summaryrefslogtreecommitdiffstats
path: root/debian/initramfs/conf-hook
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-17 08:06:26 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-17 08:06:26 +0000
commitfd888e850cf413955483bfb993aeeea5ea611289 (patch)
tree6148fed3d1f30272c48403f4cdefa59c2b7e1513 /debian/initramfs/conf-hook
parentAdding upstream version 2:2.6.1. (diff)
downloadcryptsetup-debian.tar.xz
cryptsetup-debian.zip
Adding debian version 2:2.6.1-4~deb12u2.debian/2%2.6.1-4_deb12u2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/initramfs/conf-hook')
-rw-r--r--debian/initramfs/conf-hook44
1 files changed, 44 insertions, 0 deletions
diff --git a/debian/initramfs/conf-hook b/debian/initramfs/conf-hook
new file mode 100644
index 0000000..0b4389f
--- /dev/null
+++ b/debian/initramfs/conf-hook
@@ -0,0 +1,44 @@
+#
+# Configuration file for the cryptroot initramfs hook.
+#
+
+#
+# KEYFILE_PATTERN: ...
+#
+# The value of this variable is interpreted as a shell pattern.
+# Matching key files from the crypttab(5) are included in the initramfs
+# image. The associated devices can then be unlocked without manual
+# intervention. (For instance if /etc/crypttab lists two key files
+# /etc/keys/{root,swap}.key, you can set KEYFILE_PATTERN="/etc/keys/*.key"
+# to add them to the initrd.)
+#
+# If KEYFILE_PATTERN if null or unset (default) then no key file is
+# copied to the initramfs image.
+#
+# Note that the glob(7) is not expanded for crypttab(5) entries with a
+# 'keyscript=' option. In that case, the field is not treated as a file
+# name but given as argument to the keyscript.
+#
+# WARNING:
+# * If the initramfs image is to include private key material, you'll
+# want to create it with a restrictive umask in order to keep
+# non-privileged users at bay. For instance, set UMASK=0077 in
+# /etc/initramfs-tools/initramfs.conf
+# * If you use cryptsetup-suspend, private key material inside the
+# initramfs will be in memory during suspend period, defeating the
+# purpose of cryptsetup-suspend.
+#
+
+#KEYFILE_PATTERN=
+
+#
+# ASKPASS: [ y | n ]
+#
+# Whether to include the askpass binary to the initramfs image. askpass
+# is required for interactive passphrase prompts, and ASKPASS=y (the
+# default) is implied when the hook detects that same device needs to be
+# unlocked interactively (i.e., not via keyfile nor keyscript) at
+# initramfs stage. Setting ASKPASS=n also skips `cryptroot-unlock`
+# inclusion as it requires the askpass executable.
+
+#ASKPASS=y