[pkg-cryptsetup-devel] Bug#908220: cryptsetup-initramfs: Need a clean way to force cryptsetup in initramfs

Raphaƫl Hertzog hertzog at debian.org
Fri Sep 7 14:41:26 BST 2018 

Package: cryptsetup-initramfs
Version: 2:2.0.4-2
Severity: normal
User: devel at kali.org
Usertags: origin-kali

Hello,

In Kali we build a live image and we include cryptsetup by default so that
users can easily enable encrypted persistence following our instructions:
https://docs.kali.org/downloading/kali-linux-live-usb-persistence

However that no longer works... when the live image is created, there's
no encrypted device detected and you see that in the build log:

    update-initramfs: Generating /boot/initrd.img-4.17.0-kali3-amd64
    cryptsetup: WARNING: Couldn't determine root device
    cryptsetup: ERROR: Couldn't resolve device /dev/sdb4
    cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries 
	nor crypto modules. If that's on purpose, you may want to uninstall the 
	'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs 
	integration and avoid this warning.

The only way that I found to force the inclusion of cryptsetup is by
setting CRYPTSETUP=y in /etc/cryptsetup-initramfs/conf-hook. But when you do that
you get another worrying warning:

    cryptsetup: WARNING: Honoring CRYPTSETUP=[y|n] will deprecated in the future. 
	Please uninstall the 'cryptsetup-initramfs' package if you don't want the 
	cryptsetup initramfs integration.

So what's the proper way to tell cryptsetup to put its files in the initramfs, no matter
what it detects, without generating a warning? Ideally I would like to
be able to do it by adding a supplementary file, not by modifying an existing
configuration file (as Debian policy forbids this).

Users very much dislike all those warnings and they report them to us in Kali... so
there must be a way to not get a warning. I would be more than happy if installing
cryptsetup-initramfs was sufficient. If the user doesn't want it in the initramfs, he
just removes the package.

Thank you for considering our request.

Related Kali tickets for reference:
https://bugs.kali.org/view.php?id=4945
https://bugs.kali.org/view.php?id=4719

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup-initramfs depends on:
ii  busybox                                 1:1.27.2-3
ii  cryptsetup-run                          2:2.0.4-2
ii  initramfs-tools [linux-initramfs-tool]  0.132

Versions of packages cryptsetup-initramfs recommends:
ii  console-setup  1.185
ii  kbd            2.0.4-4

cryptsetup-initramfs suggests no packages.

-- no debconf information

More information about the pkg-cryptsetup-devel mailing list