[pkg-cryptsetup-devel] Bug#1092977: debian-installer: systemd-cryptsetup package not installed on encrypted system

Cyril Brulebois kibi at debian.org
Sat May 24 16:41:42 BST 2025


Hi,

Pascal Hambourg <pascal at plouf.fr.eu.org> (2025-05-24):
> systemd-cryptsetup is included in netinst images but d-i does not
> install it. I guess Recommends: are ignored by debootstrap.

    kibi at tokyo:~/debian-installer/packages/debootstrap (master =)$ git grep Recommends
    debian/changelog:  * rules,control: adjust Recommends/Suggests to be appropriate on each
    debian/changelog:  * upgrade wget from Recommends to Depends, closes: #126799
    debian/control:Recommends: sopv | sqv | gpgv, mount, ${debootstrap:Recommends}
    debian/rules:   dh_gencontrol -- -Vdebootstrap:Recommends='$(RECOMMENDS)' -Vdebootstrap:Suggests='$(SUGGESTS)'

> > The LUKS volume containing the root filesystem is decrypted by the
> > initramfs which does not need systemd-cryptsetup.
> 
> systemd-cryptsetup is required to open encrypted volumes other than those
> which are already opened by the initramfs (/, /usr, hibernation swap). I
> believe this bug should be fixed before Trixie release so added it to the
> wiki wishlist.

Looking around, it seems we have many places using cryptsetup, very
likely via cryptsetup-udeb that's pulled by various packages:

    Reverse Depends: 
      partman-crypto-dm,cryptsetup-udeb
      cryptsetup-udeb:arm64,cryptsetup-udeb
      rescue-mode,cryptsetup-udeb

And I'm only spotting one place where cryptsetup makes its way into
/target, via partman-crypto's finish.d/crypto_aptinstall:

    if grep -q " device-mapper$" /proc/misc; then
        # We can't check the root node directly because root could be
        # on an LVM LV on top of an encrypted device
        if type dmsetup >/dev/null 2>&1 && \
    	   dmsetup table | cut -d' ' -f4 | grep -q "crypt" 2>/dev/null; then
    		apt-install cryptsetup-initramfs || true
    	fi
    fi

If we were to pull systemd-cryptsetup in the mix, should there be any
restrictions/checks before deciding to do so?

How are things between systemd-cryptsetup and cryptsetup itself? Is that
a peaceful cohabitation/cooperation, or is that going to look like some
competition, with race conditions and the like?

Looping in both maintainers for input.


Cheers,
-- 
Cyril Brulebois (kibi at debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
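
The detection used by the hook quoted above, run over constructed `dmsetup table` output. This is an added example, not part of the original message or of partman-crypto; the mapping names, sizes and helper function names are assumptions. It shows why the hook scans every mapping rather than only the root node, and adds an exact-match variant that lists the crypt mappings by name.

```shell
#!/bin/sh
# `dmsetup table` prints one line per mapping: "name: start length target args..."
# so the 4th space-separated field is the target type.

# Constructed sample: root and swap LVs on LVM, sitting on one dm-crypt mapping.
sample_table() {
    cat <<'EOF'
sda3_crypt: 0 975718400 crypt aes-xts-plain64 :64:logon:cryptsetup:CONSTRUCTED-UUID-d0 0 8:3 32768
vg0-root: 0 62914560 linear 254:0 2048
vg0-swap_1: 0 2097152 linear 254:0 62916608
EOF
}

# Same test as the hook: succeeds if any target type contains "crypt".
has_crypt_target() {
    cut -d' ' -f4 | grep -q "crypt"
}

# Stricter variant: names of mappings whose target type is exactly "crypt".
crypt_mappings() {
    awk '$4 == "crypt" { sub(/:$/, "", $1); print $1 }'
}

# Target type of a single mapping, e.g. the one holding the root filesystem.
target_of() {
    awk -v n="$1:" '$1 == n { print $4 }'
}

# The root LV alone looks unencrypted ("linear"); only the full scan
# finds the crypt layer underneath it.
echo "root target:    $(sample_table | target_of vg0-root)"
echo "crypt mappings: $(sample_table | crypt_mappings)"
```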