr/share/bash-completion/completions/cryptdisks_start /usr/share/bash-completion/completions/cryptdisks_stop
diff --git a/debian/cryptsetup.lintian-overrides b/debian/cryptsetup.lintian-overrides
new file mode 100644
index 0000000..393e3fe
--- /dev/null
+++ b/debian/cryptsetup.lintian-overrides
@@ -0,0 +1,3 @@
+init.d-script-does-not-implement-status-option [etc/init.d/cryptdisks]
+init.d-script-does-not-implement-status-option [etc/init.d/cryptdisks-early]
+no-debconf-config
diff --git a/debian/cryptsetup.maintscript b/debian/cryptsetup.maintscript
new file mode 100644
index 0000000..e29d3ed
--- /dev/null
+++ b/debian/cryptsetup.maintscript
@@ -0,0 +1,2 @@
+rm_conffile /etc/init/cryptdisks-udev.conf 2:2.4.0-1
+rm_conffile /etc/init/cryptdisks.conf 2:2.4.0-1
diff --git a/debian/cryptsetup.manpages b/debian/cryptsetup.manpages
new file mode 100644
index 0000000..efd2b80
--- /dev/null
+++ b/debian/cryptsetup.manpages
@@ -0,0 +1,2 @@
+debian/doc/*.5
+debian/doc/*.8
diff --git a/debian/cryptsetup.postinst b/debian/cryptsetup.postinst
new file mode 100644
index 0000000..635324b
--- /dev/null
+++ b/debian/cryptsetup.postinst
@@ -0,0 +1,53 @@
+#! /bin/sh
+
+set -e
+
+# needed for debconf magic in prerm script
+. /usr/share/debconf/confmodule
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+
+case "$1" in
+ configure)
+ for file in cryptdisks_start cryptdisks_stop; do
+ if [ ! -e "/usr/sbin/$file" ]; then
+ ln -s "/sbin/$file" "/usr/sbin/$file"
+ fi
+ done
+
+ # Do a number of checks on the currently installed crypttab
+ . /lib/cryptsetup/functions
+ crypttab_foreach_entry crypttab_parse_options || true
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# try to remove /etc/init if it exists, it's empty and isn't owned
+# NOTE: this needs to placed *after* the dh_installdeb-replaced snippet
+# which contains calls to `dpkg-maintscript-helper rm_conffile`
+if [ "$1" = "configure" ] && [ -d /etc/init ] && dpkg --compare-versions -- "${2-}" lt "2:2.4.0-1" && \
+ ! { dpkg-query -S /etc/init >/dev/null 2>&1 || [ $? -ne 1 ]; } then
+ rmdir --ignore-fail-on-non-empty /etc/init
+fi
+
+exit 0
diff --git a/debian/cryptsetup.postrm b/debian/cryptsetup.postrm
new file mode 100644
index 0000000..403f223
--- /dev/null
+++ b/debian/cryptsetup.postrm
@@ -0,0 +1,26 @@
+#! /bin/sh
+
+set -e
+
+case "$1" in
+ remove)
+ for file in cryptdisks_start cryptdisks_stop; do
+ if [ -L /usr/sbin/$file ]; then
+ rm /usr/sbin/$file
+ fi
+ done
+ ;;
+esac
+
+#DEBHELPER#
+
+# try to remove /etc/init if it exists, it's empty and isn't owned
+# NOTE: this needs to placed *after* the dh_installdeb-replaced snippet
+# which contains calls to `dpkg-maintscript-helper rm_conffile`
+if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then
+ if [ -d /etc/init ] && ! { dpkg-query -S /etc/init >/dev/null 2>&1 || [ $? -ne 1 ]; } then
+ rmdir --ignore-fail-on-non-empty /etc/init
+ fi
+fi
+
+exit 0
diff --git a/debian/cryptsetup.preinst b/debian/cryptsetup.preinst
new file mode 100644
index 0000000..7f1e1bc
--- /dev/null
+++ b/debian/cryptsetup.preinst
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = install ] && [ ! -f "/etc/crypttab" ]; then
+ cat <<-EOC >/etc/crypttab
+ # <target name> <source device> <key file> <options>
+ EOC
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/cryptsetup.prerm b/debian/cryptsetup.prerm
new file mode 100644
index 0000000..f0cb4b2
--- /dev/null
+++ b/debian/cryptsetup.prerm
@@ -0,0 +1,27 @@
+#! /bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+case "$1" in
+ remove)
+ if grep -q '^dm_mod\s' /proc/modules; then
+ cryptmap="$(dmsetup table --target crypt | sed -n 's/:.*//p' | tr '\n' ' ')"
+ if [ -n "$cryptmap" ]; then
+ db_fset cryptsetup/prerm_active_mappings seen false
+ db_subst cryptsetup/prerm_active_mappings cryptmap "$cryptmap"
+ db_input high cryptsetup/prerm_active_mappings || true
+ db_go || true
+ db_get cryptsetup/prerm_active_mappings
+ if [ "$RET" = "false" ]; then
+ exit 1
+ fi
+ fi
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/cryptsetup.templates b/debian/cryptsetup.templates
new file mode 100644
index 0000000..88540ca
--- /dev/null
+++ b/debian/cryptsetup.templates
@@ -0,0 +1,13 @@
+Template: cryptsetup/prerm_active_mappings
+Type: boolean
+Default: true
+_Description: Continue with cryptsetup removal?
+ This system has unlocked dm-crypt devices: ${cryptmap}
+ .
+ If these devices are managed with cryptsetup, you might be unable to
+ lock the devices after the package removal, though other tools can be
+ used for managing dm-crypt devices. Any system shutdown or reboot will
+ lock the devices.
+ .
+ Do not choose this option if you want to lock the dm-crypt devices
+ before package removal.
diff --git a/debian/doc/cryptdisks_start.xml b/debian/doc/cryptdisks_start.xml
new file mode 100644
index 0000000..fd8269d
--- /dev/null
+++ b/debian/doc/cryptdisks_start.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
+
+<refentry id="command.cryptdisks_start">
+
+ <xi:include href="variables.xml"
+ xpointer="xpointer(/refentry/refentryinfo)"
+ xmlns:xi="http://www.w3.org/2001/XInclude"/>
+
+ <refmeta>
+ <refentrytitle>cryptdisks_start</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <xi:include href="variables.xml"
+ xpointer="xpointer(/refentry/refmeta/*)"
+ xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ </refmeta>
+
+ <refnamediv>
+ <refname>cryptdisks_start</refname>
+ <refpurpose>wrapper around cryptsetup that parses /etc/crypttab.</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <simpara>
+ <emphasis role="strong">cryptdisks_start</emphasis>
+ <emphasis>&lt;name&gt;</emphasis>
+ </simpara>
+ </refsynopsisdiv>
+
+ <refsect1 id="cryptdisks_start.description">
+ <title>DESCRIPTION</title>
+ <simpara>
+ <emphasis role="strong">cryptdisks_start</emphasis> is a wrapper around
+ <emphasis role="strong">cryptsetup</emphasis> that parses
+ <emphasis role="strong">/etc/crypttab</emphasis> just like the initscript
+ /etc/init.d/cryptdisks does and starts the dm-crypt mapping that
+ corresponds to <emphasis>&lt;name&gt;</emphasis>.
+ </simpara>
+ <simpara>
+ Note that this wrapper passes <option>--key-file=-</option> to
+ <command moreinfo="refentry">cryptsetup</command>, so the passphrase
+ in any referenced key file must not be followed by a newline character.
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="cryptdisks_start.see_also">
+ <title>SEE ALSO</title>
+ <simpara>
+ <emphasis>cryptdisks_stop</emphasis>(8),
+ <emphasis>cryptsetup</emphasis>(8), <emphasis>crypttab</emphasis>(5)
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="cryptdisks_start.author">
+ <title>AUTHOR</title><simpara>This manual page was written by Jonas Meurer
+ &lt;mejo@debian.org&gt; in December 2007.
+ </simpara>
+ </refsect1>
+
+</refentry>
diff --git a/debian/doc/cryptdisks_stop.xml b/debian/doc/cryptdisks_stop.xml
new file mode 100644
index 0000000..b0ed32a
--- /dev/null
+++ b/debian/doc/cryptdisks_stop.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
+
+<refentry id="command.cryptdisks_stop">
+
+ <xi:include href="variables.xml"
+ xpointer="xpointer(/refentry/refentryinfo)"
+ xmlns:xi="http://www.w3.org/2001/XInclude"/>
+
+ <refmeta>
+ <refentrytitle>cryptdisks_stop</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <xi:include href="variables.xml"
+ xpointer="xpointer(/refentry/refmeta/*)"
+ xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ </refmeta>
+
+ <refnamediv>
+ <refname>cryptdisks_stop</refname>
+ <refpurpose>wrapper around cryptsetup that parses /etc/crypttab.</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <simpara>
+ <emphasis role="strong">cryptdisks_stop</emphasis>
+ <emphasis>&lt;name&gt;</emphasis>
+ </simpara>
+ </refsynopsisdiv>
+
+ <refsect1 id="cryptdisks_stop.description">
+ <title>DESCRIPTION</title>
+ <simpara>
+ <emphasis role="strong">cryptdisks_stop</emphasis> is a wrapper around
+ <emphasis role="strong">cryptsetup</emphasis> that parses
+ <emphasis role="strong">/etc/crypttab</emphasis> just like the initscript
+ /etc/init.d/cryptdisks does and stops the dm-crypt mapping that corresponds
+ to <emphasis>&lt;name&gt;</emphasis>.
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="cryptdisks_stop.see_also">
+ <title>SEE ALSO</title>
+ <simpara>
+ <emphasis>cryptdisks_start</emphasis>(8),
+ <emphasis>cryptsetup</emphasis>(8), <emphasis>crypttab</emphasis>(5)
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="cryptdisks_stop.author">
+ <title>AUTHOR</title><simpara>This manual page was written by Jonas Meurer
+ &lt;mejo@debian.org&gt; in January 2008.
+ </simpara>
+ </refsect1>
+
+</refentry>
diff --git a/debian/doc/cryptsetup-suspend.xml b/debian/doc/cryptsetup-suspend.xml
new file mode 100644
index 0000000..c179a6c
--- /dev/null
+++ b/debian/doc/cryptsetup-suspend.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
+
+<refentry id="overview.cryptsetup-suspend">
+
+ <xi:include href="variables.xml"
+ xpointer="xpointer(/refentry/refentryinfo)"
+ xmlns:xi="http://www.w3.org/2001/XInclude"/>
+
+ <refmeta>
+ <refentrytitle>cryptsetup-suspend</refentrytitle>
+ <manvolnum>7</manvolnum>
+ <xi:include href="variables.xml"
+ xpointer="xpointer(/refentry/refmeta/*)"
+ xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ </refmeta>
+
+ <refnamediv>
+ <refname>cryptsetup-suspend</refname>
+ <refpurpose>automatically suspend LUKS devices on system suspend</refpurpose>
+ </refnamediv>
+
+ <refsect1 id="cryptsetup-suspend.description">
+ <title>DESCRIPTION</title>
+ <simpara>
+ <emphasis>cryptsetup-suspend</emphasis> brings support to automatically
+ suspend LUKS devices before entering system suspend mode. Devices will be
+ unlocked at system resume time, asking for passwords if required.
+ The feature is enabled automatically by installing the
+ <emphasis>cryptsetup-suspend</emphasis> package. No further configuration
+ is required.
+ </simpara>
+ <simpara>
+ <emphasis>cryptsetup-suspend</emphasis> supports all setups of LUKS
+ devices that are supported by the <emphasis>cryptsetup</emphasis>
+ packages. To do so, it depends on scripts from the Debian package
+ <emphasis>cryptsetup-initramfs</emphasis>. See the
+ <reference>INTERNALS</reference> section about details on how it works.
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="cryptsetup-suspend.security-aspects">
+ <title>SECURITY ASPECTS</title>
+ <simpara>
+ Suspending LUKS devices basically means to remove the corresponding
+ encryption keys from system memory. This protects against all sort of
+ attacks that try to read out the memory from a suspended system, like
+ for example cold-boot attacks.
+ </simpara>
+ <simpara>
+ <emphasis>cryptsetup-suspend</emphasis> protects <emphasis>only</emphasis>
+ the encryption keys of your LUKS devices against being read from the
+ memory. Most likely there's more sensitive data in system memory, be
+ it other kinds of private keys (e.g. OpenPGP, OpenSSH) or any kind
+ of documents with sensitive content.
+ </simpara>
+ <simpara>
+ The initramfs image is extracted in memory and left unencrypted (see the
+ <reference>INTERNALS</reference> section) so all key material it might
+ include, for instance key files copied using the hooks'
+ <emphasis>KEYFILE_PATTERN=</emphasis> option, will remain unprotected.
+ </simpara>
+ </refsect1>
+
+
+ <refsect1 id="cryptsetup-suspend.limitations">
+ <title>LIMITATIONS</title>
+ <simpara>
+ The <emphasis>cryptsetup-suspend</emphasis> feature is limited to LUKS
+ devices and doesn't work with <emphasis>plain dm-crypt</emphasis> or
+ <emphasis>tcrypt</emphasis> devices.
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="cryptsetup-suspend.internals">
+ <title>INTERNALS</title>
+ <simpara>
+ <emphasis>cryptsetup-suspend</emphasis> consists of three parts:
+ <simplelist type="inline">
+ <member>
+ <command>cryptsetup-suspend</command>: A c program that takes a list
+ of LUKS devices as arguments, suspends them via
+ <emphasis>luksSuspend</emphasis> and suspends the system afterwards.
+ </member>
+ <member>
+ <command>cryptsetup-suspend-wrapper</command>: A shell wrapper script
+ which works the following way:
+ <simplelist type="inline">
+ <member>1. Disable swap and extract the initramfs into a tmpfs (the chroot)</member>
+ <member>2. Run (systemd) pre-suspend scripts, stop udev, freeze cgroups</member>
+ <member>3. run cryptsetup-suspend in chroot</member>
+ <member>4. resume initramfs devices inside chroot after resume</member>
+ <member>5. resume non-initramfs devices outside chroot</member>
+ <member>6. thaw groups, start udev, run (systemd) post-suspend scripts</member>
+ <member>7. Unmount the tmpfs and re-enable swap</member>
+ </simplelist>
+ </member>
+ <member>
+ A systemd unit drop-in file that overrides the Exec property of
+ <filename class="devicefile">systemd-suspend.service</filename> so that
+ it invokes the script <command>cryptsetup-suspend-wrapper</command>.
+ </member>
+ </simplelist>
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="cryptsetup-suspend.see_also">
+ <title>SEE ALSO</title>
+ <simpara>
+ <emphasis>cryptsetup</emphasis>(8), <emphasis>crypttab</emphasis>(5)
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="cryptsetup-suspend.author">
+ <title>AUTHOR</title><simpara>This manual page was written by Jonas Meurer
+ &lt;jonas@freesources.org&gt; in December 2019.
+ </simpara>
+ </refsect1>
+
+</refentry>
diff --git a/debian/doc/crypttab.xml b/debian/doc/crypttab.xml
new file mode 100644
index 0000000..c6077a7
--- /dev/null
+++ b/debian/doc/crypttab.xml
@@ -0,0 +1,772 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
+
+<refentry id="file.crypttab">
+
+ <xi:include href="variables.xml"
+ xpointer="xpointer(/refentry/refentryinfo)"
+ xmlns:xi="http://www.w3.org/2001/XInclude"/>
+
+ <refmeta>
+ <refentrytitle>crypttab</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <xi:include href="variables.xml"
+ xpointer="xpointer(/refentry/refmeta/*)"
+ xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ </refmeta>
+
+ <refnamediv>
+ <refname>crypttab</refname>
+ <refpurpose>static information about encrypted filesystems</refpurpose>
+ </refnamediv>
+
+ <refsect1 id="crypttab.description">
+ <title>DESCRIPTION</title>
+ <simpara>
+ The file <filename>/etc/crypttab</filename> contains descriptive
+ information about encrypted devices. <filename>crypttab</filename>
+ is only read by programs (e.g.
+ <command moreinfo="refentry">cryptdisks_start</command> and
+ <command moreinfo="refentry">cryptdisks_stop</command>),
+ and not written; it is the duty of the system
+ administrator to properly create and maintain this file.
+ <filename>crypttab</filename> entries are treated sequentially, so their
+ order matters (dependencies need to listed first).
+ </simpara>
+ <simpara>
+ Each encrypted device is described on a separate line. Fields on each line
+ are separated by tabs or spaces. Lines starting with '#' are comments, and blank
+ lines are ignored.
+ Octal sequences <code>\0</code><emphasis>num</emphasis> within a field are
+ decoded, which can be used for values containing spaces or special characters.
+ A backslash which doesn't start an octal sequence yields undefined behavior.
+ </simpara>
+ <simpara>
+ The first field, <emphasis>target</emphasis>, describes the mapped
+ device name. It must be a plain filename without any directory components.
+ A mapped device which encrypts/decrypts data to/from the <emphasis>source
+ device</emphasis> will be created at
+ <filename class="devicefile">/dev/mapper/target</filename> by
+ <command moreinfo="refentry">cryptsetup</command>.
+ </simpara>
+ <simpara>
+ The second field, <emphasis>source device</emphasis>, describes either the
+ block special device or file that contains the encrypted data. Instead of
+ giving the <emphasis>source device</emphasis> explicitly, the UUID
+ (resp. LABEL, PARTUUID and PARTLABEL) is supported as well, using <quote>UUID=&lt;uuid&gt;</quote>
+ (resp. <quote>LABEL=&lt;label&gt;</quote>, <quote>PARTUUID=&lt;partuuid&gt;</quote>
+ and <quote>PARTLABEL=&lt;partlabel&gt;</quote>).
+ </simpara>
+ <simpara>
+ The third field, <emphasis>key file</emphasis>, describes the file to use
+ as a key for decrypting the data of the <emphasis>source device</emphasis>.
+ In case of a <emphasis>keyscript</emphasis>, the value of this field is
+ given as argument to the keyscript.
+ Note that the <emphasis>entire</emphasis> key file will be used as the
+ passphrase; the passphrase must <emphasis>not</emphasis> be followed by a
+ newline character.
+ </simpara>
+ <simpara>
+ It can also be a device name (e.g.
+ <filename class="devicefile">/dev/urandom</filename>), note however that
+ LUKS requires a persistent key and therefore does <emphasis>not</emphasis>
+ support random data keys.
+ </simpara>
+ <simpara>
+ If the <emphasis>key file</emphasis> is the string
+ <emphasis>none</emphasis>, a passphrase will be read interactively from the
+ console. In this case, the options check, checkargs and tries may be
+ useful.
+ </simpara>
+ <simpara>
+ The fourth field, <emphasis>options</emphasis>, is an optional comma-separated
+ list of options and/or flags describing the device type (<emphasis>luks</emphasis>,
+ <emphasis>tcrypt</emphasis>, <emphasis>bitlk</emphasis>, <emphasis>fvault2</emphasis>,
+ or <emphasis>plain</emphasis> which is also the default) and cryptsetup options
+ associated with the encryption process.
+ The supported options are described below.
+ For plain dm-crypt devices the <emphasis>cipher</emphasis>, <emphasis>hash</emphasis>
+ and <emphasis>size</emphasis> options are required.
+ Some options can be changed on active mappings using
+ <command>cryptsetup refresh [&lt;options&gt;] &lt;name&gt;</command>.
+ Furthermore some options can be permanently written into metadata of LUKS2
+ headers using cryptsetup's <emphasis>--persistent</emphasis> flag.
+ </simpara>
+ <simpara>
+ Note that the first three fields are required and that a missing field will lead
+ to unspecified behaviour.
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="crypttab.implementations">
+ <title>ON DIFFERENT CRYPTTAB FORMATS</title>
+ <simpara>
+ Please note that there are several independent cryptsetup wrappers with
+ their own <emphasis>crypttab</emphasis> format. This manpage covers
+ Debian's implementation for <emphasis>initramfs</emphasis> scripts and
+ <emphasis>SysVinit</emphasis> init scripts. <emphasis>systemd</emphasis>
+ brings its own <emphasis>crypttab</emphasis> implementation.
+ We try to cover the differences between the <emphasis>systemd</emphasis> and
+ our implementation in this manpage, but if in doubt, better check the
+ <emphasis>systemd</emphasis>
+ <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ manpage, e.g. online at
+ <ulink url="https://www.freedesktop.org/software/systemd/man/crypttab.html"/>.
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="crypttab.options">
+ <title>OPTIONS</title>
+ <variablelist>
+
+ <varlistentry>
+ <term><emphasis>cipher</emphasis>=&lt;cipher&gt;</term>
+ <listitem>
+ <simpara>
+ Encryption algorithm (ignored for LUKS and TCRYPT devices). See
+ <command>cryptsetup -c</command>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>size</emphasis>=&lt;size&gt;</term>
+ <listitem>
+ <simpara>
+ Encryption key size (ignored for LUKS and TCRYPT devices). See
+ <command>cryptsetup -s</command>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>sector-size</emphasis>=&lt;bytes&gt;</term>
+ <listitem>
+ <simpara>
+ Sector size. See
+ <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for possible values and the default value of this option.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>hash</emphasis>=&lt;hash&gt;</term>
+ <listitem>
+ <simpara>
+ Hash algorithm (ignored for LUKS and TCRYPT devices). See
+ <command>cryptsetup -h</command>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>offset</emphasis>=&lt;offset&gt;</term>
+ <listitem>
+ <simpara>
+ Start offset (ignored for LUKS and TCRYPT devices). Uses
+ <emphasis role="strong">cryptsetup -o</emphasis>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>skip</emphasis>=&lt;skip&gt;</term>
+ <listitem>
+ <simpara>
+ Skip sectors at the beginning (ignored for LUKS and TCRYPT devices).
+ Uses <emphasis role="strong">cryptsetup -p</emphasis>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>keyfile-offset</emphasis>=&lt;keyfile-offset&gt;</term>
+ <listitem>
+ <simpara>
+ Specifies the number of bytes to skip at the start of the key file.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>keyfile-size</emphasis>=&lt;keyfile-size&gt;</term>
+ <listitem>
+ <simpara>
+ Specifies the maximum number of bytes to read from the key file.
+ The default is to read the whole file up to the compiled-in maximum,
+ that can be queried with <emphasis role="strong">cryptsetup --help</emphasis>.
+ This option is ignored for plain dm-crypt devices, as the key file
+ size is then given by the encryption key size (option
+ <emphasis>size</emphasis>).
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>keyslot</emphasis>=&lt;slot&gt;, <emphasis>key-slot</emphasis>=&lt;slot&gt;</term>
+ <listitem>
+ <simpara>
+ Key slot (ignored for non-LUKS devices). See <command>cryptsetup
+ -S</command>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>header</emphasis>=&lt;path&gt;</term>
+ <listitem>
+ <simpara>
+ Detached header file (ignored for plain dm-crypt devices). See
+ <command>cryptsetup --header</command>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>verify</emphasis></term>
+ <listitem>
+ <simpara>
+ Verify password. Uses <emphasis role="strong">cryptsetup -y</emphasis>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>readonly</emphasis>, <emphasis>read-only</emphasis></term>
+ <listitem>
+ <simpara>Set up a read-only mapping.</simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>tries</emphasis>=&lt;num&gt;</term>
+ <listitem>
+ <simpara>Try to unlock the device &lt;num&gt; before failing. It's
+ particularly useful when using a passphrase or a
+ <emphasis>keyscript</emphasis> that asks for interactive input. If you
+ want to disable retries, pass <quote>tries=1</quote>. Default is
+ <quote>3</quote>. Setting <quote>tries=0</quote> means infinitive
+ retries.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>discard</emphasis></term>
+ <listitem>
+ <simpara>Allow using of discards (TRIM) requests for device.</simpara>
+ <simpara>Starting with Debian 10 (Buster), this option is added per
+ default to new dm-crypt devices by the Debian Installer. If you
+ don't care about leaking access patterns (filesystem type, used
+ space) and don't have hidden truecrypt volumes inside this volume,
+ then it should be safe to enable this option. See the following
+ warning for further information.</simpara>
+ <simpara><emphasis role="strong">WARNING</emphasis>: Assess the
+ specific security risks carefully before enabling this option.
+ For example, allowing discards on encrypted devices may lead to
+ the leak of information about the ciphertext device (filesystem
+ type, used space etc.) if the discarded blocks can be located
+ easily on the device later.</simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>luks</emphasis></term>
+ <listitem>
+ <simpara>Force LUKS mode. When this mode is used, the following options
+ are ignored since they are provided by the LUKS header on the device:
+ <emphasis>cipher=</emphasis>, <emphasis>hash=</emphasis>,
+ <emphasis>size=</emphasis></simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>plain</emphasis></term>
+ <listitem>
+ <simpara>Force plain encryption mode.</simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>bitlk</emphasis></term>
+ <listitem>
+ <simpara>
+ Force BITLK (Windows BitLocker-compatible) mode.
+ WARNING: <emphasis>crypttab</emphasis> support is currently experimental.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>fvault2</emphasis></term>
+ <listitem>
+ <simpara>
+ Force Apple's FileVault2 mode.
+ Only the (legacy) FileVault2 format based on Core Storage and HFS+
+ filesystem (introduced in MacOS X 10.7 Lion) is currently supported;
+ the new version of FileVault based on the APFS filesystem used in
+ recent macOS versions is not supported.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>tcrypt</emphasis></term>
+ <listitem>
+ <simpara>Use TrueCrypt encryption mode. When this mode is used, the
+ following options are ignored since they are provided by the TrueCrypt
+ header on the device or do not apply: <emphasis>cipher=</emphasis>,
+ <emphasis>hash=</emphasis>, <emphasis>keyfile-offset=</emphasis>,
+ <emphasis>keyfile-size=</emphasis>, <emphasis>size=</emphasis></simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>veracrypt</emphasis>, <emphasis>tcrypt-veracrypt</emphasis></term>
+ <listitem>
+ <simpara>
+ Use VeraCrypt extension to TrueCrypt device. Only useful in
+ conjunction with <emphasis>tcrypt</emphasis> option (ignored for
+ non-TrueCrypt devices).
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>tcrypthidden</emphasis>, <emphasis>tcrypt-hidden</emphasis></term>
+ <listitem>
+ <simpara>
+ Use hidden TCRYPT header (ignored for non-TCRYPT devices).
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>same-cpu-crypt</emphasis></term>
+ <listitem>
+ <simpara>
+ Perform encryption using the same cpu that IO was submitted on.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>submit-from-crypt-cpus</emphasis></term>
+ <listitem>
+ <simpara>
+ Disable offloading writes to a separate thread after encryption.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>no-read-workqueue</emphasis>, <emphasis>no-write-workqueue</emphasis></term>
+ <listitem>
+ <simpara>
+ Bypass dm-crypt internal workqueue and process read or write requests synchronously.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>swap</emphasis></term>
+ <listitem>
+ <simpara>
+ Run <command moreinfo="refentry">mkswap</command> on the created device.
+ </simpara>
+ <simpara>
+ This option is ignored for <emphasis>initramfs</emphasis> devices.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>tmp</emphasis>[=&lt;tmpfs&gt;]</term>
+ <listitem>
+ <simpara>
+ Run <command moreinfo="refentry">mkfs</command> with filesystem type
+ &lt;tmpfs&gt; (or ext4 if omitted) on the created device.
+ </simpara>
+ <simpara>
+ This option is ignored for <emphasis>initramfs</emphasis> devices.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>check</emphasis>[=&lt;check&gt;]</term>
+ <listitem>
+ <simpara>Check the content of the target device by a suitable program; if
+ the check fails, the device is closed immediately. The program is being
+ run with decrypted volume (target device) as first positional argument and,
+ if the <emphasis>checkargs</emphasis> option is used, its value as second
+ argument. See the CHECKSCRIPTS section for more information.
+ </simpara>
+ <simpara>The program is either specified by full path or relative to
+ <filename class="directory">/lib/cryptsetup/checks/</filename>.
+ If omitted, then the value of $CRYPTDISKS_CHECK set in
+ <filename>/etc/default/cryptdisks</filename> is used
+ (<filename>blkid</filename> by default).
+ </simpara>
+ <simpara>
+ This option is specific to the Debian <emphasis>crypttab</emphasis>
+ format. It's not supported by <emphasis>systemd</emphasis>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>checkargs</emphasis>=&lt;arguments&gt;</term>
+ <listitem>
+ <simpara>Give &lt;arguments&gt; as the second argument to the check
+ script. See the CHECKSCRIPTS section for more information.
+ </simpara>
+ </listitem>
+ <simpara>
+ This option is specific to the Debian <emphasis>crypttab</emphasis>
+ format. It's not supported by <emphasis>systemd</emphasis>.
+ </simpara>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>initramfs</emphasis></term>
+ <listitem>
+ <simpara>The initramfs hook processes the root device, any resume devices
+ and any devices with the <emphasis>initramfs</emphasis> option set. These
+ devices are processed within the initramfs stage of boot. As an example,
+ that allows the use of remote unlocking using dropbear.
+ </simpara>
+ <simpara>
+ This option is specific to the Debian <emphasis>crypttab</emphasis>
+ format. It's not supported by <emphasis>systemd</emphasis>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>noearly</emphasis></term>
+ <listitem>
+ <simpara>The cryptsetup init scripts are invoked twice during the boot
+ process - once before lvm, raid, etc. are started and once again after
+ that. Sometimes you need to start your encrypted disks in a special
+ order. With this option the device is ignored during the first invocation
+ of the cryptsetup init scripts.
+ </simpara>
+ <simpara>
+ This option is ignored for <emphasis>initramfs</emphasis> devices and
+ specific to the Debian <emphasis>crypttab</emphasis> format. It's not
+ supported by <emphasis>systemd</emphasis>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>noauto</emphasis></term>
+ <listitem>
+ <simpara>Entirely ignore the device at the boot process. It's still
+ possible to map the device manually using cryptdisks_start.
+ </simpara>
+ <simpara>
+ This option is ignored for <emphasis>initramfs</emphasis> devices and
+ specific to the Debian <emphasis>crypttab</emphasis> format. It's not
+ supported by <emphasis>systemd</emphasis>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>loud</emphasis></term>
+ <listitem>
+ <simpara>Be loud. Print warnings if a device does not exist.
+ This option overrides the option <emphasis>quiet</emphasis>.</simpara>
+ <simpara>
+ This option is ignored for <emphasis>initramfs</emphasis> devices and
+ specific to the Debian <emphasis>crypttab</emphasis> format. It's not
+ supported by <emphasis>systemd</emphasis>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>quiet</emphasis></term>
+ <listitem>
+ <simpara>Be quiet. Don't print warnings if a device does not exist.
+ This option overrides the option <emphasis>loud</emphasis>.</simpara>
+ <simpara>
+ This option is ignored for <emphasis>initramfs</emphasis> devices and
+ specific to the Debian <emphasis>crypttab</emphasis> format. It's not
+ supported by <emphasis>systemd</emphasis>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>keyscript</emphasis>=&lt;path&gt;</term>
+ <listitem>
+ <simpara>
+ The executable at the indicated path is executed with the value of the
+ <emphasis>third field</emphasis> as only argument. The keyscript's standard
+ output is passed to cryptsetup as decyption key. Its exit status is currently
+ ignored, but no assumption should be made in that regard.
+ When used in initramfs, the executable either needs to be self-contained
+ (i.e. doesn't rely on any external program which is not present in the
+ initramfs environment) or the dependencies have to added to the initramfs
+ image by other means.
+ The program is either specified by full path or relative to
+ <filename class="directory">/lib/cryptsetup/scripts/</filename>.
+ </simpara>
+ <simpara>
+ LIMITATIONS: All binaries and files on which the keyscript depends must
+ be available at the time of execution. Special care needs to be taken for
+ encrypted filesystems like /usr or /var. As an example, unlocking
+ encrypted /usr must not depend on binaries from /usr/(s)bin.
+ </simpara>
+ <simpara>
+ This option is specific to the Debian <emphasis>crypttab</emphasis>
+ format. It's not supported by <emphasis>systemd</emphasis>.
+ </simpara>
+ <simpara>
+ WARNING: With systemd as init system, this option might be ignored. At
+ the time this is written (December 2016), the systemd cryptsetup helper
+ doesn't support the keyscript option to /etc/crypttab. For the time
+ being, the only option to use keyscripts along with systemd is to force
+ processing of the corresponding crypto devices in the initramfs. See the
+ 'initramfs' option for further information.
+ </simpara>
+ <para>
+ All fields of the appropriate crypttab entry are available to the
+ keyscript as exported environment variables:
+ <variablelist>
+
+ <varlistentry>
+ <term>CRYPTTAB_NAME, _CRYPTTAB_NAME</term>
+ <listitem><para>
+ The target name (after resp. before octal sequence decoding).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>CRYPTTAB_SOURCE, _CRYPTTAB_SOURCE</term>
+ <listitem><para>
+ The source device (after resp. before octal sequence decoding and device resolution).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>CRYPTTAB_KEY, _CRYPTTAB_KEY</term>
+ <listitem><para>
+ The value of the third field (after resp. before octal sequence decoding).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>CRYPTTAB_OPTIONS, _CRYPTTAB_OPTIONS</term>
+ <listitem><para>
+ A list of exported crypttab options (after resp. before octal sequence decoding).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>CRYPTTAB_OPTION_&lt;option&gt;</term>
+ <listitem><para>
+ The value of the appropriate crypttab option, with value set to 'yes'
+ in case the option is merely a flag.
+ For option aliases, such as 'readonly' and 'read-only', the
+ variable name refers to the first alternative listed (thus
+ 'CRYPTTAB_OPTION_readonly' in that case).
+ If the crypttab option name contains '-' characters, then they
+ are replaced with '_' in the exported variable name. For
+ instance, the value of the 'CRYPTTAB_OPTION_keyfile_offset'
+ environment variable is set to the value of the
+ 'keyfile-offset' crypttab option.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>CRYPTTAB_TRIED</term>
+ <listitem><para>
+ Number of previous tries since start of cryptdisks (counts until
+ maximum number of tries is reached).
+ </para></listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="crypttab.checkscripts">
+ <title>CHECKSCRIPTS</title>
+ <variablelist>
+
+ <varlistentry>
+ <term><emphasis>blkid</emphasis></term>
+ <listitem>
+ <simpara>Checks for any known filesystem. Supports a filesystem type as
+ argument via &lt;checkargs&gt;:
+ </simpara>
+ <itemizedlist>
+ <listitem><para>
+ no checkargs - succeeds if any valid filesystem is found on the device.
+ </para></listitem>
+ <listitem><para>
+ "none" - succeeds if no valid filesystem is found on the device.
+ </para></listitem>
+ <listitem><para>
+ "ext4" [or another filesystem type like xfs, swap, crypto_LUKS, ...] -
+ succeeds if ext4 filesystem is found on the device.
+ </para></listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>un_blkid</emphasis></term>
+ <listitem>
+ <simpara>Checks for no known filesystem. Supports a filesystem type as
+ argument via &lt;checkargs&gt;:
+ </simpara>
+ <itemizedlist>
+ <listitem><para>
+ no checkargs - succeeds if no valid filesystem is found on the device.
+ </para></listitem>
+ <listitem><para>
+ "ext4" [or another filesystem type like xfs, swap, crypto_LUKS, ...] -
+ succeeds if no ext4 filesystem is found on the device.
+ </para></listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="crypttab.examples">
+ <title>EXAMPLES</title>
+ <para>
+ <screen>
+# Encrypted swap device
+cswap /dev/sda6 /dev/urandom plain,cipher=aes-xts-plain64,size=256,hash=sha1,swap
+
+# Encrypted LUKS disk with interactive password, identified by its UUID, discard enabled
+cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks,discard
+
+# Encrypted TCRYPT disk with interactive password, discard enabled
+tdisk0 /dev/sr0 none tcrypt,discard
+
+# Encrypted ext4 disk with interactive password, discard enabled
+# - retry 5 times if the check fails
+cdisk1 /dev/sda2 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check,checkargs=ext4,tries=5,discard
+
+# Encrypted disk with interactive password, discard enabled
+# - use a nondefault check script
+# - no retries
+cdisk2 /dev/sdc1 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check=customscript,tries=1,discard
+
+# Encrypted disk with interactive password, discard enabled
+# - Twofish as the cipher, RIPEMD-160 as the hash
+cdisk3 /dev/sda3 none plain,cipher=twofish,size=256,hash=ripemd160,discard
+ </screen>
+ </para>
+ </refsect1>
+
+ <refsect1 id="crypttab.environment">
+ <title>ENVIRONMENT</title>
+ <variablelist>
+
+ <varlistentry>
+ <term><emphasis>CRYPTDISKS_ENABLE</emphasis></term>
+ <listitem>
+ <simpara>
+ Set to <emphasis>yes</emphasis> to run cryptdisks initscripts at startup.
+ Set to <emphasis>no</emphasis> to disable cryptdisks initscripts. Default
+ is <emphasis>yes</emphasis>.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>CRYPTDISKS_MOUNT</emphasis></term>
+ <listitem>
+ <simpara>Specifies the mountpoints that are mounted before cryptdisks is
+ invoked. Takes mountpoints configured in /etc/fstab as arguments. Separate
+ mountpoints by space.
+ This is useful for keys on removable devices, such as cdrom, usbstick,
+ flashcard, etc. Default is unset.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis>CRYPTDISKS_CHECK</emphasis></term>
+ <listitem>
+ <simpara>Specifies the default checkscript to be run against the target
+ device, after cryptdisks has been invoked. The target device is passed as
+ the first and only argument to the checkscript. Takes effect if the
+ <emphasis>check</emphasis> option is given in crypttab with no value. See
+ documentation for <emphasis>check</emphasis> option above for more
+ information.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="crypttab.known_upgrade_issues">
+ <title>KNOWN UPGRADE ISSUES</title>
+ <simpara>
+ The upstream defaults for encryption cipher, hash and keysize have changed
+ several times in the past, and they're expected to change again in future,
+ for example if security issues arise.
+
+ On LUKS devices, the used settings are stored in the LUKS header, and thus
+ don't need to be configured in <filename>/etc/crypttab</filename>. For plain
+ dm-crypt devices, no information about used cipher, hash and keysize are
+ available at all.
+
+ Therefore we strongly suggest to configure the cipher, hash and keysize in
+ <filename>/etc/crypttab</filename> for plain dm-crypt devices, even if they
+ match the current default.
+ </simpara>
+ </refsect1>
+
+ <refsect1 id="crypttab.see_also">
+ <title>SEE ALSO</title>
+ <simplelist type="inline">
+ <member><command moreinfo="refentry">cryptsetup</command>(8)</member>
+ <member><command moreinfo="refentry">cryptdisks_start</command>(8)</member>
+ <member><command moreinfo="refentry">cryptdisks_stop</command>(8)</member>
+ <member><filename>/usr/share/doc/cryptsetup-initramfs/README.initramfs.gz</filename></member>
+ </simplelist>
+ </refsect1>
+
+ <refsect1 id="crypttab.author">
+ <title>AUTHOR</title>
+ <simpara>
+ This manual page was originally written by
+ <author>
+ <firstname>Bastian</firstname>
+ <surname>Kleineidam</surname>
+ </author>
+ <email>calvin@debian.org</email>
+ for the Debian distribution of cryptsetup. It has been further improved by
+ <author>
+ <firstname>Michael</firstname>
+ <surname>Gebetsroither</surname>
+ </author>
+ <email>michael.geb@gmx.at</email>,
+ <author>
+ <firstname>David</firstname>
+ <surname>Härdeman</surname>
+ </author>
+ <email>david@hardeman.nu</email>
+ and
+ <author>
+ <firstname>Jonas</firstname>
+ <surname>Meurer</surname>
+ </author>
+ <email>jonas@freesources.org</email>.
+ </simpara>
+ </refsect1>
+
+</refentry>
diff --git a/debian/doc/manpages.xml b/debian/doc/manpages.xml
new file mode 100644
index 0000000..4bd59bc
--- /dev/null
+++ b/debian/doc/manpages.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
+
+<reference>
+ <title>Manual Pages</title>
+ <xi:include href="cryptdisks_start.xml" xpointer="command.cryptdisks_start" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ <xi:include href="cryptdisks_stop.xml" xpointer="command.cryptdisks_stop" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ <xi:include href="cryptsetup-suspend.xml" xpointer="overview.cryptsetup-suspend" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ <xi:include href="crypttab.xml" xpointer="file.crypttab" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+</reference>
diff --git a/debian/doc/pandoc/encrypted-boot.md b/debian/doc/pandoc/encrypted-boot.md
new file mode 100644
index 0000000..27d331b
--- /dev/null
+++ b/debian/doc/pandoc/encrypted-boot.md
@@ -0,0 +1,536 @@
+% Full disk encryption, including `/boot`: Unlocking LUKS devices from GRUB
+
+Introduction
+============
+
+So called “full disk encryption” is often a misnomer, because there is
+typically a separate plaintext partition holding `/boot`. For instance
+the Debian Installer does this in its “encrypted LVM” partitioning method.
+Since not all bootloaders are able to unlock LUKS devices, a plaintext
+`/boot` is the only solution that works for all of them.
+
+However, GRUB2 is (since Jessie) able to unlock LUKS devices with its
+[`cryptomount`](https://www.gnu.org/software/grub/manual/grub/html_node/cryptomount.html)
+command, which therefore enables encryption of the `/boot` partition as
+well: using that feature reduces the amount of plaintext data written to
+disk. It is especially interesting when GRUB is installed to a read-only
+media, for instance as [coreboot payload](https://doc.coreboot.org/payloads.html#grub2)
+flashed to a write-protected chip. On the other hand, it is *incompatible*
+with some other features that only enabled later at initramfs stage, such
+as splash screens or remote unlocking.
+
+Since enabling unlocking LUKS devices from GRUB [isn't exposed to the d-i
+interface](https://bugs.debian.org/814798) (as of Buster), people have
+come up with various custom workarounds. But as of Buster [`cryptsetup`(8)]
+defaults to a new [LUKS header format version](https://gitlab.com/cryptsetup/LUKS2-docs),
+which isn't supported by GRUB as of 2.04. **Hence the pre-Buster
+workarounds won't work anymore**. Until LUKS *version 2* support is
+[added to GRUB2](https://savannah.gnu.org/bugs/?55093), the device(s)
+holding `/boot` needs to be in *LUKS format version 1* to be unlocked from
+the boot loader.
+
+This document describes a generic way to unlock LUKS devices from GRUB
+for Debian Buster.
+
+
+Encrypting the device holding `/boot`
+=====================================
+
+There are two alternatives here:
+
+ * Either format an existing `/boot` partition to LUKS1; or
+ * Move `/boot` to the root file system. The root device(s) needs to
+ use LUKS version 1, but existing LUKS2 devices can be *converted*
+ (in-place) to LUKS1.
+
+These two alternatives are described in the two following sub-sections.
+
+We assume the system resides on a single drive `/dev/sda`, partitioned
+with d-i's “encrypted LVM” scheme:
+
+ root@debian:~# lsblk -o NAME,FSTYPE,MOUNTPOINT /dev/sda
+ NAME FSTYPE MOUNTPOINT
+ sda
+ ├─sda1 ext2 /boot
+ ├─sda2
+ └─sda5 crypto_LUKS
+ └─sda5_crypt LVM2_member
+ ├─debian--vg-root ext4 /
+ └─debian--vg-swap_1 swap [SWAP]
+
+*Note*: The partition layout of your system may differ.
+
+
+Formatting the existing `/boot` partition to LUKS1
+--------------------------------------------------
+
+Since the installer creates a separate (plaintext) `/boot` partition by
+default in its “encrypted LVM” partitioning method, the simplest
+solution is arguably to re-format it as LUKS1, especially if the root
+device is in LUKS2 format.
+
+That way other partitions, including the one holding the root file
+system, can remain in LUKS2 format and benefit from the *stronger
+security guaranties* and *convenience features* of the newer version:
+more secure (memory-hard) Key Derivation Function, backup header,
+ability to offload the volume key to the kernel keyring (thus preventing
+access from userspace), custom sector size, persistent flags, unattended
+unlocking via kernel keyring tokens, etc.
+
+Furthermore every command in this sub-section can be run from the main
+system: no need to reboot into a live CD or an initramfs shell.
+
+ 1. Before copying content of the `/boot` directory, remount it read-only
+ to make sure data is not modified while it's being copied.
+
+ root@debian:~# mount -oremount,ro /boot
+
+ 2. Archive the directory elsewhere (on another device), and unmount it
+ afterwards.
+
+ root@debian:~# install -m0600 /dev/null /tmp/boot.tar
+ <!-- -->
+ root@debian:~# tar -C /boot --acls --xattrs --one-file-system -cf /tmp/boot.tar .
+ <!-- -->
+ root@debian:~# umount /boot
+
+ (If `/boot` has sub-mountpoints, like `/boot/efi`, you'll need to
+ unmount them as well.)
+
+ 3. Optionally, wipe out the underlying block device (assumed to be
+ `/dev/sda1` in the rest of this sub-section).
+
+ root@debian:~# dd if=/dev/urandom of=/dev/sda1 bs=1M status=none
+ dd: error writing '/dev/sda1': No space left on device
+
+ 4. Format the underlying block device to LUKS1. (Note the `--type luks1`
+ in the command below, as Buster's [`cryptsetup`(8)] defaults to LUKS
+ version 2 for `luksFormat`.)
+
+ root@debian:~# cryptsetup luksFormat --type luks1 /dev/sda1
+
+ WARNING!
+ ========
+ This will overwrite data on /dev/sda1 irrevocably.
+
+ Are you sure? (Type uppercase yes): YES
+ Enter passphrase for /dev/sda1:
+ Verify passphrase:
+
+ 5. Add a corresponding entry to [`crypttab`(5)] with mapped device name
+ `boot_crypt`, and open it afterwards.
+
+ root@debian:~# uuid="$(blkid -o value -s UUID /dev/sda1)"
+ <!-- -->
+ root@debian:~# echo "boot_crypt UUID=$uuid none luks" | tee -a /etc/crypttab
+ <!-- -->
+ root@debian:~# cryptdisks_start boot_crypt
+ Starting crypto disk...boot_crypt (starting)...
+ Please unlock disk boot_crypt: ********
+ boot_crypt (started)...done.
+
+ 6. Create a file system on the mapped device. Assuming source device for
+ `/boot` is specified by its UUID in the [`fstab`(5)] -- which the
+ Debian Installer does by default -- reusing the old UUID avoids
+ editing the file.
+
+ root@debian:~# grep /boot /etc/fstab
+ # /boot was on /dev/sda1 during installation
+ UUID=c104749f-a0fa-406c-9e9a-3fc01f8e2f78 /boot ext2 defaults 0 2
+ <!-- -->
+ root@debian:~# mkfs.ext2 -m0 -U c104749f-a0fa-406c-9e9a-3fc01f8e2f78 /dev/mapper/boot_crypt
+ mke2fs 1.44.5 (15-Dec-2018)
+ Creating filesystem with 246784 1k blocks and 61752 inodes
+ Filesystem UUID: c104749f-a0fa-406c-9e9a-3fc01f8e2f78
+ […]
+
+ 7. Finally, mount `/boot` again from [`fstab`(5)], and copy the saved
+ tarball to the new (and now encrypted) file system.
+
+ root@debian:~# mount -v /boot
+ mount: /dev/mapper/boot_crypt mounted on /boot.
+ <!-- -->
+ root@debian:~# tar -C /boot --acls --xattrs -xf /tmp/boot.tar
+
+ (If `/boot` had sub-mountpoints, like `/boot/efi`, you'll need to
+ mount them back as well.)
+
+You can skip the next sub-section and go directly to [Enabling
+`cryptomount` in GRUB2]. Note that `init`(1) needs to unlock the
+`/boot` partition *again* during the boot process. See [Avoiding the
+extra password prompt] for details and a proposed workaround. (You'll
+need to substitute `/` resp. `sda5` with `/boot` resp. `sda1` in that
+section, however only steps 1-3 are relevant here: no need to copy the
+key file to the initramfs image since `/boot` can be unlocked and
+mounted later during the boot process.)
+
+
+Moving `/boot` to the root file system
+--------------------------------------
+
+The [previous sub-section][Formatting the existing `/boot` partition to LUKS1]
+described how to to re-format the `/boot` partition as LUKS1.
+Alternatively, it can be moved to the root file system, assuming the
+latter is not held by any LUKS2 device. (As shown below, LUKS2 devices
+created with default parameters can be “downgraded” to LUKS1.)
+
+The advantage of this method is that the original `/boot` partition can
+be preserved and used in case of *disaster recovery* (if for some reason
+the GRUB image is lacking the `cryptodisk` module and the original
+plaintext `/boot` partition is lost, you'd need to reboot into a live CD
+to recover). Moreover increasing the number of partitions *increases
+usage pattern visibility*: a separate `/boot` partition, even encrypted,
+will likely leak the fact that a kernel update took place to an attacker
+with access to both pre- and post-update snapshots.
+
+On the other hand, the downside of that method is that the root file
+system can't benefit from the nice LUKS2 improvements over LUKS1, some
+of which were listed above. Another (minor) downside is that space
+occupied by the former `/boot` partition (typically 256MiB) becomes
+unused and can't easily be reclaimed by the root file system.
+
+### Downgrading LUKS2 to LUKS1 ###
+
+Check the LUKS format version on the root device (assumed to be
+`/dev/sda5` in the rest of this sub-section):
+
+ root@debian:~# cryptsetup luksDump /dev/sda5 | grep -A1 "^LUKS"
+ LUKS header information
+ Version: 2
+
+Here the LUKS format version is 2, so the device needs to be *converted*
+to LUKS *version 1* to be able to unlock from GRUB. Unlike the rest of
+this document, conversion can't be done on an open device, so you'll
+need reboot into a live CD or an [initramfs shell]. (The `(initramfs)`
+prompt strings in this sub-section indicates commands that are executed
+from an initramfs shell.) Also, if you have valuable data in the root
+partition, then *make sure you have a backup* (at least of the LUKS
+header)!
+
+[initramfs shell]: https://wiki.debian.org/InitramfsDebug#Rescue_shell_.28also_known_as_initramfs_shell.29
+
+Run `cryptsetup convert --type luks1 DEVICE` to downgrade. However if
+the device was created with the default parameters then in-place
+conversion will fail:
+
+ (initramfs) cryptsetup convert --type luks1 /dev/sda5
+
+ WARNING!
+ ========
+ This operation will convert /dev/sda5 to LUKS1 format.
+
+
+ Are you sure? (Type uppercase yes): YES
+ Cannot convert to LUKS1 format - keyslot 0 is not LUKS1 compatible.
+
+This is because its first key slot uses Argon2 as Password-Based Key
+Derivation Function (PBKDF) algorithm:
+
+ (initramfs) cryptsetup luksDump /dev/sda5 | grep "PBKDF:"
+ PBKDF: argon2i
+
+Argon2 is a *memory-hard* function that was selected as the winner of
+the Password-Hashing Competition; LUKS2 devices use it by default for
+key slots, but LUKS1's only supported PBKDF algorithm is PBKDF2. Hence
+the key slot has to be converted to PBKDF2 prior to LUKS format version
+downgrade.
+
+ (initramfs) cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sda5
+ Enter passphrase for keyslot to be converted:
+
+Now that all key slots use the PBKDF2 algorithm, the device shouldn't
+have any LUKS2-only features left, and can be converted to LUKS1.
+
+ (initramfs) cryptsetup luksDump /dev/sda5 | grep "PBKDF:"
+ PBKDF: pbkdf2
+<!-- -->
+ (initramfs) cryptsetup convert --type luks1 /dev/sda5
+
+ WARNING!
+ ========
+ This operation will convert /dev/sda5 to LUKS1 format.
+
+
+ Are you sure? (Type uppercase yes): YES
+<!-- -->
+ (initramfs) cryptsetup luksDump /dev/sda5 | grep -A1 "^LUKS"
+ LUKS header information
+
+### Moving `/boot` to the root file system ###
+
+(The moving operation can be done from the normal system. No need to
+reboot into a live CD or an initramfs shell if the root file system
+resides in a LUKS1 device.)
+
+ 1. To ensure data is not modified while it's being copied, remount
+ `/boot` read-only.
+
+ root@debian:~# mount -oremount,ro /boot
+
+ 2. Recursively copy the directory to the root file system, and replace
+ the old `/boot` mountpoint with the new directory.
+
+ <!-- -->
+ root@debian:~# cp -axT /boot /boot.tmp
+ <!-- -->
+ root@debian:~# umount /boot
+ <!-- -->
+ root@debian:~# rmdir /boot
+ <!-- -->
+ root@debian:~# mv -T /boot.tmp /boot
+
+ (If `/boot` has sub-mountpoints, like `/boot/efi`, you'll need to
+ unmount them first, and then remount them once `/boot` has been
+ moved to the root file system.)
+
+ 3. Comment out the [`fstab`(5)] entry for the `/boot` mountpoint.
+ Otherwise at reboot `init`(1) will mount it and therefore shadow data
+ in the new `/boot` directory with data from the old plaintext
+ partition.
+
+ root@debian:~# grep /boot /etc/fstab
+ ## /boot was on /dev/sda1 during installation
+ #UUID=c104749f-a0fa-406c-9e9a-3fc01f8e2f78 /boot ext2 defaults 0 2
+
+
+Enabling `cryptomount` in GRUB2
+===============================
+
+Enable the feature and update the GRUB image:
+
+ root@debian:~# echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub
+<!-- -->
+ root@debian:~# update-grub
+<!-- -->
+ root@debian:~# grub-install /dev/sda
+
+If everything went well, `/boot/grub/grub.cfg` should contain `insmod
+cryptodisk` (and also `insmod lvm` if `/boot` is on a Logical Volume).
+
+*Note*: The PBKDF parameters are determined via benchmark upon key slot
+creation (or update). Thus they only makes sense if the environment in
+which the LUKS device is open matches (same CPU, same RAM size, etc.)
+the one in which it's been formatted. Unlocking from GRUB does count as
+an environment mismatch, because GRUB operates under tighter memory
+constraints and doesn't take advantage of all crypto-related CPU
+instructions. Concretely, that means unlocking a LUKS device from GRUB
+might take *a lot* longer than doing it from the normal system. Since
+GRUB's LUKS implementation isn't able to benchmark, you'll need to do it
+manually. It's easier for PBKDF2 as there is a single parameter to play
+with (iteration count) — while Argon2 has two (iteration count and
+memory) — and changing it affects the unlocking time linearly: for
+instance halving the iteration count would speed up unlocking by a
+factor of two. (And of course, making low entropy passphrases twice as
+easy to brute-force. There is a trade-off to be made here. Balancing
+convenience and security is the whole point of running PBKDF
+benchmarks.)
+
+ root@debian:~# cryptsetup luksDump /dev/sda1 | grep -B1 "Iterations:"
+ Key Slot 0: ENABLED
+ Iterations: 1000000
+<!-- -->
+ root@debian:~# cryptsetup luksChangeKey --pbkdf-force-iterations 500000 /dev/sda1
+ Enter passphrase to be changed:
+ Enter new passphrase:
+ Verify passphrase:
+
+(You can reuse the existing passphrase in the above prompts. Replace
+`/dev/sda1` with the LUKS1 volume holding `/boot`; in this document
+that's `/dev/sda1` if `/boot` resides on a separated encrypted
+partition, or `/dev/sda5` if `/boot` was moved to the root file system.)
+
+*Note*: `cryptomount` lacks an option to specify the key slot index to
+open. All active key slots are tried sequentially until a match is
+found. Running the PBKDF algorithm is a slow operation, so to speed up
+things you'll want the key slot to unlock at GRUB stage to be the first
+active one. Run the following command to discover its index.
+
+ root@debian:~# cryptsetup luksOpen --test-passphrase --verbose /dev/sda5
+ Enter passphrase for /dev/sda5:
+ Key slot 0 unlocked.
+ Command successful.
+
+
+Avoiding the extra password prompt
+==================================
+
+The device holding the kernel (and the initramfs image) is unlocked by
+GRUB, but the root device needs to be *unlocked again* at initramfs
+stage, regardless whether it's the same device or not. This is because
+GRUB boots with the given `vmlinuz` and initramfs images, but there is
+currently no way to securely pass cryptographic material (or Device
+Mapper information) to the kernel. Hence the Device Mapper table is
+initially empty at initramfs stage; in other words, all devices are
+locked, and the root device needs to be unlocked again.
+
+To avoid extra passphrase prompts at initramfs stage, a workaround is
+to *unlock via key files stored into the initramfs image*. Since the
+initramfs image now resides on an encrypted device, this still provides
+protection for data at rest. After all for LUK1 the volume key can
+already be found by userspace in the Device Mapper table, so one could
+argue that including key files to the initramfs image -- created with
+restrictive permissions -- doesn't change the threat model for LUKS1
+devices. Please note however that for LUKS2 the volume key is normally
+*offloaded to the kernel keyring* (hence no longer readable by
+userspace), while key files lying on disk are of course readable by
+userspace.
+
+ 1. Generate the shared secret (here with 512 bits of entropy as it's also
+ the size of the volume key) inside a new file.
+
+ root@debian:~# mkdir -m0700 /etc/keys
+ <!-- -->
+ root@debian:~# ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/root.key conv=excl,fsync )
+ 64+0 records in
+ 64+0 records out
+ 64 bytes copied, 0.000698363 s, 91.6 kB/s
+
+ 2. Create a new key slot with that key file.
+
+ root@debian:~# cryptsetup luksAddKey /dev/sda5 /etc/keys/root.key
+ Enter any existing passphrase:
+ <!-- -->
+ root@debian:~# cryptsetup luksDump /dev/sda5 | grep "^Key Slot"
+ Key Slot 0: ENABLED
+ Key Slot 1: ENABLED
+ Key Slot 2: DISABLED
+ Key Slot 3: DISABLED
+ Key Slot 4: DISABLED
+ Key Slot 5: DISABLED
+ Key Slot 6: DISABLED
+ Key Slot 7: DISABLED
+
+ 3. Edit the [`crypttab`(5)] and set the third column to the key file path
+ for the root device entry.
+
+ root@debian:~# cat /etc/crypttab
+ root_crypt UUID=… /etc/keys/root.key luks,discard,key-slot=1
+
+ The unlock logic normally runs the PBKDF algorithm through each key
+ slot sequentially until a match is found. Since the key file is
+ explicitly targeting the second key slot, its index is specified with
+ `key-slot=1` in the [`crypttab`(5)] to save useless expensive PBKDF
+ computations and *reduce boot time*.
+
+ 4. In `/etc/cryptsetup-initramfs/conf-hook`, set `KEYFILE_PATTERN` to a
+ `glob`(7) expanding to the key path names to include to the initramfs
+ image.
+
+ root@debian:~# echo "KEYFILE_PATTERN=\"/etc/keys/*.key\"" >>/etc/cryptsetup-initramfs/conf-hook
+
+ 5. In `/etc/initramfs-tools/initramfs.conf`, set `UMASK` to a restrictive
+ value to avoid leaking key material. See [`initramfs.conf`(5)] for
+ details.
+
+ root@debian:~# echo UMASK=0077 >>/etc/initramfs-tools/initramfs.conf
+
+ 6. Finally re-generate the initramfs image, and double-check that it
+ 1/ has restrictive permissions; and 2/ includes the key.
+
+ root@debian:~# update-initramfs -u
+ update-initramfs: Generating /boot/initrd.img-4.19.0-4-amd64
+ <!-- -->
+ root@debian:~# stat -L -c "%A %n" /initrd.img
+ -rw------- /initrd.img
+ <!-- -->
+ root@debian:~# lsinitramfs /initrd.img | grep "^cryptroot/keyfiles/"
+ cryptroot/keyfiles/root_crypt.key
+
+ (`cryptsetup-initramfs` normalises and renames key files inside the
+ initramfs, hence the new file name.)
+
+Should be safe to reboot now :-) If all went well you should see a
+single passphrase prompt.
+
+
+Using a custom keyboard layout
+==============================
+
+GRUB uses the US keyboard layout by default. Alternative layouts for
+the LUKS passphrase prompts can't be loaded from `/boot` or the root
+file system, as the underlying devices haven't been mapped yet at that
+stage. If you require another layout to type in your passphrase, then
+you'll need to manually generate the core image using
+[`grub-mkimage`(1)]. A possible solution is to embed a memdisk
+containing the keymap inside the core image.
+
+ 1. Create a memdisk (in GNU tar format) with the desired keymap, for
+ instance dvorak's. (The XKB keyboard layout and variant passed to
+ `grub-kbdcomp`(1) are described in the [`setxkbmap`(1)] manual.)
+
+ root@debian:~# memdisk="$(mktemp --tmpdir --directory)"
+ <!-- -->
+ root@debian:~# grub-kbdcomp -o "$memdisk/keymap.gkb" us dvorak
+ <!-- -->
+ root@debian:~# tar -C "$memdisk" -cf /boot/grub/memdisk.tar .
+
+ 2. Generate an early configuration file to embed inside the image.
+
+ root@debian:~# uuid="$(blkid -o value -s UUID /dev/sda1)"
+ <!-- -->
+ root@debian:~# cat >/etc/early-grub.cfg <<-EOF
+ terminal_input --append at_keyboard
+ keymap (memdisk)/keymap.gkb
+ cryptomount -u ${uuid//-/}
+
+ set root=(cryptouuid/${uuid//-/})
+ set prefix=/grub
+ configfile grub.cfg
+ EOF
+
+ *Note*: This is for the case of a separate `/boot` partition. If
+ `/boot` resides on the root file system, then replace `/dev/sda1`
+ with `/dev/sda5` (the LUKS device holding the root file system) and
+ set `prefix=/boot/grub`; if it's in a logical volume you'll also
+ [need to set][GRUB device syntax] `root=(lvm/DMNAME)`.
+
+ *Note*: You might need to remove the first line if you use a USB
+ keyboard, or tweak it if GRUB doesn't see any PC/AT keyboard among its
+ available terminal input devices. Start by specifing `terminal_input`
+ in an interactive GRUB shell in order to determine the suitable input
+ device. (Choosing an incorrect device might prevent unlocking if no
+ input can be be entered.)
+
+ 3. Finally, manually create and install the GRUB image. Don't use
+ `grub-install`(1) here, as we need to pass an early configuration
+ and a ramdisk. Instead, use [`grub-mkimage`(1)] with suitable image
+ file name, format, and module list.
+
+ root@debian:~# grub-mkimage \
+ -c /etc/early-grub.cfg -m /boot/grub/memdisk.tar \
+ -o "$IMAGE" -O "$FORMAT" \
+ diskfilter cryptodisk luks gcry_rijndael gcry_sha256 \
+ memdisk tar keylayouts configfile \
+ at_keyboard usb_keyboard uhci ehci \
+ ahci part_msdos part_gpt lvm ext2
+
+ (Replace with `ahci` with a suitable module if the drive holding
+ `/boot` isn't a SATA drive supporting AHCI. Also, replace `ext2`
+ with a file system driver suitable for `/boot` if the file system
+ isn't ext2, ext3 or ext4.)
+
+ The value of `IMAGE` and `FORMAT` depend on whether GRUB is in EFI
+ or BIOS mode.
+
+ a. For EFI mode: `IMAGE="/boot/efi/EFI/debian/grubx64.efi"` and
+ `FORMAT="x86_64-efi"`.
+
+ b. For BIOS mode: `IMAGE="/boot/grub/i386-pc/core.img"`,
+ `FORMAT="i386-pc"` and set up the image as follows:
+
+ root@debian:~# grub-bios-setup -d /boot/grub/i386-pc /dev/sda
+
+ You can now delete the memdisk and the early GRUB configuration
+ file, but note that subquent runs of `grub-install`(1) will override
+ these changes.
+
+
+[`cryptsetup`(8)]: https://manpages.debian.org/cryptsetup.8.en.html
+[`crypttab`(5)]: https://manpages.debian.org/crypttab.5.en.html
+[`fstab`(5)]: https://manpages.debian.org/fstab.5.en.html
+[`initramfs.conf`(5)]: https://manpages.debian.org/initramfs.conf.5.en.html
+[`grub-mkimage`(1)]: https://manpages.debian.org/grub-mkimage.1.en.html
+[`setxkbmap`(1)]: https://manpages.debian.org/setxkbmap.1.en.html
+[GRUB device syntax]: https://www.gnu.org/software/grub/manual/grub/grub.html#Device-syntax
+
+ -- Guilhem Moulin <guilhem@debian.org>, Sun, 09 Jun 2019 16:35:20 +0200
diff --git a/debian/doc/pandoc/index.md b/debian/doc/pandoc/index.md
new file mode 100644
index 0000000..bd750c4
--- /dev/null
+++ b/debian/doc/pandoc/index.md
@@ -0,0 +1,24 @@
+Cryptsetup for Debian
+=====================
+
+The main documentation:
+
+* [Debian Cryptsetup README](README.Debian.html)
+* [Debian Cryptsetup Debugging README](README.debug.html)
+* [Cryptsetup Initramfs intregration README](README.initramfs.html)
+
+Detailed documentation of specific setups:
+
+* [Debian encrypted boot documentation](encrypted-boot.html)
+
+Documentation of some particular keyscripts:
+
+* [Cryptsetup GnuPG keyscript README](README.gnupg.html)
+* [Cryptsetup GnuPG smartcard keyscript README](README.gnupg-sc.html)
+* [Cryptsetup keyctl keyscript README](README.keyctl.html)
+* [Cryptsetup smartcard keyscript README](README.opensc.html)
+
+
+**Please note**: Some of the documentation might be outdated. We
+recommend to look at the date of the page footer. It gives an idea
+about when the docs last got written and/or updated.
diff --git a/debian/doc/pandoc/pandoc.css b/debian/doc/pandoc/pandoc.css
new file mode 100644
index 0000000..bb66ac5
--- /dev/null
+++ b/debian/doc/pandoc/pandoc.css
@@ -0,0 +1,77 @@
+body {
+ margin: auto;
+ padding-right: 1em;
+ padding-left: 1em;
+ margin-left: 2em;
+ border-left: 1px solid black;
+ color: black;
+ font-size: 100%;
+ line-height: 140%;
+ color: #333;
+}
+
+pre {
+ border: 1px dotted gray;
+ background-color: #ececec;
+ color: #1111111;
+ padding: 0.5em;
+ line-height: 1.42857143;
+ tab-size: 4;
+ -moz-tab-size: 4;
+}
+
+code {
+ font-family: monospace;
+}
+
+h1 a, h2 a, h3 a, h4 a, h5 a {
+ text-decoration: none;
+ color: #7a5ada;
+}
+h1, h2, h3, h4, h5 {
+ font-family: sans-serif;
+ font-weight: bold;
+ text-decoration: underline;
+ color: #7a5ada;
+}
+h1 {
+ font-size: 130%;
+}
+h2 {
+ font-size: 110%;
+}
+h3 {
+ font-size: 95%;
+}
+h4 {
+ font-size: 90%;
+ font-style: italic;
+}
+h5 {
+ font-size: 90%;
+ font-style: italic;
+}
+h1.title {
+ font-size: 200%;
+ font-weight: bold;
+ padding-top: 0.2em;
+ padding-bottom: 0.2em;
+ text-align: left;
+ border: none;
+}
+
+dt code {
+ font-weight: bold;
+}
+dd p {
+ margin-top: 0;
+}
+
+#TOC {
+ float: right;
+ width: 40%;
+ background: #eee;
+ font-size: 0.8em;
+ padding: 1em 2em;
+ margin: 0.0 0.5em 0.5em;
+}
diff --git a/debian/doc/variables.xml.in b/debian/doc/variables.xml.in
new file mode 100644
index 0000000..8ca89f2
--- /dev/null
+++ b/debian/doc/variables.xml.in
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
+
+<refentry>
+
+ <refmeta>
+ <refmiscinfo class="version">VERSION</refmiscinfo>
+ <refmiscinfo class="source">cryptsetup</refmiscinfo>
+ <refmiscinfo class="manual">cryptsetup manual</refmiscinfo>
+ </refmeta>
+
+ <refentryinfo>
+ <date>DATE</date>
+ </refentryinfo>
+
+</refentry>
diff --git a/debian/functions b/debian/functions
new file mode 100644
index 0000000..917abad
--- /dev/null
+++ b/debian/functions
@@ -0,0 +1,686 @@
+if [ "${0#/usr/share/initramfs-tools/hooks/}" != "$0" ] ||
+ [ "${0#/etc/initramfs-tools/hooks/}" != "$0" ]; then
+ # called from an initramfs-tools hook script
+ TABFILE="$DESTDIR/cryptroot/crypttab"
+elif [ "${0#/scripts/}" != "$0" ]; then
+ # called at initramfs stage from a boot script
+ TABFILE="/cryptroot/crypttab"
+ CRYPTROOT_COUNT_FILE="/run/cryptroot.initrd.cnt"
+else
+ TABFILE="${TABFILE-/etc/crypttab}"
+fi
+export DM_DEFAULT_NAME_MANGLING_MODE=hex # for dmsetup(8)
+
+# Logging helpers. Send the argument list to plymouth(1), or fold it
+# and print it to the standard error.
+cryptsetup_message() {
+ local IFS=' '
+ if [ "${0#/scripts/}" != "$0" ] && [ -x /bin/plymouth ] && plymouth --ping; then
+ plymouth message --text="cryptsetup: $*"
+ elif [ ${#*} -lt 70 ]; then
+ echo "cryptsetup: $*" >&2
+ else
+ # use busybox's fold(1) and sed(1) at initramfs stage
+ echo "cryptsetup: $*" | fold -s | sed '1! s/^/ /' >&2
+ fi
+ return 0
+}
+
+# crypttab_parse_options([--export], [--quiet], [--missing-path={ignore|warn|fail}])
+# Parse $_CRYPTTAB_OPTIONS, a comma-separated option string from the
+# crypttab(5) 4th column, and sets corresponding variables
+# CRYPTTAB_OPTION_<option>=<value> (which are added to the environment
+# if --export is set). If --path-exists isn't set to "ignore" (the
+# default), then options taking a file name, such as header=<path>,
+# need to point to an existing path, otherwise a warning is printed;
+# and an error is raised if the value is set to "fail".
+# For error and warning messages, CRYPTTAB_NAME, (resp. CRYPTTAB_KEY)
+# should be set to the (unmangled) mapped device name (resp. key
+# file).
+# Moreover CRYPTTAB_TYPE is set the device type.
+# Return 1 on parsing error, 0 otherwise (incl. if unknown options
+# were encountered).
+crypttab_parse_options() {
+ local quiet="n" export="n" missing_path="ignore"
+ while [ $# -gt 0 ]; do
+ case "$1" in
+ --quiet) quiet="y";;
+ --export) export="y";;
+ --missing-path=*) missing_path="${1#--missing-path=}";;
+ *) cryptsetup_message "WARNING: crypttab_parse_options(): unknown option $1"
+ esac
+ shift
+ done
+
+ local IFS=',' x OPTION VALUE
+ CRYPTTAB_TYPE=""
+ unset -v CRYPTTAB_OPTION_cipher \
+ CRYPTTAB_OPTION_size \
+ CRYPTTAB_OPTION_sector_size \
+ CRYPTTAB_OPTION_hash \
+ CRYPTTAB_OPTION_offset \
+ CRYPTTAB_OPTION_skip \
+ CRYPTTAB_OPTION_verify \
+ CRYPTTAB_OPTION_readonly \
+ CRYPTTAB_OPTION_discard \
+ CRYPTTAB_OPTION_plain \
+ CRYPTTAB_OPTION_luks \
+ CRYPTTAB_OPTION_tcrypt \
+ CRYPTTAB_OPTION_veracrypt \
+ CRYPTTAB_OPTION_bitlk \
+ CRYPTTAB_OPTION_fvault2 \
+ CRYPTTAB_OPTION_swap \
+ CRYPTTAB_OPTION_tmp \
+ CRYPTTAB_OPTION_check \
+ CRYPTTAB_OPTION_checkargs \
+ CRYPTTAB_OPTION_tries \
+ CRYPTTAB_OPTION_initramfs \
+ CRYPTTAB_OPTION_noearly \
+ CRYPTTAB_OPTION_noauto \
+ CRYPTTAB_OPTION_loud \
+ CRYPTTAB_OPTION_quiet \
+ CRYPTTAB_OPTION_keyscript \
+ CRYPTTAB_OPTION_keyslot \
+ CRYPTTAB_OPTION_header \
+ CRYPTTAB_OPTION_tcrypthidden \
+ CRYPTTAB_OPTION_same_cpu_crypt \
+ CRYPTTAB_OPTION_submit_from_crypt_cpus \
+ CRYPTTAB_OPTION_no_read_workqueue \
+ CRYPTTAB_OPTION_no_write_workqueue
+ # use $_CRYPTTAB_OPTIONS not $CRYPTTAB_OPTIONS as options values may
+ # contain '\054' which is decoded to ',' in the latter
+ for x in $_CRYPTTAB_OPTIONS; do
+ OPTION="${x%%=*}"
+ VALUE="${x#*=}"
+ if [ "$x" = "$OPTION" ]; then
+ unset -v VALUE
+ else
+ VALUE="$(printf '%b' "$VALUE")"
+ fi
+ if ! crypttab_validate_option; then
+ if [ "$quiet" = "n" ]; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: invalid value for '${x%%=*}' option, skipping"
+ fi
+ return 1
+ elif [ -z "${OPTION+x}" ]; then
+ continue
+ fi
+ if [ "$export" = "y" ]; then
+ export "CRYPTTAB_OPTION_$OPTION"="${VALUE-yes}"
+ else
+ eval "CRYPTTAB_OPTION_$OPTION"='${VALUE-yes}'
+ fi
+ done
+ IFS=" "
+
+ if ! _get_crypt_type; then # set CRYPTTAB_TYPE to the type of crypt device
+ CRYPTTAB_TYPE="plain"
+ if [ "$quiet" = "n" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: couldn't determine device type," \
+ "assuming default ($CRYPTTAB_TYPE)."
+ fi
+ fi
+
+ if [ "$quiet" = "n" ] && [ -n "${CRYPTTAB_OPTION_header+x}" ] && [ "$CRYPTTAB_TYPE" != "luks" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: Headers are only supported for LUKS devices."
+ fi
+ if [ "$CRYPTTAB_TYPE" = "plain" ]; then
+ # the compiled-in default for these are subject to change
+ options='cipher size'
+ if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
+ options="$options hash" # --hash is being ignored in plain mode with keyfile specified
+ fi
+ for o in $options; do
+ if [ "$quiet" = "n" ] && eval [ -z "\${CRYPTTAB_OPTION_$o+x}" ]; then
+ cryptsetup_message "WARNING: Option '$o' missing in crypttab for plain dm-crypt" \
+ "mapping $CRYPTTAB_NAME. Please read /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz and" \
+ "add the correct '$o' option to your crypttab(5)."
+ fi
+ done
+ fi
+}
+
+# crypttab_validate_option()
+# Validate $OPTION=$VALUE (or flag $OPTION if VALUE is unset). return
+# 1 on error, unsets OPTION for unknown or useless options.
+crypttab_validate_option() {
+ # option aliases
+ case "$OPTION" in
+ read-only) OPTION="readonly";;
+ key-slot) OPTION="keyslot";;
+ tcrypt-hidden) OPTION="tcrypthidden";;
+ tcrypt-veracrypt) OPTION="veracrypt";;
+ esac
+
+ # sanitize the option name so CRYPTTAB_OPTION_$OPTION is a valid variable name
+ local o="$OPTION"
+ case "$o" in
+ keyfile-offset) OPTION="keyfile_offset";;
+ keyfile-size) OPTION="keyfile_size";;
+ sector-size) OPTION="sector_size";;
+ same-cpu-crypt) OPTION="same_cpu_crypt";;
+ submit-from-crypt-cpus) OPTION="submit_from_crypt_cpus";;
+ no-read-workqueue) OPTION="no_read_workqueue";;
+ no-write-workqueue) OPTION="no_write_workqueue";;
+ esac
+
+ case "$o" in
+ # value must be a non-empty string
+ cipher|hash)
+ [ -n "${VALUE:+x}" ] || return 1
+ ;;
+ # value must be a non-empty string, and an existing path if --missing-path is set
+ header)
+ [ -n "${VALUE:+x}" ] || return 1
+ if [ "$missing_path" != "ignore" ]; then
+ if [ ! -e "$VALUE" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: $VALUE does not exist";
+ [ "$missing_path" = "warn" ] || return 1
+ fi
+ fi
+ ;;
+ # numeric options >0
+ size|keyfile-size|sector-size)
+ if ! printf '%s' "${VALUE-}" | grep -Exq "0*[1-9][0-9]*"; then
+ return 1
+ fi
+ ;;
+ # numeric options >=0
+ offset|skip|tries|keyslot|keyfile-offset)
+ if ! printf '%s' "${VALUE-}" | grep -Exq "[0-9]+"; then
+ return 1
+ fi
+ ;;
+ tmp)
+ if [ -z "${VALUE+x}" ]; then
+ VALUE="ext4" # 'tmp flag'
+ elif [ -z "$VALUE" ]; then
+ return 1
+ fi
+ ;;
+ check)
+ if [ -z "${VALUE+x}" ]; then
+ if [ -n "${CRYPTDISKS_CHECK-}" ]; then
+ VALUE="$CRYPTDISKS_CHECK"
+ else
+ unset -v OPTION
+ return 0
+ fi
+ fi
+ if [ "${VALUE#/}" = "$VALUE" ]; then
+ VALUE="/lib/cryptsetup/checks/$VALUE"
+ fi
+ if [ ! -x "$VALUE" ] || [ ! -f "$VALUE" ]; then
+ return 1
+ fi
+ ;;
+ checkargs)
+ [ -n "${VALUE+x}" ] || return 1 # must have a value (possibly empty)
+ ;;
+ keyscript)
+ [ -n "${VALUE:+x}" ] || return 1 # must have a value
+ if [ "${VALUE#/}" = "$VALUE" ]; then
+ VALUE="/lib/cryptsetup/scripts/$VALUE"
+ fi
+ if [ ! -x "$VALUE" ] || [ ! -f "$VALUE" ]; then
+ return 1
+ fi
+ ;;
+ # and now the flags
+ verify) ;;
+ loud) ;;
+ quiet) ;;
+ initramfs) ;;
+ noearly) ;;
+ noauto) ;;
+ readonly) ;;
+ discard) ;;
+ plain) ;;
+ luks) ;;
+ swap) ;;
+ tcrypt) ;;
+ veracrypt) ;;
+ tcrypthidden) ;;
+ bitlk) ;;
+ fvault2) ;;
+ same-cpu-crypt) ;;
+ submit-from-crypt-cpus) ;;
+ no-read-workqueue) ;;
+ no-write-workqueue) ;;
+ *)
+ if [ "${quiet:-n}" = "n" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: ignoring unknown option '$o'";
+ fi
+ unset -v OPTION
+ ;;
+ esac
+}
+
+# crypttab_resolve_source()
+# Resolve the CRYPTTAB_SOURCE variable, containing value of the second
+# field of a crypttab(5)-like file.
+# On error (non-existing source), CRYPTTAB_SOURCE is not changed and 1
+# is returned.
+crypttab_resolve_source() {
+ # return immediately if source is a regular file
+ [ ! -f "$CRYPTTAB_SOURCE" ] || return 0
+ # otherwise resolve the block device specification
+ local dev="$CRYPTTAB_SOURCE"
+ dev="$(_resolve_device_spec "$dev")" && CRYPTTAB_SOURCE="$dev" || return 1
+}
+
+# run_keyscript($tried_count)
+# exec()'ute `$CRYPTTAB_OPTION_keyscript "$CRYPTTAB_KEY"`.
+# If $CRYPTTAB_OPTION_keyscript is unset or null and $CRYPTTAB_KEY is
+# "none" (meaning the passphrase is to be read interactively from the
+# console), then use `/lib/cryptsetup/askpass` as keyscript with a
+# suitable prompt message instead.
+# Since the shell process is replaced with the $CRYPTTAB_OPTION_keyscript
+# program, run_keyscript() must be used on the left-hand side of a
+# pipe, or similar.
+run_keyscript() {
+ local keyscript keyscriptarg="$CRYPTTAB_KEY"
+ export CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_OPTIONS
+ export _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_OPTIONS
+ export CRYPTTAB_TRIED="$1"
+
+ if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] && \
+ [ "$CRYPTTAB_OPTION_keyscript" != "/lib/cryptsetup/askpass" ]; then
+ # 'keyscript' option is present: export its argument as $CRYPTTAB_KEY
+ export CRYPTTAB_KEY _CRYPTTAB_KEY
+ keyscript="$CRYPTTAB_OPTION_keyscript"
+ elif [ "$keyscriptarg" = "none" ]; then
+ # don't export the prompt message as CRYPTTAB_KEY
+ keyscript="/lib/cryptsetup/askpass"
+ keyscriptarg="Please unlock disk $CRYPTTAB_NAME: "
+ fi
+
+ exec "$keyscript" "$keyscriptarg"
+}
+
+# _get_crypt_type()
+# Set CRYPTTAB_TYPE to the mapping type, depending on its
+# $CRYPTTAB_OPTION_<option> values
+# Return a non-zero status if the mapping couldn't be determined
+_get_crypt_type() {
+ local s="$CRYPTTAB_SOURCE" t="" blk_t
+
+ if [ "${CRYPTTAB_OPTION_luks-}" = "yes" ]; then
+ t="luks"
+ elif [ "${CRYPTTAB_OPTION_tcrypt-}" = "yes" ]; then
+ t="tcrypt"
+ elif [ "${CRYPTTAB_OPTION_plain-}" = "yes" ]; then
+ t="plain"
+ elif [ "${CRYPTTAB_OPTION_bitlk-}" = "yes" ]; then
+ t="bitlk"
+ elif [ "${CRYPTTAB_OPTION_fvault2-}" = "yes" ]; then
+ t="fvault2"
+ elif [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
+ # detached headers are only supported for LUKS devices
+ if [ -e "$CRYPTTAB_OPTION_header" ] && /sbin/cryptsetup isLuks -- "$CRYPTTAB_OPTION_header"; then
+ t="luks"
+ fi
+ elif [ -f "$s" ] || s="$(_resolve_device_spec "$CRYPTTAB_SOURCE")"; then
+ if /sbin/cryptsetup isLuks -- "$s"; then
+ t="luks"
+ elif blk_t="$(blkid -s TYPE -o value -- "$s")" && [ "$blk_t" = "BitLocker" ]; then
+ t="bitlk"
+ fi
+ fi
+
+ [ -n "$t" ] || return 1
+ CRYPTTAB_TYPE="$t"
+}
+
+# unlock_mapping([$keyfile])
+# Run cryptsetup(8) with suitable options and arguments to unlock
+# $CRYPTTAB_SOURCE and setup dm-crypt managed device-mapper mapping
+# $CRYPTTAB_NAME.
+unlock_mapping() {
+ local keyfile="${1:--}"
+
+ if [ "$CRYPTTAB_TYPE" = "luks" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
+ # ignored for LUKS and TCRYPT devices
+ unset -v CRYPTTAB_OPTION_cipher \
+ CRYPTTAB_OPTION_size \
+ CRYPTTAB_OPTION_hash \
+ CRYPTTAB_OPTION_offset \
+ CRYPTTAB_OPTION_skip
+ fi
+ if [ "$CRYPTTAB_TYPE" = "plain" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
+ unset -v CRYPTTAB_OPTION_keyfile_size
+ fi
+ if [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
+ # ignored for TCRYPT devices
+ unset -v CRYPTTAB_OPTION_keyfile_offset
+ else
+ # ignored for non-TCRYPT devices
+ unset -v CRYPTTAB_OPTION_veracrypt CRYPTTAB_OPTION_tcrypthidden
+ fi
+
+ if [ "$CRYPTTAB_TYPE" != "luks" ]; then
+ # ignored for non-LUKS devices
+ unset -v CRYPTTAB_OPTION_keyslot
+ fi
+
+ /sbin/cryptsetup -T1 \
+ ${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \
+ ${CRYPTTAB_OPTION_cipher:+--cipher="$CRYPTTAB_OPTION_cipher"} \
+ ${CRYPTTAB_OPTION_size:+--key-size="$CRYPTTAB_OPTION_size"} \
+ ${CRYPTTAB_OPTION_sector_size:+--sector-size="$CRYPTTAB_OPTION_sector_size"} \
+ ${CRYPTTAB_OPTION_hash:+--hash="$CRYPTTAB_OPTION_hash"} \
+ ${CRYPTTAB_OPTION_offset:+--offset="$CRYPTTAB_OPTION_offset"} \
+ ${CRYPTTAB_OPTION_skip:+--skip="$CRYPTTAB_OPTION_skip"} \
+ ${CRYPTTAB_OPTION_verify:+--verify-passphrase} \
+ ${CRYPTTAB_OPTION_readonly:+--readonly} \
+ ${CRYPTTAB_OPTION_discard:+--allow-discards} \
+ ${CRYPTTAB_OPTION_veracrypt:+--veracrypt} \
+ ${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \
+ ${CRYPTTAB_OPTION_tcrypthidden:+--tcrypt-hidden} \
+ ${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \
+ ${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \
+ ${CRYPTTAB_OPTION_same_cpu_crypt:+--perf-same_cpu_crypt} \
+ ${CRYPTTAB_OPTION_submit_from_crypt_cpus:+--perf-submit_from_crypt_cpus} \
+ ${CRYPTTAB_OPTION_no_read_workqueue:+--perf-no_read_workqueue} \
+ ${CRYPTTAB_OPTION_no_write_workqueue:+--perf-no_write_workqueue} \
+ --type="$CRYPTTAB_TYPE" --key-file="$keyfile" \
+ open -- "$CRYPTTAB_SOURCE" "$CRYPTTAB_NAME"
+}
+
+# resume_mapping([$keyfile])
+# Run cryptsetup(8) with suitable options and arguments to resume
+# $CRYPTTAB_NAME.
+resume_mapping() {
+ local keyfile="${1:--}"
+
+ /sbin/cryptsetup -T1 \
+ ${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \
+ ${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \
+ ${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \
+ ${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \
+ --type="$CRYPTTAB_TYPE" --key-file="$keyfile" \
+ luksResume "$CRYPTTAB_NAME"
+}
+
+# resume_device($device)
+# Resume $device with endless retries. Used by cryptsetup-suspend-wrapper.
+resume_device() {
+ local device="$1"
+ # check if device is really suspended
+ if [ "$(dmsetup info -c --noheadings -o suspended -- "$device" 2>/dev/null)" != "Suspended" ]; then
+ cryptsetup_message "ERROR: $device: device was not suspendend"
+ return 1
+ fi
+
+ if ! crypttab_find_entry "$device" || ! crypttab_parse_options --quiet; then
+ cryptsetup_message "ERROR: $device: not found in $TABFILE"
+ return 1
+ fi
+
+ if [ "$CRYPTTAB_TYPE" != "luks" ]; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: unable to resume non-LUKS device"
+ return 1
+ fi
+
+ # Loop endlessly until the resume command succeeded
+ while true; do
+ if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
+ resume_mapping "$CRYPTTAB_KEY" && break || true
+ else
+ run_keyscript 1 | resume_mapping && break || true
+ fi
+ done
+}
+
+# crypttab_key_check()
+# Sanity checks for keyfile $CRYPTTAB_KEY. CRYPTTAB_NAME and
+# CRYPTTAB_OPTION_<option> must be set appropriately.
+crypttab_key_check() {
+ if [ ! -f "$CRYPTTAB_KEY" ] && [ ! -b "$CRYPTTAB_KEY" ] && [ ! -c "$CRYPTTAB_KEY" ] ; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: keyfile '$CRYPTTAB_KEY' not found"
+ return 0
+ fi
+
+ if [ "$CRYPTTAB_KEY" = "/dev/random" ] || [ "$CRYPTTAB_KEY" = "/dev/urandom" ]; then
+ if [ -n "${CRYPTTAB_OPTION_luks+x}" ] || [ -n "${CRYPTTAB_OPTION_tcrypt+x}" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: has random data as key"
+ return 1
+ else
+ return 0
+ fi
+ fi
+
+ local mode="$(stat -L -c"%04a" -- "$CRYPTTAB_KEY")"
+ if [ $(stat -L -c"%u" -- "$CRYPTTAB_KEY") -ne 0 ] || [ "${mode%00}" = "$mode" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: key file $CRYPTTAB_KEY has" \
+ "insecure ownership, see /usr/share/doc/cryptsetup/README.Debian.gz."
+ fi
+}
+
+# _resolve_device_spec($spec)
+# Resolve LABEL=<label>, UUID=<uuid>, PARTUUID=<partuuid> and
+# PARTLABEL=<partlabel> to a block special device. If $spec is
+# already a (link to a block special device) then it is echoed as is.
+# Return 1 if $spec doesn't correspond to a block special device.
+_resolve_device_spec() {
+ local spec="$1"
+ case "$spec" in
+ UUID=*|LABEL=*|PARTUUID=*|PARTLABEL=*)
+ # don't use /dev/disk/by-label/... to avoid gessing udev mangling
+ spec="$(blkid -l -t "$spec" -o device)" || spec=
+ ;;
+ esac
+ [ -b "$spec" ] && printf '%s\n' "$spec" || return 1
+}
+
+# dm_blkdevname($name)
+# Print the mapped device name, or return 1 if the the device doesn't exist.
+dm_blkdevname() {
+ local name="$1" dev
+ # /dev/mapper/$name isn't reliable due to udev mangling
+ if dev="$(dmsetup info -c --noheadings -o blkdevname -- "$name" 2>/dev/null)" &&
+ [ -n "$dev" ] && [ -b "/dev/$dev" ]; then
+ echo "/dev/$dev"
+ return 0
+ else
+ return 1
+ fi
+}
+
+# crypttab_find_entry([--quiet], $target)
+# Search in the crypttab(5) for the given $target, and sets the
+# variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY and
+# CRYPTTAB_OPTIONS accordingly. (In addition _CRYPTTAB_NAME,
+# _CRYPTTAB_SOURCE, _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the
+# unmangled values before decoding the escape sequence.) If there are
+# duplicates then only the first match is considered.
+# Return 0 if a match is found, and 1 otherwise.
+crypttab_find_entry() {
+ local target="$1" quiet="n" IFS
+ if [ "$target" = "--quiet" ] && [ $# -eq 2 ]; then
+ quiet="y"
+ target="$2"
+ fi
+
+ if [ -f "$TABFILE" ]; then
+ while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS; do
+ if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] || [ -z "$_CRYPTTAB_NAME" ]; then
+ # ignore comments and empty lines
+ continue
+ fi
+
+ # unmangle names
+ CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")"
+ if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then
+ cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)"
+ continue
+ elif [ "$CRYPTTAB_NAME" = "$target" ]; then
+ CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )"
+ CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )"
+ CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")"
+ return 0
+ fi
+ done <"$TABFILE"
+ fi
+
+ if [ "$quiet" = "n" ]; then
+ cryptsetup_message "WARNING: target '$target' not found in $TABFILE"
+ fi
+ return 1
+}
+
+# crypttab_foreach_entry($callback)
+# Iterate through the crypttab(5) and run the given $callback for each
+# entry found. Variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY
+# and CRYPTTAB_OPTIONS are set accordingly and available to the
+# $callback. (In addition _CRYPTTAB_NAME, _CRYPTTAB_SOURCE,
+# _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the original values
+# before decoding the escape sequence.)
+# Return 0 if a match is found, and 1 otherwise.
+crypttab_foreach_entry() {
+ local callback="$1" IFS
+ local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS \
+ CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS
+
+ [ -f "$TABFILE" ] || return
+ while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS <&9; do
+ if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] || [ -z "$_CRYPTTAB_NAME" ]; then
+ # ignore comments and empty lines
+ continue
+ fi
+
+ # unmangle names
+ CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")"
+
+ if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then
+ cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)"
+ continue
+ fi
+
+ CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )"
+ CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )"
+ CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")"
+
+ "$callback" 9<&-
+ done 9<"$TABFILE"
+}
+
+# _device_uuid($device)
+# Print the UUID attribute of given block special $device. Return 0
+# on success, 1 on error.
+_device_uuid() {
+ local device="$1" uuid
+ if uuid="$(blkid -s UUID -o value -- "$device")" && [ -n "$uuid" ]; then
+ printf '%s\n' "$uuid"
+ else
+ return 1
+ fi
+}
+
+# _resolve_device({$device | $spec})
+# Take a path to (or spec for) a block special device, and set DEV to
+# the (symlink to block) device, and MAJ (resp. MIN) to its major-ID
+# (resp. minor ID) decimal value. On error these variables are not
+# changed and 1 is returned.
+_resolve_device() {
+ local spec="$1" dev devno maj min
+ if dev="$(_resolve_device_spec "$spec")" &&
+ devno="$(stat -L -c"%t:%T" -- "$dev" 2>/dev/null)" &&
+ maj="${devno%:*}" && min="${devno#*:}" &&
+ [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
+ maj=$(( 0x$maj )) && min=$(( 0x$min )) && [ $maj -gt 0 ]; then
+ DEV="$dev"
+ MAJ="$maj"
+ MIN="$min"
+ return 0
+ else
+ cryptsetup_message "ERROR: Couldn't resolve device $spec"
+ fi
+ return 1
+}
+
+# get_mnt_devno($mountpoint)
+# Print the major:minor device ID(s) holding the file system currently
+# mounted currenty mounted on $mountpoint.
+# Return 0 on success, 1 on error (if $mountpoint is not a mountpoint).
+get_mnt_devno() {
+ local wantmount="$1" devnos="" uuid dev IFS
+ local spec mountpoint fstype _ DEV MAJ MIN
+
+ while IFS=" " read -r spec mountpoint fstype _; do
+ # treat lines starting with '#' as comments; /proc/mounts
+ # doesn't seem to contain these but per procfs(5) the format of
+ # that file is analogous to fstab(5)'s
+ if [ "${spec#\#}" = "$spec" ] && [ -n "$spec" ] &&
+ [ "$(printf '%b' "$mountpoint")" = "$wantmount" ]; then
+ # take the last mountpoint if used several times (shadowed)
+ unset -v devnos
+ spec="$(printf '%b' "$spec")"
+ _resolve_device "$spec" || continue # _resolve_device() already warns on error
+ fstype="$(printf '%b' "$fstype")"
+ if [ "$fstype" = "btrfs" ]; then
+ # btrfs can span over multiple devices
+ if uuid="$(_device_uuid "$DEV")"; then
+ for dev in "/sys/fs/$fstype/$uuid/devices"/*/dev; do
+ devnos="${devnos:+$devnos }$(cat "$dev")"
+ done
+ else
+ cryptsetup_message "ERROR: $spec: Couldn't determine UUID"
+ fi
+ elif [ -n "$fstype" ]; then
+ devnos="$MAJ:$MIN"
+ fi
+ fi
+ done </proc/mounts
+
+ if [ -z "${devnos:+x}" ]; then
+ return 1 # not found
+ else
+ printf '%s' "$devnos"
+ fi
+}
+
+# foreach_cryptdev([--reverse], $callback, $maj:$min, [$maj:$min ..])
+# Run $callback on the (unmangled) name of each dm-crypt device
+# recursively holding $maj:$min (typically corresponding to an md,
+# linear, or dm-crypt device). Slaves that aren't dm-crypt devices
+# are ignored.
+# By default each device is processed after its *slaves*. If
+# --reverse is set then each device is processed after its *holders*
+# instead.
+foreach_cryptdev() {
+ local callback="$1" reverse="n" devno base
+ shift
+ if [ "$callback" = "--reverse" ]; then
+ reverse="y"
+ callback="$1"
+ shift
+ fi
+ for devno in "$@"; do
+ base="/sys/dev/block/$devno"
+ if [ ! -d "$base" ]; then
+ cryptsetup_message "ERROR: Couldn't find sysfs directory for $devno"
+ return 1
+ fi
+ _foreach_cryptdev "$base"
+ done
+}
+_foreach_cryptdev() {
+ local d="$1" devno maj min name t d2
+ [ "$reverse" = "y" ] && t="holders" || t="slaves"
+ [ -d "$d/$t" ] || return 0
+ for d2 in "$d/$t"/*; do
+ if [ -d "$d2" ] && d2="$(realpath -e -- "$d2")"; then
+ _foreach_cryptdev "$d2"
+ fi
+ done
+ if [ -d "$d/dm" ] && devno="$(cat "$d/dev")" &&
+ maj="${devno%:*}" && min="${devno#*:}" &&
+ [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
+ [ "$(dmsetup info -c --noheadings -o subsystem -j "$maj" -m "$min")" = "CRYPT" ] &&
+ name="$(dmsetup info -c --noheadings -o unmangled_name -j "$maj" -m "$min")"; then
+ "$callback" "$name"
+ fi
+}
+
+# vim: set filetype=sh :
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..cb85cdd
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,11 @@
+[DEFAULT]
+debian-branch = debian/latest
+upstream-branch = upstream/latest
+compression = gzip
+pristine-tar = False
+
+[import-orig]
+upstream-vcs-tag = v%(version)s
+
+[pq]
+patch-numbers = False
diff --git a/debian/initramfs/conf-hook b/debian/initramfs/conf-hook
new file mode 100644
index 0000000..0b4389f
--- /dev/null
+++ b/debian/initramfs/conf-hook
@@ -0,0 +1,44 @@
+#
+# Configuration file for the cryptroot initramfs hook.
+#
+
+#
+# KEYFILE_PATTERN: ...
+#
+# The value of this variable is interpreted as a shell pattern.
+# Matching key files from the crypttab(5) are included in the initramfs
+# image. The associated devices can then be unlocked without manual
+# intervention. (For instance if /etc/crypttab lists two key files
+# /etc/keys/{root,swap}.key, you can set KEYFILE_PATTERN="/etc/keys/*.key"
+# to add them to the initrd.)
+#
+# If KEYFILE_PATTERN if null or unset (default) then no key file is
+# copied to the initramfs image.
+#
+# Note that the glob(7) is not expanded for crypttab(5) entries with a
+# 'keyscript=' option. In that case, the field is not treated as a file
+# name but given as argument to the keyscript.
+#
+# WARNING:
+# * If the initramfs image is to include private key material, you'll
+# want to create it with a restrictive umask in order to keep
+# non-privileged users at bay. For instance, set UMASK=0077 in
+# /etc/initramfs-tools/initramfs.conf
+# * If you use cryptsetup-suspend, private key material inside the
+# initramfs will be in memory during suspend period, defeating the
+# purpose of cryptsetup-suspend.
+#
+
+#KEYFILE_PATTERN=
+
+#
+# ASKPASS: [ y | n ]
+#
+# Whether to include the askpass binary to the initramfs image. askpass
+# is required for interactive passphrase prompts, and ASKPASS=y (the
+# default) is implied when the hook detects that same device needs to be
+# unlocked interactively (i.e., not via keyfile nor keyscript) at
+# initramfs stage. Setting ASKPASS=n also skips `cryptroot-unlock`
+# inclusion as it requires the askpass executable.
+
+#ASKPASS=y
diff --git a/debian/initramfs/conf-hooks.d/cryptsetup b/debian/initramfs/conf-hooks.d/cryptsetup
new file mode 100644
index 0000000..883c1ba
--- /dev/null
+++ b/debian/initramfs/conf-hooks.d/cryptsetup
@@ -0,0 +1,9 @@
+# This will setup non-us keyboards in early userspace,
+# necessary for punching in passphrases.
+KEYMAP=y
+
+# force busybox on initramfs
+BUSYBOX=y
+
+# and for systems using plymouth instead, use the new option
+FRAMEBUFFER=y
diff --git a/debian/initramfs/cryptroot-unlock b/debian/initramfs/cryptroot-unlock
new file mode 100644
index 0000000..dbc2ad0
--- /dev/null
+++ b/debian/initramfs/cryptroot-unlock
@@ -0,0 +1,196 @@
+#!/bin/busybox ash
+
+# Remotely unlock encrypted volumes.
+#
+# Copyright © 2015-2018 Guilhem Moulin <guilhem@debian.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set -ue
+PATH=/sbin:/bin
+
+TIMEOUT=10
+PASSFIFO=/lib/cryptsetup/passfifo
+ASKPASS=/lib/cryptsetup/askpass
+UNLOCK_ALL=n
+
+[ -f /lib/cryptsetup/functions ] || return 0
+. /lib/cryptsetup/functions
+TABFILE="/cryptroot/crypttab"
+unset -v IFS
+
+if [ ! -f "$TABFILE" ] || [ "$TABFILE" -ot "/proc/1" ]; then
+ # Too early, init-top/cryptroot hasn't finished yet
+ echo "Try again later" >&2
+ exit 1
+fi
+
+# Print the list of PIDs the executed command of which is $exe.
+pgrep_exe() {
+ local exe pid
+ exe="$(readlink -f -- "$1" 2>/dev/null)" && [ -f "$exe" ] || return 0
+ ps -eo pid= | while read pid; do
+ [ "$(readlink -f "/proc/$pid/exe")" != "$exe" ] || printf '%d\n' "$pid"
+ done
+}
+
+# Return 0 if $pid has a file descriptor pointing to $name, and 1
+# otherwise.
+in_fds() {
+ local pid="$1" name fd
+ name="$(readlink -f -- "$2" 2>/dev/null)" && [ -e "$name" ] || return 1
+ for fd in $(find "/proc/$pid/fd" -type l); do
+ [ "$(readlink -f "$fd")" != "$name" ] || return 0
+ done
+ return 1
+}
+
+# Print the PID of the askpass process with a file descriptor opened to
+# /lib/cryptsetup/passfifo.
+get_askpass_pid() {
+ local pid
+ for pid in $(pgrep_exe "$ASKPASS"); do
+ if in_fds "$pid" "$PASSFIFO"; then
+ echo "$pid"
+ return 0
+ fi
+ done
+ return 1
+}
+
+# Print the number of configured crypt devices that have not been unlocked yet.
+count_locked_devices() {
+ local COUNT=0
+ crypttab_foreach_entry count_locked_devices_callback
+ printf '%d\n' "$COUNT"
+}
+count_locked_devices_callback() {
+ dm_blkdevname "$CRYPTTAB_NAME" >/dev/null || COUNT=$(( $COUNT + 1 ))
+}
+
+# Wait for askpass, then set $PID (resp. $BIRTH) to the PID (resp.
+# birth date) of the cryptsetup process with same $CRYPTTAB_NAME.
+wait_for_prompt() {
+ local pid timer num_locked_devices=-1 n
+
+ # wait for the fifo
+ while :; do
+ n=$(count_locked_devices)
+ if [ $n -eq 0 ]; then
+ # all configured devices have been unlocked, we're done
+ exit 0
+ elif [ $num_locked_devices -lt 0 ] || [ $n -lt $num_locked_devices ]; then
+ # reset $timer if a device was unlocked (for instance using
+ # a keyscript) while we were waiting
+ timer=$(( 10 * $TIMEOUT ))
+ fi
+ num_locked_devices=$n
+
+ if pid=$(get_askpass_pid) && [ -p "$PASSFIFO" ]; then
+ break
+ fi
+
+ usleep 100000
+ timer=$(( $timer - 1 ))
+ if [ $timer -le 0 ]; then
+ echo "Error: Timeout reached while waiting for askpass." >&2
+ exit 1
+ fi
+ done
+
+ # find the cryptsetup process with same $CRYPTTAB_NAME
+ local o v
+ for o in NAME TRIED OPTION_tries; do
+ if v="$(grep -z -m1 "^CRYPTTAB_$o=" "/proc/$pid/environ")"; then
+ eval "CRYPTTAB_$o"="\${v#CRYPTTAB_$o=}"
+ else
+ eval unset -v "CRYPTTAB_$o"
+ fi
+ done
+ if [ -z "${CRYPTTAB_NAME:+x}" ] || [ -z "${CRYPTTAB_TRIED:+x}" ]; then
+ return 1
+ fi
+ if ( ! crypttab_find_entry --quiet "$CRYPTTAB_NAME" ); then
+ # use a subshell to avoid polluting our enironment
+ echo "Error: Refusing to process unknown device $CRYPTTAB_NAME" >&2
+ exit 1
+ fi
+
+ for pid in $(pgrep_exe "/sbin/cryptsetup"); do
+ if grep -Fxqz "CRYPTTAB_NAME=$CRYPTTAB_NAME" "/proc/$pid/environ"; then
+ PID=$pid
+ BIRTH=$(stat -c"%Z" "/proc/$PID" 2>/dev/null) || break
+ return 0
+ fi
+ done
+
+ PID=
+ BIRTH=
+ return 1
+}
+
+# Wait until $PID no longer exists or has a birth date greater that
+# $BIRTH (ie was reallocated). Then return with exit value 0 if
+# /dev/mapper/$CRYPTTAB_NAME exists, and with exit value 1 if the
+# maximum number of tries exceeded. Otherwise (if the unlocking
+# failed), return with value 1.
+wait_for_answer() {
+ local timer=$(( 10 * $TIMEOUT )) b
+ while [ -d "/proc/$PID" ] && b=$(stat -c"%Z" "/proc/$PID" 2>/dev/null) && [ $b -le $BIRTH ]; do
+ usleep 100000
+ timer=$(( $timer - 1 ))
+ if [ $timer -le 0 ]; then
+ echo "Error: Timeout reached while waiting for PID $PID." >&2
+ exit 1
+ fi
+ done
+
+ if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
+ echo "cryptsetup: $CRYPTTAB_NAME set up successfully" >&2
+ [ "$UNLOCK_ALL" = y ] && return 0 || exit 0
+ elif [ $(( ${CRYPTTAB_TRIED:-0} + 1 )) -ge ${CRYPTTAB_OPTION_tries:-3} ] &&
+ [ ${CRYPTTAB_OPTION_tries:-3} -gt 0 ]; then
+ echo "cryptsetup: maximum number of tries exceeded for $CRYPTTAB_NAME" >&2
+ exit 1
+ else
+ echo "cryptsetup: cryptsetup failed, bad password or options?" >&2
+ return 1
+ fi
+}
+
+
+if [ -t 0 ] && [ -x "$ASKPASS" ]; then
+ # interactive mode on a TTY: keep trying until all configured devices have
+ # been unlocked or the maximum number of tries exceeded
+ UNLOCK_ALL=y
+ while :; do
+ # note: if the script is not killed before pivot_root it should
+ # exit on its own once $TIMEOUT is reached
+ if ! wait_for_prompt; then
+ usleep 100000
+ continue
+ fi
+ read -rs -p "Please unlock disk $CRYPTTAB_NAME: "; echo
+ printf '%s' "$REPLY" >"$PASSFIFO"
+ wait_for_answer || true
+ done
+else
+ # non-interactive mode: slurp the passphrase from stdin and exit
+ wait_for_prompt || exit 1
+ echo "Please unlock disk $CRYPTTAB_NAME"
+ cat >"$PASSFIFO"
+ wait_for_answer || exit 1
+fi
+
+# vim: set filetype=sh :
diff --git a/debian/initramfs/hooks/cryptgnupg b/debian/initramfs/hooks/cryptgnupg
new file mode 100644
index 0000000..dcb5248
--- /dev/null
+++ b/debian/initramfs/hooks/cryptgnupg
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case "$1" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /lib/cryptsetup/functions
+
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg" ] || [ ! -f "$TABFILE" ]; then
+ exit 0
+fi
+
+# Hooks for loading gnupg software and symmetrically encrypted key into
+# the initramfs
+copy_keys() {
+ crypttab_parse_options
+ if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg" ]; then
+ if [ -f "$CRYPTTAB_KEY" ]; then
+ [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
+ else
+ cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+ RV=1
+ fi
+ fi
+}
+
+RV=0
+crypttab_foreach_entry copy_keys
+
+# install askpass and GnuPG
+copy_exec /lib/cryptsetup/askpass
+copy_exec /usr/bin/gpg
+exit $RV
diff --git a/debian/initramfs/hooks/cryptgnupg-sc b/debian/initramfs/hooks/cryptgnupg-sc
new file mode 100644
index 0000000..9e45000
--- /dev/null
+++ b/debian/initramfs/hooks/cryptgnupg-sc
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case "$1" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /lib/cryptsetup/functions
+
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg-sc" ] || [ ! -f "$TABFILE" ]; then
+ exit 0
+fi
+
+# Hooks for loading gnupg software and encrypted key into the initramfs
+copy_keys() {
+ crypttab_parse_options
+ if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg-sc" ]; then
+ if [ -f "$CRYPTTAB_KEY" ]; then
+ [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
+ else
+ cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+ RV=1
+ fi
+ fi
+}
+
+RV=0
+crypttab_foreach_entry copy_keys
+
+PUBRING="/etc/cryptsetup-initramfs/pubring.gpg"
+if [ ! -f "$PUBRING" ]; then
+ cryptsetup_message "WARNING: $PUBRING: No such file"
+else
+ [ -d "$DESTDIR/cryptroot/gnupghome" ] || mkdir -pm0700 "$DESTDIR/cryptroot/gnupghome"
+ # let gpg(1) create the keyring on the fly; we're not relying on its
+ # internals since it's the very same binary we're copying to the
+ # initramfs
+ /usr/bin/gpg --no-options --no-autostart --trust-model=always \
+ --quiet --batch --no-tty --logger-file=/dev/null \
+ --homedir="$DESTDIR/cryptroot/gnupghome" --import <"$PUBRING"
+ # make sure not to clutter the initramfs with backup keyrings
+ find "$DESTDIR/cryptroot" -name "*~" -type f -delete
+fi
+
+copy_exec /usr/bin/gpg
+copy_exec /usr/bin/gpg-agent
+copy_exec /usr/lib/gnupg/scdaemon
+copy_exec /usr/bin/gpgconf
+copy_exec /usr/bin/gpg-connect-agent
+
+if [ ! -x "$DESTDIR/usr/bin/pinentry" ]; then
+ if [ -x "/usr/bin/pinentry-curses" ]; then
+ pinentry="/usr/bin/pinentry-curses"
+ elif [ -x "/usr/bin/pinentry-tty" ]; then
+ pinentry="/usr/bin/pinentry-tty"
+ else
+ cryptsetup_message "ERROR: missing required binary pinentry-curses or pinentry-tty"
+ RV=1
+ fi
+ copy_exec "$pinentry"
+ ln -s "$pinentry" "$DESTDIR/usr/bin/pinentry"
+fi
+
+# #1028202: ncurses-base: move terminfo files from /lib/terminfo to
+# /usr/share/terminfo
+for d in "/usr/share/terminfo" "/lib/terminfo"; do
+ if [ -f "$d/l/linux" ]; then
+ if [ ! -f "$DESTDIR$d/l/linux" ]; then
+ copy_file terminfo "$d/l/linux" || RV=$?
+ fi
+ break
+ fi
+done
+
+exit $RV
diff --git a/debian/initramfs/hooks/cryptkeyctl b/debian/initramfs/hooks/cryptkeyctl
new file mode 100644
index 0000000..5ae6ae8
--- /dev/null
+++ b/debian/initramfs/hooks/cryptkeyctl
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case "$1" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+# Hooks for loading keyctl software into the initramfs
+
+# Check whether cryptroot hook has installed decrypt_keyctl script
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_keyctl" ]; then
+ exit 0
+fi
+
+copy_exec /lib/cryptsetup/askpass
+copy_exec /bin/keyctl
+exit 0
diff --git a/debian/initramfs/hooks/cryptopensc b/debian/initramfs/hooks/cryptopensc
new file mode 100644
index 0000000..e0c5167
--- /dev/null
+++ b/debian/initramfs/hooks/cryptopensc
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case "$1" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /lib/cryptsetup/functions
+
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_opensc" ] || [ ! -f "$TABFILE" ]; then
+ exit 0
+fi
+
+# Hooks for loading smartcard reading software into the initramfs
+copy_keys() {
+ crypttab_parse_options
+ if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_opensc" ]; then
+ if [ -f "$CRYPTTAB_KEY" ]; then
+ [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
+ else
+ cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+ RV=1
+ fi
+ fi
+}
+
+RV=0
+crypttab_foreach_entry copy_keys
+
+# Install directories needed by smartcard reading daemon, command, and
+# key-script
+mkdir -p -- "$DESTDIR/etc/opensc" "$DESTDIR/usr/lib/pcsc" "$DESTDIR/var/run" "$DESTDIR/tmp"
+
+# Install pcscd daemon, drivers, conf file
+copy_exec /usr/sbin/pcscd
+
+cp -rt "$DESTDIR/usr/lib" /usr/lib/pcsc
+cp -t "$DESTDIR/etc" /etc/reader.conf || true
+cp -t "$DESTDIR/etc" /etc/libccid_Info.plist
+
+for so in $(ldconfig -p | sed -nr 's/^\s*(libusb-[0-9.-]+|libpcsclite)\.so\.[0-9]+\s.*=>\s*//p'); do
+ copy_exec "$so"
+done
+
+# Install opensc commands and conf file
+copy_exec /usr/bin/opensc-tool
+copy_exec /usr/bin/pkcs15-crypt
+cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf
+
+exit $RV
diff --git a/debian/initramfs/hooks/cryptpassdev b/debian/initramfs/hooks/cryptpassdev
new file mode 100644
index 0000000..54492f0
--- /dev/null
+++ b/debian/initramfs/hooks/cryptpassdev
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case "$1" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+# Hooks for adding filesystem modules to the initramfs when the passdev
+# keyscript is used
+
+# Check whether the passdev script has been included
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/passdev" ]; then
+ exit 0
+fi
+
+# The filesystem type of the removable device is probed at boot-time, so
+# we add a generous list of filesystems to include. This also helps with
+# recovery situation as including e.g. the vfat module might help a user
+# who needs to create a new cryptkey (using a backup of a keyfile) on
+# a windows-machine for example.
+
+# This list needs to be kept in sync with the one defined in passdev.c
+manual_add_modules ext4 ext3 ext2 vfat btrfs reiserfs xfs jfs ntfs iso9660 udf
+exit 0
+
diff --git a/debian/initramfs/hooks/cryptroot b/debian/initramfs/hooks/cryptroot
new file mode 100644
index 0000000..c16f7c2
--- /dev/null
+++ b/debian/initramfs/hooks/cryptroot
@@ -0,0 +1,406 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case "$1" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /lib/cryptsetup/functions
+TABFILE="/etc/crypttab"
+
+
+# crypttab_find_and_print_entry($target)
+# Find the crypttab(5) entry for the given (unmangled) $target and
+# print it - preserving the mangling - to FD nr. 3; but only if the
+# target has not already been processed during an earlier function
+# call. (Processed target names are stored in
+# $DESTDIR/cryptroot/targets.)
+# Return 0 on success, 1 on error.
+crypttab_find_and_print_entry() {
+ local target="$1"
+ local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS
+ if ! grep -Fxqz -e "$target" -- "$DESTDIR/cryptroot/targets"; then
+ printf '%s\0' "$target" >>"$DESTDIR/cryptroot/targets"
+ crypttab_find_entry "$target" || return 1
+ crypttab_parse_options --missing-path=warn || return 1
+ crypttab_print_entry
+ fi
+}
+
+# crypttab_print_entry()
+# Print an unmangled crypttab(5) entry to FD nr. 3, using CRYPTTAB_*
+# and _CRYPTTAB_* values.
+# _CRYPTTAB_SOURCE is replaced with UUID=<uuid> if possible (eg, for
+# LUKS), unless the value starts with /dev/disk/by- or /dev/mapper/,
+# or is already a device specification (such as LABEL= or PARTUUID=).
+# If the entry uses the 'decrypt_derived' keyscript, the other
+# crypttab(5) entries it depends on are (recursively) printed before
+# hand.
+# Various checks are performed on the key and crypttab options, but no
+# parsing is done so it's the responsibility of the caller to call
+# crypttab_parse_options().
+# Return 0 on success, 1 on error.
+crypttab_print_entry() {
+ local DEV MAJ MIN uuid keyfile
+ if _resolve_device "$CRYPTTAB_SOURCE"; then
+ if [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch"
+ elif [ "${_CRYPTTAB_SOURCE#[A-Za-z]*=}" = "$_CRYPTTAB_SOURCE" ] && \
+ [ "${CRYPTTAB_SOURCE#/dev/disk/by-}" = "$CRYPTTAB_SOURCE" ] && \
+ [ "${CRYPTTAB_SOURCE#/dev/mapper/}" = "$CRYPTTAB_SOURCE" ] && \
+ uuid="$(_device_uuid "$DEV")"; then
+ _CRYPTTAB_SOURCE="UUID=$uuid"
+ fi
+ # on failure _resolve_device() prints a warning and we try our
+ # luck with the unchanged _CRYPTTAB_SOURCE value
+ fi
+
+ # if keyscript is set, the "key" is just an argument to the script
+ if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
+ crypttab_key_check || return 1
+ case "$CRYPTTAB_KEY" in
+ $KEYFILE_PATTERN)
+ mkdir -pm0700 -- "$DESTDIR/cryptroot/keyfiles"
+ # $CRYPTTAB_NAME can't contain '/' (even after unmangling)
+ keyfile="/cryptroot/keyfiles/$CRYPTTAB_NAME.key"
+ if [ ! -f "$DESTDIR$keyfile" ] && ! copy_file keyfile "$CRYPTTAB_KEY" "$keyfile"; then
+ cryptsetup_message "WARNING: couldn't copy keyfile $CRYPTTAB_KEY"
+ fi
+ _CRYPTTAB_KEY="/cryptroot/keyfiles/$_CRYPTTAB_NAME.key" # preserve mangled name
+ ;;
+ *)
+ if [ "$usage" = rootfs ]; then
+ cryptsetup_message "WARNING: Skipping root target $CRYPTTAB_NAME: uses a key file"
+ return 1
+ elif [ "$usage" = resume ]; then
+ cryptsetup_message "WARNING: Resume target $CRYPTTAB_NAME uses a key file"
+ fi
+ if [ -L "$CRYPTTAB_KEY" ] && keyfile="$(readlink -- "$CRYPTTAB_KEY")" &&
+ [ "${keyfile#/}" != "$keyfile" ]; then
+ cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is a symlink with absolute target"
+ return 1
+ elif [ -f "$CRYPTTAB_KEY" ] && [ "$(stat -L -c"%m" -- "$CRYPTTAB_KEY" 2>/dev/null)" != "/" ]; then
+ cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is not on the root FS"
+ return 1
+ fi
+ if [ ! -e "$CRYPTTAB_KEY" ]; then
+ cryptsetup_message "WARNING: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+ else
+ _CRYPTTAB_KEY="/FIXME-initramfs-rootmnt$_CRYPTTAB_KEY" # preserve mangled name
+ fi
+ esac
+ fi
+
+ if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ]; then
+ copy_exec "$CRYPTTAB_OPTION_keyscript"
+ elif [ "$CRYPTTAB_KEY" = "none" ]; then
+ ASKPASS="y"
+ fi
+ if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_derived" ]; then
+ # (recursively) list first the device to derive the key from (so
+ # the boot scripts unlock it first); since _CRYPTTAB_* are local
+ # to crypttab_find_and_print_entry() the new value won't
+ # override the new ones
+ crypttab_find_and_print_entry "$CRYPTTAB_KEY"
+ fi
+ printf '%s %s %s %s\n' \
+ "$_CRYPTTAB_NAME" "$_CRYPTTAB_SOURCE" "$_CRYPTTAB_KEY" "$_CRYPTTAB_OPTIONS" >&3
+}
+
+# get_resume_devno()
+# Return the device ID(s) used for system suspend/hibernate.
+get_resume_devno() {
+ local dev filename
+
+ # uswsusp
+ for filename in /etc/uswsusp.conf /etc/suspend.conf; do
+ [ -e "$filename" ] || continue
+ dev="$(sed -nr '/^resume device\s*[:=]\s*/ {s///p;q}' "$filename")"
+ if [ -n "$dev" ] && [ "$dev" != "<path_to_resume_device_file>" ]; then
+ # trim quotes
+ dev="$(printf '%s' "$dev" | sed -re 's/^"(.*)"\s*$/\1/' -e "s/^'(.*)'\\s*$/\\1/")"
+ _print_devno "$(printf '%b' "$dev")" # unmangle
+ fi
+ done
+
+ # regular swsusp
+ dev="$(sed -nr 's,^(.*\s)?resume=(\S+)(\s.*)?$,\2,p' /proc/cmdline)"
+ _print_devno "$(printf '%b' "$dev")" # unmangle
+
+ # initramfs-tools >=0.129
+ dev="${RESUME:-auto}"
+ if [ "$dev" != none ]; then
+ if [ "$dev" = auto ]; then
+ # next line from /usr/share/initramfs-tools/hooks/resume
+ dev="$(grep ^/dev/ /proc/swaps | sort -rnk3 | head -n 1 | cut -d " " -f 1)"
+ fi
+ _print_devno "$(printf '%b' "$dev")" # unmangle
+ fi
+}
+_print_devno() {
+ local DEV MAJ MIN # locally scope the 3 variables _resolve_device() sets
+ if [ -n "$1" ] && _resolve_device "$1"; then
+ printf '%d:%d\n' "$MAJ" "$MIN"
+ fi
+}
+
+# crypttab_print_initramfs_entry()
+# Print a crypttab(5) entry - unless it was already processed - if it
+# has the 'initramfs' option set.
+crypttab_print_initramfs_entry() {
+ local usage=
+ if ! grep -Fxqz -e "$CRYPTTAB_NAME" -- "$DESTDIR/cryptroot/targets" &&
+ crypttab_parse_options --quiet &&
+ [ "${CRYPTTAB_OPTION_initramfs-no}" = "yes" ]; then
+ printf '%s\0' "$CRYPTTAB_NAME" >>"$DESTDIR/cryptroot/targets"
+ crypttab_print_entry
+ fi
+}
+
+# generate_initrd_crypttab()
+# Generate the crypttab(5) snippet that is relevant at initramfs
+# stage. (Devices that aren't required at initramfs stage are
+# ignored.)
+generate_initrd_crypttab() {
+ local devnos usage IFS="$(printf '\t\n ')"
+ mkdir -- "$DESTDIR/cryptroot"
+ true >"$DESTDIR/cryptroot/targets"
+
+ {
+ if devnos="$(get_mnt_devno /)"; then
+ usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
+ else
+ cryptsetup_message "WARNING: Couldn't determine root device"
+ fi
+
+ if devnos="$(get_resume_devno)"; then
+ usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
+ fi
+
+ if devnos="$(get_mnt_devno /usr)"; then
+ usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
+ fi
+
+ # add crypttab entries with the 'initramfs' option set
+ crypttab_foreach_entry crypttab_print_initramfs_entry
+ } 3>"$DESTDIR/cryptroot/crypttab"
+ rm -f "$DESTDIR/cryptroot/targets"
+}
+
+# populate_CRYPTO_HASHES()
+# Find out which crypto hashes are required for a crypttab(5) entry,
+# and append them to the CRYPTO_HASHES variable.
+populate_CRYPTO_HASHES() {
+ local hash source newline="
+"
+
+ if crypttab_parse_options --quiet && [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
+ source="$CRYPTTAB_OPTION_header"
+ else
+ source="$(_resolve_device_spec "$CRYPTTAB_SOURCE")" || source=""
+ fi
+
+ if [ ! -e "$source" ]; then
+ # missing source device or detached header, can't determine hashing function(s)
+ hash="@@UNKNOWN@@"
+ elif [ "$CRYPTTAB_TYPE" = "luks" ]; then
+ # using --dump-json-metadata would be more robust for LUKS2 but
+ # we also have to support LUKS1 hence have to parse luksDump output
+ hash="$(/sbin/cryptsetup luksDump -- "$source" | sed -nr 's/^\s*(AF hash|Hash|Hash spec)\s*:\s*//Ip')"
+ elif [ "$CRYPTTAB_TYPE" = "plain" ]; then
+ # --hash is being ignored when opening via key file
+ if [ "$CRYPTTAB_KEY" = "none" ] && [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then
+ hash="${CRYPTTAB_OPTION_hash-ripemd160}" # default password hashing as of cryptsetup 2.5
+ fi
+ else
+ hash="" # or hash="@@UNKNOWN@@"?
+ fi
+
+ if [ -n "$hash" ]; then
+ CRYPTO_HASHES="${CRYPTO_HASHES:+$CRYPTO_HASHES$newline}$hash"
+ fi
+}
+
+# populate_CRYPTO_MODULES()
+# Find out which crypto modules are required for a crypttab(5) entry,
+# and append them to the CRYPTO_MODULES variable.
+populate_CRYPTO_MODULES() {
+ local cipher iv
+
+ # cf. dmsetup(8) and https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
+ cipher="$(dmsetup table --target crypt -- "$CRYPTTAB_NAME" | cut -d' ' -f4)"
+ if [ -z "$cipher" ]; then
+ cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME"
+ elif [ "${cipher#capi:}" = "$cipher" ]; then
+ # direct specification "cipher[:keycount]-chainmode-ivmode[:ivopts]"
+ CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%%[-:]*}" # cipher
+ cipher="${cipher#"${cipher%%-*}-"}" # chainmode-ivmode[:ivopts]"
+ CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%-*}" # chainmode
+ iv="${cipher##*-}" # ivmode[:ivopts]"
+ CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv%%:*}" # ivmode
+ if [ "${iv#*:}" != "$iv" ]; then
+ CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv#*:}" # ivopts
+ fi
+ else
+ # kernel crypto API format "capi:cipher_api_spec-ivmode[:ivopts]", since linux 4.12
+ cipher="${cipher#capi:}"
+ cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME" \
+ "(kernel crypto API format isn't supported yet)"
+ fi
+}
+
+# add_modules($glob, $moduledir, [$moduledir ..])
+# Add modules matching under the given $moduledir(s), the name of
+# which matching $glob.
+# Return 0 if any module was found found, 1 if not.
+add_modules() {
+ local glob="$1" found=n
+ shift
+ for mod in $(find -H "$@" -name "$glob.ko*" -type f -printf '%f\n'); do
+ manual_add_modules "${mod%%.*}"
+ found=y
+ done
+ [ "$found" = y ] && return 0 || return 1
+}
+
+# add_crypto_modules($name, [$name ..])
+# Determine kernel module name and add to initramfs.
+add_crypto_modules() {
+ local mod
+ for mod in "$@"; do
+ # We have several potential sources of modules (in order of preference):
+ #
+ # a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
+ # b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
+ # c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
+ #
+ # and (currently ignored):
+ #
+ # d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko
+ add_modules "$mod-*" "$MODULESDIR"/kernel/arch/*/crypto || true
+ add_modules "${mod}_generic" "$MODULESDIR/kernel/crypto" \
+ || add_modules "$mod" "$MODULESDIR/kernel/crypto" \
+ || true
+ done
+}
+
+# copy_libssl_legacy_library()
+# Copy ossl-modules/legacy.so (from libssl library) to initramfs if needed.
+# OpenSSL 3.0 moved support for some crypto hashes into legacy.so.
+# See https://launchpad.net/bugs/1979159
+copy_libssl_legacy_library() {
+ local libcryptodir CRYPTO_HASHES=""
+
+ libcryptodir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libcrypto\.so\..*/ {s//\1/p;q}')"
+ [ -d "$libcryptodir" ] || return
+
+ crypttab_foreach_entry populate_CRYPTO_HASHES
+ # See https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html#Hashing-Algorithms-Message-Digests
+ if printf '%s\n' "$CRYPTO_HASHES" | grep -Fxq -e @@UNKNOWN@@ -e ripemd160 -e whirlpool; then
+ # legacy hashes are used so legacy.so needs to be copied to the initramfs
+ # (assume ossl-modules/legacy.so is relative to the linked libcrypto.so)
+ copy_exec "$libcryptodir/ossl-modules/legacy.so" || true
+ fi
+}
+
+# See #1032221: newer libargon2 are built with glibc ≥2.34 hence no
+# longer links libpthread. This in turns means that initramfs-tool's
+# copy_exec() is no longer able to detect pthread_*() need and thus
+# doesn't copy libgcc_s.so anymore. So we need to do it manually
+# instead.
+copy_libgcc_argon2() {
+ local libdir rv=0
+ libdir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libargon2\.so\..*/ {s//\1/p;q}')"
+ copy_libgcc "$libdir" || rv=$?
+ if [ $rv -ne 0 ]; then
+ # merged-/usr mismatch, see #1032518
+ if [ "${libdir#/usr/}" != "$libdir" ]; then
+ libdir="${libdir#/usr}"
+ else
+ libdir="/usr/${libdir#/}"
+ fi
+ copy_libgcc "$libdir" && rv=0 || rv=$?
+ fi
+ return $rv
+}
+
+
+#######################################################################
+# Begin real processing
+
+unset -v ASKPASS KEYFILE_PATTERN
+ASKPASS="y"
+KEYFILE_PATTERN=
+
+# Load the hook config
+if [ -f "/etc/cryptsetup-initramfs/conf-hook" ]; then
+ . /etc/cryptsetup-initramfs/conf-hook
+fi
+
+if [ -n "$KEYFILE_PATTERN" ]; then
+ case "${UMASK:-$(umask)}" in
+ 0[0-7]77) ;;
+ *) cryptsetup_message "WARNING: Permissive UMASK (${UMASK:-$(umask)})." \
+ "Private key material within the initrd might be left unprotected."
+ ;;
+ esac
+fi
+
+CRYPTO_MODULES=
+if [ -r "$TABFILE" ]; then
+ generate_initrd_crypttab
+ TABFILE="$DESTDIR/cryptroot/crypttab"
+ crypttab_foreach_entry populate_CRYPTO_MODULES
+ copy_libssl_legacy_library
+fi
+
+# add required components
+manual_add_modules dm_mod
+manual_add_modules dm_crypt
+
+copy_exec /sbin/cryptsetup
+copy_exec /sbin/dmsetup
+copy_libgcc_argon2
+
+[ "$ASKPASS" = n ] || copy_exec /lib/cryptsetup/askpass
+
+# We need sed. Either via busybox or as standalone binary.
+if [ "$BUSYBOX" = n ] || [ -z "$BUSYBOXDIR" ]; then
+ copy_exec /bin/sed
+fi
+
+# detect whether the host CPU has AES-NI support
+if grep -Eq '^flags\s*:(.*\s)?aes(\s.*)?$' /proc/cpuinfo; then
+ CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }aesni"
+else
+ # workaround for #883595/#901884 (xts depends on ecb)
+ CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }ecb"
+fi
+
+# add userspace crypto module (only required for opening LUKS2 devices
+# we add the module unconditionally as it's the default format)
+CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }algif_skcipher"
+
+if [ "$MODULES" = most ]; then
+ for d in "$MODULESDIR"/kernel/arch/*/crypto; do
+ copy_modules_dir "${d#"$MODULESDIR/"}"
+ done
+ copy_modules_dir "kernel/crypto"
+else
+ if [ "$MODULES" != "dep" ]; then
+ # with large initramfs, we always add a basic subset of modules
+ add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts
+ fi
+ add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | sort -u)
+fi
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
diff --git a/debian/initramfs/hooks/cryptroot-unlock b/debian/initramfs/hooks/cryptroot-unlock
new file mode 100644
index 0000000..06fe976
--- /dev/null
+++ b/debian/initramfs/hooks/cryptroot-unlock
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+prereqs()
+{
+ # cryptroot-unlock needs to be run last among crypt* since other hooks might include askpass
+ local req script
+ for req in "${0%/*}"/crypt*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+
+case "$1" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+if [ ! -f "$DESTDIR/lib/cryptsetup/askpass" ]; then
+ # cryptroot-unlock is useless without askpass
+ exit 0
+fi
+
+. /usr/share/initramfs-tools/hook-functions
+if [ ! -f "$DESTDIR/bin/cryptroot-unlock" ] &&
+ ! copy_file script /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock /bin/cryptroot-unlock; then
+ echo "ERROR: Couldn't copy /bin/cryptroot-unlock" >&2
+ exit 1
+fi
+
+if [ -f /etc/initramfs-tools/etc/motd ]; then
+ copy_file text /etc/initramfs-tools/etc/motd /etc/motd
+else
+ cat >>"$DESTDIR/etc/motd" <<- EOF
+ To unlock root partition, and maybe others like swap, run \`cryptroot-unlock\`.
+ EOF
+fi
diff --git a/debian/initramfs/scripts/local-block/cryptroot b/debian/initramfs/scripts/local-block/cryptroot
new file mode 100644
index 0000000..89c2b1c
--- /dev/null
+++ b/debian/initramfs/scripts/local-block/cryptroot
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+ echo $PREREQ
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+if [ -x /scripts/local-top/cryptroot ]; then
+ export CRYPTROOT_STAGE="local-block"
+ exec /scripts/local-top/cryptroot
+fi
diff --git a/debian/initramfs/scripts/local-bottom/cryptgnupg-sc b/debian/initramfs/scripts/local-bottom/cryptgnupg-sc
new file mode 100644
index 0000000..47be70b
--- /dev/null
+++ b/debian/initramfs/scripts/local-bottom/cryptgnupg-sc
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs() {
+ echo "$PREREQ"
+}
+
+case $1 in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+if [ -x /usr/bin/gpgconf ] && [ -d "/cryptroot/gnupghome" ]; then
+ gpgconf --homedir="/cryptroot/gnupghome" --kill all
+fi
diff --git a/debian/initramfs/scripts/local-bottom/cryptopensc b/debian/initramfs/scripts/local-bottom/cryptopensc
new file mode 100644
index 0000000..4de8f48
--- /dev/null
+++ b/debian/initramfs/scripts/local-bottom/cryptopensc
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+set -e
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+# Hook for stopping smartcard reading software
+
+if [ ! -x /usr/sbin/pcscd ]; then
+ exit 0
+fi
+
+. /scripts/functions
+
+if PID="$(cat /run/pcscd.pid)" 2>/dev/null &&
+ [ "$(readlink -f "/proc/$PID/exe")" = "/usr/sbin/pcscd" ]; then
+ log_begin_msg "Stopping pcscd"
+ kill -TERM "$PID"
+ log_end_msg
+fi
diff --git a/debian/initramfs/scripts/local-bottom/cryptroot b/debian/initramfs/scripts/local-bottom/cryptroot
new file mode 100644
index 0000000..945739f
--- /dev/null
+++ b/debian/initramfs/scripts/local-bottom/cryptroot
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+# If we reached this stage, we do have a rootfs mounted
+# so let's clean-up cryptroot setup mess...
+[ -f /lib/cryptsetup/functions ] || return 0
+. /lib/cryptsetup/functions
+
+rm -f -- "$CRYPTROOT_COUNT_FILE"
diff --git a/debian/initramfs/scripts/local-top/cryptopensc b/debian/initramfs/scripts/local-top/cryptopensc
new file mode 100644
index 0000000..344acc6
--- /dev/null
+++ b/debian/initramfs/scripts/local-top/cryptopensc
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+# Hook for starting smartcard reading software
+
+if [ ! -x /usr/sbin/pcscd ]; then
+ exit 0
+fi
+
+. /scripts/functions
+
+# Start pcscd daemon normally:
+# start-stop-daemon --start --quiet \
+# --pidfile /run/pcscd.pid \
+# --exec /usr/sbin/pcscd
+# Alternatively, start pcscd daemon in foreground so that it's pretty colored
+# output may be seen on the console, useful for watching error messages since
+# pcscd uses syslog which is not available (use --error or --critical to filter
+# out debug message clutter):
+# /usr/sbin/pcscd --error --foreground &
+/usr/sbin/pcscd --foreground &
+echo $! >/run/pcscd.pid
diff --git a/debian/initramfs/scripts/local-top/cryptroot b/debian/initramfs/scripts/local-top/cryptroot
new file mode 100644
index 0000000..90b521b
--- /dev/null
+++ b/debian/initramfs/scripts/local-top/cryptroot
@@ -0,0 +1,239 @@
+#!/bin/sh
+
+PREREQ="cryptroot-prepare"
+
+#
+# Standard initramfs preamble
+#
+prereqs()
+{
+ # Make sure that cryptroot is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+
+[ -f /lib/cryptsetup/functions ] || return 0
+. /lib/cryptsetup/functions
+
+
+# wait_for_source()
+# Wait for encrypted $CRYPTTAB_SOURCE . Set $CRYPTTAB_SOURCE
+# to its normalized device name when it shows up;
+# return 1 if timeout.
+wait_for_source() {
+ wait_for_udev 10
+
+ if crypttab_resolve_source; then
+ # the device is here already, no need to loop
+ return 0
+ fi
+
+ # If the source device hasn't shown up yet, give it a little while
+ # to allow for asynchronous device discovery (e.g. USB).
+ #
+ # We also need to take into account RAID or other devices that may
+ # only be available on local-block stage. So, wait 5 seconds upfront,
+ # in local-top; if that fails, end execution relying on local-block
+ # invocations. Allow $ROOTDELAY/4 invocations with 1s sleep times (with
+ # a minimum of 20 invocations), and if after that we still fail, then it's
+ # really time to give-up. Variable $initrd_cnt tracks the re-invocations.
+ #
+ # Part of the lines below has been taken from initramfs-tools
+ # scripts/local's local_device_setup(), as suggested per
+ # https://launchpad.net/bugs/164044 .
+
+ local slumber=5
+ if [ "${CRYPTROOT_STAGE-}" = "local-block" ]; then
+ slumber=1
+ fi
+
+ cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..."
+
+ while [ $slumber -gt 0 ]; do
+ sleep 1
+
+ if crypttab_resolve_source; then
+ wait_for_udev 10
+ return 0
+ fi
+
+ slumber=$(( $slumber - 1 ))
+ done
+ return 1
+}
+
+# setup_mapping()
+# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME,
+# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS.
+setup_mapping() {
+ local dev initrd_cnt
+
+ # We control here the number of re-invocations of this script from
+ # local-block - the heuristic is $ROOTDELAY/4, with a minimum of 20.
+
+ if [ -f "$CRYPTROOT_COUNT_FILE" ]; then
+ initrd_cnt="$(cat <"$CRYPTROOT_COUNT_FILE")"
+ else
+ initrd_cnt="${ROOTDELAY:-180}"
+ initrd_cnt=$(( initrd_cnt/4 ))
+ if [ $initrd_cnt -lt 20 ]; then
+ initrd_cnt=20
+ fi
+ echo "$initrd_cnt" >"$CRYPTROOT_COUNT_FILE"
+ fi
+
+ # The same target can be specified multiple times
+ # e.g. root and resume lvs-on-lvm-on-crypto
+ if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
+ return 0
+ fi
+
+ crypttab_parse_options --export --missing-path=fail || return 1
+
+ if ! wait_for_source; then
+ if [ $initrd_cnt -eq 0 ]; then
+ # we've given up
+ if [ -n "$panic" ]; then
+ panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
+ else
+ # let the user fix matters if they can
+ echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
+ echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
+ echo " or missing modules, devices: cat /proc/modules; ls /dev"
+ panic "Dropping to a shell."
+ fi
+ return 1 # can't continue because environment is lost
+ else
+ initrd_cnt=$(( initrd_cnt - 1 ))
+ echo "$initrd_cnt" >"$CRYPTROOT_COUNT_FILE"
+ return 0 # allow some attempts on local-block stage
+ fi
+ fi
+
+ # our `cryptroot-unlock` script searches for cryptsetup processes
+ # with a given CRYPTTAB_NAME it their environment
+ export CRYPTTAB_NAME
+
+ if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then
+ # no keyscript: interactive unlocking, or key file
+
+ if [ "${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" != "$CRYPTTAB_KEY" ]; then
+ # skip the mapping for now if the root FS is not mounted yet
+ sed -rn 's/^\s*[^#[:blank:]]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq -- "$rootmnt" || return 1
+ # substitute the "/FIXME-initramfs-rootmnt/" prefix by the real root FS mountpoint otherwise
+ CRYPTTAB_KEY="$rootmnt/${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}"
+ fi
+
+ if [ "$CRYPTTAB_KEY" != "none" ]; then
+ if [ ! -e "$CRYPTTAB_KEY" ]; then
+ cryptsetup_message "ERROR: Skipping target $CRYPTTAB_NAME: non-existing key file $CRYPTTAB_KEY"
+ return 1
+ fi
+ # try only once if we have a key file
+ CRYPTTAB_OPTION_tries=1
+ fi
+ fi
+
+ local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv
+ while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do
+ if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
+ # unlock via keyfile
+ unlock_mapping "$CRYPTTAB_KEY"
+ else
+ # unlock interactively or via keyscript
+ run_keyscript "$count" | unlock_mapping
+ fi
+ rv=$?
+ count=$(( $count + 1 ))
+
+ if [ $rv -ne 0 ]; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: cryptsetup failed, bad password or options?"
+ sleep 1
+ continue
+ elif ! dev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown error setting up device mapping"
+ return 1
+ fi
+
+ if ! fstype="$(get_fstype "$dev")" || [ "$fstype" = "unknown" ]; then
+ if [ "$CRYPTTAB_TYPE" != "luks" ]; then
+ # bad password for plain dm-crypt device? or mkfs not run yet?
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown fstype, bad password or options?"
+ wait_for_udev 10
+ /sbin/cryptsetup remove -- "$CRYPTTAB_NAME"
+ sleep 1
+ continue
+ fi
+ fi
+
+ cryptsetup_message "$CRYPTTAB_NAME: set up successfully"
+ wait_for_udev 10
+ return 0
+ done
+
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded"
+ exit 1
+}
+
+
+#######################################################################
+# Begin real processing
+
+mkdir -p /cryptroot # might not exist yet if the main system has no crypttab(5)
+
+# Do we have any kernel boot arguments?
+if ! grep -qE '^(.*\s)?cryptopts=' /proc/cmdline; then
+ # ensure $TABFILE exists and has a mtime greater than the boot time
+ # (existing $TABFILE is preserved)
+ touch -- "$TABFILE"
+else
+ # let the read builtin unescape the '\' as GRUB substitutes '\' by '\\' in the cmdline
+ tr ' ' '\n' </proc/cmdline | sed -n 's/^cryptopts=//p' | while IFS= read cryptopts; do
+ # skip empty values (which can be used to disable the initramfs
+ # scripts for a particular boot, cf. #873840)
+ [ -n "$cryptopts" ] || continue
+ unset -v target source key options
+
+ IFS=","
+ for x in $cryptopts; do
+ case "$x" in
+ target=*) target="${x#target=}";;
+ source=*) source="${x#source=}";;
+ key=*) key="${x#key=}";;
+ *) options="${options+$options,}$x";;
+ esac
+ done
+
+ if [ -z "${source:+x}" ]; then
+ cryptsetup_message "ERROR: Missing source= value in kernel parameter cryptopts=$cryptopts"
+ else
+ # preserve mangling
+ printf '%s %s %s %s\n' "${target:-cryptroot}" "$source" "${key:-none}" "${options-}"
+ fi
+ done >"$TABFILE"
+fi
+
+# Do we have any settings from the $TABFILE?
+if [ -s "$TABFILE" ]; then
+ # Create locking directory before invoking cryptsetup(8) to avoid warnings
+ mkdir -pm0700 /run/cryptsetup
+ modprobe -q dm_crypt
+
+ crypttab_foreach_entry setup_mapping
+fi
+
+exit 0
diff --git a/debian/libcryptsetup-dev.docs b/debian/libcryptsetup-dev.docs
new file mode 100644
index 0000000..8806d7b
--- /dev/null
+++ b/debian/libcryptsetup-dev.docs
@@ -0,0 +1 @@
+docs/examples
diff --git a/debian/libcryptsetup-dev.install b/debian/libcryptsetup-dev.install
new file mode 100644
index 0000000..edf075c
--- /dev/null
+++ b/debian/libcryptsetup-dev.install
@@ -0,0 +1,3 @@
+lib/${DEB_HOST_MULTIARCH}/*.so
+lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc /usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/
+usr/include/*.h
diff --git a/debian/libcryptsetup12-udeb.install b/debian/libcryptsetup12-udeb.install
new file mode 100644
index 0000000..db6f744
--- /dev/null
+++ b/debian/libcryptsetup12-udeb.install
@@ -0,0 +1 @@
+lib/${DEB_HOST_MULTIARCH}/*.so.*
diff --git a/debian/libcryptsetup12.install b/debian/libcryptsetup12.install
new file mode 100644
index 0000000..db6f744
--- /dev/null
+++ b/debian/libcryptsetup12.install
@@ -0,0 +1 @@
+lib/${DEB_HOST_MULTIARCH}/*.so.*
diff --git a/debian/libcryptsetup12.lintian-overrides b/debian/libcryptsetup12.lintian-overrides
new file mode 100644
index 0000000..fc6d52e
--- /dev/null
+++ b/debian/libcryptsetup12.lintian-overrides
@@ -0,0 +1,3 @@
+# See reasoning at #843932 ('dev-pkg-without-shlib-symlink' was renamed
+# to 'lacks-unversioned-link-to-shared-library')
+lacks-unversioned-link-to-shared-library example: usr/lib/x86_64-linux-gnu/libcryptsetup.so [lib/x86_64-linux-gnu/libcryptsetup.so.12.*]
diff --git a/debian/libcryptsetup12.symbols b/debian/libcryptsetup12.symbols
new file mode 100644
index 0000000..f124910
--- /dev/null
+++ b/debian/libcryptsetup12.symbols
@@ -0,0 +1,139 @@
+libcryptsetup.so.12 libcryptsetup12 #MINVER#
+* Build-Depends-Package: libcryptsetup-dev
+ CRYPTSETUP_2.0@CRYPTSETUP_2.0 2:2.0
+ CRYPTSETUP_2.4@CRYPTSETUP_2.4 2:2.4
+ CRYPTSETUP_2.5@CRYPTSETUP_2.5 2:2.5
+ CRYPTSETUP_2.6@CRYPTSETUP_2.6 2:2.6
+ crypt_activate_by_keyfile@CRYPTSETUP_2.0 2:1.4
+ crypt_activate_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
+ crypt_activate_by_keyring@CRYPTSETUP_2.0 2:2.0
+ crypt_activate_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1
+ crypt_activate_by_passphrase@CRYPTSETUP_2.0 2:1.4
+ crypt_activate_by_signed_key@CRYPTSETUP_2.0 2:2.3
+ crypt_activate_by_token@CRYPTSETUP_2.0 2:2.0
+ crypt_activate_by_token_pin@CRYPTSETUP_2.4 2:2.4
+ crypt_activate_by_volume_key@CRYPTSETUP_2.0 2:1.4
+ crypt_keyslot_add_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1
+ crypt_benchmark@CRYPTSETUP_2.0 2:1.6
+ crypt_benchmark_pbkdf@CRYPTSETUP_2.0 2:2.0
+ crypt_convert@CRYPTSETUP_2.0 2:2.0
+ crypt_deactivate@CRYPTSETUP_2.0 2:1.4
+ crypt_deactivate_by_name@CRYPTSETUP_2.0 2:2.0
+ crypt_dump@CRYPTSETUP_2.0 2:1.4
+ crypt_dump_json@CRYPTSETUP_2.4 2:2.4
+ crypt_format@CRYPTSETUP_2.0 2:1.4
+ crypt_format@CRYPTSETUP_2.4 2:2.4
+ crypt_free@CRYPTSETUP_2.0 2:1.4
+ crypt_get_active_device@CRYPTSETUP_2.0 2:1.4
+ crypt_get_active_integrity_failures@CRYPTSETUP_2.0 2:2.0.3
+ crypt_get_cipher@CRYPTSETUP_2.0 2:1.4
+ crypt_get_cipher_mode@CRYPTSETUP_2.0 2:1.4
+ crypt_get_compatibility@CRYPTSETUP_2.0 2:2.3
+ crypt_get_data_offset@CRYPTSETUP_2.0 2:1.4
+ crypt_get_default_type@CRYPTSETUP_2.0 2:2.1
+ crypt_get_device_name@CRYPTSETUP_2.0 2:1.4
+ crypt_get_dir@CRYPTSETUP_2.0 2:1.4
+ crypt_get_integrity_info@CRYPTSETUP_2.0 2:2.0
+ crypt_get_iv_offset@CRYPTSETUP_2.0 2:1.4
+ crypt_get_label@CRYPTSETUP_2.5 2:2.5
+ crypt_get_metadata_device_name@CRYPTSETUP_2.0 2:2.1
+ crypt_get_metadata_size@CRYPTSETUP_2.0 2:2.1
+ crypt_get_pbkdf_default@CRYPTSETUP_2.0 2:2.0.3
+ crypt_get_pbkdf_type@CRYPTSETUP_2.0 2:2.0
+ crypt_get_pbkdf_type_params@CRYPTSETUP_2.0 2:2.1
+ crypt_get_rng_type@CRYPTSETUP_2.0 2:1.4
+ crypt_get_sector_size@CRYPTSETUP_2.0 2:2.0
+ crypt_get_subsystem@CRYPTSETUP_2.5 2:2.5
+ crypt_get_type@CRYPTSETUP_2.0 2:1.4
+ crypt_get_uuid@CRYPTSETUP_2.0 2:1.4
+ crypt_get_verity_info@CRYPTSETUP_2.0 2:1.5
+ crypt_get_volume_key_size@CRYPTSETUP_2.0 2:1.4
+ crypt_header_backup@CRYPTSETUP_2.0 2:1.4
+ crypt_header_is_detached@CRYPTSETUP_2.4 2:2.4
+ crypt_header_restore@CRYPTSETUP_2.0 2:1.4
+ crypt_init@CRYPTSETUP_2.0 2:1.4
+ crypt_init_by_name@CRYPTSETUP_2.0 2:1.4
+ crypt_init_by_name_and_header@CRYPTSETUP_2.0 2:1.4
+ crypt_init_data_device@CRYPTSETUP_2.0 2:2.1
+ crypt_keyfile_device_read@CRYPTSETUP_2.0 2:2.0.1
+ crypt_keyfile_read@CRYPTSETUP_2.0 2:2.0
+ crypt_keyslot_add_by_key@CRYPTSETUP_2.0 2:2.0
+ crypt_keyslot_add_by_keyfile@CRYPTSETUP_2.0 2:1.4
+ crypt_keyslot_add_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
+ crypt_keyslot_add_by_keyslot_context@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_add_by_passphrase@CRYPTSETUP_2.0 2:1.4
+ crypt_keyslot_add_by_volume_key@CRYPTSETUP_2.0 2:1.4
+ crypt_keyslot_area@CRYPTSETUP_2.0 2:1.6
+ crypt_keyslot_change_by_passphrase@CRYPTSETUP_2.0 2:1.6
+ crypt_keyslot_context_free@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_get_error@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_get_type@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_init_by_keyfile@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_init_by_passphrase@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_init_by_token@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_init_by_volume_key@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_set_pin@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_destroy@CRYPTSETUP_2.0 2:1.4
+ crypt_keyslot_get_encryption@CRYPTSETUP_2.0 2:2.1
+ crypt_keyslot_get_key_size@CRYPTSETUP_2.0 2:2.0.3
+ crypt_keyslot_get_pbkdf@CRYPTSETUP_2.0 2:2.1
+ crypt_keyslot_get_priority@CRYPTSETUP_2.0 2:2.0
+ crypt_keyslot_max@CRYPTSETUP_2.0 2:1.4
+ crypt_keyslot_set_encryption@CRYPTSETUP_2.0 2:2.1
+ crypt_keyslot_set_priority@CRYPTSETUP_2.0 2:2.0
+ crypt_keyslot_status@CRYPTSETUP_2.0 2:1.4
+ crypt_load@CRYPTSETUP_2.0 2:1.4
+ crypt_log@CRYPTSETUP_2.0 2:1.4
+ crypt_logf@CRYPTSETUP_2.4 2:2.4
+ crypt_memory_lock@CRYPTSETUP_2.0 2:1.4
+ crypt_metadata_locking@CRYPTSETUP_2.0 2:2.0
+ crypt_persistent_flags_get@CRYPTSETUP_2.0 2:2.0
+ crypt_persistent_flags_set@CRYPTSETUP_2.0 2:2.0
+ crypt_reencrypt@CRYPTSETUP_2.0 2:2.2
+ crypt_reencrypt_init_by_keyring@CRYPTSETUP_2.0 2:2.2
+ crypt_reencrypt_init_by_passphrase@CRYPTSETUP_2.0 2:2.2
+ crypt_reencrypt_run@CRYPTSETUP_2.4 2:2.4
+ crypt_reencrypt_status@CRYPTSETUP_2.0 2:2.2
+ crypt_repair@CRYPTSETUP_2.0 2:1.4.3
+ crypt_resize@CRYPTSETUP_2.0 2:1.4
+ crypt_resume_by_keyfile@CRYPTSETUP_2.0 2:1.4
+ crypt_resume_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1
+ crypt_resume_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
+ crypt_resume_by_passphrase@CRYPTSETUP_2.0 2:1.4
+ crypt_resume_by_token_pin@CRYPTSETUP_2.5 2:2.5
+ crypt_resume_by_volume_key@CRYPTSETUP_2.0 2:2.3
+ crypt_safe_alloc@CRYPTSETUP_2.0 2:2.3
+ crypt_safe_free@CRYPTSETUP_2.0 2:2.3
+ crypt_safe_memzero@CRYPTSETUP_2.0 2:2.3
+ crypt_safe_realloc@CRYPTSETUP_2.0 2:2.3
+ crypt_set_compatibility@CRYPTSETUP_2.0 2:2.3
+ crypt_set_confirm_callback@CRYPTSETUP_2.0 2:1.4
+ crypt_set_data_device@CRYPTSETUP_2.0 2:1.4
+ crypt_set_data_offset@CRYPTSETUP_2.0 2:2.1
+ crypt_set_debug_level@CRYPTSETUP_2.0 2:1.4
+ crypt_set_iteration_time@CRYPTSETUP_2.0 2:1.4.1
+ crypt_set_label@CRYPTSETUP_2.0 2:2.0
+ crypt_set_log_callback@CRYPTSETUP_2.0 2:1.4
+ crypt_set_metadata_size@CRYPTSETUP_2.0 2:2.1
+ crypt_set_pbkdf_type@CRYPTSETUP_2.0 2:2.0
+ crypt_set_rng_type@CRYPTSETUP_2.0 2:1.4
+ crypt_set_uuid@CRYPTSETUP_2.0 2:1.4
+ crypt_status@CRYPTSETUP_2.0 2:1.4
+ crypt_suspend@CRYPTSETUP_2.0 2:1.4
+ crypt_token_assign_keyslot@CRYPTSETUP_2.0 2:2.0
+ crypt_token_external_disable@CRYPTSETUP_2.4 2:2.4
+ crypt_token_external_path@CRYPTSETUP_2.4 2:2.4
+ crypt_token_is_assigned@CRYPTSETUP_2.0 2:2.0.2
+ crypt_token_json_get@CRYPTSETUP_2.0 2:2.0
+ crypt_token_json_set@CRYPTSETUP_2.0 2:2.0
+ crypt_token_luks2_keyring_get@CRYPTSETUP_2.0 2:2.0
+ crypt_token_luks2_keyring_set@CRYPTSETUP_2.0 2:2.0
+ crypt_token_max@CRYPTSETUP_2.4 2:2.4
+ crypt_token_register@CRYPTSETUP_2.0 2:2.0
+ crypt_token_status@CRYPTSETUP_2.0 2:2.0
+ crypt_token_unassign_keyslot@CRYPTSETUP_2.0 2:2.0
+ crypt_volume_key_get@CRYPTSETUP_2.0 2:1.4
+ crypt_volume_key_get_by_keyslot_context@CRYPTSETUP_2.6 2:2.6
+ crypt_volume_key_keyring@CRYPTSETUP_2.0 2:2.0
+ crypt_volume_key_verify@CRYPTSETUP_2.0 2:1.4
+ crypt_wipe@CRYPTSETUP_2.0 2:2.0
diff --git a/debian/not-installed b/debian/not-installed
new file mode 100644
index 0000000..22b45e1
--- /dev/null
+++ b/debian/not-installed
@@ -0,0 +1,2 @@
+lib/${DEB_HOST_MULTIARCH}/libcryptsetup.la
+lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.la
diff --git a/debian/patches/Check-for-physical-memory-available-also-in-PBKDF-benchma.patch b/debian/patches/Check-for-physical-memory-available-also-in-PBKDF-benchma.patch
new file mode 100644
index 0000000..2032283
--- /dev/null
+++ b/debian/patches/Check-for-physical-memory-available-also-in-PBKDF-benchma.patch
@@ -0,0 +1,74 @@
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 3 Apr 2023 13:31:16 +0200
+Subject: Check for physical memory available also in PBKDF benchmark.
+
+Origin: https://gitlab.com/cryptsetup/cryptsetup/-/commit/7893c33d71cde09e240234c484c6c468f22c2fe7
+Bug: https://gitlab.com/cryptsetup/cryptsetup/-/issues/802#note_1328592911
+Bug-Debian: https://bugs.debian.org/1028250
+---
+ lib/internal.h | 1 +
+ lib/utils_benchmark.c | 9 +++++++++
+ lib/utils_pbkdf.c | 4 ++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/internal.h b/lib/internal.h
+index 98095fa..f261cae 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -89,6 +89,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
+ struct crypt_pbkdf_type *pbkdf,
+ size_t volume_key_size);
+ const char *crypt_get_cipher_spec(struct crypt_device *cd);
++uint32_t pbkdf_adjusted_phys_memory_kb(void);
+
+ /* Device backend */
+ struct device;
+diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
+index 728e4df..a0326ce 100644
+--- a/lib/utils_benchmark.c
++++ b/lib/utils_benchmark.c
+@@ -101,6 +101,7 @@ int crypt_benchmark_pbkdf(struct crypt_device *cd,
+ {
+ int r, priority;
+ const char *kdf_opt;
++ uint32_t memory_kb;
+
+ if (!pbkdf || (!password && password_size))
+ return -EINVAL;
+@@ -113,6 +114,14 @@ int crypt_benchmark_pbkdf(struct crypt_device *cd,
+
+ log_dbg(cd, "Running %s(%s) benchmark.", pbkdf->type, kdf_opt);
+
++ memory_kb = pbkdf_adjusted_phys_memory_kb();
++ if (memory_kb < pbkdf->max_memory_kb) {
++ log_dbg(cd, "Not enough physical memory detected, "
++ "PBKDF max memory decreased from %dkB to %dkB.",
++ pbkdf->max_memory_kb, memory_kb);
++ pbkdf->max_memory_kb = memory_kb;
++ }
++
+ crypt_process_priority(cd, &priority, true);
+ r = crypt_pbkdf_perf(pbkdf->type, pbkdf->hash, password, password_size,
+ salt, salt_size, volume_key_size, pbkdf->time_ms,
+diff --git a/lib/utils_pbkdf.c b/lib/utils_pbkdf.c
+index d8f41c7..b2d4fa0 100644
+--- a/lib/utils_pbkdf.c
++++ b/lib/utils_pbkdf.c
+@@ -61,7 +61,7 @@ const struct crypt_pbkdf_type *crypt_get_pbkdf_type_params(const char *pbkdf_typ
+ return NULL;
+ }
+
+-static uint32_t adjusted_phys_memory(void)
++uint32_t pbkdf_adjusted_phys_memory_kb(void)
+ {
+ uint64_t free_kb, memory_kb = crypt_getphysmemory_kb();
+
+@@ -258,7 +258,7 @@ int init_pbkdf_type(struct crypt_device *cd,
+ }
+
+ if (cd_pbkdf->max_memory_kb) {
+- memory_kb = adjusted_phys_memory();
++ memory_kb = pbkdf_adjusted_phys_memory_kb();
+ if (cd_pbkdf->max_memory_kb > memory_kb) {
+ log_dbg(cd, "Not enough physical memory detected, "
+ "PBKDF max memory decreased from %dkB to %dkB.",
diff --git a/debian/patches/Print-warning-when-keyslot-requires-more-memory-than-avai.patch b/debian/patches/Print-warning-when-keyslot-requires-more-memory-than-avai.patch
new file mode 100644
index 0000000..91bab91
--- /dev/null
+++ b/debian/patches/Print-warning-when-keyslot-requires-more-memory-than-avai.patch
@@ -0,0 +1,49 @@
+From: Milan Broz <gmazyland@gmail.com>
+Date: Tue, 28 Feb 2023 14:18:10 +0100
+Subject: Print warning when keyslot requires more memory than available
+
+This warning is displayed only if maximum memory was adjusted:
+no swap, not enough memory, but is not printed if user set keyslot
+memory cost above default limit intentionally.
+
+In the latter case we have to check all available memory and guess
+if swap is enough - this is not job af cryptsetup and also
+it should not excessively parse any /sys files during keyslot open.
+
+Origin: https://gitlab.com/cryptsetup/cryptsetup/-/commit/27f8e5c08f0e0054225c9a2b1eda5b4200d4565b
+Bug: https://gitlab.com/cryptsetup/cryptsetup/-/issues/802#note_1287298872
+Bug-Debian: https://bugs.debian.org/1032734
+---
+ lib/luks2/luks2_keyslot_luks2.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
+index 491dcad..3be1135 100644
+--- a/lib/luks2/luks2_keyslot_luks2.c
++++ b/lib/luks2/luks2_keyslot_luks2.c
+@@ -307,7 +307,7 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
+ char *volume_key, size_t volume_key_len)
+ {
+ struct volume_key *derived_key = NULL;
+- struct crypt_pbkdf_type pbkdf;
++ struct crypt_pbkdf_type pbkdf, *cd_pbkdf;
+ char *AfKey = NULL;
+ size_t AFEKSize;
+ const char *af_hash = NULL;
+@@ -360,6 +360,16 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
+ goto out;
+ }
+
++ /*
++ * Print warning when keyslot requires more memory than available
++ * (if maximum memory was adjusted - no swap, not enough memory),
++ * but be silent if user set keyslot memory cost above default limit intentionally.
++ */
++ cd_pbkdf = crypt_get_pbkdf(cd);
++ if (cd_pbkdf->max_memory_kb && pbkdf.max_memory_kb > cd_pbkdf->max_memory_kb &&
++ pbkdf.max_memory_kb <= DEFAULT_LUKS2_MEMORY_KB)
++ log_std(cd, _("Warning: keyslot operation could fail as it requires more than available memory.\n"));
++
+ /*
+ * If requested, serialize unlocking for memory-hard KDF. Usually NOOP.
+ */
diff --git a/debian/patches/Try-to-avoid-OOM-killer-on-low-memory-systems-without-swa.patch b/debian/patches/Try-to-avoid-OOM-killer-on-low-memory-systems-without-swa.patch
new file mode 100644
index 0000000..b8f81b9
--- /dev/null
+++ b/debian/patches/Try-to-avoid-OOM-killer-on-low-memory-systems-without-swa.patch
@@ -0,0 +1,163 @@
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 20 Feb 2023 16:45:36 +0100
+Subject: Try to avoid OOM killer on low-memory systems without swap.
+
+Benchmark for memory-hard KDF is tricky, seems that relying
+on maximum half of physical memory is not enough.
+
+Let's allow only free physical available space if there is no swap.
+This should not cause changes on normal systems, at least.
+
+Origin: https://gitlab.com/cryptsetup/cryptsetup/-/commit/899bad8c06957a94a198d1eaa293ed8db205f1de
+Bug: https://gitlab.com/cryptsetup/cryptsetup/-/issues/802
+Bug-Debian: https://bugs.debian.org/1028250
+---
+ lib/internal.h | 2 ++
+ lib/utils.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
+ lib/utils_pbkdf.c | 11 ++++++++++-
+ tests/api-test-2.c | 12 ++++++++----
+ 4 files changed, 67 insertions(+), 5 deletions(-)
+
+diff --git a/lib/internal.h b/lib/internal.h
+index b5cb4e3..98095fa 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -168,6 +168,8 @@ int crypt_uuid_cmp(const char *dm_uuid, const char *hdr_uuid);
+ size_t crypt_getpagesize(void);
+ unsigned crypt_cpusonline(void);
+ uint64_t crypt_getphysmemory_kb(void);
++uint64_t crypt_getphysmemoryfree_kb(void);
++bool crypt_swapavailable(void);
+
+ int init_crypto(struct crypt_device *ctx);
+
+diff --git a/lib/utils.c b/lib/utils.c
+index bfcf60d..e9d5b5b 100644
+--- a/lib/utils.c
++++ b/lib/utils.c
+@@ -59,6 +59,53 @@ uint64_t crypt_getphysmemory_kb(void)
+ return phys_memory_kb;
+ }
+
++uint64_t crypt_getphysmemoryfree_kb(void)
++{
++ long pagesize, phys_pages;
++ uint64_t phys_memoryfree_kb;
++
++ pagesize = sysconf(_SC_PAGESIZE);
++ phys_pages = sysconf(_SC_AVPHYS_PAGES);
++
++ if (pagesize < 0 || phys_pages < 0)
++ return 0;
++
++ phys_memoryfree_kb = pagesize / 1024;
++ phys_memoryfree_kb *= phys_pages;
++
++ return phys_memoryfree_kb;
++}
++
++bool crypt_swapavailable(void)
++{
++ int fd;
++ ssize_t size;
++ char buf[4096], *p;
++ uint64_t total;
++
++ if ((fd = open("/proc/meminfo", O_RDONLY)) < 0)
++ return true;
++
++ size = read(fd, buf, sizeof(buf));
++ close(fd);
++ if (size < 1)
++ return true;
++
++ if (size < (ssize_t)sizeof(buf))
++ buf[size] = 0;
++ else
++ buf[sizeof(buf) - 1] = 0;
++
++ p = strstr(buf, "SwapTotal:");
++ if (!p)
++ return true;
++
++ if (sscanf(p, "SwapTotal: %" PRIu64 " kB", &total) != 1)
++ return true;
++
++ return total > 0;
++}
++
+ void crypt_process_priority(struct crypt_device *cd, int *priority, bool raise)
+ {
+ int _priority, new_priority;
+diff --git a/lib/utils_pbkdf.c b/lib/utils_pbkdf.c
+index 4d7e18d..d8f41c7 100644
+--- a/lib/utils_pbkdf.c
++++ b/lib/utils_pbkdf.c
+@@ -63,7 +63,7 @@ const struct crypt_pbkdf_type *crypt_get_pbkdf_type_params(const char *pbkdf_typ
+
+ static uint32_t adjusted_phys_memory(void)
+ {
+- uint64_t memory_kb = crypt_getphysmemory_kb();
++ uint64_t free_kb, memory_kb = crypt_getphysmemory_kb();
+
+ /* Ignore bogus value */
+ if (memory_kb < (128 * 1024) || memory_kb > UINT32_MAX)
+@@ -75,6 +75,15 @@ static uint32_t adjusted_phys_memory(void)
+ */
+ memory_kb /= 2;
+
++ /*
++ * Never use more that available free space on system without swap.
++ */
++ if (!crypt_swapavailable()) {
++ free_kb = crypt_getphysmemoryfree_kb();
++ if (free_kb > (64 * 1024) && free_kb < memory_kb)
++ return free_kb;
++ }
++
+ return memory_kb;
+ }
+
+diff --git a/tests/api-test-2.c b/tests/api-test-2.c
+index 824ae65..923165c 100644
+--- a/tests/api-test-2.c
++++ b/tests/api-test-2.c
+@@ -2802,7 +2802,8 @@ static void Pbkdf(void)
+ OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
+ EQ_(pbkdf->time_ms, default_luks2_iter_time);
+- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
++ GE_(pbkdf->max_memory_kb, 64 * 1024);
++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb);
+ EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
+ // set and verify argon2 type
+ OK_(crypt_set_pbkdf_type(cd, &argon2));
+@@ -2827,7 +2828,8 @@ static void Pbkdf(void)
+ OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
+ EQ_(pbkdf->time_ms, default_luks2_iter_time);
+- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
++ GE_(pbkdf->max_memory_kb, 64 * 1024);
++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb);
+ EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
+ // try to pass illegal values
+ argon2.parallel_threads = 0;
+@@ -2858,14 +2860,16 @@ static void Pbkdf(void)
+ OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
+ EQ_(pbkdf->time_ms, default_luks2_iter_time);
+- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
++ GE_(pbkdf->max_memory_kb, 64 * 1024);
++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb);
+ EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
+ crypt_set_iteration_time(cd, 1);
+ OK_(crypt_load(cd, CRYPT_LUKS, NULL));
+ OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
+ EQ_(pbkdf->time_ms, 1);
+- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
++ GE_(pbkdf->max_memory_kb, 64 * 1024);
++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb);
+ EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
+ CRYPT_FREE(cd);
+
diff --git a/debian/patches/Use-only-half-of-detected-free-memory-on-systems-without-.patch b/debian/patches/Use-only-half-of-detected-free-memory-on-systems-without-.patch
new file mode 100644
index 0000000..caf47ce
--- /dev/null
+++ b/debian/patches/Use-only-half-of-detected-free-memory-on-systems-without-.patch
@@ -0,0 +1,43 @@
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 17 Apr 2023 13:41:17 +0200
+Subject: Use only half of detected free memory on systems without swap.
+
+As tests shows, limiting used Argon2 memory to free memory on
+systems without swap is still not enough.
+Use just half of it, this should bring needed margin while
+still use Argon2.
+
+Note, for very-low memory constrained systems user should
+avoid memory-hard PBKDF (IOW manually select PBKDF2), we
+do not do this automatically.
+
+Origin: https://gitlab.com/cryptsetup/cryptsetup/-/commit/6721d3a8b29b13fe88aeeaefe09d457e99d1c6fa
+Bug: https://gitlab.com/cryptsetup/cryptsetup/-/issues/802#note_1328592911
+Bug-Debian: https://bugs.debian.org/1028250
+---
+ lib/utils_pbkdf.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/utils_pbkdf.c b/lib/utils_pbkdf.c
+index b2d4fa0..7399bd2 100644
+--- a/lib/utils_pbkdf.c
++++ b/lib/utils_pbkdf.c
+@@ -76,10 +76,17 @@ uint32_t pbkdf_adjusted_phys_memory_kb(void)
+ memory_kb /= 2;
+
+ /*
+- * Never use more that available free space on system without swap.
++ * Never use more that half of available free memory on system without swap.
+ */
+ if (!crypt_swapavailable()) {
+ free_kb = crypt_getphysmemoryfree_kb();
++
++ /*
++ * Using exactly free memory causes OOM too, use only half of the value.
++ * Ignore small values (< 64MB), user should use PBKDF2 in such environment.
++ */
++ free_kb /= 2;
++
+ if (free_kb > (64 * 1024) && free_kb < memory_kb)
+ return free_kb;
+ }
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..f64f6f7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,4 @@
+Try-to-avoid-OOM-killer-on-low-memory-systems-without-swa.patch
+Print-warning-when-keyslot-requires-more-memory-than-avai.patch
+Check-for-physical-memory-available-also-in-PBKDF-benchma.patch
+Use-only-half-of-detected-free-memory-on-systems-without-.patch
diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in
new file mode 100644
index 0000000..1b3a296
--- /dev/null
+++ b/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] cryptsetup.templates
diff --git a/debian/po/cs.po b/debian/po/cs.po
new file mode 100644
index 0000000..2797fd8
--- /dev/null
+++ b/debian/po/cs.po
@@ -0,0 +1,53 @@
+# Czech PO debconf template translation of cryptsetup.
+# Copyright (C) 2010 Michal Simunek <michal.simunek@gmail.com>
+# This file is distributed under the same license as the cryptsetup package.
+# Michal Simunek <michal.simunek@gmail.com>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2:1.3.0-4\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2011-09-23 17:31+0200\n"
+"Last-Translator: Michal Simunek <michal.simunek@gmail.com>\n"
+"Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
+"Language: cs\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=utf-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Pokračovat v odstraňování cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Tento systém má odemčená zařízení dm-crypt: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Jsou-li tato zařízení spravována s cryptsetup, nebudete je moci po "
+"odstranění balíčku uzamknout i přes to, že ke správě zařízení dm-crypt lze "
+"použít i jiné nástroje. Jakékoli vypnutí či restart systému tato zařízení "
+"uzamkne."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Chcete-li před odstraněním balíčku zařízení dm-crypt uzamknout, tuto možnost "
+"nevybírejte."
diff --git a/debian/po/da.po b/debian/po/da.po
new file mode 100644
index 0000000..aacbd8b
--- /dev/null
+++ b/debian/po/da.po
@@ -0,0 +1,53 @@
+# Danish translation cryptsetup.
+# Copyright (C) 2011 cryptsetup & nedenstående oversættere.
+# This file is distributed under the same license as the cryptsetup package.
+# Joe Hansen <joedalton2@yahoo.dk>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2011-10-09 17:30+01:00\n"
+"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
+"Language-Team: Danish <debian-l10n-danish@lists.debian.org>\n"
+"Language: da\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Fortsæt med fjernelsen af cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Dette system har frigjort dm-crypt-enheder: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Hvis disse enheder håndteres med cryptsetup, vil du måske ikke kunne låse "
+"enhederne efter pakkefjernelsen, dog kan andre værktøjer bruges til at "
+"håndtere dm-crypt-enheder. Alle systemnedlukninger eller genstarter vil låse "
+"enhederne."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Vælg ikke denne indstilling hvis du ønsker at låse dm-crypt-enhederne før "
+"pakkefjernelse."
diff --git a/debian/po/de.po b/debian/po/de.po
new file mode 100644
index 0000000..c5fefef
--- /dev/null
+++ b/debian/po/de.po
@@ -0,0 +1,55 @@
+# GERMAN TRANSLATION OF CRYPTSETUP.
+# Copyright (C) 2011 Erik Pfannenstein
+# This file is distributed under the same license as the cryptsetup package.
+# Erik Pfannenstein <debianignatz@gmx.de>, 2011.
+msgid ""
+msgstr ""
+"Project-Id-Version: 1.3.0-4\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2011-09-15 22:10+0200\n"
+"Last-Translator: Erik Pfannenstein <debianignatz@gmx.de>\n"
+"Language-Team: debian-l10n-german@lists.debian.org\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Virtaal 0.7.0\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Mit der Entfernung von Cryptsetup fortfahren?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Dieses System verfügt über entsperrte dm-crypt-Geräte: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Wenn diese Geräte über Cryptsetup verwaltet werden, werden Sie nach der "
+"Entfernung des Pakets möglicherweise nicht mehr in der Lage sein, sie zu "
+"sperren, obwohl für die Handhabung von dm-crypt-verschlüsselten Geräten auch "
+"andere Werkzeuge bereit stehen. Jedes Herunterfahren oder Neustarten wird "
+"die Geräte sperren."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Wählen Sie diese Option nicht, wenn Sie die dm-crypt-verschlüsselten Geräte "
+"vor der Entfernung des Pakets sperren wollen."
diff --git a/debian/po/es.po b/debian/po/es.po
new file mode 100644
index 0000000..847c3f0
--- /dev/null
+++ b/debian/po/es.po
@@ -0,0 +1,88 @@
+# cryptsetup po-debconf translation to Spanish
+# Copyright (C) 2010 Software in the Public Interest
+# This file is distributed under the same license as the cryptsetup package.
+#
+# Changes:
+# - Initial translation
+# Camaleón <noelamac@gmail.com>, 2011
+#
+# - Updates
+#
+#
+# Traductores, si no conocen el formato PO, merece la pena leer la
+# documentación de gettext, especialmente las secciones dedicadas a este
+# formato, por ejemplo ejecutando:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Equipo de traducción al español, por favor lean antes de traducir
+# los siguientes documentos:
+#
+# - El proyecto de traducción de Debian al español
+# https://www.debian.org/intl/spanish/
+# especialmente las notas y normas de traducción en
+# http://www.debian.org/intl/spanish/notas
+#
+# - La guía de traducción de po's de debconf:
+# /usr/share/doc/po-debconf/README-trans
+# o https://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2:1.4.1-2\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2012-02-22 15:11+0100\n"
+"Last-Translator: Camaleón <noelamac@gmail.com>\n"
+"Language-Team: Debian Spanish <debian-l10n-spanish@lists.debian.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "¿Desea continuar con la eliminación de cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr ""
+"Este sistema tiene los siguientes dispositivos dm-crypt desbloqueados: "
+"${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Si estos dispositivos se administran con cryptsetup es posible que no pueda "
+"bloquearlos si elimina el paquete, aunque puede usar otras herramientas para "
+"administrar los dispositivos dm-crypt. Apagar o reiniciar el sistema "
+"bloqueará los dispositivos."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"No seleccione esta opción si quiere bloquear los dispositivos dm-crypt antes "
+"de eliminar el paquete."
+
+#~ msgid ""
+#~ "In case you want to lock the dm-crypt devices before package removal, say "
+#~ "no here, and continue with removal after all dm-crypt devices have been "
+#~ "locked."
+#~ msgstr ""
+#~ "Si quiere bloquear los dispositivos dm-crypt antes de eliminar el "
+#~ "paquete, seleccione «no» en este apartado y continúe con la eliminación "
+#~ "después de que se hayan bloqueado todos los dispositivos dm-crypt."
diff --git a/debian/po/fr.po b/debian/po/fr.po
new file mode 100644
index 0000000..618f380
--- /dev/null
+++ b/debian/po/fr.po
@@ -0,0 +1,62 @@
+# Translation to French of cryptsetup debconf templates.
+# Copyright (C) 2011 Debian French l10n team <debian-l10n-french@lists.debian.org>
+# This file is distributed under the same license as the cryptsetup package.
+# Julien Patriarca <patriarcaj@gmail.com>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup VERSION\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2011-09-15 15:04+0100\n"
+"Last-Translator: Julien Patriarca <patriarcaj@gmail.com>\n"
+"Language-Team: FRENCH <debian-l10n-french@lists.debian.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Poursuivre la suppression de cryptsetup ?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Ce système a déverrouillé des périphériques dm-crypt : ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Si ces périphériques sont gérés avec cryptsetup, il pourrait devenir "
+"impossible de les verrouiller après la suppression du paquet. Cependant, "
+"d'autres outils existent pour gérer des périphériques dm-crypt. Dans tous "
+"les cas, un arrêt ou redémarrage du système verrouillera les périphériques."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Ne sélectionnez pas cette option si vous souhaitez verrouiller les "
+"périphériques dm-crypt avant la suppression du paquet."
+
+#~ msgid ""
+#~ "In case you want to lock the dm-crypt devices before package removal, say "
+#~ "no here, and continue with removal after all dm-crypt devices have been "
+#~ "locked."
+#~ msgstr ""
+#~ "Refusez la suppression du paquet si vous souhaitez préalablement "
+#~ "verrouiller les périphériques dm-crypt et poursuivez-la après que tous "
+#~ "les périphériques dm-crypt ont été déverrouillés."
diff --git a/debian/po/id.po b/debian/po/id.po
new file mode 100644
index 0000000..8aa9d71
--- /dev/null
+++ b/debian/po/id.po
@@ -0,0 +1,57 @@
+# Translation of cryptsetup debconf templates to Indonesian
+# Copyright (C) 2016 L10N Debian Indonesian <debian-l10n-indonesian@lists.debian.org>
+# This file is distributed under the same license as the cryptsetup package.
+# Translator:
+# Izharul Haq <atoz.chevara@yahoo.com>, 2016.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup VERSION\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2016-08-22 20:21+0700\n"
+"Last-Translator: Izharul Haq <atoz.chevara@yahoo.com>\n"
+"Language-Team: L10N Debian Indonesian <debian-l10n-indonesian@lists.debian."
+"org>\n"
+"Language: id\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.6.10\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Lanjutkan dengan penghapusan cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Sistem ini telah membuka perangkat dm-crypt: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Jika perangkat ini dikelola dengan cryptsetup, anda mungkin tidak dapat "
+"mengunci perangkat setelah penghapusan paket, meskipun perkakas lainnya "
+"dapat digunakan untuk mengelola perangkat dm-crypt. Setiap sistem dimatikan "
+"atau dijalankan ulang akan mengunci perangkat."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Jangan memilih opsi ini jika anda ingin mengunci perangkat dm-crypt sebelum "
+"penghapusan paket."
diff --git a/debian/po/it.po b/debian/po/it.po
new file mode 100644
index 0000000..ecd9ca2
--- /dev/null
+++ b/debian/po/it.po
@@ -0,0 +1,53 @@
+# Italian translation of debconf template for cryptsetup package.
+# Copyright (C) 2011 Jonas meurer
+# This file is distributed under the same license as the cryptsetup package.
+# Francesca Ciceri <madamezou@zouish.org>, 2012-2014
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2014-03-02 21:33+0100\n"
+"Last-Translator: Francesca Ciceri <madamezou@zouish.org>\n"
+"Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
+"Language: Italian\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Continuare con la rimozione di cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "I seguenti device dm-crypt sono sbloccati: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Se questi device erano gestiti con cryptsetup, si potrebbe essere "
+"impossibilitati a bloccarli nuovamente dopo la rimozione del pacchetto. "
+"Tuttavia, esistono altri strumenti per gestire i device dm-crypt. Lo "
+"spegnimento o il riavvio del sistema bloccheranno i device."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Non scegliere questa opzione se si desidera bloccare i device dm-crypt prima "
+"della rimozione del pacchetto."
diff --git a/debian/po/ja.po b/debian/po/ja.po
new file mode 100644
index 0000000..74f7d05
--- /dev/null
+++ b/debian/po/ja.po
@@ -0,0 +1,54 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# victory <victory.deb@gmail.com>, 2012.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2012-06-17 00:27+09:00\n"
+"Last-Translator: victory <victory.deb@gmail.com>\n"
+"Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
+"Language: ja\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "cryptsetup の削除を続行しますか?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr ""
+"このシステムにはロックされていない dm-crypt デバイスがあります: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"cryptsetup により管理されているデバイスがある場合、パッケージ削除後にデバイス"
+"をロックできなくなる可能性がありますが、他のツールを使って dm-crypt デバイス"
+"を管理することができます。システムのシャットダウンや再起動が発生するとデバイ"
+"スはロックされます。"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"パッケージ削除の前に dm-crypt デバイスをロックしたい場合はこのオプションを選"
+"択しないでください。"
diff --git a/debian/po/nl.po b/debian/po/nl.po
new file mode 100644
index 0000000..5c5bf81
--- /dev/null
+++ b/debian/po/nl.po
@@ -0,0 +1,54 @@
+# Dutch translation of cryptsetup debconf templates.
+# Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the cryptsetup package.
+# Jeroen Schot <schot@a-eskwadraat.nl>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2:1.3.0-4\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2011-09-28 11:15+0200\n"
+"Last-Translator: Jeroen Schot <schot@a-eskwadraat.nl>\n"
+"Language-Team: Debian l10n Dutch <debian-l10n-dutch@lists.debian.org>\n"
+"Language: nl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Doorgaan met het verwijderen van cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr ""
+"De volgende dm-crypt-apparaten op het systeem zijn ontgrendeld: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Als deze apparaten worden beheerd met cryptsetup kunt u ze mogelijk niet "
+"meer vergrendelen na het verwijderen van het pakket, hoewel dm-crypt-"
+"apparaten ook met andere hulpprogramma's kunnen worden beheerd. Het "
+"uitzetten of herstarten van het systeem zal deze apparaten vergrendelen."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Kies niet voor deze optie indien u de dm-crypt-apparaten wilt vergrendelen "
+"voor het verwijderen van het pakket."
diff --git a/debian/po/pt.po b/debian/po/pt.po
new file mode 100644
index 0000000..33d2e8e
--- /dev/null
+++ b/debian/po/pt.po
@@ -0,0 +1,53 @@
+# Portuguese translation for cryptsetup's package
+# Copyright (C) 2011 cryptsetup's copyright holder
+# This file is distributed under the same license as the cryptsetup package.
+# Miguel Figueiredo <elmig@debianpt.org>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2011-09-16 18:48+0100\n"
+"Last-Translator: Miguel Figueiredo <elmig@debianpt.org>\n"
+"Language-Team: Portuguese <traduz@debianpt.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Continuar com a remoção do cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Este sistema tem dispositivos dm-crypt desbloqueados: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Se estes dispositivos forem geridos com o cryptsetup, poderá não ser capaz "
+"de bloquear os dispositivos após a remoção do pacote, apesar de poderem ser "
+"utilizadas outras ferramentas para gerir os dispositivos dm-crypt. Desligar "
+"ou reiniciar o sistema irá bloquear os dispositivos."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Não escolha esta opção se deseja bloquear os dispositivos dm-crypt antes da "
+"remoção do pacote."
diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po
new file mode 100644
index 0000000..c9ba28a
--- /dev/null
+++ b/debian/po/pt_BR.po
@@ -0,0 +1,55 @@
+# Debconf translations for cryptsetup.
+# Copyright (C) 2011 THE cryptsetup'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the cryptsetup package.
+# Adriano Rafael Gomes <adrianorg@gmail.com>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2011-10-09 17:56-0300\n"
+"Last-Translator: Adriano Rafael Gomes <adrianorg@gmail.com>\n"
+"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
+"org>\n"
+"Language: pt_BR\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Continuar com a remoção do cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Esse sistema tem dispositivos dm-crypt desbloqueados: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Se esses dispositivos são gerenciados com o cryptsetup, você pode não "
+"conseguir bloquear os dispositivos depois da remoção do pacote, embora "
+"outras ferramentas possam ser usadas para gerenciar dispositivos dm-crypt. "
+"Qualquer desligamento ou reinicialização do sistema bloqueará os "
+"dispositivos."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Não escolha essa opção se você quiser bloquear os dispositivos dm-crypt "
+"antes da remoção do pacote."
diff --git a/debian/po/ro.po b/debian/po/ro.po
new file mode 100644
index 0000000..59f4616
--- /dev/null
+++ b/debian/po/ro.po
@@ -0,0 +1,62 @@
+# Mesajele în limba română pentru pachetul cryptsetup.
+# Romanian translation of cryptsetup.
+# Copyright © 2023 THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the cryptsetup package.
+#
+# Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>, 2023.
+#
+# Cronologia traducerii fișierului „cryptsetup”:
+# Traducerea inițială, făcută de R-GC, pentru versiunea cryptsetup 2:2.6.1-1.
+# Actualizare a traducerii pentru versiunea Y, făcută de X, Y(anul).
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2:2.6.1-1\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2023-02-13 10:03+0100\n"
+"Last-Translator: Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>\n"
+"Language-Team: Romanian <debian-l10n-romanian@lists.debian.org>\n"
+"Language: ro\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n==0 || (n!=1 && n%100>=1 && "
+"n%100<=19) ? 1 : 2);\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"X-Generator: Poedit 3.2.2\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Continuați cu eliminarea programului «cryptsetup»?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Acest sistem are dispozitive dm-crypt deblocate: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock the "
+"devices after the package removal, though other tools can be used for managing "
+"dm-crypt devices. Any system shutdown or reboot will lock the devices."
+msgstr ""
+"Dacă aceste dispozitive sunt gestionate cu «cryptsetup», este posibil să nu "
+"puteți bloca dispozitivele după eliminarea pachetului, deși alte instrumente "
+"pot fi utilizate pentru gestionarea dispozitivelor dm-crypt. Orice oprire sau "
+"repornire a sistemului va bloca dispozitivele."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Nu alegeți această opțiune dacă doriți să blocați dispozitivele dm-crypt "
+"înainte de a elimina pachetul."
diff --git a/debian/po/ru.po b/debian/po/ru.po
new file mode 100644
index 0000000..a24c4a6
--- /dev/null
+++ b/debian/po/ru.po
@@ -0,0 +1,64 @@
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the cryptsetup package.
+#
+# Yuri Kozlov <yuray@komyakino.ru>, 2011, 2012.
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2:1.4.1-2\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2012-02-26 11:02+0400\n"
+"Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
+"Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
+"Language: ru\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Lokalize 1.0\n"
+"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
+"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Продолжить удаление cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "В системе имеются незаблокированные устройства dm-crypt: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Если эти устройства управляются с помощью cryptsetup, то вы не сможете "
+"заблокировать эти устройства после удаления пакета, хотя для управления "
+"устройствами dm-crypt можно использовать другие инструменты. При следующем "
+"выключении или перезагрузке машины устройства будут заблокированы."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Ответьте отрицательно, если хотите заблокировать устройства dm-crypt до "
+"удаления пакета."
+
+#~ msgid ""
+#~ "In case you want to lock the dm-crypt devices before package removal, say "
+#~ "no here, and continue with removal after all dm-crypt devices have been "
+#~ "locked."
+#~ msgstr ""
+#~ "Если вы хотите заблокировать устройства dm-crypt до удаления пакета, то "
+#~ "ответьте отрицательно и повторите удаление после того, как все устройства "
+#~ "dm-crypt будут заблокированы."
diff --git a/debian/po/sv.po b/debian/po/sv.po
new file mode 100644
index 0000000..1b73dbd
--- /dev/null
+++ b/debian/po/sv.po
@@ -0,0 +1,63 @@
+# Translation of cryptsetup debconf template to Swedish
+# Copyright (C) 2011 Martin Bagge <brother@bsnet.se>
+# This file is distributed under the same license as the cryptsetup package.
+#
+# Martin Bagge <brother@bsnet.se>, 2011
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup VERSION\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2011-09-22 21:28+0100\n"
+"Last-Translator: Martin Bagge / brother <brother@bsnet.se>\n"
+"Language-Team: Swedish <debian-l10n-swedish@lists.debian.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Swedish\n"
+"X-Poedit-Country: Sweden\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Ska cryptsetup tas bort?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Detta system har olåsta dm-crypt-enheter: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Om dessa enheter hanteras av cryptsetup kan det innebära att dessa enheter "
+"inte kan låsas upp efter paketet tagits bort. Det finns dock andra verktyg "
+"för att hantera dm-crypt-enheter. Hur som helst så kommer enheterna att "
+"låsas när systemet stängs av eller startas om."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Välj inte detta alternativ om du vill låsa dm-crypt-enheter innan paketet "
+"tas bort."
+
+#~ msgid ""
+#~ "In case you want to lock the dm-crypt devices before package removal, say "
+#~ "no here, and continue with removal after all dm-crypt devices have been "
+#~ "locked."
+#~ msgstr ""
+#~ "Vill du låsa dm-crypt-enheterna innan paketet tas bort svara nej här och "
+#~ "fortsätt när alla dm-crypt-enheter har låsts."
diff --git a/debian/po/templates.pot b/debian/po/templates.pot
new file mode 100644
index 0000000..77fa52f
--- /dev/null
+++ b/debian/po/templates.pot
@@ -0,0 +1,48 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the cryptsetup package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
diff --git a/debian/po/vi.po b/debian/po/vi.po
new file mode 100644
index 0000000..abf3557
--- /dev/null
+++ b/debian/po/vi.po
@@ -0,0 +1,56 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2:1.3.0-4\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2011-09-15 19:27+0700\n"
+"Last-Translator: Hung Tran <nguyentieuhau@gmail.com>\n"
+"Language-Team: debian-l10n-vietnamese <debian-l10n-vietnamese@lists.debian."
+"org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=utf-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Vietnamese\n"
+"X-Poedit-Country: Vietnam\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Tiếp tục việc gỡ bỏ cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Hệ thống này đã mở khóa những thiết bị dm-crypt: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Nếu các thiết bị này được quản lý với cryptsetup, có thể bạn sẽ không thể "
+"khóa các thiết bị sau khi gỡ bỏ gói ứng dụng, mặc dù các công cụ khác có thể "
+"được sử dụng để quản lý các thiết bị dm-crypt. Tắt hay khởi động lại hệ "
+"thống sẽ khóa các thiết bị."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Đừng chọn tùy chọn này nếu bạn muốn khóa các thiết bị dm-crypt trước khi gỡ "
+"bỏ gói ứng dụng."
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..757085c
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,100 @@
+#!/usr/bin/make -f
+
+# Uncomment this to turn on debhelper verbose mode.
+#export DH_VERBOSE=1
+
+# Set some custom build flags
+export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow,+pie
+DEB_CFLAGS_MAINT_APPEND = -Wall
+include /usr/share/dpkg/architecture.mk
+-include /usr/share/dpkg/buildtools.mk
+
+CONFFLAGS =
+
+# Used e.g. for manpages (to build them in a reprodicible way)
+include /usr/share/dpkg/pkg-info.mk
+DEB_DATE := $(strip $(shell LC_ALL=C date -u +%F -d@$(SOURCE_DATE_EPOCH)))
+
+%:
+ dh $@
+
+ifneq (,$(filter nodoc, $(DEB_BUILD_OPTIONS)))
+CONFFLAGS += --disable-asciidoc
+endif
+
+override_dh_auto_configure:
+ dh_auto_configure -- $(CONFFLAGS) \
+ --libdir=/lib/$(DEB_HOST_MULTIARCH) \
+ --sbindir=/sbin \
+ --with-tmpfilesdir=/usr/lib/tmpfiles.d \
+ --enable-libargon2 \
+ --enable-shared \
+ --enable-cryptsetup-reencrypt
+
+execute_after_dh_auto_build:
+ # build askpass and passdev keyscripts
+ $(CC) -o debian/askpass debian/askpass.c -Wall -Werror $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -pedantic
+ $(CC) -o debian/scripts/passdev debian/scripts/passdev.c -Wall -Werror $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -pedantic
+
+ # build suspend binary
+ $(CC) -o debian/scripts/suspend/cryptsetup-suspend debian/scripts/suspend/cryptsetup-suspend.c \
+ -Wall -Werror $(CFLAGS) $(CPPFLAGS) -I$(CURDIR)/lib $(LDFLAGS) -L$(CURDIR)/.libs -lcryptsetup -pedantic
+
+ifeq (,$(filter nodoc, $(DEB_BUILD_OPTIONS)))
+ # generate manpages
+ sed 's/VERSION/$(DEB_VERSION)/;s/DATE/$(DEB_DATE)/' \
+ debian/doc/variables.xml.in >debian/doc/variables.xml
+ xsltproc --nonet --xinclude -o debian/doc/ \
+ /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl \
+ debian/doc/manpages.xml
+ pod2man --section=8 --center="Administrative commands" \
+ --release="$(DEB_VERSION)" debian/scripts/luksformat \
+ debian/doc/luksformat.8
+endif
+
+ # generate gettext po files (for luksformat)
+ $(MAKE) -C debian/scripts/po all luksformat.pot
+
+execute_before_dh_auto_test:
+ # tests/fake_token_path.so is built without global $(CFLAGS)
+ @echo "blhc: ignore-line-regexp: gcc\\s.*\\s\\.\\./tests/[0-9A-Za-z_-]+\\.c\\s.*"
+
+execute_after_dh_auto_install:
+ # install gettext po files (for luksformat)
+ $(MAKE) -C debian/scripts/po DESTDIR=$(CURDIR)/debian/cryptsetup-bin install
+
+execute_after_dh_install:
+ # install apport files when building on Ubuntu
+ifeq ($(shell dpkg-vendor --is Ubuntu && echo yes),yes)
+ mkdir -p $(CURDIR)/debian/cryptsetup/usr/share/apport/package-hooks
+ install -m 0644 debian/cryptsetup.apport \
+ $(CURDIR)/debian/cryptsetup/usr/share/apport/package-hooks/cryptsetup.py
+endif
+
+override_dh_installinit:
+ dh_installinit -pcryptsetup --no-start --name=cryptdisks
+ dh_installinit -pcryptsetup --no-start --name=cryptdisks-early
+
+execute_after_dh_auto_clean:
+ $(MAKE) -C debian/scripts/po update clean
+ if [ -f $(CURDIR)/debian/cryptsetup-initramfs.preinst.in ]; then \
+ mv -fT $(CURDIR)/debian/cryptsetup-initramfs.preinst.in $(CURDIR)/debian/cryptsetup-initramfs.preinst; \
+ fi
+
+override_dh_bugfiles:
+ dh_bugfiles -A
+
+execute_after_dh_fixperms-arch:
+ chmod 0755 debian/cryptsetup/lib/cryptsetup/checks/*
+ chmod 0755 debian/cryptsetup/lib/cryptsetup/scripts/decrypt_*
+ chmod 0755 debian/cryptsetup-suspend/lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper
+ chmod 0755 debian/cryptsetup-suspend/lib/systemd/system-shutdown/cryptsetup-suspend.shutdown
+ifeq (,$(filter noudeb, $(DEB_BUILD_PROFILES)))
+ chmod 0755 debian/cryptsetup-udeb/lib/cryptsetup/checks/*
+ chmod 0755 debian/cryptsetup-udeb/lib/cryptsetup/scripts/decrypt_*
+endif
+
+execute_after_dh_fixperms-indep:
+ chmod 0755 debian/cryptsetup-initramfs/usr/share/cryptsetup/initramfs/bin/*
+ chmod 0755 debian/cryptsetup-initramfs/usr/share/initramfs-tools/hooks/*
+ chmod 0755 debian/cryptsetup-initramfs/usr/share/initramfs-tools/scripts/*/*
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
new file mode 100644
index 0000000..118a91b
--- /dev/null
+++ b/debian/salsa-ci.yml
@@ -0,0 +1,63 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ # Skip all DEP-8 tests except 'cryptroot-lvm': each 'cryptroot-*' test
+ # takes 20-30min on Salsa CI runners as they don't support KVM acceleration
+ # cf. https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/266 ,
+ # and other tests are skipped anyway since they require machine-level
+ # isolation which the runners currently don't provide.
+ # Running 'cryptroot-lvm' and 'cryptroot-legacy' only is significantly
+ # better than disabling the autopkgtest job altogether.
+ SALSA_CI_AUTOPKGTEST_ARGS: '--test-name=cryptroot-lvm --test-name=cryptroot-legacy'
+
+# Run reprotest job under 'nocheck' build profile. The job runs with
+# root privileges, which trigger extra tests within the upstream test
+# suite. Some of these extra tests want to interact with the kernel,
+# load modules, and create/remove loop devices, which is beyond the
+# scope of the reprotest job.
+reprotest:
+ extends: .test-reprotest
+ variables:
+ DEB_BUILD_OPTIONS: nocheck
+
+# Add a deploy stage for pages
+stages:
+ - provisioning
+ - build
+ - publish
+ - test
+ # would be better if we could extend the list rather than override it
+ - deploy
+
+pages:
+ image: debian:11
+ script:
+ - apt-get update
+ - apt-get -y install pandoc
+ - mkdir public
+ # install CSS file
+ - install -m0644 debian/doc/pandoc/pandoc.css public/pandoc.css
+ # install index.html
+ - ${PANDOC} -T "Debian Cryptsetup docs" -o public/index.html
+ debian/doc/pandoc/index.md
+ # install README.*.html files
+ - for readme in Debian debug gnupg gnupg-sc initramfs keyctl opensc; do
+ ${PANDOC} --toc -T "Debian Cryptsetup docs"
+ -o public/README.$readme.html debian/README.$readme; done
+ - ${PANDOC} -pNo public/encrypted-boot.html
+ debian/doc/pandoc/encrypted-boot.md
+ stage: deploy
+ artifacts:
+ paths:
+ - public
+ only:
+ # only run on debian/latest branch
+ refs:
+ - debian/latest
+ # only run when commit is tagged (to install docs on package releases only)
+ #variables:
+ # - $CI_COMMIT_TAG
+ variables:
+ PANDOC: 'pandoc -s -c pandoc.css -f markdown+smart -t html'
diff --git a/debian/scripts/cryptdisks_start b/debian/scripts/cryptdisks_start
new file mode 100644
index 0000000..623423f
--- /dev/null
+++ b/debian/scripts/cryptdisks_start
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# cryptdisks_start - wrapper around cryptsetup which parses
+# /etc/crypttab, just like mount parses /etc/fstab.
+
+# Initial code and (c) 2007 Jon Dowland <jon@alcopop.org>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+set -e
+
+. /lib/cryptsetup/cryptdisks-functions
+
+INITSTATE="manual"
+DEFAULT_LOUD="yes"
+FORCE_START="yes"
+
+usage() {
+ local rv="${1:-1}"
+ echo "Usage: $0 [-r|--readonly] <name> [.. <name>]" >&2
+ echo >&2
+ echo "reads $TABFILE and starts the mapping corresponding to <name>" >&2
+ exit $rv
+}
+
+CRYPTTAB_EXTRA_OPTIONS=
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -r|--readonly) CRYPTTAB_EXTRA_OPTIONS="${CRYPTTAB_EXTRA_OPTIONS:+$CRYPTTAB_EXTRA_OPTIONS,}readonly";;
+ -h|--help|-\?) usage 0;;
+ --) shift; break;;
+ -*) echo "Error: unknown option '$1'" >&2; usage 1;;
+ *) break;;
+ esac
+ shift
+done
+[ $# -gt 0 ] || usage 1
+
+if [ $(id -u) -ne 0 ]; then
+ log_warning_msg "$0 needs root privileges"
+ exit 1
+fi
+
+log_action_begin_msg "Starting crypto disk"
+mount_fs
+
+rv=0
+for name in "$@"; do
+ if ! crypttab_find_entry --quiet "$name"; then
+ device_msg "$name" "failed, not found in crypttab"
+ rv=1
+ else
+ if [ -n "$CRYPTTAB_EXTRA_OPTIONS" ]; then
+ CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS,$CRYPTTAB_EXTRA_OPTIONS"
+ _CRYPTTAB_OPTIONS="$_CRYPTTAB_OPTIONS,$CRYPTTAB_EXTRA_OPTIONS"
+ fi
+ setup_mapping || rv=$?
+ fi
+done
+umount_fs
+
+log_action_end_msg $rv
+exit $rv
diff --git a/debian/scripts/cryptdisks_stop b/debian/scripts/cryptdisks_stop
new file mode 100644
index 0000000..ea0faaf
--- /dev/null
+++ b/debian/scripts/cryptdisks_stop
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# cryptdisks_stop - wrapper around cryptsetup which parses
+# /etc/crypttab, just like mount parses /etc/fstab.
+
+# Initial code stolen from cryptdisks_start by Jon Dowland <jon@alcopop.org>
+# Copyright (C) 2008 by Jonas Meurer <jonas@freesources.org>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+set -e
+
+if [ $# -lt 1 ]; then
+ echo "usage: $0 <name>" >&2
+ echo >&2
+ echo "reads /etc/crypttab and stops the mapping corresponding to <name>" >&2
+ exit 1
+fi
+
+. /lib/cryptsetup/cryptdisks-functions
+
+INITSTATE="manual"
+DEFAULT_LOUD="yes"
+
+if [ $(id -u) -ne 0 ]; then
+ log_warning_msg "$0 needs root privileges"
+ exit 1
+fi
+
+log_action_begin_msg "Stopping crypto disk"
+
+rv=0
+for name in "$@"; do
+ remove_mapping "$name" || rv=$?
+done
+
+log_action_end_msg $rv
+exit $rv
diff --git a/debian/scripts/decrypt_derived b/debian/scripts/decrypt_derived
new file mode 100644
index 0000000..0e1e418
--- /dev/null
+++ b/debian/scripts/decrypt_derived
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# WARNING: If you use the decrypt_derived keyscript for devices with
+# persistent data (i.e. not swap or temp devices), then you will lose
+# access to that data permanently if something damages the LUKS header
+# of the LUKS device you derive from. The same applies if you luksFormat
+# the device, even if you use the same passphrase(s). A LUKS header
+# backup, or better a backup of the data on the derived device may be
+# a good idea. See the Cryptsetup FAQ on how to do this right.
+
+if [ -z "$1" ]; then
+ echo "$0: must be executed with a crypto device as argument" >&2
+ exit 1
+fi
+
+unset -v keys count
+keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null | cut -s -d' ' -f5)"
+count="$(printf '%s' "$keys" | wc -l)"
+
+if [ -n "$keys" ] && [ $count -le 1 ]; then
+ if [ "${keys#:}" = "$keys" ]; then
+ printf '%s' "$keys"
+ exit 0
+ else
+ echo "$0: device $1 uses the kernel keyring" >&2
+ fi
+elif [ $count -eq 0 ]; then
+ echo "$0: device $1 doesn't exist or isn't a crypto device" >&2
+else
+ echo "$0: more than one device match" >&2
+fi
+exit 1
diff --git a/debian/scripts/decrypt_gnupg b/debian/scripts/decrypt_gnupg
new file mode 100644
index 0000000..18ab575
--- /dev/null
+++ b/debian/scripts/decrypt_gnupg
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+decrypt_gpg () {
+ echo "Performing GPG symmetric decryption ..." >&2
+ if ! /lib/cryptsetup/askpass "Enter passphrase for key $1: " | \
+ /usr/bin/gpg -q --batch --no-options \
+ --no-random-seed-file --no-default-keyring \
+ --keyring /dev/null --secret-keyring /dev/null \
+ --trustdb-name /dev/null --passphrase-fd 0 --decrypt -- "$1"; then
+ return 1
+ fi
+ return 0
+}
+
+if [ ! -x /usr/bin/gpg ]; then
+ echo "$0: /usr/bin/gpg is not available" >&2
+ exit 1
+fi
+
+if [ -z "$1" ]; then
+ echo "$0: missing key as argument" >&2
+ exit 1
+fi
+
+decrypt_gpg "$1"
+exit $?
diff --git a/debian/scripts/decrypt_gnupg-sc b/debian/scripts/decrypt_gnupg-sc
new file mode 100644
index 0000000..84eb62c
--- /dev/null
+++ b/debian/scripts/decrypt_gnupg-sc
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+if [ -d "/cryptroot/gnupghome" ]; then
+ export GNUPGHOME="/cryptroot/gnupghome"
+fi
+
+run_gpg() {
+ gpg --no-options --trust-model=always "$@"
+}
+decrypt_gpg () {
+ local console _
+ if ! GPG_TTY="$(tty)"; then
+ read console _ </proc/consoles
+ GPG_TTY="/dev/$console"
+ fi
+ export GPG_TTY
+
+ if ! run_gpg --decrypt -- "$1"; then
+ return 1
+ fi
+ return 0
+}
+
+# `gpg-connect-agent LEARN /bye` is another (lighter) way, but it's
+# harder to retrieve the return code
+if ! run_gpg --batch --quiet --no-tty --card-status >/dev/null; then
+ echo "Please insert OpenPGP SmartCard..." >&2
+ until run_gpg --batch --quiet --no-tty --card-status; do
+ sleep 1
+ done >/dev/null 2>&1
+fi
+
+if [ ! -x /usr/bin/gpg ]; then
+ echo "$0: /usr/bin/gpg is not available" >&2
+ exit 1
+fi
+
+if [ -z "$1" ] || [ ! -f "$1" ]; then
+ echo "$0: missing key as argument" >&2
+ exit 1
+fi
+
+decrypt_gpg "$1"
+exit $?
diff --git a/debian/scripts/decrypt_keyctl b/debian/scripts/decrypt_keyctl
new file mode 100644
index 0000000..6032db0
--- /dev/null
+++ b/debian/scripts/decrypt_keyctl
@@ -0,0 +1,55 @@
+#!/bin/sh
+# decrypt_keyctl - to use in /etc/crypttab as keyscript
+# Allows to cache passwords for cryptdevices for 60s
+# The same password is used for for cryptdevices with the same identifier.
+# The keyfile parameter, which is the third field from /etc/crypttab, is
+# used as identifier in this keyscript.
+#
+# sample crypttab entries:
+# test1 /dev/sda1 test_pw luks,keyscript=decrypt_keyctl
+# test2 /dev/sda2 test_pw luks,keyscript=decrypt_keyctl
+# test3 /dev/sda3 test_other_pw luks,keyscript=decrypt_keyctl
+#
+# test1 and test2 have the same identifier thus test2 does not need a password
+# typed in manually
+
+die()
+{
+ echo "$@" >&2
+ exit 1
+}
+
+if [ -z "${CRYPTTAB_KEY:-}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
+ # store the passphrase in the key name used by systemd-ask-password
+ ID_="cryptsetup"
+else
+ # the keyfile given from crypttab is used as identifier in the keyring
+ # including the prefix "cryptsetup:"
+ ID_="cryptsetup:$CRYPTTAB_KEY"
+fi
+TIMEOUT_='60'
+ASKPASS_='/lib/cryptsetup/askpass'
+PROMPT_="Caching passphrase for ${CRYPTTAB_NAME}: "
+
+
+if ! KID_="$(keyctl search @u user "$ID_" 2>/dev/null)" || \
+ [ -z "$KID_" ] || [ "$CRYPTTAB_TRIED" -gt 0 ]; then
+ # key not found or wrong, ask the user
+ KEY_="$($ASKPASS_ "$PROMPT_")" || die "Error executing $ASKPASS_"
+ if [ -n "$KID_" ]; then
+ # I have cached wrong password and now i may use either `keyctl update`
+ # to update $KID_ or just unlink old key, and add new. With `update` i
+ # may hit "Key has expired", though. So i'll go "unlink and add" way.
+ keyctl unlink "$KID_" @u
+ KID_=""
+ fi
+ KID_="$(printf "%s" "$KEY_" | keyctl padd user "$ID_" @u)"
+ [ -n "$KID_" ] || die "Error adding passphrase to kernel keyring"
+ if ! keyctl timeout "$KID_" "$TIMEOUT_"; then
+ keyctl unlink "$KID_" @u
+ die "Error setting timeout on key ($KID_), removing"
+ fi
+else
+ echo "Using cached passphrase for ${CRYPTTAB_NAME}." >&2
+fi
+keyctl pipe "$KID_"
diff --git a/debian/scripts/decrypt_opensc b/debian/scripts/decrypt_opensc
new file mode 100644
index 0000000..b06fc98
--- /dev/null
+++ b/debian/scripts/decrypt_opensc
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Why not use "openct-tool rwait" instead of polling opensc-tool exit status?
+# Well openct daemon has to be running which interferes with pcscd since both
+# implement reader drivers, my particular CCID reader (SCM SCR331-LC1) doesn't
+# work with the CCID driver in openct, however it does work with pcscd.
+
+# Why not use "opensc-tool --wait" instead of polling opensc-tool exit status?
+# Although opensc-tool --help reports that there is a --wait option, it doesn't
+# seem to be implemented.
+
+check_card() {
+ cardfound=0
+
+ if /usr/bin/opensc-tool -n >/dev/null 2>&1; then
+ cardfound=1
+ fi
+}
+
+wait_card() {
+ check_card
+ if [ $cardfound = 0 ] ; then
+ echo "Waiting for Smart Card..." >&2
+ tries=0
+ while [ $cardfound = 0 ] && [ $tries -lt 60 ] ; do
+ sleep 1
+ check_card
+ tries=$(($tries + 1))
+ done
+ if [ $cardfound = 0 ] ; then
+ echo 'Failed to find Smart Card card!' >&2
+ exit 1
+ fi
+ fi
+}
+
+wait_card
+if [ -x /bin/plymouth ] && plymouth --ping; then
+ # Get pin number from plymouth
+ /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \
+ --pin "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")"
+else
+ # Get pin number from console
+ /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw </dev/console 2>/dev/console
+fi
+exit $?
diff --git a/debian/scripts/decrypt_ssl b/debian/scripts/decrypt_ssl
new file mode 100644
index 0000000..6664001
--- /dev/null
+++ b/debian/scripts/decrypt_ssl
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Script to decrypt the key which is encrypted with openssl.
+# See /usr/share/doc/cryptsetup/examples/gen-ssl-key to create such a key.
+#
+
+decrypt_ssl () {
+ echo "" >&2
+ echo "Decrypting ssl key $1..." >&2
+ if ! /usr/bin/openssl enc -aes-256-cbc -d -salt -in "$1" 2>/dev/null; then
+ return 1
+ fi
+ return 0
+}
+
+decrypt_ssl "$1"
+exit $?
diff --git a/debian/scripts/gen-ssl-key b/debian/scripts/gen-ssl-key
new file mode 100644
index 0000000..70a6fb3
--- /dev/null
+++ b/debian/scripts/gen-ssl-key
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# script to generate a keyfile that is encrypted with openssl
+#
+# Written 2005 by Markus Nass <generalstone@gmx.net>
+# Improved 2006 by Jonas Meurer <jonas@freesources.org>
+# Further improved 2006 by Markus Nass <generalstone@gmx.net>
+
+usage() {
+ echo "Usage: $0 <key>"
+ exit 1
+}
+
+if [ -z "${1-}" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+ usage
+fi
+
+if [ -x /usr/bin/openssl ]; then
+ dd if=/dev/random bs=1c count=256 | openssl enc -aes-256-cbc -e -salt >"$1"
+else
+ echo "/usr/bin/openssl is not available" && exit 1
+fi
diff --git a/debian/scripts/luksformat b/debian/scripts/luksformat
new file mode 100644
index 0000000..ae17f79
--- /dev/null
+++ b/debian/scripts/luksformat
@@ -0,0 +1,133 @@
+#!/usr/bin/perl -w
+
+# luksformat - wrapper around LUKS-capable cryptsetup and mkfs for easy
+# creation of an encrypted device.
+#
+# (C) 2005 Canonical Ltd.
+# Author: Martin Pitt <martin.pitt@ubuntu.com>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+use Getopt::Long qw(:config pass_through);
+
+BEGIN {
+ eval 'use Locale::gettext';
+ if ($@) {
+ *gettext = sub { shift };
+ *textdomain = sub { "" };
+ *LC_MESSAGES = sub { 5 };
+ }
+ eval {
+ require POSIX;
+ import POSIX qw(setlocale);
+ };
+ if ($@) {
+ *setlocale = sub { return 1 };
+ }
+}
+
+setlocale(LC_MESSAGES, "");
+textdomain("luksformat");
+
+if ($> != 0) {
+ print STDERR gettext("This program needs to be started as root\n");
+ exit 1;
+}
+
+sub usage() {
+ print gettext("luksformat - Create and format an encrypted LUKS device
+Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n\n");
+ exit 1;
+}
+
+# default file system
+$fs = 'vfat';
+exit 1 unless GetOptions ('t|type=s' => \$fs);
+
+GetOptions ('help', \$help);
+if (($#ARGV < 0) || ($help)) {
+ usage();
+}
+
+$device = shift(@ARGV);
+
+open(MOUNTS, "/proc/mounts");
+while (<MOUNTS>) {
+ die sprintf(gettext("Error: device mounted: %s\n"), $device) if (/\Q$device\E/)
+}
+
+if (-x "/usr/sbin/mkfs.$fs") {
+ $mkfs = "/usr/sbin/mkfs.$fs";
+}
+elsif (-x "/usr/bin/mkfs.$fs") {
+ $mkfs = "/usr/bin/mkfs.$fs";
+}
+elsif (-x "/sbin/mkfs.$fs") {
+ $mkfs = "/sbin/mkfs.$fs";
+}
+elsif (-x "/bin/mkfs.$fs") {
+ $mkfs = "/bin/mkfs.$fs";
+}
+else {
+ printf STDERR (gettext("Error: invalid file system: %s\n"), $fs);
+ exit 1;
+}
+
+# generate temporary mapped device name which is not yet used
+$name = "";
+for ($i = 1; $i < 100; $i++) {
+ if (! -e "/dev/mapper/luksformat$i") {
+ $name = "luksformat$i";
+ last;
+ }
+}
+
+$name or die sprintf(gettext("Error: could not generate temporary mapped device name"));
+
+# we do not need to be overly concerned with race conditions here, cryptsetup
+# will just fail if the name already exists now.
+printf (gettext("Creating encrypted device on %s...\n"), $device);
+if ((system 'cryptsetup', 'luksFormat', $device)) {
+ die sprintf(gettext("Could not create LUKS device %s"), $device);
+}
+
+print gettext("Please enter your passphrase again to verify it\n");
+if ((system 'cryptsetup', 'open', '--type', 'luks', $device, $name) != 0) {
+ print STDERR gettext("The passphrases you entered were not identical\n");
+ exit 1;
+}
+
+$result = system $mkfs, "/dev/mapper/$name", @ARGV;
+print "\n";
+system 'udevadm', 'settle', '--timeout=30';
+system 'cryptsetup', 'luksClose', $name;
+
+die sprintf(gettext("Could not format device with file system %s"), $fs) if $result;
+
+__END__
+
+=head1 NAME
+
+luksformat - Create and format an encrypted LUKS device
+
+=head1 SYNOPSIS
+
+B<luksformat> [B<-t> I<fstype>] I<device> [ mkfs options ]
+
+=head1 DESCRIPTION
+
+B<luksformat> is a wrapper around B<cryptsetup> and B<mkfs> which provides an
+easy interface for creating an encrypted device that follows the LUKS standard
+and for putting a file system onto the encrypted device.
+
+The default file system is B<vfat> since that is most commonly used on
+removable devices. However, you can specify any available file system with the
+B<-t> option.
+
+=head1 SEE ALSO
+
+L<cryptsetup(8)>, L<mkfs(8)>
+
+=head1 AUTHOR
+
+This program was written by Martin Pitt <martin.pitt@ubuntu.com>.
diff --git a/debian/scripts/passdev.c b/debian/scripts/passdev.c
new file mode 100644
index 0000000..845ccae
--- /dev/null
+++ b/debian/scripts/passdev.c
@@ -0,0 +1,286 @@
+/*
+ * passdev.c - waits for a given device to appear, mounts it and reads a
+ * key from it which is piped to stdout.
+ *
+ * Copyright (C) 2008 David Härdeman <david@hardeman.nu>
+ *
+ * This package is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This package is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this package; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+
+#define _DEFAULT_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/mount.h>
+
+static bool do_debug = false;
+
+static void
+debug(const char *fmt, ...)
+{
+ va_list ap;
+
+ if (!do_debug)
+ return;
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+}
+
+static bool
+do_mount(const char *device, const char *dir)
+{
+ pid_t pid;
+ int status;
+ char *fstypes[] = { "ext4", "ext3", "ext2", "vfat", "btrfs", "reiserfs", "xfs", "jfs", "ntfs", "iso9660", "udf" };
+ int fsindex;
+
+ if (!device || !dir)
+ return false;
+
+ for (fsindex = 0;
+ fsindex < (sizeof(fstypes) / sizeof(fstypes[0]));
+ fsindex++)
+ {
+ pid = fork();
+ if (pid < 0) {
+ /* Error */
+ return false;
+ } else if (pid > 0) {
+ /* We're in the parent process */
+ do {
+ waitpid(pid, &status, 0);
+ } while (!WIFEXITED(status) && !WIFSIGNALED(status));
+ if (WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS)
+ return true;
+
+ /* Let's try another fstype */
+ continue;
+ } else {
+ /* We're in the child process */
+ debug("Mounting %s at %s\n", device, dir);
+ close(STDIN_FILENO);
+ close(STDOUT_FILENO);
+ close(STDERR_FILENO);
+ open("/dev/null", O_RDONLY, 0);
+ open("/dev/null", O_WRONLY, 0);
+ open("/dev/null", O_WRONLY, 0);
+ execl("/bin/mount", "/bin/mount", "-n", "-t",
+ fstypes[fsindex],
+ /*"ext4,ext3,ext2,vfat,btrfs,reiserfs,xfs,jfs,ntfs,iso9660,udf",*/
+ "-o", "noatime,nodiratime,nodev,noexec,nosuid,ro",
+ device, dir, (char *)NULL);
+
+ /* If execl works, we won't end up here */
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ /* We've tried all fstypes with no luck */
+ return false;
+}
+
+int
+main(int argc, char **argv, char **envp)
+{
+ char *debugval;
+ char *devpath;
+ char *filepath;
+ struct stat st;
+ char *tmppath;
+ char tpath[] = "/tmp/passdev.XXXXXX";
+ char *keypath;
+ int fd;
+ size_t toread;
+ size_t bytesread;
+ char *keybuffer;
+ size_t towrite;
+ size_t byteswritten;
+ ssize_t bytes;
+ char *to;
+ int timeout = 0;
+ bool do_timeout = false;
+
+ /* We only take one argument */
+ if (argc != 2) {
+ fprintf(stderr, "Incorrect number of arguments\n");
+ goto error;
+ }
+
+ /* If DEBUG=1 is in the environment, enable debug messages */
+ debugval = getenv("DEBUG");
+ if (debugval && atoi(debugval) > 0)
+ do_debug = true;
+
+ /* Split string into device and path (and timeout) */
+ devpath = argv[1];
+ filepath = strchr(devpath, ':');
+ if (!filepath || !(*filepath) || !(*(filepath + 1))) {
+ fprintf(stderr, "Invalid key path\n");
+ goto error;
+ }
+ *filepath = '\0';
+ filepath++;
+ to = strchr(filepath, ':');
+ if (to && (*to) && (*(to + 1))) {
+ *to = '\0';
+ to++;
+ timeout = atoi(to);
+ if (timeout > 0)
+ do_timeout = true;
+ }
+ debug("Path is %p and filepath is %p\n", devpath, filepath);
+ if (do_timeout)
+ debug("Timeout is %i\n",timeout);
+
+ /* Wait until device is available */
+ if (access(devpath, F_OK)) {
+ debug("Waiting for %s\n", devpath);
+ while(access(devpath, F_OK)) {
+ sleep(1);
+ if (do_timeout) {
+ if (timeout <= 0)
+ break;
+ timeout--;
+ }
+ }
+ }
+
+ /* Make sure device is a blockdev */
+ if (stat(devpath, &st)) {
+ fprintf(stderr, "Unable to stat %s\n", devpath);
+ goto error;
+ } else if (!S_ISBLK(st.st_mode)) {
+ fprintf(stderr, "%s is no block device\n", devpath);
+ goto error;
+ }
+
+ /* Create a tmp dir where we mount the device */
+ tmppath = mkdtemp(tpath);
+ if (!tmppath) {
+ fprintf(stderr, "Failed to create temporary directory\n");
+ goto error;
+ }
+
+ /* Ok, mount it */
+ if (!do_mount(devpath, tmppath)) {
+ fprintf(stderr, "Failed to mount %s\n", devpath);
+ goto error_rmdir;
+ }
+
+ /* Generate the full path to the keyfile */
+ keypath = malloc(strlen(tmppath) + 1 + strlen(filepath) + 1);
+ if (!keypath) {
+ fprintf(stderr, "Failed to allocate memory\n");
+ goto error_umount;
+ }
+ sprintf(keypath, "%s/%s", tmppath, filepath);
+
+ /* Check that the keyfile exists */
+ if (access(keypath, F_OK)) {
+ fprintf(stderr, "Keyfile doesn't exist\n");
+ goto error_free;
+ }
+
+ /* Get the size of the keyfile */
+ if (stat(keypath, &st)) {
+ fprintf(stderr, "Unable to stat keyfile\n");
+ goto error_free;
+ }
+
+ /* Check the size of the keyfile */
+ if (st.st_size < 0) {
+ fprintf(stderr, "Invalid keyfile size\n");
+ goto error_free;
+ }
+ toread = (size_t)st.st_size;
+
+ /* Open the keyfile */
+ if ((fd = open(keypath, O_RDONLY)) < 0) {
+ fprintf(stderr, "Failed to open keyfile\n");
+ goto error_free;
+ }
+
+ /* Allocate a buffer for the keyfile contents */
+ keybuffer = malloc(toread);
+ if (!keybuffer) {
+ fprintf(stderr, "Failed to allocate memory\n");
+ goto error_close;
+ exit(EXIT_FAILURE);
+ }
+
+ /* Read the keyfile */
+ bytesread = 0;
+ while (bytesread < toread) {
+ bytes = read(fd, keybuffer + bytesread, toread - bytesread);
+ if (bytes <= 0) {
+ fprintf(stderr, "Failed to read entire key\n");
+ goto error_keybuffer;
+ }
+ bytesread += bytes;
+ }
+
+ /* Clean up */
+ close(fd);
+ free(keypath);
+ umount(tmppath);
+ rmdir(tmppath);
+
+ /* Write result */
+ byteswritten = 0;
+ towrite = toread;
+ while (byteswritten < towrite) {
+ bytes = write(STDOUT_FILENO, keybuffer + byteswritten,
+ towrite - byteswritten);
+ if (bytes <= 0) {
+ fprintf(stderr, "Failed to write entire key\n");
+ memset(keybuffer, 0, toread);
+ free(keybuffer);
+ goto error;
+ }
+ byteswritten += bytes;
+ }
+
+ /* Clean up */
+ memset(keybuffer, 0, toread);
+ free(keybuffer);
+
+ /* Done */
+ exit(EXIT_SUCCESS);
+
+ /* Error handling */
+error_keybuffer:
+ memset(keybuffer, 0, toread);
+ free(keybuffer);
+error_close:
+ close(fd);
+error_free:
+ free(keypath);
+error_umount:
+ umount(tmppath);
+error_rmdir:
+ rmdir(tmppath);
+error:
+ exit(EXIT_FAILURE);
+}
+
diff --git a/debian/scripts/po/Makefile b/debian/scripts/po/Makefile
new file mode 100644
index 0000000..9eb8acf
--- /dev/null
+++ b/debian/scripts/po/Makefile
@@ -0,0 +1,39 @@
+XGETTEXT = xgettext
+MSGFMT = msgfmt
+MSGMERGE = msgmerge
+
+LOCALEDIR = /usr/share/locale
+
+.SUFFIXES: .po .mo .pot
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+
+PO = $(wildcard *.po)
+LANG = $(basename $(PO))
+MO = $(addsuffix .mo,$(LANG))
+SOURCES = ../luksformat
+
+all: update $(MO)
+update: luksformat.pot
+ -@for po in $(PO); do \
+ echo -n "Updating $$po"; \
+ $(MSGMERGE) -U $$po luksformat.pot; \
+ done;
+
+luksformat.pot: $(SOURCES)
+ $(XGETTEXT) -c -L Perl -kgtx \
+ --msgid-bugs-address=pkg-cryptsetup-devel@alioth-lists.debian.net \
+ -o $@ $(SOURCES)
+
+install: all
+ for i in $(MO) ; do \
+ t=$(DESTDIR)/$(LOCALEDIR)/`basename $$i .mo`/LC_MESSAGES ;\
+ install -d $$t ;\
+ install -m 644 $$i $$t/luksformat.mo ;\
+ done
+
+clean:
+ $(RM) $(MO) *~
+
+.PHONY: update
diff --git a/debian/scripts/po/de.po b/debian/scripts/po/de.po
new file mode 100644
index 0000000..76c7f2f
--- /dev/null
+++ b/debian/scripts/po/de.po
@@ -0,0 +1,76 @@
+# German translations for cryptsetup package
+# German messages for luksformat in cryptsetup.
+# Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the cryptsetup package.
+# Jonas Meurer <jonas@freesources.org>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2:1.3.0-1\n"
+"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@alioth-lists.debian.net\n"
+"POT-Creation-Date: 2015-12-09 13:09+0100\n"
+"PO-Revision-Date: 2011-03-08 19:40+0100\n"
+"Last-Translator: Jonas Meurer <jonas@freesources.org>\n"
+"Language-Team: German\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: ../luksformat:33
+msgid "This program needs to be started as root\n"
+msgstr "Dieses Programm muss als Benutzer root gestartet werden\n"
+
+#: ../luksformat:38
+msgid ""
+"luksformat - Create and format an encrypted LUKS device\n"
+"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n"
+"\n"
+msgstr ""
+"luksformat - LUKS-verschlüsselte Partition erstellen und formatieren\n"
+"Verwendung: luksformat [-t <Dateisystem>] <Partition> [ mkfs Optionen ]\n"
+"\n"
+
+#: ../luksformat:56
+#, perl-format
+msgid "Error: device mounted: %s\n"
+msgstr "Fehler: Partition ist eingebunden: %s\n"
+
+#: ../luksformat:72
+#, perl-format
+msgid "Error: invalid file system: %s\n"
+msgstr "Fehler: Ungültiges Dateisystem: %s\n"
+
+#: ../luksformat:85
+#, perl-format
+msgid "Error: could not generate temporary mapped device name"
+msgstr "Fehler: Erstellen einer temporären Partition schlug fehl"
+
+#. we do not need to be overly concerned with race conditions here, cryptsetup
+#. will just fail if the name already exists now.
+#: ../luksformat:89
+#, perl-format
+msgid "Creating encrypted device on %s...\n"
+msgstr "Erstelle verschlüsselte Partition auf %s...\n"
+
+#: ../luksformat:91
+#, perl-format
+msgid "Could not create LUKS device %s"
+msgstr "Erstellen der LUKS-Partition %s schlug fehl"
+
+#: ../luksformat:94
+msgid "Please enter your passphrase again to verify it\n"
+msgstr "Bitte zum verifizieren das Passwort erneut eingeben\n"
+
+#: ../luksformat:96
+msgid "The passphrases you entered were not identical\n"
+msgstr "Die eingegebenen Passwörter waren nicht identisch\n"
+
+#: ../luksformat:105
+#, perl-format
+msgid "Could not format device with file system %s"
+msgstr "Formatieren der Partition mit dem Dateisystem %s schlug fehl"
+
+#~ msgid "%s: %s"
+#~ msgstr "%s: %s"
diff --git a/debian/scripts/po/luksformat.pot b/debian/scripts/po/luksformat.pot
new file mode 100644
index 0000000..f6c1e56
--- /dev/null
+++ b/debian/scripts/po/luksformat.pot
@@ -0,0 +1,69 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@alioth-lists.debian.net\n"
+"POT-Creation-Date: 2015-12-09 13:09+0100\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../luksformat:33
+msgid "This program needs to be started as root\n"
+msgstr ""
+
+#: ../luksformat:38
+msgid ""
+"luksformat - Create and format an encrypted LUKS device\n"
+"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n"
+"\n"
+msgstr ""
+
+#: ../luksformat:56
+#, perl-format
+msgid "Error: device mounted: %s\n"
+msgstr ""
+
+#: ../luksformat:72
+#, perl-format
+msgid "Error: invalid file system: %s\n"
+msgstr ""
+
+#: ../luksformat:85
+#, perl-format
+msgid "Error: could not generate temporary mapped device name"
+msgstr ""
+
+#. we do not need to be overly concerned with race conditions here, cryptsetup
+#. will just fail if the name already exists now.
+#: ../luksformat:89
+#, perl-format
+msgid "Creating encrypted device on %s...\n"
+msgstr ""
+
+#: ../luksformat:91
+#, perl-format
+msgid "Could not create LUKS device %s"
+msgstr ""
+
+#: ../luksformat:94
+msgid "Please enter your passphrase again to verify it\n"
+msgstr ""
+
+#: ../luksformat:96
+msgid "The passphrases you entered were not identical\n"
+msgstr ""
+
+#: ../luksformat:105
+#, perl-format
+msgid "Could not format device with file system %s"
+msgstr ""
diff --git a/debian/scripts/suspend/cryptsetup-suspend-wrapper b/debian/scripts/suspend/cryptsetup-suspend-wrapper
new file mode 100644
index 0000000..953196c
--- /dev/null
+++ b/debian/scripts/suspend/cryptsetup-suspend-wrapper
@@ -0,0 +1,320 @@
+#!/bin/sh
+
+# Wrapper for cryptsetup-suspend(7)
+#
+# Copyright © 2019-2020 Tim <tim@systemli.org>
+# © 2019-2020 Jonas Meurer <jonas@freesources.org>
+# © 2020-2022 Guilhem Moulin <guilhem@debian.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set -ue
+PATH="/usr/sbin:/usr/bin:/sbin:/bin"
+export PATH
+
+# import cryptsetup shell functions
+[ -f /lib/cryptsetup/functions ] || return 0
+. /lib/cryptsetup/functions
+
+INITRAMFS_MNT="/run/cryptsetup/cryptsetup-suspend-initramfs"
+SYSTEM_SLEEP_PATH="/lib/systemd/system-sleep"
+CONFIG_FILE="/etc/cryptsetup/suspend.conf"
+unset -v INITRAMFS_DIR
+
+read_config() {
+ # define defaults
+ export UNLOCK_SESSIONS="false"
+ export KEEP_INITRAMFS="false"
+
+ # read config file if it exists
+ # shellcheck source=/etc/cryptsetup/suspend.conf
+ [ -f "$CONFIG_FILE" ] && . "$CONFIG_FILE" || true
+}
+
+# run_dir ARGS...
+# Run all executable scripts in directory SYSTEM_SLEEP_PATH with arguments ARGS
+# mimic systemd behavior
+run_dir() {
+ [ -d "$SYSTEM_SLEEP_PATH" ] || return 0
+ find "$SYSTEM_SLEEP_PATH" -type f -executable -execdir {} "$@" \;
+}
+
+log_error() {
+ # arg1 should be message
+ echo "Error: $1" | systemd-cat -t cryptsetup-suspend -p err
+ echo "Error: $1" >&2
+}
+
+mount_initramfs() {
+ local k v u IFS MemAvailable=0 SwapFree=0 new="n"
+ # update-initramfs(8) hardcodes /boot also: there is a `-b bootdir`
+ # option but no config file to put it to
+ local INITRAMFS="/boot/initrd.img-$(uname -r)" p
+ if [ ! -f "$INITRAMFS" ]; then
+ log_error "No initramfs found at $INITRAMFS"
+ exit 1
+ fi
+
+ if [ -d "$INITRAMFS_MNT" ] && [ ! "$INITRAMFS" -ot "$INITRAMFS_MNT" ]; then
+ # need to unpack again: initramfs is newer than what we unpacked earlier
+ if mountpoint -q "$INITRAMFS_MNT"; then
+ umount "$INITRAMFS_MNT"
+ fi
+ rmdir "$INITRAMFS_MNT" || exit 1
+ fi
+
+ if [ ! -d "$INITRAMFS_MNT" ]; then
+ # we need at about 300 MiB on ubuntu, 200 on debian
+ # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=34e431b0ae398fc54ea69ff85ec700722c9da773
+ while IFS=" " read -r k v u; do
+ # /proc/meminfo format is documented in proc(5)
+ case "$u" in
+ MB) u=1048576;;
+ kB) u=1024;;
+ *) u=1;;
+ esac
+ case "$k" in
+ "MemAvailable:") MemAvailable=$((v*u));;
+ "SwapFree:") SwapFree=$((v*u));;
+ esac
+ done </proc/meminfo
+ if [ $((MemAvailable+SwapFree)) -lt $((300*1024*1024)) ]; then
+ log_error "Not enough memory available. Please close some programs or add swap space to suspend successfully."
+ exit 1
+ fi
+
+ mkdir -m0700 "$INITRAMFS_MNT"
+ mount -t ramfs -o nodev,mode=0700 ramfs "$INITRAMFS_MNT"
+
+ # extract initrd.img to initramfs dir
+ unmkinitramfs "$INITRAMFS" "$INITRAMFS_MNT"
+ new="y"
+ fi
+
+ # unmkinitramfs(8) extracts microcode into folders "early*" and the actual initramfs into "main"
+ if [ -f "$INITRAMFS_MNT/sbin/cryptsetup" ]; then
+ INITRAMFS_DIR="$INITRAMFS_MNT"
+ elif [ -f "$INITRAMFS_MNT/main/sbin/cryptsetup" ]; then
+ INITRAMFS_DIR="$INITRAMFS_MNT/main"
+ else
+ log_error "Directory $INITRAMFS_MNT has unpected content" >&2
+ exit 1
+ fi
+
+ if [ "$new" = "y" ]; then
+ for p in /dev /proc /run /sys; do
+ if [ ! -d "$INITRAMFS_DIR$p" ]; then
+ mkdir -m0755 "$INITRAMFS_DIR$p"
+ fi
+ done
+
+ # copy our binary to ramdisk
+ install -m0755 -t "$INITRAMFS_DIR/bin" /lib/cryptsetup/scripts/suspend/cryptsetup-suspend
+
+ # copy all firmware files to ramdisk to prevent dead-lock
+ # see https://salsa.debian.org/mejo/cryptsetup-suspend/issues/38)
+ # TODO we should try to identify which firmwares need to be loaded
+ # and only copy those
+ if [ -d /lib/firmware ] && [ ! -d "$INITRAMFS_DIR/lib/firmware" ]; then
+ cp -dR -T -- /lib/firmware "$INITRAMFS_DIR/lib/firmware"
+ fi
+ fi
+
+ # from initramfs-tools-core's /usr/share/initramfs-tools/init
+ mount -t devtmpfs -o noexec,nosuid,mode=0755 udev "$INITRAMFS_DIR/dev"
+ mount -t proc -o nodev,noexec,nosuid proc "$INITRAMFS_DIR/proc"
+ mount -t ramfs -o nodev,noexec,nosuid,mode=0755 ramfs "$INITRAMFS_DIR/run"
+ mount -t sysfs -o nodev,noexec,nosuid sysfs "$INITRAMFS_DIR/sys"
+
+ [ -d "$INITRAMFS_DIR/dev/pts" ] || mkdir -m0755 "$INITRAMFS_DIR/dev/pts"
+ mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts "$INITRAMFS_DIR/dev/pts" || true
+
+ # remount read-only, private and unbindable
+ mount -oremount,ro --make-rprivate --make-runbindable "$INITRAMFS_MNT"
+}
+
+umount_initramfs() {
+ if [ -d "${INITRAMFS_DIR-}" ]; then
+ umount -- "$INITRAMFS_DIR/dev/pts"
+ umount -- "$INITRAMFS_DIR/dev"
+ umount -- "$INITRAMFS_DIR/proc"
+ umount -- "$INITRAMFS_DIR/run"
+ umount -- "$INITRAMFS_DIR/sys"
+ fi
+ if [ "$KEEP_INITRAMFS" != "true" ] || [ -z "${INITRAMFS_DIR+x}" ]; then
+ # always unmount if we error out before setting INITRAMFS_DIR
+ umount -- "$INITRAMFS_MNT"
+ rmdir -- "$INITRAMFS_MNT"
+ fi
+}
+
+CGROUP_FREEZER=
+freeze_cgroup() {
+ local c="$1" v
+ # freeze cgroup if non-frozen
+ if [ -f "$c" ] && v="$(cat <"$c")" && [ $v -eq 0 ]; then
+ echo 1 >"$c"
+ CGROUP_FREEZER="$c${CGROUP_FREEZER:+" $CGROUP_FREEZER"}"
+ fi
+}
+freeze_cgroups() {
+ local mycgroup c
+
+ # freeze all machines/containers and user cgroups
+ freeze_cgroup "$hierarchy/machine.slice/cgroup.freeze"
+ freeze_cgroup "$hierarchy/user.slice/cgroup.freeze"
+
+ # get my second level cgroup
+ mycgroup="$(grep -m1 "^0::" /proc/self/cgroup | cut -sd/ -f3)"
+
+ # freeze all system cgroups except ours and systemd-suspend
+ for c in "$hierarchy"/system.slice/*/cgroup.freeze; do
+ if [ "$c" != "$hierarchy/system.slice/$mycgroup/cgroup.freeze" ] && \
+ [ "${c#"$hierarchy/system.slice/systemd-suspend."}" = "$c" ]; then
+ freeze_cgroup "$c"
+ fi
+ done
+
+ # freeze systemd itself
+ freeze_cgroup "$hierarchy/init.scope/cgroup.freeze"
+}
+
+thaw_cgroups() {
+ local c
+ for c in $CGROUP_FREEZER; do
+ echo 0 >"$c"
+ done
+}
+
+populate_ACTIVE_DEVICES() {
+ local DEV MAJ MIN
+ if ! dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
+ # silently ignore unmapped devices
+ return 0
+ elif [ "$(dmsetup info --noheadings -c -o subsystem -- "$CRYPTTAB_NAME")" != "CRYPT" ]; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: Subsystem mismatch"
+ return 1
+ elif ! _resolve_device "$CRYPTTAB_SOURCE"; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: Missing source $CRYPTTAB_SOURCE"
+ return 1
+ elif [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch"
+ return 1
+ fi
+
+ if ! crypttab_parse_options --quiet; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: Unable to parse options field"
+ return 1
+ elif [ "$CRYPTTAB_TYPE" != "luks" ]; then
+ # XXX does it even work with detached headers?
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: unable to suspend non-LUKS device"
+ return 0
+ fi
+
+ # XXX that's not robust since $CRYPTTAB_NAME might contain spaces or
+ # special characters; we need to create a NUL-delimited list in a
+ # file instead
+ ACTIVE_DEVICES="${ACTIVE_DEVICES:+"$ACTIVE_DEVICES "}$CRYPTTAB_NAME"
+}
+
+clean_up() {
+ # we always want to run through the whole cleanup
+ set +e
+
+ # thaw all frozen cgroups
+ thaw_cgroups
+
+ # Run post-suspend scripts
+ run_dir post suspend
+
+ umount_initramfs
+
+ # unlock sessions
+ if [ "$UNLOCK_SESSIONS" = "true" ]; then
+ loginctl unlock-sessions
+ fi
+}
+
+## Main script
+
+# check unified cgroups hierarchy
+# https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md
+if [ -d /sys/fs/cgroup/system.slice ]; then
+ hierarchy="/sys/fs/cgroup"
+elif [ -d /sys/fs/cgroup/unified/system.slice ]; then
+ # hybrid cgroup hierarchy
+ hierarchy="/sys/fs/cgroup/unified"
+else
+ log_error "No unified cgroups hierarchy"
+ exit 1
+fi
+
+# check that not run as user
+# XXX: We should catch also cases where libpam-systemd is not installed
+if grep -Eq '^[0-9]+:[^:]*:/user\.slice/' /proc/self/cgroup; then
+ log_error "Don't run this script as user"
+ exit 1
+fi
+
+# always thaw cgroups, re-mount filesystems and remove initramfs at the end of the script
+trap clean_up EXIT
+
+read_config
+
+# extract temporary filesystem to switch to
+mount_initramfs
+
+# Run pre-suspend scripts
+run_dir pre suspend
+
+# populate list of active crypt devices
+ACTIVE_DEVICES=""
+crypttab_foreach_entry populate_ACTIVE_DEVICES
+
+# freeze all cgroups but us
+freeze_cgroups
+
+# No longer fail in case of errors
+set +e
+
+# change into ramdisk
+devices_remaining="$(chroot "$INITRAMFS_DIR" /bin/sh -c "
+ # suspend active luks devices (in reverse order) and system
+ /bin/cryptsetup-suspend --reverse $ACTIVE_DEVICES
+
+ TABFILE=\"/cryptroot/crypttab\"
+ . /lib/cryptsetup/functions
+
+ # resume active luks devices (only initramfs devices)
+ for dev in $ACTIVE_DEVICES; do
+ if crypttab_find_entry --quiet \"\$dev\"; then
+ DM_DISABLE_UDEV=y resume_device \"\$dev\" || sleep 5
+ else
+ # write remaining devices to FD3
+ printf \"%s \" \"\$dev\" >&3
+ fi
+ done
+" 3>&- 3>&1 >&2)"
+
+# resume remaining active luks devices (non-initramfs devices)
+for dev in $devices_remaining; do
+ if crypttab_find_entry --quiet "$dev"; then
+ # explicitely disable udev support, cf. #1020553
+ # XXX this is not ideal since udev might be required in some situations
+ # (detached header or key material on removable device comes to mind)
+ DM_DISABLE_UDEV=y resume_device "$dev" || true
+ else
+ log_error "'$dev' not found in /etc/crypttab"
+ fi
+done
diff --git a/debian/scripts/suspend/cryptsetup-suspend.c b/debian/scripts/suspend/cryptsetup-suspend.c
new file mode 100644
index 0000000..af1b6f6
--- /dev/null
+++ b/debian/scripts/suspend/cryptsetup-suspend.c
@@ -0,0 +1,225 @@
+/*
+ * Small program to LUKS suspend devices before system suspend
+ *
+ * Copyright: (c) 2018 Guilhem Moulin <guilhem@debian.org>
+ * (c) 2018-2020 Jonas Meurer <jonas@freesources.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdbool.h>
+#include <err.h>
+#include <errno.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+#include <libcryptsetup.h>
+
+#define SYSFS_POWER_SYNC_ON_SUSPEND "/sys/power/sync_on_suspend"
+#define SYSFS_POWER_STATE "/sys/power/state"
+
+void usage() {
+ printf("Usage: cryptsetup-suspend [-r|--reverse] <blkdev> [<blkdev> ...]\n"
+ " -r, --reverse process luks devices in reverse order\n\n");
+ exit(1);
+}
+
+/* Calculate free memory (MemAvailable + SwapFree) from /proc/meminfo */
+uint32_t get_mem_swap_avail_kb() {
+ FILE *meminfo = fopen("/proc/meminfo", "r");
+ if (meminfo == NULL)
+ err(EXIT_FAILURE, "couldn't open /proc/meminfo");
+
+ int mem_avail_kb, swap_free_kb = 0;
+ char line[256];
+ while (fgets(line, sizeof(line), meminfo)) {
+ if (strncmp(line, "MemAvailable", strlen("MemAvailable")) == 0) {
+ if (sscanf(line, "MemAvailable: %d kB", &mem_avail_kb) != 1)
+ errx(EXIT_FAILURE, "couldn't read MemAvailable from /proc/meminfo");
+ } else if (strncmp(line, "SwapFree", strlen("SwapFree")) == 0) {
+ if (sscanf(line, "SwapFree: %d kB", &swap_free_kb) != 1)
+ errx(EXIT_FAILURE, "couldn't read SwapFree from /proc/meminfo");
+ }
+ }
+ fclose(meminfo);
+
+ uint32_t mem_swap_avail_kb = mem_avail_kb + swap_free_kb;
+ if (mem_swap_avail_kb == 0)
+ errx(EXIT_FAILURE, "error reading available memory and swap from /proc/meminfo");
+
+ return mem_swap_avail_kb;
+}
+
+int main(int argc, char *argv[]) {
+ int rv = 0;
+ bool reverse = 0;
+ int d_size;
+ bool sync_on_suspend_reset = 0;
+ FILE *sos = NULL;
+
+ /* Process commandline arguments */
+ if (argc < 2) {
+ usage();
+ } else if ((strcmp(argv[1], "-r") == 0) || (strcmp(argv[1], "--reverse") == 0)) {
+ if (argc < 3)
+ usage();
+
+ reverse = 1;
+ d_size = argc-2;
+ } else {
+ d_size = argc-1;
+ }
+
+ /* Read in devices */
+ const char *devices[d_size];
+ if (!reverse) {
+ for (int i = 0; i < d_size; i++) {
+ devices[i] = argv[i+1];
+ }
+ } else {
+ for (int i = 0; i < d_size; i++) {
+ devices[i] = argv[argc-i-1];
+ }
+ }
+
+ /* Disable sync_on_suspend in Linux kernel
+ *
+ * Only available in Linux kernel >= 5.6 */
+ if (access(SYSFS_POWER_SYNC_ON_SUSPEND, W_OK) < 0) {
+ if (errno == ENOENT)
+ warnx("kernel too old, can't disable sync on suspend");
+ } else {
+ sos = fopen(SYSFS_POWER_SYNC_ON_SUSPEND, "r+");
+ if (!sos)
+ err(EXIT_FAILURE, "couldn't open sysfs file");
+
+ int sos_c = fgetc(sos);
+ if (fgetc(sos) == EOF)
+ err(EXIT_FAILURE, "couldn't read from file");
+
+ if (sos_c == '0') {
+ /* Already disabled */
+ } else if (sos_c == '1') {
+ sync_on_suspend_reset = 1;
+ if (fputc('0', sos) <= 0)
+ err(EXIT_FAILURE, "couldn't write to file");
+ } else {
+ errx(EXIT_FAILURE, "unexpected value from %s", SYSFS_POWER_SYNC_ON_SUSPEND);
+ }
+
+ fclose(sos);
+ }
+
+ /* Change process priority to -20 (highest) to avoid races between
+ * the LUKS suspend(s) and the suspend-on-ram. */
+ if (setpriority(PRIO_PROCESS, 0, -20) == -1)
+ warn("can't lower process priority to -20");
+
+ /* Get memory settings of keyslots from processed LUKS2 devices */
+ uint32_t argon2i_max_memory_kb = 0;
+ for (int i = 0; i < d_size; i++) {
+ struct crypt_device *cd = NULL;
+ if (crypt_init_by_name(&cd, devices[i])) {
+ warnx("couldn't init LUKS device %s", devices[i]);
+ rv = EXIT_FAILURE;
+ } else {
+ /* Only LUKS2 devices may use argon2i PBKDF */
+ if (strcmp(crypt_get_type(cd), CRYPT_LUKS2) != 0)
+ continue;
+ int ks_max = crypt_keyslot_max(crypt_get_type(cd));
+ for (int j = 0; j < ks_max; j++) {
+ crypt_keyslot_info ki = crypt_keyslot_status(cd, j);
+ /* Only look at active keyslots */
+ if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
+ continue;
+ struct crypt_pbkdf_type pbkdf_ki;
+ if (crypt_keyslot_get_pbkdf(cd, j, &pbkdf_ki) < 0) {
+ warn("couldn't get PBKDF for keyslot %d of device %s", j, devices[i]);
+ rv = EXIT_FAILURE;
+ } else {
+ if (pbkdf_ki.max_memory_kb > argon2i_max_memory_kb)
+ argon2i_max_memory_kb = pbkdf_ki.max_memory_kb;
+ }
+ }
+ }
+ crypt_free(cd);
+ }
+
+ /* Add some more memory to be on the safe side
+ * TODO: find a reasonable value */
+ argon2i_max_memory_kb += 2 * 1024; // 2MB
+
+ /* Check if we have enough memory available to prevent mlock() from
+ * triggering the OOM killer. */
+ uint32_t mem_swap_avail_kb = get_mem_swap_avail_kb();
+ if (argon2i_max_memory_kb > mem_swap_avail_kb) {
+ errx(EXIT_FAILURE, "Error: Available memory (%d kb) less than required (%d kb)",
+ mem_swap_avail_kb, argon2i_max_memory_kb);
+ }
+
+ /* Allocate and lock memory for later usage by LUKS resume in order to
+ * prevent swapping out after LUKS devices (which might include swap
+ * storage) have been suspended. */
+ fprintf(stderr, "Allocating and mlocking memory: %d kb\n", argon2i_max_memory_kb);
+ char *mem;
+ if (!(mem = malloc(argon2i_max_memory_kb)))
+ err(EXIT_FAILURE, "couldn't allocate enough memory");
+ if (mlock(mem, argon2i_max_memory_kb) == -1)
+ err(EXIT_FAILURE, "couldn't lock enough memory");
+ /* Fill the allocated memory to make sure it's really reserved even if
+ * memory pages are copy-on-write. */
+ size_t i;
+ size_t page_size = getpagesize();
+ for (i = 0; i < argon2i_max_memory_kb; i += page_size)
+ mem[i] = 0;
+
+ /* Do the final filesystem sync since we disabled sync_on_suspend in
+ * Linux kernel. */
+ sync();
+
+ for (int i = 0; i < d_size; i++) {
+ struct crypt_device *cd = NULL;
+ if (crypt_init_by_name(&cd, devices[i]) || crypt_suspend(cd, devices[i])) {
+ warnx("couldn't suspend LUKS device %s", devices[i]);
+ rv = EXIT_FAILURE;
+ }
+ crypt_free(cd);
+ }
+
+ fprintf(stderr, "Sleeping...\n");
+ FILE *s = fopen(SYSFS_POWER_STATE, "w");
+ if (!s)
+ err(EXIT_FAILURE, "failed to open %s", SYSFS_POWER_STATE);
+ if (fputs("mem", s) <= 0)
+ err(EXIT_FAILURE, "couldn't write to %s", SYSFS_POWER_STATE);
+ fclose(s);
+ fprintf(stderr, "Resuming...\n");
+
+ /* Restore original sync_on_suspend value */
+ if (sync_on_suspend_reset) {
+ sos = fopen(SYSFS_POWER_SYNC_ON_SUSPEND, "w");
+ if (!sos)
+ err(EXIT_FAILURE, "couldn't open sysfs file");
+ if (fputc('1', sos) <= 0)
+ err(EXIT_FAILURE, "couldn't write to file");
+ fclose(sos);
+ }
+
+ return rv;
+}
diff --git a/debian/scripts/suspend/cryptsetup-suspend.shutdown b/debian/scripts/suspend/cryptsetup-suspend.shutdown
new file mode 100644
index 0000000..f7d9f5d
--- /dev/null
+++ b/debian/scripts/suspend/cryptsetup-suspend.shutdown
@@ -0,0 +1,3 @@
+#!/bin/sh
+umount -R /run/cryptsetup/cryptsetup-suspend-initramfs
+rmdir /run/cryptsetup/cryptsetup-suspend-initramfs
diff --git a/debian/scripts/suspend/suspend.conf b/debian/scripts/suspend/suspend.conf
new file mode 100644
index 0000000..79b2287
--- /dev/null
+++ b/debian/scripts/suspend/suspend.conf
@@ -0,0 +1,10 @@
+# Caution: This file will be sourced by another script.
+# For security reasons, it should only be writable by root.
+
+# Automatically unlock user sessions after resume
+# UNLOCK_SESSIONS="false"
+
+# Keep unpacked initramfs in RAM to accelerate suspension (this setting
+# is ignored when the default initramfs image is newer than the
+# cached/unpacked image)
+# KEEP_INITRAMFS="false"
diff --git a/debian/scripts/suspend/systemd/cryptsetup-suspend.conf b/debian/scripts/suspend/systemd/cryptsetup-suspend.conf
new file mode 100644
index 0000000..10664cf
--- /dev/null
+++ b/debian/scripts/suspend/systemd/cryptsetup-suspend.conf
@@ -0,0 +1,12 @@
+[Service]
+# Protect against OOM killer. luksResume with Argon2 needs a lot of memory
+OOMScoreAdjust=-1000
+# Give us higher priority
+Nice=-10
+# override ExecStart of systemd-suspend.service
+ExecStart=
+# use VT 8 as workaround for https://gitlab.gnome.org/GNOME/gdm/issues/527
+# XXX on systems specifying the console= kernel parameter (such as a serial
+# port) we should probably honor it
+ExecStart=/bin/openvt -ws -c8 \
+ /lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..6c7d309
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1 @@
+very-long-line-length-in-source-file 1464 > 512 [lib/crypto_backend/argon2/LICENSE:23]
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..52752a3
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,133 @@
+# Run the installed binaries and libraries through the full upstream test suite.
+Features: test-name=upstream-testsuite
+Test-Command: make -C ./tests -f Makefile.localtest -j tests CRYPTSETUP_PATH=/sbin TESTSUITE_NOSKIP=y
+Depends: cryptsetup-bin,
+# to compile tests/*.c
+ gcc,
+ libcryptsetup-dev,
+ libdevmapper-dev,
+#
+# for hexdump(1)
+ bsdextrautils,
+# for dmsetup(8)
+ dmsetup,
+# for expect(1)
+ expect,
+# for jq(1)
+ jq,
+# for keyctl(1)
+ keyutils,
+# for modprobe(8) and rmmod(8)
+ kmod,
+# for free(1)
+ procps,
+# for uuencode(1)
+ sharutils,
+# for xxd(1)
+ xxd
+#
+# Use machine-level isolation since some extra tests want to interact
+# with the kernel, load modules, and create/remove loop devices
+Restrictions: allow-stderr, needs-root, isolation-machine, rw-build-tree
+
+# Run ./tests/ssh-test-plugin on its own since it has its own dependency set.
+Features: test-name=ssh-test-plugin
+Test-Command: cd ./tests && CRYPTSETUP_PATH=/sbin TESTSUITE_NOSKIP=y RUN_SSH_PLUGIN_TEST=y ./ssh-test-plugin
+Depends: cryptsetup-bin,
+ cryptsetup-ssh,
+ netcat-openbsd,
+ openssh-client,
+ openssh-server,
+ openssl,
+ sshpass
+Restrictions: needs-root, isolation-machine
+
+
+Tests: cryptdisks, cryptdisks.init
+Depends: cryptsetup, xxd
+Restrictions: allow-stderr, needs-root, isolation-machine
+
+# This test doesn't replace the cryptroot-* tests below which mock a
+# complete system incl. unlocking at initramfs stage, but it's also
+# significantly faster so we use it for crude checks of our initramfs
+# hook and the initramfs image itself.
+Tests: initramfs-hook
+Depends: cryptsetup-initramfs, e2fsprogs, zstd
+Restrictions: allow-stderr, needs-root, isolation-machine
+
+Tests: cryptroot-lvm, cryptroot-legacy
+# Only dependencies required to set the VM here are listed here;
+# cryptsetup is not listed since we only install it in the VM.
+Depends: cryptsetup-bin,
+ dosfstools [arm64 armhf],
+ fdisk,
+ genext2fs,
+ initramfs-tools-core,
+ libjson-perl,
+ lvm2,
+ qemu-efi-aarch64 [arm64],
+ qemu-efi-arm [armhf],
+ qemu-system-arm [arm64 armhf] | qemu-system-x86 [amd64 i386] | qemu-system,
+ udev
+# We only need root to create /dev/kvm, really. And while it works
+# locally and on debci, it doesn't work on salsa CI..
+Restrictions: allow-stderr, needs-root
+Architecture: amd64 i386
+
+Tests: cryptroot-md
+Depends: cryptsetup-bin,
+ dosfstools [arm64 armhf],
+ fdisk,
+ genext2fs,
+ initramfs-tools-core,
+ libjson-perl,
+ lvm2,
+ mdadm,
+ qemu-efi-aarch64 [arm64],
+ qemu-efi-arm [armhf],
+ qemu-system-arm [arm64 armhf] | qemu-system-x86 [amd64 i386] | qemu-system,
+ udev
+Restrictions: allow-stderr, needs-root
+Architecture: amd64 i386
+
+Tests: cryptroot-nested
+Depends: btrfs-progs,
+ cryptsetup-bin,
+ dosfstools [arm64 armhf],
+ fdisk,
+ genext2fs,
+ initramfs-tools-core,
+ libjson-perl,
+ lvm2,
+ mdadm,
+ qemu-efi-aarch64 [arm64],
+ qemu-efi-arm [armhf],
+ qemu-system-arm [arm64 armhf] | qemu-system-x86 [amd64 i386] | qemu-system,
+ udev
+Restrictions: allow-stderr, needs-root
+Architecture: amd64 i386
+
+Tests: cryptroot-sysvinit
+Depends: cryptsetup-bin,
+ dosfstools [arm64 armhf],
+ fdisk,
+ genext2fs,
+ initramfs-tools-core,
+ libjson-perl,
+ qemu-efi-aarch64 [arm64],
+ qemu-efi-arm [armhf],
+ qemu-system-arm [arm64 armhf] | qemu-system-x86 [amd64 i386] | qemu-system,
+ udev
+Restrictions: allow-stderr, needs-root
+Architecture: amd64 i386
+
+# Dummy test so that kernel updates trigger our other autopkgtests on debci
+Features: test-name=hint-testsuite-triggers
+Test-Command: false
+Depends: linux-image-generic,
+ linux-image-amd64 [amd64],
+ linux-image-arm64 [arm64],
+ linux-image-armmp-lpae [armhf],
+ linux-image-686-pae [i386]
+Restrictions: hint-testsuite-triggers
+Architecture: amd64 i386
diff --git a/debian/tests/cryptdisks b/debian/tests/cryptdisks
new file mode 100755
index 0000000..3d3223b
--- /dev/null
+++ b/debian/tests/cryptdisks
@@ -0,0 +1,764 @@
+#!/bin/bash
+
+set -eux
+PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+export PATH
+
+TMPDIR="$AUTOPKGTEST_TMP"
+
+# wrappers
+luks1Format() {
+ cryptsetup luksFormat --batch-mode --type=luks1 \
+ --pbkdf-force-iterations=1000 \
+ "$@"
+}
+luks2Format() {
+ cryptsetup luksFormat --batch-mode --type=luks2 \
+ --pbkdf=argon2id --pbkdf-force-iterations=4 --pbkdf-memory=32 \
+ "$@"
+}
+diff() { command diff --color=auto --text "$@"; }
+
+# create disk image
+CRYPT_IMG="$TMPDIR/disk.img"
+CRYPT_DEV=""
+install -m0600 /dev/null "$TMPDIR/keyfile"
+disk_setup() {
+ local lo
+ for lo in $(losetup -j "$CRYPT_IMG" | cut -sd: -f1); do
+ losetup -d "$lo"
+ done
+ dd if="/dev/zero" of="$CRYPT_IMG" bs=1M count=64
+ CRYPT_DEV="$(losetup --find --show -- "$CRYPT_IMG")"
+}
+
+
+#######################################################################
+# make sure empty passphrases are NEVER accepted
+
+disk_setup
+! cryptsetup luksFormat "$CRYPT_DEV" </dev/null || exit 1
+! blkid -p "$CRYPT_DEV" || exit 1
+
+! echo -n "" | cryptsetup luksFormat "$CRYPT_DEV" - || exit 1
+! blkid -p "$CRYPT_DEV" || exit 1
+
+! cryptsetup luksFormat --batch-mode "$CRYPT_DEV" /dev/null || exit 1
+! blkid -p "$CRYPT_DEV" || exit 1
+
+! cryptsetup luksFormat --batch-mode "$CRYPT_DEV" </dev/null || exit 1
+! blkid -p "$CRYPT_DEV" || exit 1
+
+! echo -n "" | luks2Format "$CRYPT_DEV" - || exit 1
+! blkid -p "$CRYPT_DEV" || exit 1
+
+
+#######################################################################
+# LUKS
+
+# interactive
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+luks2Format -- "$CRYPT_DEV" <"$TMPDIR/passphrase"
+t="$(blkid -s TYPE -o value -- "$CRYPT_DEV")"
+test "$t" = "crypto_LUKS"
+
+cat >/etc/crypttab <<-EOF
+ test0_crypt $CRYPT_DEV none
+EOF
+cryptdisks_start test0_crypt </dev/tty & pid=$!
+
+# check command line and environment
+until [ -p /lib/cryptsetup/passfifo ]; do sleep 1; done
+pid2="$(find /proc/[0-9]* -mindepth 1 -maxdepth 1 -name "exe" \
+ -execdir sh -euc 'diff -q -- "$0" /usr/lib/cryptsetup/askpass >/dev/null' {} \; \
+ -print 2>/dev/null | cut -sd/ -f3)"
+test -n "$pid2"
+printf '%s\0Please unlock disk %s: \0' /lib/cryptsetup/askpass test0_crypt >"$TMPDIR/cmdline"
+diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline" "/proc/$pid2/cmdline"
+tr '\n' '\0' >"$TMPDIR/environ" <<-EOF
+ CRYPTTAB_NAME=test0_crypt
+ CRYPTTAB_OPTIONS=
+ CRYPTTAB_SOURCE=$CRYPT_DEV
+ CRYPTTAB_TRIED=0
+ _CRYPTTAB_NAME=test0_crypt
+ _CRYPTTAB_OPTIONS=
+ _CRYPTTAB_SOURCE=$CRYPT_DEV
+EOF
+grep -Ez "^_?CRYPTTAB_" <"/proc/$pid2/environ" | sort -z | diff -u --label=a/environ --label=b/environ -- "$TMPDIR/environ" -
+
+# unlock device
+tr -d '\n' <"$TMPDIR/passphrase" >/lib/cryptsetup/passfifo # remove trailing newline
+wait $pid
+stty sane || true
+test -b /dev/mapper/test0_crypt
+
+# check default cipher (if it changes we probably want to update the doc and revise some scripts)
+cipher="$(dmsetup table --target=crypt test0_crypt | cut -d" " -f4)"
+test "$cipher" = "aes-xts-plain64"
+
+# make sure the kernel keyring is used by default for the encryption key
+key="$(dmsetup table --target=crypt test0_crypt | cut -d" " -f5)"
+test "${key:0:21}" = ":64:logon:cryptsetup:"
+
+cryptdisks_stop test0_crypt
+
+# remove trailing newline and unlock via key file
+tr -d '\n' <"$TMPDIR/passphrase" >"$TMPDIR/keyfile"
+cat >/etc/crypttab <<-EOF
+ test0_crypt $CRYPT_DEV $TMPDIR/keyfile
+EOF
+cryptdisks_start test0_crypt
+test -b /dev/mapper/test0_crypt
+cryptdisks_stop test0_crypt
+
+# special characters
+ln -sT -- keyfile "$TMPDIR/key fi:le"
+cat >/etc/crypttab <<-EOF
+ test0\\0045crypt $CRYPT_DEV $TMPDIR/key\\0040fi\\0072le
+EOF
+cryptdisks_start "test0%crypt"
+dmsetup table --target=crypt "test0%crypt" | cut -d" " -f5 | grep -F ":64:logon:cryptsetup:" # name in /dev/mapper is probably mangled
+cryptdisks_stop "test0%crypt"
+
+
+#######################################################################
+# cipher=, size= (plain)
+
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+cat >/etc/crypttab <<-EOF
+ plain_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=twofish-cbc-essiv:sha256,size=256
+EOF
+
+cryptdisks_start plain_crypt
+test -b /dev/mapper/plain_crypt
+
+# check cipher
+cipher="$(dmsetup table --target=crypt plain_crypt | cut -d" " -f4)"
+test "$cipher" = "twofish-cbc-essiv:sha256"
+
+# check encryption key
+xxd -ps -c256 "$TMPDIR/keyfile" >"$TMPDIR/keyfile-hex"
+dmsetup table --target=crypt --showkeys plain_crypt | cut -d" " -f5 | \
+ diff --label=a/key --label=b/key "$TMPDIR/keyfile-hex" -
+
+cryptdisks_stop plain_crypt
+
+
+#######################################################################
+# sector-size=
+
+disk_setup
+cat >/etc/crypttab <<-EOF
+ sector_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-cbc-essiv:sha256,size=256,sector-size=4096
+EOF
+
+cryptdisks_start sector_crypt
+test -b /dev/mapper/sector_crypt
+
+dmsetup table --target=crypt sector_crypt | cut -d" " -f10- | grep -Fw "sector_size:4096"
+
+cryptdisks_stop sector_crypt
+
+
+#######################################################################
+# hash= (interactive, ignored with keyfile)
+
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+cat >/etc/crypttab <<-EOF
+ hash_crypt $CRYPT_DEV none plain,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
+EOF
+
+cryptdisks_start hash_crypt </dev/tty & pid=$!
+until [ -p /lib/cryptsetup/passfifo ]; do sleep 1; done
+tr -d '\n' <"$TMPDIR/passphrase" >/lib/cryptsetup/passfifo # remove trailing newline
+wait $pid
+stty sane || true
+test -b /dev/mapper/hash_crypt
+
+# check encryption key
+tr -d '\n' <"$TMPDIR/passphrase" | sha256sum | cut -d" " -f1 >"$TMPDIR/passphrase-hash"
+dmsetup table --target=crypt --showkeys hash_crypt | cut -d" " -f5 | \
+ diff --label=a/key --label=b/key "$TMPDIR/passphrase-hash" -
+cryptdisks_stop hash_crypt
+
+
+#######################################################################
+# offset=, skip=
+
+offset=2048 # in 512 byte sectors
+skip=256 # in 512 byte sectors
+disk_setup
+cat >/etc/crypttab <<-EOF
+ offset_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-cbc-essiv:sha256,size=256,offset=$offset,skip=$skip
+EOF
+
+# having an existing file system before the offset has no effect (cf. #994056)
+dmsetup create hidden --table "0 $offset linear $CRYPT_DEV 0"
+mke2fs -t ext2 -m0 -Fq /dev/mapper/hidden
+u="$(blkid -p -s UUID -o value /dev/mapper/hidden)"
+dd if=/dev/mapper/hidden of="$TMPDIR/hidden.img" bs=512
+dmsetup remove hidden
+u2="$(blkid -p -s UUID -o value -- "$CRYPT_DEV")"
+test "$u" = "$u2"
+
+cryptdisks_start offset_crypt
+test -b /dev/mapper/offset_crypt
+
+# check offset and skip values
+offset2="$(dmsetup table --target=crypt offset_crypt | cut -d" " -f8)" && test $offset -eq $offset2
+skip2="$( dmsetup table --target=crypt offset_crypt | cut -d" " -f6)" && test $skip -eq $skip2
+
+# ensure that the first 2048 sectors (only) are left zeroed out
+dd if=/dev/zero of=/dev/mapper/offset_crypt bs=1M || true
+cryptdisks_stop offset_crypt
+
+dd if="$CRYPT_DEV" of="$TMPDIR/hidden2.img" bs=512 count="$offset"
+command diff -q -- "$TMPDIR/hidden.img" "$TMPDIR/hidden2.img" || exit 1
+! xxd -l32 -s$((offset*512)) -ps -c32 <"$CRYPT_DEV" | grep -Fxq 0000000000000000000000000000000000000000000000000000000000000000
+rm -f -- "$TMPDIR/hidden.img" "$TMPDIR/hidden2.img"
+
+
+#######################################################################
+# keyfile-offset=, keyfile-size=
+
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
+install -m0600 /dev/null "$TMPDIR/keyfile2"
+
+# keyfile-offset=
+head -c1024 </dev/urandom >"$TMPDIR/keyfile2"
+cat "$TMPDIR/keyfile" >>"$TMPDIR/keyfile2"
+cat >/etc/crypttab <<-EOF
+ keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2 keyfile-offset=1024
+EOF
+cryptdisks_start keyfile_crypt
+test -b /dev/mapper/keyfile_crypt
+cryptdisks_stop keyfile_crypt
+
+# keyfile-size=
+cat "$TMPDIR/keyfile" >"$TMPDIR/keyfile2"
+head -c1024 </dev/urandom >>"$TMPDIR/keyfile2"
+cat >/etc/crypttab <<-EOF
+ keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2 keyfile-size=32
+EOF
+cryptdisks_start keyfile_crypt
+test -b /dev/mapper/keyfile_crypt
+cryptdisks_stop keyfile_crypt
+
+# keyfile-offset= + keyfile-size=
+head -c32 </dev/urandom >"$TMPDIR/keyfile2"
+cat "$TMPDIR/keyfile" >>"$TMPDIR/keyfile2"
+head -c32 </dev/urandom >>"$TMPDIR/keyfile2"
+cat >/etc/crypttab <<-EOF
+ keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2 keyfile-offset=32,keyfile-size=32
+EOF
+cryptdisks_start keyfile_crypt
+test -b /dev/mapper/keyfile_crypt
+cryptdisks_stop keyfile_crypt
+
+# make sure the key isn't valid without offset and size
+cat >/etc/crypttab <<-EOF
+ keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2
+EOF
+! cryptdisks_start keyfile_crypt
+test ! -b /dev/mapper/keyfile_crypt
+rm -vf -- "$TMPDIR/keyfile2"
+
+
+#######################################################################
+# key-slot=
+
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+luks2Format --key-slot=0 -- "$CRYPT_DEV" "$TMPDIR/keyfile"
+
+install -m0600 /dev/null "$TMPDIR/keyfile2"
+head -c32 </dev/urandom >"$TMPDIR/keyfile2"
+cryptsetup luksAddKey --key-file="$TMPDIR/keyfile" \
+ --pbkdf=pbkdf2 --pbkdf-force-iterations=1000 \
+ --key-slot=1 -- "$CRYPT_DEV" "$TMPDIR/keyfile2"
+
+cryptsetup luksOpen --test-passphrase --key-file="$TMPDIR/keyfile" --key-slot=0 -- "$CRYPT_DEV"
+cryptsetup luksOpen --test-passphrase --key-file="$TMPDIR/keyfile2" --key-slot=1 -- "$CRYPT_DEV"
+
+# use slot #1 after trying #0
+cat >/etc/crypttab <<-EOF
+ keyslot_crypt $CRYPT_DEV $TMPDIR/keyfile2
+EOF
+cryptdisks_start keyslot_crypt
+test -b /dev/mapper/keyslot_crypt
+cryptdisks_stop keyslot_crypt
+
+# use wrong slot #0
+cat >/etc/crypttab <<-EOF
+ keyslot_crypt $CRYPT_DEV $TMPDIR/keyfile2 key-slot=0
+EOF
+! cryptdisks_start keyslot_crypt
+test ! -b /dev/mapper/keyslot_crypt
+
+# use right slot #1
+cat >/etc/crypttab <<-EOF
+ keyslot_crypt $CRYPT_DEV $TMPDIR/keyfile2 key-slot=1
+EOF
+cryptdisks_start keyslot_crypt
+test -b /dev/mapper/keyslot_crypt
+cryptdisks_stop keyslot_crypt
+rm -f -- "$TMPDIR/keyfile2"
+
+
+#######################################################################
+# header=
+
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+luks2Format --header="$TMPDIR/crypt_img.hdr" -- "$CRYPT_DEV" "$TMPDIR/keyfile"
+test -f "$TMPDIR/crypt_img.hdr"
+
+# make sure the signature is on the header only
+t="$(blkid -s TYPE -o value -- "$TMPDIR/crypt_img.hdr")"
+test "$t" = "crypto_LUKS"
+! blkid -p -- "$CRYPT_DEV"
+
+# make sure we can't unlock without the header
+cat >/etc/crypttab <<-EOF
+ header_crypt $CRYPT_DEV $TMPDIR/keyfile luks
+EOF
+! cryptdisks_start header_crypt
+test ! -b /dev/mapper/header_crypt
+
+# unlock using the header
+cat >/etc/crypttab <<-EOF
+ header_crypt $CRYPT_DEV $TMPDIR/keyfile header=$TMPDIR/crypt_img.hdr
+EOF
+cryptdisks_start header_crypt
+test -b /dev/mapper/header_crypt
+cryptdisks_stop header_crypt
+rm -f -- "$TMPDIR/crypt_img.hdr"
+
+
+#######################################################################
+# readonly
+
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
+
+# unlock readonly from crypttab(5)
+cat >/etc/crypttab <<-EOF
+ readonly_crypt $CRYPT_DEV $TMPDIR/keyfile readonly
+EOF
+cryptdisks_start readonly_crypt
+test -b /dev/mapper/readonly_crypt
+dm="$(readlink -e "/dev/mapper/readonly_crypt")"
+ro="$(< "/sys/block/${dm##*/}/ro")"
+test "$ro" -eq 1
+cryptdisks_stop readonly_crypt
+
+# unlock readonly with --readonly
+cat >/etc/crypttab <<-EOF
+ readonly_crypt $CRYPT_DEV $TMPDIR/keyfile
+EOF
+cryptdisks_start --readonly readonly_crypt
+test -b /dev/mapper/readonly_crypt
+dm="$(readlink -e "/dev/mapper/readonly_crypt")"
+ro="$(< "/sys/block/${dm##*/}/ro")"
+test "$ro" -eq 1
+cryptdisks_stop readonly_crypt
+
+# double check that default is read-write
+cryptdisks_start readonly_crypt
+test -b /dev/mapper/readonly_crypt
+dm="$(readlink -e "/dev/mapper/readonly_crypt")"
+ro="$(< "/sys/block/${dm##*/}/ro")"
+test "$ro" -eq 0
+cryptdisks_stop readonly_crypt
+
+
+#######################################################################
+# tries=
+
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
+
+# fail after 3 tries default
+cat >/etc/crypttab <<-EOF
+ tries_crypt $CRYPT_DEV none
+EOF
+
+cryptdisks_start tries_crypt </dev/tty & pid=$!
+echo -n bad1 >/lib/cryptsetup/passfifo
+sleep 1
+echo -n bad2 >/lib/cryptsetup/passfifo
+sleep 1
+echo -n bad3 >/lib/cryptsetup/passfifo
+! wait $pid
+stty sane || true
+test ! -b /dev/mapper/tries_crypt
+
+# success on the 3rd try
+cryptdisks_start tries_crypt </dev/tty & pid=$!
+echo -n bad1 >/lib/cryptsetup/passfifo
+sleep 1
+echo -n bad2 >/lib/cryptsetup/passfifo
+sleep 1
+cat <"$TMPDIR/keyfile" >/lib/cryptsetup/passfifo
+wait $pid
+stty sane || true
+test -b /dev/mapper/tries_crypt
+cryptdisks_stop tries_crypt
+
+# force single try
+cat >/etc/crypttab <<-EOF
+ tries_crypt $CRYPT_DEV none tries=1
+EOF
+
+cryptdisks_start tries_crypt </dev/tty & pid=$!
+echo -n bad1 >/lib/cryptsetup/passfifo
+! wait $pid
+stty sane || true
+test ! -b /dev/mapper/tries_crypt
+
+cryptdisks_start tries_crypt </dev/tty & pid=$!
+cat <"$TMPDIR/keyfile" >/lib/cryptsetup/passfifo
+wait $pid
+stty sane || true
+test -b /dev/mapper/tries_crypt
+cryptdisks_stop tries_crypt
+
+
+#######################################################################
+# discard
+
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
+
+cat >/etc/crypttab <<-EOF
+ flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile discard
+EOF
+
+cryptdisks_start flagopt_crypt
+dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "allow_discards"
+cryptdisks_stop flagopt_crypt
+
+
+#######################################################################
+# same-cpu-crypt
+
+cat >/etc/crypttab <<-EOF
+ flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile same-cpu-crypt
+EOF
+
+cryptdisks_start flagopt_crypt
+dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "same_cpu_crypt"
+cryptdisks_stop flagopt_crypt
+
+
+#######################################################################
+# submit-from-crypt-cpus
+
+cat >/etc/crypttab <<-EOF
+ flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile submit-from-crypt-cpus
+EOF
+
+cryptdisks_start flagopt_crypt
+dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "submit_from_crypt_cpus"
+cryptdisks_stop flagopt_crypt
+
+
+#######################################################################
+# no-read-workqueue
+
+cat >/etc/crypttab <<-EOF
+ flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile no-read-workqueue
+EOF
+
+cryptdisks_start flagopt_crypt
+dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "no_read_workqueue"
+cryptdisks_stop flagopt_crypt
+
+
+#######################################################################
+# no-write-workqueue
+
+cat >/etc/crypttab <<-EOF
+ flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile no-write-workqueue
+EOF
+
+cryptdisks_start flagopt_crypt
+dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "no_write_workqueue"
+cryptdisks_stop flagopt_crypt
+
+
+#######################################################################
+# swap
+
+disk_setup
+cat >/etc/crypttab <<-EOF
+ swap_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,swap
+EOF
+
+cryptdisks_start swap_crypt
+test -b /dev/mapper/swap_crypt
+
+t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt)"
+test "$t" = "swap"
+cryptdisks_stop swap_crypt
+
+# refuse to proceed if the target contains a file system...
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
+
+cat >/etc/crypttab <<-EOF
+ swap_crypt $CRYPT_DEV $TMPDIR/keyfile swap
+ swap_crypt2 $CRYPT_DEV $TMPDIR/keyfile
+EOF
+cryptdisks_start swap_crypt2
+mke2fs -t ext4 -m0 -Fq /dev/mapper/swap_crypt2
+t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt2)"
+test "$t" = "ext4"
+cryptdisks_stop swap_crypt2
+
+! cryptdisks_start swap_crypt
+test ! -b /dev/mapper/swap_crypt
+
+# ... unless that's already a swap device
+cryptdisks_start swap_crypt2
+mkswap -f /dev/mapper/swap_crypt2
+t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt2)"
+test "$t" = "swap"
+u="$(blkid -s UUID -o value /dev/mapper/swap_crypt2)"
+cryptdisks_stop swap_crypt2
+
+cryptdisks_start swap_crypt
+test -b /dev/mapper/swap_crypt
+t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt)"
+test "$t" = "swap"
+u2="$(blkid -s UUID -o value /dev/mapper/swap_crypt)"
+test "$u" != "$u2"
+cryptdisks_stop swap_crypt
+
+
+#######################################################################
+# tmp=
+
+disk_setup
+cat >/etc/crypttab <<-EOF
+ tmp_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,tmp=ext2
+EOF
+
+# run mkfs.ext2
+cryptdisks_start tmp_crypt
+test -b /dev/mapper/tmp_crypt
+
+t="$(blkid -s TYPE -o value /dev/mapper/tmp_crypt)"
+test "$t" = "ext2"
+cryptdisks_stop tmp_crypt
+
+# default type is ext4
+cat >/etc/crypttab <<-EOF
+ tmp_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,tmp
+EOF
+cryptdisks_start tmp_crypt
+t="$(blkid -s TYPE -o value /dev/mapper/tmp_crypt)"
+test "$t" = "ext4"
+cryptdisks_stop tmp_crypt
+
+
+#######################################################################
+# check=
+
+disk_setup
+cat >/etc/crypttab <<-EOF
+ check_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256
+EOF
+
+# precheck failed: $CRYPT_DEV contains a filesystem
+mke2fs -t ext4 -m0 -Fq -- "$CRYPT_DEV"
+t="$(blkid -s TYPE -o value -- "$CRYPT_DEV")"
+test "$t" = "ext4"
+! cryptdisks_start check_crypt
+test ! -b /dev/mapper/check_crypt
+
+# precheck failed: $CRYPT_DEV contains a filesystem at the given offset (cf. #994056)
+offset=2048
+disk_setup
+cat >/etc/crypttab <<-EOF
+ check_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,offset=$offset
+EOF
+
+dmsetup create hidden --table "0 4096 linear $CRYPT_DEV $offset"
+mke2fs -t ext2 -m0 -Fq /dev/mapper/hidden
+u="$(blkid -p -s UUID -o value /dev/mapper/hidden)"
+dmsetup remove hidden
+u2="$(blkid -p -O$((offset*512)) -s UUID -o value -- "$CRYPT_DEV")"
+test "$u" = "$u2"
+t="$(blkid -p -O$((offset*512)) -s TYPE -o value -- "$CRYPT_DEV")"
+test "$t" = "ext2"
+
+! cryptdisks_start check_crypt
+test ! -b /dev/mapper/check_crypt
+
+# check failed: mapped device does not contain a known file system
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+cat >/etc/crypttab <<-EOF
+ check_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check
+ check_crypt2 $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256
+EOF
+
+! cryptdisks_start check_crypt
+test ! -b /dev/mapper/check_crypt
+
+# success
+cryptdisks_start check_crypt2
+mke2fs -t ext4 -m0 -Fq /dev/mapper/check_crypt2
+u="$(blkid -s UUID -o value /dev/mapper/check_crypt2)"
+cryptdisks_stop check_crypt2
+cryptdisks_start check_crypt
+test -b /dev/mapper/check_crypt
+u2="$(blkid -s UUID -o value /dev/mapper/check_crypt)"
+test "$u" = "$u2"
+cryptdisks_stop check_crypt
+
+# custom check
+install -m0755 -- /dev/null "$TMPDIR/check"
+cat >"$TMPDIR/check" <<-EOF
+ #!/bin/bash
+ printf '%s\\0' "\$0" >"$TMPDIR/cmdline"
+ while [ \$# -gt 0 ]; do
+ printf '%s\\0' "\$1"
+ shift
+ done >>"$TMPDIR/cmdline"
+ exit 0
+EOF
+
+cat >/etc/crypttab <<-EOF
+ check_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check=$TMPDIR/check
+EOF
+cryptdisks_start check_crypt
+dm="$(readlink -e "/dev/mapper/check_crypt")"
+cryptdisks_stop check_crypt
+printf '%s\0%s\0' "$TMPDIR/check" "$dm" >"$TMPDIR/cmdline2"
+diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline2" "$TMPDIR/cmdline"
+
+
+#######################################################################
+# checkargs=
+
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+cat >/etc/crypttab <<-EOF
+ checkargs_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check,checkargs=ext4
+ checkargs_crypt2 $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256
+EOF
+
+# check failed: mapped device does not contain a known file system
+! cryptdisks_start checkargs_crypt
+test ! -b /dev/mapper/checkargs_crypt
+
+# check failed: mapped device is not ext4
+cryptdisks_start checkargs_crypt2
+mke2fs -t ext2 -m0 -Fq /dev/mapper/checkargs_crypt2
+cryptdisks_stop checkargs_crypt2
+! cryptdisks_start checkargs_crypt
+test ! -b /dev/mapper/checkargs_crypt
+
+# success
+cryptdisks_start checkargs_crypt2
+mke2fs -t ext4 -m0 -Fq /dev/mapper/checkargs_crypt2
+u="$(blkid -s UUID -o value /dev/mapper/checkargs_crypt2)"
+cryptdisks_stop checkargs_crypt2
+cryptdisks_start checkargs_crypt
+u2="$(blkid -s UUID -o value /dev/mapper/checkargs_crypt)"
+test "$u" = "$u2"
+test -b /dev/mapper/checkargs_crypt
+cryptdisks_stop checkargs_crypt
+
+# check failed: mapped device is not ext2
+sed -i "s/checkargs=ext4/checkargs=ext2/" /etc/crypttab
+! cryptdisks_start checkargs_crypt
+test ! -b /dev/mapper/checkargs_crypt
+
+# custom check
+cat >/etc/crypttab <<-EOF
+ checkargs_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check=$TMPDIR/check,checkargs=foo\\0012b\\0011a\\0054r\\0040
+EOF
+cryptdisks_start checkargs_crypt
+dm="$(readlink -e "/dev/mapper/checkargs_crypt")"
+cryptdisks_stop checkargs_crypt
+printf '%s\0%s\0foo\nb\ta,r \0' "$TMPDIR/check" "$dm" >"$TMPDIR/cmdline2"
+diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline2" "$TMPDIR/cmdline"
+
+
+#######################################################################
+# noauto
+
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
+
+cat >/etc/crypttab <<-EOF
+ noauto_crypt $CRYPT_DEV $TMPDIR/keyfile noauto
+EOF
+cryptdisks_start noauto_crypt
+test -b /dev/mapper/noauto_crypt
+cryptdisks_stop noauto_crypt
+
+
+#######################################################################
+# (custom) keyscript
+
+disk_setup
+head -c32 </dev/urandom >"$TMPDIR/keyfile"
+luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
+
+KEYSCRIPT="$TMPDIR/decrypt_foo,bar
+b a z"
+
+# make sure we export CRYPTTAB_* as documented
+install -m0755 -- /dev/null "$KEYSCRIPT"
+cat >"$KEYSCRIPT" <<-EOF
+ #!/bin/bash
+ printf '%s\\0' "\$0" >"$TMPDIR/cmdline"
+ while [ \$# -gt 0 ]; do
+ printf '%s\\0' "\$1"
+ shift
+ done >>"$TMPDIR/cmdline"
+ install -m0600 "/proc/\$\$/environ" "$TMPDIR/environ"
+ cat <"$TMPDIR/keyfile"
+EOF
+
+# add extra unknown option (visible in $CRYPTTAB_OPTIONS but there is no $CRYPTTAB_OPTION_*)
+cat >/etc/crypttab <<-EOF
+ keyscript\\0045crypt $CRYPT_IMG foo\\0011bar\\0040baz nonexistent,keyscript=$TMPDIR/decrypt_foo\\0054bar\\0012b\\0040a\\0040z,luks
+EOF
+
+cryptdisks_start "keyscript%crypt"
+dmsetup table --target=crypt "keyscript%crypt" | cut -d" " -f5 | grep -F ":64:logon:cryptsetup:" # name in /dev/mapper is probably mangled
+cryptdisks_stop "keyscript%crypt"
+
+# compare command line
+printf '%s\0foo\tbar baz\0' "$KEYSCRIPT" >"$TMPDIR/cmdline2"
+diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline2" "$TMPDIR/cmdline"
+
+# compare environment
+tr '\n' '\0' <<-EOF | sed -rz "s|@@DECRYPT_FOOBAR@@|${KEYSCRIPT//$'\n'/"\\n"}|" >"$TMPDIR/environ2"
+ CRYPTTAB_KEY=foo bar baz
+ CRYPTTAB_NAME=keyscript%crypt
+ CRYPTTAB_OPTIONS=nonexistent,keyscript=@@DECRYPT_FOOBAR@@,luks
+ CRYPTTAB_OPTION_keyscript=@@DECRYPT_FOOBAR@@
+ CRYPTTAB_OPTION_luks=yes
+ CRYPTTAB_SOURCE=$CRYPT_IMG
+ CRYPTTAB_TRIED=0
+ _CRYPTTAB_KEY=foo\\0011bar\\0040baz
+ _CRYPTTAB_NAME=keyscript\\0045crypt
+ _CRYPTTAB_OPTIONS=nonexistent,keyscript=$TMPDIR/decrypt_foo\\0054bar\\0012b\\0040a\\0040z,luks
+ _CRYPTTAB_SOURCE=$CRYPT_IMG
+EOF
+grep -Ez "^_?CRYPTTAB_" <"$TMPDIR/environ" | sort -z | diff -u --label=a/environ --label=b/environ -- "$TMPDIR/environ2" -
diff --git a/debian/tests/cryptdisks.init b/debian/tests/cryptdisks.init
new file mode 100755
index 0000000..408c325
--- /dev/null
+++ b/debian/tests/cryptdisks.init
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+set -eu
+PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+export PATH
+
+if [ -d /run/systemd/system ]; then
+ export SYSTEMCTL_SKIP_REDIRECT="y"
+ # systemd masks cryptdisks.service and we can't unmask it because /etc/init.d is the only source
+ rm -f -- $(systemctl show -p FragmentPath --value cryptdisks.service)
+ systemctl daemon-reload
+fi
+
+# create 64M zero devices
+dmsetup create disk0 --table "0 $(( 64 * 2*1024)) zero"
+dmsetup create disk1 --table "0 $(( 64 * 2*1024)) zero"
+dmsetup create disk2 --table "0 $(( 64 * 2*1024)) zero"
+dmsetup create disk3 --table "0 $((128 * 2*1024)) zero"
+
+# join disk #1 and #2
+dmsetup create disk12 <<-EOF
+ 0 $((64 * 2*1024)) linear /dev/mapper/disk1 0
+ $((64 * 2*1024)) $((64 * 2*1024)) linear /dev/mapper/disk2 0
+EOF
+
+cipher="aes-cbc-essiv:sha256"
+size=32 # bytes
+cat >/etc/crypttab <<-EOF
+ crypt_disk0 /dev/mapper/disk0 /dev/urandom plain,cipher=$cipher,size=$((8*size))
+ crypt_disk0a /dev/mapper/crypt_disk0 /dev/urandom plain,cipher=$cipher,size=$((8*size))
+ crypt_disk12 /dev/mapper/disk12 /dev/urandom plain,cipher=$cipher,size=$((8*size))
+ crypt_disk3 /dev/mapper/disk3 /dev/urandom plain,cipher=$cipher,size=$((8*size))
+ crypt_disk3b /dev/mapper/crypt_disk3 /dev/urandom plain,cipher=$cipher,size=$((8*size)),offset=$(( 64 * 2*1024))
+ crypt_disk3b0 /dev/mapper/crypt_disk3b /dev/urandom plain,cipher=$cipher,size=$((8*size))
+EOF
+
+/etc/init.d/cryptdisks start
+
+# now add crypt_disk3a (preceeding crypt_disk3b) with a size limit (can't do that via crypttab but dmsetup allows it)
+dmsetup create crypt_disk3a --uuid "CRYPT-PLAIN-crypt_disk3a" --addnodeoncreate <<-EOF
+ 0 $((64 * 2*1024)) crypt $cipher $(xxd -l$size -ps -c256 </dev/urandom) 0 /dev/mapper/crypt_disk3 0
+EOF
+
+lsblk
+# disk0 253:0 0 64M 0 dm
+# └─crypt_disk0 253:5 0 64M 0 crypt
+# └─crypt_disk0a 253:6 0 64M 0 crypt
+# disk1 253:1 0 64M 0 dm
+# └─disk12 253:4 0 128M 0 dm
+# └─crypt_disk12 253:7 0 128M 0 crypt
+# disk2 253:2 0 64M 0 dm
+# └─disk12 253:4 0 128M 0 dm
+# └─crypt_disk12 253:7 0 128M 0 crypt
+#disk3 253:3 0 128M 0 dm
+#└─crypt_disk3 253:8 0 128M 0 crypt
+# ├─crypt_disk3b 253:9 0 64M 0 crypt
+# │ └─crypt_disk3b0 253:10 0 64M 0 crypt
+# └─crypt_disk3a 253:11 0 64M 0 dm
+
+# check device-mapper table (crypt target only)
+# https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt
+# <start_sector> <size> "crypt" <target mapping table> <cipher> <key> <iv_offset> <device path> <offset> [<#opt_params> <opt_params>]
+dmsetup table --target="crypt" >"$AUTOPKGTEST_TMP/table"
+sed -ri "s/\\s+0{$((2*size))}(\\s+[0-9]+)\\s+[0-9]+:[0-9]+(\s|$)/\\1\\2/" -- "$AUTOPKGTEST_TMP/table"
+LC_ALL=C sort -t: -k1,1 <"$AUTOPKGTEST_TMP/table" >"$AUTOPKGTEST_TMP/table2"
+
+diff -u --color=auto --label="a/table" --label="b/table" -- - "$AUTOPKGTEST_TMP/table2" <<-EOF
+ crypt_disk0: 0 $((64 * 2*1024)) crypt $cipher 0 0
+ crypt_disk0a: 0 $((64 * 2*1024)) crypt $cipher 0 0
+ crypt_disk12: 0 $((2*64 * 2*1024)) crypt $cipher 0 0
+ crypt_disk3: 0 $((128 * 2*1024)) crypt $cipher 0 0
+ crypt_disk3a: 0 $((64 * 2*1024)) crypt $cipher 0 0
+ crypt_disk3b: 0 $((64 * 2*1024)) crypt $cipher 0 $((64 * 2*1024))
+ crypt_disk3b0: 0 $((64 * 2*1024)) crypt $cipher 0 0
+EOF
+
+# close disks and ensure there no leftover devices
+/etc/init.d/cryptdisks stop
+dmsetup table --target="crypt" >"$AUTOPKGTEST_TMP/table"
+if [ -s "$AUTOPKGTEST_TMP/table" ]; then
+ echo "ERROR: leftover crypt devices" >&2
+ cat <"$AUTOPKGTEST_TMP/table"
+ exit 1
+fi
diff --git a/debian/tests/cryptroot-legacy b/debian/tests/cryptroot-legacy
new file mode 120000
index 0000000..2e34c2d
--- /dev/null
+++ b/debian/tests/cryptroot-legacy
@@ -0,0 +1 @@
+utils/cryptroot-common \ No newline at end of file
diff --git a/debian/tests/cryptroot-legacy.d/bottom b/debian/tests/cryptroot-legacy.d/bottom
new file mode 100644
index 0000000..8bf492f
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/bottom
@@ -0,0 +1,9 @@
+umount "$ROOT/boot"
+umount "$ROOT"
+
+swapoff /dev/cryptvg/swap
+lvm vgchange -an "cryptvg"
+
+cryptsetup close "vda3_crypt"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-legacy.d/config b/debian/tests/cryptroot-legacy.d/config
new file mode 100644
index 0000000..cff461c
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/config
@@ -0,0 +1,14 @@
+PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4
+PKGS_EXTRA+=( lvm2 )
+PKGS_EXTRA+=( cryptsetup-initramfs )
+
+# disable AES and SHA instructions
+if [[ "$QEMU_CPU_MODEL" =~ ^(.*),\+aes(,.*)?$ ]]; then
+ QEMU_CPU_MODEL="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+fi
+if [[ "$QEMU_CPU_MODEL" =~ ^(.*),\+sha-ni(,.*)?$ ]]; then
+ QEMU_CPU_MODEL="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+fi
+QEMU_CPU_MODEL="$QEMU_CPU_MODEL,-aes,-sha-ni"
+
+# vim: set filetype=bash :
diff --git a/debian/tests/cryptroot-legacy.d/mock b/debian/tests/cryptroot-legacy.d/mock
new file mode 100755
index 0000000..b3b7d26
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/mock
@@ -0,0 +1,32 @@
+#!/usr/bin/perl -T
+
+BEGIN {
+ require "./debian/tests/utils/mock.pm";
+ CryptrootTest::Mock::->import();
+}
+
+unlock_disk("topsecret");
+login("root");
+
+# make sure the root FS and swap are help by dm-crypt devices
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vda3 <<<topsecret}, rv => 0);
+my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3});
+die unless $out =~ m#^`-vda3_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^\s{2}[`|]-cryptvg-root\s+lvm\s+/\s*$#m;
+die unless $out =~ m#^\s{2}[`|]-cryptvg-swap\s+lvm\s+\[SWAP\]\s*$#m;
+
+# assume MODULES=dep won't add too many modules
+# XXX lsinitramfs doesn't work on /initrd.img with COMPRESS=zstd, cf. #1015954
+$out = shell(q{lsinitramfs /boot/initrd.img-`uname -r` | grep -Ec "^(usr/)?lib/modules/.*\.ko(\.[a-z]+)?$"});
+die "$out == 0 or $out > 50" unless $out =~ s/\r?\n\z// and $out =~ /\A([0-9]+)\z/ and $out > 0 and $out <= 50;
+
+# check cipher and key size
+$out = shell(q{dmsetup table --target crypt --showkeys vda3_crypt});
+die unless $out =~ m#\A0\s+\d+\s+crypt\s+aes-cbc-essiv:sha256\s+[0-9a-f]{64}\s#;
+
+# make sure hardware acceleration for AES isn't available
+$out = shell(q{cat /proc/crypto});
+die unless $out =~ m#^name\s*:.*\baes\b#mi;
+die if $out =~ m#^(?:name|driver)\s*:.*\b__(?:.*\b)?aes\b#mi;
+
+QMP::quit();
diff --git a/debian/tests/cryptroot-legacy.d/preinst b/debian/tests/cryptroot-legacy.d/preinst
new file mode 100644
index 0000000..ee76481
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/preinst
@@ -0,0 +1,14 @@
+cat >/etc/crypttab <<-EOF
+ vda3_crypt UUID=$(blkid -s UUID -o value /dev/vda3) none luks,discard
+EOF
+
+cat >/etc/fstab <<-EOF
+ /dev/cryptvg/root / auto errors=remount-ro 0 1
+ /dev/cryptvg/swap none swap sw 0 0
+ UUID=$(blkid -s UUID -o value /dev/vda2) /boot auto defaults 0 2
+EOF
+
+# explicitely set MODULES=dep (yes it's the default, but doesn't hurt)
+echo "MODULES=dep" >/etc/initramfs-tools/conf.d/modules
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-legacy.d/setup b/debian/tests/cryptroot-legacy.d/setup
new file mode 100644
index 0000000..c7ab31f
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/setup
@@ -0,0 +1,46 @@
+# LVM-on-LUKS2 layout from an old system: pre-2013 cryptsetup defaults,
+# no AES hardware acceleration (and MODULES=dep)
+
+sfdisk --append /dev/vda <<-EOF
+ unit: sectors
+
+ start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS}
+ start=$(((64+128)*1024*2)), type=${GUID_TYPE_LUKS}
+EOF
+udevadm settle
+
+# Use pre-2013 (<1.6.0) defaults: LUKS1, aes-cbc-essiv:sha256 cipher, 256bits key
+# <1.6.0 default hash was sha1 but we use legacy hash ripemd160 here to test OpenSSL's
+# legacy.so
+echo -n "topsecret" >/rootfs.key
+cryptsetup luksFormat --batch-mode \
+ --key-file=/rootfs.key \
+ --type=luks1 \
+ --pbkdf-force-iterations=1000 \
+ --cipher="aes-cbc-essiv:sha256" \
+ --hash="ripemd160" \
+ --key-size=256 \
+ -- /dev/vda3
+cryptsetup luksOpen --key-file=/rootfs.key --allow-discards \
+ -- /dev/vda3 "vda3_crypt"
+udevadm settle
+
+lvm pvcreate /dev/mapper/vda3_crypt
+lvm vgcreate "cryptvg" /dev/mapper/vda3_crypt
+lvm lvcreate -Zn --size 64m --name "swap" "cryptvg"
+lvm lvcreate -Zn -l100%FREE --name "root" "cryptvg"
+lvm vgchange -ay "cryptvg"
+lvm vgmknodes
+udevadm settle
+
+mke2fs -Ft ext4 /dev/cryptvg/root
+mount -t ext4 /dev/cryptvg/root "$ROOT"
+
+mkdir "$ROOT/boot"
+mke2fs -Ft ext2 -m0 /dev/vda2
+mount -t ext2 /dev/vda2 "$ROOT/boot"
+
+mkswap /dev/cryptvg/swap
+swapon /dev/cryptvg/swap
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-lvm b/debian/tests/cryptroot-lvm
new file mode 120000
index 0000000..2e34c2d
--- /dev/null
+++ b/debian/tests/cryptroot-lvm
@@ -0,0 +1 @@
+utils/cryptroot-common \ No newline at end of file
diff --git a/debian/tests/cryptroot-lvm.d/bottom b/debian/tests/cryptroot-lvm.d/bottom
new file mode 100644
index 0000000..8bf492f
--- /dev/null
+++ b/debian/tests/cryptroot-lvm.d/bottom
@@ -0,0 +1,9 @@
+umount "$ROOT/boot"
+umount "$ROOT"
+
+swapoff /dev/cryptvg/swap
+lvm vgchange -an "cryptvg"
+
+cryptsetup close "vda3_crypt"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-lvm.d/config b/debian/tests/cryptroot-lvm.d/config
new file mode 100644
index 0000000..ac595b0
--- /dev/null
+++ b/debian/tests/cryptroot-lvm.d/config
@@ -0,0 +1,10 @@
+PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4
+PKGS_EXTRA+=( dbus ) # for systemctl(1)
+PKGS_EXTRA+=( lvm2 )
+PKGS_EXTRA+=( cryptsetup-initramfs cryptsetup-suspend )
+
+QEMU_MEMORY="size=512M"
+GUEST_POWERCYCLE=1 # boot again after hibernation
+DRIVE_SIZES=( "3G" ) # need a big enough swap to accomodate the memory
+
+# vim: set filetype=bash :
diff --git a/debian/tests/cryptroot-lvm.d/mock b/debian/tests/cryptroot-lvm.d/mock
new file mode 100755
index 0000000..f57e42f
--- /dev/null
+++ b/debian/tests/cryptroot-lvm.d/mock
@@ -0,0 +1,49 @@
+#!/usr/bin/perl -T
+
+BEGIN {
+ require "./debian/tests/utils/mock.pm";
+ CryptrootTest::Mock::->import();
+}
+
+my $POWERCYCLE_COUNT = $ARGV[0];
+
+unlock_disk("topsecret");
+
+if ($POWERCYCLE_COUNT == 0) {
+ login("root");
+
+ # make sure the root FS and swap are help by dm-crypt devices
+ shell(q{cryptsetup luksOpen --test-passphrase /dev/vda3 <<<topsecret}, rv => 0);
+ my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3});
+ die unless $out =~ m#^`-vda3_crypt\s+crypt\s*$#m;
+ die unless $out =~ m#^\s{2}[`|]-cryptvg-root\s+lvm\s+/\s*$#m;
+ die unless $out =~ m#^\s{2}[`|]-cryptvg-swap\s+lvm\s+\[SWAP\]\s*$#m;
+
+ # create a stamp in memory, hibernate (suspend on disk) and thaw
+ shell(q{echo hello >/dev/shm/foo.stamp});
+ hibernate();
+}
+else {
+ expect($SERIAL => qr/(?:^|\s)?PM: (?:hibernation: )?hibernation exit\r\n/m);
+ # no need to relogin, we get the shell as we left it
+ shell(q{grep -Fx hello </dev/shm/foo.stamp}, rv => 0);
+
+ # briefly suspend
+ suspend();
+
+ # make sure wakeup yields a cryptsetup prompt
+ wakeup();
+ expect($SERIAL => qr/(?:^|\s)?PM: suspend exit\r\n/m);
+ unlock_disk("topsecret");
+
+ # consume PS1 to make sure we're at a shell prompt
+ expect($CONSOLE => qr/\A $PS1 \z/aamsx);
+ my $out = shell(q{dmsetup info -c --noheadings -omangled_name,suspended --separator ' '});
+ die if grep !/[:[:blank:]]Active$/i, split(/\r?\n/, $out);
+
+ # test I/O on the root file system
+ shell(q{cp -vT /dev/shm/foo.stamp /cryptroot.stamp});
+ shell(q{grep -Fx hello </cryptroot.stamp}, rv => 0);
+
+ QMP::quit();
+}
diff --git a/debian/tests/cryptroot-lvm.d/postinst b/debian/tests/cryptroot-lvm.d/postinst
new file mode 100644
index 0000000..b9ffe35
--- /dev/null
+++ b/debian/tests/cryptroot-lvm.d/postinst
@@ -0,0 +1,17 @@
+mkdir /etc/systemd/system/systemd-suspend.service.d
+cat >/etc/systemd/system/systemd-suspend.service.d/zz-cryptsetup-suspend-mock.conf <<-EOF
+ # override the command and don't call openvt(1) here since VT8 isn't
+ # available from the mocking logic -- we use /dev/console instead
+
+ [Service]
+ StandardInput=tty
+ StandardOutput=inherit
+ StandardError=inherit
+ TTYPath=/dev/console
+ TTYReset=yes
+
+ ExecStart=
+ ExecStart=/lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper
+EOF
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-lvm.d/preinst b/debian/tests/cryptroot-lvm.d/preinst
new file mode 100644
index 0000000..650b9b6
--- /dev/null
+++ b/debian/tests/cryptroot-lvm.d/preinst
@@ -0,0 +1,14 @@
+cat >/etc/crypttab <<-EOF
+ vda3_crypt PARTUUID=$(blkid -s PARTUUID -o value /dev/vda3) none luks,discard
+EOF
+
+cat >/etc/fstab <<-EOF
+ /dev/cryptvg/root / auto errors=remount-ro 0 1
+ /dev/cryptvg/swap none swap sw 0 0
+ UUID=$(blkid -s UUID -o value /dev/vda2) /boot auto defaults 0 2
+EOF
+
+mkdir -p /etc/initramfs-tools/conf.d
+echo "RESUME=/dev/cryptvg/swap" >/etc/initramfs-tools/conf.d/resume
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-lvm.d/setup b/debian/tests/cryptroot-lvm.d/setup
new file mode 100644
index 0000000..890bbb6
--- /dev/null
+++ b/debian/tests/cryptroot-lvm.d/setup
@@ -0,0 +1,45 @@
+# Simple LVM-on-LUKS2 layout -- more or less emulates what one gets out
+# of d-i with the "encrypted LVM" partioning method.
+
+# create two new partitions for /boot and LUKS respectively (the first
+# one is always used for BIOS/EFI and never exceeds sector 64*1024*2)
+sfdisk --append /dev/vda <<-EOF
+ unit: sectors
+
+ start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS}
+ start=$(((64+128)*1024*2)), type=${GUID_TYPE_LUKS}
+EOF
+udevadm settle
+
+# initialize a new LUKS partition and open it
+echo -n "topsecret" >/rootfs.key
+cryptsetup luksFormat --batch-mode \
+ --key-file=/rootfs.key \
+ --type=luks2 \
+ --pbkdf=argon2id \
+ --pbkdf-force-iterations=4 \
+ --pbkdf-memory=32 \
+ -- /dev/vda3
+cryptsetup luksOpen --key-file=/rootfs.key --allow-discards \
+ -- /dev/vda3 "vda3_crypt"
+udevadm settle
+
+lvm pvcreate /dev/mapper/vda3_crypt
+lvm vgcreate "cryptvg" /dev/mapper/vda3_crypt
+lvm lvcreate -Zn --size 1024m --name "swap" "cryptvg"
+lvm lvcreate -Zn -l100%FREE --name "root" "cryptvg"
+lvm vgchange -ay "cryptvg"
+lvm vgmknodes
+udevadm settle
+
+mke2fs -Ft ext4 /dev/cryptvg/root
+mount -t ext4 /dev/cryptvg/root "$ROOT"
+
+mkdir "$ROOT/boot"
+mke2fs -Ft ext2 -m0 /dev/vda2
+mount -t ext2 /dev/vda2 "$ROOT/boot"
+
+mkswap /dev/cryptvg/swap
+swapon /dev/cryptvg/swap
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-md b/debian/tests/cryptroot-md
new file mode 120000
index 0000000..2e34c2d
--- /dev/null
+++ b/debian/tests/cryptroot-md
@@ -0,0 +1 @@
+utils/cryptroot-common \ No newline at end of file
diff --git a/debian/tests/cryptroot-md.d/bottom b/debian/tests/cryptroot-md.d/bottom
new file mode 100644
index 0000000..a771c91
--- /dev/null
+++ b/debian/tests/cryptroot-md.d/bottom
@@ -0,0 +1,15 @@
+umount "$ROOT/boot"
+umount "$ROOT"
+
+swapoff /dev/md1
+mdadm --stop /dev/md1
+cryptsetup close "vda3_crypt"
+cryptsetup close "vdb3_crypt"
+
+swapoff /dev/cryptvg/swap
+lvm vgchange -an "cryptvg"
+mdadm --stop /dev/md2
+cryptsetup close "vda4_crypt"
+cryptsetup close "vdb4_crypt"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-md.d/config b/debian/tests/cryptroot-md.d/config
new file mode 100644
index 0000000..0c9e5ff
--- /dev/null
+++ b/debian/tests/cryptroot-md.d/config
@@ -0,0 +1,7 @@
+PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4
+PKGS_EXTRA+=( lvm2 mdadm )
+PKGS_EXTRA+=( cryptsetup-initramfs )
+
+DRIVE_SIZES=( "1536M" "1536M" )
+
+# vim: set filetype=bash :
diff --git a/debian/tests/cryptroot-md.d/mock b/debian/tests/cryptroot-md.d/mock
new file mode 100755
index 0000000..51f8c9c
--- /dev/null
+++ b/debian/tests/cryptroot-md.d/mock
@@ -0,0 +1,41 @@
+#!/usr/bin/perl -T
+
+BEGIN {
+ require "./debian/tests/utils/mock.pm";
+ CryptrootTest::Mock::->import();
+}
+
+my %passphrases;
+$passphrases{$_} = $_ foreach qw/vda3_crypt vda4_crypt vdb3_crypt vdb4_crypt/;
+unlock_disk(\%passphrases) for 1 .. scalar(%passphrases);
+
+# check that the above was done at initramfs stage
+expect($SERIAL => qr#\bRunning /scripts/init-bottom\s*\.\.\. #);
+
+login("root");
+
+# make sure the root FS and swap are help by dm-crypt devices
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vda3 <<<vda3_crypt}, rv => 0);
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vda4 <<<vda4_crypt}, rv => 0);
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vdb3 <<<vdb3_crypt}, rv => 0);
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vdb4 <<<vdb4_crypt}, rv => 0);
+
+my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3});
+die unless $out =~ m#^`-vda3_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^ `-md1\s+raid0\s+\[SWAP\]\s*$#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdb3});
+die unless $out =~ m#^`-vdb3_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^ `-md1\s+raid0\s+\[SWAP\]\s*$#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda4});
+die unless $out =~ m#^`-vda4_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^ [`|]-cryptvg-swap\s+lvm\s+\[SWAP\]\s*$#m;
+die unless $out =~ m#^ [`|]-cryptvg-root\s+lvm\s+/\s*$#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdb4});
+die unless $out =~ m#^`-vdb4_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^ [`|]-cryptvg-swap\s+lvm\s+\[SWAP\]\s*$#m;
+die unless $out =~ m#^ [`|]-cryptvg-root\s+lvm\s+/\s*$#m;
+
+QMP::quit();
diff --git a/debian/tests/cryptroot-md.d/preinst b/debian/tests/cryptroot-md.d/preinst
new file mode 100644
index 0000000..84bfa7a
--- /dev/null
+++ b/debian/tests/cryptroot-md.d/preinst
@@ -0,0 +1,20 @@
+# intentionally mix UUID= and /dev
+cat >/etc/crypttab <<-EOF
+ vda3_crypt UUID=$(blkid -s UUID -o value /dev/vda3) none discard
+ vda4_crypt UUID=$(blkid -s UUID -o value /dev/vda4) none discard
+ vdb3_crypt /dev/vdb3 none discard
+ vdb4_crypt /dev/vdb4 none discard
+EOF
+
+cat >/etc/fstab <<-EOF
+ /dev/cryptvg/root / auto errors=remount-ro 0 1
+ /dev/cryptvg/swap none swap sw 0 0
+ /dev/md1 none swap sw 0 0
+ UUID=$(blkid -s UUID -o value /dev/md0) /boot auto defaults 0 2
+EOF
+
+# force unlocking /dev/md1 holders (/dev/vd[ab]3) at initramfs stage
+mkdir -p /etc/initramfs-tools/conf.d
+echo "RESUME=/dev/md1" >/etc/initramfs-tools/conf.d/resume
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-md.d/setup b/debian/tests/cryptroot-md.d/setup
new file mode 100644
index 0000000..a8f49ed
--- /dev/null
+++ b/debian/tests/cryptroot-md.d/setup
@@ -0,0 +1,84 @@
+# Rather convoluted LVM-on-MD-on-LUKS2 layout with 2 swap areas, /boot
+# on RAID1, SWAP0 on RAID0, LVM on RAID1 and 4 independently encrypted
+# partitions decrypt at early boot stage:
+
+# NAME TYPE MOUNTPOINTS
+# vda disk
+# ├─vda1 part
+# ├─vda2 part
+# │ └─md0 raid1 /boot
+# ├─vda3 part
+# │ └─vda3_crypt crypt
+# │ └─md1 raid0 [SWAP]
+# └─vda4 part
+# └─vda4_crypt crypt
+# └─md2 raid1
+# ├─cryptvg-swap lvm [SWAP]
+# └─cryptvg-root lvm /
+# vdb disk
+# ├─vdb1 part
+# ├─vdb2 part
+# │ └─md0 raid1 /boot
+# ├─vdb3 part
+# │ └─vdb3_crypt crypt
+# │ └─md1 raid0 [SWAP]
+# └─vdb4 part
+# └─vdb4_crypt crypt
+# └─md2 raid1
+# ├─cryptvg-swap lvm [SWAP]
+# └─cryptvg-root lvm /
+
+sfdisk --append /dev/vda <<-EOF
+ unit: sectors
+
+ start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS}
+ start=$(((64+128)*1024*2)), size=$((64*1024*2)), type=${GUID_TYPE_LUKS}
+ start=$(((64+128+64)*1024*2)), type=${GUID_TYPE_LUKS}
+EOF
+udevadm settle
+
+# copy vda's partition table onto vdb
+sfdisk -d /dev/vda | sfdisk /dev/vdb
+udevadm settle
+
+for d in vda3 vda4 vdb3 vdb4; do
+ echo -n "${d}_crypt" >/keyfile
+ cryptsetup luksFormat --batch-mode \
+ --key-file=/keyfile \
+ --type=luks2 \
+ --pbkdf=argon2id \
+ --pbkdf-force-iterations=4 \
+ --pbkdf-memory=32 \
+ -- "/dev/$d"
+ cryptsetup luksOpen --key-file=/keyfile --allow-discards \
+ -- "/dev/$d" "${d}_crypt"
+ udevadm settle
+done
+
+mdadm --create /dev/md0 --metadata=default --level=1 --raid-devices=2 /dev/vda2 /dev/vdb2
+mdadm --create /dev/md1 --metadata=default --level=0 --raid-devices=2 /dev/mapper/vda3_crypt /dev/mapper/vdb3_crypt
+mdadm --create /dev/md2 --metadata=default --level=1 --raid-devices=2 /dev/mapper/vda4_crypt /dev/mapper/vdb4_crypt
+udevadm settle
+
+lvm pvcreate /dev/md2
+lvm vgcreate "cryptvg" /dev/md2
+lvm lvcreate -Zn --size 64m --name "swap" "cryptvg"
+lvm lvcreate -Zn -l100%FREE --name "root" "cryptvg"
+lvm vgchange -ay "cryptvg"
+lvm vgmknodes
+udevadm settle
+
+
+mke2fs -Ft ext4 /dev/cryptvg/root
+mount -t ext4 /dev/cryptvg/root "$ROOT"
+
+mkdir "$ROOT/boot"
+mke2fs -Ft ext2 -m0 /dev/md0
+mount -t ext2 /dev/md0 "$ROOT/boot"
+
+mkswap /dev/cryptvg/swap
+swapon /dev/cryptvg/swap
+mkswap /dev/md1
+swapon /dev/md1
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-nested b/debian/tests/cryptroot-nested
new file mode 120000
index 0000000..2e34c2d
--- /dev/null
+++ b/debian/tests/cryptroot-nested
@@ -0,0 +1 @@
+utils/cryptroot-common \ No newline at end of file
diff --git a/debian/tests/cryptroot-nested.d/bottom b/debian/tests/cryptroot-nested.d/bottom
new file mode 100644
index 0000000..9c2e07a
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/bottom
@@ -0,0 +1,17 @@
+umount "$ROOT/boot"
+umount "$ROOT/home"
+umount "$ROOT/usr"
+umount "$ROOT/var"
+umount "$ROOT"
+
+swapoff /dev/mapper/testvg-lv0_crypt
+cryptsetup close "testvg-lv0_crypt"
+cryptsetup close "vdd_crypt"
+
+cryptsetup close "md0_crypt"
+mdadm --stop /dev/md0
+
+cryptsetup close "testvg-lv1_crypt"
+lvm vgchange -an "testvg"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-nested.d/config b/debian/tests/cryptroot-nested.d/config
new file mode 100644
index 0000000..995200c
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/config
@@ -0,0 +1,7 @@
+PKGS_EXTRA+=( btrfs-progs lvm2 mdadm )
+PKGS_EXTRA+=( cryptsetup-initramfs )
+
+# /dev/mapper/testvg-lv1_crypt and /dev/vdc are both 1G and used in RAID1 mode
+DRIVE_SIZES=( "1G" "264M" "1G" "512M" )
+
+# vim: set filetype=bash :
diff --git a/debian/tests/cryptroot-nested.d/mock b/debian/tests/cryptroot-nested.d/mock
new file mode 100755
index 0000000..cccb35f
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/mock
@@ -0,0 +1,44 @@
+#!/usr/bin/perl -T
+
+BEGIN {
+ require "./debian/tests/utils/mock.pm";
+ CryptrootTest::Mock::->import();
+}
+
+my %passphrases;
+$passphrases{$_} = $_ foreach qw/testvg-lv0_crypt testvg-lv1_crypt md0_crypt vdd_crypt/;
+unlock_disk(\%passphrases) for 1 .. scalar(%passphrases);
+
+# check that the above was done at initramfs stage
+expect($SERIAL => qr#\bRunning /scripts/init-bottom\s*\.\.\. #);
+
+login("root");
+
+# make sure the root FS and swap are help by dm-crypt devices
+shell(q{cryptsetup luksOpen --test-passphrase /dev/md0 <<<md0_crypt}, rv => 0);
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vdd <<<vdd_crypt}, rv => 0);
+shell(q{cryptsetup luksOpen --test-passphrase /dev/testvg/lv1 <<<testvg-lv1_crypt}, rv => 0);
+
+my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3});
+die unless $out =~ m#^[`|]-testvg-lv0\s+lvm\s*$#m;
+die unless $out =~ m#^[| ] `-testvg-lv0_crypt\s+crypt\s+\[SWAP\]\s*$#m;
+die unless $out =~ m#^[`|]-testvg-lv1\s+lvm\s*$#m;
+die unless $out =~ m#^[| ] `-testvg-lv1_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^[| ] `-md0\s+raid1\s*$#m;
+die unless $out =~ m#^[| ] `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdb});
+die unless $out =~ m#^`-testvg-lv1\s+lvm\s*$#m;
+die unless $out =~ m#^ `-testvg-lv1_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^ `-md0\s+raid1\s*$#m;
+die unless $out =~ m#^ `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdc});
+die unless $out =~ m#^`-md0\s+raid1\s*$#m;
+die unless $out =~ m#^ `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m;
+
+$out = shell(q{btrfs filesystem show /});
+die unless $out =~ m#^\s*devid\s+1\s.*\s/dev/mapper/vdd_crypt\s*$#m;
+die unless $out =~ m#^\s*devid\s+2\s.*\s/dev/mapper/md0_crypt\s*$#m;
+
+QMP::quit();
diff --git a/debian/tests/cryptroot-nested.d/preinst b/debian/tests/cryptroot-nested.d/preinst
new file mode 100644
index 0000000..c5f576b
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/preinst
@@ -0,0 +1,21 @@
+# check both UUID= and /dev/mapper/NAME sources for testvg-*_crypt to test for regressions a la #902943
+cat >/etc/crypttab <<-EOF
+ md0_crypt UUID=$(blkid -s UUID -o value /dev/md0) none
+ vdd_crypt UUID=$(blkid -s UUID -o value /dev/vdd) none
+ testvg-lv0_crypt /dev/mapper/testvg-lv0 none plain,cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160
+ testvg-lv1_crypt UUID=$(blkid -s UUID -o value /dev/testvg/lv1) none
+EOF
+
+cat >/etc/fstab <<-EOF
+ /dev/mapper/vdd_crypt / btrfs compress=lzo,subvol=@ 0 1
+ /dev/mapper/vdd_crypt /home btrfs compress=lzo,subvol=@home 0 2
+ /dev/mapper/vdd_crypt /usr btrfs compress=lzo,subvol=@usr 0 2
+ /dev/mapper/vdd_crypt /var btrfs compress=lzo,subvol=@var 0 2
+ UUID=$(blkid -s UUID -o value /dev/vda2) /boot ext2 defaults 0 2
+ /dev/mapper/testvg-lv0_crypt none swap sw 0 0
+EOF
+
+mkdir -p /etc/initramfs-tools/conf.d
+echo "RESUME=/dev/mapper/testvg-lv0_crypt" >/etc/initramfs-tools/conf.d/resume
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-nested.d/setup b/debian/tests/cryptroot-nested.d/setup
new file mode 100644
index 0000000..6fb6ccd
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/setup
@@ -0,0 +1,107 @@
+# Unrealistic (and frankly stupid) layout with a complex block device
+# stack involving multi-device btrfs and btrfs subvolumes, LUKS-on-MD,
+# MD-on-LUKS and LUKS-on-LVM incl. nested dm-crypt volumes:
+
+# NAME TYPE MOUNTPOINTS
+# vda disk
+# ├─vda1 part
+# ├─vda2 part /boot
+# └─vda3 part
+# ├─testvg-lv0 lvm
+# │ └─testvg-lv0_crypt crypt [SWAP]
+# └─testvg-lv1 lvm
+# └─testvg-lv1_crypt crypt
+# └─md0 raid1
+# └─md0_crypt crypt /, /home, /usr, /var
+# vdb disk
+# └─testvg-lv1 lvm
+# └─testvg-lv1_crypt crypt
+# └─md0 raid1
+# └─md0_crypt crypt /, /home, /usr, /var
+# vdc disk
+# └─md0 raid1
+# └─md0_crypt crypt /, /home, /usr, /var
+# vdd disk
+# └─vdd_crypt crypt /, /home, /usr, /var
+
+sfdisk --append /dev/vda <<-EOF
+ unit: sectors
+
+ start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS}
+ start=$(((64+128)*1024*2)), type=${GUID_TYPE_LUKS}
+EOF
+udevadm settle
+
+lvm pvcreate /dev/vda3
+lvm pvcreate /dev/vdb
+lvm vgcreate "testvg" /dev/vda3 /dev/vdb
+lvm lvcreate -Zn --size 64m --name "lv0" "testvg"
+lvm lvcreate -Zn --size 1024m --name "lv1" "testvg"
+lvm vgchange -ay "testvg"
+lvm vgmknodes
+udevadm settle
+
+echo -n "testvg-lv0_crypt" >/keyfile
+cryptsetup open --batch-mode \
+ --type=plain \
+ --cipher="aes-cbc-essiv:sha256" \
+ --key-size=256 \
+ --hash="ripemd160" \
+ -- "/dev/testvg/lv0" "testvg-lv0_crypt" </keyfile
+udevadm settle
+
+echo -n "testvg-lv1_crypt" >/keyfile
+cryptsetup luksFormat --batch-mode \
+ --key-file=/keyfile \
+ --type=luks1 \
+ --pbkdf-force-iterations=1000 \
+ -- "/dev/testvg/lv1"
+cryptsetup luksOpen --key-file=/keyfile --allow-discards \
+ -- "/dev/testvg/lv1" "testvg-lv1_crypt"
+udevadm settle
+
+mdadm --create /dev/md0 --metadata=default --level=1 --raid-devices=2 \
+ /dev/mapper/testvg-lv1_crypt /dev/vdc
+udevadm settle
+
+for d in md0 vdd; do
+ echo -n "${d}_crypt" >/keyfile
+ cryptsetup luksFormat --batch-mode \
+ --key-file=/keyfile \
+ --type=luks2 \
+ --pbkdf=argon2id \
+ --pbkdf-force-iterations=4 \
+ --pbkdf-memory=32 \
+ -- "/dev/$d"
+ cryptsetup luksOpen --key-file=/keyfile --allow-discards \
+ -- "/dev/${d}" "${d}_crypt"
+ udevadm settle
+done
+
+# create multi-device btrfs filesystem for the root FS; we list /dev/mapper/vdd_crypt
+# first since it's smaller and we want data to span across both devices
+mkfs.btrfs -d single /dev/mapper/vdd_crypt /dev/mapper/md0_crypt
+
+# create subvolumes
+mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt /dev/mapper/vdd_crypt "$ROOT"
+btrfs subvol create "$ROOT/@"
+btrfs subvol create "$ROOT/@usr"
+btrfs subvol create "$ROOT/@var"
+btrfs subvol create "$ROOT/@home"
+umount "$ROOT"
+
+# now mount the subvolumes
+mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt,subvol="@" /dev/mapper/vdd_crypt "$ROOT"
+for s in home usr var; do
+ mkdir -m0755 "$ROOT/$s"
+ mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt,subvol="@$s" /dev/mapper/vdd_crypt "$ROOT/$s"
+done
+
+mkdir "$ROOT/boot"
+mke2fs -Ft ext2 -m0 /dev/vda2
+mount -t ext2 /dev/vda2 "$ROOT/boot"
+
+mkswap /dev/mapper/testvg-lv0_crypt
+swapon /dev/mapper/testvg-lv0_crypt
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-run b/debian/tests/cryptroot-run
new file mode 100755
index 0000000..6656bca
--- /dev/null
+++ b/debian/tests/cryptroot-run
@@ -0,0 +1,135 @@
+#!/bin/bash
+
+# Wrapper for cryptroot-* DEP-8 tests (outside autopkgtest harness)
+# This is mostly useful for local tests on the maintainers' machine,
+# such as expensive tests we don't want to overload debci with.
+#
+# Usage: d/t/cryptroot-run [TESTNAME ..]
+#
+# Copyright © 2022 Guilhem Moulin <guilhem@debian.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set -ue
+PATH="/usr/bin:/bin"
+export PATH
+
+if [ -n "${AUTOPKGTEST_TMP+x}" ]; then
+ echo "ERROR: This script is a test wrapper not an autopkgtest" >&2
+ exit 1
+fi
+
+# git-buildpackages's 'export-dir' option (XXX hardcoding this is not ideal)
+EXPORT_DIR="${XDG_CACHE_HOME:-"$HOME/.cache"}/build-area"
+
+RV=0
+TESTDIR="$(dirname -- "$0")"
+declare -a TESTNAMES=() TIME=() CODE=()
+
+# determine path to the .changes file and extract .deb file list from it
+DEB_VERSION="$(dpkg-parsechangelog -SVersion)"
+DEB_SOURCE="$(dpkg-parsechangelog -SSource)"
+DEB_BUILD_ARCHITECTURE="$(dpkg-architecture -qDEB_BUILD_ARCH)"
+if [[ "$DEB_VERSION" =~ ^[0-9]+:(.+)$ ]]; then
+ DEB_VERSION_NOEPOCH="${BASH_REMATCH[1]}"
+else
+ DEB_VERSION_NOEPOCH="$DEB_VERSION"
+fi
+
+CHANGES_FILE="${DEB_SOURCE}_${DEB_VERSION_NOEPOCH}_${DEB_BUILD_ARCHITECTURE}.changes"
+PKG_DIR="$(mktemp --tmpdir --directory "$DEB_SOURCE.XXXXXXXXXX")"
+trap "rm -rf -- \"$PKG_DIR\"" EXIT INT TERM
+
+if [ ! -f "$EXPORT_DIR/$CHANGES_FILE" ]; then
+ echo "ERROR: $EXPORT_DIR/$CHANGES_FILE: No such file" >&2
+ exit 1
+elif grep -qFxe "-----BEGIN PGP SIGNED MESSAGE-----" <"$EXPORT_DIR/$CHANGES_FILE"; then
+ gpgv --keyring=/dev/null --output="$PKG_DIR/$CHANGES_FILE" <"$EXPORT_DIR/$CHANGES_FILE" 2>/dev/null || true
+else
+ cp -T -- "$EXPORT_DIR/$CHANGES_FILE" "$PKG_DIR/$CHANGES_FILE"
+fi
+
+declare -a EXTRA_PKGS
+EXTRA_PKGS=( $(sed -nr '/^Files:/I {:l;n; /^\S/q; s/^\s.*\s(\S+\.deb)$/\1/p; b l }' "$PKG_DIR/$CHANGES_FILE") )
+if [ ${#EXTRA_PKGS[@]} -eq 0 ]; then
+ echo "ERROR: Couldn't extract .deb list from $CHANGES_FILE" >&2
+ exit 1
+fi
+
+# create temporary repository to expose locally-built .deb to cryptroot-* tests
+for deb in "${EXTRA_PKGS[@]}"; do
+ ln -st "$PKG_DIR" -- "$EXPORT_DIR/$deb" || exit 1
+done
+
+( cd "$PKG_DIR" && apt-ftparchive packages . >./Packages && apt-ftparchive release . >./Release )
+EXTRA_REPO="deb file:$PKG_DIR /"
+
+runtest() {
+ local rv=0 ts_start ts_stop
+ if [ -f "$t" ] && [ -d "$t.d" ]; then
+ t="${t#"$TESTDIR/"}"
+ echo ">>> Running $t..."
+ ts_start="$(printf "%(%s)T")"
+ "$TESTDIR/$t" "$EXTRA_REPO" </dev/null || rv=$?
+ ts_stop="$(printf "%(%s)T")"
+
+ if [ $rv -ne 0 ] && [ $RV -eq 0 -o $rv -lt $RV ]; then
+ RV=$rv
+ fi
+
+ TESTNAMES+=( "$t" )
+ TIME+=( $((ts_stop - ts_start)) )
+ CODE+=( $rv )
+ fi
+}
+
+
+if [ $# -eq 0 ]; then
+ for t in "$TESTDIR"/cryptroot-*; do
+ runtest "$t"
+ done
+else
+ for t in "$@"; do
+ if [ "${t#*/}" = "$t" ]; then
+ t="$TESTDIR/cryptroot-${t#cryptroot-}"
+ fi
+ runtest "$t"
+ done
+fi
+
+# show summary with test exit codes and elapsed time
+echo ==============================================================================
+print_sgr() {
+ local n="$1" msg="$2" fmt
+ [ -t 1 ] && fmt="\\x1B[${n}m%s\\x1B[0m" || fmt="%s"
+ printf " $fmt" "$msg"
+}
+for (( i = 0; i < ${#TESTNAMES[@]}; i++ )); do
+ printf "%s" "${TESTNAMES[i]}"
+ if [ ${CODE[i]} -eq 0 ]; then
+ print_sgr "1;32" "PASSED"
+ elif [ ${CODE[i]} -eq 77 ]; then
+ print_sgr "1;36" "SKIPPED"
+ elif [ ${CODE[i]} -eq 124 ]; then
+ print_sgr "1;31" "FAILED"
+ printf " (timeout)"
+ else
+ print_sgr "1;31" "FAILED"
+ printf " (with status %d)" ${CODE[i]}
+ fi
+ printf " after %d seconds\\n" ${TIME[i]}
+done
+echo ==============================================================================
+
+exit $RV
diff --git a/debian/tests/cryptroot-sysvinit b/debian/tests/cryptroot-sysvinit
new file mode 120000
index 0000000..2e34c2d
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit
@@ -0,0 +1 @@
+utils/cryptroot-common \ No newline at end of file
diff --git a/debian/tests/cryptroot-sysvinit.d/bottom b/debian/tests/cryptroot-sysvinit.d/bottom
new file mode 100644
index 0000000..13d5190
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/bottom
@@ -0,0 +1,9 @@
+umount "$ROOT/boot"
+umount "$ROOT"
+
+swapoff /dev/mapper/vda4_crypt
+
+cryptsetup close "vda4_crypt"
+cryptsetup close "vda5_crypt"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-sysvinit.d/config b/debian/tests/cryptroot-sysvinit.d/config
new file mode 100644
index 0000000..f6b7392
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/config
@@ -0,0 +1,5 @@
+PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4
+PKGS_EXTRA+=( cryptsetup-initramfs cryptsetup )
+PKG_INIT="sysvinit-core"
+
+# vim: set filetype=bash :
diff --git a/debian/tests/cryptroot-sysvinit.d/mock b/debian/tests/cryptroot-sysvinit.d/mock
new file mode 100755
index 0000000..b729022
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/mock
@@ -0,0 +1,31 @@
+#!/usr/bin/perl -T
+
+BEGIN {
+ require "./debian/tests/utils/mock.pm";
+ CryptrootTest::Mock::->import();
+}
+
+unlock_disk("topsecret");
+login("root");
+
+# make sure the root FS, swap, and /home are help by dm-crypt devices
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vda5 <<<topsecret}, rv => 0);
+my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3});
+die unless $out =~ m#\Avda3\s.*\r?\n^`-vda3_crypt\s+crypt\s+/home\s*\r?\n\z#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda4});
+die unless $out =~ m#\Avda4\s.*\r?\n^`-vda4_crypt\s+crypt\s+\[SWAP\]\s*\r?\n\z#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda5});
+die unless $out =~ m#\Avda5\s.*\r?\n^`-vda5_crypt\s+crypt\s+/\s*\r?\n\z#m;
+
+# make sure only vda5 is processed at initramfs stage
+# XXX unmkinitramfs doesn't work on /initrd.img with COMPRESS=zstd, cf. #1015954
+shell(q{unmkinitramfs /boot/initrd.img-`uname -r` /tmp/initramfs});
+shell(q{grep -E '^vd\S+_crypt\s' </tmp/initramfs/cryptroot/crypttab >/tmp/out});
+shell(q{grep -E '^vda5_crypt\s' </tmp/out}, rv => 0);
+shell(q{grep -Ev '^vda5_crypt\s' </tmp/out}, rv => 1);
+
+# don't use QMP::quit() here since we want to run our init scripts in
+# shutdown phase
+poweroff();
diff --git a/debian/tests/cryptroot-sysvinit.d/postinst b/debian/tests/cryptroot-sysvinit.d/postinst
new file mode 100644
index 0000000..d65e21d
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/postinst
@@ -0,0 +1,15 @@
+install -m0600 /dev/null /etc/homefs.key
+head -c512 /dev/urandom >/etc/homefs.key
+cryptsetup luksFormat --batch-mode \
+ --key-file=/etc/homefs.key \
+ --type=luks2 \
+ --pbkdf=argon2id \
+ --pbkdf-force-iterations=4 \
+ --pbkdf-memory=32 \
+ -- /dev/vda3
+cryptsetup luksOpen --key-file=/etc/homefs.key --allow-discards \
+ -- /dev/vda3 "vda3_crypt"
+mke2fs -Ft ext4 /dev/mapper/vda3_crypt
+cryptsetup close "vda3_crypt"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-sysvinit.d/preinst b/debian/tests/cryptroot-sysvinit.d/preinst
new file mode 100644
index 0000000..05157ca
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/preinst
@@ -0,0 +1,16 @@
+cat >/etc/crypttab <<-EOF
+ vda3_crypt /dev/vda3 /etc/homefs.key luks,discard
+ vda4_crypt /dev/vda4 /dev/urandom plain,cipher=aes-xts-plain64,size=256,discard,swap
+ vda5_crypt UUID=$(blkid -s UUID -o value /dev/vda5) none luks,discard
+EOF
+
+cat >/etc/fstab <<-EOF
+ /dev/mapper/vda3_crypt /home auto defaults 0 2
+ /dev/mapper/vda4_crypt none swap sw 0 0
+ /dev/mapper/vda5_crypt / auto errors=remount-ro 0 1
+ UUID=$(blkid -s UUID -o value /dev/vda2) /boot auto defaults 0 2
+EOF
+
+echo "RESUME=none" >/etc/initramfs-tools/conf.d/resume
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-sysvinit.d/setup b/debian/tests/cryptroot-sysvinit.d/setup
new file mode 100644
index 0000000..f8598a6
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/setup
@@ -0,0 +1,43 @@
+# Separate encrypted root FS and /home partitions, and transient swap --
+# the latter two are not unlocked at initramfs stage but later in the
+# boot process. This environment also uses sysvinit as PID1 so we can
+# test our init scripts.
+
+sfdisk --append /dev/vda <<-EOF
+ unit: sectors
+
+ start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS}
+ start=$(((64+128)*1024*2)), size=$((64*1024*2)), type=${GUID_TYPE_LUKS}
+ start=$(((64+128+64)*1024*2)), size=$((64*1024*2)), type=${GUID_TYPE_DMCRYPT}
+ start=$(((64+128+64+64)*1024*2)), type=${GUID_TYPE_LUKS}
+EOF
+udevadm settle
+
+# initialize a new LUKS partition and open it
+echo -n "topsecret" >/rootfs.key
+cryptsetup luksFormat --batch-mode \
+ --key-file=/rootfs.key \
+ --type=luks2 \
+ --pbkdf=argon2id \
+ --pbkdf-force-iterations=4 \
+ --pbkdf-memory=32 \
+ -- /dev/vda5
+cryptsetup luksOpen --key-file=/rootfs.key --allow-discards \
+ -- /dev/vda5 "vda5_crypt"
+udevadm settle
+
+cryptsetup open --type=plain --key-file=/dev/urandom --allow-discards \
+ -- /dev/vda4 "vda4_crypt"
+udevadm settle
+
+mke2fs -Ft ext4 /dev/mapper/vda5_crypt
+mount -t ext4 /dev/mapper/vda5_crypt "$ROOT"
+
+mkdir "$ROOT/boot"
+mke2fs -Ft ext2 -m0 /dev/vda2
+mount -t ext2 /dev/vda2 "$ROOT/boot"
+
+mkswap /dev/mapper/vda4_crypt
+swapon /dev/mapper/vda4_crypt
+
+# vim: set filetype=sh :
diff --git a/debian/tests/initramfs-hook b/debian/tests/initramfs-hook
new file mode 100755
index 0000000..4171102
--- /dev/null
+++ b/debian/tests/initramfs-hook
@@ -0,0 +1,267 @@
+#!/bin/bash
+
+set -eux
+PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+export PATH
+
+TMPDIR="$AUTOPKGTEST_TMP"
+
+# wrappers
+luks1Format() {
+ cryptsetup luksFormat --batch-mode --type=luks1 \
+ --pbkdf-force-iterations=1000 \
+ "$@"
+}
+luks2Format() {
+ cryptsetup luksFormat --batch-mode --type=luks2 \
+ --pbkdf=argon2id --pbkdf-force-iterations=4 --pbkdf-memory=32 \
+ "$@"
+}
+diff() { command diff --color=auto --text "$@"; }
+
+# create disk image
+CRYPT_IMG="$TMPDIR/disk.img"
+CRYPT_DEV=""
+install -m0600 /dev/null "$TMPDIR/keyfile"
+disk_setup() {
+ local lo
+ for lo in $(losetup -j "$CRYPT_IMG" | cut -sd: -f1); do
+ losetup -d "$lo"
+ done
+ dd if="/dev/zero" of="$CRYPT_IMG" bs=1M count=64
+ CRYPT_DEV="$(losetup --find --show -- "$CRYPT_IMG")"
+}
+
+# custom initramfs-tools configuration (to speed things up -- we use
+# COMPRESS=zstd since it's reasonably fast and COMPRESS=none is not
+# supported)
+mkdir "$TMPDIR/initramfs-tools"
+mkdir "$TMPDIR/initramfs-tools/conf.d" \
+ "$TMPDIR/initramfs-tools/scripts" \
+ "$TMPDIR/initramfs-tools/hooks"
+cat >"$TMPDIR/initramfs-tools/initramfs.conf" <<-EOF
+ COMPRESS=zstd
+ MODULES=list
+ RESUME=none
+ UMASK=0077
+EOF
+
+INITRD_IMG="$TMPDIR/initrd.img"
+INITRD_DIR="$TMPDIR/initrd"
+cleanup_initrd_dir() {
+ local d
+ for d in dev proc sys; do
+ mountpoint -q "$INITRD_DIR/$d" && umount "$INITRD_DIR/$d" || true
+ done
+ rm -rf --one-file-system -- "$INITRD_DIR"
+}
+trap cleanup_initrd_dir EXIT INT TERM
+
+mkinitramfs() {
+ local d
+ command mkinitramfs -d "$TMPDIR/initramfs-tools" -o "$INITRD_IMG"
+ # `mkinitramfs -k` would be better but we can't set $DESTDIR in advance
+ cleanup_initrd_dir
+ command unmkinitramfs "$INITRD_IMG" "$INITRD_DIR"
+ for d in dev proc sys; do
+ mkdir -p "$INITRD_DIR/$d"
+ mount --bind "/$d" "$INITRD_DIR/$d"
+ done
+}
+check_initrd_crypttab() {
+ local rv=0 err="${1+": $1"}"
+ diff --label=a/cryptroot/crypttab --label=b/cryptroot/crypttab \
+ --unified --ignore-space-change \
+ -- - "$INITRD_DIR/cryptroot/crypttab" || rv=$?
+ if [ $rv -ne 0 ]; then
+ printf "ERROR$err in file %s line %d\\n" "${BASH_SOURCE[0]}" ${BASH_LINENO[0]} >&2
+ exit 1
+ fi
+}
+
+
+#######################################################################
+# make sure /cryptroot/crypttab is empty when nothing needs to be unclocked early
+
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+luks2Format -- "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup luksOpen "$CRYPT_DEV" test0_crypt <"$TMPDIR/passphrase"
+cat >/etc/crypttab <<-EOF
+ test0_crypt $CRYPT_DEV none
+EOF
+
+mkinitramfs
+# make sure cryptsetup exists and doesn't crash (for instance due to missing libraries) in initrd
+chroot "$INITRD_DIR" cryptsetup --version
+test -f "$INITRD_DIR/lib/cryptsetup/askpass" || exit 1
+check_initrd_crypttab </dev/null
+
+
+#######################################################################
+# 'initramfs' crypttab option
+
+cat >/etc/crypttab <<-EOF
+ test0_crypt $CRYPT_DEV none initramfs
+EOF
+
+mkinitramfs
+chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup close test0_crypt
+check_initrd_crypttab <<-EOF
+ test0_crypt UUID=$(blkid -s UUID -o value "$CRYPT_DEV") none initramfs
+EOF
+
+
+#######################################################################
+# KEYFILE_PATTERN
+
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+luks2Format -- "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup luksOpen "$CRYPT_DEV" test1_crypt <"$TMPDIR/passphrase"
+cat >/etc/crypttab <<-EOF
+ test1_crypt $CRYPT_DEV $TMPDIR/keyfile initramfs
+EOF
+
+echo KEYFILE_PATTERN="$TMPDIR/keyfile" >>/etc/cryptsetup-initramfs/conf-hook
+tr -d '\n' <"$TMPDIR/passphrase" >"$TMPDIR/keyfile"
+mkinitramfs
+check_initrd_crypttab <<-EOF
+ test1_crypt UUID=$(blkid -s UUID -o value "$CRYPT_DEV") /cryptroot/keyfiles/test1_crypt.key initramfs
+EOF
+test -f "$INITRD_DIR/cryptroot/keyfiles/test1_crypt.key" || exit 1
+chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase --key-file="/cryptroot/keyfiles/test1_crypt.key" "$CRYPT_DEV"
+cryptsetup close test1_crypt
+
+
+#######################################################################
+# ASKPASS
+
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+luks2Format -- "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup luksOpen "$CRYPT_DEV" test2_crypt <"$TMPDIR/passphrase"
+cat >/etc/crypttab <<-EOF
+ test2_crypt $CRYPT_DEV none initramfs
+EOF
+
+# interactive unlocking forces ASKPASS=y
+echo ASKPASS=n >/etc/cryptsetup-initramfs/conf-hook
+mkinitramfs
+test -f "$INITRD_DIR/lib/cryptsetup/askpass" || exit 1
+
+# check that unlocking via keyscript doesn't copy askpass
+cat >/etc/crypttab <<-EOF
+ test2_crypt $CRYPT_DEV foobar initramfs,keyscript=passdev
+EOF
+mkinitramfs
+! test -f "$INITRD_DIR/lib/cryptsetup/askpass" || exit 1
+test -f "$INITRD_DIR/lib/cryptsetup/scripts/passdev" || exit 1
+
+# check that unlocking via keyfile doesn't copy askpass
+echo KEYFILE_PATTERN="$TMPDIR/keyfile" >>/etc/cryptsetup-initramfs/conf-hook
+tr -d '\n' <"$TMPDIR/passphrase" >"$TMPDIR/keyfile"
+cat >/etc/crypttab <<-EOF
+ test2_crypt $CRYPT_DEV $TMPDIR/keyfile initramfs
+EOF
+mkinitramfs
+! test -f "$INITRD_DIR/lib/cryptsetup/askpass" || exit 1
+chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase --key-file="/cryptroot/keyfiles/test2_crypt.key" "$CRYPT_DEV"
+cryptsetup close test2_crypt
+
+
+#######################################################################
+# legacy ciphers and hashes
+# see https://salsa.debian.org/cryptsetup-team/cryptsetup/-/merge_requests/31
+
+# LUKS2, blowfish
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+luks2Format --cipher="blowfish" -- "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup luksOpen "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase"
+echo "test3_crypt UUID=$(blkid -s UUID -o value "$CRYPT_DEV") none initramfs" >/etc/crypttab
+mkinitramfs
+legacy_so="$(find "$INITRD_DIR" -xdev -type f -path "*/ossl-modules/legacy.so")"
+test -z "$legacy_so" || exit 1 # legacy ciphers don't need legacy.so
+chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup close test3_crypt
+
+# plain, blowfish + ripemd160 (ignored due to keyfile)
+disk_setup
+head -c32 /dev/urandom >"$TMPDIR/keyfile"
+cryptsetup open --type=plain --cipher="blowfish" --key-file="$TMPDIR/keyfile" --size=256 --hash="ripemd160" "$CRYPT_DEV" test3_crypt
+mkfs.ext2 -m0 /dev/mapper/test3_crypt
+echo "test3_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=blowfish,hash=ripemd160,size=256,initramfs" >/etc/crypttab
+mkinitramfs
+legacy_so="$(find "$INITRD_DIR" -xdev -type f -path "*/ossl-modules/legacy.so")"
+test -z "$legacy_so" || exit 1 # don't need legacy.so here
+volume_key="$(dmsetup table --target crypt --showkeys -- test3_crypt | cut -s -d' ' -f5)"
+test -n "$volume_key" || exit 1
+cryptsetup close test3_crypt
+chroot "$INITRD_DIR" /scripts/local-top/cryptroot
+test -b /dev/mapper/test3_crypt || exit 1
+volume_key2="$(dmsetup table --target crypt --showkeys -- test3_crypt | cut -s -d' ' -f5)"
+test "$volume_key" = "$volume_key2" || exit 1
+cryptsetup close test3_crypt
+
+# plain, ripemd160
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+cryptsetup open --type=plain --cipher="aes-cbc-essiv:sha256" --size=256 --hash="ripemd160" "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase"
+echo "test3_crypt $CRYPT_DEV none plain,cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,initramfs" >/etc/crypttab
+mkinitramfs
+legacy_so="$(find "$INITRD_DIR" -xdev -type f -path "*/ossl-modules/legacy.so")"
+test -n "$legacy_so" || exit 1 # checks that we have legacy.so (positive check for the above)
+volume_key="$(dmsetup table --target crypt --showkeys -- test3_crypt | cut -s -d' ' -f5)"
+test -n "$volume_key" || exit 1
+cryptsetup close test3_crypt
+chroot "$INITRD_DIR" cryptsetup open --type=plain --cipher="aes-cbc-essiv:sha256" --size=256 --hash="ripemd160" "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase"
+test -b /dev/mapper/test3_crypt || exit 1
+volume_key2="$(dmsetup table --target crypt --showkeys -- test3_crypt | cut -s -d' ' -f5)"
+test "$volume_key" = "$volume_key2" || exit 1
+cryptsetup close test3_crypt
+
+# LUKS1, whirlpool
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+luks1Format --hash="whirlpool" -- "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup luksOpen "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase"
+echo "test3_crypt $CRYPT_DEV none initramfs" >/etc/crypttab
+mkinitramfs
+chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup close test3_crypt
+
+# LUKS2, ripemd160
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+luks2Format --hash="ripemd160" -- "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup luksOpen "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase"
+echo "test3_crypt $CRYPT_DEV none initramfs" >/etc/crypttab
+mkinitramfs
+chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup close test3_crypt
+
+# LUKS2 (detached header), ripemd160
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+luks2Format --hash="ripemd160" --header="$TMPDIR/header.img" -- "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup luksOpen --header="$TMPDIR/header.img" "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase"
+echo "test3_crypt $CRYPT_DEV none header=$TMPDIR/header.img,initramfs" >/etc/crypttab
+mkinitramfs
+cp -T "$TMPDIR/header.img" "$INITRD_DIR/cryptroot/header.img"
+chroot "$INITRD_DIR" cryptsetup luksOpen --header="/cryptroot/header.img" --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup close test3_crypt
+rm -f "$TMPDIR/header.img"
+
+# LUKS2 (detached header, missing), ripemd160
+disk_setup
+cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
+luks2Format --hash="ripemd160" --header="$TMPDIR/header.img" -- "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup luksOpen --header="$TMPDIR/header.img" "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase"
+echo "test3_crypt $CRYPT_DEV none header=/nonexistent,initramfs" >/etc/crypttab
+mkinitramfs
+cp -T "$TMPDIR/header.img" "$INITRD_DIR/cryptroot/header.img"
+chroot "$INITRD_DIR" cryptsetup luksOpen --header="/cryptroot/header.img" --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase"
+cryptsetup close test3_crypt
+rm -f "$TMPDIR/header.img"
diff --git a/debian/tests/utils/cryptroot-common b/debian/tests/utils/cryptroot-common
new file mode 100755
index 0000000..a7df37f
--- /dev/null
+++ b/debian/tests/utils/cryptroot-common
@@ -0,0 +1,537 @@
+#!/bin/bash
+
+# Base test file for cryptroot testing in KVM guests
+#
+# Copyright © 2021-2022 Guilhem Moulin <guilhem@debian.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set -eu
+
+TESTNAME="$(basename -- "$0")"
+TESTDIR="$(dirname -- "$0")"
+INTERACTIVE="n" # set to "y" to interact with the guest instead of mocking the session
+export TESTNAME TESTDIR
+
+declare -a EXTRA_REPOS=( "$@" ) # blindly append any extra arguments to sources.list
+START_TIME="$(printf "%(%s)T")"
+
+# Try to create /dev/kvm if missing, for instance in a chroot where /dev isn't managed by udev.
+# Then we can drop root privileges and run the rest of the script as a normal user
+if uid="$(id -u)" && [ $uid -eq 0 ]; then
+ if [ ! -c /dev/kvm ] && mknod -m0600 /dev/kvm c 10 232; then
+ echo "INFO: Created character special file /dev/kvm" >&2
+ fi
+ if [ -z "${AUTOPKGTEST_NORMAL_USER-}" ]; then
+ echo "WARN: \$AUTOPKGTEST_NORMAL_USER is empty or unset, preserving root privileges!" >&2
+ else
+ chown --from="root" -- "$AUTOPKGTEST_NORMAL_USER:" "$AUTOPKGTEST_TMP"
+ if [ -c /dev/kvm ]; then
+ if getent group kvm >/dev/null && chgrp -c kvm /dev/kvm; then
+ # kvm group is created by udev.postinst
+ chmod -c 0660 /dev/kvm
+ usermod -a -G kvm -- "$AUTOPKGTEST_NORMAL_USER"
+ else
+ chown -c -- "$AUTOPKGTEST_NORMAL_USER" "/dev/kvm"
+ fi
+ fi
+ echo "INFO: Dropping root privileges: re-executing as user '$AUTOPKGTEST_NORMAL_USER'" >&2
+ exec runuser -u "$AUTOPKGTEST_NORMAL_USER" -- "$0" "$@"
+ exit 1
+ fi
+fi
+
+set -x
+PATH="/usr/bin:/bin"
+export PATH
+
+if [ -t 1 ]; then
+ # set VT100 autowrap mode (DECAWM)
+ printf '\033[?7h'
+fi
+
+# get src:cryptsetup current version and distribution
+DEB_VERSION="$(dpkg-parsechangelog -SVERSION)"
+DEB_DISTRIBUTION="$(dpkg-parsechangelog -SDistribution)"
+DEB_BUILD_ARCHITECTURE="$(dpkg-architecture -qDEB_BUILD_ARCH)"
+DEB_BUILD_ARCH_BITS="$(dpkg-architecture -qDEB_BUILD_ARCH_BITS)"
+if [ "$DEB_DISTRIBUTION" = "UNRELEASED" ]; then
+ # take Distribution from the previous entry instead
+ DEB_DISTRIBUTION="$(dpkg-parsechangelog -o1 -c1 -SDistribution)" || DEB_DISTRIBUTION="unstable"
+ echo "WARN: Using Distribution: $DEB_DISTRIBUTION instead of UNRELEASED" >&2
+fi
+
+# determine suitable values for the APT repository Origin (for
+# autopkgtests) and URI (used outside autopkgtests) fields
+load_os_release() {
+ local os_release # see os-release(5)
+ [ -e "/etc/os-release" ] && os_release="/etc/os-release" || os_release="/usr/lib/os-release"
+ . "$os_release"
+}
+case "${DISTRIBUTOR_ID:="$(load_os_release && printf "%s" "${ID,,[A-Z]}")"}" in
+ debian) APT_REPO_ORIGIN="Debian"; APT_REPO_URI="http://deb.debian.org/debian";;
+ # suitable values for derivative can be added here
+ *) echo "ERROR: Unknown distributor ID '$DISTRIBUTOR_ID', can't extract APT origin" >&2;
+ exit 1;;
+esac
+
+# QEMU command and default options
+unset QEMU_MACHINE_TYPE QEMU_ACCEL QEMU_CPU_MODEL QEMU_SMP QEMU_MEMORY BOOT
+if [ -c /dev/kvm ] && dd if=/dev/kvm count=0 status=none; then
+ QEMU_ACCEL="kvm"
+else
+ echo "WARN: KVM is not available, guests will be slow!" >&2
+fi
+case "$DEB_BUILD_ARCHITECTURE" in
+ # see `kvm -machine help` and `kvm -cpu help`
+ amd64|i386)
+ BOOT="bios"
+ if [ "$DEB_BUILD_ARCHITECTURE" = "amd64" ]; then
+ QEMU_SYSTEM_CMD="qemu-system-x86_64"
+ else
+ QEMU_SYSTEM_CMD="qemu-system-$DEB_BUILD_ARCHITECTURE"
+ fi
+ QEMU_MACHINE_TYPE="q35"
+ if [ "${QEMU_ACCEL-}" = "kvm" ]; then
+ QEMU_CPU_MODEL="kvm$DEB_BUILD_ARCH_BITS,+aes,+sha-ni"
+ else
+ QEMU_CPU_MODEL="qemu$DEB_BUILD_ARCH_BITS,-svm,-vmx"
+ fi
+ ;;
+ arm64)
+ BOOT="efi"
+ QEMU_SYSTEM_CMD="qemu-system-aarch64"
+ QEMU_MACHINE_TYPE="virt"
+ QEMU_CPU_MODEL="cortex-a72"
+ ;;
+ armhf)
+ BOOT="efi"
+ QEMU_SYSTEM_CMD="qemu-system-arm"
+ QEMU_MACHINE_TYPE="virt"
+ QEMU_CPU_MODEL="cortex-a15"
+ ;;
+ *) echo "ERROR: Unknown architecture $DEB_BUILD_ARCHITECTURE" >&2; exit 1;;
+esac
+
+if ! command -v "$QEMU_SYSTEM_CMD" >/dev/null; then
+ echo "ERROR: Couldn't find $QEMU_SYSTEM_CMD in PATH" >&2
+ exit 1
+fi
+
+CPU_COUNT="$(getconf _NPROCESSORS_ONLN)" && [ -n "$CPU_COUNT" ] || CPU_COUNT=0
+if [ $CPU_COUNT -ge 8 ]; then
+ QEMU_SMP="cpus=4"
+elif [ $CPU_COUNT -ge 4 ]; then
+ QEMU_SMP="cpus=2"
+else
+ QEMU_SMP="cpus=1"
+fi
+
+MEM_AVAIL="$(awk '/MemAvailable/ { printf "%.0f \n", $2/1024^2 }' </proc/meminfo)" && [ -n "$MEM_AVAIL" ] || MEM_AVAIL=0
+if [ $MEM_AVAIL -gt 2 ] && [ $DEB_BUILD_ARCH_BITS -gt 32 ]; then
+ QEMU_MEMORY="size=2G"
+else
+ QEMU_MEMORY="size=1G"
+fi
+
+# number of times to powercycle the guest
+GUEST_POWERCYCLE=0
+
+# kernel flavor
+case "$DEB_BUILD_ARCHITECTURE" in
+ # see `ssh $porterbox.debian.org uname -r`
+ amd64) KERNEL_ARCH="amd64";;
+ arm64) KERNEL_ARCH="arm64";;
+ armhf) KERNEL_ARCH="armmp-lpae";;
+ i386) KERNEL_ARCH="686-pae";;
+ *) echo "ERROR: Unknown architecture $DEB_BUILD_ARCHITECTURE" >&2; exit 1;;
+esac
+
+# at the very least we need a boot loader, a kernel, and an init system
+case "$BOOT" in
+ bios) PKG_BOOTLOADER="grub-pc";;
+ efi) PKG_BOOTLOADER="grub-efi";;
+ *) echo "ERROR unknown boot method '$BOOT'" >&2; exit 1;;
+esac
+PKG_KERNEL="linux-image-$KERNEL_ARCH"
+PKG_INIT="systemd-sysv" # default pid1
+MERGED_USR="" # use default layout for the target version
+declare -a PKGS_EXTRA=() DRIVE_SIZES=( "2G" )
+PKGS_EXTRA+=( "zstd" ) # default initrd compression, see #976054
+
+if [ -f "$TESTDIR/$TESTNAME.d/config" ]; then
+ . "$TESTDIR/$TESTNAME.d/config" || exit 1
+fi
+
+if [ -n "${AUTOPKGTEST_TMP+x}" ] || [ ! -t 0 ] || [ ! -t 1 ]; then
+ INTERACTIVE="n"
+fi
+
+unset EFI_CODE EFI_VARS
+if [ "$BOOT" = "efi" ]; then
+ case "$DEB_BUILD_ARCHITECTURE" in
+ amd64|i386)
+ efi_fw_pkg="ovmf"
+ EFI_CODE="/usr/share/OVMF/OVMF_CODE.fd"
+ EFI_VARS="/usr/share/OVMF/OVMF_VARS.fd"
+ ;;
+ arm64)
+ efi_fw_pkg="qemu-efi-aarch64"
+ EFI_CODE="/usr/share/AAVMF/AAVMF_CODE.fd"
+ EFI_VARS="/usr/share/AAVMF/AAVMF_VARS.fd"
+ ;;
+ armhf)
+ efi_fw_pkg="qemu-efi-arm"
+ EFI_CODE="/usr/share/AAVMF/AAVMF32_CODE.fd"
+ EFI_VARS="/usr/share/AAVMF/AAVMF32_VARS.fd"
+ ;;
+ *) echo "ERROR: Unknown architecture $DEB_BUILD_ARCHITECTURE for EFI boot" >&2; exit 1;;
+ esac
+ for p in "$EFI_CODE" "$EFI_VARS"; do
+ if [ ! -f "$p" ]; then
+ echo "Couldn't find $p, is the '$efi_fw_pkg' package installed?" >&2
+ exit 1
+ fi
+ done
+fi
+
+case "${DEB_DISTRIBUTION%%-*}" in
+ etch|lenny|squeeze|wheezy|jessie|stretch|buster|bullseye)
+ if [ -z "$MERGED_USR" ]; then
+ MERGED_USR="no"
+ fi
+ ;;
+ *) if [ -z "$MERGED_USR" ]; then
+ MERGED_USR="yes"
+ elif [ "$MERGED_USR" = "no" ]; then
+ # #978636: Debian 12 (codename Bookworm) should only support merged-/usr layout
+ echo "WARN: this system is not supported! (unmerged-/usr)" >&2
+ fi
+ ;;
+esac
+
+# pin versions for all packages in PKGS_EXTRA that are part of this source package
+declare -a MYPKGS
+MYPKGS=( $(sed -nr 's/^Package:\s*//Ip' debian/control) )
+for i in "${!PKGS_EXTRA[@]}"; do
+ [ "${PKGS_EXTRA[i]%[=/]*}" = "${PKGS_EXTRA[i]}" ] || continue
+ for mypkg in "${MYPKGS[@]}"; do
+ if [ "${PKGS_EXTRA[i]}" = "$mypkg" ]; then
+ PKGS_EXTRA[i]="${PKGS_EXTRA[i]}=$DEB_VERSION"
+ fi
+ done
+done
+
+unset QEMU_PID
+TEMPDIR="$(mktemp --tmpdir="${AUTOPKGTEST_TMP:-"${TMPDIR:-/tmp}"}" --directory "$TESTNAME.XXXXXXXXXX")"
+teardown() {
+ local rv=$? ts
+ if [ -n "${QEMU_PID+x}" ]; then
+ kill $QEMU_PID || true
+ fi
+ rm -rf -- "$TEMPDIR"
+ trap - EXIT
+
+ # try to fix terminal
+ [ ! -t 1 ] || printf '\033[?7h'
+
+ ts="$(printf "%(%s)T")"
+ rv=${1-$rv}
+ printf "Result for test '%s': exit status %s, runtime %d seconds\\n" "$TESTNAME" $rv $((ts - START_TIME))
+
+ exit $rv
+}
+trap "teardown" EXIT
+trap "teardown 1" INT TERM
+
+# set up APT for the testbed
+setup_apt() {
+ # we need a new cache to reliably determine essential and extra packages
+ APT_CACHE="$TEMPDIR/apt/cache"
+ APT_LISTS="$TEMPDIR/apt/lists"
+ mkdir -- "$TEMPDIR/apt" "$APT_CACHE" "$APT_LISTS"
+ ln -s "cache/archives" "$TEMPDIR/apt/pool"
+ touch "$TEMPDIR/apt/status"
+
+ if [ -n "${AUTOPKGTEST_TMP-}" ]; then
+ # reuse existing sources.list
+ apt-get indextargets \
+ --format "\$(TARGET_OF) \$(REPO_URI) \$(RELEASE) \$(COMPONENT)" \
+ "Target-Of: deb" "Identifier: Packages" "Origin: $APT_REPO_ORIGIN" \
+ >"$TEMPDIR/apt/sources.list"
+ # local autopkgtest repo has Repo-URI: file:/tmp/autopkgtest.XXXXXX/binaries/ ,
+ # Release: (empty) and no Component:
+ apt-get indextargets \
+ --format "\$(TARGET_OF) \$(REPO_URI) /" \
+ "Target-Of: deb" "Identifier: Packages" "Trusted: Yes" "Release: " \
+ >>"$TEMPDIR/apt/sources.list"
+ else
+ # generate new sources.list
+ case "$DEB_DISTRIBUTION" in
+ experimental) cat <<-EOF
+ deb $APT_REPO_URI unstable main
+ deb $APT_REPO_URI experimental main
+ EOF
+ ;;
+ *-security) cat <<-EOF
+ deb $APT_REPO_URI ${DEB_DISTRIBUTION%-security} main
+ deb $APT_REPO_URI-security $DEB_DISTRIBUTION main
+ EOF
+ ;;
+ *-*) cat <<-EOF
+ deb $APT_REPO_URI ${DEB_DISTRIBUTION%%-*} main
+ deb $APT_REPO_URI $DEB_DISTRIBUTION main
+ EOF
+ ;;
+ *) cat <<-EOF
+ deb $APT_REPO_URI $DEB_DISTRIBUTION main
+ EOF
+ ;;
+ esac >"$TEMPDIR/apt/sources.list"
+ fi
+
+ local apt_repo
+ for apt_repo in "${EXTRA_REPOS[@]}"; do
+ printf "%s\\n" "$apt_repo" >>"$TEMPDIR/apt/sources.list"
+ done
+
+ # replace file: URIs with copy: as we rely on --download-only copying .deb files to APT's cache
+ sed -ri 's/^(deb\S*)\s+\[([^]]+)\]\s+file:/\1 [\2,trusted=yes] copy:/;
+ s/^(deb\S*)\s+file:/\1 [trusted=yes] copy:/' \
+ -- "$TEMPDIR/apt/sources.list"
+
+ apt-update
+}
+
+# wrapper arround `apt-get install --download-only`
+# (we don't use `--print-uris` since it doesn't include what's been
+# included already)
+apt-download() {
+ _apt get install --download-only "$@"
+}
+apt-update() {
+ _apt get -o Acquire::Languages="none" update
+}
+apt-show() {
+ _apt cache show "$@"
+}
+_apt() {
+ local cmd="$1"
+ shift
+ env -i DEBIAN_FRONTEND="noninteractive" \
+ "apt-$cmd" \
+ -o APT::Architecture="$DEB_BUILD_ARCHITECTURE" \
+ -o APT::Architectures="$DEB_BUILD_ARCHITECTURE" \
+ -o APT::Get::Assume-Yes=true \
+ -o APT::Install-Recommends=false \
+ -o Dir::Cache="$APT_CACHE" \
+ -o Dir::Etc::SourceList="$TEMPDIR/apt/sources.list" \
+ -o Dir::Etc::SourceParts="" \
+ -o Dir::State::Lists="$APT_LISTS" \
+ -o Dir::State::Status="$TEMPDIR/apt/status" \
+ ${AUTOPKGTEST_TMP+-o Dir::Etc::Preferences="/etc/apt/preferences" -o Dir::Etc::PreferencesParts="/etc/apt/preferences.d/"} \
+ "$@"
+}
+
+
+# create a disk image with essential and extra packages
+create_debian_img() {
+ local img="$1" dir size deb usr_is_merged
+
+ dir="$(mktemp --tmpdir="$TEMPDIR" --directory debian.XXXXXXXXXX)"
+ mkdir -- "$dir/dists" "$dir/pool"
+
+ # TODO remove this once Bookworm is released, assuming
+ # init-system-helpers no longer has "Depends: usrmerge | usr-is-merged"
+ [ "$MERGED_USR" = "yes" ] && usr_is_merged="usr-is-merged" || usr_is_merged=""
+
+ # apt considers itself essential so we explicitely exclude it for stage1
+ mkdir -- "$dir/__stage1__"
+ apt-download -- "?and(?essential, ?not(?exact-name(apt)))" ${usr_is_merged:+"$usr_is_merged"}
+ for deb in "$APT_CACHE"/archives/*.deb; do
+ ln -sT "../pool/${deb##*/}" "$dir/__stage1__/${deb##*/}"
+ done
+
+ # useless for stage1
+ rm -f "$dir"/__stage1__/usr-is-merged_*.deb "$dir"/__stage1__/usrmerge_*.deb
+
+ mkdir -- "$dir/__essential__"
+ apt-download -- "?essential" "apt" ${usr_is_merged:+"$usr_is_merged"}
+ for deb in "$APT_CACHE"/archives/*.deb; do
+ ln -sT "../pool/${deb##*/}" "$dir/__essential__/${deb##*/}"
+ done
+
+ makedist "$dir"
+ extract_kernel "$TEMPDIR/linux-image"
+
+ # for `dpkg --update-avail`
+ ( cd "$dir/__essential__" && dpkg-scanpackages . >./Packages )
+
+ size="$(du -sb -- "$dir")"
+ size=$(( ${size%%[!0-9]*} / 1000 )) # approx 97% (1000/1024) full
+ genext2fs -qm0 -B 1024 -b "$size" -d "$dir" -L "debian_dist" "$img"
+ rm -rf -- "$dir"
+}
+makedist() {
+ local basedir="$1"
+ local distdir="$basedir/dists"
+ apt-download -- "?essential" "apt" ${usr_is_merged:+"$usr_is_merged"} \
+ "$PKG_BOOTLOADER" "$PKG_KERNEL" "$PKG_INIT" \
+ "${PKGS_EXTRA[@]}"
+ rm -f -- "$APT_CACHE/archives/$PKG_KERNEL"_*.deb # remove the generic .deb (only keep its dependency with versioned ABI)
+ for deb in "$APT_CACHE"/archives/*.deb; do
+ # assume no file conflicts and override existing .debs
+ ln -ft "$basedir/pool" -- "$deb"
+ done
+ ( cd "$APT_CACHE" && dpkg-scanpackages ../pool >"$distdir/Packages" )
+}
+
+# extract kernel to $TEMPDIR/linux-image and sets KERNEL_VERSION
+extract_kernel() {
+ local destdir="$1" deb_version_regex kernel_deb_regex
+ deb_version_regex="[0-9][A-Za-z0-9.+:~-]*" # per deb-version(7)
+ # we use may a kernel version other than what we're running, however the arch much be the same
+ kernel_deb_regex="linux-image-[0-9][a-z0-9.+-]*-${KERNEL_ARCH}_${deb_version_regex}_${DEB_BUILD_ARCHITECTURE}.deb"
+ KERNEL_DEB="$(find -P "$APT_CACHE/archives" -mindepth 1 -maxdepth 1 \
+ -regextype egrep -regex ".*/$kernel_deb_regex" -type f -printf "%P\\n" | \
+ sort -Vt_ -k2 | tail -n1)"
+ KERNEL_VERSION="${KERNEL_DEB#linux-image-*}"
+ KERNEL_VERSION="${KERNEL_VERSION%%_*}"
+
+ # extract the kernel of the .deb we downloaded
+ if [ ! -f "$APT_CACHE/archives/$KERNEL_DEB" ]; then
+ echo "ERROR: Couldn't find .deb for target kernel $KERNEL_VERSION" >&2
+ exit 1
+ fi
+
+ mkdir "$destdir"
+ dpkg-deb --fsys-tarfile "$APT_CACHE/archives/$KERNEL_DEB" | tar -C "$destdir" -xf- \
+ "./boot/vmlinuz-$KERNEL_VERSION" \
+ "./lib/modules/$KERNEL_VERSION"
+ ln -T -- "$destdir/boot/vmlinuz-$KERNEL_VERSION" "$TEMPDIR/vmlinuz-$KERNEL_VERSION"
+}
+
+# make sure the desired version of the package is available in the testbed
+setup_apt
+if ! apt-show "cryptsetup-bin=$DEB_VERSION" >"$TEMPDIR/out" || [ ! -s "$TEMPDIR/out" ]; then
+ apt-show -a "cryptsetup-bin" || true
+ echo "ERROR: Cannot find version $DEB_VERSION of package cryptsetup-bin" >&2
+ exit 1
+fi
+
+DEBIAN_IMG="$TEMPDIR/$DEB_DISTRIBUTION-$DEB_BUILD_ARCHITECTURE.img"
+create_debian_img "$DEBIAN_IMG"
+
+case "$DEB_BUILD_ARCHITECTURE" in
+ arm64|armhf) CONSOLE="ttyAMA0";;
+ *) CONSOLE="ttyS0";;
+esac
+
+env PACKAGES="$PKG_BOOTLOADER linux-image-$KERNEL_VERSION $PKG_INIT ${PKGS_EXTRA[*]}" \
+ BOOT="$BOOT" \
+ CONSOLE="$CONSOLE" \
+ ARCH="$DEB_BUILD_ARCHITECTURE" \
+ MERGED_USR="$MERGED_USR" \
+ "$TESTDIR/utils/mkinitramfs" "$TEMPDIR/linux-image" "$KERNEL_VERSION" "$TEMPDIR/initrd.img-$KERNEL_VERSION"
+rm -rf -- "$TEMPDIR/apt" "$TEMPDIR/linux-image" # don't need that anymore
+
+declare -a QEMU_COMMON_ARGS=(
+ -no-user-config
+ -nodefaults
+ -name "autopkgtest-cryptsetup-$TESTNAME"
+ -machine "${QEMU_MACHINE_TYPE:+"type=$QEMU_MACHINE_TYPE,"}${QEMU_ACCEL:+"accel=$QEMU_ACCEL,"}graphics=off"
+ ${QEMU_CPU_MODEL:+-cpu "$QEMU_CPU_MODEL"}
+ ${QEMU_SMP:+-smp "$QEMU_SMP"}
+ ${QEMU_MEMORY:+-m "$QEMU_MEMORY"}
+ -vga none
+ -display none
+ -object "rng-random,id=rng0,filename=/dev/urandom" -device "virtio-rng-pci,rng=rng0"
+ -boot "order=c,strict=on"
+)
+
+for ((i=0; i < ${#DRIVE_SIZES[@]}; i++)); do
+ drive_img="$TEMPDIR/drive$i.img"
+ fallocate -l "${DRIVE_SIZES[i]}" "$drive_img"
+ QEMU_COMMON_ARGS+=(
+ -drive "file=$drive_img,format=raw,cache=unsafe,if=virtio,index=$i,media=disk"
+ )
+done
+
+if [ "$BOOT" = "efi" ]; then
+ # $EFI_VARS needs to be writable so guests can update their variables
+ install -Tm0644 -- "$EFI_VARS" "$TEMPDIR/efivars.fd"
+ QEMU_COMMON_ARGS+=(
+ -drive "file=$EFI_CODE,format=raw,if=pflash,unit=0,read-only=on"
+ -drive "file=$TEMPDIR/efivars.fd,format=raw,if=pflash,unit=1"
+ )
+fi
+
+LOGDIR="$TEMPDIR"
+SOCKETDIR="$TEMPDIR"
+if [ "$INTERACTIVE" != "y" ]; then
+ QEMU_COMMON_ARGS+=(
+ -device "virtio-serial"
+ -chardev "socket,id=hvc0,path=$SOCKETDIR/hvc0,server=on,wait=off,logfile=$LOGDIR/hvc0.log,logappend=on"
+ -device "virtconsole,chardev=hvc0"
+ )
+fi
+
+declare QEMU_STDIO_ARGS=(
+ # setup is always fully unattended
+ -chardev "stdio,id=char0,mux=on,logfile=$LOGDIR/qemu.log,logappend=on"
+ -serial "chardev:char0"
+ -mon "chardev=char0,mode=readline"
+)
+if [ "$INTERACTIVE" != "y" ] || [ -n "${AUTOPKGTEST_TMP+x}" ]; then
+ # XXX if KVM is detected we could reduce the timeout to 300s or so
+ QEMU_TIMEOUT="y"
+ exec </dev/null
+else
+ QEMU_TIMEOUT=""
+fi
+
+QEMU_DEBIANIMG_DRIVE="file=$DEBIAN_IMG,format=raw,if=virtio,readonly=on,media=cdrom"
+${QEMU_TIMEOUT:+timeout 3600s} "$QEMU_SYSTEM_CMD" \
+ "${QEMU_COMMON_ARGS[@]}" "${QEMU_STDIO_ARGS[@]}" \
+ -drive "$QEMU_DEBIANIMG_DRIVE" \
+ -kernel "$TEMPDIR/vmlinuz-$KERNEL_VERSION" \
+ -append "console=$CONSOLE,115200n8" \
+ -initrd "$TEMPDIR/initrd.img-$KERNEL_VERSION" \
+ || exit $?
+
+if [ "$INTERACTIVE" = "y" ]; then
+ for ((i=0; i <= GUEST_POWERCYCLE; i++)); do
+ "$QEMU_SYSTEM_CMD" \
+ "${QEMU_COMMON_ARGS[@]}" "${QEMU_STDIO_ARGS[@]}" \
+ -netdev "user,id=net0" -device "virtio-net-pci,netdev=net0"
+ done
+else
+ for ((i=0; i <= GUEST_POWERCYCLE; i++)); do
+ ${QEMU_TIMEOUT:+timeout 900s} "$QEMU_SYSTEM_CMD" \
+ "${QEMU_COMMON_ARGS[@]}" \
+ -chardev "socket,id=mon0,path=$SOCKETDIR/mon0,server=on,wait=off,logfile=$LOGDIR/mon0.log,logappend=on" \
+ -mon "chardev=mon0,mode=control" \
+ -chardev "socket,id=ttyS0,path=$SOCKETDIR/ttyS0,server=on,wait=on,logfile=$LOGDIR/ttyS0.log,logappend=on" \
+ -serial "chardev:ttyS0" \
+ &
+ QEMU_PID=$!
+ "$TESTDIR/$TESTNAME.d/mock" "$i" "$SOCKETDIR" || exit 1
+ wait $QEMU_PID && rv=0 || rv=$?
+ unset QEMU_PID
+ [ $rv -eq 0 ] || exit $rv
+ done
+fi
+
+echo "PASSED"
+exit 0
diff --git a/debian/tests/utils/debootstrap b/debian/tests/utils/debootstrap
new file mode 100755
index 0000000..258be5a
--- /dev/null
+++ b/debian/tests/utils/debootstrap
@@ -0,0 +1,125 @@
+#!/bin/sh
+
+# Debootstrap a target system
+#
+# Copyright © 2021-2022 Guilhem Moulin <guilhem@debian.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set -eu
+PATH="/usr/sbin:/usr/bin:/sbin:/bin"
+export PATH
+
+ESSENTIAL="/media/__essential__"
+TEMPDIR="$(mktemp --tmpdir --directory "debootstrap.XXXXXXXXXX")"
+trap "rm -rf -- \"$TEMPDIR\"" EXIT INT TERM
+
+sed -rn "/^Package:\\s*/I {s///;s/$/ install/p}" "$ESSENTIAL/Packages" >"$TEMPDIR/Packages.sel"
+
+install -m0644 /dev/null "/var/lib/dpkg/status"
+dpkg --update-avail "$ESSENTIAL/Packages"
+dpkg --set-selections <"$TEMPDIR/Packages.sel"
+
+mkdir -- "$TEMPDIR/dpkg"
+mkdir -- "$TEMPDIR/dpkg/files" "$TEMPDIR/dpkg/depends" "$TEMPDIR/dpkg/pre-depends"
+
+# extract metadata (package names, file names, Depends and Pre-Depends
+# for easier processing)
+for deb in "$ESSENTIAL"/*.deb; do
+ pkg=$(dpkg-deb --show --showformat="\${Package}" "$deb")
+ case "$pkg" in
+ # special case: base-files Pre-Depends on awk but we only have mawk (or gawk)
+ mawk|gawk) pkg="awk";;
+ esac
+ printf "%s\\n" "$pkg" >>"$TEMPDIR/dpkg/avail"
+ printf "%s\\n" "$deb" >"$TEMPDIR/dpkg/files/$pkg"
+ dpkg-deb --show --showformat="\${Pre-Depends}\\n" "$deb" >"$TEMPDIR/predeps"
+ dpkg-deb --show --showformat="\${Depends}\\n" "$deb" >"$TEMPDIR/deps"
+ sed -ri "s/,\\s*/\\n/g" -- "$TEMPDIR/predeps" "$TEMPDIR/deps"
+ sed -i "s/[[:blank:]:].*//; /^[[:blank:]]*$/d" -- "$TEMPDIR/predeps" "$TEMPDIR/deps"
+ mv -T -- "$TEMPDIR/predeps" "$TEMPDIR/dpkg/pre-depends/$pkg"
+ mv -T -- "$TEMPDIR/deps" "$TEMPDIR/dpkg/depends/$pkg"
+done
+
+if [ -L /bin ] && [ -L /sbin ] && [ -L /lib ]; then
+ # TODO remove this once Bookworm is released, assuming
+ # init-system-helpers no longer has "Depends: usrmerge | usr-is-merged"
+ sed -i "s/^usrmerge$/usr-is-merged/" -- "$TEMPDIR/dpkg/depends/init-system-helpers"
+fi
+
+# recursively append dependencies to $OUT; abort and return 1 if one of
+# the (recursive) dependency has an unsatisfied Pre-Depends
+resolve_deps() {
+ local pkg="$1" dep
+ while read -r dep; do
+ if grep -Fxq -e "$dep" <"$TEMPDIR/dpkg/avail"; then
+ # $pkg has an unsatisfied Pre-Depends, can't proceed further
+ return 1
+ fi
+ done <"$TEMPDIR/dpkg/pre-depends/$pkg"
+ while read -r dep; do
+ if grep -Fxq -e "$dep" <"$TEMPDIR/dpkg/avail" && ! grep -Fxq -e "$dep" <"$OUT"; then # break cycles
+ printf "%s\\n" "$dep" >>"$OUT"
+ resolve_deps "$dep" || return $?
+ fi
+ done <"$TEMPDIR/dpkg/depends/$pkg"
+ return 0
+}
+
+# dump to $OUT a list of packages that can be installed (only packages
+# without unsatisfied pre-dependencies, and typically packages that are
+# pre-dependencies of other packages) -- using `dpkg --predep-package`
+# would be convenient but it doesn't work with recursive dependencies,
+# cf. #539133
+can_install_next() {
+ local pkg
+ while read -r pkg; do
+ printf "%s\\n" "$pkg" >"$OUT"
+ if resolve_deps "$pkg"; then
+ return 0
+ fi
+ done <"$TEMPDIR/dpkg/avail"
+
+ echo "PANIC: No remaining dependencies are satisfiable!" >&2
+ cat <"$TEMPDIR/dpkg/avail" >&2
+ exit 1
+}
+
+# keep going until all available packages are installed
+OUT="$TEMPDIR/pkg.list"
+XARGS_IN="$TEMPDIR/deb.list"
+while [ -s "$TEMPDIR/dpkg/avail" ]; do
+ can_install_next || exit 1
+
+ echo -n ">>> Installing: " >&2
+ paste -sd" " <"$OUT" >&2
+
+ while read -r pkg; do
+ cat "$TEMPDIR/dpkg/files/$pkg"
+ done <"$OUT" >"$XARGS_IN"
+ xargs -a"$XARGS_IN" -d"\\n" dpkg -i
+
+ grep -Fx -vf "$OUT" <"$TEMPDIR/dpkg/avail" >"$TEMPDIR/dpkg/avail.new" || true
+ mv -T -- "$TEMPDIR/dpkg/avail.new" "$TEMPDIR/dpkg/avail"
+done
+
+echo apt apt >/var/lib/dpkg/cmethopt
+echo "deb [trusted=yes] file:/media/dists /" >/etc/apt/sources.list
+cat >/etc/apt/apt.conf.d/99debootstrap <<-EOF
+ Acquire::Languages "none";
+ APT::Install-Recommends "false";
+ APT::Install-Suggests "false";
+EOF
+
+apt-get -oAcquire::Languages="none" -oAPT::Sandbox::User="root" -qq update
diff --git a/debian/tests/utils/init b/debian/tests/utils/init
new file mode 100755
index 0000000..242a0c5
--- /dev/null
+++ b/debian/tests/utils/init
@@ -0,0 +1,273 @@
+#!/bin/sh
+
+# PID1 at initramfs stage
+#
+# Copyright © 2021-2022 Guilhem Moulin <guilhem@debian.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set -eux
+PATH="/usr/sbin:/usr/bin:/sbin:/bin"
+export PATH
+
+trap "echo \"ALERT! Couldn't setup system, dropping to a shell.\" >&2; sh -i" 0
+
+# set VT100 autowrap mode again (QEMU might mess the terminal up)
+printf '\033[?7h'
+
+mount -t devtmpfs -o noexec,nosuid,mode=0755 udev /dev
+
+mkdir /dev/pts /proc /run /sys
+mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts
+mount -t proc -o nodev,noexec,nosuid proc /proc
+mount -t tmpfs -o nodev,noexec,nosuid,size=5%,mode=0755 tmpfs /run
+mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
+
+modprobe virtio_rng # /dev/hwrng (avoid entropy starvation)
+modprobe virtio_pci
+modprobe virtio_blk # /dev/vd[a-z]
+modprobe virtio_console # /dev/hvc[0-7]
+
+# start udevd
+/lib/systemd/systemd-udevd --daemon
+udevadm trigger --type=subsystems --action=add
+udevadm trigger --type=devices --action=add
+udevadm settle
+
+. /init.conf
+
+# https://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs
+GUID_TYPE_MBR="024DEE41-33E7-11D3-9D69-0008C781F39F" # MBR partition scheme
+GUID_TYPE_EFI="C12A7328-F81F-11D2-BA4B-00A0C93EC93B" # EFI boot partition
+GUID_TYPE_BIOS_boot="21686148-6449-6E6F-744E-656564454649" # BIOS boot partition
+GUID_TYPE_Linux_FS="0FC63DAF-8483-4772-8E79-3D69D8477DE4" # Linux filesystem data
+GUID_TYPE_LUKS="CA7D7CCB-63ED-4C53-861C-1742536059CC" # LUKS partition
+GUID_TYPE_DMCRYPT="7FFEC5C9-2D00-49B7-8941-3EA10A5586B7" # Plain dm-crypt partition
+GUID_TYPE_LVM="E6D6D379-F507-44C2-A23C-238F2A3DF928" # Logical Volume Manager partition
+GUID_TYPE_RAID="A19D880F-05FC-4D3B-A006-743F0F84911E" # RAID partition
+
+if [ "$BOOT" = "bios" ]; then
+ BOOT_PARTITION_SIZE=2
+ BOOT_PARTITION_TYPE="$GUID_TYPE_BIOS_boot"
+elif [ "$BOOT" = "efi" ]; then
+ BOOT_PARTITION_SIZE=63
+ BOOT_PARTITION_TYPE="$GUID_TYPE_EFI"
+else
+ echo "ERROR unknown boot method '$BOOT'" >&2
+ exit 1
+fi
+
+# format the target disk and create a BIOS/EFI partition
+sfdisk /dev/vda <<-EOF
+ label: gpt
+ unit: sectors
+
+ start=$((1024*2)), size=$((BOOT_PARTITION_SIZE*1024*2)), type=$BOOT_PARTITION_TYPE
+EOF
+udevadm settle
+
+ROOT="/target"
+mkdir -m0755 "$ROOT"
+# /init.setup is expected to create the root filesystem of the target
+# system and mount it (alongside other filesystems) on $ROOT
+. /init.setup
+udevadm settle
+
+# inspired by debootstrap's /usr/share/debootstrap/functions
+if [ "$MERGED_USR" = "yes" ]; then
+ case "$ARCH" in
+ amd64) libdir="lib32 lib64 libx32";;
+ i386) libdir="lib64 libx32";;
+ mips|mipsel) libdir="lib32 lib64";;
+ mips64*|mipsn32*) libdir="lib32 lib64 libo32";;
+ loongarch64*) libdir="lib32 lib64";;
+ powerpc) libdir="lib64";;
+ ppc64) libdir="lib32 lib64";;
+ ppc64el) libdir="lib64";;
+ s390x) libdir="lib32";;
+ sparc) libdir="lib64";;
+ sparc64) libdir="lib32 lib64";;
+ x32) libdir="lib32 lib64 libx32";;
+ *) libdir="";;
+ esac
+ for dir in bin sbin lib $libdir; do
+ ln -s "usr/$dir" "$ROOT/$dir"
+ mkdir -p "$ROOT/usr/$dir"
+ done
+fi
+
+mkdir /media
+DEBIAN_DIST="$(blkid -l -t LABEL="debian_dist" -o device)"
+mount -t ext2 -o ro "$DEBIAN_DIST" /media
+for pkg in /media/__stage1__/*.deb; do
+ dpkg-deb --fsys-tarfile "$pkg" | tar -C "$ROOT" -xf - --keep-directory-symlink
+done
+
+# setup hosts(5) and hostname(5)
+echo "$HOSTNAME" >"$ROOT/etc/hostname"
+echo "127.0.0.1 localhost $HOSTNAME" >"$ROOT/etc/hosts"
+
+# EFI
+if [ "$BOOT" = "efi" ]; then
+ modprobe efivarfs
+ mount -t efivarfs efivarfs /sys/firmware/efi/efivars
+
+ mkfs.vfat -F 32 /dev/vda1
+ mkdir "$ROOT/boot/efi"
+ mount -t vfat /dev/vda1 "$ROOT/boot/efi"
+
+ cat >>"$ROOT/etc/fstab" <<-EOF
+ UUID=$(blkid -s UUID -o value /dev/vda1) /boot/efi auto defaults 0 2
+ EOF
+fi
+
+# bind mount pseudo and temporary filesystems to "$ROOT"
+mount -no bind /dev "$ROOT/dev"
+mount -no bind /proc "$ROOT/proc"
+mount -no bind /sys "$ROOT/sys"
+mount -t tmpfs -o nodev,noexec,nosuid,size=5%,mode=0755 tmpfs "$ROOT/run"
+
+# prevent any services from starting during package installation, taken
+# from debootstrap(8)
+cat >"$ROOT/usr/sbin/policy-rc.d" <<-EOF
+ #!/bin/sh
+ exit 101
+EOF
+chmod +x "$ROOT/usr/sbin/policy-rc.d"
+
+mv "$ROOT/sbin/start-stop-daemon" "$ROOT/sbin/start-stop-daemon.REAL"
+cat >"$ROOT/sbin/start-stop-daemon" <<-EOF
+ #!/bin/sh
+ echo
+ echo "Warning: Fake start-stop-daemon called, doing nothing"
+EOF
+chmod +x "$ROOT/usr/sbin/policy-rc.d" "$ROOT/sbin/start-stop-daemon"
+
+DEBIAN_FRONTEND="noninteractive"
+DEBCONF_NONINTERACTIVE_SEEN="true"
+export DEBIAN_FRONTEND DEBCONF_NONINTERACTIVE_SEEN
+
+# debootstrap the target system
+mkdir "$ROOT/media"
+mount -no move /media "$ROOT/media"
+cp -p /debootstrap "$ROOT/debootstrap"
+chroot "$ROOT" /debootstrap
+rm -f "$ROOT/debootstrap"
+
+# use MODULES=dep (if it works with fewer modules then it also works
+# with the default MODULES=most)
+mkdir -p "$ROOT/etc/initramfs-tools/conf.d"
+echo "MODULES=dep" >"$ROOT/etc/initramfs-tools/conf.d/modules"
+
+cp /init.preinst "$ROOT/init.preinst"
+chroot "$ROOT" /bin/sh -eux /init.preinst
+rm -f "$ROOT/init.preinst"
+udevadm settle
+
+# install extra packages
+chroot "$ROOT" apt-get -oAPT::Sandbox::User="root" install --yes $PACKAGES
+rm -f "$ROOT/etc/apt/sources.list"
+
+# configure and install GRUB
+cat >"$ROOT/etc/default/grub" <<-EOF
+ GRUB_DEFAULT=0
+ GRUB_TIMEOUT=0
+ GRUB_CMDLINE_LINUX_DEFAULT=""
+ GRUB_CMDLINE_LINUX="console=$CONSOLE,115200n8"
+ GRUB_DISABLE_RECOVERY=true
+ GRUB_TERMINAL="console serial"
+ GRUB_SERIAL_COMMAND="serial --speed=115200"
+EOF
+chroot "$ROOT" grub-install --no-floppy --modules=part_gpt /dev/vda
+chroot "$ROOT" update-grub
+
+chroot "$ROOT" busybox passwd -d root # make root account passwordless
+
+# show some system info right after login to ease troubleshooting
+cat >"$ROOT/root/.profile" <<-EOF
+ run_verbose() {
+ printf "\\\`%s\\\` output:\\\\n" "\$*"
+ "\$@"
+ }
+ stty cols 150
+ run_verbose dmsetup table
+ run_verbose lsblk
+ run_verbose df -h
+EOF
+
+cat >"$ROOT/root/.inputrc" <<-EOF
+ # disabled bracketed paste mode
+ set enable-bracketed-paste off
+EOF
+
+if [ -d "$ROOT/etc/systemd/system" ]; then
+ # systemd
+ if [ -c "$ROOT/dev/hvc0" ]; then
+ # serial-getty@ttyS0.service is automatically enabled due to the console= kernel parameter
+ ln -s "/dev/null" "$ROOT/etc/systemd/system/serial-getty@ttyS0.service"
+ ln -s "/lib/systemd/system/serial-getty@.service" \
+ "$ROOT/etc/systemd/system/getty.target.wants/serial-getty@hvc0.service"
+ fi
+
+ # mask all timer units
+ for t in "$ROOT"/lib/systemd/system/*.timer; do
+ test -f "$t" || continue
+ ln -s "/dev/null" "$ROOT/etc/systemd/system/${t##*/}"
+ done
+
+ # mask systemd-firstboot.service
+ ln -s "/dev/null" "/root/etc/systemd/system/systemd-firstboot.service"
+fi
+
+if [ -f "$ROOT/etc/inittab" ]; then
+ # sysvinit
+ if [ -c "$ROOT/dev/hvc0" ]; then
+ echo "h0:2345:respawn:/sbin/agetty -8 -L 115200 hvc0 linux"
+ else
+ echo "S0:23:respawn:/sbin/getty -8 -L 115200 $CONSOLE linux"
+ fi >>"$ROOT/etc/inittab"
+fi
+
+if [ -f /init.postinst ]; then
+ cp /init.postinst "$ROOT/init.postinst"
+ chroot "$ROOT" /bin/sh -eux /init.postinst
+ rm -f "$ROOT/init.postinst"
+fi
+
+# allow service startup again
+mv "$ROOT/sbin/start-stop-daemon.REAL" "$ROOT/sbin/start-stop-daemon"
+rm "$ROOT/usr/sbin/policy-rc.d"
+
+# unmount pseudo filesystems from the target system
+umount "$ROOT/dev"
+umount "$ROOT/proc"
+umount "$ROOT/sys"
+
+if [ "$BOOT" = "efi" ]; then
+ umount "$ROOT/boot/efi"
+fi
+umount "$ROOT/media"
+umount "$ROOT/run"
+
+# /init.bottom is expected to umount $ROOT and its submounts
+ROOT="$ROOT" sh -eux /init.bottom
+
+# stop udevd
+udevadm control --exit
+
+# exiting this script yields "Kernel panic - not syncing: Attempted to
+# kill init!", so give the asyncronous SysRq trigger a chance to power
+# off (sending a racy C-d would still trigger a panic but we don't care)
+echo o >/proc/sysrq-trigger
+exec cat >/dev/null
diff --git a/debian/tests/utils/mkinitramfs b/debian/tests/utils/mkinitramfs
new file mode 100755
index 0000000..6bc70f4
--- /dev/null
+++ b/debian/tests/utils/mkinitramfs
@@ -0,0 +1,159 @@
+#!/bin/sh
+
+# Generate an initramfs image, much like mkinitramfs(8) but simpler
+#
+# Copyright © 2021-2022 Guilhem Moulin <guilhem@debian.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set -eu
+PATH="/usr/sbin:/usr/bin:/sbin:/bin"
+export PATH
+
+unset DEBUG
+EXTRACT_DIR="$1"
+KERNEL_VERSION="$2"
+INITRD="$3"
+
+UTILS="$(dirname -- "$0")"
+DESTDIR="$(mktemp --directory -- "$INITRD.XXXXXXXXXX")"
+trap "rm -r${DEBUG:+v}f -- \"$DESTDIR\"" EXIT INT TERM
+
+# from /usr/sbin/mkinitramfs: create usr-merged filesystem layout, to
+# avoid duplicates if the host filesystem is usr-merged
+for d in /bin /lib* /sbin; do
+ [ -d "$d" ] || continue
+ mkdir -p "$DESTDIR/usr$d"
+ ln -sT "usr$d" "$DESTDIR$d"
+done
+
+install -m0755 "$UTILS/init" "$DESTDIR/init"
+install -m0755 "$UTILS/debootstrap" "$DESTDIR/debootstrap"
+cat >"$DESTDIR/init.conf" <<- EOF
+ HOSTNAME="$TESTNAME"
+ export HOSTNAME
+ PACKAGES="$PACKAGES"
+ BOOT="$BOOT"
+ CONSOLE="$CONSOLE"
+ ARCH="$ARCH"
+ MERGED_USR="$MERGED_USR"
+EOF
+
+for p in setup preinst postinst bottom; do
+ # setup: sourced after creating the BIOS or EFI boot partition
+ # preinst: run in chroot after debootstrap, but before installing extra packages
+ # postinst: optionally run in chroot after installing extra packages
+ # bottom: last thing to run before shutdown
+ if [ -f "$TESTDIR/$TESTNAME.d/$p" ]; then
+ install -m0755 "$TESTDIR/$TESTNAME.d/$p" "$DESTDIR/init.$p"
+ fi
+done
+
+MODULES="dm_crypt ext4 btrfs raid0 raid1"
+if [ "$BOOT" = "efi" ]; then
+ MODULES="$MODULES efivarfs nls_ascii nls_cp437 vfat"
+fi
+
+depmod -ab "$EXTRACT_DIR" "$KERNEL_VERSION"
+for kmod in virtio_console virtio_blk virtio_pci virtio_rng \
+ "$EXTRACT_DIR/lib/modules/$KERNEL_VERSION"/kernel/arch/*/crypto/*.ko* \
+ "$EXTRACT_DIR/lib/modules/$KERNEL_VERSION"/kernel/crypto/*.ko* \
+ $MODULES; do
+ kmod="${kmod##*/}"
+ modprobe -aid "$EXTRACT_DIR" -S "$KERNEL_VERSION" --show-depends "${kmod%%.*}"
+done | while read -r insmod kmod _; do
+ [ "$insmod" = "insmod" ] || continue
+ kmod_rel="${kmod#"$EXTRACT_DIR/lib/modules/$KERNEL_VERSION/"}"
+ if [ ! -f "$kmod" ] || [ "${kmod_rel#kernel/}" = "$kmod_rel" ]; then
+ echo "Error: Unexpected modprobe output: $insmod $kmod" >&2
+ exit 1
+ fi
+ mkdir -p "$DESTDIR/lib/modules/$KERNEL_VERSION/${kmod_rel%/*}"
+ ln -f${DEBUG:+v}T -- "$kmod" "$DESTDIR/lib/modules/$KERNEL_VERSION/$kmod_rel"
+done
+
+ln -t "$DESTDIR/lib/modules/$KERNEL_VERSION" -- \
+ "$EXTRACT_DIR/lib/modules/$KERNEL_VERSION/modules.order" \
+ "$EXTRACT_DIR/lib/modules/$KERNEL_VERSION/modules.builtin"
+depmod -wab "$DESTDIR" "$KERNEL_VERSION"
+
+verbose="${DEBUG-}"
+. /usr/share/initramfs-tools/hook-functions # for copy_exec()
+if [ -f "$TESTDIR/$TESTNAME.d/mkinitramfs" ]; then
+ . "$TESTDIR/$TESTNAME.d/mkinitramfs"
+fi
+
+copy_exec /bin/cp
+copy_exec /bin/rm
+copy_exec /bin/chmod
+
+copy_exec /sbin/modprobe
+copy_exec /sbin/blkid
+copy_exec /sbin/sfdisk
+copy_exec /sbin/mkswap
+copy_exec /sbin/swapon
+copy_exec /sbin/swapoff
+copy_exec /sbin/cryptsetup
+copy_exec /sbin/dmsetup
+copy_exec /usr/bin/dpkg-deb
+copy_exec /bin/tar
+
+# assume ossl-modules/legacy.so and libgcc_s.so are relative to the linked libcryptsetup.so
+libdir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libcryptsetup\.so\..*/ {s//\1/p;q}')"
+copy_exec "$libdir/ossl-modules/legacy.so" || true
+copy_libgcc "$libdir"
+
+for p in /sbin/cryptsetup /sbin/lvm /sbin/mdadm /sbin/mke2fs /sbin/mkfs.btrfs /bin/btrfs; do
+ if [ -x "$p" ]; then
+ copy_exec "$p"
+ fi
+done
+
+if [ "$BOOT" = "efi" ]; then
+ if [ ! -x "/sbin/mkfs.vfat" ]; then
+ echo "Couldn't find mkfs.vfat, is the 'dosfstools' package installed?" >&2
+ exit 1
+ fi
+ copy_exec /sbin/mkfs.vfat
+fi
+
+cp -pLt "$DESTDIR/lib" /lib/klibc-*.so
+for cmd in cat chroot ln ls mkdir mount mv sh umount uname; do
+ exe="/usr/lib/klibc/bin/$cmd"
+ if [ ! -f "$exe" ] || [ ! -x "$exe" ]; then
+ echo "No such executable: $exe" >&2
+ exit 1
+ fi
+ copy_exec "$exe" /bin
+done
+
+# copy udevd and (some of) its rules
+copy_exec /lib/systemd/systemd-udevd
+copy_exec /bin/udevadm
+
+mkdir -p -- "$DESTDIR/etc/udev" "$DESTDIR/lib/udev/rules.d"
+cat >"$DESTDIR/etc/udev/udev.conf" <<-EOF
+ udev_log=info
+ resolve_names=never
+EOF
+for rules in 50-udev-default.rules 55-dm.rules 60-block.rules \
+ 60-persistent-storage.rules 60-persistent-storage-dm.rules \
+ 63-md-raid-arrays.rules 95-dm-notify.rules; do
+ if [ -e "/lib/udev/rules.d/$rules" ]; then
+ cp -T "/lib/udev/rules.d/$rules" "$DESTDIR/lib/udev/rules.d/$rules"
+ fi
+done
+
+cd "$DESTDIR"
+find . -print0 | cpio -o0 -R 0:0 -H newc --quiet ${DEBUG:+--verbose} >"$INITRD"
diff --git a/debian/tests/utils/mock.pm b/debian/tests/utils/mock.pm
new file mode 100644
index 0000000..10db3e6
--- /dev/null
+++ b/debian/tests/utils/mock.pm
@@ -0,0 +1,347 @@
+# Mock terminal interaction on a guest system
+#
+# Copyright © 2021-2022 Guilhem Moulin <guilhem@debian.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+use v5.14.2;
+use warnings;
+use strict;
+
+our ($SERIAL, $CONSOLE, $MONITOR);
+our $PS1 = qr/root\@[\-\.0-9A-Z_a-z]+ : [~\/][\-\.\/0-9A-Z_a-z]* [\#\$]\ /aax;
+
+package CryptrootTest::Utils;
+
+use Socket qw/PF_UNIX SOCK_STREAM SOCK_CLOEXEC SOCK_NONBLOCK SHUT_RD SHUT_WR/;
+use Errno qw/EINTR ENOENT ECONNREFUSED/;
+use Time::HiRes ();
+
+my (%SOCKET, %BUFFER, $WBITS, $RBITS);
+
+BEGIN {
+ ($SERIAL, $CONSOLE, $MONITOR) = qw/ttyS0 hvc0 mon0/;
+ my $dir = $ARGV[1] =~ m#\A(/\p{Print}+)\z# ? $1 : die "Invalid base directory\n"; # untaint
+ my $epoch = Time::HiRes::time();
+ foreach my $id ($SERIAL, $CONSOLE, $MONITOR) {
+ my $path = $dir . "/" . $id;
+ my $sockaddr = Socket::pack_sockaddr_un($path) // die;
+ socket(my $socket, PF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) or die "socket: $!";
+
+ until (connect($socket, $sockaddr)) {
+ if ($! == EINTR) {
+ # try again immediatly if connect(2) was interrupted by a signal
+ } elsif (($! == ENOENT or $! == ECONNREFUSED) and Time::HiRes::time() - $epoch < 30) {
+ # wait a bit to give QEMU time to create the socket and mark it at listening
+ Time::HiRes::usleep(100_000);
+ } else {
+ die "connect($path): $!";
+ }
+ }
+
+ my $fd = fileno($socket) // die;
+ vec($WBITS, $fd, 1) = 1;
+ vec($RBITS, $fd, 1) = 1;
+ $SOCKET{$id} = $socket;
+ $BUFFER{$id} = "";
+ }
+}
+
+sub read_data($) {
+ my $bits = shift;
+ while (my ($chan, $fh) = each %SOCKET) {
+ next unless vec($bits, fileno($fh), 1); # nothing to read here
+ my $n = sysread($fh, my $buf, 4096) // die "read: $!";
+ if ($n > 0) {
+ STDOUT->printflush($buf);
+ $BUFFER{$chan} .= $buf;
+ } else {
+ #print STDERR "INFO done reading from $chan\n";
+ shutdown($fh, SHUT_RD) or die "shutdown: $!";
+ vec($RBITS, fileno($fh), 1) = 0;
+ }
+ }
+}
+
+sub expect(;$$) {
+ my ($chan, $prompt) = @_;
+
+ my $buffer = defined $chan ? \$BUFFER{$chan} : undef;
+ if (defined $buffer and $$buffer =~ $prompt) {
+ $$buffer = $' // die;
+ return %+;
+ }
+
+ while(unpack("b*", $RBITS) != 0) {
+ my $rout = $RBITS;
+ while (select($rout, undef, undef, undef) == -1) {
+ die "select: $!" unless $! == EINTR; # try again immediately if select(2) was interrupted
+ }
+ read_data($rout);
+ if (defined $buffer and $$buffer =~ $prompt) {
+ $$buffer = $' // die;
+ return %+;
+ }
+ }
+ #print STDERR "INFO done reading\n";
+}
+
+sub write_data($$%) {
+ my $chan = shift;
+ my $data = shift;
+
+ my %options = @_;
+ $options{echo} //= 1;
+ $options{eol} //= "\r";
+ $options{reol} //= "\r\n";
+ my $wdata = $data . $options{eol};
+
+ my $wfh = $SOCKET{$chan} // die;
+ my $wfd = fileno($wfh) // die;
+ vec(my $win, $wfd, 1) = 1;
+
+ for (my $offset = 0, my $length = length($wdata); $offset < $length;) {
+ my $wout = $win;
+ while (select(undef, $wout, undef, undef) == -1) {
+ die "select: $!" unless $! == EINTR; # try again immediately if select(2) was interrupted
+ }
+ if (vec($wout, $wfd, 1)) {
+ my $n = syswrite($wfh, $wdata, $length - $offset, $offset) // die "write: $!";
+ $offset += $n;
+ }
+ }
+
+ my $rdata = $options{echo} ? $data : "";
+ $rdata .= $options{reol};
+
+ if ($rdata ne "") {
+ my $buf = \$BUFFER{$chan};
+ my $rfh = $SOCKET{$chan} // die;
+ my $rfd = fileno($rfh) // die;
+ vec(my $rin, $rfd, 1) = 1;
+
+ my $rlen = length($rdata);
+ while($rlen > 0) {
+ my $rout = $rin;
+ while (select($rout, undef, undef, undef) == -1) {
+ die "select: $!" unless $! == EINTR; # try again immediately if select(2) was interrupted
+ }
+ read_data($rout);
+
+ my $got = substr($$buf, 0, $rlen);
+ my $n = length($got);
+ if ($got eq substr($rdata, -$rlen, $n)) {
+ $$buf = substr($$buf, $n); # consume the command
+ $rlen -= $n;
+ } else {
+ my $a = substr($rdata, 0, -$rlen) . substr($rdata, -$rlen, $n);
+ my $b = substr($rdata, 0, -$rlen) . $got;
+ s/[^\p{Graph} ]/"\\x".unpack("H*",$&)/ge foreach ($a, $b);
+ die "Wanted \"$a\", got \"$b\"";
+ }
+ }
+ }
+}
+
+package CryptrootTest::Mock;
+
+use Exporter qw/import/;
+BEGIN {
+ our @EXPORT = qw/
+ unlock_disk
+ login
+ shell
+ suspend
+ wakeup
+ hibernate
+ poweroff
+ expect
+ /;
+}
+
+*expect = \&CryptrootTest::Utils::expect;
+*write_data = \&CryptrootTest::Utils::write_data;
+
+sub unlock_disk($) {
+ my $passphrase = shift;
+ my %r = expect($SERIAL => qr/\A(?:.*(?:\r\n|\.\.\. ))?Please unlock disk (?<name>\p{Graph}+): \z/aams);
+ if ((my $ref = ref($passphrase)) ne "") {
+ my $name = $r{name};
+ unless (defined $name) {
+ undef $passphrase;
+ } elsif ($ref eq "CODE") {
+ $passphrase = $passphrase->($name);
+ } elsif ($ref eq "HASH") {
+ $passphrase = $passphrase->{$name};
+ } else {
+ die "Unsupported reference $ref";
+ }
+ }
+ die "Unable to unlock, aborting.\n" unless defined $passphrase;
+ write_data($SERIAL => $passphrase, echo => 0, reol => "\r");
+}
+
+sub login($;$) {
+ my ($username, $password) = @_;
+ expect($CONSOLE => qr/\r\ncryptroot-[[:alnum:]._-]+ login: \z/aams);
+ write_data($CONSOLE => $username, reol => "\r");
+
+ if (defined $password) {
+ expect($CONSOLE => qr/\A[\r\n]*Password: \z/aams);
+ write_data($CONSOLE => $username, echo => 0, reol => "\r");
+ }
+
+ # consume motd(5) or similar
+ expect($CONSOLE => qr/\r\n $PS1 \z/aamsx);
+}
+
+sub shell($%);
+sub shell($%) {
+ my $command = shift;
+ my %options = @_;
+
+ write_data($CONSOLE => $command);
+ my %r = expect($CONSOLE => qr/\A (?<out>.*) $PS1 \z/aamsx);
+ my $out = $r{out};
+
+ if (exists $options{rv}) {
+ my $rv = shell(q{echo $?});
+ unless ($rv =~ s/\r?\n\z// and $rv =~ /\A[0-9]+\z/ and $rv == $options{rv}) {
+ my @loc = caller;
+ die "ERROR: Command \`$command\` exited with status $rv != $options{rv}",
+ " at line $loc[2] in $loc[1]\n";
+ }
+ }
+ return $out;
+}
+
+# enter S3 sleep state (suspend to ram aka standby)
+sub suspend() {
+ write_data($CONSOLE => q{systemctl suspend});
+ # while the command is asynchronous the system might suspend before
+ # we have a chance to read the next $PS1
+
+ # wait for the SUSPEND event
+ QMP::wait_for_event("SUSPEND");
+
+ # double check that the guest is indeed suspended
+ my $resp = QMP::command(q{query-status});
+ die unless defined $resp->{status} and $resp->{status} eq "suspended" and
+ defined $resp->{running} and $resp->{running} == JSON::false();
+}
+
+sub wakeup() {
+ my $r = QMP::command(q{system_wakeup});
+ die if %$r;
+
+ # wait for the WAKEUP event
+ QMP::wait_for_event("WAKEUP");
+
+ # double check that the guest is indeed running
+ my $resp = QMP::command(q{query-status});
+ die unless defined $resp->{status} and $resp->{status} eq "running" and
+ defined $resp->{running} and $resp->{running} == JSON::true();
+}
+
+# enter S4 sleep state (suspend to disk aka hibernate)
+sub hibernate() {
+ # an alternative is to send {"execute":"guest-suspend-disk"} on the
+ # guest agent socket, but we don't want to require qemu-guest-agent
+ # on the guest so this will have to do
+ write_data($CONSOLE => q{systemctl hibernate});
+ # while the command is asynchronous the system might hibernate
+ # before we have a chance to read the next $PS1
+ QMP::wait_for_event("SUSPEND_DISK");
+ expect();# wait for QEMU to terminate
+}
+
+sub poweroff() {
+ # XXX would be nice to use the QEMU monitor here but the guest
+ # doesn't seem to respond to system_powerdown QMP commands
+ write_data($CONSOLE => q{poweroff});
+ # while the command is asynchronous the system might shutdown
+ # before we have a chance to read the next $PS1
+ QMP::wait_for_event("SHUTDOWN");
+ expect(); # wait for QEMU to terminate
+}
+
+
+package QMP;
+
+# QMP protocol
+# https://qemu.readthedocs.io/en/latest/interop/qemu-qmp-ref.html
+
+use JSON ();
+
+# read and decode a QMP server line
+sub getline() {
+ my %r = CryptrootTest::Utils::expect($MONITOR => qr/\A(?<str>.+?)\r\n/m);
+ my $str = $r{str} // die;
+ return JSON::->new->decode($str);
+}
+
+# send a QMP command and optional arguments
+sub command($;$) {
+ my ($command, $arguments) = @_;
+ my $cmd = { execute => $command };
+ $cmd->{arguments} = $arguments if defined $arguments;
+
+ $cmd = JSON::->new->encode($cmd);
+ STDOUT->printflush($cmd . "\n");
+ CryptrootTest::Utils::write_data($MONITOR => $cmd, eol => "\r\n", echo => 0, reol => "");
+
+ while(1) {
+ my $resp = QMP::getline() // next;
+ # ignore unsolicited server responses (such as events)
+ return $resp->{return} if exists $resp->{return};
+ }
+}
+
+# wait for the QMP greeting line
+my @CAPABILITIES;
+sub greeting() {
+ my $greeting = QMP::getline() // die;
+ $greeting = $greeting->{QMP} // die;
+ @CAPABILITIES = @{$greeting->{capabilities}} if defined $greeting->{capabilities};
+}
+
+# negotiate QMP capabilities
+sub capabilities(@) {
+ my $r = QMP::command(qmp_capabilities => {enable => \@_});
+ die if %$r;
+}
+
+BEGIN {
+ # https://gitlab.com/qemu-project/qemu/-/blob/master/docs/interop/qmp-spec.txt sec 4
+ QMP::greeting();
+ QMP::capabilities();
+}
+
+sub wait_for_event($) {
+ my $event_name = shift;
+ while(1) {
+ my $resp = QMP::getline() // next;
+ return if exists $resp->{event} and $resp->{event} eq $event_name;
+ }
+}
+
+sub quit() {
+ # don't use QMP::command() here since we might never receive a response
+ my $cmd = JSON::->new->encode({ execute => "quit" });
+ STDOUT->printflush($cmd . "\n");
+ CryptrootTest::Utils::write_data($MONITOR => $cmd, eol => "\r\n", echo => 0, reol => "");
+ CryptrootTest::Utils::expect(); # wait for QEMU to terminate
+}
+
+1;
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..abb325c
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,6 @@
+Bug-Database: https://gitlab.com/cryptsetup/cryptsetup/-/issues
+Bug-Submit: https://gitlab.com/cryptsetup/cryptsetup/-/issues/new
+Repository: https://gitlab.com/cryptsetup/cryptsetup.git
+Repository-Browse: https://gitlab.com/cryptsetup/cryptsetup
+FAQ: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions
+Security-Contact: https://gitlab.com/cryptsetup/cryptsetup/-/blob/HEAD/SECURITY.md
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..a3b5a8f
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBE94p38BEADZRET8y1gVxlfDk44/XwBbFjC7eM6EanyCuivUPMmPwYDo9qRe
+y0JdOGhWhAZeutGGxsKliozmeTL25Z6wWICu2oeY+ZfbgJQYHFeQ01NVwoYy57hh
+ytZw/6IMLFRcIaWSHd7oNdneQg6mVJcGdA/BOX68uo3RKSHj6Q8GoQ54F/NpCotz
+VcP1ORpVJ5ptyG0x6OZm5Esn61pKE979wcHsz7EzcDYl+3MS63gZm+O3D1u80bUM
+mBUlxyEiC5jo5ksTFheA8m/5CAPQtxzYvgezYlLLS3nkxaq2ERK5DhvMv0NktXSu
+tfWQsOI5WLjG7UWStwAnO2W+CVZLcnZV0K6OKDaFbCj4ovg5HV0FyQZknN2O5Qbx
+esNlNWkMOJAnnX6c/zowO7jq8GCpa3oJl3xxmwFbCZtH4z3fEVw0wAFc2JlnufR4
+dhaax9fhNoUJ4OSVTi9zqstxhEyywkazakEvAYwOlC5+1FKoc9UIvApAGvgcTJGT
+Op7MuHptHGwWvGZEaJqcsqoy7rsYPxtDQ7bJuJJblzGIUxWAl8qsUsF8M4ISxBkf
+fcUYiR0wh1luUhXFo2rRTKT+Ic/nJDE66Ee4Ecn9+BPlNODhlEG1vk62rhiYSnyz
+y5MAUhUlstDxuEjYK+NGd2aYH0VANZalqlUZFTEdOdA6NYROxkYZVsVtXQARAQAB
+tCBNaWxhbiBCcm96IDxnbWF6eWxhbmRAZ21haWwuY29tPokCPgQTAQIAKAUCT3in
+fwIbAwUJEswDAAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ2bBXe9k+mPxp
+bg//ZWDcQVNAKOWCviNnNvT315WbDrjsJ6FApF83hB52qQO9tvjb5ZY54794uwof
+idOqi0XFoLkoLyiJkkvc3Q9SnM89hyhzrxnh2ym4rUr4cL6F9e99uC656er4telM
+bg9OSPR2iNuqsAzyMhOGMEnnm97YQ2QWOnvbC8QgoQB5VvF3nZMgqTPTxctlUfc7
+t4BlGcIBLG0oINUNDf441KAXgMP05kVK0CDQd02CTPok2Qshbg6aw56eSSUTB4aq
+ZM8St1ySJ2ccMDRC9mCqcNFtuuPyAAJAJFmEvlxahd0BA0mwV3ce38JBbTqs5k0X
+2JVljHObgnfp3WDtuY8Lj0u8KvN0CAYJhRuhY40fARh8EPfkNvIx/740ueexsUBW
+3N1/lCeABaOKtu11kVUxvDxaFRQc2I5vl/sZMunSjJQQiwrWNbrwZgidwkHzvizm
+LjdgHgCJeEC+tu1qifTCOllufvXagjYmrH4hm/Qz6+91lLksrHooxp3nAcN78d5/
+E4reamx0+DleOJ2yD1UeP2wUDdB23OQU3ipVDYwIuIvDWiZSIVwXyDLhuc64ti4t
+ScUGfucEKMER1eLTJ+zILHZ9R4K7C2BhEGSAyxkeeX/Z8pLNOJ1RdU+B+ZFNXuIH
+LJbgrAiOOqr07WPbvRT1LvO/w/4m31D9Kalc4Jyqn9+pjtm5Ag0ET3infwEQAN6E
+dXyfw9xr56CJ1asnQ1PSxpzEGlUsEHvn4wcufyC8KN6VGUlR3WinlaGvOICzvYOi
+S06E6PqKDEgbbApBh2//6Ihk1OynS0y4hYepJi+pstdXoiud6NQSNQlcFjCfI8Wz
+AT3rensVLmwc3HgRW5qqt5Vc+EWdg9cylZ48QdPyo3WyOd2pyL+yqNZPjMGijE8z
+vzurwZiO9aBkJCjulqXMs1YyyIqfTxKQ1GCUQq4SoIQXjD8HvgJ7T/TpuDf9wFhe
+onGqxiJpxb02LMEdkPgugKIgG6iOFplzrsySyoiJsGa0mJ0n0O6rXQxl1mK/zdfg
+vm4CPDujbgINnIxRxPescCVYcmjM8kTlGYJuKp4GgbwbwkCISs4retaAXiP3a2f3
+eSaJc5SnWWa3JqH5ogkEWvuezjNxW5fMpBWszdQEsgnsdlK37V+aB5oWnnkZRlWk
+1YhGwL1ODz+EZzSsGlkIr7BYakK3xRYbxVfQkUr7EeqruXohSOnPAowePYAXCigC
+fWvIJMlrPLIOD2GOy9eV3UZ/JDn/7YPfFAjNb0gVdpqBCQNH/fP2ePC0FzW+3YL1
+UbR+qMAEbKbFepycg75LbC08jFuQVvauDQta4EAvBkF460PoskCzcMuREntjMxip
+B6IMSoOD74tcGYfUp6/kcgdEaqyK8214couO/u8HABEBAAGJAiUEGAECAA8FAk94
+p38CGwwFCRLMAwAACgkQ2bBXe9k+mPzIRA//bAf0Ng8dJ+IgydRtdT9X2xYKyukk
+A3HlrOImOoA4Thrv/HVe7U28AkiQt2DxOmNZYIV0BqvL+dWAD1HYCdQgsgVWVLpr
+sFfqOYHnAWKsdqyNZHtPC9J6drnwv0vcER0dtDJjMDP4MJMTa4JNjNJYb29WfbIm
+viDRtIcVujYFoZK2ZBa1Ec7yPfk4CsyE+Y3Qh9Gy8Z08NrrxIn+MVATBbocKs7j1
+JAvkFk+o1grGnw3NTXnB8gEygAKHHyUgzr5Nyn5qJ28EZr7Vc1FP2lUiKv0JBcHT
+/9vVXJ1Grd+VF2cwYftMWRKR66lTaUS2BX0ta6IQQSj8nSRsoKapRniCfTm1D4I1
+6j9bOoEfFdVsMkcrYFtfhq97qgR8gZtVCJkrX2CARZ+a1J+NP/erASd6M1A3n3aM
+F3xBFfFsotzPplmhzExCYwuOCWIBfPerUQh1MughvG/oT8ZapR6x/EVE+K90J10X
+pPi8VMi/3QRC5DpCin3Kc14WAE4uEbyUWLKb3PmfmZaS6qFaJNtf2TyZodT0ACgu
+v9Xs4el0j8FRaCqLvEZS4rKLNxb8EY3Z4LC61QfyAbg5P114muVZ4ro8dzhZ0zwk
+ZLGeEsYPsQpLo6XPT/32PP8aHn/KKX+KM7ouCEhVeWszR20BMK6sxTBR+4aNqSKC
+dgr42jrtvzRmJp4=
+=E79s
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..dabcd8b
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,6 @@
+version=4
+options="mode=git,pgpmode=gittag, \
+ uversionmangle=s/-(alpha|beta|rc)(\d*)$/~$1$2/, \
+ compression=gzip" \
+ https://gitlab.com/cryptsetup/cryptsetup.git \
+ refs/tags/v?@ANY_VERSION@