[pkg-cryptsetup-devel] Bug#839994: Bug#839994: Newest version prevent boot of full encrypted disk
Klaus Ethgen
Klaus at Ethgen.de
Fri Oct 7 10:10:08 UTC 2016
Hi Guilhem,
On Fri, 7 Oct 2016 at 10:43, Guilhem Moulin wrote:
> On Fri, 07 Oct 2016 at 10:20:08 +0100, Klaus Ethgen wrote:
> > However, it was not that easy to create the initramfs as the "most"
> > setting for MODULES do not include cryptsetup stuff and "dep" setting
> > does not work in a chroot.
>
> Do you have CRYPTSETUP set in your /etc/initramfs-tools/initramfs.conf?
Ehem, no. The file has the following settings:
MODULES=most
BUSYBOX=y
KEYMAP=n
COMPRESS=gzip
DEVICE=
NFSROOT=auto
There is no mention of a "CRYPTSETUP" setting.
However, the "MODULES=most" setting gets overwritten in
/etc/initramfs-tools/conf.d/driver-policy to the value "dep".
> This is an undocumented way of forcing cryptsetup initramfs integration.
> As of 2:1.7.2-1, the hook script configuration variables are to be set in
> /etc/crytsetup-initramfs/conf-hook, cf. the following changelog entry
>
> * Use /etc/crytsetup-initramfs/conf-hook for initramfs hook script
> configuration. For backward compatibility setting CRYPTSETUP and
> KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
> for now, but causes the hook to print a warning.
> This is done following the initramfs-tools maintainers' request (see
> #807527) that hook and boot script configuration files be stored outside
> the /etc/initramfs-tools directory. (Closes: #783393)
Ah, in that file (/etc/cryptsetup-initramfs/conf-hook, not
/etc/crytsetup-initramfs/conf-hook) is an (empty) setting "CRYPTSETUP=".
This file is from yesterday, and was installed today with the
upgrade.
However, that particular problem was only about including cryptsetup
out of the chroot from a recovery grml stick.
The current implementation follows some documentation I had in the
past. The main key is a file "initramfs-tools/conf.d/diskkey" with the
following content:
KEYFILE_PATTERN="/etc/security/disk.key"
export KEYFILE_PATTERN
UMASK=0077
And the crypttab entry:
_sda1 UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /etc/security/disk.key luks,discard
Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
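
A read-only check for the layout discussed in this message, added as an example (not code from the thread or from the cryptsetup package): it lists where CRYPTSETUP and KEYFILE_PATTERN are assigned, flags assignments outside /etc/cryptsetup-initramfs/conf-hook, and checks key-file permissions and the initramfs UMASK. The function names, the `--audit` switch and the root-directory argument are assumptions; `-perm /077` requires GNU find.

```shell
#!/bin/sh
# Added example, not from the thread. The root argument is an assumption: the
# mount point of the inspected system (a rescue-stick chroot target, or /).

# Print "file:line:text" for each assignment of a cryptsetup hook variable.
find_hook_settings() {
    root=${1%/}
    for f in "$root/etc/cryptsetup-initramfs/conf-hook" \
             "$root/etc/initramfs-tools/initramfs.conf" \
             "$root"/etc/initramfs-tools/conf.d/*; do
        [ -f "$f" ] || continue
        grep -HnE '^[[:space:]]*(export[[:space:]]+)?(CRYPTSETUP|KEYFILE_PATTERN)=' "$f" || :
    done
}

# Assignments that live outside conf-hook, i.e. candidates for migration.
legacy_settings() {
    find_hook_settings "$1" | grep -v '/etc/cryptsetup-initramfs/conf-hook:' || :
}

# Print key files named in crypttab (third field) that group or other can
# read, write or execute. "none", "-" and device nodes are ignored.
loose_keyfiles() {
    root=${1%/}
    [ -f "$root/etc/crypttab" ] || return 0
    awk '$1 !~ /^#/ && $3 ~ /^\// { print $3 }' "$root/etc/crypttab" |
    while read -r key; do
        find "$root$key" -maxdepth 0 -type f -perm /077 2>/dev/null || :
    done
}

# True if an initramfs-tools config file sets UMASK=0077 (or 077), so the
# generated image, which embeds the key file, is not world-readable.
umask_restricted() {
    root=${1%/}
    grep -qsE '^[[:space:]]*UMASK=0?077[[:space:]]*$' \
        "$root/etc/initramfs-tools/initramfs.conf" \
        "$root"/etc/initramfs-tools/conf.d/*
}

if [ "${1:-}" = "--audit" ]; then
    echo "hook variables:";        find_hook_settings "${2:-/}"
    echo "outside conf-hook:";     legacy_settings "${2:-/}"
    echo "loose key files:";       loose_keyfiles "${2:-/}"
    umask_restricted "${2:-/}" || echo "warning: initramfs UMASK is not 0077"
fi
```
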