Change log for cryptsetup package in Debian
| 1 → 75 of 143 results | First • Previous • Next • Last |
cryptsetup (2:2.7.2-2) unstable; urgency=medium
* Update standards version to 4.7.0, no changes needed.
* d/crontrol: cryptsetup-initramfs: Add Breaks: libcryptsetup12 (<<
2:2.7.2-1) since the hook assumes libcryptsetup.so.12 is not linked with
libargon2.so. (Closes: #1068849)
* d/t/utils/mkinitramfs: Remove obsolete copy_libgcc() call.
-- Guilhem Moulin <email address hidden> Mon, 15 Apr 2024 00:51:12 +0200
cryptsetup (2:2.7.2-1) unstable; urgency=medium
* New bugfix upstream release.
+ Fix various issues with OPAL devices.
* Use OpenSSL's own argon2 implementation rather than libargon2. This drops
libargon2 from (Build-)Depends and bumps the minimum required OpenSSL
version to 3.2.
* d/control: cryptsetup Depends: Bump minimum cryptsetup-bin version to
2:2.7.2-1 as the wrapper no longer contain workarounds for libargon2 and
libgcc_s.
* d/copyright: Update licensing information to reflect upstream's
relicensing of its FAQ and an older miscellaneous script.
-- Guilhem Moulin <email address hidden> Tue, 09 Apr 2024 15:18:49 +0200
cryptsetup (2:2.7.1-1) unstable; urgency=medium
* New bugfix upstream release.
[ Guilhem Moulin ]
* d/functions: get_mnt_devno(): Speed up execution time on large
/proc/mounts.
* d/t/cryptroot-*: Fix DEP-8 tests when the kernel .deb installs modules in
/usr/lib/modules not /lib/modules, such as
linux-image-6.6.15-686-pae_6.6.15-2_i386.deb.
* d/cryptsetup.lintian-overrides: Remove unused overrides.
[ Helmut Grohne ]
* /lib/cryptsetup/askpass: Coordinated move to /usr for DEP17
(Closes: #1060270)
-- Guilhem Moulin <email address hidden> Sat, 09 Mar 2024 23:05:42 +0100
| Deleted in experimental-release (Reason: None provided.) |
cryptsetup (2:2.7.1-1+exp) experimental; urgency=medium * New bugfix upstream release. -- Guilhem Moulin <email address hidden> Thu, 07 Mar 2024 17:47:40 +0100
| Superseded in experimental-release |
cryptsetup (2:2.7.0-1+exp2) experimental; urgency=medium
* d/functions: get_mnt_devno(): Speed up execution time on large
/proc/mounts.
* d/t/cryptroot-*: Fix DEP-8 tests when the kernel .deb installs modules in
/usr/lib/modules not /lib/modules, such as
linux-image-6.6.15-686-pae_6.6.15-2_i386.deb.
* d/control: Adjust versioned cryptsetup-nuke-password Conflicts from
<4+nmu2~ to <5~.
-- Guilhem Moulin <email address hidden> Sun, 03 Mar 2024 23:53:40 +0100
cryptsetup (2:2.7.0-1) unstable; urgency=medium
* Upload to unstable.
* Revert "d/gbp.conf: Set ‘debian-branch = debian/experimental’."
* Revert "Use OpenSSL's own argon2 implementation" (since sid doesn't have
OpenSSL 3.2 yet).
* Revert "d/control: cryptsetup Depends: Bump minimum cryptsetup-bin version
to 2.7~."
* Revert "d/cryptsetup.lintian-overrides: Ignore ‘conflicts-with-version
cryptsetup-nuke-password’."
* Revert "d/cryptsetup.lintian-overrides: Remove unused overrides."
* Revert "/lib/cryptsetup/askpass: coordinated move to /usr for DEP17"
-- Guilhem Moulin <email address hidden> Mon, 26 Feb 2024 12:50:46 +0100
| Superseded in experimental-release |
cryptsetup (2:2.7.0-1+exp) experimental; urgency=medium
* New upstream release.
[ Guilhem Moulin ]
* d/control: cryptsetup Depends: Bump minimum cryptsetup-bin version to 2.7~.
* d/control: Build-Depends: Replace pkg-config with pkgconf.
* d/cryptsetup-suspend.lintian-overrides: Remove alien tag.
* d/cryptsetup.lintian-overrides: Remove unused overrides.
* d/cryptsetup.lintian-overrides: Add override ‘conflicts-with-version
cryptsetup-nuke-password’.
* d/t/cryptroot-*: Fix DEP-8 tests with QEMU 8.2.
[ Helmut Grohne ]
* /lib/cryptsetup/askpass: coordinated move to /usr for DEP17.
(Closes: #1060270)
-- Guilhem Moulin <email address hidden> Mon, 26 Feb 2024 11:57:19 +0100
| Published in bookworm-release |
cryptsetup (2:2.6.1-4~deb12u2) bookworm; urgency=medium
[ Michael Biebl ]
* cryptsetup-suspend-wrapper: Don't error out on missing
/lib/systemd/system-sleep directory as systemd 254.1-3 and later no longer
ship empty directories. (Closes: #1050606)
[ Kevin Locke ]
* cryptsetup-initramfs: Add support for compressed kernel modules, which is
the default as linux-image 6.6.4-1~exp1. (Closes: #1036049, #1057441)
[ Guilhem Moulin ]
* add_modules(): Change suffix drop logic to match initramfs-tools.
* Fix DEP-8 tests with kernels shipping compressed modules.
* d/salsa-ci.yml: Set RELEASE=bookworm.
-- Guilhem Moulin <email address hidden> Mon, 18 Dec 2023 03:41:04 +0100
| Superseded in experimental-release |
cryptsetup (2:2.7.0~rc1-1) experimental; urgency=medium
* New upstream release candidate.
* d/gbp.conf: Set ‘debian-branch = debian/experimental’.
* Add new DEP-8 test to check crypto backend flags. (And whether system
libargon2 is used.)
* OpenSSL's own argon2 implementation rather than libargon2. This requires
OpenSSL 3.2 or later.
-- Guilhem Moulin <email address hidden> Wed, 20 Dec 2023 18:28:36 +0100
| Superseded in experimental-release |
cryptsetup (2:2.7.0~rc0-2) experimental; urgency=medium Rebuild for experimental. -- Guilhem Moulin <email address hidden> Tue, 05 Dec 2023 21:11:42 +0100
cryptsetup (2:2.6.1-6) unstable; urgency=medium
[ Kevin Locke ]
* cryptsetup-initramfs: Add support from compressed kernel modules.
(Closes: #1036049, #1057441)
[ Guilhem Moulin ]
* d/tests: Replace `passwd --delete` with `busybox passwd -d`.
* add_modules(): Change suffix drop logic to match initramfs-tools.
* Fix DEP-8 tests with kernels shipping compressed modules.
-- Guilhem Moulin <email address hidden> Tue, 05 Dec 2023 17:48:58 +0100
| Superseded in experimental-release |
cryptsetup (2:2.7.0~rc0-1) experimental; urgency=medium
* New upstream release candidate 2.7.0:
+ Add support for (opt-in) hardware OPAL disk encryption.
+ plain mode: Set default cipher to aes-xts-plain64 and password hashing
to sha256. This is a backward incompatible change for plain mode when
relying on the defaults. It doesn't affect LUKS volumes. Defaults for
plain mode should not be relied upon anyway; for many releases the
Debian wrappers found in the ‘cryptsetup’ binary package spew a loud
warning when ‘cipher=’ or ‘hash=’ are not explicitly specified in the
crypttab(5) options of plain devices. The cryptsetup(8) executable now
issue such a warning as well.
+ Allow activation (open), luksResume, and luksAddKey to use the volume
key stored in a keyring.
+ Allow one to store volume key to a user-specified keyring in open and
luksResume commands.
* Update d/libcryptsetup12.symbols.
* Remove d/patches applied upstream.
* Update debian/* to reflect current cipher and hash for plain mode.
* d/tests: Replace `passwd --delete` with `busybox passwd -d`.
-- Guilhem Moulin <email address hidden> Wed, 29 Nov 2023 17:19:10 +0100
cryptsetup (2:2.6.1-5) unstable; urgency=medium
[ Guilhem Moulin ]
* d/control: Drop cryptsetup-run transitional binary package.
(Closes: #1038285)
[ Michael Biebl ]
* cryptsetup-suspend-wrapper: Don't error out on missing
/lib/systemd/system-sleep directory, which was removed from the systemd
package. (Closes: #1050606)
-- Guilhem Moulin <email address hidden> Sun, 27 Aug 2023 12:24:57 +0200
| Superseded in bookworm-release |
cryptsetup (2:2.6.1-4~deb12u1) bookworm; urgency=medium * Rebuild for Bookworm. -- Guilhem Moulin <email address hidden> Fri, 21 Apr 2023 00:54:29 +0200
cryptsetup (2:2.6.1-4) unstable; urgency=medium
* Backport upstream MR !498, see #1028250:
+ 7893c33d: Check for physical memory available also in PBKDF benchmark.
+ 6721d3a8: Use only half of detected free memory on systems without swap.
-- Guilhem Moulin <email address hidden> Thu, 20 Apr 2023 23:46:08 +0200
cryptsetup (2:2.6.1-3) unstable; urgency=medium
[ Guilhem Moulin ]
* initramfs hook: Fix copy_libgcc_argon2() on non merged-/usr systems.
(Closes: #1032518)
* Backport upstream MR !490, see #1028250:
+ 27f8e5c0: Try to avoid OOM killer on low-memory systems without swap
+ 899bad8c: Print warning when keyslot requires more memory than available
* d/t/initramfs-hook: Pass `-xdev` to `find "$INITRD_DIR"` in order to solve
a race condition in that autopkgtest.
[ Remus-Gabriel Chelu ]
* Add Romanian debconf templates translation. (Closes: #1031497)
-- Guilhem Moulin <email address hidden> Mon, 13 Mar 2023 23:43:50 +0100
cryptsetup (2:2.6.1-2) unstable; urgency=medium
* initramfs hook: Explicitly call copy_libgcc(). The recent libargon2-1
upgrade is built with glibc ≥2.34 hence no longer links libpthread. This
in turns means that initramfs-tool's copy_exec() is no longer able to
detect pthread_*() need and thus doesn't copy libgcc_s.so anymore. So we
need to do it manually instead. Closes: #1032221
-- Guilhem Moulin <email address hidden> Thu, 02 Mar 2023 05:01:53 +0100
cryptsetup (2:2.6.1-1) unstable; urgency=medium
* New upstream bugfix release.
* d/README.Debian: Explicitly set cswap1's device type to 'plain'.
(Closes: #1025136)
* d/control: Update standards version to 4.6.2, no changes needed.
* d/clean: Add some gitignore(5)'d files. (Closes: #1026838)
* cryptgnupg-sc hook: Look terminfo file in /usr/share/terminfo in adition
to /lib/terminfo, see #1028202. (Closes: 1028234)
* d/copyright: Bump copyright years.
-- Guilhem Moulin <email address hidden> Fri, 10 Feb 2023 00:50:42 +0100
cryptsetup (2:2.6.0-2) unstable; urgency=low
* libcryptsetup-dev: Add 'Depends: libargon2-dev, libblkid-dev,
libdevmapper-dev, libjson-c-dev, libssl-dev, uuid-dev' to account for
libcryptsetup.pc's Requires.private. Closes: #1025054.
-- Guilhem Moulin <email address hidden> Tue, 29 Nov 2022 15:42:25 +0100
cryptsetup (2:2.6.0-1) unstable; urgency=low * New upstream release 2.6.0. -- Guilhem Moulin <email address hidden> Tue, 29 Nov 2022 01:20:38 +0100
| Deleted in experimental-release (Reason: None provided.) |
cryptsetup (2:2.6.0~rc0-1) experimental; urgency=medium
* New upstream release candidate 2.6.0, introducing support for handling
macOS FileVault2 devices (FVAULT2). The new version of FileVault based on
the APFS filesystem used in recent macOS versions is currently not
supported: only the (legacy) FileVault2 format based on Core Storage and
HFS+ filesystem (introduced in MacOS X 10.7 Lion) is supported. Moreover
header formatting and changes are not supported; cryptsetup never changes
the metadata on the device.
* Update d/copyright for 2:2.6.0~rc0-1.
* Ship cryptsetup-fvault2Dump(8) and cryptsetup-fvault2Open(8) to
cryptsetup-bin binary package.
* Update d/libcryptsetup12.symbols for 2:2.6.0~rc0-1.
* Add 'fvault2' flag to crypttab(5) to force detection of Apple's FileVault2
volumes.
* d/rules: Add new target execute_before_dh_auto_test so blhc ignores
compilations of tests/*.c.
* d/u/metadata: Set 'Security-Contact' upstream metadata field.
-- Guilhem Moulin <email address hidden> Sat, 19 Nov 2022 17:30:40 +0100
cryptsetup (2:2.5.0-6) unstable; urgency=medium
* d/t/cryptroot-*: Mask systemd-firstboot.service.
* d/t/cryptroot-*: Use camel case for apt.conf(5) settings.
* d/t/cryptroot-*: _apt(): Sort apt.conf(5) settings.
* d/t/cryptroot-*: Honor apt_preferences(5) settings under autopkgtest.
* d/t/cryptroot-*: init: bind mount temporary filesystems to fix
autopkgtests with systemd 252. (Closes: #1022970)
-- Guilhem Moulin <email address hidden> Fri, 28 Oct 2022 19:30:14 +0200
cryptsetup (2:2.5.0-5) unstable; urgency=medium
* d/t/cryptroot-*: Bump setup timeout to 3600s so autopkgtests don't fail on
debci runners lacking KVM support.
-- Guilhem Moulin <email address hidden> Tue, 04 Oct 2022 20:01:50 +0200
cryptsetup (2:2.5.0-4) unstable; urgency=medium
* suspend.conf: Improve description and typofix.
* d/t/cryptroot-*: Fix race condition between creating new partition and
using them.
* d/t/cryptroot-*: Fail the test after a reasonable timeout.
(Closes: #1020714)
* d/t/cryptroot-*: setup_apt(): Add 'Identifier: Packages' to `apt-get
indextargets` filter.
* cryptsetup-suspend-wrapper: Explicitly disable udev support when resuming.
(Closes: #1020553)
* d/t/cryptroot-*: Pin versions for all packages in PKGS_EXTRA that are part
of src:cryptsetup.
-- Guilhem Moulin <email address hidden> Tue, 04 Oct 2022 01:14:30 +0200
cryptsetup (2:2.5.0-3) unstable; urgency=low
* d/t/cryptroot-*: Disable VGA card on the guest.
* d/t/cryptroot-*: Communicate with guests on /dev/hvc0 and remove
console=hvc0 from the kernel command line to get a noise-free channel.
* d/t/cryptroot-*: poweroff(): Use poweroff(8) not `echo o
>/proc/sysrq-trigger`.
* d/t/cryptroot-*: hibernate(): Use systemctl(1) not `echo disk
>/sys/power/state`.
* d/t/cryptroot-*: Use a separate logfile for each communication channel.
* Refactor d/t/utils/mock.pm and add QMP support; this adds 'Depends:
libjson-perl' to cryptroot-* autopkgtests.
* d/t/cryptroot-*: Use the QMP "quit" command to destroy guests early.
* d/t/cryptroot-*: Start getty on /dev/hvc0 only (not /dev/ttyS0) in
non-interactive mode.
* d/t/cryptroot-*: Remove console=tty0 from the kernel command line.
* d/t/cryptroot-*: Mask all timer units to avoid cluttering test
environments with background jobs.
* d/t/cryptroot-lvm: Also test cryptsetup-suspend (enter to and resume from
S3 state).
* d/t/cryptroot-*: Simplify login prompt regex.
* d/t/cryptroot-*: Use $' when consuming input buffers.
* Salsa CI: Include recipes/debian.yml.
* Salsa CI: Remove redundant variable RELEASE=unstable.
* Salsa CI: Re-enable autopkgtest job with partial coverage.
* cryptsetup-suspend-wrapper: Improve quoting.
* cryptsetup-suspend-wrapper: Use crypttab_find_entry()'s return status.
* d/copyright: Improve wording.
* d/copyright: Fix license for d/scripts/suspend/cryptsetup-suspend.c .
* Add license headers for d/scripts/suspend/*.
* Relicense own code from GPLv2+ to GPLv3+.
* cryptsetup-suspend-wrapper: Don't bindmount temporary filesystems.
* cryptsetup-suspend-wrapper: Improve $INITRAMFS_DIR detection and cleanup.
* cryptsetup-suspend-wrapper: Improve TODO comment.
* d/t/cryptroot-*: Add a network device in interactive mode.
* d/t/cryptroot-lvm: Test I/O on the root FS after wakeup to make sure the
device is not suspended.
* cryptsetup-suspend-wrapper: Harden chroot environment: mount ramfs
read-only and with the 'nodev' option, make it unbindable, and use a
restrictive root mode.
* initramfs hook: Remove duplicate unmangling.
* initramfs hook: populate_CRYPTO_HASHES(): Add missing call to
crypttab_parse_options().
* d/functions: crypttab_parse_options(): Always reset $CRYPTTAB_TYPE.
* cryptsetup-suspend-wrapper: Ignore $KEEP_INITRAMFS if a newer initrd is
detected.
* d/functions: resume_device(): Fix resuming by keyscript.
* d/functions: Refactor resume_device() and freeze_cgroups().
* cryptsetup-suspend-wrapper: Don't copy /lib/firmware if it already exists
in the initrd.
* cryptsetup-suspend-wrapper: Don't treat udevd specially as luksResume now
appears to work when udevd is still frozen.
* cryptsetup-suspend-wrapper: Populate ACTIVE_DEVICES via callback.
* cryptsetup-suspend-wrapper: Use FD3 to list remaining devices.
* d/t/utils/debootstrap: Strip colon and suffix from package (Pre-)Depends.
* d/t/utils/debootstrap: Remove obsolete comment and Pre-Depends.
* d/t/cryptroot-*: Manually create merged-/usr layout and install
usr-is-merged.
-- Guilhem Moulin <email address hidden> Sun, 18 Sep 2022 23:01:46 +0200
cryptsetup (2:2.5.0-2) unstable; urgency=low
[ Matthias Klose ]
* Add support for 'noudeb' build profile. (Closes: #983318)
[ Christoph Anton Mitterer ]
* initramfs hook: align busybox check on klibc-utils's hook.
[ Benjamin Drung ]
* initramfs hook: Fix broken compatibility with OpenSSL3 when cryptsetup
needs legacy hashes (currently ripemd160 and whirlpool). (LP: #1979159)
[ Guilhem Moulin ]
* New DEP-8 test for crude checks of the initramfs hook.
* Minor changes to the legacy.so inclusion logic.
* DEP-8: Add checks for OpenSSL's legacy.so inclusion.
* d/rules: Inspect DEB_BUILD_* with $(filter ,) not $(findstring ,).
* initramfs boot script: Remove custom LVM handling. Since 2.03.15-1 lvm2
doesn't ship an initramfs boot script anymore and relies solely on udev
rules instead. We therefore don't have to manually activate LVs/VGs
anymore, but cryptsetup-initramfs now conflicts with earlier lvm2
versions. (Closes: #928943)
* Override lintian tag 'conflicts-with-version' given the above.
* initramfs hook: Don't overwrite crypttab(5) source to /dev/mapper/$NAME
for mapped devices. (Closes: #1016455)
* initramfs hook: Preserve crypttab source specifications and devices
starting with /dev/disk/by- or /dev/mapper/.
* d/README.initramfs: Improve section about cryptopts= kernel parameter.
* d/Debian.README: Mention that systemd masks /etc/init.d/cryptdisks.
* Rename systemd_cryptsetup-suspend.conf to systemd/cryptsetup-suspend.conf.
* cryptsetup-suspend-wrapper: Fix grep calls in some corner cases such as
template cgroups.
* cryptsetup-suspend-wrapper: Avoid double slash in cgroup paths.
* cryptsetup-suspend-wrapper: Consolidate style.
(Closes: #1010708)
* d/t/cryptroot-*: Relax the kernel.deb regex to account for release
candidates.
* d/t/cryptroot-*: Add more partition type GUIDs.
* d/t/cryptroot-*: Improve sources.list(5) generation.
* d/t/cryptroot-*: Make APT repository Origin and URI configurable.
* d/t/cryptroot-*: Start udevd before setting up the guest.
* d/t/cryptroot-*: Use a separate /run partition when bootstrapping.
* Run `chmod +x d/t/cryptdisks d/t/utils/init` for consistency.
* d/t/cryptroot-*.d/config: Remove 'cryptsetup' from PKGS_EXTRA as it's only
needed for cryptroot-sysvinit.
* d/t/cryptroot-sysvinit: Rename 'rootfs.key' keyfile to 'homefs.key' which
better describes the purpose of the keyfile.
* d/t/cryptroot-*: Replace /target with '$ROOT'.
* d/t/cryptroot-*: Rename 'testvg' Volume Group to 'cryptvg'.
* d/t/cryptroot-*: Add note about testing cryptsetup-suspend.
* d/t: Add convenience wrapper script for local cryptroot-* test runs.
* New DEP-8 test for LVM-on-MD-on-LUKS2 layout backed by 4 independently
encrypted partitions (all unlocked at initramfs stage).
* New DEP-8 test for a complex nested block device stack.
* Salsa CI: Disable autopkgtest job for now.
-- Guilhem Moulin <email address hidden> Tue, 09 Aug 2022 01:40:50 +0200
cryptsetup (2:2.5.0-1) unstable; urgency=medium * d/copyright: Fix licence for tokens/ssh/cryptsetup-ssh.c. * Remove patches applied upstream. * Rename 'ssh-plugin-test' to 'ssh-test-plugin'. * Add DEP-8 tests for cryptroot unlocking at early boot stage. -- Guilhem Moulin <email address hidden> Fri, 29 Jul 2022 16:31:23 +0200
| Deleted in experimental-release (Reason: None provided.) |
cryptsetup (2:2.5.0~rc1-3) experimental; urgency=medium
* DEP-8: Add 'Features: test-name=' in order to name inline tests.
* d/t/control: Add 'Restrictions: rw-build-tree' to upstream-testsuite.
* d/control: Remove cryptsetup-reencrypt from cryptsetup-bin package
description since the utility was removed upstream in v2.5.0-rc1.
* d/changelog: Retroactively correct 2:2.4.0~rc0-1+exp1 entry.
* Update d/patches with what's landed upstream since v2.5.0-rc1.
* d/patches, d/rules: Pass $(LDFLAGS) when building fake_token_path.so and
no longer silence blhc(1) for test files.
* Move SSH token plugin stuff into new binary package 'cryptsetup-ssh'.
That plugin is arguably not useful for everyone and we can save the
'Depends: libssh-4' on cryptsetup-bin by moving cryptsetup-ssh(8) and
libcryptsetup-token-ssh.so to a separate package. Since LUKS2 SSH token
support was added after the Bullseye release, and since it is still in
experimental stage, we don't let cryptsetup-bin or cryptsetup depend on
the new binary package. Users who need that feature will need to install
it manually.
-- Guilhem Moulin <email address hidden> Thu, 21 Jul 2022 20:41:20 +0200
| Superseded in experimental-release |
cryptsetup (2:2.5.0~rc1-2) experimental; urgency=medium
* localtest: Treat skipped tests as failure for full coverage.
* d/watch: Add uversionmangle option for release candidates.
* unit-wipe-test: Skip DIO tests when the file system doesn't support
O_DIRECT. This is needed on the buildds where the source tree appears to
be on a tmpfs.
-- Guilhem Moulin <email address hidden> Fri, 15 Jul 2022 20:49:13 +0200
| Superseded in experimental-release |
cryptsetup (2:2.5.0~rc1-1) experimental; urgency=low
* New upstream release candidate 2.5.0. Highlights include:
+ Remove cryptsetup-reencrypt(8) executable, use `cryptsetup reencrypt`
instead (for both LUKS1 and LUKS2).
+ Split manual pages into per-action pages, for instance cryptsetup-open.8
which can be consulted with `man cryptsetup open`.
+ Add LUKS2 encryption removal support with `cryptsetup reencrypt
--decrypt`.
+ Preserve unknown metadata option (features implemented in more recent
cryptsetup releases) during reencryption.
* Salsa CI's deploy stage: Use a Bullseye image.
* Salsa CI's deploy stage: Use apt-get(8) not apt(8).
* Salsa CI's deploy stage: Replace `cp` with `install`.
* Salsa CI's reprotest job: Remove '--no-diffoscope' flag.
* Salsa CI's reprotest job: Update reason for running under 'nocheck' build
profile.
* d/README.source: Update text to reflect current practices.
* DEP-8: Run installed binaries and libraries through the full upstream test
suite (needs machine-level isolation).
* Retroactivately add NEWS.Debian for #949336.
* d/t/control: Add 'Depends: xxd' for 'Tests: cryptdisks' stanza.
* foreach_cryptdev(): Process each device *after* its slaves.
* do_stop(): Remove device holders beforehand. (Closes: #1006802)
* Fix space damage.
* d/u/metadata: Add FAQ URL.
* Refresh lintian overrides to accommodate lintian v2.115.
* d/control: New Build-Depends: asciidoctor (unless under 'nodoc' build
profile).
* d/cryptsetup.docs: Fix FAQ filename.
* Move usr/share/man/*/* glob to debian/*.manpages where it belongs.
* Update d/libcryptsetup12.symbols.
* Bump Standards-Version to 4.6.1 (no changes needed).
* Update d/copyright.
-- Guilhem Moulin <email address hidden> Fri, 15 Jul 2022 01:49:59 +0200
| Published in bullseye-release |
cryptsetup (2:2.3.7-1+deb11u1) bullseye-security; urgency=high
* New upstream security/bugfix release, with fixes for:
+ CVE-2021-4122: decryption through LUKS2 reencryption crash recovery.
(Closes: #1003686)
+ Key truncation for standalone dm-integrity devices using HMAC integrity
protection. (Closes: #949336)
* Update d/gbp.conf and d/salsa-ci.yml to use d/bullseye branch.
-- Guilhem Moulin <email address hidden> Tue, 01 Feb 2022 15:36:35 +0100
cryptsetup (2:2.4.3-1) unstable; urgency=high
[ Guilhem Moulin ]
* New upstream security release 2.4.3, with fix for CVE-2021-4122:
decryption through LUKS2 reencryption crash recovery. (Closes: #1003685,
#1003686)
* Remove cryptsetup-initramfs.preinst. (Closes: #1001063)
[ Christoph Anton Mitterer ]
* d/rules: don't expand here-document.
-- Guilhem Moulin <email address hidden> Thu, 13 Jan 2022 19:07:05 +0100
cryptsetup (2:2.4.2-1) unstable; urgency=high
* New upstream bugfix release 2.4.2.
* d/control: Replace Build-Depends on removed package libsepol1-dev with
libsepol-dev. (Closes: #999815)
* blkid/un_blkid checks: Ignore large offsets when converting from sectors
to bytes.
* crypttab(5): Formatting fix.
* Refresh d/copyright.
* Refresh lintian overrides to accommodate lintian v2.112.
-- Guilhem Moulin <email address hidden> Thu, 18 Nov 2021 17:15:08 +0100
cryptsetup (2:2.4.1-1) unstable; urgency=medium
[ Guilhem Moulin ]
* New upstream bugfix release 2.4.1.
* d/rules:
+ Use execute_after_dh_* from Debhelper compatibility level 13 when
relevant.
+ Skip documentation generation under nodoc profile.
+ Add new target execute_before_dh_auto_test so blhc ignores compilations
of tests/*.c.
* d/cryptsetup-initramfs.lintian-overrides: Refresh for lintian 2.107.0.
* crypttab(5):
+ Improve documentation about escape sequences.
+ Document that keyscript= can also take an absolute path.
(Closes: #994219)
+ Document that keyscript's exit status is ignored.
+ Various typo fixes and manpages improvements.
* initramfs: Add new hook configuration option ASKPASS=[Yn] to opt out from
askpass inclusion. (Closes: #994486)
* d/cryptsetup-initramfs.post*: Replace `which` with `command -v`.
* Merge debian/experimental branch and bring cryptsetup-suspend to sid.
* d/bash_completion: s/mawk/awk/. We're only using the POSIX subset so any
implementation should work. (Closes: #993374)
* Add DEP-8 tests for cryptdisks_start and cryptdisks_stop covering most of
d/functions and d/cryptdisks-functions. The testbed requires
'isolation-machine' restriction since we need to load kernel modules and
create loop devices.
* d/gbp.conf, d/watch: Explicitly use gzip compression.
[ Christoph Anton Mitterer ]
* d/functions: Export _CRYPTTAB_* to the keyscript's environment.
[ Lukas Schwaighofer ]
* initramfs: Honor activation/auto_activation_volume_list setting.
(Closes: #993725)
[ Thorsten Glaser ]
* blkid/un_blkid checks: Honor offset= option. (Closes: #994056)
-- Guilhem Moulin <email address hidden> Fri, 08 Oct 2021 14:27:03 +0200
| Deleted in experimental-release (Reason: None provided.) |
cryptsetup (2:2.4.0-1+exp1) experimental; urgency=medium
* Upload to experimental.
* d/rules: Prefix /lib/systemd/system-shutdown/cryptsetup-suspend.shutdown
with /usr to fix FTBS with debhelper 13.4; see #992469.
-- Guilhem Moulin <email address hidden> Thu, 19 Aug 2021 22:55:02 +0200
cryptsetup (2:2.4.0-1) unstable; urgency=low
[ Guilhem Moulin ]
* New upstream release.
* Salsa CI: Set SALSA_CI_BLHC_ARGS to avoid failing when *test* files are
built without the "right" LDFLAGS.
* Remove obsolete upstart configuration files on upgrade and purge.
(Closes: #990490)
* d/*.{pre,post}*: Explicitly exit with status code 0.
* d/copyright: Set field Upstream-Name.
* d/control: Bump Standards-Version to 4.5.1 (no changes necessary).
* d/control: Remove cryptsetup-run from cryptsetup's Recommends.
(Closes: #987769)
* d/control: Demote cryptsetup-initramfs from cryptsetup's Recommends to
Suggests. This concludes the package split started in 2:2.0.3-1 during
the Buster release cycle.
[ Ayla Ounce ]
* Add support for --perf_* flags to initramfs.
-- Guilhem Moulin <email address hidden> Thu, 19 Aug 2021 03:11:11 +0200
| Deleted in experimental-release (Reason: None provided.) |
cryptsetup (2:2.4.0~rc1-1+exp1) experimental; urgency=medium * New upstream release candidate. * d/copyright: update file. * d/cryptsetup.docs: Add upstream's README.md. * d/TODO.md: Remove implemented `luksSuspend` integration. -- Guilhem Moulin <email address hidden> Fri, 30 Jul 2021 02:37:32 +0200
| Superseded in experimental-release |
cryptsetup (2:2.4.0~rc0-1+exp1) experimental; urgency=medium
* New upstream release candidate 2.4.0. Highlights include:
+ Support for external libraries (plugins) for handling LUKS2 token
objects.
+ Experimental SSH token handler and cryptsetup-ssh(8) utility (both
shipped in the 'cryptsetup' binary package) as a demonstration of the
external LUKS2 token interface. This adds libssh-dev to build-depends.
+ Change default LUKS2 PBKDF to Argon2id from Argon2i.
+ Increase minimal memory cost for Argon2 benchmark to 64MiB (suggested
value in Argon2 RFC).
+ Autodetect optimal encryption sector size on LUKS2 format.
+ integritysetup: add integrity-recalculate-reset flag.
+ cryptsetup: retains keyslot number in luksChangeKey for LUKS2.
+ Add close --deferred and --cancel-deferred options.
-- Guilhem Moulin <email address hidden> Tue, 06 Jul 2021 10:18:17 +0200
| Superseded in experimental-release |
cryptsetup (2:2.3.6-1+exp1) experimental; urgency=medium * New upstream bugfix release. (Closes: #949336) -- Guilhem Moulin <email address hidden> Fri, 28 May 2021 22:54:20 +0200
cryptsetup (2:2.3.5-1) unstable; urgency=medium
* New upstream bugfix release. (Closes: #985581)
* d/watch: Monitor upstream tags rather than tarballs.
* d/gbp.conf: Set 'upstream-vcs-tag' to add upstream tag as additional
parent.
* Simplify d/README.source in accordance with the above.
* Rename d/upstream-signing-key.asc to d/upstream/signing-key.asc as uscan
is now able to verify git tags.
* encrypted-boot.md: Clarify how to solve double password prompt for the
device holding /boot.
* d/copyright: Update copyright year.
-- Guilhem Moulin <email address hidden> Fri, 02 Apr 2021 23:43:41 +0200
| Superseded in experimental-release |
cryptsetup (2:2.3.5-1+exp1) experimental; urgency=medium * Upload to experimental. -- Guilhem Moulin <email address hidden> Thu, 11 Mar 2021 23:36:01 +0100
cryptsetup (2:2.3.4-2) unstable; urgency=medium
[ Guilhem Moulin ]
* d/control: Remove Build-Depends: dh-exec. In compatibility level 13
Debhelper supports variable expansion, which was why we used dh-exec in
the first place.
* libcryptsetup-dev: Install libcryptsetup.so to /lib/$DEB_HOST_MULTIARCH
not /usr/lib/$DEB_HOST_MULTIARCH (closes: #978585), and override
subsequent lintian warning per #843932.
* d/*.install: Replace wildcard with $DEB_HOST_MULTIARCH for consistency.
* d/cryptsetup.lintian-overrides: Rename "init.d-script-does-not-implement-
optional-option $FOO status" tags to "init.d-script-does-not-implement-
status-option $FOO".
* Bump Standards-Version to 4.5.1 (no changes necessary).
* d/cryptdisks-functions: Rename left-over loop_cryptdevs() to
foreach_cryptdev(). Regression from 2:2.3.0-1. (Closes: #974591)
* Initramfs boot script: Drop `lvm vgchange`'s --ignoreskippedcluster flag
which is now a no-op.
* Make d/cryptsetup-initramfs.preinst mangling idempotent.
* Rename Debian resp. upstream branch to debian/latest resp. upstream/latest
for DEP-14 compliance.
* Rename d/gitlab-ci.yml to d/salsa-ci.yml.
* Consolidate d/gbp.conf.
* cryptsetup-initramfs now requires initramfs-tools 0.137 or later and no
longer copies libgcc_s.so.1 to the initrd since recent initramfs-tools
take care of it.
* Add libcryptsetup.la to debian/not-installed.
[ Guilherme G. Piccoli ]
* Initramfs boot script: Fix a deadlock when cryptroot would wait at
local-top stage for a device to appear, while the device would only be
created at local-block stage. This can be the case in dm-crypt-over-MD
scenario when booting the RAID array in degraded mode. (Closes: #933059)
[ Felix C. Stegerman ]
* Fix typo in README.gnupg-sc
-- Guilhem Moulin <email address hidden> Thu, 14 Jan 2021 19:16:40 +0100
| Superseded in experimental-release |
cryptsetup (2:2.3.4-2+exp1) experimental; urgency=medium * Upload to experimental. -- Guilhem Moulin <email address hidden> Thu, 14 Jan 2021 19:55:25 +0100
cryptsetup (2:2.3.4-1) unstable; urgency=high
* New upstream bugfix release, including fix for CVE-2020-14382:
possible out-of-bounds memory write while validating LUKS2 data
segments metadata on 32-bits platforms. (Closes: #969471)
-- Guilhem Moulin <email address hidden> Fri, 04 Sep 2020 00:30:40 +0200
| Superseded in experimental-release |
cryptsetup (2:2.3.4-1+exp1) experimental; urgency=medium * Upload to experimental. -- Guilhem Moulin <email address hidden> Fri, 04 Sep 2020 00:55:41 +0200
| Superseded in experimental-release |
cryptsetup (2:2.3.3-3+exp3) experimental; urgency=medium
* d/control: Make cryptsetup-suspend explicitly depend on
initramfs-tools-core as we use unmkinitramfs(8) in the wrapper.
* systemd-suspend.service override: Set OOMScoreAdjust to -1000 to
disable OOM killing of processes of the unit. Thanks, ಚಿರಾಗ್.
(Closes: #968569)
* d/doc/cryptsetup-suspend.xml: Document that key material included in the
initramfs image will remain unencrypted (see #969286).
-- Guilhem Moulin <email address hidden> Mon, 31 Aug 2020 00:09:10 +0200
| Superseded in experimental-release |
cryptsetup (2:2.3.3-3+exp2) experimental; urgency=medium
* d/control: Typofix in cryptsetup-suspend's long description.
(Closes: #968455)
* d/control: Make cryptsetup-suspend explicitly depend on kbd as we use
openvt(1) in the systemd-suspend.service override. (Closes: #969226)
* d/*: Run wrap-and-sort(1).
* d/scripts/suspend/cryptsetup-suspend-wrapper:
+ Parse /proc/meminfo in a single pass using shell builtins rather than
calling awk(1).
+ Use "/boot/initrd.img-$(uname -r)" as path to the initrd instead of
deriving it from the kernel command line. BOOT_IMAGE's value is
relative to the boot's loader viewpoint, which might differ from that of
the main system.
+ run_dir(): Prefer find(1)'s -execdir option over -exec.
+ Conditionally remove/copy firware into the initramfs image.
(Closes: #969270)
* d/rules: Build our scripts with `-Wall -Werror`.
* d/cryptsetup-suspend.{postinst,postrm}: Call `systemctl daemon-reload`,
which appears to be needed on upgrades. (dh_installsystemd(1) doesn't
support overrides so we manually copy snippet it would add.)
-- Guilhem Moulin <email address hidden> Sun, 30 Aug 2020 18:01:49 +0200
| Superseded in experimental-release |
cryptsetup (2:2.3.3-3+exp1) experimental; urgency=medium
* Add new binary package 'crypsetup-suspend', which implements support
to luksSuspend LUKS devices before ACPI S3 system suspend.
+ See the cryptsetup-suspend(7) manpage for further information.
-- Jonas Meurer <email address hidden> Wed, 12 Aug 2020 21:29:31 +0200
cryptsetup (2:2.3.3-2) unstable; urgency=medium
[ Helmut Grohne ]
* d/control: Annotate Build-Depends with <!nocheck>. (Closes: #964092)
[ Guilhem Moulin ]
* d/rules: Build with `--with-tmpfilesdir` to force installing
usr/lib/tmpfiles.d/cryptsetup.conf instead of picking the source from
scripts/cryptsetup.conf. This fixes FTBS in environments containing
systemd. (Closes: #968250)
* Add 'bitlk' flag in crypttab(5) to force detection of Windows BitLocker
volumes. (Closes: #967853)
-- Guilhem Moulin <email address hidden> Wed, 12 Aug 2020 00:22:59 +0200
cryptsetup (2:2.3.3-1) unstable; urgency=medium
[ Guilhem Moulin ]
* New upstream bugfix release.
* d/scripts/decrypt_derived: Remove useless call to `| tr -d '\n'`.
* d/control: Bump debhelper compatibility level to 13. Remove
debian/tmp/lib/$DEB_HOST_MULTIARCH/libcryptsetup.la as we don't install it
anywhere.
[ Rob Pilling ]
* d/scripts/decrypt_derived:
+ move an error message to standard error so it's not accidentally used as
a key
+ exit with a success code when successful
-- Guilhem Moulin <email address hidden> Thu, 04 Jun 2020 01:41:44 +0200
cryptsetup (2:2.3.2-1) unstable; urgency=medium
* New upstream release.
* debian/control: Set 'Rules-Requires-Root: no'.
* d/initramfs/hooks/cryptroot: Unconditionally copy 'ecb' kernel module
when the host CPU lacks AES-NI support. On such systems XTS needs ECB.
This is a work around for #883595 on kernels 4.10 and later.
(Closes: #901884)
-- Guilhem Moulin <email address hidden> Wed, 06 May 2020 16:22:01 +0200
cryptsetup (2:2.3.1-1) unstable; urgency=medium * New upstream release. * d/initramfs/hooks/cryptroot: Don't set unused variable LIBC_DIR. -- Guilhem Moulin <email address hidden> Tue, 24 Mar 2020 02:07:07 +0100
cryptsetup (2:2.3.0-1) unstable; urgency=low
* New upstream release, introducing support for BitLocker-compatible
devices (BITLK format) used in Windows systems.
WARNING: crypttab(5) support for these devices is currently *experimental*
and requires blkid from util-linux >=2.33 (i.e., Buster or later). These
devices currently have no keyword to use in the 4th field (unlike 'luks'
or 'plain'), the device type is inferred from the signature instead.
* crypttab(5): Make the 4th field (options) optional so we don't have to
introduce a new keyword for each new device type. (That field is also
optional in the systemd implementation.) Other fields (dm target name,
source device, and key file) remain required.
* Install cryptdisks_{start,stop} bash completion scripts to the right
path/name so they are loaded automatically. This was no longer the case
since 2:1.7.0-1. (Closes: #949623)
* d/*.install: Replace tabs with spaces.
* d/cryptdisks-functions: Fix broken $FORCE_START handling. Since
2:2.0.3-2 the SysV init scripts' "force-start" option was no longer
overriding noauto/noearly. (Closes: #933142)
* Move some functions to d/function from the initramfs hook.
* SysV init scripts: skip devices holding the root FS and/or /usr during the
shutdown phase; these file systems are still mounted at this point so any
attempt to gracefully close the underlying device(s) is bound to fail.
(Closes: #916649, #918008)
* Bump Standards-Version to 4.5.0 (no changes necessary).
-- Guilhem Moulin <email address hidden> Wed, 04 Mar 2020 00:48:19 +0100
cryptsetup (2:2.2.2-3) unstable; urgency=high
* initramfs hook: Workaround fix for the libgcc_s's source location.
(Closes: #950628, #939766.) See #950254 for the proper fix.
-- Guilhem Moulin <email address hidden> Tue, 04 Feb 2020 14:11:12 +0100
cryptsetup (2:2.2.2-2) unstable; urgency=medium
[ Guilhem Moulin ]
* d/initramfs/hooks/cryptroot: On initramfs images built with MODULES=dep,
include the IV generator found in the cipher specification when there is a
matching kernel module. On 5.4 kernels ESSIV isn't implemented in
dm_crypt anymore, but by a dedicated 'essiv' module which thus needs to be
available in order to unlock dm-crypt target using 'aes-cbc-essiv:sha256'.
Closes: #948593.
[ Debian Janitor ]
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
Repository-Browse.
-- Guilhem Moulin <email address hidden> Sat, 18 Jan 2020 20:53:19 +0100
cryptsetup (2:2.2.2-1) unstable; urgency=medium
* New upstream bugfix release.
* debian/control:
+ Add 'procps' to the Build-Depends since the upstream test suite uses
free(1).
+ Bump Standards-Version to 4.4.1 (no changes necessary).
-- Guilhem Moulin <email address hidden> Fri, 01 Nov 2019 19:32:36 +0100
| Published in buster-release |
cryptsetup (2:2.1.0-5+deb10u2) buster; urgency=medium
* Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702)
-- Guilhem Moulin <email address hidden> Mon, 26 Aug 2019 14:54:10 +0200
cryptsetup (2:2.2.1-1) unstable; urgency=medium * New upstream bugfix release. * Remove d/patches, applied upstream. -- Guilhem Moulin <email address hidden> Fri, 06 Sep 2019 13:28:55 +0200
cryptsetup (2:2.2.0-3) unstable; urgency=medium
* Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702)
-- Guilhem Moulin <email address hidden> Mon, 26 Aug 2019 12:53:45 +0200
cryptsetup (2:2.2.0-2) unstable; urgency=medium
* debian/control: Add 'Multi-Arch: foreign' tag to the transitional dummy
package 'crytsetup-run'.
* debian/control, debian/combat: Bump debhelper compatibility level to 12.
* debian/rules: Remove dh_makeshlibs(1) override; debhelper 12.3's auto
detection feature subsumes our use of --add-udeb=. This fixes FTBFS with
debhelper 12.5.
-- Guilhem Moulin <email address hidden> Wed, 21 Aug 2019 22:45:12 +0200
cryptsetup (2:2.2.0-1) unstable; urgency=medium
* New upstream release 2.2.0. Highlights include:
+ New LUKS2 online reencryption extension, allowing reencryption of
mounted LUKS2 devices.
+ Optional global serialization lock for memory hard PBKDF, to workaround
situations when multiple devices are unlocked in parallel, possibly
exhausting memory and triggering the OOM killer. (Cf. #924560.)
+ Add integritysetup support for bitmap mode (Linux >=5.2).
+ Reduce keyslots area size in luksFormat when the header device is too
small.
* Remove d/patches, applied upstream.
-- Guilhem Moulin <email address hidden> Thu, 15 Aug 2019 09:31:55 +0200
cryptsetup (2:2.1.0-8) unstable; urgency=medium
* encrypted-boot.md:
+ Clarify partition layout.
+ encrypted-boot.md: New section 'Using a custom keyboard layout'.
* d/gbp.conf: New section [export-orig] mirroring [buildpackage].
* d/gitlab-ci.yml: Add 'publish' stage and make yamllint(1) happy.
* d/patches: Backport upstream commit c03e3fe8 so libcryptsetup's
crypt_keyslot_add_by_volume_key() also works a on LUKS2 header where all
bound key slots were deleted, like it does for LUKS1. (Closes: #934715)
-- Guilhem Moulin <email address hidden> Wed, 14 Aug 2019 16:34:23 +0200
| Deleted in experimental-release (Reason: None provided.) |
cryptsetup (2:2.2.0~rc1-2) experimental; urgency=low
* Rebase changes from 2:2.1.0-6 and 2:2.1.0-7 to enable smooth upgrade path
from sid to experimental. (Closes: #933487)
* debian/*: Remove compatibility warnings regarding setting 'CRYPTSETUP' in
the initramfs hook configuration. The variable is no longer honored, and
cryptsetup is always integrated to the initramfs when the
'cryptsetup-initramfs' package is installed.
* debian/cryptsetup.NEWS: Mention the 'cryptsetup' and 'cryptsetup-run'
package swap.
* debian/control:
+ Swap 'cryptsetup' and 'cryptsetup-run' packages: the former now contains
init scripts, libraries, keyscripts, etc. while the latter is now a
transitional dummy package.
+ Remove obsolete cryptsetup.maintscript.
+ Bump Standards-Version to 4.4.0 (no changes necessary).
+ Add 'cryptsetup-initramfs' to 'cryptsetup's Recommends:, so upgrading
systems pull it automatically on upgrade. (cryptsetup <2:2.1.0-6 was a
dummy transitional package depending on cryptsetup-run and
cryptsetup-initramfs.) Thanks to David Prévot for the precious help!
Closes: #932643.
+ Add 'cryptsetup-run' to 'cryptsetup's Recommends. This avoids it being
removed by `apt upgrade --autoremove` from <2:2.1.0-6, thus avoids the
old cryptsetup-run's prerm script showing a scary (but moot) warning.
After upgrading the prerm script is gone and the package can be removed
without troubles, so we can get rid of it after Bullseye.
(Closes: #932625.)
* debian/initramfs/conf-hook: Clarify that KEYFILE_PATTERN isn't expanded
for crypttab(5) entries with a 'keyscript=' option. (Closes: #930696)
* debian/doc/crypttab.xml: Point to README.initramfs in the "See Also"
section. (Closes: #913233)
* cryptsetup-initramfs: Add loud warning upon "prerm remove" if there are
mapped crypt devices (like for cryptsetup.prerm).
-- Guilhem Moulin <email address hidden> Wed, 31 Jul 2019 20:52:24 +0200
cryptsetup (2:2.1.0-7) unstable; urgency=low
* debian/cryptsetup.NEWS: Mention the 'cryptsetup' and 'cryptsetup-run'
package swap.
* debian/control: Add 'cryptsetup-initramfs' to 'cryptsetup's Recommends:,
so upgrading systems pull it automatically on upgrade. (cryptsetup
<2:2.1.0-6 was a dummy transitional package depending on cryptsetup-run
and cryptsetup-initramfs.) Closes: #932643.
* debian/control: Add 'cryptsetup-run' to 'cryptsetup's Recommends. This
avoids it being removed by `apt upgrade --autoremove` from <2:2.1.0-6,
thus avoids the old cryptsetup-run's prerm script showing a scary (but
moot) warning. After upgrading the prerm script is gone and the package
can be removed without troubles, so we can get rid of it after Bullseye.
(Closes: #932625.)
* cryptsetup-initramfs: Add loud warning upon "prerm remove" if there are
mapped crypt devices (like for cryptsetup.prerm).
-- Guilhem Moulin <email address hidden> Sun, 21 Jul 2019 21:21:10 -0300
cryptsetup (2:2.1.0-6) unstable; urgency=low
* debian/control:
+ Add 'Multi-Arch: foreign' tags to 'cryptsetup-bin' and 'crytsetup-run',
as binaries from these packages are architecture independent.
(Closes: #930115)
+ Add 'Build-Depends: jq, xxd' as the jq(1) and xxd(1) executables are
required for some upstream tests (skipped if the executables are not
found in $PATH).
+ Swap 'cryptsetup' and 'cryptsetup-run' packages: the former now contains
init scripts, libraries, keyscripts, etc. while the latter is now a
transitional dummy package.
+ Remove obsolete cryptsetup.maintscript.
+ Bump Standards-Version to 4.4.0 (no changes necessary).
* debian/*:
+ Fix path names for /usr/share/doc/cryptsetup*/**. (Closes: #904916).
+ Remove compatibility warnings regarding setting 'CRYPTSETUP' in
the initramfs hook configuration. The variable is no longer honored,
and cryptsetup is always integrated to the initramfs when the
'cryptsetup-initramfs' package is installed.
* debian/doc/pandoc/encrypted-boot.md: Minor refactoring.
* debian/gitlab-ci.yml: Adapt pandoc flags to Debian 9 (pass '-S').
* debian/initramfs/conf-hook: Clarify that KEYFILE_PATTERN isn't expanded
for crypttab(5) entries with a 'keyscript=' option. (Closes: #930696)
* debian/doc/crypttab.xml: Point to README.initramfs in the "See Also"
section. (Closes: #913233)
-- Guilhem Moulin <email address hidden> Sat, 20 Jul 2019 22:15:04 -0300
| Superseded in experimental-release |
cryptsetup (2:2.2.0~rc1-1) experimental; urgency=low
* New /testing/ upstream release 2.2.0 RC0. Highlights include:
+ New LUKS2 online reencryption extension, allowing reencryption of
mounted LUKS2 devices.
+ Optional global serialization lock for memory hard PBKDF, to workaround
situations when multiple devices are unlocked in parallel, possibly
exhausting memory and triggering the OOM killer. (Cf. #924560.)
+ Add integritysetup support for bitmap mode (Linux >=5.2).
* debian/control:
+ Add 'Multi-Arch: foreign' tags to 'cryptsetup-bin' and 'crytsetup-run',
as binaries from these packages are architecture independent.
(Closes: #930115)
+ Add 'Build-Depends: jq, xxd' as the jq(1) and xxd(1) executables are
required for some upstream tests (skipped if the executables are not
found in $PATH).
* debian/*: Fix path names for /usr/share/doc/cryptsetup*/**.
(Closes: #904916).
* debian/doc/pandoc/encrypted-boot.md: Minor refactoring.
* debian/gitlab-ci.yml: Adapt pandoc flags to Debian 9 (pass '-S').
-- Guilhem Moulin <email address hidden> Sun, 16 Jun 2019 00:55:18 +0200
cryptsetup (2:2.1.0-5) unstable; urgency=medium
[ Jonas Meurer ]
* debian/README.*: Fix markdown formatting issues
* Copy https://wiki.debian.org/CryptsetupDebug to debian/README.debug
[ Guilhem Moulin ]
* d/README.Debian: New section "Unlocking LUKS devices from GRUB" pointing
to https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html .
-- Guilhem Moulin <email address hidden> Mon, 10 Jun 2019 14:51:15 +0200
cryptsetup (2:2.1.0-4) unstable; urgency=medium
[Guilhem Moulin]
* d/initramfs/hooks/cryptroot: Always add userspace crypto module
('algif_skcipher' kernel module) to the initramfs. This module is
required for required for opening LUKS2 devices, and since 2:2.0.2-2 it's
added to large initramfs (i.e., when the MODULES variable isn't set to
"dep"). It's now added regardless of the value of $MODULES, as 1/ LUKS2
is the default LUKS header format version; and 2/ we can't check at
initramfs creation time whether there are LUKS2 devices to be opened at
early boot stage (detached headers might not be present then).
Closes: #929616.
[Jonathan Dowland]
* Update package descriptions to reflect the move of luksformat from
cryptsetup-bin to cryptsetup-run. Closes: #928751.
-- Guilhem Moulin <email address hidden> Tue, 28 May 2019 17:04:16 +0200
| Superseded in experimental-release |
cryptsetup (2:2.2.0~rc0-1) experimental; urgency=low
* New /testing/ upstream release 2.2.0 RC0. Highlights include:
- New LUKS2 online reencryption extension, allowing reencryption of
mounted LUKS2 devices.
- Optional global serialization lock for memory hard PBKDF, to workaround
situations when multiple devices are unlocked in parallel, possibly
exhausting memory and triggering the OOM killer. (Cf. #924560.)
-- Guilhem Moulin <email address hidden> Mon, 06 May 2019 12:02:54 +0200
cryptsetup (2:2.1.0-3) unstable; urgency=medium
* d/scripts/decrypt_opensc: Fix standard output poisoning. Thanks to Nils
Mueller for the report and patch. (Closes: #926573.)
* d/initramfs/hooks/cryptopensc: Ensure that libpcsclite.so is copied to the
initramfs on non-usrmerge systems. (Closes: #928263.)
-- Guilhem Moulin <email address hidden> Tue, 30 Apr 2019 21:20:47 +0200
cryptsetup (2:2.1.0-2) unstable; urgency=medium
* debian/copyright:
+ Update copyright years.
+ Add OpenSSL linking exception, in accordance with upstream's "COPYING"
and "COPYING.LGPL" files. Since 2:2.1.0-1 the cryptsetup binaries and
library are linked against libssl, which is the new upstream default
backend for LUKS header processing.
* debian/askpass.c: in the console backend, clear stdin's end-of-file
indicator before calling getline() again. Thanks to Ken Milmore for the
detailed report and patch. (Closes: #921906.)
-- Guilhem Moulin <email address hidden> Thu, 28 Feb 2019 22:32:43 +0100
cryptsetup (2:2.1.0-1) unstable; urgency=medium
* New upstream release. Highlights include:
- The on-disk LUKS format version now defaults to LUKS2 (use `luksFormat
--type luks1` to use LUKS1 format). Closes: #919725.
- The cryptographic backend used for LUKS header processing is now libssl
instead of libgcrypt.
- LUKS' default key size is now 512 in XTS mode, half of which is used for
block encryption. XTS mode uses two internal keys, hence the previous
default key size (256) caused AES-128 to be used for block encryption,
while users were expecting AES-256.
[ Guilhem Moulin ]
* Add docs/Keyring.txt and docs/LUKS2-locking.txt to
/usr/share/doc/cryptsetup-run.
* debian/README.Debian: Mention that for non-persistent encrypted swap one
should also disable the resume device.
* debian/README.initramfs: Mention that keyscript=decrypt_derived normally
won't work with LUKS2 sources. (The volume key of LUKS2 devices is by
default offloaded to the kernel keyring service, hence not readable by
userspace.) Since 2:2.0.3-5 the keyscript loudly fails on such sources.
* decrypt_keyctl keyscript: Always use our askpass binary for password
prompt (fail instead of falling back to using stty or `read -s` if askpass
is not available). askpass and decrypt_keyctl are both shipped in our
'cryptsetup-run' and 'cryptsetup-udeb' binary packages, and the cryptsetup
and askpass binaries are added together to the initramfs image.
* decrypt_keyctl: Document the identifier used in the user keyring:
"cryptsetup:$CRYPTTAB_KEY", or merely "cryptsetup" if "$CRYPTTAB_KEY" is
empty or "none". The latter improves compatibility with gdm and
systemd-ask-password(1).
* debian/*: run wrap-and-sort(1).
* debian/doc/crypttab.xml: mention `cryptsetup refresh` and the `--persistent`
option flag.
* debian/control: Bump Standards-Version to 4.3.0 (no changes necessary).
[ Jonas Meurer ]
* Update docs about 'discard' option: Mention in manpage, that it's enabled
per default by Debian Installer. Give advice to add it to new devices in
/etc/crypttab and add it to crypttab example entries in the docs.
-- Guilhem Moulin <email address hidden> Sat, 09 Feb 2019 00:40:17 +0100
cryptsetup (2:2.0.6-1) unstable; urgency=medium
* New upstream bugfix release. Highlights include:
- Fix support of larger metadata areas in LUKS2 header.
- Fix checking of device size alignment and hash & AEAD algorithms to
avoid formatting devices that later cannot be activated.
- Fix cryptsetup-reencrypt interrupt handling.
- Allow Adiantum cipher construction (require Linux 4.21 or later).
-- Guilhem Moulin <email address hidden> Mon, 03 Dec 2018 20:16:07 +0100
cryptsetup (2:2.0.5-2) unstable; urgency=medium
* debian/initramfs/hooks/*: Skip call to copy_file() when the target already
exists (as the function return value 1 in the case).
* OpenPGP Smartcard support, based on work by Peter Lebbing and Erik
Nellessen. (Closes: #888916, #903163.)
* Move header presence check to crypttab_parse_options() from
unlock_mapping(). Having the presence checks in unlock_mapping() caused
dummy password prompts in interactive mode when the LUKS header file was
missing. Regression since 2:2.0.3-2. (Closes: #914458.)
-- Guilhem Moulin <email address hidden> Sat, 24 Nov 2018 18:34:42 +0100
cryptsetup (2:2.0.5-1) unstable; urgency=medium
* New upstream release.
* Remove d/patches/Disable-blockwise-compat-test-as-it-s-FS-dependent.patch
as the test suite no longer fails on misaligned I/O in O_DIRECT mode.
(Cf. upstream issue #403.)
-- Guilhem Moulin <email address hidden> Mon, 29 Oct 2018 12:21:00 +0100
| 1 → 75 of 143 results | First • Previous • Next • Last |
