Change log for cryptsetup package in Debian
| 76 → 143 of 143 results | First • Previous • Next • Last |
cryptsetup (2:2.0.4-3) unstable; urgency=medium
[ Guilhem Moulin ]
* debian/initramfs/hooks/cryptroot:
+ Make _CRYPTTAB_* variables local to crypttab_find_and_print_entry().
(Closes: #907243.)
+ Silence the warning that honoring CRYPTSETUP="[y|n]" in the config is
deprecated when the variable is set to "y". (Keep the warning when it's
set to "n" though.) Closes: #908220.
* debian/functions: Make get_crypt_type() set variable CRYPTTAB_TYPE to the
type of crypt device ("luks" / "plain" / "tcrypt").
* debian/initramfs/scripts/local-top/cryptroot: Don't complain that
(successful) unlocking of a LUKS device doesn't yield a known file system.
The check is preserved for plain dm-crypt devices and tcrypt devices.
(Closes: #906283.)
* debian/control: Bump Standards-Version to 4.2.1 (no changes necessary).
* debian/doc/crypttab.xml: Improve formatting.
* debian/cryptsetup-run.lintian-overrides: Remove unused override
init.d-script-possible-missing-stop (x2).
* debian/libcryptsetup12.symbols: Add "Build-Depends-Package:
libcryptsetup-dev" field.
[ Helmut Grohne ]
* Fix FTCBFS: Supply $(CC) from dpkg's buildtools.mk. (Closes: #911042)
[ Dimitri John Ledkov ]
* Implement support for `cryptsetup --sector-size` in crypttab(5).
LP: #1776626.
-- Guilhem Moulin <email address hidden> Mon, 22 Oct 2018 17:45:35 +0200
cryptsetup (2:2.0.4-2) unstable; urgency=medium
* debian/cryptsetup-initramfs.preinst: Don't try to overwrite
/etc/cryptsetup-initramfs/conf-hook if that file doesn't exist. (The fix
for #905188 broke 2:2.0.4-1's instability on sid.) Closes: #905514.
* debian/control: Bump Standards-Version to 4.2.0 (no changes necessary).
-- Guilhem Moulin <email address hidden> Tue, 07 Aug 2018 17:25:30 +0200
cryptsetup (2:2.0.4-1) unstable; urgency=medium
* New upstream release. Add 'libblkid-dev' to Build-Depends since
libcryptsetup and utilities are now linked to libblkid.
* debian/cryptsetup-initramfs.preinst: Improve conffile ownership transfer
from 'cryptsetup' to 'cryptsetup-initramfs' to comply with Policy §10.7.3.
(Closes: #904926.)
-- Guilhem Moulin <email address hidden> Sun, 05 Aug 2018 04:59:10 +0800
cryptsetup (2:2.0.3-7) unstable; urgency=medium
* debian/scripts/gen-ssl-key: avoid storing temporary key file on disk.
* debian/initramfs/*, debian/scripts/*: improve quoting.
* debian/initramfs/cryptroot-unlock: Normalize paths before comparison.
This fixes usage on initramfs images with an usrmerge layout, such as
images made by mkinitramfs(8) from initramfs-tools-core 0.132. (Closes:
#904926.)
* debian/functions: crypttab_find_entry(), crypttab_foreach_entry(): return
gracefully if $TABFILE doesn't exist.
-- Guilhem Moulin <email address hidden> Mon, 30 Jul 2018 16:32:07 +0800
cryptsetup (2:2.0.3-6) unstable; urgency=medium
* debian/TODO.md: Remove mention of parent device detection for mdadm
(#629236) as it's fixed since 2:2.0.3-2.
* debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
fixes.
* debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
add configure flag '--disable-internal-tests'. The internal test suite is
run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
variable contains the string "nocheck".
* debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
When the 2nd column of a crypttab entry denodes a block special device,
resolve the device but don't convert it to /dev/block/$major:$minor.
(Closes: #903246.)
* debian/initramfs/hooks/cryptroot:
+ Treat null device numbers as invalid in resolve_device(), cf.
/Documentation/admin-guide/devices.txt in the kernel source tree.
+ generate_initrd_crypttab(): add '\n' to the local IFS since
get_resume_devno() prints one major:minor pair per line.
* debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
+ Save process ID of the pcscd daemon at local-top stage, and kill it at
local-bottom stage. Thanks to Pascal Vibet for the patch.
(Closes: #903574.)
+ Fix path to the pcscd executable (the fix for #880750 was incomplete).
* debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
since 2:2.0.3-2.
* debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
$CRYPTTAB_NAME not $crypttarget).
-- Guilhem Moulin <email address hidden> Fri, 13 Jul 2018 22:10:43 +0200
cryptsetup (2:2.0.3-5) unstable; urgency=medium
[ Jonas Meurer ]
* debian/askpass.c, debian/scripts/passdev.c, debian/rules:
+ Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
+ Drop c99 std, as the default is now higher than that
* debian/control:
+ Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.
[ Guilhem Moulin ]
* debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
crypttab(5).
* debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
read-only mapping. Cf. `cryptsetup --readonly`.
* debian/initramfs/hooks/cryptroot:
+ Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified
in the crypttab options. Regression since 2:2.0.3-2. (Closes: #902733.)
+ Avoid processing entries multiple times in get_crypttab_entry(), which
could happen with 'keyscript=decrypt_derived' for instance.
+ Don't complain that the sysfs dir can't be found when the hook failed to
normalize the device (another warning is shown already).
+ If source device is mapped (for instance if it's a logical volume), put
its dm name into the initrd crypttab. LVM2's local-block script doesn't
work with UUIDs, and giving it a VG+LV is better anyway as we avoid to
activate all volumes at initramfs stage. (Closes: #902943.)
* debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN if null or
unset then no key file is copied.
* debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
+ Use major:minor device IDs internally, as this facilitate discovery of
sysfs directories, and we don't have to take care of the udev mangling.
+ Decode octal sequences when reading /etc/crypttab or /etc/fstab. This
means that key files and option values can contain blanks and special
characters encoded as octal sequences.
+ Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate
code.
* debian/functions: If the key file is a symlink, warn about insecure
permissions of the target, not the link itself.
* debian/scripts/decrypt_derived: For devices with keys in the kernel
keyring (e.g., LUKS2 by default), refuse to derive anything.
* debian/patches/disable-internal-tests.patch: Add configure option
'--disable-internal-tests' to disable the internal test suite.
* debian/rules: Don't run upstream's internal test suite if
$DEB_BUILD_OPTIONS contains the string "skip-internal-tests". (Tests are
still run by default.)
* debian/cryptdisks-functions: Restore support for crypttab(5) entries with
regular files as source device. Regression since 2:2.0.3-2.
(Closes: #902879.)
* debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).
-- Guilhem Moulin <email address hidden> Sat, 07 Jul 2018 01:47:57 +0200
cryptsetup (2:2.0.3-4) unstable; urgency=low
* debian/initramfs/hooks/cryptroot:
+ Fix typo in warning message. (Closes: #901971.)
+ sysfs_devdir(): don't croak when the normalized device pathname isn't of
the form /dev/$blk. This is the case in the Debian installer, where the
devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device
instead of a symlink to /dev/dm-$index.
+ sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing the
sysfs directory corresponding to the device) rather than /sys/block/$blk.
While the latter is present for mapped devices, it's not present for
block devices corresponding to disk partitions. See sysfs(5) for
details. (Closes: #902183.)
+ get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
get the UUID of a dm-crypt device's slave (it's normal with plain
dm-crypt devices).
+ get_crypttab_entry(): don't warn that key file doesn't exist if it's
e.g., an existing character special device.
* debian/functions:unlock_mapping(): translate crypttab(5) option
'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which
doesn't set the key size but the size of the device in number of 512 byte
sectors). Regression since 2:2.0.3-2. (Closes: #902245.)
* debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count. Some
keyscripts (such as decrypt_keyctl) don't work properly if on first try
the CRYPTTAB_TRIED environment variable isn't set to 0. Regression since
2:2.0.3-2. (Closes: #902116.)
* debian/scripts/decrypt_keyctl: replace the source device path with the
mapped device name in messages, to match the new askpass behavior.
-- Guilhem Moulin <email address hidden> Sun, 24 Jun 2018 22:48:41 +0200
cryptsetup (2:2.0.3-3) unstable; urgency=low
[ Jonas Meurer ]
* debian/*: run wrap-and-sort(1)
* debian/control:
+ Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
cryptsetup-run. Needed since we moved luksformat between the
packages. (Closes: #901773)
+ Remove all traces of package 'cryptsetup-luks' from dependency
headers. This package has never been part of an official Debian
release and the time it existed is more than 12 years ago.
+ Remove Conflicts/Breaks headers from the split of cryptsetup into
cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
version is from Debian Wheezy, which means that there's three
releases in between. We don't support dist-upgrades with skipped
releases anyway.
+ Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
+ Remove versioned depends of libcryptsetup12 on libgcrypt20 and
libgpg-error0. Both versions are satisfied since more than three
releases.
+ Remove versioned build-depends on docbook-xsl, dpkg-dev,
libdevmapper-dev, libgcrypt20-dev and libtool. All versions are
satisfied since more than three releases.
* debian/*: Change maintainer contact address to @alioth-lists.debian.net.
[ Guilhem Moulin ]
* debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends
fields. (2:2.0.2-2 was never released, the version we released after the
package split was 2:2.0.3-1.)
* debian/initramfs/cryptroot-script: exit immediately when
/lib/cryptsetup/functions is not present. (Closes: #901830.)
* debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
manually excluding mapped devices using another subsystem.
* d/initramfs/hooks/cryptroot:
+ Fix parser for cipher specifications in mapping table of crypt targets.
In particular, the cipher mode wasn't parsed properly, potentially
causing missing modules in initrd.img compiled with MODULES=dep.
Regression introduced in 2:2.0.3-2. (Closes: #901884.)
+ Print a warning when the mapping table specifies the cipher in kernel
crypto API format ("capi:" prefix). We don't support these yet.
-- Guilhem Moulin <email address hidden> Wed, 20 Jun 2018 17:22:36 +0200
cryptsetup (2:2.0.3-2) unstable; urgency=medium
The "nights are long in summer" cryptsetup sprint release :-)
Guilhem and Jonas hacked together for three days (and nights), refactored
almost all of the cryptsetup packages, squashed (at least) 19 bugs and
started work on several new features. Yay!
[ Guilhem Moulin ]
* cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends:
(Closes: #901641.)
* debian/initramfs/*-hook: complete refactoring. Common functions are now in
/lib/cryptsetup/functions (source-able from shell scripts).
(Closes: #784881.)
* debian/initramfs/cryptroot-hook:
+ Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
devices such as LVM2 on top of LUKS (resp. multiple device filesystems
such as btrfs). This approach is more robust than parsing the output of
`lvs` or `btrfs filesystem`.
+ Export relevant crypttab(5) snippet (for devices that need to be
unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
+ Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
if 1/ the CRYPTSETUP configuration option is unset or null (the
default), and 2/ the hook didn't detect any device to be unlocked at
initramfs stage. The benefit is two-fold: it guides users through the
package split, and warns them that their system might not reboot if the
hook script didn't work properly.
* Remove the 'decrypt_openct' keyscript since openct was last seen in
oldoldstable, cf. #760258 (ROM).
* debian/initramfs/cryptroot-script: refactoring, using functions from
/lib/cryptsetup/functions. (Closes: #720952, #826124.)
+ One can disable the cryptsetup initramfs scripts for a particular boot
by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
+ No longer sleep for a full minute after exceeding the maximum number of
unlocking tries. (This was added in 2:1.7.3-2 as an attempt to mitigate
CVE-2016-4484.) Instead, the script sleeps for 1 second after each failed
attempt in order to defeat online brute-force attacks. (Closes: #898495.)
* debian/README.initramfs: Remove mention that the initramfs scripts and the
crypsetup binary are using a different hash algorithm for plain dm-crypt
volumes. This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317.
* debian/cryptdisks.functions:
+ Refactoring, using functions from /lib/cryptsetup/functions.
(Closes: #859953, #891219.)
+ Install to /lib/cryptsetup/cryptdisks-functions.
* crypttab(5):
+ Remove support for the 'precheck' option. The precheck for LUKS devices
is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock
non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known
filesystem (other that swap).
+ Don't ignore the 'plain' option: disable auto-detection and treat the
device as a plain dm-crypt device. (Closes: #886007.)
+ Add support for some option aliases to unify with systemd's crypttab(5)
options. Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is
an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden',
and 'tcrypt-veracrypt' is an alias for 'veracrypt'.
+ Add support for 'keyfile-size=' and 'keyfile-offset=' options.
(Closes: #849335.)
+ Source devices can now be specified using their PARTUUID or PARTLABEL,
similar to fstab(5).
* debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch
to setup readonly mappings. (Closes: #782843.)
* debian/scripts/cryptdisks_stop: Add support for closing multiple disks at
once. (Closes: #783194.)
[ Jonas Meurer ]
* debian/doc/crypttab.xml:
+ Add a section about the different crypttab formats of our package and
the systemd cryptsetup wrapper.
+ Document, which options are ignored by the initramfs scripts and which
are unsupported by the systemd implementation. (Closes: #714380)
+ Clarify documentation of option 'tries'. It also applies when using
keyscripts, not only with interactive passphrases. (Closes: #826127)
+ Make it obvious that in case a keyscript is configured, the third option
is passed as argument to the keyscript. Mention the optional requirement
to quote the value. (Closes: #826122)
+ Some minor wording improvements.
* debian/control, debian/combat: Bump debhelper compatibility level to 11.
* debian/rules:
+ Completely refactor the rules file, adapt to debhelper 11 style.
(Closes: #901713)
+ Run the upstream build-time testsuite thanks to dh_auto_test.
+ Move the luksformat script from cryptsetup-bin to cryptsetup-run.
+ Install the bug-script into all packages.
+ No longer install the sysvinit initscripts into cryptsetup-udeb.
+ Remove many old build and compile flags, debhelper takes care of most of
them nowadays.
-- Jonas Meurer <email address hidden> Mon, 18 Jun 2018 02:40:41 +0200
cryptsetup (2:2.0.3-1) unstable; urgency=medium
[ Guilhem Moulin ]
* Split cryptsetup package into cryptsetup-run (init scripts and libraries)
and cryptsetup-initramfs (initramfs integration). The 'cryptsetup'
package is now a transitional dummy package. (Closes: #783297.)
* debian/cryptsetup-run.preinst: remove logic for rm_conffile
/etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
2:1.0.6-5.
* debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments
with crypttab(5) targets that already exist, and only complete
cryptdisks_start targets with crypttab(5) targets that don't exist yet.
(Closes: #827200.)
* debian/initramfs/cryptroot-hook:
+ use copy_file() from hook-functions to copy key files to the initrd.
This ensures that relevant messages are printed in verbose mode.
(Closes: #898516.)
+ remove backward compatibility support for setting CRYPTSETUP and
KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf. Since 2:1.7.2-1
they should be set in /etc/cryptsetup-initramfs/conf-hook.
+ add 'algif_skcipher' kernel module to large initramfs (if the MODULES
variable isn't "dep"). That module is required for unlocking LUKS2
devices.
[ Jonas Meurer ]
* New upstream release 2.0.3
* debian/control:
- Bump standards-version to 4.1.4, no changes required
- Change my mail address to '<email address hidden>'
- Change Vcs links to the new repository on salsa.debian.org
* debian/README.source: minor improvements
* debian/doc/crypttab.xml: Fix typo in manpage
-- Jonas Meurer <email address hidden> Fri, 15 Jun 2018 15:32:16 +0200
cryptsetup (2:2.0.2-1) unstable; urgency=low
* New upstream release 2.0.2
* debian/initramfs/cryptroot-hook: copy libgcc_s.so.1 to the initrd, as
libargon2 (used by LUKS2 devices) uses pthread_cancel. (Closes: #890798.)
* debian/initramfs/cryptroot-script: create locking directory at initramfs
stage, before running the cryptsetup binary, which would create it
automatically but also spew a warning.
* debian/patches/Fix-loopaesOpen-for-keyfile-on-standard-input.patch:
removed as it was cherry-picked from upstream and included in 2.0.2.
* debian/libcryptsetup12.symbols: update with new crypt_token_is_assigned()
API function.
-- Guilhem Moulin <email address hidden> Sat, 17 Mar 2018 18:03:03 +0100
cryptsetup (2:2.0.1-1) unstable; urgency=low
* New upstream release 2.0.1:
- Use /run/cryptsetup as default for cryptsetup locking dir.
- Add missing symbols for new functions to debian/libcryptsetup12.symbols.
* debian/copyright: update copyright years.
* debian/patches: backport upstream's 8728ba08 to fix opening of loop-AES
devices using --key-file=-. (Closes: #888162.)
* debian/rules: replace `autoreconf -f -i` with `dh_autoreconf` and add
`dh_autoreconf_clean` to the "clean:" target. This bumps the minimum
debhelper version to 9.20160403~ in Build-Depends. (Closes: #888742.)
-- Guilhem Moulin <email address hidden> Sun, 11 Feb 2018 00:02:05 +0100
cryptsetup (2:2.0.0-1) unstable; urgency=low
[ Guilhem Moulin ]
* cryptsetup-bin: Install /usr/lib/tmpfiles.d/cryptsetup.conf to create the
LUKS2 locking directory /run/lock/cryptsetup. For sysVinit, this is taken
care of by the cryptdisks-early init file.
* Remove debian/patches/Use-system-libargon2.patch (applied upstream).
* debian/README.{source,gbp.conf}: Upgrade to latest upstream conventions.
* debian/control: Bump Standards-Version to 4.1.3 (remove verbatim copy of
CC0-1.0 license from debian/copyright).
* debian/rules: Fix symlink target of libcryptsetup.so in libcryptsetup-dev
package. Thanks to Alan Fung for the report and patch. (Closes: #885435.)
* debian/initramfs/cryptroot-{hook,script}: Add support for 'skip' and
'offset' crypttab(5) options in the initramfs script. Thanks to Pascal
Liehne for the report and patch. (Closes: #872342.)
[ Jonas Meurer ]
* debian/initramfs/cryptopensc-*: Install required libs and config files for
pcscd and use correct path to pcscd. Thanks to Martijn van de Streek for
bugreport and patch. (Closes: #880750)
-- Guilhem Moulin <email address hidden> Mon, 22 Jan 2018 00:25:52 +0100
| Deleted in experimental-release (Reason: None provided.) |
cryptsetup (2:2.0.0~rc1-1) experimental; urgency=low
* debian/rules: Compile with --enable-libargon2 to use system libargon2
instead of bundled version.
* debian/control: Bump Standards-Version to 4.1.1 (no changes necessary).
* debian/copyright: Update licensing information.
-- Guilhem Moulin <email address hidden> Wed, 01 Nov 2017 17:37:15 +0100
| Superseded in experimental-release |
cryptsetup (2:2.0.0~rc0-1) experimental; urgency=low
* New upstream release 2.0.0 RC0 (closes: #877566). Highlights include:
- Support for new on-disk LUKS2 format, offering authenticated disk
encrption (EXPERIMENTAL), memory-hard PBKDF (argon2), kernel keyring for
storage of key material, and more.
- New CLI `integritysetup` which can setup standalone dm-integrity devices.
- soname bump of libcryptsetup library.
* Rename library package from libcryptsetup4 to libcryptsetup12.
* Also remove deprecated upstart configuration files on upgrade and purge.
* debian/control: Bump Standards-Version to 4.1.0 (no changes necessary).
* debian/*: Apply wrap-and-sort(1).
-- Guilhem Moulin <email address hidden> Tue, 03 Oct 2017 03:37:36 +0200
cryptsetup (2:1.7.5-1) unstable; urgency=low
* New upstream release 1.7.5.
* cryptroot-unlock: When the standard input is a TTY, keep prompting for
passphrases until there are no more devices to unlock. (Closes: #866786)
* cryptsetup.prerm: Don't try to call `dmsetup table` to list dm-crypt
devices when the dm_mod module isn't loaded. (Closes: #870673)
* Rename upstream signing key from debian/upstream/signing-key.asc to
debian/upstream-signing-key.asc in order to avoid lintian error
orig-tarball-missing-upstream-signature" (we use the key to verify
signature on upstrem's git tags).
* Remove deprecated upstart configuration files: /etc/init/cryptdisks.conf
and /etc/init/cryptdisks-udev.conf. Cf. `lintian-info --tags
package-installs-deprecated-upstart-configuration`.
* debian/cryptsetup.{postinst,postrm}: Don't hard-code path to
update-initramfs(1).
* debian/rules: Include /usr/share/dpkg/pkg-info.mk to avoid parsing
dpkg-parsechangelog(1) output.
* debian/control: Bump Standards-Version to 4.0.0 (no changes necessary).
-- Guilhem Moulin <email address hidden> Thu, 14 Sep 2017 13:00:23 +0200
cryptsetup (2:1.7.3-4) unstable; urgency=high
[ Guilhem Moulin ]
* Drop obsolete update-rc.d parameters. Thanks to Michael Biebl for the
patch. (Closes: #847620)
* debian/copyright: Fix license mismatch (docs/examples/*
lib/crypto_backend/* lib/loopaes/* lib/tcrypt/* lib/verity/* python/* are
LGPL-2.1+ not GPL-2+). (Closes: #861802)
* debian/initramfs/cryptroot-hook: honor RESUME={none,auto} as documented in
initramfs.conf(5) by initramfs-tools >=0.129. (Closes: #861074)
-- Jonas Meurer <email address hidden> Tue, 09 May 2017 13:50:59 +0200
cryptsetup (2:1.7.3-3) unstable; urgency=medium
[ Jonas Meurer ]
* debian/scripts/decrypt_ssl: fix script to actually output the decrypted
key. Apparently this script has been broken since June 2008. Doesn't seem
like anybody is using it. Thanks to g1 for spotting and reporting the
error. (Closes: #844050)
* debian/initramfs/cryptroot-script:
+ limit the sleep after max passphrase attempts to devices for the rootfs.
This mitigates the negative impact in case of broken keyscripts etc.
+ add $crypttarget to each message to provide more context.
* debian/initramfs/cryptroot-hook: fix sanity check for key files on root
fs in get_device_opts(): detect if processed device is a root (parent)
device even for LVM setups. (closes: #842951)
* debian/README.initramfs: minor fix to the decrypt_derived keyscript
section: now that systemd is standard, 'cryptdisks_start' should be used
instead of '/etc/init.d/cryptdisks start'.
* debian/manpages/crypttab.xml: add a warning to the 'keyscript' option
that systemd doesn't support the option (yet) and mention the possible
workaround to process the devices in question in the initramfs.
[ Guilhem Moulin ]
* add debian/gbp.conf to set the upstream tag to "v%(version%.%_)s". As
this enables git-buildpackage >= 0.8.7 to automatically generate
orig.tar.gz, step nr. 5 is now removed from debian/README.source.
* debian/compat: bump debhelper compatibility version to 9.
* debian/initramfs/cryptroot-hook:
+ fix tab damage for consistency with the rest of the code
+ better warning for deprecated settings
+ fix sanity check for key files in get_device_opts(): print a warning if
the key file isn't on the root FS, or if the root device is not
encrypted, even for LVM setups.
+ fix sanity check for key files in get_device_opts(): print a warning if
the processed device is a resume device, even for LVM setups.
+ fix runtime error in get_lvm_deps() if the first argument is either
missing or the empty string.
+ reset IFS after processing $rootopts in get_device_opts(); the missing
linefeed in $IFS caused LVM logical volumes spaning over multiple PVs
not to have their parent devices detected correctly.
-- Jonas Meurer <email address hidden> Fri, 09 Dec 2016 01:18:17 +0100
cryptsetup (2:1.7.3-2) unstable; urgency=medium
[ Guilhem Moulin ]
* debian/README.Debian: update authorized_keys(5) path, incorrect since
2:1.7.2-1, for remote unlocking at initramfs stage using the dropbear SSH
server.
[ Jonas Meurer ]
* debian/initramfs/cryptroot-script: sleep after max passphrase attempts.
This mitigates local brute-force attacks and addresses CVE-2016-4484.
Thanks to Ismael Ripoll for discovery and report.
- decrease $count by one in tries loop if unlocking was successful.
- warn and sleep for 60 seconds if the maximum allowed attempts of
unlocking (configured with crypttab option tries, default=3) are
reached.
-- Jonas Meurer <email address hidden> Mon, 07 Nov 2016 11:34:41 +0100
cryptsetup (2:1.7.3-1) unstable; urgency=medium
* New upstream release 1.7.3.
* debian/rules: run dh_strip_nondeterminism(1p) in binary-arch rules to
make the package build more reproducible. Introduces a new Build-Depends
on dh-strip-nondeterminism. Thanks to Reiner Herrmann for bugreport and
patch. (Closes: #842581)
-- Jonas Meurer <email address hidden> Mon, 31 Oct 2016 22:00:52 +0100
cryptsetup (2:1.7.2-5) unstable; urgency=high
[ Guilhem Moulin ]
* debian/upstream/signing-key.asc: add upstream's armored OpenPGP key,
fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E 98FC.
* debian/watch: add "pgpsigurlmangle" option so uscan(1) can automatically
verify cryptographic signatures on release tarballs.
[ Jonas Meurer ]
* debian/initramfs/cryptroot-hook: only source crypt-hook from
/etc/cryptsetup-initramfs/ when present. (Closes: #841503)
-- Jonas Meurer <email address hidden> Fri, 21 Oct 2016 18:10:56 +0200
cryptsetup (2:1.7.2-4) unstable; urgency=high
[ Guilhem Moulin ]
* debian/initramfs/cryptroot-hook:
+ Fix warning printed for lvm devices backed by multiple dm-crypt nodes.
Regression introduced in 2:1.7.2-1. Thanks Zoltan Hidvegi, for the
patch. (Closes: #840480)
+ Don't escape all slash characters "/" in device paths of the form
/dev/by-label/..., only the label itself. Regression introduced in
2:1.7.2-2 as a fix for #839888.
-- Jonas Meurer <email address hidden> Thu, 13 Oct 2016 23:11:45 +0200
cryptsetup (2:1.7.2-3) unstable; urgency=medium
[ Guilhem Moulin ]
* debian/initramfs/cryptroot-conf: don't set CRYPTSETUP and KEYFILE_PATTERN,
so the (deprecated) values set in /etc/initramfs-tools aren't overridden
to the empty string by default. Regression introduced in 2:1.7.2-1.
(Closes: #839994.)
* debian/README.initramfs: fixed minor typo.
-- Jonas Meurer <email address hidden> Sat, 08 Oct 2016 00:01:25 +0200
cryptsetup (2:1.7.2-2) unstable; urgency=medium
* debian/cryptdisks.functions: fix a nasty typo in do_start that rendered
systems with sysVinit unbootable. Thanks to Marc Haber for bugreport and
patch (Closes: #839888)
-- Jonas Meurer <email address hidden> Thu, 06 Oct 2016 10:47:05 +0200
cryptsetup (2:1.7.2-1) unstable; urgency=medium
[ Jonas Meurer ]
* new upstream release 1.7.2. Highlights include:
- code now uses kernel crypto API backend according to new changes
introduced in mainline kernel. (in 1.7.1)
- cryptsetup now allows special "-" (standard input) keyfile handling
even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices. (in 1.7.1)
- Support activation options for error handling modes in Linux kernel
dm-verity module. (in 1.7.2)
* debian/cryptdisks.functions: use '--key-file=-' again with the tcrypt
extension, now that upstream issue #269 is fixed.
* migrate the packaging repository from SVN to Git:
- debian/control: Update Vcs-* fields to point to the new git repository.
- debian/README.source: document new repository structure and release
handling.
* debian/README.Debian, debian/NEWS: minor typo fixes.
* debian/rules: run pod2man --release="$(DEB_VERSION). (Closes: #839352)
[ Guilhem Moulin ]
* debian/control: add self to uploaders.
* debian/cryptdisks.functions: when iterating through the crypttab, don't
abort after the first disk that fails to be closed. Regression introduced
2:1.7.0-1 when the filed is sourced under 'set -e'.
* debian/cryptdisks.functions: stop using `seq` since cryptsetup doesn't
depend on busybox. Instead, try again after 1, 2, 4, 8 and 16s when an
encrypted disk cannot be closed. (Closes: #811456)
* debian/cryptsetup.maintscript: add a "rm_conffile" directive to remove
conffile /etc/bash_completion.d/cryptdisks, obsolete since 2:1.7.0-1.
(Closes: #810227)
* debian/README.initramfs: fix typo s/initramfs-update/update-initramfs/.
Thanks, Stuart Prescott. (Closes: #827263)
* debian/rules: Add 'hardening=+pie' to DEB_BUILD_MAINT_OPTIONS to compile
ELF executables as PIEs.
* debian/control: Bump Standards-Version to 3.9.8 (no changes necessary).
* debian/cryptsetup.lintian-overrides: Remove unused lintian override
init.d-script-does-not-source-init-functions.
* Use /etc/crytsetup-initramfs/conf-hook for initramfs hook script
configuration. For backward compatibility setting CRYPTSETUP and
KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
for now, but causes the hook to print a warning.
This is done following the initramfs-tools maintainers' request (see
#807527) that hook and boot script configuration files be stored outside
the /etc/initramfs-tools directory. (Closes: #783393)
* Print a warning when private key material is to be included in the
initramfs image (ie, if $KEYFILE_PATTERN is not empty), and the image is
created with a permissive mode.
* Add Indonesian debconf templates translation. Thanks, Izharul Haq for the
patch. (Closes: #835158)
* debian/initramfs/cryptroot-hook: Avoid leading space in $rootdevs,
$resumedevs, etc.
* Support unlocking devices at initramfs stage using a key file stored on
the encrypted root FS. Note however that resume devices won't be unlocked
this way since the resume boot script is currently run before mounting the
root FS. (Closes: #776409)
* debian/initramfs/cryptroot-hook: Avoid undesired effects for target or
device names containing non-alphanumeric characters such as "." or "-":
+ replace `grep "^$x\b"` by `awk -vx="$x" '$1==x {print}'`; and
+ replace `echo "$x"` by printf '%s' "$x" when the argument might start
with a dash.
* debian/initramfs/cryptroot-{hook,script}, debian/cryptdisks.functions:
ensure slash characters "/" from device labels are escaped when
constructing symlinks under /dev/disk/by-label.
* debian/scripts/decrypt_gnupg:
+ Remove --no-mdc-warning to display a warning if the MDC integrity
protection is missing.
+ Replace "GnuPG key" by "gpg-encrypted key" in messages and
documentation.
* debian/initramfs/cryptgnupg-hook: Add support for multiple devices
encrypted using a gpg-encrypted key.
* debian/README.gnupg: Indicate that not the only the gpg-encrypted key for
the root FS is copied onto the initramfs, but also the ones for all
devices that need to be unlocked at initramfs stage.
* debian/initramfs/cryptroot-hook: Fix bug for device label starting with
"UUID=".
[ Helmut Grohne ]
* libcryptsetup-dev: move the .pc file to a multiarch location such that
cross-pkg-config can find it. (closes: #811545)
* Fix FTCBFS: Use host arch compiler for askpass as well. (closes: #811559)
-- Jonas Meurer <email address hidden> Wed, 05 Oct 2016 20:53:09 +0200
cryptsetup (2:1.7.0-2) unstable; urgency=medium
[ Guilhem Moulin ]
* Fix cryptsetup shutdown procedure on sysvinit, broken since 2:1.7.0-1 for
systems without active crypttab entry at the time fo the shutdown.
(Closes: #792552, #810380)
-- Jonas Meurer <email address hidden> Sun, 10 Jan 2016 18:45:20 +0100
cryptsetup (2:1.7.0-1) unstable; urgency=medium
[ Jonas Meurer ]
* new upstream release 1.7.0. Highlights include:
- cryptsetup TCRYPT mode now supports VeraCrypt devices (in 1.6.7)
- fix activation using (UNSECURE) ECB mode (in 1.6.7) (closes: #784129)
- properly support stdin "-" handling for luksAddKey for both new and old
keyfile parameters. (in 1.6.8)
- default hash function is now SHA256 (used in key derivation function
and anti-forensic splitter) (in 1.7.0)
* debian/cryptsetup.functions, debian/initramfs/cryptroot.{hook,script}: add
support for veracrypt option to cryptdisks initscript and cryptroot
initramfs script. (closes: #806290)
* debian/cryptdisks.functions: don't use '--key-file=-' with the tcrypt
extension. This fixes the tcrypt implementation in the initscript and
provides a workaround for upstream issue #269.
* debian/cryptsetup.bug-script: do not send potentially private information
without prior user confirmation in reportbug script. (Closes: #783298)
* debian/cryptsetup.apport: do not send potentially private information
without prior user confirmation in apport hook.
* debian/control, debian/NEWS: fix links to cryptsetup homepage/FAQ. Homepage
(and FAQ) moved from code.google.com to gitlab.com. (closes: #781674)
* debian/*: update hyperlinks to use https instead of http where appropriate.
* debian/rules, debian/post{inst,rm}: don't install cryptdisks_st{art,op}
symlinks to /usr/sbin if everything-in-usr directories scheme is used.
Thanks to Marco d'Itri for the patch. (closes: #767921)
* debian/scripts/luksformat: search for mkfs binaries in /usr/sbin, /usr/bin,
/sbin and /bin (default order in $PATH). This fixes luksformat for btrfs
filesystems. (closes: #805353)
* debian/dirs, debian/rules: install cryptdisks bash-completion script into
/usr/share/bash-completion/completions.
* debian/cryptdisks.functions: iterate over remaining open crypttab devices
in do_stop() in order to close dependent devices and don't freeze the
shutdown process. Thanks to Avatar for the patch. (closes: #792552)
* debian/rules: set V=1 in order to make build logs usable for blhc.
* debian/rules: set DEB_VERSION and DEB_DATE in a way to make cryptsetup
build reproducible. Thanks to Dhole and Valentin Lorentz for patches.
(closes: #780864, #794106)
* debian/cryptdisks.functions: bring the passphrase prompt in line with the
one from initramfs script in order to make the user experience more
consistent. (closes: #772943)
* debian/initramfs/cryptroot-script: move sanity checks of $cryptkeyscript
and potential expansion to '/lib/cryptsetup/askpass' to the beginning of
setup_mapping().
[ Guilhem Moulin ]
* debian/README.{Debian,remote}: remove dropbear-specific configuration and
point to dropbear-initramfs instead. Since version 2015.70-1, dropbear
ships dropbear-specific initramfs configuration and documentation in an
own binary package dropbear-initramfs. (closes: #801471)
* debian/initramfs/cryptroot-{hook,script}: add support for 'keyslot' option
to cryptroot initramfs script. (closes: #801479)
* debian/README.initramfs, debian/initramfs/cryptroot-hook: add support for
storing keyfiles directly in the initrd. (closes: #786578)
* debian/initramfs/cryptroot-hook: display a warning for invalid source
devices. (closes: #720515, #781955, #784435)
* debian/askpass.c: add plymouth support to the askpass helper command.
* debian/cryptdisks.functions, debian/initramfs/cryptroot-script: remove
special treatment of plymouth installations now that askpass supports
plymouth natively.
* debian/initramfs/cryptroot-unlock(-hook): add initramfs hook and script
to remotely unlock cryptroot devices. (closes: #782024, #697156)
-- Jonas Meurer <email address hidden> Thu, 07 Jan 2016 02:22:33 +0100
cryptsetup (2:1.6.6-5) unstable; urgency=high
* debian/cryptdisks.functions: fix the precheck for ubuntu+upstart
before invoking 'status cryptdisks-udev'. (closes: #773456)
* debian/cryptdisks.functions: fix the insufficient grep regex for
detecting a running cryptdisks-udev (upstart) init script.
-- Jonas Meurer <email address hidden> Thu, 22 Jan 2015 21:22:08 +0100
cryptsetup (2:1.6.6-4) unstable; urgency=medium
[ Simon McVittie ]
* debian/initramfs/cryptroot-script: decrypt /usr as well as / so that
split-/usr will work with initramfs-tools (>= 0.118). (closes: #767832)
[ Jonas Meurer ]
* debian/cryptdisks.funcctions: check for cryptdisks-udev initscript before
actually invoking 'status' on it. It's only useful in ubuntu+upstart
environment anyway. (closes: #764564)
* debian/askpas.c: fix systemd_read() to really strip trailing newline from
input. Thanks to Quentin Lefebvre for report and patch. (closes: #768407)
-- Jonas Meurer <email address hidden> Wed, 17 Dec 2014 14:24:41 +0100
cryptsetup (2:1.6.6-3) unstable; urgency=medium
* debian/initramfs/cryptroot-script: fix environment variable $CRYPTTAB_TRIED
to hold the number of actual tries instead of the number of maximum tries.
Thanks to Luc Maisonobe for debugging and the patch. (closes: #758788)
-- Jonas Meurer <email address hidden> Tue, 07 Oct 2014 19:51:36 +0200
cryptsetup (2:1.6.6-2) unstable; urgency=medium
* rename 'luksheader' option in crypttab to 'header', as it may be used for
different encryption modes later as well.
* add support for detached LUKS header to initramfs scripts. Thanks to Pablo
Santiago for the hint and DiagonalArg from Launchpad for patch suggestions.
(closes: #716652)
* fix support for truecrypt devices in initramfs scripts. Thanks to Lukas
Wunner for the patch. (closes: #748286)
* use blkid instead of fstype everywhere in cryptroot initramfs scripts.
Thanks to Pablo Santiago for the hint.
* debian/initramfs/cryptroot-hook: add support for 'initramfs' option to
crypttab. Thanks to Hugh Davenport for the patch. (closes: #697162)
* debian/initramfs/cryptroot-script: add support for multiple btrfs root
devices. This should fix the WARNING at mkinitramfs for unencrypted
btrfs root device(s) as well. Thanks to Jon Severinsson and Gerald Turner
for patches. (closes: #682751, #762268)
* debian/initramfs/cryptroot-script: skip missing device in initramfs after
dropping to the panic/emergency shell instead of looping in the panic
shell. Thanks to Cédric Barboiron for the patch. (closes: #762573)
* debian/initramfs/cryptroot-script: for LVM devices, don't set ROOT to
$NEWROOT in /etc/param.conf in case that /etc/param.conf already has ROOT
set. This is the case for flash-kernel devices. Thanks to Brandon Parker
for bugreport and patch. (closes: #759720)
* debian/initramfs/cryptroot-script: in slumber loop, retry vg_activate
every ten seconds. Fixes LVM on USB in cases that the USB device didn't
come up fast enough. (closes: #762032)
* fix package version number in debian/NEWS.
* bump standards-version to 3.9.6, no changes needed.
-- Jonas Meurer <email address hidden> Wed, 20 Aug 2014 19:59:03 +0200
cryptsetup (2:1.6.6-1) unstable; urgency=medium
* new upsream version 1.6.6.
* add versioned dependency on cryptsetup-bin to cryptsetup. (closes: #747670)
* change versioned build-depends on automake to >= 1.12 to reflect upstream
requirements. Thanks to Joel Johnson. (closes: #740688)
* build and link against libgcrypt20 (>= 1.6.1). Add note about whirlpool
bug in older libgcrypt releases and how to deal with it to debian/NEWS.
* add systemd support to askpass. Thanks to David Härdeman for the patch.
(closes: #742600, #755074)
* fix initramfs cryptroot hook to not include modules unconditionally. Thanks
to Dmitrijs Ledkovs for bugreport and patch. (closes: #714104)
* fix decrypt_keyctl script to ask again in case of wrong passphrase. Thanks
to Dmitriy Matrosov for bugreport and patch. (closes: #748368)
* incorporate changes from ubuntu package:
- don't hardcode paths to udevadm and udevsettle.
- restore terminal settings in askpass.c. (closes: #714942)
- migrate upstart jobs to new names.
-- Jonas Meurer <email address hidden> Tue, 04 Mar 2014 20:14:07 +0100
cryptsetup (2:1.6.4-4) unstable; urgency=medium
* really fix plain device opening in initramfs cryptroot script this time.
Thanks again to Dirk Griesbach for the patch. (closes: #740592)
-- Jonas Meurer <email address hidden> Mon, 03 Mar 2014 21:00:16 +0100
cryptsetup (2:1.6.4-3) unstable; urgency=medium
* fix plain device opening, broken by switch to new unified open command
in 1.6.4-1. Thanks to Dirk Griesbach for the patch. (closes: #740592)
* update italian debconf translations, thanks to Italian l10n team and
Francesca Ciceri. (closes: #740557)
* remove trailing whitespaces from text files.
* some minor packaging fixes thanks to lintian checks:
- fix VCS-* fields in debian/control to use canoncial URIs.
- remove empty directory from libcryptsetup4 package.
- add lintian-override for init.d-script-not-included-in-package.
-- Jonas Meurer <email address hidden> Sun, 02 Mar 2014 13:51:35 +0100
cryptsetup (2:1.6.4-2) unstable; urgency=medium * fix libcryptsetup.so symlink. Thanks to Michael Biebl. (closes: #740484) -- Jonas Meurer <email address hidden> Sun, 02 Mar 2014 01:33:39 +0100
cryptsetup (2:1.6.4-1) unstable; urgency=low
* new upstream version 1.6.4.
- minor fixes in cryptsetup manpage. (closes: #725131)
- by default verify new passphrase in luksChangeKey and luksAddKey
commands (closes: #728302)
- cryptsetup releases are released on kernel.org since 1.6.4. Change
debian/watch accordingly.
* use compiled defaults for cypher, keysize and hash in luksformat script
* improvements to docs (thanks to Christoph Anton Mitterer):
- small improvement to explanation for CRYPTTAB_TRIED environment variable
in crypttab manpage
- update cipher, size and hash settings in examples (closes: #714331)
- replace '/dev/hdX' devices with '/dev/sdX' in examples
- full path to keyscripts in /lib/cryptsetup/scripts not needed in examples
* update init and initramfs scripts to use new open syntax (closes: #714395)
* add scripts/local-block/cryptroot in order to support event based block
device handling. Thanks to Goswin von Brederlow (closes: #678692)
* add support for TCRYPT device handling to cryptdisks init and cryptroot
initramfs scripts. (closes: #722509)
* improve passphrase prompt in cryptroot initramfs script. Thanks to Joachim
Breitner. (closes: #728080)
* add support for detached luks header to cryptdisks init script. Thanks to
Ximin Luo. (closes: #716652)
* enhance docs about remote unlocking feature. Thanks to Karl O. Pinc.
(closes: #715487, #714952)
* update README.keyctl docs: since linux kernel 2.6.38, dm-crypt is not
single-threaded any longer. (closes: #714806)
* don't sleep between retries in cryptroot initramfs script. (closes: #715525)
* add multi-arch support. Thanks to Shawn Landden. (closes: #696008, #732099)
* suggest keyutils. Thanks to Nikolaus Rath. (closes: #734133, #735496)
* fix initramfs/cryptroot-hook to support more than one lvm source devices.
Thanks to Jens Reinsberger for the patch. (closes: #659688, #737686)
* bump standards-version to 3.9.5, no changes needed.
* override lintian false positives for init scripts:
- init.d-script-does-not-implement-optional-option status
- init.d-script-does-not-source-init-functions
-- Jonas Meurer <email address hidden> Fri, 28 Jun 2013 12:14:55 +0200
cryptsetup (2:1.6.1-1) unstable; urgency=low
[ Milan Broz ]
* new upstream version. (closes: #704827, 707997)
- default LUKS encryption mode is XTS (aes-xts-plain64) (closes: #714331)
- adds native support for Truecrypt and compatible on-disk format
- adds benchmark command
- adds cryptsetup-reencrypt, a tool to offline reencrypt LUKS device
- adds veritysetup, a tool for dm-verity block device verification module
* install docs/examples into docs at cryptsetup-dev package.
* fix compilation warnings in askpass.c.
[ Steve Langasek ]
* fix upstart jobs to not cause boot hangs when actually used in
conjunction with startpar. (closes: #694499, #677712).
* in connection with the above, make the cryptdisks-early job explicitly
wait for 'umountfs' on shutdown just like cryptdisks does; otherwise,
the teardown of the cryptdisks upstart job may cause the cryptdisks-early
init script run before we're done unmounting filesystems.
[ Jonas Meurer ]
* minor wording fixes to README.initramfs, suggested by intrigeri and Adam
D. Barrett.
* add bash-completion script for cryptdisks_{start,stop}. Thanks to Claudius
Hubig for providing a patch. (closes: #700777)
* support specifying key-slot in crypttab. Thanks to Kevin Locke for the
patch. (closes: #704470)
* remove evms support code from cryptroot initramfs script. (closes: #713918)
* fix location of keyscripts in initramfs documentation. (closes: #697446)
* fix a typo in decrypt_ssl script that prevented stdout from beeing
redirected to /dev/null. (closes: #700285)
* give full path to blkid in crytproot initramfs script. (closes: #697155)
* export number of previous tries from cryptroot and cryptdisks to
keyscript. Thanks to Laurens Blankers for the idea. Opens the possibility
to fallback after a given number of tries for keyscripts. (closes: #438481,
#471729, #697455)
* improve check for cpu hardware encryption support in initramfs cryptroot
hook. (closes: #714326)
-- Jonas Meurer <email address hidden> Fri, 28 Jun 2013 12:10:41 +0200
cryptsetup (2:1.4.3-4) unstable; urgency=medium
* change recommends for busybox to busybox | busybox-static. Thanks to
Armin Haas for the bugreport. (closes: #692151)
-- Jonas Meurer <email address hidden> Wed, 07 Nov 2012 16:12:25 +0100
cryptsetup (2:1.4.3-3) unstable; urgency=medium
* add recommends for 'kbd, console-setup' to cryptsetup package. Both are
necessary to support local keymap in initramfs. Thanks to Raphaël Hertzog
for the bugreport. (closes: #689722)
* move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool,
busybox' to recommends. Both are required for encrypted root fs.
* remove suggestion for udev, most debian systems have it installed anyway.
* mention option to use UUID=<luks_uuid> for source device in crypttab(5).
Thanks to Felicitus for the bug report. (closes: #688786)
* add a paragraph in README.initramfs: Describe, why renaming the target
name is not supported for encrypted root devices. Thanks to Adam Lee for
bugreport and proposed workaround for this limitation. (closes: #671037)
* fix keyfile permission checks in cryptdisks init scripts to follow
symlinks. Thanks to intrigeri for the bugreport. (closes: #691517)
* fix owner group check for keyfile in cryptdisks init scripts to really
check owner group.
* update debconf translations:
- brasilian portuguese, thanks to Adriano Rafael Gomes. (closes: #685762)
- japanese, thanks to victory. (closes: #690784)
* fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for
the bugreport. (closes: #684086)
-- Jonas Meurer <email address hidden> Thu, 01 Nov 2012 15:34:09 +0100
cryptsetup (2:1.4.3-2) unstable; urgency=medium
* fix the shared library symbols magic: so far, the symbols file for
libcryptsetup4 included just a wildcard for all exported symbols, with
libcrypsetup4 (>= 2:1.4) as minimum version. This was wrong. Symbols
that were added later need adjusted minimum versions. Thanks for the
great help in #debian-mentors. (closes: #677127)
* remove emtpy directory /lib from cryptsetup-bin package.
* compile askpass and passdev with CFLAGS, CPPFLAGS and LDFLAGS.
-- Jonas Meurer <email address hidden> Tue, 12 Jun 2012 21:26:18 +0200
cryptsetup (2:1.4.3-1) unstable; urgency=low
[ Jonas Meurer ]
* mention limitations for keyscripts in crypttab(5) manpage: keyscripts
must not depend on binaries/files which are part of the to-be-unlocked
device. (closes: #665494)
* bump versioned build-dependency on debhelper now that we install
upstart initscripts in debian as well.
* change versioned breaks/replaces for cryptsetup-bin on cryptsetup to
1.4.3-1~, fixing upgrades in debian.
[ Jean-Louis Dupond ]
* New upstream version. (closes: #670071)
- Fix keyslot removal (closes: #672299)
- Add -r to cryptsetup.8 (closes: #674027)
* Split up package in cryptsetup and cryptsetup-bin.
* I'm now co-maintainer (closes: #600777).
* Start cryptdisks-enable upstart job on 'or container', to let us
simplify the udevtrigger job.
* debian/cryptdisks.functions: handle the case where crypttab contains a
name for the source device that is not the kernel's preferred name for
it (as is the case for LVs). (Thanks Steve Langasek)
* debian/cryptdisks.functions: fix a race condition in some cases by
adding and udevadm settle before rename.
* debian/cryptdisks.functions: add UUID & LABEL support to do_start.
* debian/copyright: really fix lintian warning.
* debian/rules: also include upstart files in debian.
-- Jonas Meurer <email address hidden> Fri, 08 Jun 2012 13:42:51 +0200
cryptsetup (2:1.4.1-3) unstable; urgency=low
[ Jonas Meurer ]
* finally add back support for configuration of custom rootfs-devices through
the boot parameter 'root' to initramfs cryptroot script. Thanks a lot to
August Martin for the bugreport as well as continuously debugging and
providing patches. (closes: #546610)
* use blkid instead of fstype to detect the content of devices in initramfs
cryptroot script. Unfortunately fstype doesn't recognize md-raid devices,
which leads to errors with encrypted devices on top of software raid.
* check whether $NEWROOT already exists before actually invoking cryptsetup
in initramfs cryptroot script. (closes: #653241)
* fix conditions for prechecks at do_noluks() in cryptdisks.functions. Should
prevent data loss with encrypted swap in most cases. (closes: #652497)
* change default value for tmpfs and examples from ext2 to ext4.
* minor code cleanup.
* update debconf translations:
- russian, thanks to Yuri Kozlov. (closes: #661303)
- spanish, thanks to Camaleón. (closes: #661316)
[ Jean-Louis Dupond ]
* fix watch file.
* always add aesni module to initramfs if we have hardware aes support.
(closes: #639832).
* debian/copyright: fix lintain warning.
* add upstart scripts for ubuntu.
* silent warnings on kernels without kernel/{arch,crypto}.
* add crypttab_start_one_disk in function script to handle udev startup
in ubuntu.
* bump standards-version to 3.9.3, no changes needed.
-- Jonas Meurer <email address hidden> Wed, 11 Apr 2012 23:55:35 +0200
cryptsetup (2:1.4.1-2) unstable; urgency=low
* acknowledge NMU. Thanks to Michael Biebl. (closes: #659182)
* don't print error for non-encrypted rootfs in initramfs cryptroot hook.
Thanks to Jamie Heilman and Christoph Anton Mitterer for bugreports.
(closes: #659087, #659106)
* use dmsetup splitname to extract VG name from $node in initramfs cryptroot
hook. Thanks to Kai Weber for the bugreport, Milan Broz and Claudio
Imbrenda for suggestions and patches. (closes: #659235)
-- Jonas Meurer <email address hidden> Sun, 12 Feb 2012 15:51:11 +0100
cryptsetup (2:1.4.1-1) unstable; urgency=low
* new upstream release (1.4.0 + 1.4.1) (closes: #647851)
- fixes typo in german translation. (closes: #645528)
- remove patches, all incorporated upstream.
- soname bump, rename library package to libcryptsetup4
* check for busybox in initramfs cryptroot hook, and install the sed binary
in case it's either not installed or not activated. (closes: #591853)
* add checks for 'type $KEYSCRIPT' to initscripts cryptdisks.functions, and
to cryptroot initramfs script/hook. this adds support for keyscripts inside
$PATH. thanks to Ian Jackson for the suggestion. (closes: #597583)
* use argument '--sysinit' for vgchange in cryptroot initramfs script. Thanks
to Christoph Anton Mitterer for the suggestion.
* add option for discard/trim features to crypttab and initramfs scripts.
Thanks to intrigeri and Peter Colberg for patches. (closes: #648868)
* print $target on error in initramfs hook. Thanks to Daniel Hahler for the
bugreport. (closes: #648192)
* add a warning about using decrypt_derived keyscript for devices with
persistent data. Thanks to Arno Wagner for pointing this out.
* remove quotes from resume device candidates at get_resume_devs() in
initramfs hook script. Thanks to Johannes Rohr. (closes: #634017)
* support custom $TABFILE, thanks to Douglas Huff. (closes: #638317)
* fix get_lvm_deps() in initramfs cryptroot hook to add all physical volumes
of lvm volume group that contains the rootfs logical volume, even if the
rootfs is lv is not spread over all physical volumes. Thanks to Christian
Pernegger for bugreport and patch. (closes: #634109)
* debian/initramfs/cryptroot-script: Move check for maximum number of tries
behind the while loop, to make the warning appear in case that maximum
number of tries is reached. Thanks to Chistian Lamparter for bugreport and
patch. (closes: #646083)
* incorporate changes to package descriptions and debconf templates that
suggested by debian-l10n-english people. Special thanks go to Justin B Rye.
* acknowledge NMU, thanks a lot to Christian Perrier for his great work on
the i18n front. (closes: #633105, #641719, #641839, #641947, #642470,
#640056, #642540, #643633, #643962, #644853)
* add and update debconf translations:
- italian, thanks to Milo Casagrande, Francesca Ciceri. (closes: #656933)
- german, thanks to Erik Pfannenstein. (closes: #642147)
- spanish, thanks to Camaleón. (closes: #658360)
- russian, thanks to Yuri Kuzlov (closes: #654676)
* set architecture to linux-any, depends on linux kernel anyway. Thanks to
Christoph Egger. (closes: #638257)
* small updates to the copyright file.
* add targets build-indep and build-arch to debian/rules, thanks to lintian.
-- Jonas Meurer <email address hidden> Sun, 05 Feb 2012 03:17:59 +0100
cryptsetup (2:1.3.0-3.1) unstable; urgency=low
* Non-maintainer upload.
* Fix pending l10n issues. Debconf translations:
- French (Julien Patriarca). Closes: #633105
- Vietnamese (Hung Tran). Closes: #641719
- Portuguese (Miguel Figueiredo). Closes: #641839
- Russian (Yuri Kozlov). Closes: #641947
- Swedish (Martin Bagge / brother). Closes: #642470,#640056
- Czech (Michal Simunek). Closes: #642540
- Dutch; (Jeroen Schot). Closes: #643633
- Spanish; (Camaleón). Closes: #643962
- Danish (Joe Hansen). Closes: #644853
-- Christian Perrier <email address hidden> Sun, 25 Dec 2011 19:00:24 +0100
cryptsetup (2:1.3.0-3) unstable; urgency=low * drop the loopback magick from cryptdisks scripts. Mario 'Bitkoenig' Holbe pointed out, that auto-destruction support was added to the loopback driver with kernel 2.6.25. Given, that even lenny has a more recent kernel, support for kernels < 2.6.25 is not required any more. (closes: #626458) * add debconf question 'prerm/active-mappings' with priority high to prerm maintainer script. will warn about active dm-crypt mappings before the package is removed/purged. (closes: #626641) * add lintian-override for 'cryptsetup: no-debconf-config', as the debconf question in prerm doesn't require a debconf config script. * add debian/patches/03_create_fix_keyfile.patch. (closes: #626738) -- Jonas Meurer <email address hidden> Thu, 19 May 2011 20:50:08 +0200
Available diffs
- diff from 2:1.1.3-4 to 2:1.3.0-3 (279.6 KiB)
cryptsetup (2:1.3.0-2) unstable; urgency=low * fix changelog of 2:1.3.0-1 release, thanks to Thorsten Glaser for the hint -- Jonas Meurer <email address hidden> Thu, 12 May 2011 03:06:46 +0200
cryptsetup (2:1.3.0-1) unstable; urgency=low * NOT RELEASED YET * new upstream release - automatically allocates loopback device for container files. update the cryptdisks functions to only setup loopback device for kernel < 2.6.35. otherwise, let cryptsetup do the magic itself. *****TODO: TESTING***** - introduces maximum default keyfile size, see --help for value. manually set the keyfile size with --keyfile-size in order to overwrite the limit. - adds luksChangeKey command for changing passphrase/keyfile in one step - adds loopAES compatibility command loopaesOpen - remove d/patches/01_luksAddKey_return_code.patch, incorporated upstream * add gettext support to luksformat script. Thanks to intrigeri for initial patch, and adduser sources for implementation ideas. (closes: #558405) * fix KEYSCRIPT checks in cryptdisks.functions for empty values. * update REAMDE.gnupg and initramfs cryptgnupg hook script: - warn about keys being copied to initramfs. - fix the documentation to provide working examples. * update README.Debian and related documentation: - add a section about the 'special' keyscripts askpass and passdev (closes: #601314) - update several sections, remove reference to lenny * add debian/patches/01_create_fix_size.patch, to fix a regression in 1.2.0 where the size argument was ignored for create command (closes: #624828) * add debian/patches/02_manpage.patch, escapes minus signs in manpage * remove usplash support from cryptroot initramfs script, askpass and keyscripts, add plymouth support to keyscripts. (closes: #620923) * ignore options like cipher, hash, size, etc. for luks commands in cryptdisks. mention this in the crypttab manpage. (closes: #619249) * again check for existance of /lib/cryptsetup/cryptdisks.functions before sourcing it in cryptdisks(-early).init. required if cryptsetup is removed but not purged, where initscripts are still around. (closes: #625468) * bump standards-version to 3.9.2, no changes needed. * debian/libcryptsetup1.symbols: update, 1.3.0 adds new function symbols -- Jonas Meurer <email address hidden> Wed, 11 May 2011 14:45:42 +0200
| Published in squeeze-release |
cryptsetup (2:1.1.3-4squeeze2) stable-proposed-updates; urgency=low * fix changelog for cryptsetup 2:1.1.3-4squeeze1. -- Jonas Meurer <email address hidden> Thu, 10 Mar 2011 21:45:56 +0100
cryptsetup (2:1.2.0-2) unstable; urgency=low * upload to unstable. * fixes a ftbfs due to updated libgpg-error and libgcrypt11 build- dependencies. (closes: #614530) * install cryptkeyctl initramfs hook, needed for keyctl keyscript in initramfs, thanks to Maik Zumstrull (closes: #610750) * use 'egrep -c' instead of wc in cryptdisks_st* scripts, wc might not be available as it's located at /usr/bin. Thanks to Mario 'BitKoenig' Holbe for bugreport and patch. (closes: #611747) * add debian/patches/01_luksAddKey_return_code.patch, fixes the luksAddKey return code when the master key is used. (closes: #610366) * fix luksformat script to invoke usage() with --help. (closes: #612947) * add a paragraph about known upgrade issues to the crypttab manpage. this paragraph strongly suggests to configure cipher, hash and keysize for plain dm-crypt devices. (closes: #612452) * fix examples in crypttab manpage, cipher, hash and keysize should be configured for plain dm-crypt devices. * luksformat: invoke udevadm settle between mkfs.vfat and luksClose, to prevent possible race conditions. This is a workaround. (closes: #601886) * update lintian-overrides for new lintian from experimental. * fix spelling mistake in README.Debian thanks to lintian. * update short and long description for udebs to mention udeb and debian-installer. This satisfies lintian. * fix get_resume_device() in initramfs cryptroot hook script to add source device for decrypt_derived keyscript in case it's not the root device. Thanks to Robert Lange and mahashakti89 for bugreport. (closes: #592430) -- Jonas Meurer <email address hidden> Mon, 07 Mar 2011 23:52:13 +0100
| Deleted in experimental-release (Reason: None provided.) |
cryptsetup (2:1.2.0-1) experimental; urgency=low * new major upstream release (closes: #603804) - adds text version of FAQ - adds new options --use-random and --use-urandom for MK generation - fixes luksRemoveKey to not ask for remaining keyslot passphrase - no longer supports luksDelKey command (replaced by luksKillSlot) - no longer supports reload command, dmsetup reload should be used instead - adds support to change the UUID later (with --uuid cmd option) - adds --dump-master-key option for luksDump command - no luksOpen, luksFormat and create for open devices (closes: #600208) - remove debian/patches/01_manpage.patch, incorporated upstream - and many more changes, see upstream changelog for further information - update debian/libcryptsetup1.symbols * invoke update-initramfs at cryptsetup removal in order to not leave behind a broken initramfs. thanks to ubuntu for the hint. * link dynamically against libgcrypt11 and libgpg-error0 now that the libraries have been moved to /lib. add versioned depends for libcryptsetup1 on (libgcrypt >= 1.4.6-2) and libgpg-error0 (>= 1.10-0.1). * debian/initramfs/cryptroot-script: prereq 'cryptroot-prepare' added in order to support cryptroot to depend on custom initramfs scripts. thanks to Marc Haber for the suggestion. (closes: #601311) * debian/cryptdisks.functions: + fix check for ownership and permissions of $key to work with slighly different output of 'ls -l' with selinux enabled. (closes: #600522) + fix $TRIES implementation to support TRIES=0 again. (closes: #602501) * change 'echo -e' to 'printf' in debian/initramfs/cryptroot-script. thanks to checkbashisms script devscripts for spotting that bashism. * add a libcryptsetup1-udeb library package for debian-installer in order to satisfy cryptsetup-udeb dependencies with dynamically linked binary. Version the build-depends on libgcrypt11-dev to (>= 1.4.6-3), to satisfy udeb library dependencies. * change 'XC-Package-Type: udeb' to 'Package-Type: udeb' in debian/control * add debian/cryptsetup.apport from Ubuntu, install only for dist=Ubuntu. build-depends on dpkg-dev (>= 1.15.1) is required for this to work. -- Jonas Meurer <email address hidden> Sun, 16 Jan 2011 01:01:03 +0100
cryptsetup (2:1.1.3-4) unstable; urgency=high
* bump standards-version to 3.9.1, no changes required
* add patches/01_manpage_units: mention units (512b sectors) for -o option
in man page. (closes: #584174)
* move cryptdisks_st* scripts from /usr/sbin to /sbin, add symlinks for
compatibility reasons. thanks to Mario 'BitKoenig' Holbe. (closes: #589800)
* add decrypt_keyctl keyscript and initramfs hook from Michael Gebetsroither,
which supports to cache a passphrase for later use. (closes: #563961)
* invoke /sbin/lvm with full path in cryptroot initramfs script. thanks to
Bernd Zeimetz. (closes: #597648)
* print out a warning at initramfs cryptroot hook in case that detection of
canonical device failed. (closes: #594092)
* add manpage fixes, thanks to Stephen Gildea for patch. (closes: #598237)
* fix depreciated ext2 wrapper checkscript to succeed for ext2, ext3, ext4
and ext4dev filesystems. (closes: #595331)
* again remove duplicates from debian/NEWS.
* truncate trailing spaces for some variables at initramfs cryptroot hook.
* remove volume group -guessing magic from initramfs scripts and hooks,
instead activate all available lvm volume groups. thanks to Christoph
Anton Mitterer for the suggestion. (closes: #554506, #591626)
* remove /etc/bash_completion.d from debian/cryptsetup.dirs
* set urgency=high as this upload fixes two release-critical bugs.
-- Jonas Meurer <email address hidden> Thu, 04 Nov 2010 20:36:45 +0100
cryptsetup (2:1.1.3-3) unstable; urgency=low
* fix usage of new variable $DEFAULT_LOUD, and some cosmetical changes.
thanks to Mario 'BitKoenig' Holbe. (closes: #589029)
-- Jonas Meurer <email address hidden> Thu, 22 Jul 2010 12:56:01 +0200
cryptsetup (2:1.1.3-2) unstable; urgency=low
* introduce new $INITSTATE 'manual' for cryptdisks_st* scripts. that way,
noauto devices are processed again by cryptdisks_st* scripts.
(closes: #588697, #588698, #589153, #589798)
* introduce new variable $DEFAULT_LOUD. now the 'loud' option in crypttab
affects only the device in question. thanks to Mario 'BitKoenig' Holbe.
* introduce new crypttab option 'quiet' which overwrites and unsets the
'loud' option. thanks to Mario 'BitKoenig' Holbe. (closes: #589029)
-- Jonas Meurer <email address hidden> Wed, 21 Jul 2010 10:42:49 +0200
cryptsetup (2:1.1.3-1) unstable; urgency=low
* new upstream release:
- fix device alignment ioctl calls parameters for archs like ppc64.
- fix activate_by_* API calls to handle NULL device name as documented
- fix udev support for old libdevmapper with not compatible definition
* fix rm_lo_setup() in cryptdisks.functions for failed device setup. thanks
to Roger Pettersson. (closes: #581712)
* add X-Stop-After headers to cryptdisks(-early) initscripts. this fixes
shutdown process for system without encrypted rootfs at least. thanks to
Alfredo Finelli. (closes: #575652)
* more merges from ubuntu, thanks to and Steve Langasek (closes: #575024):
- debian/cryptdisk.functions: initially create the device under a temporary
name and rename it only at the end using 'dmsetup rename', to ensure that
upstart/mountall doesn't see our device before it's ready to go.
LP: #475936.
- cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for
changing the permissions of the filesystem root, not directly on /tmp,
since mounting on /tmp a) is racy, b) confuses mountall something fierce.
LP: #475936.
* fix manpage checkscripts documentation. clarify that both cryptdisks and
cryptroot invoke checkscripts. thanks Christoph Anton Mitterer.
* remove quotes from $KEYSCRIPT invokation, thanks Alexandre Rossi.
(closes: #585099)
* fix support for commandline options to mkfs in luksformat. thanks to Eduard
Bloch again for bugreport and patch. (closes: #585787)
* remove duplicates from debian/NEWS, thanks Steve Langasek (closes: 586019)
* improve documentation on environment variables in cryptdisks.default and
crypttab manpage. thanks Christoph Anton Mitterer. (closes: #585664)
* several improvements to (pre)check scripts, inspired by scripts from
Christoph Anton Mitterer (closes: #585418, #585496)
- checkscripts exit with error 1 if executables aren't available.
- ext2, swap and xfs scripts are depreciated and invoke blkid script.
- drop filtering of minix filesystem in blkid, util-linux 2.17.2 in debian
- remove *vol_id check scripts, vol_id isn't available in debian any longer
- don't use sed in *blkid check scripts any longer
* fix initramfs/cryptroot-hook to canonicalize $device in get_resume_devices
function. this should really weed out all duplicates. (closes: #586122),
and catch all udev/device-mapper symlink setups as well (closes: #554506)
* bash-completion file now in pck bash-completion (closes: #586299, #586162)
* add a paragraph about the boot order of init scripts to README.Debian,
describing the current catch-22 situation. (closes: #576646)
* initscripts and cryptdisks_st* no longer silently quit in case that include
file /lib/cryptsetup/cryptdisks.functions is missing. (closes: #587220)
* fix cryptdisks-early LSB headers to restore legacy boot sequence order.
mdadm-raid was started before cryptdisks-early. (closes: #587224)
* cryptdisks initscript now raises a warning for failed started devices, and
cryptdisks-early initscript raises a warning for failed stopped devices.
this makes the initscript actions far more transparent to users. same holds
for cryptdisks_st*. thanks to Christoph Anton Mitterer. (closes: #587222)
* remove lintian overrides init.d-script-should-depend-on-virtual-facility
as lintian lintian 2.4.2 has fixed #580082.
* bump standards-version to 3.9.0, remove version information from replaces/
provides/conflicts against cryptsetup-luks, change conflicts against
hashalot (<= 0.3-1) to breaks hashalot (<< 0.3-1) and add replaces.
* fix loads of typos, thanks to Christoph Anton Mitterer. (closes: #588068)
* update copyright years and list Milan Broz in debian/copyright
-- Jonas Meurer <email address hidden> Sat, 10 Jul 2010 14:32:40 +0200
cryptsetup (2:1.1.2-1) unstable; urgency=low
* new upstream release, changes include:
- Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
(closes: #583397)
- Add verbose log level and move unlocking message there.
- Remove device even if underlying device disappeared (remove, luksClose).
(closes: #554600, #574126)
- Fix (deprecated) reload device command to accept new device argument.
* merged from ubuntu:
- if plymouth is present in the initramfs, use this directly, bypassing
the cryptsetup askpass script
- start usplash in initramfs, since we need it for fancy passphrase input
- Set FRAMEBUFFER=y in cryptroot-conf, to pull plymouth into the initramfs
- debian/initramfs/cryptroot-hook: Properly anchor our regexps when
grepping /etc/crypttab so that we don't incorrectly match device names
that are substrings of one another.
- debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot
file descriptor to subprocesses.
* sync list of supported filesystems in passdev.c and cryptpassdev-hook
* fix debian/watch file to work with updated code.google.com download page
* stop building and shipping static libs (closes: #583387, #583471)
* improve documentation on (pre)checks in manpage. (closes: #583568, #583567)
* remove xfs and ext2 check scripts documentation from crypttab manpage,
blkid script can be used. thanks Christoph Anton Mitterer (closes: #583570)
-- Jonas Meurer <email address hidden> Tue, 01 Jun 2010 15:37:50 +0200
cryptsetup (2:1.1.1-1) unstable; urgency=low
* new upstream release, changes include:
- detects and uses device-mapper udev support if available
- fix luksOpen reading of passphrase on stdin if "-" keyfile specified
- fix isLuks to initialise crypto backend (closes: #578979)
- fix luksClose operation for stacked DM devices
* remove all patches, they have all been merged upstream
* redirect output of copy_exec in add_device() from initramfs cryptroot
hook to stderr. fixes verbose run of mkinitramfs. (closes: #574163)
* acknowledge NMU. thanks to maximilian attems. (closes: #576488)
* change default for random key from /dev/random to /dev/urandom in
README.Debian, extend explanation. (closes: #579932)
* add comment to crypttab manpage about how to disable (pre)checks.
(closes: #574948)
* fix cryptdisks.functions to print cryptsource and crypttarget again at
the passphrase prompt. (closes: #578428)
* reorder build-depends, add pkg-config, change automake1.9 to automake
* add new lintian overrides
* switch to new dpkg source format "3.0 (quilt)", use upstream bzip tarball
* add ${misc:Depends} to depends for libcryptsetup-dev
* remove UID checks from initscripts, as these aren't meant to be invoked by
users anyway, and the UID checks introduced dependency on /usr filesystem.
* use grep -s for /etc/fstab in initramfs/cryptroot-hook. (closes: #580756)
* note that fs modules fore passdev devices need to be added to initramfs
in README.initramfs (closes: #580898)
* merged from ubuntu:
- Fix grammar error in debian/initramfs/cryptroot-script (closes: #581973)
* add busybox to suggests, thanks to martin michlmayr. (closes: #582914)
-- Jonas Meurer <email address hidden> Wed, 26 May 2010 23:38:01 +0200
cryptsetup (2:1.1.0-2.1) unstable; urgency=low
* Non-maintainer upload.
[ Martin Pitt ]
* debian/initramfs/cryptroot-script: (closes: #576488)
- Source /scripts/functions after checking for prerequisites.
- prereqs(): Do not assume we are running within initramfs, and calculate
relative path correctly.
-- maximilian attems <email address hidden> Thu, 08 Apr 2010 01:37:17 +0200
cryptsetup (2:1.1.0-2) unstable; urgency=low
* fix version in NEWS.Debian: 2:1.1.0~rc2-1 instead of 2:1.0.7-3.
* remove 'NOT RELEASED YET' from 2:1.1.0-1 changelog
* capitalize names in changelog
* mention the old default plain mode in changelog and NEWS, add a note that
debian-installer setups can ignore the warning, and warn for plain dm-crypt
mappings in crypttab that don't have set cipher, hash and size.
(closes: #573103, #573261)
-- Jonas Meurer <email address hidden> Tue, 16 Mar 2010 13:44:50 +0100
cryptsetup (2:1.1.0-1) unstable; urgency=low
* NOT RELEASED YET
* new upstream stable release (1.1.0), notable changes since rc2:
- default key size for LUKS changed from 128 to 256 bits
- default plain mode changed to aes-cbc-essiv:sha256
- key slot and key diggest iteration minimum set to 1000
- convert hash name to lower case in header
* update patch 02_manpage
* add more supported filesystems to passdev.c, isofs->iso9660. thanks to
Christoph Anton Mitterer. (closes: #557405)
* update to standards-version 3.8.4, no changes needed
* accept spaces in $opts at postinst script. (closes: #559184)
* set extended $PATH in cryptdisks.functions. thanks to christoph anton
mitterer. (closes: #557329)
* fix huge initramfs for archs which don't have kernel/arch directory.
thanks to martin michlmayr for bugreport and patch. (closes: #559510)
* support commandline options to mkfs in luksformat. thanks to eduard
bloch for bugreport and patch. (closes: #563975)
* extend error messages for evms setup in cryptroot-script
* add 03_luksAddKey.patch, to not verify unlocking passphrase in luksAddKey
command. (closes: #570418)
* add 04_crypto_init.patch, to properly initialise crypto backend in header
backup/restore commands.
* change build-dependency on cvs to new autopoint package (closes: #572463)
* rename decrypt_gpg keyscript to decrypt_gnupg, improve it based on ideas
by Christoph Anton Mitterer, mention the keyscript rename in NEWS.Debian.
Also, provide a initramfs cryptgnupg hook script. Thanks to Christoph
Anton Mitterer for bugreport and ideas. (closes: #560034)
* check for root privileges with '/usr/bin/id -u' in init scripts and
cryptdisks_{start|stop}. (closes: #563162)
-- Jonas Meurer <email address hidden> Mon, 08 Mar 2010 14:15:35 +0100
cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low
* new upstream release candidate (1.1.0-rc2), highlights include:
- new libcryptsetup API (documented in libcryptsetup.h)
- luksHeaderBackup and luksHeaderRestore commands (closes: #533643)
- use libgcrypt, enables all gcrypt hash algorithms for LUKS through
-h luksFormat option (closes: #387159, #537385)
- new --master-key-file option for luksFormat and luksAddKey
- use dm-uuid for all crypt devices, contains device type and name now
(closes: #548988, #549870)
- command successful messages moved to verbose level (closes: #541805)
- several code changes to improve speed of luksOpen (closes: #536415)
- luksSuspend and luksResume commands
* remove unneeded patches 03_read_rework and 04_no_stderr_success, update
02_manpage for new upstream release candidate.
* update patch to comply with DEP-3 (http://dep.debian.net/deps/dep3/)
* fix initramfs/cryptroot-hook to support setups where /dev/mapper/ contains
symlinks to devices at /dev/dm-*. the lvm2/device-mapper packages had
defaults changed to this temporary. it has been fixed in a subsequent
upload of lvm2 in the meantime, but still it's not a bad idea to be
prepared for such setups in the future. that way cryproot now supports
/dev/dm-* devices as well. (closes: #532579, #544487, #544773)
* fix initscript dependencies both for cryptdisks and cryptdisks-early.
thanks to Petter Reinholdtsen for bugreport and patch. (closes: #548356)
* finally change default behaviour of initscripts/cryptroot-hook to include
all available crypto modules into the initramfs. this change should fix
any problems with cryto modules missing from the initramfs. announce the
change in NEWS.Debian. (closes: #547597)
* add error messages to lvm detecting code in initramfs/cryptroot-script
in order to make debugging easier. (closes: #541248)
* implement detection of devices which are required by decrypt_derived
keyscript in initscripts/cryptroot-hook. that way setups where encrypted
swap has the key derived from non-root partitions should support suspend/
resume as well. (closes: #475838)
* remove outdated documentation from the source package: CryptoRoot.HowTo,
CheckSystem.Doc
* mention in README.initramfs that busybox is required for cryptroot to work
* stop creating /etc/keys in postinst maintainer script.
* update build system to include library files again: (closes: #480157)
- split into three packages: cryptsetup, libcryptsetup1, libcryptsetup-dev
- rename preinst to cryptsetup.preinst, copy code to create /etc/crypttab
skeleton into cryptsetup-udeb.preinst.
- build with --enable-shared and --enable-static for libcryptsetup.a
- create debian/libcryptsetup1.symbols with help of dpkg-gensymbols
* add debian/cryptsetup.lintian-override for two false positives
* raise build-depends on debhelper and debian/compat for that reason
* update README.remote to work with latest dropbear package. thanks to
debian@x.ray.net.
* make all crypttab fields available to keyscripts as environment variables.
thanks to ludwig nussel from suse for idea and implmentation. document
this in crypttab(5) manpage. impelement the same environment variables in
initramfs cryptroot script.
* fix formatting errors in crypttab(5) manpage.
-- Jonas Meurer <email address hidden> Thu, 15 Oct 2009 19:26:14 +0200
cryptsetup (2:1.0.7-2) unstable; urgency=low
* add a paragraph to the cryptsetup manpage that mentions /proc/crypto as
source for available crypto ciphers, modes, hashs, keysizes, etc.
(closes: #518266)
* fix luksformat to check for mkfs.$fs both in /sbin and /usr/sbin. thanks
to Jon Dowland. (closes: #539734)
* mention era eriksson as author of the typo fixes for manpage (submitted as
bug #476624) in changelog of cryptsetup 2:1.0.6-3. (closes: #541344)
* bump standards-version to 3.8.3. no changes needed.
* add 04_no_stderr_success.patch, which adds an option to suppress success
messages to stderr. don't apply the patch as this already has been fixed
upstream in another way. next cryptsetup release will print the command
successfull message to stdout only if opt_verbose is set.
* add checkscripts blkid and un_blkid for the reason that vol_id will be
removed from udev soon. advertise the new scripts at all places that
mentioned vol_id or un_vol_id before.
* add /usr/share/bug/cryptsetup which adds /proc/cmdline, /etc/crypttab,
/etc/fstab and output of 'lsmod' to bugs against cryptsetup.
* add debian/README.remote, which describes how to setup a cryptroot system
with support for remote unlocking via ssh login into the initramfs. Thanks
to debian@x.ray.net for writing it down.
* update debian/copyright for current format from dep.debian.net/deps/dep5
* add chainiv, cryptomgr and krng to standard list of modules in initramfs
cryptroot hook. (closes: #541835)
* add a section describing LUKS header backups and related security
implications to README.Debian. a tool to automate this task should not be
distributed at all. (closes: #432150)
-- Jonas Meurer <email address hidden> Tue, 01 Sep 2009 12:38:02 +0200
cryptsetup (2:1.0.7-1) unstable; urgency=low
* new upstream release, highlights include (diff from ~rc1):
- allow removal of last slot in luksRemoveKey and luksKillSlot
- eject unsupported --offset and --skip options for luksFormat
* make passdev accept a timeout option, thanks to Evgeni Golov for the patch.
(closes: #502598)
* finally add the cryptsource delay implementation from ubuntu, as it seems
to workaround some issues where appearance of the root device takes longer
than expected. (closes: #488271)
* execute udev_settle before $cryptremove if $cryptcreate fails at
setup_mapping() in the initramfs cryptroot script. it seems like a short
delay and/or udev_settly is needed in between of 'cryptsetup create' and
'cryptsetup remove'. thanks to Gernot Schilling for the bugreport.
(closes: #529527)
* talk about /dev/urandom instead of /dev/random in crypttab manpage.
(closes: #537344)
* check for $IGNORE before check_key() in handle_crypttab_line_start()
* rewrite error code handling:
- return 1 for errors in handle_crypttab_line_{start|stop}
- handle_crypttab_line_... || true needed due to set -e in initscript
- check for exit code of handle_crypttab_line_{start<stop} in
cryptdisks_{start|stop}, exit with proper status code (closes: #524173)
* add a counter to the while loop in cryptdisks_{start|stop}, in order to
detect if $dst was not found in crypttab. (closes: #524485)
* check for keyscript in the new location in initramfs/cryptopensc-hook.
* add README.opensc to docs, thanks to Benjamin Kiessling for writing it.
(closes: #514538)
* add patches/03_rework_read.patch [rework write_blockwise() and
read_blockwise()], but don't apply it yet as it's still experimental.
applying it will increase the speed of luksOpen.
-- Jonas Meurer <email address hidden> Thu, 30 Jul 2009 17:41:16 +0200
| Superseded in sid-release |
cryptsetup (2:1.0.7~rc1-2) unstable; urgency=low
* flag the root device with rootdev option at /conf/conf.d/cryptroot in
initramfs hook, check for that flag before adding ROOT=$NEWROOT to
/conf/param.conf in initramfs script. that should prevent the initramfs
script from adding ROOT=$NEWROOT for resume devices. (closes: #535801)
-- Jonas Meurer <email address hidden> Wed, 15 Jul 2009 11:44:45 +0200
| Superseded in sid-release |
cryptsetup (2:1.0.7~rc1-1) unstable; urgency=low
* new upstream release candidate, highlights include:
- use better error messages if device doesn't exist or is already used by
other mapping (closes: #492926)
- check device size when loading LUKS header
- add some error hint if dm-crypt mapping failed (key size and kernel
version check for XTS and LRW mode for now) (closes: #494584)
- display device name when asking for password
- retain readahead of underlying device, if devmapper version supports it
- set UUID in device-mapper for LUKS devices
- define device-mapper crypt UUID maximal length and check for its size
- add some checks for error codes, fixes warning: ignoring return value...
- update LUKS homepage in manpage to code.google.com/p/cryptsetup
* patches/01_fix_make_distclean.patch: removed, incorporated upstream
* patches/02_manpage.patch: updated, mostly incorporated upstream
* remove invokation of ./setup-gettext.sh from debian/rules.
* set $PATH in checks/xfs. Required to make /usr/sbin/xfs_admin work at early
boot stage. Thanks to Stefan Bender. (closes: #525118)
* update path to docbook-xsl stylesheet in debian/rules to
/usr/share/xml/docbook/stylesheet/docbook-xsl/. Add versioned build-depends
to docbook-xsl (>= 1.74.3+dfsg) for that reason.
* fix bashisms in scripts/decrypt_opensc, thanks to Raphael Geissert.
(closes: #530060)
* fix UUID and LABEL handling for cryptroot, thanks to Kees Cook and ubuntu.
(closes: #522041)
* add ROOT=$NEWROOT to /conf/param.conf in cryptroot initramfs script. This
is required for lilo to find the correct root device. Thanks to Pyotr
Berezhkov and Christian Schaarschmidt. (closes: #511447, #511840)
* replace mini autogen.sh with autoreconf in debian/rules. Thanks to Bastian
Kleineidam. (closes: #522798)
* support escaped newlines in askpass.c, thanks to Kees Cook and ubuntu.
(closes: #528133)
* use the same passphrase prompt in init script and initramfs script
* mention the incoherent behaviour of cryptsetup create/luksOpen with invalid
passwords/keys in cryptsetup manpage. (closes: #529359)
* bump standards-version to 3.8.2, no changes required.
* add 'X-Interactive: true' LSB-header to initscripts.
* fix bash_completion script to use 'command ls'. that way it now works with
aliased ls as well. thanks to Daniel Dehennin. (closes: #535351)
-- Jonas Meurer <email address hidden> Sat, 04 Jul 2009 15:52:06 +0200
cryptsetup (2:1.0.6+20090405.svn49-1) unstable; urgency=low
* New upstream svn snapshot. Highlights include:
- Uses remapping to error target instead of calling udevsettle for
temporary crypt device. (closes: #514729, #498964, #521547)
- Removes lots of autoconf stuff as it's generated by autogen.sh anyway.
- Uses autopoint in build process, thus needs to Build-Depend on cvs.
- Fixes signal handler to proper close device.
- Wipes start of device before LUKS-formatting.
- Allows deletion of key slot with it's own key. (closes: #513596)
- Checks device mapper communication and gives proper error message in
case the communication fails. (closes: #507727)
* Update debian patches accordingly:
- Remove obsolete patches 01_gettext_package and 03_check_for_root
- Update patch 02_manpage
* Add missing newlines to some error messages in passdev.c. Thanks to
Christoph Anton Mitterer for bugreport and patch. (closes: #509067)
* Move keyscripts in initramfs from /keyscripts to /lib/cryptsetup/scripts
for the sake of consistency between initramfs and normal system. Document
this change in NEWS.Debian. (closes: #509066)
* Fix $LOUD in cryptdisks.init and cryptdisks.functions to take effect. Add
LOUD="yes" to cryptdisks_start. (closes: #513149)
* cryptdisks_{start,stop}: print error message if no entry is found in
crypttab for the given name.
* Actually fix watchfile to work with code.google.com.
* Update Homepage field to code.google.com URL. (closes: #516236)
* Fix location of ltmain.sh, build-depend on versioned libtool.
(closes: #521673, #522338)
* Some minor changes to make lintian happy:
- use set -e instead of /bin/sh -e in preinst.
- link to GPL v2 in debian/copyright
* Bump standards-version to 3.8.1, no changes needed.
* Fix a typo in NEWS.Debian. (closes: #522387)
* Taken from ubuntu:
- debian/checks/un_vol_id: dynamically build the "unknown volume type"
string, to allow for encrypted swap, (closes: #521789, #521469). Fix
sed to replace '/' with '\/' instead of '\\/' in device names.
- disable error message 'failed to setup lvm device' (LP 151532).
-- Jonas Meurer <email address hidden> Mon, 06 Apr 2009 08:49:14 +0200
cryptsetup (2:1.0.6-7) unstable; urgency=medium
* Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE
in configure.in.
* Support keyfiles option in bash completion. Thanks to Stefan Goebel for
the patch. (closes: #499936)
* Update patches/02_manpage.patch: Fix the documnetation of default cipher
for LUKS mappings. (closes: #495832)
* Update debian/watch file to reflect the move of project home to
code.google.com.
* Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of
cryptdisks.functions. This way, cryptdisks_start/stop work even with
$CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643)
* Add force-start to cryptdisks(-early).init in order to support starting
noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779)
* Document how to enable remote device unlocking via dropbear ssh server
in the initramfs during boot process. Thanks to Chris <debian@x.ray.net>
for the great work. (closes: #465902)
* Completely remove support and documentation of the timeout option,
document this in NEWS.Debian. (closes: #495509, #474120)
* Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene Wagner.
(closes: #499704)
* Fix initramfs/cryptpassdev-hook to check for passdev instead of mountdev.
Thanks to Christoph Anton Mitterer.
* cryptdisks.functions:
- Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot initramfs
script already supports keyscripts without path as argument. Thanks to
Christoph Anton Mitterer.
* README.initramfs:
- Remove the mention of bug #398302 from the section about suspend/resume,
as this bug has been fixes for some time now.
- Remove step 6 (mkswap) from the section about decrypt_derived, as it was
superfluous. Thanks to Helmut Grohe. (closes: #491867)
* Fix initramfs/cryptroot-script to use the lvm binary instead of vgchange.
Thanks to Marc Haber. (closes: #506536)
* Make get_lvm_deps() recursive in initramfs/cryptroot-hook. This is required
to detect the dm-crypt device in setups with more than one level of device
mapper mappings. For example if LVM is used with snapshots on top of the
dm-crypt mapping. Thanks to Christian Jaeger for bugreport and patch, Ben
Hutchings and Yves-Alexis Perez for help with debugging. (closes: #507721)
* urgency=medium due to several important fixes.
-- Jonas Meurer <email address hidden> Wed, 17 Dec 2008 21:25:45 +0100
cryptsetup (2:1.0.6-6) unstable; urgency=high
* Don't cat keyfile into pipe for do_noluks(). cryptsetup handles
--key-file=- different for luks and plain dm-crypt mappings. This time
really (closes: #493848). Thus again upload with urgency=high.
-- Jonas Meurer <email address hidden> Sat, 09 Aug 2008 13:36:31 +0200
| 76 → 143 of 143 results | First • Previous • Next • Last |
