--- cryptsetup-1.0.6.orig/debian/CheckSystem.Doc +++ cryptsetup-1.0.6/debian/CheckSystem.Doc @@ -0,0 +1,60 @@ +This is the documentation for implementing a robust check system into +/etc/init.d/cryptdisks + +checks marked with [default] are enabled per default. + +introduction +------------ + + - default checks are only necessary where one of OUR actions causes + dataloss. + - our checks must not cause any modifications to the underlying device. + - it should be possible to deactivate all default checks with options + in crypttab. (not sure whether the current situation reflects this) + +The only default checks which apply to all situations are: + * precheck: does the source device exist? [default] + * check: does the target device contain a known filesystem [default] + +Currently, three different branches exist: + +swap checks +----------- + + * precheck: + - check for all known filesystems on the device, skip if any is found [default] + - if none is found, check whether the source device is a swap partition. + skip if any other fs is found. [default] + * postcheck: + - does the target device conatin any filesystem type other than 'swap'? + fail in case. [default] + - does the target device contain a swap filesystem [not default, corner + cases exist. i.e. when a random key is used]. + use options "check=vol_id, checkargs=swap" for enabling this. + +note to swap: You may destroy data whenever setting the 'swap' flag. The + source partition, logical volume, whatever may contain data which + is lost after mkswap is run over it. Keep that in mind and double- + check whether the given source device is really the one you meant. + +plain dm-crypt checks +--------------------- + + * precheck: + - check for all known filesystems on the device, skip if one is found [default] + * postcheck: + - check what the user requested us to check [filesystem, lvm, ...] + + false: remove the dm-crypt device, retry as often as configured + +note to plain dm-crypt: The postcheck (for filesystem or whatever) is the only + way to verify that the given password/key is correct. + +luks checks +----------- + + - luks and a /dev/*random key are not compatible. disable this combination. + * precheck: + - check whether the device is a LUKS partition, skip if untrue [default] + * postcheck: + - check what the user requested us to check [filesystem, lvm, ...] + + false: just print a warning, the right password has been supplied --- cryptsetup-1.0.6.orig/debian/cryptdisks-early.init +++ cryptsetup-1.0.6/debian/cryptdisks-early.init @@ -0,0 +1,51 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: cryptdisks-early +# Required-Start: checkroot +# Required-Stop: umountroot +# Should-Start: udev devfsd +# Should-Stop: udev devfsd +# X-Start-Before: mdadm lvm2 evms +# Default-Start: S +# Default-Stop: 0 6 +# Short-Description: Setup early encrypted block devices. +# Description: +### END INIT INFO + +set -e + +INITSTATE="early" +LOUD="" + +if [ -r /lib/cryptsetup/cryptdisks.functions ]; then + . /lib/cryptsetup/cryptdisks.functions +else + exit 0 +fi + +case "$CRYPTDISKS_ENABLE" in +[Nn]*) + exit 0 + ;; +esac + +case "$1" in +start) + do_start + ;; +stop) + do_stop + ;; +restart|reload|force-reload) + do_stop + do_start + ;; +force-start) + FORCE_START="yes" + do_start + ;; +*) + echo "Usage: cryptdisks-early {start|stop|restart|reload|force-reload|force-start}" + exit 1 + ;; +esac --- cryptsetup-1.0.6.orig/debian/preinst +++ cryptsetup-1.0.6/debian/preinst @@ -0,0 +1,60 @@ +#! /bin/sh -e + +create_etc_keys() { + [ -d /etc/keys/ ] || mkdir -p /etc/keys/ +} + +create_crypttab() { + if [ ! -f /etc/crypttab ]; then + cat <<-EOC >/etc/crypttab + # + EOC + fi +} + +# Remove a no-longer used conffile +rm_conffile() { + PKGNAME="$1" + CONFFILE="$2" + if [ -e "$CONFFILE" ]; then + md5sum="`md5sum \"$CONFFILE\" | sed -e \"s/ .*//\"`" + old_md5sum="`dpkg-query -W -f='${Conffiles}' $PKGNAME | sed -n -e \"\\\\' $CONFFILE '{s/ obsolete$//;s/.* //p}\"`" + if [ "$md5sum" != "$old_md5sum" ]; then + echo "Obsolete conffile $CONFFILE has been modified by you." + echo "Saving as $CONFFILE.dpkg-bak ..." + mv -f "$CONFFILE" "$CONFFILE".dpkg-bak + else + echo "Removing obsolete conffile $CONFFILE ..." + rm -f "$CONFFILE" + fi + fi +} + +LASTVERSION="2:1.0.6-5" +case "$1" in + install) + create_etc_keys + create_crypttab + if dpkg --compare-versions "$2" le "$LASTVERSION"; then + rm_conffile cryptsetup "/etc/udev/rules.d/z60_cryptsetup.rules" + fi + ;; + + upgrade) + if dpkg --compare-versions "$2" le "$LASTVERSION"; then + rm_conffile cryptsetup "/etc/udev/rules.d/z60_cryptsetup.rules" + fi + ;; + + abort-upgrade) + ;; + + *) + echo "preinst called with unknown argument '$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 --- cryptsetup-1.0.6.orig/debian/cryptdisks.default +++ cryptsetup-1.0.6/debian/cryptdisks.default @@ -0,0 +1,14 @@ +# Run cryptdisks at startup ? +CRYPTDISKS_ENABLE=Yes + +# Mountpoints to mount, before starting cryptsetup. This is useful for +# keyfiles on removable media. Seperate mountpoints by space. +CRYPTDISKS_MOUNT="" + +# Default check script, see /lib/cryptsetup/checks/ +# Takes effect, if the 'check' option is set in crypttab without a value +CRYPTDISKS_CHECK=vol_id + +# Default precheck script, see +# Takes effect, if the 'precheck' option is set in crypttab without a value +CRYPTDISKS_PRECHECK= --- cryptsetup-1.0.6.orig/debian/docs +++ cryptsetup-1.0.6/debian/docs @@ -0,0 +1,3 @@ +AUTHORS +debian/README.initramfs +debian/README.openct --- cryptsetup-1.0.6.orig/debian/rules +++ cryptsetup-1.0.6/debian/rules @@ -0,0 +1,162 @@ +#!/usr/bin/make -f + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +DEB_VERSION := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \ + egrep '^Version:' | head -n1 | cut -f2 -d ' ' )) +DEB_DATE := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \ + egrep '^Date:' | head -n1 | cut -f2- -d ' ' | \ + LC_ALL=C date --file=- +%F )) + +# These are used for cross-compiling and for saving the configure script +# from having to guess our platform (since we know it already) +export DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) + +ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE)) + confflags += --build $(DEB_HOST_GNU_TYPE) +else + confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE) +endif + +CFLAGS = -Wall -g + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif +ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) + INSTALL_PROGRAM += -s +endif +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + MAKEFLAGS += -j$(NUMJOBS) +endif + +# Include quilt stuff. +include /usr/share/quilt/quilt.make + +configure: configure-stamp +configure-stamp: $(QUILT_STAMPFN) + dh_testdir + find -xtype f ! -name manifest > manifest + # mini autogen.sh + rm -f ltmain.sh + cp /usr/share/libtool/config/ltmain.sh ltmain.sh + libtoolize --force --copy + aclocal-1.9 + autoheader + automake-1.9 --add-missing --gnu + autoconf + CFLAGS="$(CFLAGS)" ./configure $(confflags) \ + --prefix=/usr \ + --sbindir=/sbin \ + --mandir=/usr/share/man + #--enable-static \ + find -xtype f > manifest.new + diff manifest manifest.new | grep '>' | cut -b3- > config.mess + touch $@ + +build: build-stamp +build-stamp: configure-stamp + dh_testdir + sed 's/VERSION/$(DEB_VERSION)/;s/DATE/$(DEB_DATE)/' \ + debian/doc/variables.xml.in > debian/doc/variables.xml + xsltproc --nonet --xinclude -o debian/doc/ \ + /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \ + debian/doc/manpages.xml + pod2man --section=8 --center="Administrative commands" --release="" debian/scripts/luksformat \ + debian/luksformat.8 + $(MAKE) + # cannot depend on libraries in /usr ! + # link dynamically, LP #62751 + gcc lib/.libs/*.o src/*.o luks/.libs/*.o -o src/cryptsetup.static \ + -lpopt -ldevmapper -luuid -lgcrypt -lgpg-error + gcc -Wall -pedantic -std=c99 debian/askpass.c -o debian/askpass + gcc -Wall -pedantic -std=c99 debian/passdev.c -o debian/scripts/passdev + touch $@ + +clean: unpatch + dh_testdir + dh_testroot + if test -f Makefile; then $(MAKE) clean; fi + if test -f config.mess; then rm -f `cat config.mess`; fi + rm -f debian/luksformat.8 + rm -f debian/doc/*.[0-9] debian/doc/variables.xml + rm -f debian/scripts/passdev + rm -f debian/askpass + rm -f config.mess + rm -rf autom4te.cache + rm -f src/cryptsetup.static + dh_clean configure-stamp build-stamp install-stamp + +install: install-stamp +install-stamp: build-stamp + dh_testdir + dh_testroot + dh_clean + dh_installdirs + mkdir -p $(CURDIR)/debian/cryptsetup-udeb/ + $(MAKE) DESTDIR=$(CURDIR)/debian/cryptsetup install + cp src/cryptsetup.static $(CURDIR)/debian/cryptsetup/sbin/cryptsetup + install -m 0644 debian/cryptdisks.functions $(CURDIR)/debian/cryptsetup/lib/cryptsetup/ + install -m 0755 debian/checks/* $(CURDIR)/debian/cryptsetup/lib/cryptsetup/checks/ + install -m 0755 debian/scripts/luksformat $(CURDIR)/debian/cryptsetup/usr/sbin/ + install -m 0755 debian/scripts/cryptdisks_start $(CURDIR)/debian/cryptsetup/usr/sbin/ + install -m 0755 debian/scripts/cryptdisks_stop $(CURDIR)/debian/cryptsetup/usr/sbin/ + install -m 0755 debian/scripts/decrypt_* $(CURDIR)/debian/cryptsetup/lib/cryptsetup/scripts/ + install -m 0755 debian/scripts/passdev $(CURDIR)/debian/cryptsetup/lib/cryptsetup/scripts/ + install -m 0755 debian/initramfs/cryptpassdev-hook \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptpassdev + install -m 0755 debian/initramfs/cryptroot-hook \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptroot + install -m 0755 debian/initramfs/cryptroot-script \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/scripts/local-top/cryptroot + install -m 0644 debian/initramfs/cryptroot-conf \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/conf-hooks.d/cryptsetup + install -m 0755 debian/initramfs/cryptopenct-hook \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptopenct + install -m 0755 debian/initramfs/cryptopensc-hook \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptopensc + install -m 0755 debian/initramfs/cryptopensc-script-local-top \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/scripts/local-top/cryptopensc + install -m 0755 debian/initramfs/cryptopensc-script-local-bottom \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/scripts/local-bottom/cryptopensc + install -m 0644 debian/bash_completion $(CURDIR)/debian/cryptsetup/etc/bash_completion.d/cryptsetup + install -m 0755 debian/askpass $(CURDIR)/debian/cryptsetup/lib/cryptsetup/askpass + rmdir $(CURDIR)/debian/cryptsetup/usr/lib/cryptsetup + touch $@ + +binary-indep: build install +# We have nothing to do by default. + +binary-arch: build install + dh_testdir + dh_testroot + dh_installchangelogs -a ChangeLog + dh_installdocs -a + dh_installexamples -a debian/scripts/gen-ssl-key + dh_installinit -a --no-start --name=cryptdisks-early --update-rcd-params="start 26 S . start 59 0 6 ." + dh_installinit -a --no-start --name=cryptdisks --update-rcd-params="start 28 S . start 48 0 6 ." + dh_installman -a debian/doc/crypttab.5 debian/doc/cryptdisks_start.8 debian/doc/cryptdisks_stop.8 debian/luksformat.8 + cp -a $(CURDIR)/debian/cryptsetup/etc $(CURDIR)/debian/cryptsetup-udeb/ + cp -a $(CURDIR)/debian/cryptsetup/lib $(CURDIR)/debian/cryptsetup-udeb/ + cp -a $(CURDIR)/debian/cryptsetup/sbin $(CURDIR)/debian/cryptsetup-udeb/ + # Get rid of libcryptsetup.so since it has no stable API. + # We instead statically link the relevant code + # into the cryptsetup executable, so the .so is not needed. + rm -rf $(CURDIR)/debian/cryptsetup/usr/lib + dh_strip -a + dh_compress -a + dh_fixperms -a + dh_makeshlibs -a + dh_installdeb -a + dh_shlibdeps -a + dh_gencontrol -a + dh_md5sums -a + dh_builddeb -a + +binary: binary-indep binary-arch +.PHONY: configure build clean install binary-indep binary-arch binary patch unpatch --- cryptsetup-1.0.6.orig/debian/control +++ cryptsetup-1.0.6/debian/control @@ -0,0 +1,43 @@ +Source: cryptsetup +Section: admin +Priority: optional +Maintainer: Ubuntu Core Developers +XSBC-Original-Maintainer: Debian Cryptsetup Team +Uploaders: Jonas Meurer +Build-Depends: debhelper (>= 5.0.0), libgcrypt11-dev, libdevmapper-dev (>= 2:1.02.24-4), libpopt-dev, uuid-dev, libselinux1-dev, libsepol1-dev, gettext, libtool, autoconf, automake1.9, quilt (>= 0.40), xsltproc, docbook-xml, docbook-xsl +Standards-Version: 3.8.0 +Homepage: http://luks.endorphin.org/ +Vcs-Bzr: https://code.launchpad.net/~ubuntu-core-dev/cryptsetup/ubuntu + +Package: cryptsetup +Architecture: any +Depends: ${shlibs:Depends}, dmsetup +Suggests: udev, initramfs-tools (>= 0.91) | linux-initramfs-tool, dosfstools +Conflicts: cryptsetup-luks (<= 1.0.1-8), hashalot (<= 0.3-1) +Replaces: cryptsetup-luks (<= 1.0.1-8) +Description: configures encrypted block devices + Cryptsetup provides a command-line interface for configuring encrypted + devices. This is done using the Linux kernel device mapper target + dm-crypt. This version of cryptsetup has integrated support for LUKS. + . + cryptsetup is backwards compatible with the on-disk format of cryptoloop, + but also supports more secure formats. This package includes support for + automatically configuring encrypted devices at boot time via the config + file /etc/crypttab. Additional features are cryptoroot support through + initramfs-tools and several supported ways to read a passphrase or key. + +Package: cryptsetup-udeb +Section: debian-installer +XC-Package-Type: udeb +Architecture: any +Depends: ${shlibs:Depends}, dmsetup-udeb +Description: configures encrypted block devices + Cryptsetup provides a command-line interface for configuring encrypted + devices. This is done using the Linux kernel device mapper target + dm-crypt. This version of cryptsetup has integrated support for LUKS. + . + cryptsetup is backwards compatible with the on-disk format of cryptoloop, + but also supports more secure formats. This package includes support for + automatically configuring encrypted devices at boot time via the config + file /etc/crypttab. Additional features are cryptoroot support through + initramfs-tools and several supported ways to read a passphrase or key. --- cryptsetup-1.0.6.orig/debian/bash_completion +++ cryptsetup-1.0.6/debian/bash_completion @@ -0,0 +1,124 @@ +# Bash command completion for cryptsetup + +have cryptsetup && +_cryptsetup() +{ + local cmd cur prev action actions luksactions argopts noargopts + + COMPREPLY=() + cur="${COMP_WORDS[COMP_CWORD]}" + prev="${COMP_WORDS[COMP_CWORD-1]}" + + actions="create remove status reload resize" + luksactions="luksFormat luksOpen luksClose luksAddKey luksDelKey luksUUID isLuks luksDump" + actions="$luksactions $actions" + + argopts="-c --cipher -h --hash -d --key-file -s --key-size -b --size" + argopts="$argopts -o --offset -p --skip -i --iter-time -q --batch-mode" + argopts="$argopts -t --timeout -T --tries" + noargopts="-y --verify-passphrase --readonly --version --align-payload" + + # complete file names for -d and --key-file + if [ "-d" = "$prev" -o "--key-file" = "$prev" ] ; then + COMPREPLY=( $(compgen -f -- "${cur}") ) + fi + + # If previous word was an option requiring an argument, can't complete + for argopt in $argopts ; do + if [ "$argopt" = "$prev" ] ; then + return + fi + done + + # If user typing an option, complete it + if [[ $cur == -* ]] ; then + COMPREPLY=( $(compgen -W "$argopts $noargopts" -- "$cur") ) + return + fi + + # See if we already have an action + action="" + for word in "${COMP_WORDS[@]}" ; do + for act in $actions ; do + if [ "$word" == "$act" ] ; then + action=$act + break + fi + done + + if [ -n "$action" ] ; then + break + fi + done + + # No action yet, complete it + if [ -z "$action" ] ; then + COMPREPLY=( $(compgen -W "$actions" -- "$cur") ) + return + fi + + # Completion based on action + case "$action" in + "create") + # create + if [ $COMP_CWORD -gt 1 ] && + [ ${COMP_WORDS[COMP_CWORD-2]} == "create" ] ; then + COMPREPLY=( $(compgen -f -X '!/dev*' -- "$cur") ) + fi + ;; + + "reload"|"remove"|"resize"|"status"|"luksClose") + # action + MAPPINGS="$(ls /dev/mapper | fgrep --invert-match control)" + OLDIFS="$IFS" + IFS=" +" + COMPREPLY=( $(compgen -W "$MAPPINGS" -- "$cur") ) + IFS="$OLDIFS" + ;; + + "luksDelKey") + # luksDelKey + if [ ${COMP_WORDS[COMP_CWORD-1]} == "luksDelKey" ] ; then + # Get name + MAPPINGS="$(ls /dev/mapper | fgrep --invert-match control)" + OLDIFS="$IFS" + IFS=" +" + COMPREPLY=( $(compgen -W "$MAPPINGS" -- "$cur") ) + IFS="$OLDIFS" + fi + ;; + + "luksAddKey"|"luksFormat") + # action [] + if [ ${COMP_WORDS[COMP_CWORD-1]} == "luksFormat" ] ; then + # Get name + MAPPINGS="$(ls /dev/mapper | fgrep --invert-match control)" + OLDIFS="$IFS" + IFS=" +" + COMPREPLY=( $(compgen -W "$MAPPINGS" -- "$cur") ) + IFS="$OLDIFS" + elif [ ${COMP_WORDS[COMP_CWORD-2]} == "luksFormat" ] ; then + # Get key file + COMPREPLY=( $(compgen -f -- "$cur") ) + fi + ;; + + "luksOpen") + # luksOpen + if [ ${COMP_WORDS[COMP_CWORD-1]} == "luksOpen" ] ; then + COMPREPLY=( $(compgen -f -X '!/dev*' -- "$cur") ) + fi + ;; + + "isLuks"|"luksDump"|"luksUUID") + # action + COMPREPLY=( $(compgen -f -X '!/dev*' -- "$cur") ) + ;; + esac +} +[ "$have" ] && complete -o filenames -F _cryptsetup cryptsetup + +# vim:set filetype=sh sts=4 sw=4: --- cryptsetup-1.0.6.orig/debian/changelog +++ cryptsetup-1.0.6/debian/changelog @@ -0,0 +1,1548 @@ +cryptsetup (2:1.0.6-7ubuntu4) jaunty; urgency=low + + * debian/askpass.c: also handle newline escape code in console prompt. + + -- Kees Cook Sun, 15 Feb 2009 08:57:05 -0800 + +cryptsetup (2:1.0.6-7ubuntu3) jaunty; urgency=low + + [ https://launchpad.net/~svenkata ] + * debian/checks/un_vol_id: dynamically build the "unknown volume type" + string, to allow for encrypted swap, LP: #316607 + + -- Dustin Kirkland Thu, 12 Feb 2009 16:57:30 -0600 + +cryptsetup (2:1.0.6-7ubuntu2) jaunty; urgency=low + + * debian/askpass.c: handle newline escape code in password prompt. + * debian/initramfs/cryptroot-script: add newline to split cryptroot + password prompt onto two lines for readability (LP: #326900). + + -- Kees Cook Sun, 08 Feb 2009 07:26:01 -0800 + +cryptsetup (2:1.0.6-7ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/initramfs/cryptroot-script: + - must source /scripts/functions to get the log_*_msg() functions. + - wait for encrypted device to show up (LP 164044, 291752). + - disable error message 'failed to setup lvm device' (LP 151532). + - debian/rules: + - fix location of ltmain.sh (Ubuntu-specific until libtool 2.2.x is + in Debian unstable). + - link dynamically (LP 62751). + - add 04_fix_udevsettle_call.patch: fix path to binary for udevsettle. + * Revert versioned build-depency on libdevmapper-dev, since Ubuntu's + version is higher now. + + -- Kees Cook Tue, 06 Jan 2009 13:00:16 -0800 + +cryptsetup (2:1.0.6-7) unstable; urgency=medium + + * Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE + in configure.in. + * Support keyfiles option in bash completion. Thanks to Stefan Goebel for + the patch. (closes: #499936) + * Update patches/02_manpage.patch: Fix the documnetation of default cipher + for LUKS mappings. (closes: #495832) + * Update debian/watch file to reflect the move of project home to + code.google.com. + * Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of + cryptdisks.functions. This way, cryptdisks_start/stop work even with + $CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643) + * Add force-start to cryptdisks(-early).init in order to support starting + noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779) + * Document how to enable remote device unlocking via dropbear ssh server + in the initramfs during boot process. Thanks to Chris + for the great work. (closes: #465902) + * Completely remove support and documentation of the timeout option, + document this in NEWS.Debian. (closes: #495509, #474120) + * Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene Wagner. + (closes: #499704) + * Fix initramfs/cryptpassdev-hook to check for passdev instead of mountdev. + Thanks to Christoph Anton Mitterer. + * cryptdisks.functions: + - Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot initramfs + script already supports keyscripts without path as argument. Thanks to + Christoph Anton Mitterer. + * README.initramfs: + - Remove the mention of bug #398302 from the section about suspend/resume, + as this bug has been fixes for some time now. + - Remove step 6 (mkswap) from the section about decrypt_derived, as it was + superfluous. Thanks to Helmut Grohe. (closes: #491867) + * Fix initramfs/cryptroot-script to use the lvm binary instead of vgchange. + Thanks to Marc Haber. (closes: #506536) + * Make get_lvm_deps() recursive in initramfs/cryptroot-hook. This is required + to detect the dm-crypt device in setups with more than one level of device + mapper mappings. For example if LVM is used with snapshots on top of the + dm-crypt mapping. Thanks to Christian Jaeger for bugreport and patch, Ben + Hutchings and Yves-Alexis Perez for help with debugging. (closes: #507721) + * urgency=medium due to several important fixes. + + -- Jonas Meurer Wed, 17 Dec 2008 21:25:45 +0100 + +cryptsetup (2:1.0.6-6ubuntu2.1) intrepid-proposed; urgency=low + + * debian/initramfs/cryptroot-script: do not require that vol_id + can parse the encrypted device as valid (LP: #291752). + + -- Kees Cook Fri, 31 Oct 2008 13:10:06 -0700 + +cryptsetup (2:1.0.6-6ubuntu2) intrepid; urgency=low + + * Fixes for (LP: #272301) + * debian/initramfs/cryptroot-script: must source /scripts/functions to get + the log_*_msg() functions + * 04_fix_udevsettle_call.patch: fix path to binary for udevsettle + + -- Dustin Kirkland Fri, 19 Sep 2008 18:03:28 -0500 + +cryptsetup (2:1.0.6-6ubuntu1) intrepid; urgency=low + + * drop almost all ubuntu specific changes from the cryptsetup package, + because they have been merged in debian. Thanks a lot! + * merge from debian, remaining changes: + - remove versioned build-depency on libdevmapper-dev, we are using a + rather sophisticated loop for making sure the root filesystem appears. + * debian/rules: fix location of ltmain.sh + * don't exit usplash anymore in the init script. LP: #110970, #139363 + * Disable error message 'failed to setup lvm device'. It is harmless, and + caused by the fact that the udev rules provided by lvm2 are setting up + the lvm on their own. In debian the scripts here are responsible for this + but obviously fail in ubuntu. LP: #151532 + + -- Reinhard Tartler Sat, 30 Aug 2008 17:52:16 +0200 + +cryptsetup (2:1.0.6-6) unstable; urgency=high + + * Don't cat keyfile into pipe for do_noluks(). cryptsetup handles + --key-file=- different for luks and plain dm-crypt mappings. This time + really (closes: #493848). Thus again upload with urgency=high. + + -- Jonas Meurer Sat, 09 Aug 2008 13:36:31 +0200 + +cryptsetup (2:1.0.6-5) unstable; urgency=high + + * Fix watch file to not report -pre and -rc releases as superior. + * Remove the global var $SIZE from cryptdisks.functions again but keep the + extended value checks. + * Remove the udev rules file also in preinst, code taken from example at + http://wiki.debian.org/DpkgConffileHandling. Thanks Marco d'Itri. + (closes: #493151) + * Remove duplicated configuration of --key-file in $PARAMS at do_noluks(). + (closes: #493848). + * Invoke mount_fs() and umount_fs() in cryptdisks_start, add + log_action_begin_msg() and log_action_end_msg() to both cryptdisk_start + and cryptdisks_stop. + * Copy fd 3 code from do_start and do_stop to cryptdisks_start and + cryptdisks_stop to fix "keyscript | cryptsetup". (closes: #493622) + * This upload fixes two RC bugs, thus upload with severity=high. + + -- Jonas Meurer Wed, 06 Aug 2008 10:19:21 +0200 + +cryptsetup (2:1.0.6-4) unstable; urgency=medium + + [ David Härdeman ] + * Make sure $IGNORE is reset as necessary, patch by Thomas Luzat + (closes: #490199) + * Use askpass in init scripts as well (closes: #489033, #477203) + + [ Jonas Meurer ] + * Don't copy_exec libgcc1 in cryptopensc initramfs hook, as it's already + copied by copy_exec /usr/sbin/pcscd automaticly. Thanks to Evgeni Golov + . (closes: #490300) + * Remove the udev rules file again as the relevant rules are now provided + by dmsetup package which cryptsetup depends on. + * Add splashy support to askpass, thanks to John Hughes + for the patch. (closes: #492451) The support is limited to cryptroot + though, as splashy freezes for passphrase input dialogs from initscripts. + Document that in README.Debian. + * Now that askpass is used as keyscript for interactive mode, it's not + necessary to set cryptsetup parameter '--tries=$TRIES' and TRIES=1 for + interactive mode anymore in cryptdisks.functions. + * Implement special treatment for random passphrases now that we use + "--key-file=-" for all situations. Only necessary in do_noluks. + * Fix the passphrase prompt string in initramfs/cryptroot.script to use + $cryptsource instead of $cryptsources. + * Major documentation cleanup for lenny: + - Rewrite CryptoSwap.HowTo in README.Debian, remove CryptoSwap.HowTo. + - Refer to README.initramfs instead of CryptoRoot.HowTo for encrypted root + filesystem in README.Debian. + - Remove outdated docs CryptoRoot.HowTo, usbcrypto.udev and gen-old-ssl-key + as well as the decrypt_old_ssl keyscript. + - Remove debian/TODO, didn't have any useful content anyway. + - Fix section ''9. The "decrypt_derived" keyscript'': Add swap option to + the example line for crypttab and other minor fixes. Thanks to + Helmut Grohne . (closes: #491867) + * urgency=medium since important (#492451) and security (#477203) bugs get + fixed by this upload. + + -- Jonas Meurer Mon, 28 Jul 2008 00:21:44 +0200 + +cryptsetup (2:1.0.6-3) unstable; urgency=low + + [ Jonas Meurer ] + * Fix cryptdisks.functions to actually recognize the noauto option. Thanks + to Christian Pernegger (closes: #483882) + * Update patches/02_manpage.patch to fix two more typos, thanks to Bruno + Barrera Yever (closes: #476624) and to remove a + duplicate sentence. + * Rephrase "Enter password for $crypttarget" to "Enter password to unlock + the disk $cryptsource ($crypttarget)" in initramfs/cryptroot.script. + * Bump Standards-Version to 3.8.0: + - Add a README.source which references /usr/share/doc/quilt/README.source. + - Add support for debian build option parallel=n to debian/rules. + * Add a udev rules file to ignore temporary-cryptsetup-* devices, as + suggested in bug #467200. Thanks to Sam Morris . + * Transform debian/copyright into machine-readable code as proposed in + http://wiki.debian.org/Proposals/CopyrightFormat. Update and add several + copyright notices. + * Change reference to docbook xml v4.2 driver file from an online version + to a local one in the manpage files, as the build process should not + depend on internet access. Add docbook-xml to build-depends. Thanks to + Lucas Nussbaum . (closes: #487056) + + [ David Härdeman ] + * Hopefully fix askpass to properly handle console and usplash input + (closes: #477203) + * Clarify crypttab manpage (closes: #487246) + * Make regex work if keyfile has extended attributes, + https://launchpad.net/bugs/231339 (closes: #488131) + * Support comments in options part of crypttab (closes: #488128) + + -- Jonas Meurer Mon, 07 Jul 2008 00:30:07 +0200 + +cryptsetup (2:1.0.6-2ubuntu7) intrepid; urgency=low + + * reintroduce changes from 2:1.0.6-2ubuntu5 that have been accidentally + dropped in version 2:1.0.6-2ubuntu6. + + -- Reinhard Tartler Fri, 20 Jun 2008 15:15:54 +0200 + +cryptsetup (2:1.0.6-2ubuntu6) intrepid; urgency=low + + [ Kjell Braden ] + * load scripts/functions for log_{begin,end}_msg + * debian/initramfs/cryptroot-script: wait for the cryptsource, not the resulting mapped root device + * debian/initramfs/cryptroot-hook: copy binaries to the right directory + + [ Reinhard Tartler ] + * remove versioned build-depency on libdevmapper-dev, we are using a + rather sophisticated loop for making sure the root filesystem appears. + + -- Reinhard Tartler Wed, 18 Jun 2008 00:26:43 +0200 + +cryptsetup (2:1.0.6-2ubuntu5) intrepid; urgency=low + + * Okay, I give up. include preprocessed manpages and adapt + debian/rules to easily produce those. + ATTENTION: on subsequent uploads, make sure that the manpages are + available and up-to-date. + + -- Reinhard Tartler Sun, 15 Jun 2008 13:33:07 +0200 + +cryptsetup (2:1.0.6-2ubuntu4) intrepid; urgency=low + + * also use local dtd in debian/doc/variables.xml.in. + + -- Reinhard Tartler Sun, 15 Jun 2008 12:55:42 +0200 + +cryptsetup (2:1.0.6-2ubuntu3) intrepid; urgency=low + + * try harder to fix FTBFS. + + -- Reinhard Tartler Sun, 15 Jun 2008 11:42:54 +0200 + +cryptsetup (2:1.0.6-2ubuntu2) intrepid; urgency=low + + * build docbook documentation using local dtds instead of trying to + download them at buildtime. Fixes FTBFS. + + -- Reinhard Tartler Sun, 15 Jun 2008 11:12:28 +0200 + +cryptsetup (2:1.0.6-2ubuntu1) intrepid; urgency=low + + * Merge new debian version. Remaining changes: + - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + - debian/rules: cryptsetup is linked dynamically against libgcrypt and + libgpg-error. + - cryptdisks.functions: stop usplash on user input. LP #62751 + - Parse comments in lines not starting with '#', LP #185380 + - If the encrypted source device hasn't shown up yet, give it a + little while to deal with removable devices. LP #164044 + * Depend on race-free version of libdevmapper, thus making udevsettle + call from cryptsetup binary unnecessary. Dropping patch + debian/patches/06_run_udevsettle.patch + * remove patch from LP #73862, loading optimized modules has been solved + in debian in another way. + * cryptdisk.functions: remove spurious call to load_optimized_module. + LP: #239946 + * bugfix: make regex work if keyfile has extended attributes. LP: #231339. + * remove patch in cryptdisks.functions for rexecing the script itself for + ensuring that a tty is always available. (See LP #58794.) According to + Scott, this is not necessary anymore. + + -- Reinhard Tartler Sat, 14 Jun 2008 23:28:51 +0200 + +cryptsetup (2:1.0.6-2) unstable; urgency=low + + [ Jonas Meurer ] + * Taken from ubuntu: + - debian/scripts/luksformat: Use 256 bit key size by default. (LP: #78508) + - debian/patches/02_manpage.patch: Clarify default key sizes (128 for + luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508) + * Use 'shred -uz' instead of 'rm -r' to remove a tempfile that contains a + key in gen-ssl-key example script. + + [ David Härdeman ] + * Misc bugfixes to askpass, make sure it is installed to the correct + location and is built using pedantic mode. + * Change the initramfs script to use askpass to prompt for + passphrases, this should hopefully fix #382375 and #465902 once it + is enabled in the init scripts as well. + * Add a keyscript called passdev which allows a keyfile to be + retrieved from a device which is first mounted, mainly useful to get + keyfiles off USB devices etc. + * Unbreak MODULES=dep booting (closes: #478268) + * Relax checks for suspend devices a bit (closes: #477658) + * Convert man pages to docbook. + + -- David Härdeman Mon, 26 May 2008 08:12:32 +0200 + +cryptsetup (2:1.0.6-1ubuntu4) intrepid; urgency=low + + [ Kjell Braden ] + * Fix configuration parsing (LP: #239808) + + [ Reinhard Tartler ] + * cryptroot-script: use 'echo' instead of 'log_begin_msg' (LP: #237723) + + -- Reinhard Tartler Fri, 13 Jun 2008 21:26:17 +0200 + +cryptsetup (2:1.0.6-1ubuntu3) intrepid; urgency=low + + * Parse comments in lines not starting with '#', LP: #185380 + * in cryptroot hook, don't rely on 'udevadm settle' to wait long enough + for the cryptdevice to appear. Reimplement the busy waiting loop found + while waiting for the root file system. Patch based on work by Swâmi + Petaramesh. LP: #164044 + * debian/crypdisks.functions: call 'env' with full path. LP: #178829. + + -- Reinhard Tartler Mon, 26 May 2008 22:12:32 +0200 + +cryptsetup (2:1.0.6-1ubuntu2) intrepid; urgency=low + + * Simplify the patch in debian/cryptdisks.functions that stops usplash + before asking for a passphrase. + + -- Reinhard Tartler Mon, 26 May 2008 20:18:14 +0200 + +cryptsetup (2:1.0.6-1ubuntu1) intrepid; urgency=low + + * Merge new debian version. Remaining changes: + - cryptsetup is linked dynamically against libgcrypt and libgpg-error. + - stop usplash on user input. LP #62751 + - debian/cryptdisks.functions: Always output and read from the console. + LP #58794. + - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + - debian/initramfs/cryptroot-hook: LP #73862 + Added patch to install aes optimized cypher module + - try to load optimized cypher module in cryptsetup.functions as well, + because cryptroot-hook is only executed when we really have a + cryptoroot. + * other ubuntu changes have been merged into debian. Please report bugs + if you believe some patches have been dropped. + * removed 07_typos_fix.patch, has been reviewed and applied upstream. + + -- Reinhard Tartler Sun, 25 May 2008 22:52:30 +0200 + +cryptsetup (2:1.0.6-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream release + - reload option is depreciated and a warning is printed. (closes: #428288) + * convert patch system from dpatch to quilt. + * enhance the information regarding the default hash setting in NEWS.Debian. + Thanks to Ross Boylan . + * change author of keyslot patch to Marc Merlin in changelog, thanks to + U. Kuehn for raising that issue. + * doing some debian/rules redesign and cleanup, speeds up the build process. + * ignore devices with the noauto option early enough to prevent any checks + on them. Thanks to Joachim Breitner (closes: #464672) + * update debian/copyright to actually mention copyright, thanks lintian. + * change script=$(basename $req) to script=${req##*/} in initramfs cryptroot + script. Thanks to Adeodato Simó . (closes: #466240) + * change test ... -a ... to [ ... ] && [ ... ] in the check scripts. + * add support for tries option to initramfs scripts. Thanks to Helmut Grohne + . (closes: #430158, #469869) Use --tries=1 for + cryptsetup in the initramfs script. Document the difference between + initscript and initramfs for tries=0 in the crypttab manpage. + * add, build and install askpass.c, a helper program by David Härdeman. The + idea is to use it for passphrase prompt in the initramfs script. + + [ David Härdeman ] + * Work with LABEL=, UUID= and symlinks in /etc/fstab (closes: #466175) + * Improve module loading in initramfs hook so that the newer as well + as arch specific crypto drivers are taken into consideration + (closes: #464673) + * Depend on race-free version of libdevmapper, thus making udevsettle + call from cryptsetup binary unnecessary. Also change call to + udevsettle in initramfs script (which is still useful as it related + to the source device) to optionally use udevadm if present (closes: + #456326). + + -- Jonas Meurer Mon, 31 Mar 2008 15:58:35 +0200 + +cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low + + * New upstream svn snapshot: + - Adds typo fixes by Justin Pryzby to cryptsetup.8 + manpage. + - Mentions luksKillSlot in the manpage. Thanks to Alexander Heinlein + . (closes: #459206) + - Adds the patch by Marc Merlin to support explicit + key slots for luksFormat and luksAddKey. Thanks to U. Kuehn, who figured + out that this patch wasn't applied even though changelog said so. + - Supports adding new keys to active devices again. Thanks to Tobias Frost + for the bugreport. (closes: #460409) + * Add support for a custom filesystem for /tmp. Patch provided by + Hans-Peter Oeri . + * Add X-Start-Before headers to cryptdisks and cryptdisks-early initscripts. + Thanks to Petter Reinholdtsen for report and patch. + (closes: #458944) + * Add support for a noauto option to cryptdisks. Thanks to U Kuehn + for the idea. + * Add typo fixes by Justin Pryzby to crypttab.5 + manpage. (closes: #460994) + * Add a cryptdisks_stop script, corresponding to cryptdisks_start. Thanks to + Joachim Breitner for the idea. (closes: #459832) + * Change log_progress_msg to log_action_msg in cryptdisks.functions. That + way a newline is printed after the start of every device. Thanks to Frans + Pop for the bugreport. (closes: #461548) + * Add bash_completition script provided by Kevin Locke . + (closes: #423591) + * Fix a spelling error in the package description: linux -> Linux. + * Fix bashisms in cryptdisks_{start,stop} found by Raphael Geissert + . + * Change the default hash in initramfs scripts from sha256 to ripemd160 for + consistency with cryptsetup default. Add information about that to + NEWS.Debian. Thanks to martin f krafft . + (closes: #406317) + + -- Jonas Meurer Wed, 30 Jan 2008 09:01:52 +0100 + +cryptsetup (2:1.0.6~pre1-1) unstable; urgency=low + + [ Jonas Meurer ] + * New upstream alpha release 1.0.6~pre1: + - [01_crypt_luksFormat_libcryptsetup.dpatch] removed, applied upstream + - [02_manpage.dpatch] likewise + - [04_fix_unused_or_unitialized_variables.dpatch] likewise + - [05_segfault_at_nonexisting_device.dpatch] likewise + - [06_run_udevsettle.dpatch] update for new upstream + * Disable 03_check_for_root.dpatch. As Ludwig Nussel mentioned on + dm-crypt@saout.de, cryptsetup 1.0.5 already prints out meaningfull errors + if expected permissions are not available. Therefore the check for uid == + 0 is superfluous. + * [06_run_udevsettle.dpatch] Run udevsettle after device-mapper device + creation. Fixes issues with temporary device files in /dev/mapper. Patch + by Reinhard Tartler from Ubuntu. (closes: #444914) + * Add support for offset and skip options to cryptdisks/crypttab. Thanks to + Marc-Jano Knopp. (closes: #446674) + * Update the long description in debian/control. Don't mention kernel 2.6.4 + any longer, remove references to /usr/share/doc/cryptsetup/CryptoRoot.HowTo + and mkinitrd. + * Add noearly option to cryptdisks/crypttab, which causes cryptdisks-early + to ignore the entry. Thanks to Joerg Jaspert (closes: #423102) + * Change log_progress_msg "$dst (started)" to device_msg "$dst" "started" in + cryptdisks.functions. Makes console output of cryptdisks more consistent. + * Add cryptdisks_start and patch to cryptdisks.functions by Jon Dowland. + Also add a manpage for cryptdisks_start(8). (closes: #447159) + * Add load_optimized_module() function to cryptdisks.functions. Initial idea + by Reinhard Tartler from Ubuntu, enhanced by David Härdeman. + (closes: #445186) + * Add support for UUID=.. device strings to initramfs cryptroot-hook. Thanks + to Reinhard Tartler from Ubuntu for the patch. (closes: #445189) + * Support UUID=... and LABEL=... device strings in /etc/crypttab. Thanks + to Martin Pitt from Ubuntu for the patch. (closes: #445189) + * Add Vcs-Browser and Vcs-Svn fields to debian/control. + * Fix debian/rules to not fail to build if autom4te.cache is left behind + from a previous incomplete build. Patch again taken from Ubuntu. + * Mention in the crypttab manpage that files are allowed as source. In that + case they are mounted as loopback device automatically. Thanks to + Michal Cihar (closes: #451909) + * At stopping dm-crypt devices really remove the corresponding loopback + device if one has been used. Thanks to Rene Pavlik for report and to David + Härdeman, who had the idea for the fix. (closes: #451916) + * Also remove loopback devices if the cryptsetup device setup fails. + * Document a possible deadlock if cryptsetup is invoked as a 'run programm' + in a udev role. This i related to the invokation of udevsettle in + cryptsetup. Thanks to Dick Middleton for reporting and debugging. + (closes: #444914) + * Move umount_fs() from handle_crypttab_line() to the end of do_start(). + * Bump Standards-Version to 3.7.3.0. No changes needed. + * Remove unused litian-override file + * Remove --build $(DEB_BUILD_GNU_TYPE) and --host $(DEB_HOST_GNU_TYPE) from + invocation of ./configure, as they are already included in $(confflags). + + -- Jonas Meurer Thu, 06 Dec 2007 15:56:05 +0100 + +cryptsetup (2:1.0.5-2ubuntu12) hardy; urgency=low + + * added debian/patches/07_typos_fix.dpatch: fixed typos in man pages. (LP: #164181) + + -- Bruno Barrera Yever Mon, 07 Apr 2008 18:43:05 -0500 + +cryptsetup (2:1.0.5-2ubuntu11) hardy; urgency=low + + * debian/initramfs/cryptroot-script: Do show the disk name after all, since + some people use multiple encrypted partitions as LVM PVs. (LP: #201413) + + -- Martin Pitt Sun, 06 Apr 2008 11:54:41 -0600 + +cryptsetup (2:1.0.5-2ubuntu10) hardy; urgency=low + + * debian/initramfs/cryptroot-script: Do not mention the name of the + encrypted device. It is just technobabble anyway (sda4_crypt), and there + is just one root partition ever, so it is not needed to tell apart + different partitions. From a security POV, someone who can change your + initramfs to boot a different root partition can just as well change the + strings, too. (LP: #201413) + + -- Martin Pitt Wed, 02 Apr 2008 15:51:53 +0200 + +cryptsetup (2:1.0.5-2ubuntu9) hardy; urgency=low + + * debian/scripts/luksformat: Use 256 bit key size by default. + (LP: #78508) + * debian/patches/02_manpage.dpatch: Clarify default key sizes (128 for + luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508) + + -- Martin Pitt Wed, 27 Feb 2008 17:43:46 +0100 + +cryptsetup (2:1.0.5-2ubuntu8) hardy; urgency=low + + * Fix -x calls and access() call. + + -- Scott James Remnant Fri, 14 Dec 2007 16:54:53 +0000 + +cryptsetup (2:1.0.5-2ubuntu7) hardy; urgency=low + + * debian/initramfs/cryptroot-script: call udevadm instead of udevsettle + * debian/patches/06_call_udevsettle.dpatch: likewise + + -- Scott James Remnant Fri, 14 Dec 2007 16:11:36 +0000 + +cryptsetup (2:1.0.5-2ubuntu6) hardy; urgency=low + + * Make cryptsetup understand devices specified by UUID=... or LABEL= + in crypttab. (LP: #153597) + + -- Andrea Colangelo Mon, 29 Oct 2007 18:22:51 +0100 + +cryptsetup (2:1.0.5-2ubuntu5) hardy; urgency=low + + * reenable additional udevsettle calls in cryptroot hook from + https://launchpad.net/bugs/85640, LP: #132373. + * change maintainer to ubuntu-core-dev. + * use Vcs-Bzr instead of XSCB-Vcs-Bzr header in debian/control. + + -- Reinhard Tartler Thu, 08 Nov 2007 23:52:19 +0100 + +cryptsetup (2:1.0.5-2ubuntu4) hardy; urgency=low + + * reapply changes from version 2:1.0.5-2ubuntu2, got dropped with last + upload. Sorry, pitti. + * convert patch to lib/libdevmapper.c to a dpatch. + + -- Reinhard Tartler Sun, 04 Nov 2007 21:42:43 +0100 + +cryptsetup (2:1.0.5-2ubuntu3) hardy; urgency=low + + * RELIABILY FIX: lib/libdevmapper.c: Ensure that pending device creation + events are being processed by calling /sbin/udevsettle. Patch based on + OpenSUSE bug #285478, LP: #132373. + * Based on the change above, the patch from LP #85640 is no longer needed. + dropping the relevant parts. + * Fix debian/rules to not fail to build if autom4te.cache is left behind + from a previous incomplete build. + + -- Reinhard Tartler Fri, 02 Nov 2007 20:53:31 +0100 + +cryptsetup (2:1.0.5-2ubuntu2) gutsy; urgency=low + + * debian/initramfs/cryptroot-script: + - If the supplied password worked, remove the prompt from usplash again, + so that the user has some visual feedback that everything is alright. + (LP: #151305) + - Do not show the UUID device node of the outer physical device. It is + scary ("/dev/disk/by-uuid/1234yadayada") and displaying it does not + improve security at all: If attackers can tamper with your initramfs, + they can also change the prompt, and if the UUID of the physical device + changes, then booting will not even get that far. Now it is a much more + friendly "Enter passphrase for sda5_crypt:" which is still technical, + but it's necessary to point out which device will be unlocked in case + there are several. + + -- Martin Pitt Thu, 11 Oct 2007 19:51:58 +0200 + +cryptsetup (2:1.0.5-2ubuntu1) gutsy; urgency=low + + * Merge new debian version. Remaining changes: + - cryptsetup is linked dynamically against libgcrypt and libgpg-error. + This will break systems where /usr is a separate encrypted filesystem + but not have other bad consequences (in particular, systems with + encrypted root are still fine). The upsides include better + security supportability and smaller packages. + - libcryptsetup.so et al removed from the binary packages. They have + no stable ABI and are not suitable for use by other packages, and + were in violation of library policies etc. They're not needed since + the cryptsetup executable statically contains the relevant parts of + libcryptsetup. + - cryptdisks.functions: remove #!/bin/bash as it isn't a script + by itself; it's only sourced by other scripts. This gets rid + of the lintian warning `script-not-executable' for this file. + - stop usplash on user input. LP #62751 + - Always output and read from the console. LP #58794. + - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + - Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate + libnsl linkage; + - debian/initramfs/cryptroot-hook: (LP: #73862) + Added patch to install aes optimized cypher module + - try to load optimized cypher module in cryptsetup.functions as well, + because cryptroot-hook is only executed when we really have a + cryptoroot. + - apply patch from pitti for allowing UUIDs in /etc/crypttab. + This allowes crypted PVs! LP: #144390. + - remove README.ubuntu, since it contains old and obsolete information. + + -- Reinhard Tartler Tue, 02 Oct 2007 21:31:28 +0200 + +cryptsetup (2:1.0.5-2) unstable; urgency=low + + [ Jonas Meurer ] + * Add libselinux1-dev and libsepol1-dev to build-depends. Detected by + the build daemon from hell by Steinar H. Gunderson. Thanks to Manoj + Srivastava for advice. + * Fix the watchfile + * Fix cryptopensc-hook to honor key=none. Thanks to Daniel Baumann + (closes: #436434) + * Remove outdated README.html and example usbcrypto.* scripts from + documentation. Add example usbcrypto.udev script. Thanks to Volker Sauer + for the update. (closes: #409775) + * Document that stdin is read different with '--key-file=-' than without. + Thanks to Marc Haber. (closes: #418450) + * Document that --timeout is useless in conjunction with --key-file. Thanks + Alexander Zangerl. (closes: #421693) + * [03_check_for_root.dpatch] Check for UID == 0 before actually doing + something. Thanks to Benjamin Seidenberg. (closes: #401766) + * [04_fix_unused_or_unitialized_variables.dpatch] Fix some gcc warnings + about unused or unitialized variables. Thanks to Ludwig Nussel for the + patch. + * [05_segfault_at_nonexisting_device.dpatch] Fix segfault when trying to + open a non existing device. Thanks to Ludwig Nussel for the patch. + (closes: #438198) + * Add CFLAGS="$(CFLAGS)" before ./configure invocation in debian/rules. + This way CFLAGS are passed to the configure script. Thanks to Gordon + Farquharson for the patch. (closes: #438450) + * Add a warning about missing hash option in crypttab to initramfs + cryptoroot hook. Thanks to Sebastian Leske for the patch. + (closes: #438169) + * Add support for openct using data objects on a smartcard as key. Thanks to + Daniel Baumann for patch and documentation. + (closes: #438473) + * Polish opensc_decrypt and openct_decrypt. + * Add initramfs patch by maximilian attems. Bump depends on initramfs-tools + to (>= 0.91). (closes: #441428) + * several cleanups to make lintian happy: + - remove #!/bin/sh from cryptsetup.functions as it is not executable. + - remove unused-override configure-generated-file-in-source config.log. + - add some hyphen fixes to patches/02_manpage.dpatch + * Filter out the detection of filesystem type 'minix' in checks vol_id and + un_vol_id if checking for any valid filesystem. The minix fs signature + seems short enough to be detected erroneously by /lib/udev/vol_id. + Thanks to Fredrik Olofsson and arno for the bugreport. (closes: #411784) + * Add Homepage field to debian/control. + + -- Jonas Meurer Mon, 24 Sep 2007 15:42:06 +0200 + +cryptsetup (2:1.0.5-1ubuntu5) UNRELEASED; urgency=low + + * apply patch from pitti for allowing UUIDs in /etc/crypttab. + This allowes crypted PVs! LP: #144390. + * remove README.ubuntu, since it contains old and obsolete information. + + -- Reinhard Tartler Tue, 02 Oct 2007 19:59:24 +0200 + +cryptsetup (2:1.0.5-1ubuntu4) gutsy; urgency=low + + [ Stephan Hermann ] + * debian/initramfs/cryptroot-hook: (LP: #73862) + - Added patch to install aes optimized cypher module + + [ Reinhard Tartler ] + * re-applying old patch to new package version + * try to load optimized cypher module in cryptsetup.functions as well, + because cryptroot-hook is only executed when we really have a + cryptoroot. + + -- Reinhard Tartler Thu, 27 Sep 2007 19:38:48 +0200 + +cryptsetup (2:1.0.5-1ubuntu3) gutsy; urgency=low + + * Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate + libnsl linkage; should finally produce a usable cryptsetup binary for + the udeb. + + -- Colin Watson Wed, 19 Sep 2007 15:28:52 +0100 + +cryptsetup (2:1.0.5-1ubuntu2) gutsy; urgency=low + + * Bump libgcrypt11 build-dependency to 1.2.4-2ubuntu1 and rebuild for + proper udeb dependencies. + + -- Colin Watson Wed, 19 Sep 2007 01:37:02 +0100 + +cryptsetup (2:1.0.5-1ubuntu1) gutsy; urgency=low + + * Merge new debian version. Remaining changes: + - cryptsetup is linked dynamically against libgcrypt and libgpg-error. + This will break systems where /usr is a separate encrypted filesystem + but not have other bad consequences (in particular, systems with + encrypted root are still fine). The upsides include better + security supportability and smaller packages. + - libcryptsetup.so et al removed from the binary packages. They have + no stable ABI and are not suitable for use by other packages, and + were in violation of library policies etc. They're not needed since + the cryptsetup executable statically contains the relevant parts of + libcryptsetup. + - cryptdisks.functions: remove #!/bin/bash as it isn't a script + by itself; it's only sourced by other scripts. This gets rid + of the lintian warning `script-not-executable' for this file. + - stop usplash on user input. LP #62751 + - Always output and read from the console. LP #58794. + * Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + * UVF exception request granted by Scott Kitterman and Chuck Short + LP: #138295 + + -- Reinhard Tartler Sat, 08 Sep 2007 19:04:54 +0200 + +cryptsetup (2:1.0.5-1) unstable; urgency=low + + [ Jonas Meurer ] + * New upstream release, nearly identical to svn snapshot svn29. + * Fix watch file to use cryptsetup instead of cryptsetup-luks. + * Add 01_crypt_luksFormat_libcryptsetup.dpatch - rename luksInit to + luksFormat in libcryptsetup.h. + * Merge some ubuntu changes: + - make luksformat check if filesystem is already mounted to prevent a + strange error message. + - modprobe dm-mod in cryptsetup.functions. + - wait for udev to be settled in initramfs script. + + [ David Härdeman ] + * Allow other crypto devices to be setup even if one fails. + (closes: #423100) + * Remove an incorrect warning in postinst. + + -- Jonas Meurer Fri, 27 Jul 2007 04:59:33 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu6) gutsy; urgency=low + + * Add notes by Ilkka Tuohela in a new file debian/README.ubuntu + + -- Reinhard Tartler Sat, 08 Sep 2007 18:43:56 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu5) gutsy; urgency=low + + * cryptsetup is linked dynamically against libgcrypt and libgpg-error. + This will break systems where /usr is a separate encrypted filesystem + but not have other bad consequences (in particular, systems with + encrypted root are still fine). The upsides include better + security supportability and smaller packages. + * libcryptsetup.so et al removed from the binary packages. They have + no stable ABI and are not suitable for use by other packages, and + were in violation of library policies etc. They're not needed since + the cryptsetup executable statically contains the relevant parts of + libcryptsetup. + * cryptdisks.functions: remove #!/bin/bash as it isn't a script + by itself; it's only sourced by other scripts. This gets rid + of the lintian warning `script-not-executable' for this file. + + -- Ian Jackson Fri, 31 Aug 2007 12:05:33 +0100 + +cryptsetup (2:1.0.4+svn29-1ubuntu4) gutsy; urgency=low + + * s/$CRYPTCMD/cryptsetup/ in debian/cryptdisks.functions + (LP: #115617) + + -- Reinhard Tartler Tue, 29 May 2007 17:04:05 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu3) gutsy; urgency=low + + * make luksformat check if filesystem is already mounted to prevent a + strange error message. thanks to mvo for the patch (LP: #116633) + * remove file debian/initramfs-cryptroot-script from source. it is not + installed anywhere, and a leftover from the last merge. + * add missing hunk of cryptsetup.functions compared to debian package. + * reapply http://librarian.launchpad.net/7329604/bug85640.debdiff to + debian/initramfs/cryptroot-script, since stgraber's patch has been + lost in the last merge. (LP: #85640) + + -- Reinhard Tartler Tue, 29 May 2007 15:02:57 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu2) gutsy; urgency=low + + * modprobe dm-mod from cryptsetup.functions. (LP: #64625, #91405) + + -- Reinhard Tartler Tue, 29 May 2007 13:31:39 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu1) gutsy; urgency=low + + * Merge from Debian unstable. Remaining Ubuntu changes: + - stop usplash on user input. Ubuntu: #62751 + - Always output and read from the console. Ubuntu: #58794. + - Wait for Udev to be ready to avoid partition non-detection. (LP: #85640) + * Modify Maintainer value to match Debian-Maintainer-Field Spec + + -- Andrea Veri Sun, 6 May 2007 22:33:25 +0200 + +cryptsetup (2:1.0.4+svn29-1) unstable; urgency=low + + * New upstream svn snapshot with several bugfixes + - remove 01_tries_fix.dpatch, added upstream + + -- Jonas Meurer Wed, 02 May 2007 02:48:37 +0200 + +cryptsetup (2:1.0.4+svn26-3) unstable; urgency=low + + * Add cryptdevice name to prompt before actually starting it. Thanks + to Joerg Jaspert. (closes: #421803) + + -- Jonas Meurer Wed, 02 May 2007 01:05:22 +0200 + +cryptsetup (2:1.0.4+svn26-2) unstable; urgency=low + + [ David Härdeman ] + * Fix typo in crypttab(5), the ext checkscript is called ext2, not + ext3. (closes: #410390) + * Use the initramfs-tools keymap support instead of our own (requires + initramfs-tools >= 0.87) + * Add support for usplash password prompt (closes: #397981) + * Remove the "ssl" and "gpg" options which are supported by keyscripts + since October 2006 (see NEWS for details). + * Spring cleaning of cryptdisks.functions, now supports multiple tries + for keyscripts and uses lsb logging. (closes: #420105, #383808) + + [ Jonas Meurer ] + * Add 01_tries_fix.dpatch, makes the --tries commandline option work + again. (closes: #414326, #412064) + * Document the un_vol_id check script, remove the swap check script from + documentation. The swap check indeed is rather useless, thanks to Frank + Engler . The script itself is kept + for compability issues. (closes: #406837) + * Add smartcard keyscript and initramfs-tools hooks/scripts. This adds + support for disk encryption with smartcards, even for root disks. + Thanks a lot to Gerald Turner for the patch and a + smartcard reader for testing this. (closes: #416528) + * update copyright file: change "program" to "package", and mention GPL + version 2. add a full disclaimer. + * Add "--showkeys" to the dmsetup invocation in decrypt_derived script. + (closes: #420399) + * Fixes in cryptdisks.functions: + - Don't suppress error messages at mount and unmount and don't break + if 'mount $point' fails. + - Fix handling of checks and prechecks, the vars somehow where mixed + - Really use $CHECKARGS if it's defined + - Rename "stopped" to "stopping" for devices which are shutdown at + 'cryptdisks stop' (show a difference to already stopped devices). + + -- Jonas Meurer Sat, 28 Apr 2007 20:45:50 +0200 + +cryptsetup (2:1.0.4+svn26-1ubuntu2) feisty; urgency=low + + * Wait for Udev to be ready to avoid partition non-detection. (LP: #85640) + + -- Stéphane Graber Thu, 14 Apr 2007 10:03:41 +0200 + +cryptsetup (2:1.0.4+svn26-1ubuntu1) feisty; urgency=low + + * merge debian changes. Remaining ubuntu changes: + - stop usplash on user input. Ubuntu: #62751 + - Always output and read from the console. Ubuntu: #58794. + + -- Reinhard Tartler Sat, 3 Feb 2007 21:30:03 +0100 + +cryptsetup (2:1.0.4+svn26-1) unstable; urgency=high + + [ Jonas Meurer ] + * New upstream svn snapshot 1.0.4+svn26 + - contains a slightly modified patch by Rob Walker + to fix a sector size error. (closes: #403075) + - fixes a LUKS header corruption on arm, which downgrades bug + #403426 from critical to important. + - prevents password retrying with I/O errors. + * handle chainmode/essiv "plain" correctly in initramfs hook. + Thanks to Leonard Norrgard. (closes: #402417) + * remove 'rm -rf m4' from a clean target in debian/rules. + * urgency=high to get this into etch. + + [ David Härdeman ] + * Document the difference in default hash functions between the + initramfs scripts and the plain cryptsetup binary. (closes: #398429) + * Verify symlinks for source devices when initramfs is generated and + correct if necessary. (closes: #405301) + + -- Jonas Meurer Tue, 9 Jan 2007 21:53:06 +0100 + +cryptsetup (2:1.0.4+svn16-2) unstable; urgency=high + + [ David Härdeman ] + * Add cbc to standard list of modules. Thanks to Michael Olbrich + . (closes: #401370) + * Fix support for crypto-on-evms. Thanks to Enrico Gatto + . (closes: #402417) + + [ Jonas Meurer ] + * urgency=high to get this into etch. + + -- Jonas Meurer Thu, 14 Dec 2006 01:41:40 +0100 + +cryptsetup (2:1.0.4+svn16-1) unstable; urgency=medium + + [ David Härdeman ] + * Support adding separate blockcipher modules to initramfs image + (necessary for kernels >= 2.6.19) + * Hashing was previously not done correctly when decrypt_derived was used + + [ Jonas Meurer ] + * Add new upstream patch 02_luks_var_keysize.dpatch. Cryptsetup no longer + segfaults with unsupported keysize. (closes: #381973) + * Urgency medium as we really want these fixes in etch. + + -- Jonas Meurer Tue, 28 Nov 2006 18:17:12 +0100 + +cryptsetup (2:1.0.4-8ubuntu2) feisty; urgency=low + + * fix and improve initramfs hook: terminate usplash if running, since + adequate secure text input is not possible with usplash ATM + * usplash support: Terminate usplash before asking a password. + Closes https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/62751 + + -- Reinhard Tartler Wed, 24 Jan 2007 22:43:28 +0100 + +cryptsetup (2:1.0.4-8ubuntu1) feisty; urgency=low + + * merge debian changes, remaining patches: + - Always output and read from the console. Ubuntu: #58794. + * other changes have been merged or do noy apply anymore + * read password via usplash if available in initramfs for rootfs. based on a patch from + Swen Thümmler (Thanks for that!) Ubuntu #62751 + * read password from initscript via usplash if running. should fix the + rest of Ubuntu #62751. Only problem with that patch: It asks only once + for the password! improvements welcome! + + -- Reinhard Tartler Sun, 19 Nov 2006 20:04:19 +0100 + +cryptsetup (2:1.0.4-8) unstable; urgency=high + + [ Jonas Meurer ] + * Add 'set -e' and 'if ...; then ... fi' to cryptdisks-early as well. + + [ David Härdeman ] + * Make sure that a failed modprobe does not break with 'set -e'. + (closes: #398799) + + -- Jonas Meurer Thu, 16 Nov 2006 16:59:35 +0100 + +cryptsetup (2:1.0.4-7) unstable; urgency=low + + [ David Härdeman ] + * Do not try to configure resume devices which we cant get the key for + and also try harder to find resume devices. + (closes: #397887, #397888) + * Kill some more bashisms. + * Only try three times per crypto device in initramfs scripts to avoid + unbootable systems if a swap partition can't be setup. + * Added decrypt_derived keyscript and improved documentation of latest + changes, see README.initramfs for details. + + -- Jonas Meurer Tue, 14 Nov 2006 16:27:51 +0100 + +cryptsetup (2:1.0.4-6) unstable; urgency=high + + [ David Härdeman ] + * Improve LVM dependency checks in initramfs hook. Thanks to Loïc + Minier for the patch. (closes: #397633, #397651) + + -- Jonas Meurer Thu, 9 Nov 2006 13:55:48 +0100 + +cryptsetup (2:1.0.4-5) unstable; urgency=high + + [ David Härdeman ] + * Make sure that duplicate entries in initramfs do not block the boot + (closes: #397454) + * Do not check for the presence of a key if the keyscript option is + set (closes: #397450) + + -- Jonas Meurer Tue, 7 Nov 2006 18:03:41 +0100 + +cryptsetup (2:1.0.4-4) unstable; urgency=high + + [ David Härdeman ] + * Readd and document the kernel boot argument "cryptopts" due to user + demand + * Implement support for multiple device setup in initramfs. + (closes: #394136, #382280) + * Remove bashisms. (closes: #396092) + * Fix FTBFS by altering dpatch so that it is applied to Makefile.in.in + before configure is executed. (closes: #396126) + + [ Jonas Meurer ] + * Only warn for insecure keyfile mode/owner. Add some information about + insecure keys in README.Debian. (closes: #395357, #394134) + + -- Jonas Meurer Fri, 3 Nov 2006 02:22:49 +0100 + +cryptsetup (2:1.0.4-3) unstable; urgency=medium + + [ Jonas Meurer ] + * Suggest dosfstools. Needed for the default settings in luksformat. Thanks + to Loïc Minier . (closes: #393473) + * Suggest initramfs-tools (>= 0.60) | linux-initramfs-tool as well. + * Still urgency=medium for the same reasons + + [ David Härdeman ] + * Change the previous fix for #388871 to use the original patch from + Loïc Minier . This also removes the bogus UTF8 char. + (closes: #393895) + + -- Jonas Meurer Wed, 18 Oct 2006 23:03:47 +0200 + +cryptsetup (2:1.0.4-2) unstable; urgency=medium + + [ Jonas Meurer ] + * Fix postinst, use 'elif [ -z $foo] || [ -z $bar ]; then ...' + * Fix a typo in cryptdisks.functions, change $opt to $opts for more + consistency with the postinst script. + * Fix mount_fs() in cryptdisks.functions to actually do what we want it to + do. Up to now, the initscript stopped if a mountpoint failed to mount. + * urgency=medium to get cryptsetup 1.0.4 into etch + + -- Jonas Meurer Tue, 17 Oct 2006 16:16:02 +0200 + +cryptsetup (2:1.0.4-1) unstable; urgency=low + + [ David Härdeman ] + * Always update the current initramfs when a new version is installed + * Move the double-ssl decryption into a keyscript and change the ssl + option to use that script instead + * Move the gpg key decryption into a keyscript and change the gpg + option to use that script instead + * Clean up cryptdisks.functions + * Let initramfs-tools know that we need busybox in the initramfs image + * Fix bogus error message from initramfs hook, based on patch by + Loïc Minier . (closes: #388871) + * Remove the undocumented kernel boot argument "cryptopts" + * Always add some crypto modules/tools to the initramfs image unless + MODULES=dep. (closes: #389835) + * Update README.initramfs. + * Add checks and warnings that the ssl and gpg options are going away + in favour of the keyscript option + * Fix the decrypt_ssl script (closes: #390514) + + [ Jonas Meurer ] + * New upstream release. + - [01_terminal_output.dpatch] removed, finally went upstream + - [02_docs_tries.dpatch] removed, went upstream + - [03_fix_build_error.dpatch] renamed to 01_fix_build_error.dpatch + * Fix SYNOPSIS in crypttab(5) manpage to show all arguments as mandatory. + Thanks to Michael Steinfurth. + * Check in postinst for entries with missing arguments in /etc/crypttab. + Warn is one is found. Thanks to Michael Steinfurth (closes: #388083) + * Fix pretest for encrypted swap. Allow unencrypted swap on the source + device. Thanks to Dennis Furey. (closes: #387158) + * Fix posttest for encrypted swap. Don't skip if a swap filesystem is found + on the target device. Thanks to Sam Couter. (closes: #385317) + * Use 'set -e' and 'if [ -r ]; then ...; fi' in init script. Thanks + to Goswin Brederlow. (closes: #390354) + * change '... > &2' to ... >&2' in cryptdisks.functions + + -- Jonas Meurer Mon, 16 Oct 2006 19:22:41 +0200 + +cryptsetup (2:1.0.4~rc2-1) unstable; urgency=low + + [ Jonas Meurer ] + * Add some more german translations to de.po. + * Add a note to NEWS.Debian where the fix for #376393 is explained. thanks + to Robert Bihlmeyer for the report. (closes: #379719) + * Allow swap filesystems to be overwritten when the swap flag is set. thanks + to Raphaël Quinet for the report. (closes: #379771) + * Update to upstream 1.0.4-rc2. (closes: #378422, #379726, closes: #379723) + * removed patches 03-05, merged upstream. + * [01_terminal_output.dpatch] updated for new upstream. + * [02_docs_tries.dpatch] updated for new upstream, to fix luksDelKey + documentation and to give more information about the keysize. + (closes: #379084) + + [ David Härdeman ] + * Make sure that README.initramfs is included in the package (closes + #380048) + * Replace panic calls in cryptsetup script with exit 1 to match the + behaviour of other scripts. The regular initramfs script will panic + later when root isn't detected anyway + * Make all four fields in crypttab mandatory (closes: #370180, + #376941) + * Add UTF8 keyboard input support to initramfs image (closes: #379737) + * Add a keyscript option (closes: #370302, #375913) + * [03_fix_build_error.dpatch] patch po/Makefile with more recent + gettext implementation. + + + -- Jonas Meurer Mon, 4 Sep 2006 03:55:35 +0200 + +cryptsetup (2:1.0.3-3ubuntu3) edgy; urgency=low + + * Always output and read from the console. Ubuntu: #58794. + + -- Scott James Remnant Thu, 21 Sep 2006 03:05:18 +0100 + +cryptsetup (2:1.0.3-3ubuntu2) edgy; urgency=low + + * Load the dm-crypt module on startup. Ubuntu: #53475. + + -- Scott James Remnant Wed, 23 Aug 2006 11:53:49 +0200 + +cryptsetup (2:1.0.3-3ubuntu1) edgy; urgency=low + + * Sync with Debian: + Remaining Ubuntu Changes + + debian/cryptdisks.functions: + - Tell usplash to quit if we ask for a passphrase + + -- Sebastian Dröge Tue, 11 Jul 2006 20:03:27 +0200 + +cryptsetup (2:1.0.3-3) unstable; urgency=low + + [ Jonas Meurer ] + * revert the change that for swap devices the vol_id check is run by + default. if the swap partition is encrypted with a random key, the check + will always fail. thanks to Mika Bostrom + (closes: #371135, #371160, #377434) + * fix the vol_id checkscript to do what it's expected to do. + * add the un_vol_id checkscript, which does the reverse of vol_id. + * use 'check=un_vol_id, checkargs=swap' for swap devices per default. + * added do_close function to cryptdisks.functions, as do_swap needs to use + it. up to now, 'cryptsetup remove' was invoked regardless whether the + device contains a LUKS partition or not. this is fixed now too. + * allow custom check scripts. check only if $CHECK exists in + /lib/cryptsetup/checks/ and use the given value as full path otherwise. + * make precheck for no_luks mandatory, fail if any known filesystem is + found. + * update crypttab manpage to reflect the checksystem changes. added an own + section for check scripts. update the CheckSystem documentation. + * update and simplify the gen-ssl-key script, thanks to Markus Nass + + * move gen-ssl-key, decrypt_ssl and luksformat to debian/scripts in the + source. + * add new directory /lib/cryptsetup/scripts/ for key decryption scripts like + decrypt_ssl and decrypt_gpg. + * add 05_fix_pointer_and_int_comparison.dpatch, fixes compiler warnings on + 64bit architectures. Thanks to David Härdeman for the patch. + * revert the order of do_start and do_stop at 'cryptdisks restart'. thanks + to Hans Peter Wiedau for pointing out that silly typo. + (closes: #377591) + + [ David Härdeman ] + * Support root-on-crypto-on-lvm in the initramfs scripts without + having to change the root variable (closes: #371846) + * If possible, load correct keymap in the initramfs image before any + password prompts (closes: #376393) + + -- Jonas Meurer Mon, 10 Jul 2006 20:01:02 +0200 + +cryptsetup (2:1.0.3-2) unstable; urgency=low + + [ David Härdeman ] + * Add patch by Arjan Oosting + (closes: #369575) + * add new check 'vol_id', which uses /lib/udev/vol_id from udev and supports + checks for any known filesystem type. implement a new option checkargs in + cryptdisks for that. suggest udev. closes one half of #370302. thanks to + Markus Nass and Darvid Härdeman for the suggestion. + * always check for a swap partition before running mkswap + * updated README.Debian, Checksystem.Doc and crypttab.5.txt accordingly. + * drop usage of strings from swap check, as it is in /usr/bin. thanks to + Markus Nass. + + -- Jonas Meurer Mon, 5 Jun 2006 18:27:07 +0200 + +cryptsetup (2:1.0.3-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream release, 1.0.3 final + - Add alignPayload patch by Peter Palfrader (closes: #358388) + - meaningful exitcodes and password retrying by Johannes Weißl + (closes: #359277) + * add 01_terminal_timeout.dpatch from Andres Salomon . + - gets rid of getpass(), which is obsolete according to manpage + - restores the terminal state before doing the timeout (closes: #364153) + * add 02_docs_tries.dpatch, to describe --tries in the cryptsetup manpage. + * add 03_stdin_input.dpatch from David Härdeman , + fixes input from stdin, accepts input with more than 32 characters + (closes: #364529, #365333) + * add 04_status_exit_codes.dpatch from David Härdeman , + fixes the exit codes of 'cryptsetup status' + * provide a cryptsetup-udeb package (closes: #358422) + * remove debian/luksformat.8 in clean target (closes: #358386) + * fix update-rc.d arguments to start cryptdisks in rc0 and rc6. + it is not really started [but stopped], but still the links need to be + named S48cryptdisks. otherwise it will be invoked before umountfs. + * add initramfs cryptroot functionality, thanks to David Härdeman + for the patch (closes: #358452) + * rename /lib/cryptsetup/init_functions to cryptdisks.functions + * move most of /etc/init.d/cryptdisks to cryptdisks.functions. + /etc/init.d/cryptdisks now does not much more than importing + cryptdisks.functions. required for running two seperate cryptdisks + initscripts. + * split the cryptdisks initscript into cryptdisks-early and cryptdisks. + actually both scripts do the same except having slightly different output. + the early script is run before lvm/evms/... are started, and the other one + after they are started. (closes: #363007) + * add support for mount to cryptdisks. this makes it possible to use + keyfiles from removable media. see the crypttab.5 manpage for more + information. + * use upstream cryptsetup tries option instead of the shell code in + cryptdisks. rename cryptdisks 'retry' option to 'tries'. + * document the fact, that the default settings in /etc/default/cryptdisks + take only effect if the relevant option is set without a value in + crypttab. add the environment section to crypttab.5.txt (closes: #364203) + * update the TODO list. + * update crypdisks.default + * run do_swap and do_tmp. Thanks to Riku Voipio + (closes: #365633) + * bump Standards-Version to 3.7.2.0, no changes needed + + [ David Härdeman ] + * add lvm capabilities to initramfs scripts (closes: #362564) + * add cryptsetup.postinst which executes update-initramfs when + cryptsetup is first installed (not on upgrades) + + -- Jonas Meurer Sat, 13 May 2006 19:45:08 +0200 + +cryptsetup (2:1.0.2+1.0.3-rc3-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream release candidate: + - fixes sector size of the temporary mapping (closes: #355156) + - more verbose error logging (closes: #353755, #356288, #258376) + - upstream accepted my patches to the manpage + * fixed spelling error in README.Debian + * removed debian/cryptsetup.sgml, outdated + * ran ispell against doc files in debian/, fixed many typos + * change /usr/share/cryptsetup to /lib/cryptsetup in crypttab.5.txt + (closes: #354910) + * add --build (and maybe even --host) to configure flags, for + cross-compiling + * remove debian/luksformat.8 in clean target + * fix bashism in cryptdisks. thanks to Michal Politowski + (closes: #356484) + * add support for openssl encrypted keys, based on a patch by General Stone + (closes: #350615) + * add some code to support gnupg encrypted keys, some parts are missing. + + -- Jonas Meurer Fri, 17 Mar 2006 00:42:41 +0100 + +cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream version 1.0.3-rc2, fixing issues with devmapper + * new upstream version 1.0.3-rc1, doesn't use essiv per default + * new upstream version (1.0.2) released + - add --timeout option for interactive usage + - add --batch-mode option to suppress input verifications + * install local cryptsetup.8 copy instead of the upstream manpage + - mention --readonly as possible option to luksOpen (closes: #353753) + - mention --batch-mode, --timeout, --version + - transform remaining option hyphens from '-' to '\-' + * merged ubuntu patches: + - modify cryptdisks init script to use lsb functions + - add luksformat and a manpage + * removed postinst and postrm, empty scripts + * added a README.Debian and a TODO + * added a NEWS file for Debian, and explain both the upstream transition + from plain cryptsetup to cryptsetup-luks, and the check options for + crypttab. + * install manpages using dh_installman, not with install + * updated CryptoRoot.HowTo, mention /etc/mkinitrd/modules and different + linux-image versions. (closes: #344867) + * removed needless debian/hack + * added debian/watch + * bumped debhelper compat level to 5, add versioned depends on + debhelper (>> 5.0.0) + * update debian/cryptsetup.8 to mention batch-mode and timeout + * updated cryptdisks + - modify init script to use lsb functions, at least where possible + - updated comments for cryptdisks.default + - moved option parsing and setup of loopback devices to seperate functions. + added a new include file /lib/cryptsetup/init_functions with functions + parse_opts, lo_setup, check_key, do_luks, do_noluks, do_swap, do_tmp + - always check for the source device exists before running cryptsetup + - hardcode precheck for LUKS to use 'cryptsetup isLuks'. this is much safer + than allowing other random prechecks, as it manifests that the source + device actually is a LUKS partition. + - don't remove the LUKS device when postcheck fails, as the supplied + password/key is correct anyway. + - use the new 'timeout' commandline option of cryptsetup instead of an + external wrapper + - be silent for not existing devices per default. Implement the loud + option for crypttab to warn if a device does not exist. + - remerge postchecks and prechecks into checks. + - don't disable swap & luks combination, instead disable luks with + /dev/random, /dev/urandom or /dev/hwrandom as key. + - run parse_opts before check_key, to know whether we use luks or not + + [ Michael Gebetsroither ] + * converted crypttab.sgml to asciidoc + * added dependencies for asciidoc to manpage conversion + * added developer documentation for a robust checksystem into cryptdisks + + -- Jonas Meurer Sun, 26 Feb 2006 20:04:49 +0100 + +cryptsetup (2:1.0.1-16) unstable; urgency=low + + [ Jonas Meurer ] + * already fixed in 2:1.0.1-14: binaries xor and delay from + usbcrypto.mkinitrd don't exist in debian. replaces with a perl script + and /bin/sleep. thanks to wesley terpstra for the help. + (closes: #324353) + * clean cryptdisks from bashisms (closes: #350360) + * check for /usr/bin/timeout before using it in cryptdisks. First, it's + only available when /usr is mounted, and that is not definitive when + cryptdisks is run at boot time. Second, timeout is a non-essential + debian package, and not neccecarily installed. The usage of + /usr/bin/timeout in any case is only a temporary workaround. + * move /usr/share/cryptsetup to /lib/cryptsetup, as the checks need to be + available at boot time, before local filesystems (like i.e. /usr) are + mounted. + * replace RETRY=`expr $RETRY - 1` with RETRY=$(($RETRY-1)), as expr is in + /usr/bin. + * install init.d script and default file with dh_installinit + (closes: #350548) + * don't build-depend on cvs + + -- Jonas Meurer Mon, 30 Jan 2006 17:54:50 +0100 + +cryptsetup (2:1.0.1-15) unstable; urgency=low + + [ Jonas Meurer ] + * rebuilt with -sa, to include the sources into upload + + -- Jonas Meurer Fri, 27 Jan 2006 18:18:46 +0100 + +cryptsetup (2:1.0.1-14) unstable; urgency=low + + [ Jonas Meurer ] + * added a configurable timeout option for interactive password + prompt. set the default timeout to 180 seconds in + /etc/default/cryptdisks, and documented the crypttab option in + the crypttab manpage. (closes: #328961) + * fixed the default "precheck" and "postcheck" options, currently + no useful precheck exists, so no default here. + * removed the dummy cryptsetup-luks package, ftpmaster complains + about it. + + [ Michael Gebetsroither ] + * make small fixes to CryptoSwap.HowTo + * added postcheck for swap (closes: #342079) + + -- Jonas Meurer Fri, 27 Jan 2006 12:59:10 +0100 + +cryptsetup (2:1.0.1-13) unstable; urgency=low + + * split the "check" in a "precheck" and a "postcheck" option + - adds the possibility to check the source device before creating the + decrypted target device, useful for things like swap. + + -- Jonas Meurer Sun, 22 Jan 2006 21:24:06 +0100 + +cryptsetup (2:1.0.1-12) unstable; urgency=low + + * correctly parse options in cryptdisks (closes: #304399) + * remove the moduledir /usr/lib/cryptsetup from the deb, it's + empty anyway (closes: #334648) + * replace /usr/local/bin/delay with /bin/sleep in usbcrypto.mkinitrd + * cosmetical changes to /etc/crypttab + * add "check" and "retry" options to cryptdisks script, + thanks to A Mennucc . (closes: #290626) + + -- Jonas Meurer Sun, 22 Jan 2006 19:46:18 +0100 + +cryptsetup (2:1.0.1-11) unstable; urgency=low + + * include sources although the debian revision is not -1 + + -- Jonas Meurer Sun, 22 Jan 2006 16:35:12 +0100 + +cryptsetup (2:1.0.1-10) unstable; urgency=low + + * introduce an epoch to make upgrade happen + + -- Jonas Meurer Sun, 22 Jan 2006 09:02:47 +0100 + +cryptsetup (1.0.1-9) unstable; urgency=low + + * rename the package to cryptsetup, provide a dummy cryptsetup-luks package + * initial upload to debian + + -- Jonas Meurer Sun, 22 Jan 2006 08:06:25 +0100 + +cryptsetup-luks (1.0.1-8) unstable; urgency=low + + * use upstream tarball as orig.tar.gz and keep debian changes in diff.gz + * change to use dpatch + * adjust build environment to work with upstream sources, and without + autogen.sh + * merge fixes for debian scripts from cryptsetup. + * keep cryptsetup manpage untouched, as merging cryptsetup and + cryptsetup-luks manpages is rather complex. + * set mandir to /usr/share/man for configure + * add a lintian-override file + + -- Jonas Meurer Sun, 22 Jan 2006 06:48:30 +0100 + +cryptsetup-luks (1.0.1-7) unstable; urgency=high + + * make cryptsetup create work again (patch for lib/libdevmapper.c) + + -- Michael Gebetsroither Sat, 21 Jan 2006 14:39:36 +0100 + +cryptsetup-luks (1.0.1-6) unstable; urgency=low + + * recompile for new libdevmapper + + -- Michael Gebetsroither Tue, 10 Jan 2006 15:10:17 +0100 + +cryptsetup-luks (1.0.1-5) unstable; urgency=low + + * improved documentation for /etc/crypttab + + -- Michael Gebetsroither Mon, 7 Nov 2005 17:05:20 +0100 + +cryptsetup-luks (1.0.1-4) unstable; urgency=low + + * added luks option for /etc/crypttab (thx to Fabian Thorns + for the initial patch) + + -- Michael Gebetsroither Thu, 3 Nov 2005 19:22:59 +0100 + +cryptsetup-luks (1.0.1-3) unstable; urgency=low + + * completly switched to luks upstream + + -- Michael Gebetsroither Thu, 11 Aug 2005 22:14:16 +0200 + +cryptsetup-luks (1.0.1-2) unstable; urgency=low + + * fixed build dependencies + + -- Michael Gebetsroither Mon, 20 Jun 2005 22:30:38 +0200 + +cryptsetup-luks (1.0.1-1) unstable; urgency=low + + * synced with luks upstream + + -- Michael Gebetsroither Mon, 20 Jun 2005 16:22:53 +0200 + +cryptsetup-luks (1.0-5) unstable; urgency=low + + * fixed a small typo in the manpage + + -- Michael Gebetsroither Sat, 23 Apr 2005 11:06:31 +0200 + +cryptsetup-luks (1.0-4) unstable; urgency=low + + * cleand source-tree for submitting a wishlist report into debian BTS + + -- Michael Gebetsroither Tue, 19 Apr 2005 18:44:13 +0200 + +cryptsetup-luks (1.0-3) unstable; urgency=low + + * updatet dependencies (libdevmapper1.00 => libdevmapper1.01) + + -- Michael Gebetsroither Tue, 19 Apr 2005 13:51:10 +0200 + +cryptsetup-luks (1.0-2) unstable; urgency=low + + * replaced original debian cryptsetup manpage with manpage from + cryptsetup-luks + + -- Michael Gebetsroither Sun, 3 Apr 2005 13:33:55 +0200 + +cryptsetup-luks (1.0-1) unstable; urgency=low + + * new upstream release + + -- Michael Gebetsroither Sat, 2 Apr 2005 23:29:43 +0200 + +cryptsetup-luks (0.993-3) unstable; urgency=low + + * fixed dependencis + + -- Michael Gebetsroither Sun, 13 Feb 2005 01:28:11 +0100 + +cryptsetup-luks (0.993-2) unstable; urgency=low + + * fixed a few source problems + * fixed post/pre install scripts + + -- Michael Gebetsroither Sat, 12 Feb 2005 16:18:07 +0100 + +cryptsetup-luks (0.993-1) unstable; urgency=low + + * synced with luks upstream + + -- Michael Gebetsroither Sat, 12 Feb 2005 15:50:21 +0100 + +cryptsetup-luks (0.992-5) unstable; urgency=low + + * fixed a few problems in den debian source package + + -- Michael Gebetsroither Sat, 12 Feb 2005 04:22:30 +0100 + +cryptsetup-luks (0.992-4) unstable; urgency=low + + * debianized the package + * cleand up build system + + -- Michael Gebetsroither Sat, 12 Feb 2005 00:12:43 +0100 + +cryptsetup-luks (0.992-3) unstable; urgency=low + + * Fixed typo + + -- Michael Gebetsroither Fri, 11 Feb 2005 18:38:42 +0100 + +cryptsetup-luks (0.992-2) unstable; urgency=low + + * Added note within description + + -- Michael Gebetsroither Fri, 11 Feb 2005 18:21:03 +0100 + +cryptsetup-luks (0.992-1) unstable; urgency=low + + * "integrated LUKS" support (very messy hack) + + -- Michael Gebetsroither Thu, 10 Feb 2005 18:16:21 +0100 + --- cryptsetup-1.0.6.orig/debian/copyright +++ cryptsetup-1.0.6/debian/copyright @@ -0,0 +1,52 @@ +Format-Specification: http://wiki.debian.org/Proposals/CopyrightFormat +Debianized-By: Milan Kocian +Debianized-Date: Thu, 18 Mar 2004 09:28:18 +0100. +Original-Source: http://clemens.endorphin.org/LUKS + +Files: debian/askpass.c, debian/passdev.c +Copyright: © 2008 David Härdeman +License: GPL-2+ + +Files: debian/scripts/cryptdisks_start +Copyright: © 2007 Jon Dowland +License: GPL-2+ + +Files: debian/scripts/cryptdisks_stop +Copyright: © 2008 Jonas Meurer +License: GPL-2+ + +Files: debian/scripts/luksformat +Copyright: © 2005 Canonical Ltd. +License: GPL-2+ + +Files: debian/* +Copyright: © 2004-2005 Wesley W. Terpstra + © 2005-2006 Michael Gebetsroither + © 2006-2008 David Härdeman + © 2005-2008 Jonas Meurer +License: GPL-2+ + +Files: luks/sha/* +Copyright: © 2002 Dr Brian Gladman, Worcester, UK +License: GPL-any + +Files: * +Copyright: © 2004 Christophe Saout + © 2004-2008 Clemens Fruhwirth +License: GPL-2+ + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this package; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + . + On Debian systems, the complete text of the GNU General + Public License can be found in `/usr/share/common-licenses/GPL'. --- cryptsetup-1.0.6.orig/debian/askpass.c +++ cryptsetup-1.0.6/debian/askpass.c @@ -0,0 +1,728 @@ +/* + * askpass.c - prompts a user for a passphrase using any suitable method + * and prints the result to stdout. + * + * Copyright (C) 2008 David Härdeman + * + * This package is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This package is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this package; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + + +#define _GNU_SOURCE +#define _BSD_SOURCE +#define _POSIX_C_SOURCE 1 +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define DEBUG 0 + +#define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0])) + +static bool disable_method(const char *method); + +/***************************************************************************** + * Utility functions * + *****************************************************************************/ +static void +debug(const char *fmt, ...) +{ + va_list ap; + static bool first = true; + static FILE *dbgfile; + + if (!DEBUG) + return; + + if (first) { + first = false; + dbgfile = fopen("/tmp/askpass.debug", "a"); + } + + if (!dbgfile) + return; + + va_start(ap, fmt); + vfprintf(dbgfile, fmt, ap); + va_end(ap); +} + +static void +usage(const char *arg0, const char *errmsg) +{ + if (errmsg) + fprintf(stderr, "Error: %s\nUsage: %s PROMPT\n", errmsg, arg0); + else + fprintf(stderr, "Usage: %s PROMPT\n", arg0); + exit(EXIT_FAILURE); +} + +static void +fifo_common_finish(int fd, char **buf, size_t *used, size_t *size) +{ + if (fd >= 0) + close(fd); + + if (!*buf) + return; + + memset(*buf, '\0', *size); + free(*buf); + *buf = NULL; + *used = 0; + *size = 0; +} + +static bool +fifo_common_read(int fd, char **buf, size_t *used, size_t *size) +{ + ssize_t result; + +again: + if ((*size - *used) == 0) { + *size += 4096; + *buf = realloc(*buf, *size); + if (!*buf) { + *size = 0; + *used = 0; + debug("Failed to allocate memory for passphrase\n"); + return false; + } + } + +reread: + result = read(fd, *buf + *used, *size - *used); + + if (result < 0) { + if (errno == EAGAIN) + return false; + if (errno == EINTR) + goto reread; + debug("Error when reading from fifo\n"); + return false; + } + + debug("Read %i bytes from fifo\n", (int)result); + *used += result; + + if (result == 0) + return true; + + goto again; +} + + +/***************************************************************************** + * usplash functions * + *****************************************************************************/ +#define USPLASH_WRITE_FIFO "/dev/.initramfs/usplash_fifo" +#define USPLASH_READ_FIFO "/dev/.initramfs/usplash_outfifo" +static size_t usplashused = 0; +static size_t usplashsize = 0; +static char *usplashbuf = NULL; +static bool usplashwaiting = false; + +static bool +usplash_command(const char *cmd) +{ + int wrfd; + ssize_t len; + size_t towrite = strlen(cmd) + 1; + size_t written = 0; + + wrfd = open(USPLASH_WRITE_FIFO, O_WRONLY | O_NONBLOCK); + if (wrfd < 0) + return false; + + while (written < towrite) { + len = write(wrfd, cmd + written, towrite - written); + if (len <= 0) + break; + written += len; + } + + close(wrfd); + if (written != towrite) + return false; + else + return true; +} + +static pid_t * +pidlist(const char *target, size_t *retlen) +{ + pid_t *plist = NULL; + size_t plistlen = 0; + pid_t pid; + DIR *pdir; + FILE *fp; + struct dirent *d; + char path[256]; + char buf[256]; + char *tmp; + + pdir = opendir("/proc"); + if (!pdir) + goto out; + + while ((d = readdir(pdir)) != NULL) { + pid = (pid_t)atoi(d->d_name); + if (!pid) + continue; + + snprintf(path, sizeof(path), "/proc/%s/cmdline", d->d_name); + + fp = fopen(path, "r"); + if (!fp) + continue; + + tmp = fgets(buf, sizeof(buf), fp); + fclose(fp); + if (!tmp) + continue; + + tmp = strrchr(buf, '/'); + if (tmp) + tmp++; + else + tmp = buf; + + if (strcmp(tmp, target)) + continue; + + plistlen++; + plist = realloc(plist, plistlen * sizeof(pid_t)); + if (!plist) { + debug("realloc failed"); + plistlen = 0; + plist = NULL; + goto out; + } + + plist[plistlen - 1] = pid; + } + +out: + if (pdir) + closedir(pdir); + *retlen = plistlen; + return plist; +} + +static bool +chvt(int vtnum) +{ + int fd; + bool rv = false; + + fd = open("/dev/console", O_RDWR); + if (fd < 0) + goto out; + + if (ioctl(fd, VT_ACTIVATE, vtnum)) + goto out; + + if (ioctl(fd, VT_WAITACTIVE, vtnum)) + goto out; + + rv = true; +out: + if (fd >= 0) + close(fd); + return rv; +} + +static size_t +killall(pid_t *plist, size_t plistlen, int sig) +{ + pid_t pid; + int i; + size_t signalled = 0; + + for (i = 0; i < plistlen; i++) { + pid = plist[i]; + if (pid == 0) + continue; + + debug("Signalling %i\n", (int)pid); + if (kill(pid, sig) == 0) + signalled++; + else + plist[i] = 0; + } + + return signalled; +} + +static void +usplash_finish(int fd) +{ + pid_t *plist; + size_t plistlen; + + debug("usplash_finish\n"); + if (usplashwaiting) { + /* This is ugly, but we need to unwedge usplash if a different + * method has been used to provide the passphrase and usplash + * is still waiting for user input. Sending a newline to + * usplash's console did not seem to provide a reliable + * method and this should only be needed in exceptional + * cases anyway. + */ + debug("Unwedging usplash\n"); + /* Changing the VT will normally terminate usplash */ + chvt(1); + sleep(1); + + /* Get a list of remaining usplash procs (if any) to kill */ + plist = pidlist("usplash", &plistlen); + if (plistlen > 0) { + if (killall(plist, plistlen, SIGTERM) > 0) { + sleep(2); + killall(plist, plistlen, SIGKILL); + } + } + usplashwaiting = false; + } else { + usplash_command("TIMEOUT 15"); + } + + fifo_common_finish(fd, &usplashbuf, &usplashused, &usplashsize); +} + +static bool +usplash_read(int fd, char **buf, size_t *size) +{ + debug("In usplash_read\n"); + if (fifo_common_read(fd, &usplashbuf, &usplashused, &usplashsize)) { + while (usplashused > 0 && + ((usplashbuf[usplashused - 1] == '\n') || + (usplashbuf[usplashused - 1] == '\0'))) { + usplashused--; + usplashbuf[usplashused] = '\0'; + debug("Correcting usplash read length\n"); + } + *buf = usplashbuf; + *size = usplashused; + usplashwaiting = false; + return true; + } + + return false; +} + +static int +usplash_prepare(const char *prompt) +{ + int rdfd = -1; + int usplash_cmd_len = strlen("TEXT-URGENT"); + int cmd_input_max = strlen(prompt) + usplash_cmd_len + 2; + char cmd_input[cmd_input_max]; + char *prompt_ptr = prompt; + char *newline = NULL; + + if (!usplash_command("TIMEOUT 0")) + return -1; + + /* handle any non-literal embedded newlines in prompt */ + while ( (newline = strstr(prompt_ptr,"\\n")) != NULL ) { + /* Calculate length of string leading up to newline. */ + int line_len = newline - prompt_ptr; + /* Add text-urgent length, space, and NULL. */ + line_len += usplash_cmd_len + 2; + + /* Even though line_len can never be larger than + cmd_input_max, check it anyway. */ + if (line_len > cmd_input_max) + return -1; + + /* Force trimming of prompt to location of newline. */ + snprintf(cmd_input, line_len, "TEXT-URGENT %s", prompt_ptr); + if (!usplash_command(cmd_input)) + return -1; + + /* Skip over newline. */ + prompt_ptr = newline + 2; + } + + snprintf(cmd_input, cmd_input_max, "INPUTQUIET %s", prompt_ptr); + if (!usplash_command(cmd_input)) + return -1; + + rdfd = open(USPLASH_READ_FIFO, O_RDONLY | O_NONBLOCK); + /* If usplash is enabled, disable console */ + if (rdfd >= 0) { + disable_method("console"); + usplashwaiting = true; + } + + return rdfd; +} + +/***************************************************************************** + * splashy functions * + *****************************************************************************/ + +/* It might be better style to just do a popen of splashy_update ? */ + +#define SPLASHY_SOCK "\0/splashy" +static size_t splashyused = 0; +static size_t splashysize = 0; +static char *splashybuf = NULL; + +static int +splashy_prepare(const char *prompt) +{ + int fd; + struct sockaddr addr = {AF_UNIX, SPLASHY_SOCK}; + struct iovec iov[2]; + + if ((fd = socket (PF_UNIX, SOCK_STREAM, 0)) == -1) { + return -1; + } + + if (connect (fd, &addr, sizeof addr) == -1) { + close (fd); + return -1; + } + + iov[0].iov_base = "getpass "; + iov[0].iov_len = strlen ("getpass "); + iov[1].iov_base = prompt; + iov[1].iov_len = strlen (prompt) + 1; + + if (writev (fd, iov, 2) == -1) { + close (fd); + return -1; + } + + /* Shutdown write? */ + + return fd; +} + +static bool +splashy_read(int fd, char **buf, size_t *size) +{ + debug("In splashy_read\n"); + if (fifo_common_read(fd, &splashybuf, &splashyused, &splashysize)) { + *buf = splashybuf; + *size = splashyused; + return true; + } + + return false; +} + + +static void +splashy_finish(int fd) +{ + fifo_common_finish (fd, &splashybuf, &splashyused, &splashysize); +} + +/***************************************************************************** + * fifo functions * + *****************************************************************************/ +#define FIFO_PATH "/lib/cryptsetup/passfifo" +static size_t fifoused = 0; +static size_t fifosize = 0; +static char *fifobuf = NULL; + +static void +fifo_finish(int fd) +{ + fifo_common_finish(fd, &fifobuf, &fifoused, &fifosize); +} + +static bool +fifo_read(int fd, char **buf, size_t *size) +{ + debug("In fifo_read\n"); + if (fifo_common_read(fd, &fifobuf, &fifoused, &fifosize)) { + *buf = fifobuf; + *size = fifoused; + return true; + } + + return false; +} + +static int +fifo_prepare(const char *prompt) +{ + int ret; + + ret = mkfifo(FIFO_PATH, 0600); + if (ret && errno != EEXIST) + return -1; + + return open(FIFO_PATH, O_RDONLY | O_NONBLOCK); +} + +/***************************************************************************** + * console functions * + *****************************************************************************/ +#define CONSOLE_PATH "/dev/console" +static struct termios term_old; +static bool term_set = false; +static char *consolebuf = NULL; +static size_t consolebuflen = 0; + +static void +console_finish(int fd) +{ + if (consolebuf) { + memset(consolebuf, '\0', consolebuflen); + free(consolebuf); + consolebuf = NULL; + consolebuflen = 0; + } + + if (!term_set || fd < 0) + return; + + term_set = false; + tcsetattr(fd, TCSAFLUSH, &term_old); + fprintf(stderr, "\n"); + klogctl(7, NULL, 0); +} + +bool +console_read(int fd, char **buf, size_t *size) +{ + ssize_t nread; + + /* Console is in ICANON mode so we'll get entire lines */ + nread = getline(&consolebuf, &consolebuflen, stdin); + + if (nread < 0) + return NULL; + + /* Strip trailing newline, if any */ + if (nread > 0 && consolebuf[nread - 1] == '\n') { + nread--; + consolebuf[nread] = '\0'; + } + + *size = nread; + *buf = consolebuf; + + return true; +} + +static int +console_prepare(const char *prompt) +{ + struct termios term_new; + char *prompt_ptr = prompt; + char *newline = NULL; + + if (!isatty(STDIN_FILENO)) { + if (access(CONSOLE_PATH, R_OK | W_OK)) { + debug("No access to console device " CONSOLE_PATH "\n"); + return -1; + } + + if (!freopen(CONSOLE_PATH, "r", stdin) || + !freopen(CONSOLE_PATH, "a", stdout) || + !freopen(CONSOLE_PATH, "a", stderr) || + !isatty(STDIN_FILENO)) { + debug("Failed to open console\n"); + return -1; + } + } + + if (tcgetattr(STDIN_FILENO, &term_old)) { + debug("Failed to get terminal settings\n"); + return -1; + } + + term_new = term_old; + term_new.c_lflag &= ~ECHO; + term_new.c_lflag |= ICANON; + + if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_new)) { + debug("Failed to disable echoing\n"); + return -1; + } + + /* handle any non-literal embedded newlines in prompt */ + while ( (newline = strstr(prompt_ptr,"\\n")) != NULL ) { + /* Calculate length of string leading up to newline. */ + int line_len = newline - prompt_ptr; + + /* Force trimming of prompt to location of newline. */ + if (fwrite(prompt_ptr, line_len, 1, stderr) < 1 || + fwrite("\n", 1, 1, stderr) < 1) { + debug("Failed to print prompt\n"); + tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old); + return -1; + } + + /* Skip over newline. */ + prompt_ptr = newline + 2; + } + if (fputs(prompt_ptr, stderr) < 0) { + debug("Failed to print prompt\n"); + tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old); + return -1; + } + + /* Disable printk to console */ + klogctl(6, NULL, 0); + term_set = true; + return STDIN_FILENO; +} + +/***************************************************************************** + * main functions * + *****************************************************************************/ + +struct method { + const char *name; + int (*prepare)(const char *prompt); + bool (*read)(int fd, char **buf, size_t *size); + void (*finish)(int fd); + bool active; + bool enabled; + int fd; +}; + +static struct method methods[] = { + { "usplash", usplash_prepare, usplash_read, usplash_finish, false, true, -1 }, + { "splashy", splashy_prepare, splashy_read, splashy_finish, false, true, -1 }, + { "fifo", fifo_prepare, fifo_read, fifo_finish, false, true, -1 }, + { "console", console_prepare, console_read, console_finish, false, true, -1 } +}; + +static bool +disable_method(const char *method) +{ + int i; + bool result = false; + + debug("Disabling method %s\n", method ? method : "ALL"); + + for (i = 0; i < ARRAY_SIZE(methods); i++) { + /* A NULL method means all methods should be disabled */ + if (method && strcmp(methods[i].name, method)) + continue; + if (!methods[i].enabled) + continue; + if (methods[i].active) + methods[i].finish(methods[i].fd); + + methods[i].active = false; + methods[i].fd = -1; + methods[i].enabled = false; + result = true; + } + + return result; +} + +int +main(int argc, char **argv, char **envp) +{ + char *pass = NULL; + size_t passlen = 0; + int i; + int nfds; + fd_set fds; + int ret; + bool done = false; + sigset_t sigset; + + if (argc != 2) + usage(argv[0], "incorrect number of arguments"); + + sigfillset(&sigset); + sigprocmask(SIG_BLOCK, &sigset, NULL); + + for (i = 0; i < ARRAY_SIZE(methods); i++) { + if (!methods[i].enabled) + continue; + debug("Enabling method %s\n", methods[i].name); + methods[i].fd = methods[i].prepare(argv[1]); + if (methods[i].fd < 0) + methods[i].active = false; + else + methods[i].active = true; + } + + while (!done) { + nfds = 0; + FD_ZERO(&fds); + for (i = 0; i < ARRAY_SIZE(methods); i++) { + if (!methods[i].enabled || methods[i].fd < 0) + continue; + debug("method %i has fd %i and name %s\n", i, methods[i].fd, methods[i].name); + FD_SET(methods[i].fd, &fds); + if (methods[i].fd + 1 > nfds) + nfds = methods[i].fd + 1; + } + + if (nfds == 0) { + debug("All methods disabled\n"); + exit(EXIT_FAILURE); + } + + debug("Starting select with nfds %i\n", nfds); + ret = select(nfds, &fds, NULL, NULL, NULL); + + if (ret <= 0) { + if (ret == 0 || errno == EINTR) + continue; + debug("Select failed\n"); + disable_method(NULL); + exit(EXIT_FAILURE); + } + + for (i = 0; i < ARRAY_SIZE(methods); i++) { + if (!methods[i].enabled || methods[i].fd < 0) + continue; + if (!FD_ISSET(methods[i].fd, &fds)) + continue; + if (methods[i].read(methods[i].fd, &pass, &passlen) && pass) { + done = true; + break; + } + } + } + + debug("Writing %i bytes to stdout\n", (int)passlen); + write(STDOUT_FILENO, pass, passlen); + disable_method(NULL); + exit(EXIT_SUCCESS); +} + --- cryptsetup-1.0.6.orig/debian/dirs +++ cryptsetup-1.0.6/debian/dirs @@ -0,0 +1,13 @@ +/etc/bash_completion.d +/etc/default +/etc/init.d +/lib/cryptsetup/checks +/lib/cryptsetup/scripts +/sbin +/usr/sbin +/usr/share/initramfs-tools/hooks +/usr/share/initramfs-tools/scripts/local-top +/usr/share/initramfs-tools/scripts/local-bottom +/usr/share/initramfs-tools/conf-hooks.d +/usr/share/man/man5 +/usr/share/man/man8 --- cryptsetup-1.0.6.orig/debian/README.openct +++ cryptsetup-1.0.6/debian/README.openct @@ -0,0 +1,133 @@ +openct with cryptsetup and luks in Debian +----------------------------------------- + +This is a overview on how you can make use of cryptsetup with your smartcard +device supported by openct. Please make sure that your smartcard reader or token +is supposed to be operated with openct and not with opensc or pcscd. You can get +some information about the supported hardware by openct at the following +homepage: + + + +This example is based on the ability of openct to store arbitrary data objects +on the smartcard. Note that you therefore have to use openct in version 0.6.12 +or newer, any versions before 0.6.12 do not properly support data objects. + +Although this use case was done with the Aladdin eToken PRO 32k, an USB crypto +token, this is a generic approach which works the same way with all supported +smartcard devices by openct. + +First of all, you should plug in your crypto token into USB or whatever +interface it uses and initalize the reader with the following command (as root): + + # openct-control init + +To check if your reader has been detected, you can run: + + # openct-tool list + +This should give you a similar result to this: + + 0 Aladdin eToken PRO + +If you do not see any reader listed, you have a problem and should read again +about the supported hardware on and make +sure you have the required support (e.g. USB) compiled into your kernel needed +to connect to your token. If you use a precompiled kernel from Debian, +everything is already built kernelwise and you probably only need to load the +module. + +In case you want to erase your previously used smartcard, you can do that by +executing the following command: + + # pkcs15-init --erase-card + +To setup the smartcard, you need to do the following: + + # pkcs15-init --create-pkcs15 + +Caution: You are beeing asked about the 'Security Officer PIN' and the 'User +unblocking PIN'. Although both of these pins are optional and can be left empty, +you should never do this: In case the personal user pin is typed wrong for a +given number (mostly three times), the smartcard is locked and can only be +unlocked with the user unblocking pin. If you even mistype the user unblocking +pin for a given number (mostly three times), the smartcard is locked and can +only be unlocked with the security officer pin, which is the most superior pin +in this hierarchy. With an unset (empty) security officer pin or user unblocking +pin, depending on the smartcard, an attacker can have unlimited tries to crack +your personal user pin, or, an attacker can simply make the smarcard unusable as +it cannot be unlocked anymore at all. + +To create a new identity on the smartcard, do the following: + + # pkcs15-init --store-pin --auth-id 01 --label "Daniel Baumann" + +If you have already one or more identities, you certainly want to bump the +auth-id here, and normally, the label used to describe the identify is the +persons first and last name. + +As we want to use the smartcard with luks, we first need to get some random +data: + + # dd if=/dev/random of=data.txt bs=1 count=32 + +And we store that random data as a data object to the private section of the +smartcard with: + + # pkcs15-init --store-data data.txt --auth-id 01 + +As of the time of writing, openct version 0.6.12 is available and does not +support labeling different data objects. Once this gets fixed in openct +upstream, you can store multiple data objects to the smartcard (create them by +appending '--label foo' to the above command and replace foo with the label you +want to use). + +Then, read the random data from the smartcard in order... + + # pkcs15-tool --read-data-object pkcs15-init -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1 + # pkcs15-tool --read-data-object pkcs15-init -o key.txt 1>/dev/null 2>&1 + +...to import that output to luks as a valid key (assumed that /dev/sda5 is your +encrypted partition): + + # cryptsetup luksAddKey /dev/sda5 key.txt + +To tell cryptsetup to let you authenticate with the openct backend, you need to +pass the respective decrypt script to it as a parameter in /etc/crypttab +(assumed that /dev/sda5 is your encrypted partition): + + sda5_crypt /dev/sda5 none luks,keyscript=/lib/cryptsetup/scripts/decrypt_openct + +At the moment all data objects have the same label 'pkcs15-init'. Once openct +supports labeling data objects, you can pass the respective label to openct with +the key parameter in /etc/crypttab like this: + + sda5_crypt /dev/sda5 none luks,keyscript=/lib/cryptsetup/scripts/decrypt_openct,key=foo + +For the time beeing, 'pkcs15-init' is passed to openct when no key is specified. + +Don't forget to backup key.txt to a save place and remove the temporary files +afterwards: + + # shred -uz key.txt data.txt + +Caution: cryptsetup as of version 1.0.5-1 does not support fallback to passphrase +if smartcard authentification fails (bee it three times wrong pin or not +compatible/not detected smartcard reader). That means, that for testing +purposes, it is recommended to keep an initrd image in /boot available which +does *not* use openct or opensc for authentification, so that you can change +your bootloader configuration on the fly if something does not work out as +expected. Therefore, copy your current initrd (the .bak backups from +initramfs-tools can maybe get overwritten by update-initramfs during the setup +of openct, so it is better to be on the save side): + + # cp /boot/initrd.img-`uname -r` /boot/initrd.img-`uname -r`.temp + +If you have completed all the steps upto now, you can update your initramfs +image with: + + # update-initramfs -u -k `uname -r` + +and reboot your machine. + + -- Daniel Baumann Wed, 22 Aug 2007 10:36:00 +0200 --- cryptsetup-1.0.6.orig/debian/passdev.c +++ cryptsetup-1.0.6/debian/passdev.c @@ -0,0 +1,268 @@ +/* + * passdev.c - waits for a given device to appear, mounts it and reads a + * key from it which is piped to stdout. + * + * Copyright (C) 2008 David Härdeman + * + * This package is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This package is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this package; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + + +#define _BSD_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static bool do_debug = false; + +static void +debug(const char *fmt, ...) +{ + va_list ap; + + if (!do_debug) + return; + va_start(ap, fmt); + vfprintf(stderr, fmt, ap); + va_end(ap); +} + +static bool +do_mount(const char *device, const char *dir) +{ + pid_t pid; + pid_t wpid; + int status; + char *fstypes[] = { "ext3", "ext2", "vfat", "reiserfs", "xfs", "isofs", "udf" }; + int fsindex; + + if (!device || !dir) + return false; + + for (fsindex = 0; + fsindex < (sizeof(fstypes) / sizeof(fstypes[0])); + fsindex++) + { + pid = fork(); + if (pid < 0) { + /* Error */ + return false; + } else if (pid > 0) { + /* We're in the parent process */ + do { + wpid = waitpid(pid, &status, 0); + } while (!WIFEXITED(status) && !WIFSIGNALED(status)); + if (WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS) + return true; + + /* Let's try another fstype */ + continue; + } else { + /* We're in the child process */ + debug("Mounting %s at %s\n", device, dir); + close(STDIN_FILENO); + close(STDOUT_FILENO); + close(STDERR_FILENO); + open("/dev/null", O_RDONLY, 0); + open("/dev/null", O_WRONLY, 0); + open("/dev/null", O_WRONLY, 0); + execl("/bin/mount", "/bin/mount", "-n", "-t", + fstypes[fsindex], + /*"ext3,ext2,vfat,reiserfs,xfs,isofs,udf",*/ + "-o", "noatime,nodiratime,nodev,noexec,nosuid,ro", + device, dir, (char *)NULL); + + /* If execl works, we won't end up here */ + exit(EXIT_FAILURE); + } + } + + /* We've tried all fstypes with no luck */ + return false; +} + +int +main(int argc, char **argv, char **envp) +{ + char *debugval; + char *devpath; + char *filepath; + struct stat st; + char *tmppath; + char tpath[] = "/tmp/passdev.XXXXXX"; + char *keypath; + int fd; + size_t toread; + size_t bytesread; + char *keybuffer; + size_t towrite; + size_t byteswritten; + ssize_t bytes; + + /* We only take one argument */ + if (argc != 2) { + fprintf(stderr, "Incorrect number of arguments"); + goto error; + } + + /* If DEBUG=1 is in the environment, enable debug messages */ + debugval = getenv("DEBUG"); + if (debugval && atoi(debugval) > 0) + do_debug = true; + + /* Split string into device and path */ + devpath = argv[1]; + filepath = strchr(devpath, ':'); + if (!filepath || !(*filepath) || !(*(filepath + 1))) { + fprintf(stderr, "Invalid key path"); + goto error; + } + *filepath = '\0'; + filepath++; + debug("Path is %p and filepath is %p\n", devpath, filepath); + + /* Wait until device is available */ + if (access(devpath, F_OK)) { + debug("Waiting for %s\n", devpath); + while(access(devpath, F_OK)) + sleep(1); + } + + /* Make sure device is a blockdev */ + if (stat(devpath, &st)) { + fprintf(stderr, "Unable to stat %s\n", devpath); + goto error; + } else if (!S_ISBLK(st.st_mode)) { + fprintf(stderr, "%s is no block device\n", devpath); + goto error; + } + + /* Create a tmp dir where we mount the device */ + tmppath = mkdtemp(tpath); + if (!tmppath) { + fprintf(stderr, "Failed to create temporary directory\n"); + goto error; + } + + /* Ok, mount it */ + if (!do_mount(devpath, tmppath)) { + fprintf(stderr, "Failed to mount %s\n", devpath); + goto error_rmdir; + } + + /* Generate the full path to the keyfile */ + keypath = malloc(strlen(tmppath) + 1 + strlen(filepath) + 1); + if (!keypath) { + fprintf(stderr, "Failed to allocate memory\n"); + goto error_umount; + } + sprintf(keypath, "%s/%s", tmppath, filepath); + + /* Check that the keyfile exists */ + if (access(keypath, F_OK)) { + fprintf(stderr, "Keyfile doesn't exist\n"); + goto error_free; + } + + /* Get the size of the keyfile */ + if (stat(keypath, &st)) { + fprintf(stderr, "Unable to stat keyfile\n"); + goto error_free; + } + + /* Check the size of the keyfile */ + if (st.st_size < 0) { + fprintf(stderr, "Invalid keyfile size\n"); + goto error_free; + } + toread = (size_t)st.st_size; + + /* Open the keyfile */ + if ((fd = open(keypath, O_RDONLY)) < 0) { + fprintf(stderr, "Failed to open keyfile\n"); + goto error_free; + } + + /* Allocate a buffer for the keyfile contents */ + keybuffer = malloc(toread); + if (!keybuffer) { + fprintf(stderr, "Failed to allocate memory\n"); + goto error_close; + exit(EXIT_FAILURE); + } + + /* Read the keyfile */ + bytesread = 0; + while (bytesread < toread) { + bytes = read(fd, keybuffer + bytesread, toread - bytesread); + if (bytes <= 0) { + fprintf(stderr, "Failed to read entire key\n"); + goto error_keybuffer; + } + bytesread += bytes; + } + + /* Clean up */ + close(fd); + free(keypath); + umount(tmppath); + rmdir(tmppath); + + /* Write result */ + byteswritten = 0; + towrite = toread; + while (byteswritten < towrite) { + bytes = write(STDOUT_FILENO, keybuffer + byteswritten, + towrite - byteswritten); + if (bytes <= 0) { + fprintf(stderr, "Failed to write entire key\n"); + memset(keybuffer, 0, toread); + free(keybuffer); + goto error; + } + byteswritten += bytes; + } + + /* Clean up */ + memset(keybuffer, 0, toread); + free(keybuffer); + + /* Done */ + exit(EXIT_SUCCESS); + + /* Error handling */ +error_keybuffer: + memset(keybuffer, 0, toread); + free(keybuffer); +error_close: + close(fd); +error_free: + free(keypath); +error_umount: + umount(tmppath); +error_rmdir: + rmdir(tmppath); +error: + exit(EXIT_FAILURE); +} + --- cryptsetup-1.0.6.orig/debian/CryptoRoot.HowTo +++ cryptsetup-1.0.6/debian/CryptoRoot.HowTo @@ -0,0 +1,97 @@ +******** +* NOTE * +******** + +This procedure describes how to setup an encrypted root fs using +initrd-tools and cryptsetup. + +initrd-tools are no longer supported (for kernels > 2.6.12), and +if you are going to setup an encrypted root file system, you are +probably better off following the instructions in README.initramfs +which describes a similar procedure but for initramfs-tools which +support more recent 2.6 kernels. + +If you wish to perform a Debian installation to an encrypted root, +you might be interested in using a version of Debian Installer +with partman-crypto (experimental at the time of writing), which +will install the system and setup cryptsetup and initramfs-tools. + +************ +* END NOTE * +************ + +To setup cryptoroot you will need several things: + - an existing /boot partition + - a boot loader pointing at /boot (i recommend grub) + - a standard debian kernel + - an encrypted partition for the root filesystem + - a /etc/crypttab describing the root filesystem + - a /etc/fstab referring to the encrypted device mapper name + +Step by step: + +# Enter run-level 1 +init 1 + +# Install a standard debian linux kernel (>= 2.6.4) and the initrd-tools +# packages, replace 2.6.12-1 with the kernel version you'd like to install, +# and 386 with whatever architecture you have (such as k8) +apt-get install initrd-tools linux-image-2.6.12-1-386 + +# Edit /etc/crypttab and add the following line +# Replace /dev/hda4 with your backing device (lvm is ok, as is raid) +root /dev/hda4 none cipher=aes-cbc-essiv:sha256 + +# Note: Specifying this cipher and IV generation through the "cipher=" +# parameter mode avoids the watermark attack mentioned in README.html. +# However, unlike the default parameters, it creates an encrypted +# partition that is incompatible with the old cryptoloop implementation. +# If that matters to you, omit the cipher specification (and live with +# the watermark attack). + +# Start the encrypted root filesystem +/etc/init.d/cryptdisks start + +# Enter a password for the filesystem when prompted +my_boot_password + +# Now, setup a filesystem (/dev/mapper/root is always the encrypted disk) +mkfs.ext3 /dev/mapper/root + +# Mount the device for initialization +mount /dev/mapper/root /mnt + +# Copy your root filesystem into place +cp -axv / /mnt + +# Edit the new root's /mnt/etc/fstab to add the line +/dev/mapper/root / ext3 defaults 0 1 +# Remove whatever the old root filesystem line was + +# Enter the new root filesystem +chroot /mnt /bin/bash + +# Mount your core filesystems (/usr, /var, etc) +mount sysfs /sys -t sysfs +mount proc /proc -t proc +mount /dev/??? /boot + +# Prepare mkinitrd to create the initrd. Add the following lines to +# /etc/mkinitrd/modules (varies depending on the cipher you use): +sha256 +aes_i586 + +# Setup the initrd (change 2.6.12-1-386 to the correct value, just as above) +mkinitrd -o /boot/initrd.img-2.6.12-1-386 + +# Configure your boot loader to use /dev/mapper/root for the root filesystem +# If you are using grub, you can test boot without changing your old setup + +# Re-run your boot-loader setup program if needed (lilo) +# Reboot! + +# If all works out, you will be prompted for a password at boot-up + +# You can now add entries in /etc/crypttab for other partitions. +# Note that since /etc/keys is encrypted, it is ok to keep keys for the other +# partitions in this directory. This is _NOT_ ok for unencrypted root. --- cryptsetup-1.0.6.orig/debian/cryptdisks.functions +++ cryptsetup-1.0.6/debian/cryptdisks.functions @@ -0,0 +1,633 @@ +# +# This file is for inclusion with +# . /lib/cryptsetup/cryptdisks.functions +# and should not be executed directly. + +PATH="/sbin:/bin" +TABFILE=/etc/crypttab +CRYPTDISKS_ENABLE="Yes" + +#set -x + +# Sanity checks +[ -x /sbin/cryptsetup ] || exit 0 +[ -f "$TABFILE" ] || exit 0 + +. /lib/lsb/init-functions + +if [ -r /etc/default/cryptdisks ]; then + . /etc/default/cryptdisks +fi + +MOUNT="$CRYPTDISKS_MOUNT" + +# Parses the option field from the crypttab file +parse_opts () { + local opts opt IFS PARAM VALUE + + # Strip comments - https://bugs.launchpad.net/bugs/185380 + opts=$(echo -n $1 | sed 's/ *#.*//') + LOUD="" + PARAMS="" + CHECK="" + CHECKARGS="" + PRECHECK="" + TRIES="3" + TMPFS="" + MAKESWAP="" + USELUKS="" + KEYSCRIPT="" + IGNORE="" + + # Parse the options field, convert to cryptsetup parameters + # and construct the command line + IFS=',' + for opt in $opts; do + PARAM=$(echo "$opt" | sed 's/=.*//') + VALUE=$(echo "$opt" | sed '/=/!d;s/^.*=//') + + case "$PARAM" in + readonly) + PARAMS="$PARAMS -r" + ;; + cipher) + if [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for cipher option, skipping" + return 1 + fi + PARAMS="$PARAMS -c $VALUE" + ;; + size) + if [ -z "$VALUE" ] || echo "$VALUE" | grep -q "^[[:digit:]]\+$" && [ "$VALUE" -gt 0 ]; then + PARAMS="$PARAMS -s $VALUE" + else + log_warning_msg "$dst: option size used with an incorrect argument, skipping" + return 1 + fi + ;; + hash) + if [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for hash option, skipping" + return 1 + fi + PARAMS="$PARAMS -h $VALUE" + ;; + offset) + if [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for offset option, skipping" + return 1 + fi + PARAMS="$PARAMS -o $VALUE" + ;; + skip) + if [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for skip option, skipping" + return 1 + fi + PARAMS="$PARAMS -p $VALUE" + ;; + verify) + PARAMS="$PARAMS -y" + ;; + check) + if [ -z "$VALUE" ]; then + VALUE="$CRYPTDISKS_CHECK" + fi + if [ -x "$VALUE" ]; then + CHECK="$VALUE" + elif [ -x "/lib/cryptsetup/checks/$VALUE" ]; then + CHECK="/lib/cryptsetup/checks/$VALUE" + else + log_warning_msg "check $VALUE is not an executable script, skipping" + return 1 + fi + ;; + checkargs) + if [ -n "$VALUE" ]; then + CHECKARGS="$VALUE" + fi + ;; + precheck) + if [ -z "$VALUE" ]; then + VALUE="$CRYPTDISKS_PRECHECK" + fi + if [ -x "$VALUE" ]; then + PRECHECK="$VALUE" + elif [ -x "/lib/cryptsetup/checks/$VALUE" ]; then + PRECHECK="/lib/cryptsetup/checks/$VALUE" + else + log_warning_msg "precheck $VALUE is not an executable script, skipping" + return 1 + fi + ;; + tries) + if echo "$VALUE" | grep -q "^[[:digit:]]\+$" && [ "$VALUE" -gt 0 ]; then + TRIES="$VALUE" + else + log_warning_msg "$dst: option tries used with an incorrect argument - forced to $TRIES" + fi + ;; + swap) + MAKESWAP="yes" + SWCHECK="/lib/cryptsetup/checks/un_vol_id" + SWCHECKARGS="swap" + ;; + tmp) + if [ -z "$VALUE" ]; then + TMPFS="ext2" + else + TMPFS="$VALUE" + fi + ;; + luks) + USELUKS="yes" + ;; + noearly) + if [ "$INITSTATE" = "early" ]; then + IGNORE="yes" + fi + ;; + noauto) + if [ -n "$INITSTATE" ]; then + IGNORE="yes" + fi + ;; + loud) + LOUD="yes" + ;; + keyscript) + if [ -n "$KEYSCRIPT" ]; then + log_warning_msg "$dst: multiple key decryption options are not allowed together, skipping" + return 1 + elif [ -x "$VALUE" ]; then + KEYSCRIPT="$VALUE" + elif [ -x "/lib/cryptsetup/scripts/$VALUE" ]; then + KEYSCRIPT="/lib/cryptsetup/scripts/$VALUE" + elif [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for keyscript option, skipping" + return 1 + else + log_warning_msg "script $VALUE is not an executable script, skipping" + return 1 + fi + ;; + esac + done + + return 0 +} + +# Set up loopback devices +lo_setup () { + #local loopdev + + if [ ! -f "$src" ]; then + return 0 + fi + + if [ ! -x /sbin/losetup ]; then + return 1 + fi + + if ! grep -q "[[:space:]]loop$" /proc/devices; then + modprobe -qb loop > /dev/null 2>&1 || return 1 + fi + + loopdev=$(losetup -f 2> /dev/null) || return 1 + + losetup "$loopdev" "$src" || return 1 + src="$loopdev" + return 0 +} + +rm_lo_setup () { + if [ ! -f "$src" ]; then + return 0 + fi + + if [ -n "$loopdev" ]; then + losetup -d "$loopdev" || return 1 + fi + return 0 +} + +# Sanity check for keys +check_key () { + local GMODE OMODE OWNER GROUP + + # If the keyscript option is set, the "key" is just an argument to + # the keyscript and not necessarily a file + if [ -n "$KEYSCRIPT" ]; then + return 0 + fi + + if [ -z "$key" ] || [ "$key" = "none" ]; then + key="" + return 0 + fi + + if [ ! -e "$key" ]; then + log_warning_msg "$dst: keyfile not found" + return 1 + fi + + # stat is unfortunately in /usr/bin... + OMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{7\}//') + GMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/') + GROUP=$(ls -l "$key" | sed 's/^.\{11\}[^[:space:]]* [^[:space:]]* \([^[:space:]]*\).*/\1/') + # regex needs to work if keyfile has xattrs - https://launchpad.net/bugs/231339 + OWNER=$(ls -l "$key" | sed 's/^.\{10\}[+]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/') + + # LUKS requires a persistent key, /dev/*random is not supported + if [ "$USELUKS" = "yes" ] && [ "$key" != "${key%random}" ]; then + log_warning_msg "$dst: LUKS does not work with random data as key" + return 1 + fi + + # Check owner + if [ "$OWNER" != "root" ]; then + log_warning_msg "$dst: INSECURE OWNER FOR $key, see /usr/share/doc/cryptsetup/README.Debian." + fi + + # If key is random, we're done + if [ "$key" != "${key%random}" ]; then + return 0 + fi + + # Check group and other permissions + if [ "$OMODE" != "---" ] || [ "$GROUP" != "root" ] && [ "$GMODE" != "---" ]; then + log_warning_msg "$dst: INSECURE MODE FOR $key, see /usr/share/doc/cryptsetup/README.Debian." + fi + + return 0 +} + +# Setup a luks mapping +do_luks () { + local tried keyscriptarg + tried=0 + keyscriptarg="" + + if ! cryptsetup isLuks "$src" >/dev/null 2>&1; then + log_warning_msg "$dst: device '$src' is not a LUKS partition, skipping" + return 1 + fi + + if [ -n "$KEYSCRIPT" ]; then + # keyscript => "key" is just an argument to the keyscript + keyscriptarg="$key" + key="-" + elif [ -z "$key" ]; then + # no keyscript, no key => password + keyscriptarg="Enter passphrase to unlock the disk $src ($dst): " + key="-" + KEYSCRIPT="/lib/cryptsetup/askpass" + elif [ "$key" != "${key%/dev/*}" ]; then + # no keyscript, device key => special treatment + keyscriptarg="" + key="$key" + KEYSCRIPT="" + else + # no keyscript, key => file input + keyscriptarg="$key" + key="-" + KEYSCRIPT="cat" + fi + + PARAMS="$PARAMS --key-file=$key" + + while [ "$tried" -lt "$TRIES" ]; do + if [ -n "$KEYSCRIPT" ]; then + if "$KEYSCRIPT" "$keyscriptarg" | cryptsetup $PARAMS luksOpen "$src" "$dst"; then + break + fi + else + if cryptsetup $PARAMS luksOpen "$src" "$dst"; then + break + fi + fi + + tried=$(( $tried + 1 )) + if [ "$tried" -ge "$TRIES" ]; then + return 1 + fi + done + + if [ -n "$CHECK" ] && ! "$CHECK" "/dev/mapper/$dst" $CHECKARGS; then + log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed" + cryptsetup luksClose "$dst" + return 1 + fi + + return 0 +} + +# Setup a regular mapping +do_noluks () { + local pre_out tried keyscriptarg + tried=0 + keyscriptarg="" + + if [ -z "$PRECHECK" ]; then + PRECHECK="/lib/cryptsetup/checks/un_vol_id" + fi + + if ! pre_out=$("$PRECHECK" "$src" 2> /dev/null) && \ + [ "$MAKESWAP" != "yes" ] && \ + ! /lib/cryptsetup/checks/vol_id "$src" swap >/dev/null; then + log_warning_msg "$dst: the precheck for '$src' failed: $pre_out" + return 1 + fi + + if [ -n "$KEYSCRIPT" ]; then + # keyscript => "key" is just an argument to the keyscript + keyscriptarg="$key" + key="-" + elif [ -z "$key" ]; then + # no keyscript, no key => password + keyscriptarg="Enter passphrase to unlock the disk $src ($dst): " + key="-" + KEYSCRIPT="/lib/cryptsetup/askpass" + else + # no keyscript, key => file input + keyscriptarg="" + key="$key" + KEYSCRIPT="" + fi + + PARAMS="$PARAMS --key-file=$key" + + while [ "$tried" -lt "$TRIES" ]; do + if [ -n "$KEYSCRIPT" ]; then + "$KEYSCRIPT" "$keyscriptarg" | cryptsetup $PARAMS create "$dst" "$src" + else + cryptsetup $PARAMS create "$dst" "$src" + fi + + if [ -z "$CHECK" ] || "$CHECK" "/dev/mapper/$dst" $CHECKARGS; then + break + else + log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed - maybe the password is wrong" + cryptsetup remove "$dst" + fi + + tried=$(( $tried + 1 )) + if [ "$tried" -ge "$TRIES" ]; then + return 1 + fi + done + + return 0 +} + +# Premounts file systems +mount_fs () { + local point + MOUNTED="" + + for point in $MOUNT; do + if mount "$point" >/dev/null; then + MOUNTED="$MOUNTED $point" + fi + done +} + +# Postunmounts file systems +umount_fs () { + local point + + for point in $MOUNTED; do + umount "$point" >/dev/null + done +} + +# Prepares swap partitions using random keys +do_swap () { + local swap_out + + if [ "$MAKESWAP" != "yes" ] || [ ! -b "/dev/mapper/$dst" ]; then + return 0 + fi + + if swap_out=$(/lib/cryptsetup/checks/un_vol_id "/dev/mapper/$dst" 2> /dev/null) || \ + /lib/cryptsetup/checks/vol_id "/dev/mapper/$dst" swap > /dev/null 2>&1; then + mkswap "/dev/mapper/$dst" > /dev/null 2>&1 + else + log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed. /dev/mapper/$dst contains data: $swap_out" + do_close + return 1 + fi + + return 0 +} + +# Prepares tmp partitions using random keys +do_tmp () { + if [ "x$TMPFS" = "x" ] || [ ! -b "/dev/mapper/$dst" ]; then + return 0 + fi + + mkfs -t $TMPFS -q "/dev/mapper/$dst" > /dev/null 2>&1 || return 1 + mount -t $TMPFS "/dev/mapper/$dst" /tmp || return 1 + chmod 1777 /tmp + umount /tmp + return 0 +} + +# Removes a mapping +do_close () { + local found IFS opt + + found="no" + IFS=',' + for opt in $opts; do + if [ "$opt" = "luks" ]; then + found="yes" + break + fi + done + + if [ "$found" = "yes" ]; then + cryptsetup luksClose "$dst" + else + cryptsetup remove "$dst" + fi + return $? +} + +load_optimized_module () { + local module optmodule + module="$1" + + optmodule=$(find "/lib/modules/$(uname -r)/kernel/arch" -name "${module}*.ko" 2> /dev/null) + if [ -n "$optmodule" ] && [ "$(echo -n "$optmodule" | wc -l)" -eq 1 ]; then + modprobe "$optmodule" 2>/dev/null && return 0 + fi + + modprobe "$module" 2>/dev/null || return 1 + return 0 +} + +# Sets up all entries in crypttab +handle_crypttab_line_start () { + dst=$1 + src=$2 + key=$3 + opts=$4 + + # Make sure that all fields are present + if [ -z "$dst" ]; then + continue + elif [ -z "$src" ] || [ -z "$key" ] || [ -z "$opts" ]; then + device_msg "$dst" "skipped, missing parameters" + continue + fi + + # parse UUID= symlinks + if [ "${src#UUID=}" != "$src" ]; then + src="/dev/disk/by-uuid/${src#UUID=}" + elif [ "${src#LABEL=}" != "$src" ]; then + src="/dev/disk/by-label/${src#LABEL=}" + fi + + # Do the preparatory steps + if ! parse_opts "$opts"; then + device_msg "$dst" "invalid opts" + continue + elif ! check_key; then + device_msg "$dst" "invalid key" + continue + elif ! lo_setup; then + device_msg "$dst" "loopback failed" + fi + + # Ignore noauto devices + if [ "$IGNORE" = "yes" ] && [ -z "$FORCE_START" ]; then + device_msg "$dst" "ignored" + continue + fi + + # Make sure source device exists + if [ ! -r "$src" ]; then + if [ "$LOUD" = "yes" ]; then + device_msg "$dst" "skipped, device $src does not exist" + fi + continue + fi + + # Make sure that target device doesn't exist + if [ -b "/dev/mapper/$dst" ]; then + device_msg "$dst" "running" + continue + fi + + # All checks passed, do the real setup + log_action_msg "$dst (starting)" + result="ok" + if [ "$USELUKS" = "yes" ]; then + do_luks || result="fail" + else + do_noluks || result="fail" + fi + + # Finish up + if [ "$result" != "ok" ]; then + rm_lo_setup + device_msg "$dst" "failed" + else + do_swap + do_tmp + device_msg "$dst" "started" + fi + + return 0 +} + +handle_crypttab_line_stop () { + dst=$1 + src=$2 + key=$3 + opts=$4 + + if [ ! -b "/dev/mapper/$dst" ]; then + device_msg "$dst" "stopped" + continue + fi + + opencount=$(dmsetup info -c --noheadings -o open "$dst" 2> /dev/null || true) + if [ -z "$opencount" ]; then + device_msg "$dst" "error" + continue + elif [ "$opencount" != "0" ]; then + device_msg "$dst" "busy" + continue + fi + + #major=$(dmsetup info -c --noheadings -o major "$dst" 2> /dev/null || true) + #minor=$(dmsetup info -c --noheadings -o minor "$dst" 2> /dev/null || true) + src_major=$(dmsetup deps "$dst" 2> /dev/null | sed -e 's/^.*(\([0-9]*\), [0-9]*)$/\1/g' || true) + src_minor=$(dmsetup deps "$dst" 2> /dev/null | sed -e 's/^.*([0-9]*, \([0-9]*\))$/\1/g' || true) + + if [ -z "$src_major" ] || [ -z "$src_minor" ]; then + device_msg "$dst" "error" + continue + fi + + do_close + + # Detach loopback device, if attached + if [ "$src_major" = "7" ]; then + loopdev="/dev/loop${src_minor}" + if ! rm_lo_setup; then + device_msg "$dst" "detaching loopback failed" + continue + fi + fi + + device_msg "$dst" "stopping" + + return 0 +} + +do_start () { + local dst src key opts result + + modprobe -qb dm-mod || true + modprobe -qb dm-crypt || true + dmsetup mknodes > /dev/null 2>&1 || true + log_action_begin_msg "Starting $INITSTATE crypto disks" + mount_fs + + egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do + handle_crypttab_line_start "$dst" "$src" "$key" "$opts" <&3 + done 3<&1 + umount_fs + + log_action_end_msg 0 +} + +# Removes all mappings in crypttab +do_stop () { + local dst src key opts opencount major minor loopmajor + + dmsetup mknodes + log_action_begin_msg "Stopping $INITSTATE crypto disks" + loopmajor=$(grep "[[:space:]]*loop$" /proc/devices | sed 's/^[[:space:]]*//;s/[[:space:]].*//') + + egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do + handle_crypttab_line_stop "$dst" "$src" "$key" "$opts" <&3 + done 3<&1 + + log_action_end_msg 0 +} + +# Convenience function to handle $VERBOSE +device_msg () { + local dst msg + dst="$1" + msg="$2" + + if [ "$VERBOSE" != "no" ]; then + log_action_cont_msg "$dst ($msg)" + fi +} --- cryptsetup-1.0.6.orig/debian/NEWS +++ cryptsetup-1.0.6/debian/NEWS @@ -0,0 +1,127 @@ +cryptsetup (2:1.0.6-7) unstable; urgency=medium + + Support for the timeout option has been removed from cryptdisks initscripts + in order to support splash screens and remote shells in boot process. + The implementation had been unclean and produced many anyway. + If you used the timeout option on headless systems without physical access, + then it's a much cleaner solution anyway, to use the 'noauto' option in + /etc/crypttab, and start the encrypted devices manually with + '/etc/init.d/cryptdisks force-start'. + Another approach is to start a minimal ssh-server in the initramfs and unlock + the encrypted devices after connecting to it. This even supports encrypted + root filesystems for headless server systems. + For more information, please see /usr/share/docs/cryptsetup/README.Debian.gz + + -- Jonas Meurer Tue, 16 Dec 2008 18:37:16 +0100 + +cryptsetup (2:1.0.6-4) unstable; urgency=medium + + The obsolete keyscript decrypt_old_ssl and the corresponding example script + gen-old-ssl-key have been removed from the package. If you're still using + them, either save a local backup of /lib/cryptsetup/scripts/decrypt_old_ssl + and put it back after the upgrade finished, or migrate your setup to use + keyscripts that are still supported. + + -- Jonas Meurer Sun, 27 Jul 2008 16:22:57 +0200 + +cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low + + The default hash used by the initramfs cryptroot scripts has been changed + from sha256 to ripemd160 for consistency with the cryptsetup default. If you + have followed the recommendation to configure the hash in /etc/crypttab this + change will have no effect on you. + + If you set up disk encryption on your system using the Debian installer + and/or if you use LUKS encryption, everything is already set up correctly + and you don't need to do anything. + If you did *not* use the Debian installer and if you have encrypted devices + which do *not* use LUKS, you must make sure that the relevant entries in + /etc/crypttab contain a hash= setting. + + -- Jonas Meurer Tue, 29 Jan 2008 11:46:57 +0100 + +cryptsetup (2:1.0.5-2) unstable; urgency=low + + The vol_id and un_vol_id check scripts no longer regard minix as a valid + filesystem, since random data can be mistakenly identified as a minix + filesystem due to an inadequate signature length. + + If you use minix filesystems, you should not rely on prechecks anymore. + + -- Jonas Meurer Mon, 10 Sep 2007 14:39:44 +0200 + +cryptsetup (2:1.0.4+svn16-1) unstable; urgency=high + + The --key-file=- argument has changed. If a --hash parameter is passed, it + will now be honored. This means that the decrypt_derived keyscript will in + some situations create a different key than previously meaning that any swap + partitions that rely on the script will have to be recreated. To emulate the + old behaviour, make sure that you pass "--hash=plain" to cryptsetup. + + -- David Härdeman Tue, 21 Nov 2006 21:29:50 +0100 + +cryptsetup (2:1.0.4-7) unstable; urgency=low + + The cryptsetup initramfs scripts now also tries to detect swap + partitions used for software suspend (swsusp/suspend2/uswsusp) and + to set them up during the initramfs stage. See README.initramfs for + more details. + + -- David Härdeman Mon, 13 Nov 2006 19:27:02 +0100 + +cryptsetup (2:1.0.4-1) unstable; urgency=low + + The ssl and gpg options in /etc/crypttab have been deprecated in + favour of the keyscripts option. The options will still work, but + generate warnings. You should change any lines containing these + options to use keyscript=/lib/cryptsetup/scripts/decrypt_old_ssl or + keyscript=/lib/cryptsetup/scripts/decrypt_gpg instead as support + will be completely removed in the future. + + -- David Härdeman Mon, 16 Oct 2006 00:00:12 +0200 + +cryptsetup (2:1.0.3-4) unstable; urgency=low + + Up to now, the us keymap was loaded at the passphrase prompt in the boot + process and ascii characters were always used. With this upload this is + fixed, meaning that the correct keymap is loaded and the keyboard is + (optionally) set to UTF8 mode before the passphrase prompt. + + This may result in your password not working any more in the boot process. + In this case, you should add a new key with cryptsetup luksAddKey with your + correct keymap loaded. + + Additionally, all four fields are now mandatory in /etc/crypttab. An entry + which does not contain all fields will be ignored. It is recommented to + set cipher, size and hash anyway, as defaults may change in the future. + + If you didn't set any of these settings yet, then you should add + cipher=aes-cbc-plain,size=128,hash=ripemd160 + to the the options in /etc/crypttab. See man crypttab(5) for more details. + + -- David Härdeman Sat, 19 Aug 2006 18:08:40 +0200 + +cryptsetup (2:1.0.2+1.0.3-rc2-2) unstable; urgency=low + + The crypttab 'retry' has been renamed to 'tries' to reflect upstreams + functionality. Default is 3 tries now, even if the option is not given. + See the crypttab.5 manpage for more information. + + -- Jonas Meurer Fri, 28 Apr 2006 17:42:15 +0200 + +cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low + + Since release 2:1.0.1-9, the cryptsetup package uses cryptsetup-luks as + upstream source. This is a enhanced version of plain cryptsetup which + includes support for the LUKS extension, a standard on-disk format for + hard disk encryption. Plain dm-crypt (as provided by the old cryptsetup + package) is still available, thus backwards compatibility is given. + Nevertheless it is recommended to update your encrypted partitions to + LUKS, as this implementation is more secure than the plain dm-crypt. + + Another major change is the check option for crypttab. It allows to + configure checks that are run after cryptsetup has been invoked, and + prechecks to be run against the source device before cryptsetup has been + invoked. See man crypttab(5) or README.Debian for more information. + + -- Jonas Meurer Fri, 3 Feb 2006 13:41:35 +0100 --- cryptsetup-1.0.6.orig/debian/cryptdisks.init +++ cryptsetup-1.0.6/debian/cryptdisks.init @@ -0,0 +1,51 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: cryptdisks +# Required-Start: checkroot cryptdisks-early +# Required-Stop: umountroot cryptdisks-early +# Should-Start: udev devfsd raid2 mdadm lvm2 evms +# Should-Stop: udev devfsd raid2 mdadm lvm2 evms +# X-Start-Before: checkfs +# Default-Start: S +# Default-Stop: 0 6 +# Short-Description: Setup remaining encrypted block devices. +# Description: +### END INIT INFO + +set -e + +INITSTATE="remaining" +LOUD="yes" + +if [ -r /lib/cryptsetup/cryptdisks.functions ]; then + . /lib/cryptsetup/cryptdisks.functions +else + exit 0 +fi + +case "$CRYPTDISKS_ENABLE" in +[Nn]*) + exit 0 + ;; +esac + +case "$1" in +start) + do_start + ;; +stop) + do_stop + ;; +restart|reload|force-reload) + do_stop + do_start + ;; +force-start) + FORCE_START="yes" + do_start + ;; +*) + echo "Usage: cryptdisks {start|stop|restart|reload|force-reload|force-start}" + exit 1 + ;; +esac --- cryptsetup-1.0.6.orig/debian/README.initramfs +++ cryptsetup-1.0.6/debian/README.initramfs @@ -0,0 +1,194 @@ +1. Introduction +--------------- +Kernels more recent than 2.6.12 have dropped support for devfs, which +means that initrd-tools can no longer be used to boot into an encrypted +root partition. Instead, a similar functionality has been developed for +use with an initramfs-image. + + +2. A fresh installation +----------------------- +If you plan to perform a completely new installation of Debian onto a +machine and to do so using an encrypted root partition, you might want +to consider using a version of Debian Installer with partman-crypto +(see http://wiki.debian.org/DebianInstaller/PartmanCrypto). + +The installation will then take care of all the details and perform the +necessary configuration for you, meaning that you should not have to +read the rest of this document to get a machine with an encrypted +root fs up and running. + +However, if you are not planning to perform a new installation from scratch, +the following information might be useful to you. + + +3. Requirements +--------------- +In order to boot from an encrypted root fs, you need an initramfs-image +which includes the necessary kernel modules and scripts to setup +the root device after the kernel has been initialized, but before the rest +of the operating system is booted. + +To do so, you need two partitions: +- an unencrypted /boot partition +- an encrypted / partition + +In addition, you need to have initramfs-tools installed. + +NOTE: You should make sure that your swap partition is either encrypted, or +that you are using a swap file on an encrypted partition, as crypto keys and +other sensitive information might otherwise be written out to the swap +partition in unencrypted form. + + +4. Setup (regular dm-crypt) +--------------------------- +First of all, you must edit /etc/crypttab and add a line describing your +root device, for example: + + cryptroot /dev/hda2 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256 + +This will allow cryptsetup to create /dev/mapper/cryptroot from the +encrypted partition /dev/hda2 during boot. + +In addition, you must also make sure that the root device is listed in +/etc/fstab, for example: + + /dev/mapper/cryptroot / ext3 defaults 0 1 + +This will allow the initramfs support scripts to know which of the devices +in the crypttab that is the root device. + +After doing these changes, you should regenerate the initramfs by running +"initramfs-update -u", then make sure that your boot loader is configured +to feed the initramfs to the kernel when booting. The kernel root argument +should also be changed to /dev/mapper/cryptroot. + +Now, reboot the machine, and if everything is correctly configured, you +should be given a prompt to type in the passphrase for the encrypted +root partition before the boot can continue. + +NOTE: the initramfs scripts default to using the sha256 hash function while +the plain cryptsetup binary defaults to using the ripemd160 hash function. +In order to ensure that the crypto setup works in a consistant manner, you +should make sure that the hash function is specified in the /etc/crypttab file +if you are using regular dm-crypt (with LUKS the hash function to use is stored +in the LUKS header). + + +5. Setup (using LUKS) +--------------------- +If you are using the LUKS feature of cryptsetup, the above setup recipe should +still apply, but since most options can be derived from the information stored +in the LUKS header on-disk, the line to add to /etc/crypttab should look +something like this: + + cryptroot /dev/sda2 none luks + + +6. Exotic key types +------------------- +The above examples assume that you use a regular passphrase as the key to the +encrypted filesystem. However, if you wish to make use of more complex setups +(such as root-key-on-usb-memory), you can create a script which does all the +steps necessary to retrieve the key and then prints it to stdout. + +Then add a keyscript=/path/to/your/script.sh to the options (fourth column) in +the above mentioned /etc/crypttab line, so that it looks something like this: + + cryptroot /dev/sda2 none luks,keyscript=/usr/local/sbin/cryptkey + +Next, regenerate your initramfs image. This will copy the script into the +initramfs image under the /keyscripts/ directory. + +NOTE: there is a limited set of tools available when the script is executing +as part of the initramfs bootup, you have to make sure that you do not use +any tools which are not available or your script, and therefore boot, will +fail. + + +7. "cryptopts" boot argument +---------------------------- +In general, you should use the above approach with a line describing your +root partition in /etc/crypttab and /etc/fstab. However, if for some reason +you wish to override the settings that are derived from these files and +stored in the initramfs image, you can use the "cryptopts" boot argument +(this *only* works for the root partition). + +The format of cryptopts is: +cryptopts==,=... + +Beside the "hash", "size", "cipher" and "lvm" options that correspond to the +same options in the fourth field of /etc/crypttab, the options "target", +"source" and "key" are also supported. They correspond to the first, second +and third field of /etc/crypttab, respectively. See the crypttab man page +for further details. + +Several "cryptopts" boot arguments can also be specified in case more than +one mapping needs to be setup in the initramfs stage of the boot. + +Example boot arguments: +root=/dev/mapper/crypt0 cryptopts=target=crypt0,source=/dev/hda1,cipher=twofish + +8. Resume device support +------------------------ +The initramfs scripts will also try to automatically determine the devices, +if any, that are used for software suspend (swsusp, suspend2 or uswsusp) and +to set them up during the initramfs stage in order to allow suspend and resume +in combination with encryption to keep the resume image safe from potential +attackers. + +If your resume device and your root partition use two different cryptsetup +mappings, you might want to use the "decrypt_derived" keyscript as described +below. + +9. The "decrypt_derived" keyscript +---------------------------------- +Assume that you have two entries in /etc/crypttab: + +cryptroot /dev/hda1 none luks +cryptswap /dev/hda2 none luks + +If cryptswap is used as your suspend/resume device, you'd normally need to +enter two different passphrases during the boot, but the "decrypt_derived" +script can generate the key for the second mapping using a hash of the key +for the first mapping. + +In short, you'll need to do something like the following to take advantage +of the decrypt_derived script: + +1) swapoff -a +2) cryptsetup luksClose cryptswap +3) edit /etc/crypttab and change the cryptswap line to e.g.: +cryptswap /dev/hda2 cryptroot cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap +4) /etc/init.d/cryptdisks start +5) Make sure that /dev/mapper/cryptswap has been created +6) swapon -a +7) (optional) update-initramfs -u + +After you've followed the above steps, your swap device should be setup +automatically after the root device has been setup during the boot stage. + +Note: If you don't use suspend device support, it's better to use completely +random keys for your encrypted swap device. See the section '2. Encrypted +swap partition(s)' in /usr/share/doc/cryptsetup/README.Debian for information +on how to setup this. + +10. The "passdev" keyscript +---------------------------- +If you have a keyfile on a removable device (e.g. a USB-key), you can use the +passdev keyscript. It will wait for the device to appear, mount it read-only, +read the key and then unmount the device. + +The "key" part of /etc/crypttab will be interpreted as :, it is +strongly recommended that you use one of the persistent device names from +/dev/disk/*, e.g. /dev/disk/by-label/myusbkey. + +This is an example of a suitable line in cryptsetup: +cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev + +The above line would cause the boot to pause until /dev/disk/by-label/myusbkey +appears in the fs, then mount that device and use the file /keys/root.key +on the device as the key (without any hashing) as the key for the fs. + +-- David Härdeman --- cryptsetup-1.0.6.orig/debian/README.Debian +++ cryptsetup-1.0.6/debian/README.Debian @@ -0,0 +1,213 @@ +Cryptsetup for Debian +--------------------- + + Table of Contents + + 1. Introduction into Cryptsetup for Debian + + 2. Encrypted swap partition(s) + + 3. Insecure mode/owner for keys + + 4. Cryptsetup and udev + + 5. The 'check' option + + 6. Cryptsetup and Splashy + + 7. Remotely unlock encrypted rootfs + + 8. Credits + + +1. Introduction into Cryptsetup for Debian +------------------------------------------ + + Cryptsetup is a command-line interface for configuring encrypted block +devices via dm-crypt, a kernel device-mapper target. +The Debian cryptsetup package provides the initscript /etc/init.d/cryptdisks +and a configuration file /etc/crypttab for automatically configuring +encrypted devices at boot time. See man crypttab(5) for more information. + + The /sbin/luksformat script provides a simple interface for creating an +encrypted device that follows the LUKS standard and for putting a file system +onto the encrypted device. See man luksformat(8) for more information. + + If you wish to perform a Debian installation to an encrypted root, you might +be interested in using a version of Debian Installer with partman-crypto, +which will install the system and setup cryptsetup and initramfs-tools. + + For instructions about how to encrypt your root filesystem and integrate +cryptsetup into initramfs on a running system, see + /usr/share/doc/cryptsetup/README.initramfs.gz. + +For instructions about how to encrypt your swap partition(s), see below. + + +2. Encrypted swap partition(s) +------------------------------ + + An encrypted swap partition prevents spying on plaintext secrets (passwords) +that may be written to disk when memory is swapped to disk. + + To encrypt your swap partitions, you'll first have to deactivate your swap: + +swapoff -a + + You'll have to add an entry for every swap partition in /etc/crypttab. Be +sure toeplace the source device (here /dev/hda9) with your swap devices: +# +cswap1 /dev/hda9 /dev/random swap,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256 + + Now you need to change the swap devices in /etc/fstab to the encrypted swap +device names (/dev/mapper/cswap1 in this example). + +# +/dev/hda9 none swap sw 0 0 + +becomes + +# +/dev/mapper/cswap1 none swap sw 0 0 + + + Finally, you need to start the cryptsetup swap devices and reactivate swap: + +/etc/init.d/cryptdisks start +swapon -a + + That's it! You have a crypted swap device. Note that /dev/random as source +for your keyfile in /etc/crypttab might not generate enough random bytes. +If you're in doubt, you can use the (less secure) device /dev/urandom instead. + + Read the crypttab(5) manpage for more information, for example options to use +a different encryption algorithm than the default. + + +3. Insecure mode/owner for keys +------------------------------- + + Any key that is stored somewhere to be used with cryptsetup should have the +mode 400 (-r--------) and owner/group root. This way only root has permissions +to read the file. 'chown root.root keyfile' and 'chmod 400 keyfile' will do +the trick for you. + + If a key is stored on a vfat filesystem (very common for removable media), +chmod and chown will not work. The vfat filesytem (and several others too) +does not support file permissions and ownership. Instead, you should use the +uid, gid and umask options in /etc/fstab to ensure secure permissions for the +key. + + As an example, assume that /dev/sdg2 is the removable media containing +keyfiles on a vfat filesystem and that it is going to be mounted on +/media/flash0. The configuration in /etc/fstab should then be something +like this: + +# +/dev/sdg2 /media/flash0 vfat uid=0,gid=0,umask=277 0 0 + + If you are using udev, it might be a good idea to use the /dev/disk/by-label +links instead of /dev/sdg2 as the link will work no matter in which order the +media is inserted and detected. + + +4. Cryptsetup and udev +---------------------- + + As a workaround for some yet-to-be-fixed race condition in kernel, +device-mapper or udev, cryptsetup currently runs udevsettle. + + This leads to problems if you invoke cryptsetup as part of a udev rule. +udevsettle waits until queued kernel/udev events are processed and the +'run programs' have finished. Due to cryptsetup itself being a 'run +program' in this case, this ends in a deadlock. + + Therefore cryptsetup should be detached directly after invocation in this +case, so that it runs asynchronously. + + +5. The 'check' option +--------------------- + + The 'check' option in crypttab allows to configure checks to be run against +the target device after cryptsetup has been invoked. +The default check 'vol_id' can check for any known filesystem type, as it uses +vol_id from udev. you can check for a particular filesystem by giving for +example 'checkargs=ext2' or 'checkargs=swap' as an option in /etc/crypttab. + + The 'precheck' option is for configuring checks to be run against the source +device before cryptsetup has been invoked. They are only available for plain +cryptsetup devices. LUKS devices have a hardcoded precheck that uses the +'isLuks' command of cryptsetup. +As there is no way to check a device for plain cryptsetup data, you can only +check for data that should not be on the device. for example the check could +search for common filesystems on the device, and abort if it finds any. +As this will never really ensure that no data is lost, the package doesn't +provide such a check. +Another example for a precheck could be to check the partition table id. For +a device that shall be used as swap partition, it could verify that only +partitions with type 'swap' (82) are used for encrypted swap. + + Please send us your checks, if you write new ones. If they are generally +useful, we will include them in the package. + + See man crypttab(5) for more information about the checksystem. + + +6. Cryptsetup and Splashy +------------------------- + + Splashy support in cryptsetup is currently somehow limited. Splashy is known +to freeze at the password dialog for encrypted non-root filesystems. Only the +password dialog for the encrypted root filesystem works. + + It seems like splashy freezes for any input dialog in initscripts while +input dialogs at initramfs stage seem to work. This leads to the assumption +that the bug is somewhere in splashy and neither in cryptsetups initscripts +nor in askpass, the keyscript that is responsible for cryptsetups passphrase +input dialogs. + + +7. Remotely unlock encrypted rootfs +----------------------------------- + + Thanks to Chris it's possible to install a dropbear ssh +server into the initramfs, connect to this ssh server during execution of +initramfs early in the boot process, and unlock encrypted devices - even the +root device - before the boot process continues. + + This way it is possible to use an encrypted root filesystem on headless +systems where no physical access is available during boot process. + + Unfortunately dropbear 0.52-1 is required for this to work. As this version +is not incuded in lenny, you'll have to install it manually. Thankfully this +version configures everything automatically, so all you have to do after +installing dropbear on the remote system, is to copy the root ssh keyfile from +/etc/initramfs/root/ssh/id_rsa to your local system: + +$ scp remote.system.com:/etc/initramfs/root/ssh/id_rsa remote_rsa + + Now the remote system should start dropbear automatically during initramfs +excecution at the boot process. You can login into the initramfs via ssh + +$ ssh -i remote_rsa -l root remote.system.com + + and echo the passphrase to a fifo file on the remote system: + +# echo -n "my_secret_passphrase" > /lib/cryptsetup/passfifo + + That's it. Now that the encrypted root device is unlocked, the remote system +should continue with the boot process. + + +8. Credits +---------- + + People who contributed to documentation for the Debian cryptsetup package: + +Jonas Meurer +David Härdeman +Bastian Kleineidam +Michael Gebetsroither + + -- Jonas Meurer , Sun, 27 Jul 2008 17:02:56 +0200 --- cryptsetup-1.0.6.orig/debian/compat +++ cryptsetup-1.0.6/debian/compat @@ -0,0 +1 @@ +5 --- cryptsetup-1.0.6.orig/debian/watch +++ cryptsetup-1.0.6/debian/watch @@ -0,0 +1,2 @@ +version=3 +opts="uversionmangle=s/luks-//;s/-pre/~pre/;s/-rc/~rc/" http://cryptsetup.googlecode.com/files/cryptsetup-(.*)\.tar\.bz2 --- cryptsetup-1.0.6.orig/debian/cryptsetup.postinst +++ cryptsetup-1.0.6/debian/cryptsetup.postinst @@ -0,0 +1,61 @@ +#! /bin/sh + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# + +case "$1" in + configure) + if [ -x /usr/sbin/update-initramfs ]; then + update-initramfs -u + fi + + # Do a number of checks on the currently installed crypttab + egrep -v "^[[:space:]]*(#|$)" /etc/crypttab | while read dst src key opts; do + if [ -z "$dst" ]; then + continue + elif [ -z "$src" ] || [ -z "$key" ] || [ -z "$opts" ]; then + # All fields must be present + echo "WARNING: $dst in /etc/crypttab is missing some arguments, see man cryptab(5)." >&2 + continue + else + # Some options are deprecated + while [ -n "$opts" ]; do + opt=$(echo $opts | sed "s/,.*//") + opts=${opts##$opt} + opts=${opts##,} + + if [ "$opt" = "ssl" ]; then + echo "WARNING: $dst in /etc/crypttab uses the deprecated ssl option, see man crypttab(5)." >&2 + elif [ "$opt" = "gpg" ]; then + echo "WARNING: $dst in /etc/crypttab uses the deprecated gpg option, see man crypttab(5)." >&2 + fi + done + fi + + done + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 --- cryptsetup-1.0.6.orig/debian/README.source +++ cryptsetup-1.0.6/debian/README.source @@ -0,0 +1,2 @@ +This package uses quilt for its patch management, see +/usr/share/doc/quilt/README.source if you are unfamiliar with it. --- cryptsetup-1.0.6.orig/debian/checks/un_vol_id +++ cryptsetup-1.0.6/debian/checks/un_vol_id @@ -0,0 +1,33 @@ +#!/bin/sh +# this script depends on /lib/udev/vol_id from the udev package + +# usage: un_vol_id +# may be any device that should be checked. +# if no is given, the check fails for any valid filesystem +# if is given, the check fails when a filesystem type +# is found on the device. + +# note that the 'minix' fs is filtered out if checking for any valid fs, +# as it has been reported that this fs my be detected erroneously by vol_id. + +if test ! -x "/lib/udev/vol_id"; then + echo " - WARNING: vol_id from udev is not available, impossible to run checks." + exit 0 +fi + +dev=$1 +fs=$2 + +vol_id=`/lib/udev/vol_id -t $dev 2>&1` + +# vol_id output if $dev has an unknown filesystem +pattern=`echo $dev | sed 's/\//\\\\\//g'` +unknown=`/lib/udev/vol_id -t /dev/null 2>&1 | sed "s/\/dev\/null/$pattern/g"` + +if [ "$vol_id" != "$unknown" ] && [ "$vol_id" != "minix" ] && [ -z "$fs" ]; then + echo " - The device $dev contains a valid filesystem type $vol_id." + exit 1 +elif [ -n "$fs" ] && [ "$vol_id" = "$fs" ]; then + echo " - The device $dev contains a filesystem type $fs." + exit 1 +fi --- cryptsetup-1.0.6.orig/debian/checks/xfs +++ cryptsetup-1.0.6/debian/checks/xfs @@ -0,0 +1,10 @@ +#!/bin/sh +#thanks Martin Steigerwald + +ulimit -c 0 +if /usr/sbin/xfs_admin -l $1 2>/dev/null 1>&2; then + exit 0 +else + echo " - The device $1 does not contain a valid XFS filesystem." + exit 1 +fi --- cryptsetup-1.0.6.orig/debian/checks/ext2 +++ cryptsetup-1.0.6/debian/checks/ext2 @@ -0,0 +1,8 @@ +#!/bin/sh + +if /sbin/e2label $1 2>/dev/null 1>&2; then + exit 0 +else + echo " - The device $1 does not contain a valid EXT2 or EXT3 filesystem." + exit 1 +fi --- cryptsetup-1.0.6.orig/debian/checks/vol_id +++ cryptsetup-1.0.6/debian/checks/vol_id @@ -0,0 +1,37 @@ +#!/bin/sh +# this script depends on /lib/udev/vol_id from the udev package + +# usage: vol_id +# may be any device that should be checked. +# if no is given, the check fails if no valid filesystem is found. +# if is given, the check fails when no filesystem type +# is found on the device. if is 'none', the check fails if any +# know filesystem is found. + +# note that the 'minix' fs is filtered out if checking for any valid fs, +# as it has been reported that this fs my be detected erroneously by vol_id. + +if test ! -x "/lib/udev/vol_id"; then + echo " - WARNING: vol_id from udev is not available, impossible to run checks." + exit 0 +fi + +dev=$1 +fs=$2 + +vol_id=`/lib/udev/vol_id -t $dev 2>&1` + +# vol_id output if $dev has an unknown filesystem +pattern=`echo $dev | sed 's/\//\\\\\//g'` +unknown=`/lib/udev/vol_id -t /dev/null 2>&1 | sed "s/\/dev\/null/$pattern/g"` + +if [ "$vol_id" = "$unknown" ] && [ -z "$fs" ]; then + echo " - The device $dev does not contain a known filesystem." + exit 1 +elif [ "$vol_id" != "$unknown" ] && [ "$vol_id" != "minix" ] && [ "$fs" = "none" ]; then + echo " - The device $dev contains a valid filesystem type $vol_id." + exit 1 +elif [ -n "$fs" ] && [ "$vol_id" != "$fs" ]; then + echo " - The device $dev does not contain a filesystem type $fs." + exit 1 +fi --- cryptsetup-1.0.6.orig/debian/checks/swap +++ cryptsetup-1.0.6/debian/checks/swap @@ -0,0 +1,10 @@ +#!/bin/sh + +ulimit -c 0 +if dd if="$1" bs=4k count=1 2>/dev/null | grep -E '(SWAPSPACE2)|(SWAP_SPACE)' >/dev/null; then + exit 0 +else + echo " - The device $1 is not a valid SWAP partition." + exit 1 +fi + --- cryptsetup-1.0.6.orig/debian/doc/cryptdisks_start.xml +++ cryptsetup-1.0.6/debian/doc/cryptdisks_start.xml @@ -0,0 +1,54 @@ + + + + + + + + + cryptdisks_start + 8 + + + + + cryptdisks_start + wrapper around cryptsetup which parses /etc/crypttab. + + + + + cryptdisks_start + <name> + + + + + DESCRIPTION + + cryptdisks_start is a wrapper around + cryptsetup which parses + /etc/crypttab just like the initscript + /etc/init.d/cryptdisks does, and starts the dm-crypt mapping which + corresponds to <name>. + + + + + SEE ALSO + + cryptsetup(8), crypttab(5) + + + + + AUTHORThis manual page was written by Jonas Meurer + <mejo@debian.org> in December 2007. + + + + --- cryptsetup-1.0.6.orig/debian/doc/manpages.xml +++ cryptsetup-1.0.6/debian/doc/manpages.xml @@ -0,0 +1,9 @@ + + + + + Manual Pages + + + + --- cryptsetup-1.0.6.orig/debian/doc/cryptdisks_stop.xml +++ cryptsetup-1.0.6/debian/doc/cryptdisks_stop.xml @@ -0,0 +1,54 @@ + + + + + + + + + cryptdisk_stop + 8 + + + + + cryptdisks_stop + wrapper around cryptsetup which parses /etc/crypttab. + + + + + cryptdisks_stop + <name> + + + + + DESCRIPTION + + cryptdisks_stop is a wrapper around + cryptsetup which parses + /etc/crypttab just like the initscript + /etc/init.d/cryptdisks does, and stops the dm-crypt mapping which corresponds + to <name>. + + + + + SEE ALSO + + cryptsetup(8), crypttab(5) + + + + + AUTHORThis manual page was written by Jonas Meurer + <mejo@debian.org> in January 2008. + + + + --- cryptsetup-1.0.6.orig/debian/doc/variables.xml.in +++ cryptsetup-1.0.6/debian/doc/variables.xml.in @@ -0,0 +1,16 @@ + + + + + + + VERSION + cryptsetup + cryptsetup manual + + + + DATE + + + --- cryptsetup-1.0.6.orig/debian/doc/crypttab.xml +++ cryptsetup-1.0.6/debian/doc/crypttab.xml @@ -0,0 +1,412 @@ + + + + + + + + + crypttab + 5 + + + + + crypttab + static information about encrypted filesystems + + + + DESCRIPTION + + The file /etc/crypttab contains descriptive + information about encrypted filesystems. crypttab + is only read by programs, and not written; it is the duty of the system + administrator to properly create and maintain this file. Each filesystem is + described on a separate line; fields on each line are separated by tabs or + spaces. Lines starting with # are comments, empty lines are + ignored. The order of records in crypttab is important + because the init scripts sequentially iterate through + crypttab doing their thing. + + + The first field, target, describes the mapped + device name. It must be a plain filename without any directory components. + A mapped device which encrypts/decrypts data to/from the source + device will be created at + /dev/mapper/target by + cryptsetup. + + + The second field, source device, describes either the + block special device or file (which will be automatically mounted as a loop + device) that should hold the encrypted data. + + + The third field, key file, describes the file to use + as a key for decrypting the data of the source device. + It can also be a device name (e.g. + /dev/random), note however that + LUKS requires a persistent key and therefore does not + support random data keys. + + + If the key file is the string none, + a passphrase will be read interactively from the console. In this case, the + options precheck, check, checkargs and tries may be useful. + + + The fourth field, options, describes the cryptsetup + options associated with the encryption process. At minimum, the field should + contain the string luks or the + cipher, hash and + size options. + + + Options are in the format: key=value + [,key=value …]. The + supported options are described below. + + + Note that all four fields are mandatory and that a missing field will lead + to unspecified behaviour. + + + + + OPTIONS + + + cipher=<cipher> + + + Encryption algorithm. See cryptsetup -c. + + + + + + size=<size> + + + Encryption key size. See cryptsetup -s. + + + + + + hash=<hash> + + + Hash algorithm. See cryptsetup -h. + + + + + + offset=<offset> + + + Start offset. Uses cryptsetup -o. + + + + + + skip=<skip> + + + Skip sectors at the beginning. Uses cryptsetup -p. + + + + + + verify + + + Verify password. Uses cryptsetup -y. + + + + + + readonly + + The backing device is read-only (eg: a dvd). + + + + + luks + + Use device with luks extensions. + + + + + swap + + + Run mkswap on the created device. + + + + + + tmp=<tmpfs> + + + Run mkfs with filesystem type + <tmpfs> on the created device. Default is ext2. + + + + + + precheck=<precheck> + + Check the source device by suitable program; if the check fails, + the device is not created; <precheck> is a script to check the + source device. The sourcedevice is given as an argument to the script. + + + + + + check=<check> + + Check the content of the device by a suitable program; if the + check fails, the device is removed. If a program is provided as an + argument, it is run, giving the decrypted volume (target device) as the + first argument, and the value of the checkargs option as the second + argument. Cryptdisks searches for the given program in + /lib/cryptsetup/checks/. + Default is vol_id. + + + + + + checkargs=<arguments> + + Give <arguments> as the second argument to the check + script. See the CHECKSCRIPTS section for more information. + + + + + + tries=<num> + + The input of the passphrase is tried <num> times in case + of failure. If you want to disable retries, pass tries=1. + Default is 3. For the root device, tries=0 enables + infinitive retries due to a special case in the initramfs scripts. + + + + + + noearly + + The cryptsetup init scripts are invoked twice during the boot + process - once before lvm, evms, raid, etc. are started and once again + after that. Sometimes you need to start your encrypted disks in a special + order. With this option the device is ignored during the first invokation + of the cryptsetup init scripts. + + + + + + noauto + + Entirely ignore the device at the boot process. It's still + possible to map the device manually using cryptdisks_start. + + + + + + loud + + Be loud. Print warnings if a device does not exist. + + + + + keyscript=<path> + + + The executable at the indicated path is executed with the + key file from the third field of the crypttab as its + only argument and the output is used as the key. This also works with + encrypted root filesystems via initramfs if the executable is + self-contained (i.e. an executable which does not rely on any external + program which is not present in the initramfs environment). + + + + + + + + CHECKSCRIPTS + + + vol_id + + Checks for any known filesystem. Supports a filesystem type as + argument via<checkargs>:no checkargs - succeeds if any valid + filesystem is found on the device."none" - succeeds if no valid + filesystem is found on the device."ext3" [or any other filesystem type + like xfs, swap, crypto_LUKS, whatever] - succeedsif an ext3 [or another + given] filesystem type is found on the device. + + + + + + un_vol_id + + Checks for no known filesystem. Supports a filesystem type as + argument via<checkargs>:no checkargs - succeeds if no valid + filesystem is found on the device."ext3" [or any other filesystem type + like xfs, swap, crypto_LUKS, whatever] - succeedsif no ext3 [or another + given] filesystem type is found on the device. + + + + + + ext2 + + Checks for a valid ext2/ext3 filesystem. + + + + + xfs + + Checks for a valid xfs filesystem. + + + + + + + EXAMPLES + + +# Encrypted swap device +cswap /dev/sda6 /dev/random swap + +# Encrypted luks disk with interactive password +cdisk0 /dev/hda1 none luks + +# Encrypted ext2 disk with interactive password +# - retry 5 times if the check fails +cdisk1 /dev/sda2 none checkargs=ext2,tries=5 + +# Encrypted disk with interactive password +# - use a nondefault check script +# - no retries +cdisk2 /dev/hdc1 none check=customscript,tries=1 + +# Encrypted disk with interactive password +# - twofish as the cipher +cdisk3 /dev/sda3 none cipher=twofish + + + + + + ENVIRONMENT + + + CRYPTDISKS_ENABLE + + + Set to yes to run cryptdisks at startup. Set to + no to disable cryptdisks. + + + + + + CRYPTDISKS_MOUNT + + Specifies the mountpoints that are mounted before cryptdisks is + invoked. Useful for keys on removable devices, such as cdrom, usbstick, + flashcard, etc. + + + + + + CRYPTDISKS_CHECK + + Specifies the checkscript to be run against the target device, + after cryptdisks has been invoked. The target device is passed as the + first and only argument to the checkscript. Takes effect if the + check option is given in crypttab with no value. + + + + + + CRYPTDISKS_PRECHECK + + Specifies the checkscript to be run against the source device, + before cryptdisks has been invoked. The source device is given as the + first and only argument to the checkscript. Takes effect if the + precheck option is given in crypttab with no value. + + + + + + + + SEE ALSO + + cryptsetup(8) + /etc/crypttab + + + + + AUTHOR + + This manual page was originally written by + + Bastian + Kleineidam + + calvin@debian.org + for the Debian distribution of cryptsetup. It has been further improved by + + Michael + Gebetsroither + + michael.geb@gmx.at, + + Jonas + Meurer + + jonas@freesources.org + and + + David + Härdeman + + david@hardeman.nu. + + + + --- cryptsetup-1.0.6.orig/debian/patches/04_fix_udevsettle_call.patch +++ cryptsetup-1.0.6/debian/patches/04_fix_udevsettle_call.patch @@ -0,0 +1,12 @@ +diff -uprN cryptsetup-1.0.6/lib/libdevmapper.c cryptsetup-1.0.6.new/lib/libdevmapper.c +--- cryptsetup-1.0.6/lib/libdevmapper.c 2008-09-19 18:01:47.757717590 -0500 ++++ cryptsetup-1.0.6.new/lib/libdevmapper.c 2008-09-19 17:26:42.937831000 -0500 +@@ -18,7 +18,7 @@ + + #define CRYPT_TARGET "crypt" + +-#define UDEVSETTLE "/sbin/udevsettle" ++#define UDEVSETTLE "/sbin/udevadm settle" + + static void run_udevsettle(void) + { --- cryptsetup-1.0.6.orig/debian/patches/02_manpage.patch +++ cryptsetup-1.0.6/debian/patches/02_manpage.patch @@ -0,0 +1,52 @@ +## 02_manpage.patch +## by Martin Pitt and others +## +## several documentation and typo fixes. + +--- a/man/cryptsetup.8 ++++ b/man/cryptsetup.8 +@@ -1,4 +1,4 @@ +-.TH CRYPTSETUP "8" "March 2005" "cryptsetup 1.0.3" "Maintainance Commands" ++.TH CRYPTSETUP "8" "March 2005" "cryptsetup 1.0.6" "Maintenance Commands" + .SH NAME + cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension) + .SH SYNOPSIS +@@ -87,7 +87,7 @@ + specifies hash to use for password hashing. This option is only relevant for the "create" action. The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported. Default is "ripemd160". + .TP + .B "\-\-cipher, \-c" +-set cipher specification string. Usually, this is "aes-cbc-plain". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256". ++set cipher specification string. For plain dm-crypt mappings, the default is "aes-cbc-plain", for LUKS mappings it's "aes-cbc-essiv:sha256". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256". + .TP + .B "\-\-verify-passphrase, \-y" + query for passwords twice. Useful when creating a (regular) mapping for the first time, or when running \fIluksFormat\fR. +@@ -101,7 +101,7 @@ + For LUKS operations that add key material, this options allows to you specify which key slot is selected for the new key. This option can be used for luksFormat and luksAddKey. + .TP + .B "\-\-key-size, \-s" +-set key size in bits. Has to be a multiple of 8 bits. The key size is limited by the used cipher. See output of /proc/crypto for more information. Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will ignore this flag, as the key-size is specified by the partition header. Default is 128. ++set key size in bits. Has to be a multiple of 8 bits. The key size is limited by the used cipher. See output of /proc/crypto for more information. Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will ignore this flag, as the key-size is specified by the partition header. Default is 128 for \fIluksFormat\fR and 256 for \fIcreate\fR. + .TP + .B "\-\-size, \-b" + force the size of the underlying device in sectors. +@@ -136,9 +136,9 @@ + Show the version. + + .SH NOTES ON PASSWORD PROCESSING +-\fIFrom a file descriptor or a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will process the read material (without newline) with the default hash or the hash given by \-\-hash. After hashing, it will be cropped to the key size given by \-s (default 256 bits). ++\fIFrom a file descriptor or a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will process the read material (without newline) with the default hash or the hash given by \-\-hash. After hashing, it will be cropped to the key size given by \-s. + +-\fIFrom stdin\fR: Reading will continue until EOF (so using e.g. /dev/random as stdin will not work), with the trailing newline stripped. After that the read data will be hashed with the default hash or the hash given by \-\-hash and the result will be cropped to the keysize given by \-s (default 256 bits). If "plain" is used as an argument to the hash option, the input data will not be hashed. Instead it will be zero padded (if shorter than the keysize) or truncated (if longer than the keysize) and used directly as the key. ++\fIFrom stdin\fR: Reading will continue until EOF (so using e.g. /dev/random as stdin will not work), with the trailing newline stripped. After that the read data will be hashed with the default hash or the hash given by \-\-hash and the result will be cropped to the keysize given by \-s. If "plain" is used as an argument to the hash option, the input data will not be hashed. + Instead, it will be zero padded (if shorter than the keysize) or truncated (if longer than the keysize) and used directly as the key. No warning will be given if the amount of data read from stdin is less than the keysize. + + \fIFrom a key file\fR: It will be cropped to the size given by \-s. If there is insufficient key material in the key file, cryptsetup will quit with an error. +@@ -156,7 +156,7 @@ + For any password creation action (luksAddKey, or luksFormat), the user may specify how much the time the password processing should consume. + Increasing the time will lead to a more secure password, but also will take luksOpen longer to complete. The default setting of one second is sufficient for good security. + .SH NOTES ON PASSWORDS +-Mathematic can't be bribed. Make sure you keep your passwords safe. There are a few nice tricks for constructing a fallback, when suddenly out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords. ++Mathematics can't be bribed. Make sure you keep your passwords safe. There are a few nice tricks for constructing a fallback, when suddenly out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords. + .SH AUTHORS + cryptsetup is written by Christophe Saout + .br --- cryptsetup-1.0.6.orig/debian/patches/series +++ cryptsetup-1.0.6/debian/patches/series @@ -0,0 +1,4 @@ +01_gettext_package.patch +02_manpage.patch +#03_check_for_root.patch +04_fix_udevsettle_call.patch --- cryptsetup-1.0.6.orig/debian/patches/01_gettext_package.patch +++ cryptsetup-1.0.6/debian/patches/01_gettext_package.patch @@ -0,0 +1,16 @@ +## 01_gettext_package.patch +## by Jonas Meurer +## +## remove -luks from GETTEXT_PACKAGE in configure.in + +--- a/configure.in ++++ b/configure.in +@@ -45,7 +45,7 @@ + + dnl ========================================================================== + +-GETTEXT_PACKAGE=cryptsetup-luks ++GETTEXT_PACKAGE=cryptsetup + AC_SUBST(GETTEXT_PACKAGE) + AC_DEFINE_UNQUOTED(GETTEXT_PACKAGE,"$GETTEXT_PACKAGE", + [Definition for the gettext package name]) --- cryptsetup-1.0.6.orig/debian/patches/03_check_for_root.patch +++ cryptsetup-1.0.6/debian/patches/03_check_for_root.patch @@ -0,0 +1,27 @@ +## 03_check_for_root.patch +## by Jonas Meurer +## +## check for UID == 0 before actually doing anything. + +--- a/src/cryptsetup.c ++++ b/src/cryptsetup.c +@@ -6,6 +6,8 @@ + #include + #include + #include ++#include ++#include + + #include + #include +@@ -431,6 +433,10 @@ + + int main(int argc, char **argv) + { ++ if (geteuid() != 0) { ++ fprintf(stderr, _("You have to be root to use cryptsetup!\n")); ++ return EXIT_FAILURE; ++ } + static char *popt_tmp; + static struct poptOption popt_help_options[] = { + { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL }, --- cryptsetup-1.0.6.orig/debian/initramfs/cryptroot-hook +++ cryptsetup-1.0.6/debian/initramfs/cryptroot-hook @@ -0,0 +1,487 @@ +#!/bin/sh + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +get_root_device() { + local device mount type options dump pass + + if [ ! -r /etc/fstab ]; then + return 1 + fi + + grep '^[^#]' /etc/fstab | \ + while read device mount type options dump pass; do + if [ "$mount" = "/" ]; then + echo "$device" + return + fi + done +} + +get_resume_devices() { + local device opt count dupe candidates devices + candidates="" + + # First, get a list of potential resume devices + + # uswsusp + if [ -e /etc/uswsusp.conf ]; then + device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/uswsusp.conf) + if [ -n "$device" ]; then + candidates="$candidates $device" + fi + fi + + # uswsusp - again... + if [ -e /etc/suspend.conf ]; then + device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/suspend.conf) + if [ -n "$device" ]; then + candidates="$candidates $device" + fi + fi + + # regular swsusp + for opt in $(cat /proc/cmdline); do + case $opt in + resume=*) + device="${opt#resume=}" + candidates="$candidates $device" + ;; + esac + done + + # initramfs-tools + if [ -e /etc/initramfs-tools/conf.d/resume ]; then + device=$(sed -rn 's/^RESUME[[:space:]]*=[[:space:]]*// p' /etc/initramfs-tools/conf.d/resume) + if [ -n "$device" ]; then + candidates="$candidates $device" + fi + fi + + # Now check the sanity of all candidates + devices="" + count=0 + for device in $candidates; do + # Weed out clever defaults + if [ "$device" = "" ]; then + continue + fi + + # Weed out duplicates + dupe=0 + for opt in $devices; do + if [ "$device" = "$opt" ]; then + dupe=1 + fi + done + if [ $dupe -eq 1 ]; then + continue + fi + + # This device seems ok + devices="$devices $device" + count=$(( $count + 1 )) + done + + if [ $count -gt 1 ]; then + echo "cryptsetup: WARNING: found more than one resume device candidate:" >&2 + for device in $devices; do + echo " $device" >&2 + done + fi + + if [ $count -gt 0 ]; then + echo $devices + fi + + return 0 +} + +node_is_in_crypttab() { + local node + node="$1" + + grep -q ^$node /etc/crypttab + return $? +} + +get_lvm_deps() { + local node deps maj min depnode + node="$1" + + if [ -z $node ]; then + echo "cryptsetup: WARNING: get_lvm_deps - invalid arguments" >&2 + return 1 + fi + + if ! deps=$(dmsetup deps "$node" 2> /dev/null | sed 's/[^:]*: *//;s/[ (]//g;s/)/ /g'); then + echo "cryptsetup: WARNING: failed to find deps for $node" >&2 + return 1 + fi + + # We should now have a list of major,minor pairs, e.g. "3,2 3,3" + for dep in $deps; do + maj=${dep%,*} + min=${dep#*,} + depnode=$(dmsetup ls | sed -n "s/\\([^ ]*\\) *($maj, $min)/\\1/p" | sed -e "s/[ \t]*$//") + if [ -z "$depnode" ]; then + continue + fi + if [ "$(dmsetup table "$depnode" 2> /dev/null | cut -d' ' -f3)" != "crypt" ]; then + get_lvm_deps "$depnode" + continue + fi + echo "$depnode" + done + + return 0 +} + +get_device_opts() { + local target source link extraopts rootopts opt + target="$1" + extraopts="$2" + KEYSCRIPT="" + OPTIONS="" + + if [ -z "$target" ]; then + echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2 + return 1 + fi + + opt=$( grep ^$target /etc/crypttab | head -1 | sed 's/[[:space:]]\+/ /g' ) + source=$( echo $opt | cut -d " " -f2 ) + key=$( echo $opt | cut -d " " -f3 ) + rootopts=$( echo $opt | cut -d " " -f4- ) + + if [ -z "$opt" ] || [ -z "$source" ] || [ -z "$key" ] || [ -z "$rootopts" ]; then + echo "cryptsetup: WARNING: invalid line in /etc/crypttab - $opt" >&2 + return 1 + fi + + # Sanity checks for $source + if [ -h "$source" ]; then + link=$(readlink -nqe "$source") + if [ -z "$link" ]; then + echo "cryptsetup: WARNING: $source is a dangling symlink" >&2 + return 1 + fi + + if [ "$link" != "${link#/dev/mapper/}" ]; then + echo "cryptsetup: NOTE: using $link instead of $source for $target" >&2 + source="$link" + fi + fi + + # Sanity checks for $key + if [ "$key" = "/dev/random" ] || [ "$key" = "/dev/urandom" ]; then + echo "cryptsetup: WARNING: target $target has a random key, skipped" >&2 + return 1 + fi + + if [ -n "$extraopts" ]; then + rootopts="$extraopts,$rootopts" + fi + + # We have all the basic options, let's go trough them + OPTIONS="target=$target,source=$source,key=$key" + local IFS=", " + unset HASH_FOUND + unset LUKS_FOUND + for opt in $rootopts; do + case $opt in + cipher=*) + OPTIONS="$OPTIONS,$opt" + ;; + hash=*) + OPTIONS="$OPTIONS,$opt" + HASH_FOUND=1 + ;; + size=*) + OPTIONS="$OPTIONS,$opt" + ;; + lvm=*) + OPTIONS="$OPTIONS,$opt" + ;; + keyscript=*) + opt=${opt#keyscript=} + if [ ! -x "/lib/cryptsetup/scripts/$opt" ] && [ ! -x "$opt" ]; then + echo "cryptsetup: WARNING: target $target has an invalid keyscript, skipped" >&2 + return 1 + fi + KEYSCRIPT="$opt" + OPTIONS="$OPTIONS,keyscript=/keyscripts/$(basename "$opt")" + ;; + tries=*) + OPTIONS="$OPTIONS,$opt" + ;; + luks) + LUKS_FOUND=1 + ;; + *) + # Presumably a non-supported option + ;; + esac + done + + # Warn for missing hash option, unless we have a LUKS partition + if [ -z "$HASH_FOUND" ] && [ -z "$LUKS_FOUND" ]; then + echo "WARNING: Option hash missing in crypttab for target $target, assuming ripemd160." >&2 + echo " If this is wrong, this initramfs image will not boot." >&2 + echo " Please read /usr/share/doc/cryptsetup/README.initramfs.gz and add" >&2 + echo " the correct hash option to your /etc/crypttab." >&2 + fi + + # If keyscript is set, the "key" is just an argument to the script + if [ "$key" != "none" ] && [ -z "$KEYSCRIPT" ]; then + echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2 + return 1 + fi +} + +get_device_modules() { + local node value cipher blockcipher ivhash + node="$1" + + # Check the ciphers used by the active root mapping + value=$(dmsetup table "$node" | cut -d " " -f4) + cipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f1) + blockcipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f2) + ivhash=$(echo "$value" | cut -d ":" -s -f2) + + if [ -n "$cipher" ]; then + echo "$cipher" + else + return 1 + fi + + if [ -n "$blockcipher" ] && [ "$blockcipher" != "plain" ]; then + echo "$blockcipher" + fi + + if [ -n "$ivhash" ] && [ "$ivhash" != "plain" ]; then + echo "$ivhash" + fi + return 0 +} + +canonical_device() { + local dev altdev + dev="$1" + + altdev="${dev#LABEL=}" + if [ "$altdev" != "$dev" ]; then + dev="/dev/disk/by-label/$altdev" + fi + + altdev="${dev#UUID=}" + if [ "$altdev" != "$dev" ]; then + dev="/dev/disk/by-uuid/$altdev" + fi + + if [ -h "$dev" ]; then + dev=$(readlink -e "$dev") + fi + + altdev="${dev#/dev/mapper/}" + if [ "$altdev" != "$dev" ]; then + echo "$altdev" + return 0 + fi + + return 1 +} + +add_device() { + local node nodes opts lastopts i count + nodes="$1" + opts="" # Applied to all nodes + lastopts="" # Applied to last node + + if [ -z "$nodes" ]; then + return 0 + fi + + # Check that it is a node under /dev/mapper/ + nodes=$(canonical_device "$nodes") || return 0 + + # Can we find this node in crypttab + if ! node_is_in_crypttab "$nodes"; then + # dm node but not in crypttab, is it a lvm device backed by dm-crypt nodes? + lvmnodes=$(get_lvm_deps "$nodes") || return 1 + + # not backed by any dm-crypt nodes; stop here + if [ -z "$lvmnodes" ]; then + return 0 + fi + + # It is a lvm device! + lastopts="lvm=$nodes" + nodes="$lvmnodes" + fi + + # Prepare to setup each node + count=$(echo "$nodes" | wc -w) + i=1 + for node in $nodes; do + # Prepare the additional options + if [ $i -eq $count ]; then + if [ -z "$opts" ]; then + opts="$lastopts" + else + opts="$opts,$lastopts" + fi + fi + + # Get crypttab root options + if ! get_device_opts "$node" "$opts"; then + continue + fi + echo "$OPTIONS" >> "$DESTDIR/conf/conf.d/cryptroot" + + # If we have a keyscript, make sure it is included + if [ -n "$KEYSCRIPT" ]; then + if [ ! -d "$DESTDIR/keyscripts" ]; then + mkdir "$DESTDIR/keyscripts" + fi + + if [ -e "/lib/cryptsetup/scripts/$KEYSCRIPT" ]; then + copy_exec "/lib/cryptsetup/scripts/$KEYSCRIPT" /keyscripts + elif [ -e "$KEYSCRIPT" ]; then + copy_exec "$KEYSCRIPT" /keyscripts + else + echo "cryptsetup: WARNING: failed to find keyscript $KEYSCRIPT" >&2 + continue + fi + fi + + # Calculate needed modules + modules=$(get_device_modules $node | sort | uniq) + if [ -z "$modules" ]; then + echo "cryptsetup: WARNING: failed to determine cipher modules to load for $node" >&2 + continue + fi + echo dm_mod + echo dm_crypt + echo "$modules" + + i=$(( $i + 1 )) + done + + return 0 +} + +add_crypto_modules() { + local mod file altmod found genericfound + mod="$1" + found="" + genericfound="" + + if [ -z "$mod" ]; then + return 1 + fi + + # We have several potential sources of modules (in order of preference): + # + # a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko + # b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko + # c) /lib/modules/$VERSION/kernel/crypto/$mod.ko + # + # and (currently ignored): + # + # d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko + + for file in $(find "$MODULESDIR/kernel/arch/" -name "$mod-*.ko"); do + altmod="${file##*/}" + altmod="${altmod%.ko}" + manual_add_modules "$altmod" + found="yes" + done + + for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}_generic.ko"); do + altmod="${file##*/}" + altmod="${altmod%.ko}" + manual_add_modules "$altmod" + found="yes" + genericfound="yes" + done + + if [ -z "$genericfound" ]; then + for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}.ko"); do + altmod="${file##*/}" + altmod="${altmod%.ko}" + manual_add_modules "$altmod" + found="yes" + done + fi + + if [ -z "$found" ]; then + return 1 + fi + + return 0 +} + +# +# Begin real processing +# + +setup="no" +rootdev="" +resumedevs="" + +# Find the root and resume device(s) +if [ -r /etc/crypttab ]; then + rootdev=$(get_root_device) + if [ -z "$rootdev" ]; then + echo "cryptsetup: WARNING: could not determine root device from /etc/fstab" >&2 + fi + resumedevs=$(get_resume_devices) +fi + +# Load the config opts and modules for each device +for dev in $rootdev $resumedevs; do + if ! modules=$(add_device "$dev"); then + echo "cryptsetup: FAILURE: could not determine configuration for $dev" >&2 + continue + fi + + setup="yes" + for mod in $modules; do + add_crypto_modules $mod + done +done + +# With large initramfs, we always add a basic subset of modules +if [ "$MODULES" != "dep" ]; then + for mod in aes sha256 cbc; do + add_crypto_modules $mod + done +fi + +# See if we need to add the basic components +if [ "$MODULES" != "dep" ] || [ "$setup" = "yes" ]; then + for mod in dm_mod dm_crypt; do + manual_add_modules $mod + done + + copy_exec /sbin/cryptsetup + copy_exec /sbin/dmsetup + copy_exec /lib/cryptsetup/askpass +fi + +exit 0 --- cryptsetup-1.0.6.orig/debian/initramfs/cryptopensc-script-local-bottom +++ cryptsetup-1.0.6/debian/initramfs/cryptopensc-script-local-bottom @@ -0,0 +1,30 @@ +#!/bin/sh + +set -e + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# Hook for stopping smartcard reading software + +if [ ! -e /sbin/pcscd ]; then + exit 0 +fi + +# Start pcscd daemon nomrally. If it was started in foregound, chances are +# it'll harmlessly complain about missing /var/run/pcscd* files due to the root +# filessytem being remounted. +start-stop-daemon --stop --quiet --pidfile /var/run/pcscd.pid --name pcscd --- cryptsetup-1.0.6.orig/debian/initramfs/cryptroot-script +++ cryptsetup-1.0.6/debian/initramfs/cryptroot-script @@ -0,0 +1,340 @@ +#!/bin/sh + +# source for log_*_msg() functions, see LP: #272301 +. /scripts/functions + +# +# Standard initramfs preamble +# +prereqs() +{ + # Make sure that cryptroot is run last in local-top + for req in /scripts/local-top/*; do + script=${req##*/} + if [ $script != cryptroot ]; then + echo $script + fi + done +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + + +# +# Helper functions +# +message() +{ + if [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then + usplash_write "TEXT-URGENT $@" + else + echo "$@" >&2 + fi + return 0 +} + +udev_settle() +{ + # Wait for udev to be ready, see https://launchpad.net/bugs/85640 + if [ -x /sbin/udevadm ]; then + /sbin/udevadm settle --timeout=30 + elif [ -x /sbin/udevsettle ]; then + /sbin/udevsettle --timeout=30 + fi + return 0 +} + +parse_options() +{ + local cryptopts + cryptopts="$1" + + if [ -z "$cryptopts" ]; then + return 1 + fi + + # Defaults + cryptcipher=aes-cbc-essiv:sha256 + cryptsize=256 + crypthash=ripemd160 + crypttarget=cryptroot + cryptsource="" + cryptlvm="" + cryptkeyscript="" + cryptkey="" # This is only used as an argument to an eventual keyscript + crypttries=3 + + local IFS=" ," + for x in $cryptopts; do + case $x in + hash=*) + crypthash=${x#hash=} + ;; + size=*) + cryptsize=${x#size=} + ;; + cipher=*) + cryptcipher=${x#cipher=} + ;; + target=*) + crypttarget=${x#target=} + ;; + source=*) + cryptsource=${x#source=} + if [ ${cryptsource#UUID=} != $cryptsource ]; then + cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}" + elif [ ${cryptsource#LABEL=} != $cryptsource ]; then + cryptsource="/dev/disk/by-label/${cryptsource#LABEL=}" + fi + ;; + lvm=*) + cryptlvm=${x#lvm=} + ;; + keyscript=*) + cryptkeyscript=${x#keyscript=} + ;; + key=*) + if [ "${x#key=}" != "none" ]; then + cryptkey=${x#key=} + fi + ;; + tries=*) + crypttries="${x#tries=}" + case "$crypttries" in + *[![:digit:].]*) + crypttries=3 + ;; + esac + ;; + esac + done + + if [ -z "$cryptsource" ]; then + message "cryptsetup: source parameter missing" + return 1 + fi + return 0 +} + +activate_vg() +{ + local vg + vg="${1#/dev/mapper/}" + + # Sanity checks + if [ ! -x /sbin/lvm ] || [ "$vg" = "$1" ]; then + return 1 + fi + + # Make sure that the device contains at least one dash + if [ "${vg%%-*}" = "$vg" ]; then + return 1 + fi + + # Split volume group from logical volume. + vg=$(echo ${vg} | sed -e 's#\(.*\)\([^-]\)-[^-].*#\1\2#') + + # Reduce padded --'s to -'s + vg=$(echo ${vg} | sed -e 's#--#-#g') + + lvm vgchange -ay ${vg} + return $? +} + +activate_evms() +{ + local dev module + dev="${1#/dev/evms/}" + + # Sanity checks + if [ ! -x /sbin/evms_activate ] || [ "$dev" = "$1" ]; then + return 1 + fi + + # Load modules used by evms + for module in dm-mod linear raid0 raid1 raid10 raid5 raid6; do + modprobe -q $module + done + + # Activate it + /sbin/evms_activate + return $? +} + +setup_mapping() +{ + local opts count cryptcreate cryptremove NEWROOT + opts="$1" + + if [ -z "$opts" ]; then + return 0 + fi + + parse_options "$opts" || return 1 + + if [ -n "$cryptkeyscript" ] && [ ! -x "$cryptkeyscript" ]; then + message "cryptsetup: error - script \"$cryptkeyscript\" missing" + return 1 + fi + + # The same target can be specified multiple times + # e.g. root and resume lvs-on-lvm-on-crypto + if [ -e "/dev/mapper/$crypttarget" ]; then + return 0 + fi + + modprobe -q dm_crypt + + # Make sure the cryptsource device is available + if [ ! -e $cryptsource ]; then + activate_vg $cryptsource + activate_evms $cryptsource + fi + + # If the encrypted source device hasn't shown up yet, give it a + # little while to deal with removable devices + + # the following lines below have been taken from + # /usr/share/initramfs-tools/scripts/local, as suggested per + # https://launchpad.net/bugs/164044 + if [ ! -e "$cryptsource" ]; then + log_begin_msg "Waiting for encrypted source device..." + + # Default delay is 180s + if [ -z "${ROOTDELAY}" ]; then + slumber=180 + else + slumber=${ROOTDELAY} + fi + if [ -x /sbin/usplash_write ]; then + /sbin/usplash_write "TIMEOUT ${slumber}" || true + fi + + slumber=$(( ${slumber} * 10 )) + while [ ! -e "$cryptsource" ]; do + /bin/sleep 0.1 + slumber=$(( ${slumber} - 1 )) + [ ${slumber} -gt 0 ] || break + done + + if [ ${slumber} -gt 0 ]; then + log_end_msg 0 + else + log_end_msg 1 || true + fi + if [ -x /sbin/usplash_write ]; then + /sbin/usplash_write "TIMEOUT 15" || true + fi + fi + + # We've given up, but we'll let the user fix matters if they can + while [ ! -e "${cryptsource}" ]; do + echo " Check cryptopts=source= bootarg cat /proc/cmdline" + echo " or missing modules, devices: cat /proc/modules ls /dev" + panic -r "ALERT! ${cryptsource} does not exist. Dropping to a shell!" + done + + # Prepare commands + if /sbin/cryptsetup isLuks $cryptsource > /dev/null 2>&1; then + cryptcreate="/sbin/cryptsetup -T 1 luksOpen $cryptsource $crypttarget" + else + cryptcreate="/sbin/cryptsetup -T 1 -c $cryptcipher -s $cryptsize -h $crypthash create $crypttarget $cryptsource" + fi + cryptremove="/sbin/cryptsetup remove $crypttarget" + NEWROOT="/dev/mapper/$crypttarget" + + # Try to get a satisfactory password $crypttries times + count=0 + while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do + count=$(( $count + 1 )) + + if [ $count -gt 1 ]; then + sleep 3 + fi + + if [ $crypttries -gt 0 ] && [ $count -gt $crypttries ]; then + message "cryptsetup: maximum number of tries exceeded for $crypttarget" + return 1 + fi + + if [ -z "$cryptkeyscript" ]; then + cryptkeyscript="/lib/cryptsetup/askpass" + cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: " + fi + + + if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \ + $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then + message "cryptsetup: cryptsetup failed, bad password or options?" + continue + fi + + if [ ! -e "$NEWROOT" ]; then + message "cryptsetup: unknown error setting up device mapping" + return 1 + fi + + FSTYPE='' + eval $(fstype < "$NEWROOT") + + # See if we need to setup lvm on the crypto device + if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then + if [ -z "$cryptlvm" ]; then + message "cryptsetup: lvm fs found but no lvm configured" + return 1 + elif ! activate_vg "/dev/mapper/$cryptlvm"; then + # disable error message, LP: #151532 + #message "cryptsetup: failed to setup lvm device" + return 1 + fi + + NEWROOT="/dev/mapper/$cryptlvm" + eval $(fstype < "$NEWROOT") + fi + + if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then + message "cryptsetup: unknown fstype, bad password or options?" + $cryptremove + continue + fi + + message "cryptsetup: $crypttarget setup successfully" + break + done + + udev_settle + return 0 +} + +# +# Begin real processing +# + +# Do we have any kernel boot arguments? +found='' +for opt in $(cat /proc/cmdline); do + case $opt in + cryptopts=*) + found=yes + setup_mapping "${opt#cryptopts=}" + ;; + esac +done + +if [ -n "$found" ]; then + exit 0 +fi + +# Do we have any settings from the /conf/conf.d/cryptroot file? +if [ -r /conf/conf.d/cryptroot ]; then + while read mapping <&3; do + setup_mapping "$mapping" + done 3< /conf/conf.d/cryptroot +fi + +exit 0 --- cryptsetup-1.0.6.orig/debian/initramfs/cryptopensc-hook +++ cryptsetup-1.0.6/debian/initramfs/cryptopensc-hook @@ -0,0 +1,60 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# Hooks for loading smartcard reading software into the initramfs + +# Check whether cryptroot hook has installed decrypt_opensc script +if [ ! -x ${DESTDIR}/keyscripts/decrypt_opensc ] ; then + exit 0 +fi + +# Install cryptroot key files into initramfs +keys=$(sed 's/^\(.*,\|\)key=//; s/,.*//' ${DESTDIR}/conf/conf.d/cryptroot) + +if [ "${keys}" != "none" ]; then + if [ -z "${keys}" ]; then + echo $0: Missing key files in ${DESTDIR}/conf/conf.d/cryptroot >&2 + cat ${DESTDIR}/conf/conf.d/cryptroot >&2 + exit 1 + fi + for key in ${keys} ; do + if [ ! -d ${DESTDIR}/$(dirname ${key}) ] ; then + mkdir -p ${DESTDIR}/$(dirname ${key}) + fi + cp ${key} ${DESTDIR}/${key} + done +fi + +# Install directories needed by smartcard reading daemon, command, and +# key-script +for dir in etc/opensc usr/lib/pcsc var/run tmp ; do + if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi +done + +# Install pcscd daemon, drivers, conf file, and include libgcc as well since +# pcscd utilizes pthread_cancel +copy_exec /usr/sbin/pcscd +cp -r /usr/lib/pcsc ${DESTDIR}/usr/lib +cp /etc/reader.conf ${DESTDIR}/etc + +# Install opensc commands and conf file +copy_exec /usr/bin/opensc-tool +copy_exec /usr/bin/pkcs15-crypt +cp /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc --- cryptsetup-1.0.6.orig/debian/initramfs/cryptpassdev-hook +++ cryptsetup-1.0.6/debian/initramfs/cryptpassdev-hook @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# Hooks for adding filesystem modules to the initramfs when the passdev +# keyscript is used + +# Check whether the passdev script has been included +if [ ! -x "${DESTDIR}/keyscripts/passdev" ]; then + exit 0 +fi + +# The filesystem type of the removable device is probed at boot-time, so +# we add a generous list of filesystems to include. This also helps with +# recovery situation as including e.g. the vfat module might help a user +# who needs to create a new cryptkey (using a backup of a keyfile) on +# a windows-machine for example. + +# This list needs to be kept in sync with the one defined in passdev.c +for fs in ext3 ext2 vfat reiserfs xfs isofs udf; do + manual_add_modules "$fs" > /dev/null 2>&1 || true +done +exit 0 + --- cryptsetup-1.0.6.orig/debian/initramfs/cryptopensc-script-local-top +++ cryptsetup-1.0.6/debian/initramfs/cryptopensc-script-local-top @@ -0,0 +1,36 @@ +#!/bin/sh + +set -e + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# Hook for starting smartcard reading software + +if [ ! -e /sbin/pcscd ]; then + exit 0 +fi + +# Start pcscd daemon nomrally: +# start-stop-daemon --start --quiet \ +# --pidfile /var/run/pcscd.pid \ +# --exec /sbin/pcscd +# Alternatively, start pcscd daemon in foreground so that it's pretty colored +# output may be seen on the console, useful for watching error messages since +# pcscd uses syslog which is not available (use --error or --critical to filter +# out debug message clutter): +# /sbin/pcscd --error --foreground & +/sbin/pcscd --foreground & --- cryptsetup-1.0.6.orig/debian/initramfs/cryptopenct-hook +++ cryptsetup-1.0.6/debian/initramfs/cryptopenct-hook @@ -0,0 +1,61 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# Hooks for loading smartcard reading software into the initramfs + +# Check whether cryptroot hook has installed decrypt_openct script +if [ ! -x ${DESTDIR}/keyscripts/decrypt_openct ] ; then + exit 0 +fi + +# Install cryptroot key files into initramfs +keys=$(sed 's/^\(.*,\|\)key=//; s/,.*//' ${DESTDIR}/conf/conf.d/cryptroot) + +if [ "${keys}" != "none" ] +then + if [ -z "${keys}" ] ; then + echo $0: Missing key files in ${DESTDIR}/conf/conf.d/cryptroot >&2 + cat ${DESTDIR}/conf/conf.d/cryptroot >&2 + exit 1 + fi + for key in ${keys} ; do + if [ ! -d ${DESTDIR}/$(dirname ${key}) ] ; then + mkdir -p ${DESTDIR}/$(dirname ${key}) + fi + cp ${key} ${DESTDIR}/${key} + done +fi + +# Install directories needed by smartcard reading daemon, command, and +# key-script +for dir in etc etc/init.d etc/udev/rules.d lib/udev usr/bin usr/sbin var/run/openct tmp ; do + if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi +done + +# Install openct tools, drivers, conf file +cp /etc/openct.conf ${DESTDIR}/etc/ +cp /etc/udev/rules.d/z60_openct.rules ${DESTDIR}/etc/udev/rules.d/ +cp /lib/udev/openct_pcmcia ${DESTDIR}/lib/udev/ +cp /lib/udev/openct_serial ${DESTDIR}/lib/udev/ +cp /lib/udev/openct_usb ${DESTDIR}/lib/udev/ +copy_exec /usr/bin/openct-tool +copy_exec /usr/bin/pkcs15-tool +copy_exec /usr/sbin/ifdhandler +copy_exec /usr/sbin/openct-control --- cryptsetup-1.0.6.orig/debian/initramfs/cryptroot-conf +++ cryptsetup-1.0.6/debian/initramfs/cryptroot-conf @@ -0,0 +1,6 @@ +# This will setup non-us keyboards in early userspace, +# necessary for punching in passphrases. +KEYMAP=y + +# force busybox on initramfs +BUSYBOX=y --- cryptsetup-1.0.6.orig/debian/scripts/decrypt_opensc +++ cryptsetup-1.0.6/debian/scripts/decrypt_opensc @@ -0,0 +1,47 @@ +#!/bin/sh + +# Why not use "openct-tool rwait" instead of polling opensc-tool exit status? +# Well openct daemon has to be running which interferes with pcscd since both +# implement reader drivers, my particular CCID reader (SCM SCR331-LC1) doesn't +# work with the CCID driver in openct, however it does work with pcscd. + +# Why not use "opensc-tool --wait" instead of polling opensc-tool exit status? +# Although opensc-tool --help reports that there is a --wait option, it doesn't +# seem to be implemented. + +check_card() { + cardfound=0 + + cardtmp=$(/usr/bin/opensc-tool -n 2>&1) + if [ $? == 0 ] ; then + cardfound=1 + fi +} + +wait_card() { + check_card + if [ $cardfound == 0 ] ; then + echo "Waiting for Smart Card..." >&2 + tries=0 + while [ $cardfound == 0 -a $tries -lt 60 ] ; do + sleep 1 + check_card + tries=$(($tries + 1)) + done + if [ $cardfound == 0 ] ; then + echo 'Failed to find Smart Card card!' >&2 + exit 1 + fi + fi +} + +wait_card +if [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then + # Get pin number from usplash + /sbin/usplash_write "INPUTQUIET Enter pin for $crypttarget ($cryptsource): " + /usr/bin/pkcs15-crypt --decipher --input $1 --pkcs1 --raw --pin "$(cat /dev/.initramfs/usplash_outfifo)" +else + # Get pin number from console + /usr/bin/pkcs15-crypt --decipher --input $1 --pkcs1 --raw < /dev/console 2> /dev/console +fi +exit $? --- cryptsetup-1.0.6.orig/debian/scripts/cryptdisks_start +++ cryptsetup-1.0.6/debian/scripts/cryptdisks_start @@ -0,0 +1,36 @@ +#!/bin/sh + +# cryptdisks_start - wrapper around cryptsetup which parses +# /etc/crypttab, just like mount parses /etc/fstab. + +# Initial code and (c) 2007 Jon Dowland +# License: GNU General Public License, v2 or any later +# (http://www.gnu.org/copyleft/gpl.html) + +set -e + +if [ $# -lt 1 ]; then + echo "usage: $0 " >&2 + echo >&2 + echo "reads /etc/crypttab and starts the mapping corresponding to " >&2 + exit 1 +fi + +if [ -r /lib/cryptsetup/cryptdisks.functions ]; then + . /lib/cryptsetup/cryptdisks.functions +else + exit 0 +fi + +log_action_begin_msg "Starting crypto disk" +mount_fs + +egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do + if [ "$1" = "$dst" ]; then + handle_crypttab_line_start "$dst" "$src" "$key" "$opts" <&3 + exit 0 + fi +done 3<&1 + +umount_fs +log_action_end_msg 0 --- cryptsetup-1.0.6.orig/debian/scripts/decrypt_derived +++ cryptsetup-1.0.6/debian/scripts/decrypt_derived @@ -0,0 +1,46 @@ +#!/bin/sh + +countlines() { + local IFS input count tmp + input="$1" + count=0 + IFS=' +' + for tmp in $input; do + count=$(( $count + 1 )) + done + echo $count +} + +if [ -z "$1" ]; then + echo "$0: must be executed with a crypto device as argument" >&2 + exit 1 +fi + +if ! device=$(dmsetup --showkeys table 2> /dev/null | grep "^$1:"); then + echo "$0: failed to find $1 in dmtable" >&2 + exit 1 +fi + +if [ -z "$device" ]; then + echo "$0: device $1 doesn't exist" >&2 + exit 1 +fi + +count=$(countlines "$device") +if [ $count -ne 1 ]; then + echo "$0: more than one device match $1" >&2 + exit 1 +fi + +eval set -- $device +type="$4" +key="$6" + +if [ "$type" != "crypt" ]; then + echo "$0: device $1 is not a crypto device" >&2 + exit 1 +fi + +echo -n "$key" +exit 0 --- cryptsetup-1.0.6.orig/debian/scripts/gen-ssl-key +++ cryptsetup-1.0.6/debian/scripts/gen-ssl-key @@ -0,0 +1,26 @@ +#!/bin/sh +# +# script to generate a keyfile that is encrypted with openssl +# +# Written 2005 by Markus Nass +# Improved 2006 by Jonas Meurer +# Further improved 2006 by Markus Nass + +usage() { + echo "Usage: $0 " + exit 1 +} + +if [ "$1" = "" -o "$1" = "-h" -o "$1" = "--help" ]; then + usage +fi + +if [ -x /usr/bin/openssl ]; then + key=`tempfile` + dd if=/dev/random of=$key bs=1c count=256 + openssl enc -aes-256-cbc -e -salt -in $key -out $1 + #rm -f $key; key="" + shred -uz $key; key="" +else + echo "/usr/bin/openssl is not available" && exit 1 +fi --- cryptsetup-1.0.6.orig/debian/scripts/decrypt_ssl +++ cryptsetup-1.0.6/debian/scripts/decrypt_ssl @@ -0,0 +1,17 @@ +#!/bin/sh +# +# Script to decrypt the key which is encrypted with openssl. +# See /usr/share/doc/cryptsetup/examples/gen-ssl-key to create such a key. +# + +decrypt_ssl () { + echo "" >&2 + echo "Decrypting ssl key $1..." >&2 + if ! /usr/bin/openssl enc -aes-256-cbc -d -salt -in $1 2> /dev/null 2>&1; then + return 1 + fi + return 0 +} + +decrypt_ssl $1 +exit $? --- cryptsetup-1.0.6.orig/debian/scripts/luksformat +++ cryptsetup-1.0.6/debian/scripts/luksformat @@ -0,0 +1,99 @@ +#!/usr/bin/perl -w + +# luksformat - wrapper around LUKS-capable cryptsetup and mkfs for easy +# creation of an encrypted device. +# +# (C) 2005 Canonical Ltd. +# Author: Martin Pitt +# License: GNU General Public License, v2 or any later +# (http://www.gnu.org/copyleft/gpl.html) + +use Getopt::Long; + +sub help() { + print "luksformat - Create and format an encrypted LUKS device +Usage: luksformat [-t ] \n"; + exit 1; +} + +# default file system +$fs = 'vfat'; +exit 1 unless GetOptions ('t|type=s' => \$fs); + +help() if $#ARGV != 0; + +if ($> != 0) { + print STDERR "This program needs to be started as root\n"; + exit 1; +} + +$device = $ARGV[0]; + +open(MOUNTS, "/proc/mounts"); +while () { + die "Error: device mounted: $device\n" if (/\Q$device\E/) +} + +$mkfs = "/sbin/mkfs.$fs"; +if (! -x $mkfs) { + print STDERR "Error: invalid file system: $fs\n"; + exit 1; +} + +# generate temporary mapped device name which is not yet used +$name = ""; +for ($i = 1; $i < 100; $i++) { + if (! -e "/dev/mapper/luksformat$i") { + $name = "luksformat$i"; + last; + } +} + +$name or die "Error: could not generate temporary mapped device name"; + +# we do not need to be overly concerned with race conditions here, cryptsetup +# will just fail if the name already exists now. +print "Creating encrypted device on $device...\n"; +if ((system 'cryptsetup', 'luksFormat', '-s', '256', '--cipher', 'aes-cbc-essiv:sha256', $device)) { + die "Could not create LUKS device $device"; +} + +print "Please enter your passphrase again to verify it\n"; +if ((system 'cryptsetup', 'luksOpen', $device, $name) != 0) { + print STDERR "The passphrases you entered were not identical\n"; + exit 1; +} + +$result = system $mkfs, "/dev/mapper/$name"; +print "\n"; +system 'cryptsetup', 'luksClose', $name; + +die "Could not format device with file system $fs" if $result; + +__END__ + +=head1 NAME + +luksformat - Create and format an encrypted LUKS device + +=head1 SYNOPSIS + +B [B<-t> I] I + +=head1 DESCRIPTION + +B is a wrapper around B and B which provides an +easy interface for creating an encrypted device that follows the LUKS standard +and for putting a file system onto the encrypted device. + +The default file system is B since that is most commonly used on +removable devices. However, you can specify any available file system with the +B<-t> option. + +=head1 SEE ALSO + +L, L + +=head1 AUTHOR + +This program was written by Martin Pitt . --- cryptsetup-1.0.6.orig/debian/scripts/cryptdisks_stop +++ cryptsetup-1.0.6/debian/scripts/cryptdisks_stop @@ -0,0 +1,35 @@ +#!/bin/sh + +# cryptdisks_stop - wrapper around cryptsetup which parses +# /etc/crypttab, just like mount parses /etc/fstab. + +# Initial code stolen from cryptdisks_start by Jon Dowland +# Copyright (C) 2008 by Jonas Meurer +# License: GNU General Public License, v2 or any later +# (http://www.gnu.org/copyleft/gpl.html) + +set -e + +if [ $# -lt 1 ]; then + echo "usage: $0 " >&2 + echo >&2 + echo "reads /etc/crypttab and stops the mapping corresponding to " >&2 + exit 1 +fi + +if [ -r /lib/cryptsetup/cryptdisks.functions ]; then + . /lib/cryptsetup/cryptdisks.functions +else + exit 0 +fi + +log_action_begin_msg "Stopping crypto disk" + +egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do + if [ "$1" = "$dst" ]; then + handle_crypttab_line_stop "$dst" "$src" "$key" "$opts" <&3 + exit 0 + fi +done 3<&1 + +log_action_end_msg 0 --- cryptsetup-1.0.6.orig/debian/scripts/decrypt_openct +++ cryptsetup-1.0.6/debian/scripts/decrypt_openct @@ -0,0 +1,65 @@ +#!/bin/sh + +#check_reader() { +# readerfound=0 +# +# readertmp=$(/usr/bin/openct-tool list 2>&1) +# if [ $? = 0 ] ; then +# readerfound=1 +# fi +#} + +wait_reader() { +# check_reader + echo "Waiting for Smart Card reader..." >&2 + /usr/bin/openct-tool rwait >/dev/null 2>&1 + if [ $? != 0 ]; then + echo 'Failed to find Smart Card reader!' >&2 + fi +# if [ $readerfound = 0 ] ; then +# tries=0 +# while [ $readerfound == 0 -a $tries -lt 60 ] ; do +# echo "Waiting for Smart Card reader..." >&2 +# sleep 1 +# check_reader +# tries=$(($tries + 1)) +# done +# if [ $readerfound = 0 ] ; then +# echo 'Failed to find Smart Card reader!' >&2 +# exit 1 +# fi +# fi +} + +wait_card() { + echo "Waiting for Smart Card..." >&2 + /usr/bin/openct-tool wait >/dev/null 2>&1 + if [ $? != 0 ]; then + echo 'Failed to find Smart Card!' >&2 + fi +} + +/usr/sbin/openct-control init +wait_reader +wait_card + +# Due to a bug in openct, the --label does not work on data objects, means, +# all data objects have by default the label 'pkcs15-init', that's why we are +# setting the label manually if none is configured by the user. + +if [ -z "$1" ] || [ "$1" = "none" ] ; then + LABEL="pkcs15-init" +else + LABEL="$1" +fi + +if [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then + # Get pin number from usplash + /sbin/usplash_write "INPUTQUIET Enter pin for $crypttarget ($cryptsource): " + /usr/bin/pkcs15-tool --read-data-object $LABEL --pin "$(cat /dev/.initramfs/usplash_outfifo)" -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1 +else + # Interactive call, user enters pin + /usr/bin/pkcs15-tool --read-data-object $LABEL -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1 +fi + +exit $? --- cryptsetup-1.0.6.orig/debian/scripts/decrypt_gpg +++ cryptsetup-1.0.6/debian/scripts/decrypt_gpg @@ -0,0 +1,29 @@ +#!/bin/sh + +decrypt_gpg () { + local key tries rc + key="$1" + tries=0 + rc=1 + + echo "Performing GPG key decryption" >&2 + if /usr/bin/gpg -q --decrypt $key; then + return 0 + else + return 1 + fi +} + +echo "gpg decryption not implemented yet" >&2 +exit 1 + +if [ ! -x /usr/bin/gpg ]; then + exit 1 +fi + +if [ -z "$1" ]; then + exit 1 +fi + +decrypt_gpg "$1" +exit $?