author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
commit | fd888e850cf413955483bfb993aeeea5ea611289 (patch) | |
tree | 6148fed3d1f30272c48403f4cdefa59c2b7e1513 /debian/initramfs/conf-hook | |
parent | Adding upstream version 2:2.6.1. (diff) | |
Adding debian version 2:2.6.1-4~deb12u2.
debian/2%2.6.1-4_deb12u2 debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/initramfs/conf-hook')
-rw-r--r-- | debian/initramfs/conf-hook | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/debian/initramfs/conf-hook b/debian/initramfs/conf-hook new file mode 100644 index 0000000..0b4389f --- /dev/null +++ b/debian/initramfs/conf-hook @@ -0,0 +1,44 @@ +# +# Configuration file for the cryptroot initramfs hook. +# + +# +# KEYFILE_PATTERN: ... +# +# The value of this variable is interpreted as a shell pattern. +# Matching key files from the crypttab(5) are included in the initramfs +# image. The associated devices can then be unlocked without manual +# intervention. (For instance if /etc/crypttab lists two key files +# /etc/keys/{root,swap}.key, you can set KEYFILE_PATTERN="/etc/keys/*.key" +# to add them to the initrd.) +# +# If KEYFILE_PATTERN if null or unset (default) then no key file is +# copied to the initramfs image. +# +# Note that the glob(7) is not expanded for crypttab(5) entries with a +# 'keyscript=' option. In that case, the field is not treated as a file +# name but given as argument to the keyscript. +# +# WARNING: +# * If the initramfs image is to include private key material, you'll +# want to create it with a restrictive umask in order to keep +# non-privileged users at bay. For instance, set UMASK=0077 in +# /etc/initramfs-tools/initramfs.conf +# * If you use cryptsetup-suspend, private key material inside the +# initramfs will be in memory during suspend period, defeating the +# purpose of cryptsetup-suspend. +# + +#KEYFILE_PATTERN= + +# +# ASKPASS: [ y | n ] +# +# Whether to include the askpass binary to the initramfs image. askpass +# is required for interactive passphrase prompts, and ASKPASS=y (the +# default) is implied when the hook detects that same device needs to be +# unlocked interactively (i.e., not via keyfile nor keyscript) at +# initramfs stage. Setting ASKPASS=n also skips `cryptroot-unlock` +# inclusion as it requires the askpass executable. + +#ASKPASS=y |
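Review bot: Two comment typos change the meaning of the documentation in this new file. In the KEYFILE_PATTERN block, "If KEYFILE_PATTERN if null or unset" should read "is null or unset". In the ASKPASS block, "detects that same device needs to be unlocked interactively" reads like a typo for "some device". Separately, the WARNING bullet about key material only says "you'll want to" use a restrictive umask. Because the `#KEYFILE_PATTERN=` line sits directly below it, I would word that bullet as a requirement: setting KEYFILE_PATTERN should go together with UMASK=0077 in /etc/initramfs-tools/initramfs.conf, so that an image holding key files is not readable by non-privileged users.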