Diffstat (limited to 'debian/initramfs/conf-hook')
-rw-r--r-- | debian/initramfs/conf-hook | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/debian/initramfs/conf-hook b/debian/initramfs/conf-hook
new file mode 100644
index 0000000..0b4389f
--- /dev/null
+++ b/debian/initramfs/conf-hook
@@ -0,0 +1,44 @@
+#
+# Configuration file for the cryptroot initramfs hook.
+#
+
+#
+# KEYFILE_PATTERN: ...
+#
+# The value of this variable is interpreted as a shell pattern.
+# Matching key files from the crypttab(5) are included in the initramfs
+# image. The associated devices can then be unlocked without manual
+# intervention. (For instance if /etc/crypttab lists two key files
+# /etc/keys/{root,swap}.key, you can set KEYFILE_PATTERN="/etc/keys/*.key"
+# to add them to the initrd.)
+#
+# If KEYFILE_PATTERN if null or unset (default) then no key file is
+# copied to the initramfs image.
+#
+# Note that the glob(7) is not expanded for crypttab(5) entries with a
+# 'keyscript=' option. In that case, the field is not treated as a file
+# name but given as argument to the keyscript.
+#
+# WARNING:
+# * If the initramfs image is to include private key material, you'll
+# want to create it with a restrictive umask in order to keep
+# non-privileged users at bay. For instance, set UMASK=0077 in
+# /etc/initramfs-tools/initramfs.conf
+# * If you use cryptsetup-suspend, private key material inside the
+# initramfs will be in memory during suspend period, defeating the
+# purpose of cryptsetup-suspend.
+#
+
+#KEYFILE_PATTERN=
+
+#
+# ASKPASS: [ y | n ]
+#
+# Whether to include the askpass binary to the initramfs image. askpass
+# is required for interactive passphrase prompts, and ASKPASS=y (the
+# default) is implied when the hook detects that same device needs to be
+# unlocked interactively (i.e., not via keyfile nor keyscript) at
+# initramfs stage. Setting ASKPASS=n also skips `cryptroot-unlock`
+# inclusion as it requires the askpass executable.
+
+#ASKPASS=y |
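Review bot: The WARNING block under KEYFILE_PATTERN covers the umask used when the image is built, but not where the image ends up: if the initramfs is stored on an unencrypted filesystem, the embedded key files can be read by anyone with access to the disk, regardless of file mode. I would add a bullet such as `# * Only embed key files when the initramfs image itself is stored on an encrypted device.` Images generated before UMASK was tightened presumably keep their old permissions, so the text could also tell the admin to regenerate them after changing UMASK. Two typos in the same comments: `If KEYFILE_PATTERN if null` should read `is null`, and `detects that same device` probably means `some device`.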