--- cryptsetup-1.1.0~rc2.orig/debian/cryptsetup.lintian-overrides +++ cryptsetup-1.1.0~rc2/debian/cryptsetup.lintian-overrides @@ -0,0 +1,2 @@ +cryptsetup: init.d-script-possible-missing-stop /etc/init.d/cryptdisks 1 +cryptsetup: init.d-script-possible-missing-stop /etc/init.d/cryptdisks-early 1 --- cryptsetup-1.1.0~rc2.orig/debian/control +++ cryptsetup-1.1.0~rc2/debian/control @@ -0,0 +1,67 @@ +Source: cryptsetup +Section: admin +Priority: optional +Maintainer: Ubuntu Core Developers +XSBC-Original-Maintainer: Debian Cryptsetup Team +Uploaders: Jonas Meurer +Build-Depends: debhelper (>= 6.0.7~), libgcrypt11-dev, libdevmapper-dev (>= 2:1.02.24-4), libpopt-dev, uuid-dev, libselinux1-dev, libsepol1-dev, gettext, cvs, libtool (>= 2.2), autoconf, automake1.9, quilt (>= 0.40), xsltproc, docbook-xml, docbook-xsl (>= 1.74.3+dfsg) +Standards-Version: 3.8.3 +Homepage: http://code.google.com/p/cryptsetup/ +X-Debian-Vcs-Browser: http://svn.debian.org/wsvn/pkg-cryptsetup/cryptsetup/trunk +X-Debian-Vcs-Svn: svn://svn.debian.org/svn/pkg-cryptsetup/cryptsetup/trunk +Vcs-Bzr: https://code.launchpad.net/~ubuntu-core-dev/cryptsetup/ubuntu + +Package: cryptsetup +Architecture: any +Depends: ${shlibs:Depends}, dmsetup, initramfs-tools (>= 0.91) | linux-initramfs-tool, watershed +Suggests: udev, dosfstools +Conflicts: cryptsetup-luks (<= 1.0.1-8), hashalot (<= 0.3-1) +Replaces: cryptsetup-luks (<= 1.0.1-8) +Description: configures encrypted block devices + Cryptsetup provides a command-line interface for configuring encrypted + devices. This is done using the Linux kernel device mapper target + dm-crypt. This version of cryptsetup has integrated support for LUKS. + . + cryptsetup is backwards compatible with the on-disk format of cryptoloop, + but also supports more secure formats. This package includes support for + automatically configuring encrypted devices at boot time via the config + file /etc/crypttab. Additional features are cryptoroot support through + initramfs-tools and several supported ways to read a passphrase or key. + +Package: cryptsetup-udeb +Section: debian-installer +XC-Package-Type: udeb +Architecture: any +Depends: ${shlibs:Depends}, dmsetup-udeb +Description: configures encrypted block devices + Cryptsetup provides a command-line interface for configuring encrypted + devices. This is done using the Linux kernel device mapper target + dm-crypt. This version of cryptsetup has integrated support for LUKS. + . + cryptsetup is backwards compatible with the on-disk format of cryptoloop, + but also supports more secure formats. This package includes support for + automatically configuring encrypted devices at boot time via the config + file /etc/crypttab. Additional features are cryptoroot support through + initramfs-tools and several supported ways to read a passphrase or key. + +Package: libcryptsetup1 +Section: libs +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: libcryptsetup shared library + Cryptsetup provides a command-line interface for configuring encrypted + devices. This is done using the Linux kernel device mapper target + dm-crypt. This version of cryptsetup has integrated support for LUKS. + . + This package provides the libcryptsetup shared library. + +Package: libcryptsetup-dev +Section: libdevel +Architecture: any +Depends: libcryptsetup1 (= ${binary:Version}) +Description: libcryptsetup development files + Cryptsetup provides a command-line interface for configuring encrypted + devices. This is done using the Linux kernel device mapper target + dm-crypt. This version of cryptsetup has integrated support for LUKS. + . + This package provides the libcryptsetup development files. --- cryptsetup-1.1.0~rc2.orig/debian/cryptdisks-udev.upstart +++ cryptsetup-1.1.0~rc2/debian/cryptdisks-udev.upstart @@ -0,0 +1,24 @@ +# cryptdisks - enable encrypted block devices + +description "enable encrypted block devices" + +start on block-device-added ID_FS_USAGE=crypto +instance $DEVNAME + +task +console output + +script + [ -r /lib/cryptsetup/cryptdisks.functions ] || { stop; exit 0; } + + . /lib/cryptsetup/cryptdisks.functions + + case "$CRYPTDISKS_ENABLE" in + [Nn]*) + exit 1 + ;; + esac + + INITSTATE=udev + crypttab_start_one_disk "$DEVNAME" +end script --- cryptsetup-1.1.0~rc2.orig/debian/README.remote +++ cryptsetup-1.1.0~rc2/debian/README.remote @@ -0,0 +1,96 @@ +unlocking rootfs via ssh login in initramfs +------------------------------------------- + +You can unlock your rootfs on bootup from remote, using ssh to log in to the +booting system while it's running with the initramfs mounted. + + +Setup +----- + +For remote unlocking to work, the following packages have to be installed +before building the initramfs: dropbear busybox + +The file /etc/initramfs-tools/initramfs.conf holds the configuration options +used when building the initramfs. It should contain BUSYBOX=y (this is set as +the default when the busybox package is installed) to have busybox installed +into the initramfs, and should not contain DROPBEAR=n, which would disable +installation of dropbear to initramfs. If set to DROPBEAR=y, dropbear will +beinstalled in any case; if DROPBEAR isn't set at all, then dropbear will only +be installed in case of an existing cryptroot setup. + +The host keys used for the initramfs are dropbear_dss_host_key and +dropbear_rsa_host_key, both located in/etc/initramfs-tools/etc/dropbear/. +If they do not exist when the initramfs is compiled, they will be created +automatically. Following are the commands to create them manually: + +# dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key +# dropbearkey -t rsa -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key + +As the initramfs will not be encrypted, publickey authentication is assumed. +The key(s) used for that will be taken from +/etc/initramfs-tools/root/.ssh/authorized_keys. +If this file doesn't exist when the initramfs is compiled, it will be created +and /etc/initramfs-tools/root/.ssh/id_rsa.pub will be added to it. +If the latter file doesn't exist either, it will be generated automatically - +you will find the matching private key which you will later need to log in to +the initramfs under /etc/initramfs-tools/root/.ssh/id_rsa (or id_rsa.dropbear +in case you need it in dropbear format). Following are the commands to do the +respective steps manually: + +To create a key (in dropbear format): + +# dropbearkey -t rsa -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear + +To convert the key from dropbear format to openssh format: + +# /usr/lib/dropbear/dropbearconvert dropbear openssh \ + /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \ + /etc/initramfs-tools/root/.ssh/id_rsa + +To extract the public key: + +# dropbearkey -y -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear | \ + grep "^ssh-rsa " > /etc/initramfs-tools/root/.ssh/id_rsa.pub + +To add the public key to the authorized_keys file: + +# cat /etc/initramfs-tools/root/.ssh/id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys + +In case you want some interface to get configured using dhcp, setting DEVICE= in +/etc/initramfs-tools/initramfs.conf should be sufficient. The initramfs should +also honour the ip= kernel parameter. +In case you use grub, you probably might want to set it in /boot/grub/menu.lst, +either in the '# kopt=' line or appended to specific 'kernel' line(s). +The ip= kernel parameter is documented in Documentation/nfsroot.txt in the +kernel source tree. + + +Issues +------ + +Don't forget to run update-initramfs when you changed the config to make it +effective! + +Collecting enough entropy for the ssh daemon sometimes seems to be an issue. +Startup of the ssh daemon might be delayed until enough entropy has been +retrieved. This is non-blocking for the startup process, so when you are at the +console you won't have to wait for the sshd to complete its startup. + + +Unlocking procedure +------------------- + +To unlock from remote, you could do something like this: + +# ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" \ + -i "~/id_rsa.initramfs" root@initramfshost.example.com \ + "echo -ne \"secret\" >/lib/cryptsetup/passfifo" + +This example assumes that you have an extra known_hosts file +"~/.ssh/known_hosts.initramfs" which hold's the cryptroot system's host-key, +that you have a file "~/id_rsa.initramfs" which holds the authorized-key for +the cryptroot system, that the cryptroot system's name is +"initramfshost.example.com", and that the cryptroot passphrase is "secret" + +-- , Wed, 30 Sep 2009 --- cryptsetup-1.1.0~rc2.orig/debian/libcryptsetup1.symbols +++ cryptsetup-1.1.0~rc2/debian/libcryptsetup1.symbols @@ -0,0 +1,2 @@ +libcryptsetup.so.1 libcryptsetup1 #MINVER# + *@CRYPTSETUP_1.0 2:1.1 --- cryptsetup-1.1.0~rc2.orig/debian/cryptsetup.apport +++ cryptsetup-1.1.0~rc2/debian/cryptsetup.apport @@ -0,0 +1,11 @@ +'''apport package hook for cryptsetup + +(c) 2009 Author: Reinhard Tartler +''' + +from apport.hookutils import * + +def add_info(report): + attach_file(report, '/etc/fstab', 'fstab') + attach_file_if_exists(report, '/etc/crypttab', 'crypttab') + --- cryptsetup-1.1.0~rc2.orig/debian/cryptsetup.dirs +++ cryptsetup-1.1.0~rc2/debian/cryptsetup.dirs @@ -0,0 +1,15 @@ +/etc/bash_completion.d +/etc/default +/etc/init.d +/lib/cryptsetup/checks +/lib/cryptsetup/scripts +/sbin +/usr/sbin +/usr/share/bug +/usr/share/initramfs-tools/hooks +/usr/share/initramfs-tools/scripts/local-top +/usr/share/initramfs-tools/scripts/local-bottom +/usr/share/initramfs-tools/conf-hooks.d +/usr/share/man/man5 +/usr/share/man/man8 +/usr/share/apport/package-hooks/ --- cryptsetup-1.1.0~rc2.orig/debian/passdev.c +++ cryptsetup-1.1.0~rc2/debian/passdev.c @@ -0,0 +1,287 @@ +/* + * passdev.c - waits for a given device to appear, mounts it and reads a + * key from it which is piped to stdout. + * + * Copyright (C) 2008 David Härdeman + * + * This package is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This package is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this package; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + + +#define _BSD_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static bool do_debug = false; + +static void +debug(const char *fmt, ...) +{ + va_list ap; + + if (!do_debug) + return; + va_start(ap, fmt); + vfprintf(stderr, fmt, ap); + va_end(ap); +} + +static bool +do_mount(const char *device, const char *dir) +{ + pid_t pid; + pid_t wpid; + int status; + char *fstypes[] = { "ext4", "ext3", "ext2", "vfat", "reiserfs", "xfs", "isofs", "udf" }; + int fsindex; + + if (!device || !dir) + return false; + + for (fsindex = 0; + fsindex < (sizeof(fstypes) / sizeof(fstypes[0])); + fsindex++) + { + pid = fork(); + if (pid < 0) { + /* Error */ + return false; + } else if (pid > 0) { + /* We're in the parent process */ + do { + wpid = waitpid(pid, &status, 0); + } while (!WIFEXITED(status) && !WIFSIGNALED(status)); + if (WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS) + return true; + + /* Let's try another fstype */ + continue; + } else { + /* We're in the child process */ + debug("Mounting %s at %s\n", device, dir); + close(STDIN_FILENO); + close(STDOUT_FILENO); + close(STDERR_FILENO); + open("/dev/null", O_RDONLY, 0); + open("/dev/null", O_WRONLY, 0); + open("/dev/null", O_WRONLY, 0); + execl("/bin/mount", "/bin/mount", "-n", "-t", + fstypes[fsindex], + /*"ext4,ext3,ext2,vfat,reiserfs,xfs,isofs,udf",*/ + "-o", "noatime,nodiratime,nodev,noexec,nosuid,ro", + device, dir, (char *)NULL); + + /* If execl works, we won't end up here */ + exit(EXIT_FAILURE); + } + } + + /* We've tried all fstypes with no luck */ + return false; +} + +int +main(int argc, char **argv, char **envp) +{ + char *debugval; + char *devpath; + char *filepath; + struct stat st; + char *tmppath; + char tpath[] = "/tmp/passdev.XXXXXX"; + char *keypath; + int fd; + size_t toread; + size_t bytesread; + char *keybuffer; + size_t towrite; + size_t byteswritten; + ssize_t bytes; + char *to; + int timeout; + bool do_timeout = false; + + /* We only take one argument */ + if (argc != 2) { + fprintf(stderr, "Incorrect number of arguments\n"); + goto error; + } + + /* If DEBUG=1 is in the environment, enable debug messages */ + debugval = getenv("DEBUG"); + if (debugval && atoi(debugval) > 0) + do_debug = true; + + /* Split string into device and path (and timeout) */ + devpath = argv[1]; + filepath = strchr(devpath, ':'); + if (!filepath || !(*filepath) || !(*(filepath + 1))) { + fprintf(stderr, "Invalid key path\n"); + goto error; + } + *filepath = '\0'; + filepath++; + to = strchr(filepath, ':'); + if (to && (*to) && (*(to + 1))) { + *to = '\0'; + to++; + timeout = atoi(to); + if (timeout > 0) + do_timeout = true; + } + debug("Path is %p and filepath is %p\n", devpath, filepath); + if (do_timeout) + debug("Timeout is %i\n",timeout); + + /* Wait until device is available */ + if (access(devpath, F_OK)) { + debug("Waiting for %s\n", devpath); + while(access(devpath, F_OK)) { + sleep(1); + if (do_timeout) { + if (timeout <= 0) + break; + timeout--; + } + } + } + + /* Make sure device is a blockdev */ + if (stat(devpath, &st)) { + fprintf(stderr, "Unable to stat %s\n", devpath); + goto error; + } else if (!S_ISBLK(st.st_mode)) { + fprintf(stderr, "%s is no block device\n", devpath); + goto error; + } + + /* Create a tmp dir where we mount the device */ + tmppath = mkdtemp(tpath); + if (!tmppath) { + fprintf(stderr, "Failed to create temporary directory\n"); + goto error; + } + + /* Ok, mount it */ + if (!do_mount(devpath, tmppath)) { + fprintf(stderr, "Failed to mount %s\n", devpath); + goto error_rmdir; + } + + /* Generate the full path to the keyfile */ + keypath = malloc(strlen(tmppath) + 1 + strlen(filepath) + 1); + if (!keypath) { + fprintf(stderr, "Failed to allocate memory\n"); + goto error_umount; + } + sprintf(keypath, "%s/%s", tmppath, filepath); + + /* Check that the keyfile exists */ + if (access(keypath, F_OK)) { + fprintf(stderr, "Keyfile doesn't exist\n"); + goto error_free; + } + + /* Get the size of the keyfile */ + if (stat(keypath, &st)) { + fprintf(stderr, "Unable to stat keyfile\n"); + goto error_free; + } + + /* Check the size of the keyfile */ + if (st.st_size < 0) { + fprintf(stderr, "Invalid keyfile size\n"); + goto error_free; + } + toread = (size_t)st.st_size; + + /* Open the keyfile */ + if ((fd = open(keypath, O_RDONLY)) < 0) { + fprintf(stderr, "Failed to open keyfile\n"); + goto error_free; + } + + /* Allocate a buffer for the keyfile contents */ + keybuffer = malloc(toread); + if (!keybuffer) { + fprintf(stderr, "Failed to allocate memory\n"); + goto error_close; + exit(EXIT_FAILURE); + } + + /* Read the keyfile */ + bytesread = 0; + while (bytesread < toread) { + bytes = read(fd, keybuffer + bytesread, toread - bytesread); + if (bytes <= 0) { + fprintf(stderr, "Failed to read entire key\n"); + goto error_keybuffer; + } + bytesread += bytes; + } + + /* Clean up */ + close(fd); + free(keypath); + umount(tmppath); + rmdir(tmppath); + + /* Write result */ + byteswritten = 0; + towrite = toread; + while (byteswritten < towrite) { + bytes = write(STDOUT_FILENO, keybuffer + byteswritten, + towrite - byteswritten); + if (bytes <= 0) { + fprintf(stderr, "Failed to write entire key\n"); + memset(keybuffer, 0, toread); + free(keybuffer); + goto error; + } + byteswritten += bytes; + } + + /* Clean up */ + memset(keybuffer, 0, toread); + free(keybuffer); + + /* Done */ + exit(EXIT_SUCCESS); + + /* Error handling */ +error_keybuffer: + memset(keybuffer, 0, toread); + free(keybuffer); +error_close: + close(fd); +error_free: + free(keypath); +error_umount: + umount(tmppath); +error_rmdir: + rmdir(tmppath); +error: + exit(EXIT_FAILURE); +} + --- cryptsetup-1.1.0~rc2.orig/debian/cryptsetup.postinst +++ cryptsetup-1.1.0~rc2/debian/cryptsetup.postinst @@ -0,0 +1,66 @@ +#! /bin/sh + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# + +case "$1" in + configure) + if [ -x /usr/sbin/update-initramfs ]; then + update-initramfs -u + fi + + if dpkg --compare-versions "$2" lt "2:1.0.6+20090405.svn49-1ubuntu8" + then + rm -f /etc/rcS.d/S26cryptdisks-early /etc/rcS.d/S28cryptdisks + fi + + # Do a number of checks on the currently installed crypttab + egrep -v "^[[:space:]]*(#|$)" /etc/crypttab | while read dst src key opts; do + if [ -z "$dst" ]; then + continue + elif [ -z "$src" ] || [ -z "$key" ] || [ -z "$opts" ]; then + # All fields must be present + echo "WARNING: $dst in /etc/crypttab is missing some arguments, see man cryptab(5)." >&2 + continue + else + # Some options are deprecated + while [ -n "$opts" ]; do + opt=$(echo $opts | sed "s/,.*//") + opts=${opts##$opt} + opts=${opts##,} + + if [ "$opt" = "ssl" ]; then + echo "WARNING: $dst in /etc/crypttab uses the deprecated ssl option, see man crypttab(5)." >&2 + elif [ "$opt" = "gpg" ]; then + echo "WARNING: $dst in /etc/crypttab uses the deprecated gpg option, see man crypttab(5)." >&2 + fi + done + fi + + done + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 --- cryptsetup-1.1.0~rc2.orig/debian/README.Debian +++ cryptsetup-1.1.0~rc2/debian/README.Debian @@ -0,0 +1,260 @@ +Cryptsetup for Debian +--------------------- + + Table of Contents + + 1. Introduction into Cryptsetup for Debian + + 2. Encrypted swap partition(s) + + 3. Insecure mode/owner for keys + + 4. Cryptsetup and udev + + 5. The 'check' option + + 6. Cryptsetup and Splashy + + 7. Remotely unlock encrypted rootfs + + 8. Backup the LUKS header + + 9. Credits + + +1. Introduction into Cryptsetup for Debian +------------------------------------------ + + Cryptsetup is a command-line interface for configuring encrypted block +devices via dm-crypt, a kernel device-mapper target. +The Debian cryptsetup package provides the initscript /etc/init.d/cryptdisks +and a configuration file /etc/crypttab for automatically configuring +encrypted devices at boot time. See man crypttab(5) for more information. + + The /sbin/luksformat script provides a simple interface for creating an +encrypted device that follows the LUKS standard and for putting a file system +onto the encrypted device. See man luksformat(8) for more information. + + If you wish to perform a Debian installation to an encrypted root, you might +be interested in using a version of Debian Installer with partman-crypto, +which will install the system and setup cryptsetup and initramfs-tools. + + For instructions about how to encrypt your root filesystem and integrate +cryptsetup into initramfs on a running system, see + /usr/share/doc/cryptsetup/README.initramfs.gz. + +For instructions about how to encrypt your swap partition(s), see below. + + +2. Encrypted swap partition(s) +------------------------------ + + An encrypted swap partition prevents spying on plaintext secrets (passwords) +that may be written to disk when memory is swapped to disk. + + To encrypt your swap partitions, you'll first have to deactivate your swap: + +swapoff -a + + You'll have to add an entry for every swap partition in /etc/crypttab. Be +sure toeplace the source device (here /dev/hda9) with your swap devices: +# +cswap1 /dev/hda9 /dev/random swap,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256 + + Now you need to change the swap devices in /etc/fstab to the encrypted swap +device names (/dev/mapper/cswap1 in this example). + +# +/dev/hda9 none swap sw 0 0 + +becomes + +# +/dev/mapper/cswap1 none swap sw 0 0 + + + Finally, you need to start the cryptsetup swap devices and reactivate swap: + +/etc/init.d/cryptdisks start +swapon -a + + That's it! You have a crypted swap device. Note that /dev/random as source +for your keyfile in /etc/crypttab might not generate enough random bytes. +If you're in doubt, you can use the (less secure) device /dev/urandom instead. + + Read the crypttab(5) manpage for more information, for example options to use +a different encryption algorithm than the default. + + +3. Insecure mode/owner for keys +------------------------------- + + Any key that is stored somewhere to be used with cryptsetup should have the +mode 400 (-r--------) and owner/group root. This way only root has permissions +to read the file. 'chown root.root keyfile' and 'chmod 400 keyfile' will do +the trick for you. + + If a key is stored on a vfat filesystem (very common for removable media), +chmod and chown will not work. The vfat filesytem (and several others too) +does not support file permissions and ownership. Instead, you should use the +uid, gid and umask options in /etc/fstab to ensure secure permissions for the +key. + + As an example, assume that /dev/sdg2 is the removable media containing +keyfiles on a vfat filesystem and that it is going to be mounted on +/media/flash0. The configuration in /etc/fstab should then be something +like this: + +# +/dev/sdg2 /media/flash0 vfat uid=0,gid=0,umask=277 0 0 + + If you are using udev, it might be a good idea to use the /dev/disk/by-label +links instead of /dev/sdg2 as the link will work no matter in which order the +media is inserted and detected. + + +4. Cryptsetup and udev +---------------------- + + As a workaround for some yet-to-be-fixed race condition in kernel, +device-mapper or udev, cryptsetup currently runs udevsettle. + + This leads to problems if you invoke cryptsetup as part of a udev rule. +udevsettle waits until queued kernel/udev events are processed and the +'run programs' have finished. Due to cryptsetup itself being a 'run +program' in this case, this ends in a deadlock. + + Therefore cryptsetup should be detached directly after invocation in this +case, so that it runs asynchronously. + + +5. The 'check' option +--------------------- + + The 'check' option in crypttab allows to configure checks to be run against +the target device after cryptsetup has been invoked. +The default check 'blkid' can check for any known filesystem type, as it uses +blkid from util-linux. you can check for a particular filesystem by giving for +example 'checkargs=ext2' or 'checkargs=swap' as an option in /etc/crypttab. + + The 'precheck' option is for configuring checks to be run against the source +device before cryptsetup has been invoked. They are only available for plain +cryptsetup devices. LUKS devices have a hardcoded precheck that uses the +'isLuks' command of cryptsetup. +As there is no way to check a device for plain cryptsetup data, you can only +check for data that should not be on the device. for example the check could +search for common filesystems on the device, and abort if it finds any. +As this will never really ensure that no data is lost, the package doesn't +provide such a check. +Another example for a precheck could be to check the partition table id. For +a device that shall be used as swap partition, it could verify that only +partitions with type 'swap' (82) are used for encrypted swap. + + Please send us your checks, if you write new ones. If they are generally +useful, we will include them in the package. + + See man crypttab(5) for more information about the checksystem. + + +6. Cryptsetup and Splashy +------------------------- + + Splashy support in cryptsetup is currently somehow limited. Splashy is known +to freeze at the password dialog for encrypted non-root filesystems. Only the +password dialog for the encrypted root filesystem works. + + It seems like splashy freezes for any input dialog in initscripts while +input dialogs at initramfs stage seem to work. This leads to the assumption +that the bug is somewhere in splashy and neither in cryptsetups initscripts +nor in askpass, the keyscript that is responsible for cryptsetups passphrase +input dialogs. + + +7. Remotely unlock encrypted rootfs +----------------------------------- + + Thanks to Chris it's possible to install a dropbear ssh +server into the initramfs, connect to this ssh server during execution of +initramfs early in the boot process, and unlock encrypted devices - even the +root device - before the boot process continues. + + This way it is possible to use an encrypted root filesystem on headless +systems where no physical access is available during boot process. + + Unfortunately dropbear 0.52-1 is required for this to work. As this version +is not incuded in lenny, you'll have to install it manually. Thankfully this +version configures everything automatically, so all you have to do after +installing dropbear on the remote system, is to copy the root ssh keyfile from +/etc/initramfs/root/ssh/id_rsa to your local system: + +$ scp remote.system.com:/etc/initramfs/root/ssh/id_rsa remote_rsa + + Now the remote system should start dropbear automatically during initramfs +excecution at the boot process. You can login into the initramfs via ssh + +$ ssh -i remote_rsa -l root remote.system.com + + and echo the passphrase to a fifo file on the remote system: + +# echo -n "my_secret_passphrase" > /lib/cryptsetup/passfifo + + That's it. Now that the encrypted root device is unlocked, the remote system +should continue with the boot process. + + /usr/share/doc/cryptsetup/README.remote.gz is a documentation with more +details on the setup of an initramfs with suppurt to remotely unlock the +encrypted rootfs. + + +8. Backup the LUKS header +------------------------- + + The LUKS header is located at the beginning of every LUKS encrypted device. +It stores information such as used cipher, hash, etc. But most importantly, +the header contains eight keyslots, which do keep an encrypted version of the +LUKS masterkey. the data on an encrypted LUKS partition is encrypted with this +masterkey. thus, there's no way to restore the data once the masterkey is +lost. For that reason, one might want to backup the LUKS header in order to +prevent accidential data loss. + + On the other hand keeping a backup of the LUKS header isn't recommended for +security reasons. The reason is, that LUKS was designed with key revocation in +mind. Once the LUKS header is copied to a backup, revoking a (possibly +compromised) passphrase or keyfile from the keyslot isn't enough anymore. the +revoked passphrase/keyfile can easily be reactived by writing back the header +backup to the device. + + If you still want to store a backup of your LUKS header with these drawbacks +in mind, at least do it the following way: + + Search for the 'Payload offset' in the output of + +# cryptsetup luksDump + + Prepare a ramdisk to store the backup temporarely. You should do that in order +to prevent any hardware caching functions or filesystem jounals to copy the +backup around to places you cannot control. If you want to store the backup +permanently, write it to a read-only medium like CD immediately from ramdisk, +without your burning program writing an intermediate image to some temp dir. + + To actually backup the header, use the following command: + +# dd if= of= count= + + That's it. But once again, keep in mind all the security implications when +doing LUKS header backups. In general it's better to backup the data from +encrypted LUKS devices to another encrypted LUKS device. That way you can +manage the keyslots for both original and backup device independently. + + +9. Credits +---------- + + People who contributed to documentation for the Debian cryptsetup package: + +Jonas Meurer +David Härdeman +Bastian Kleineidam +Michael Gebetsroither + + -- Jonas Meurer , Tue, 01 Sep 2009 12:20:51 +0200 --- cryptsetup-1.1.0~rc2.orig/debian/cryptdisks-enable.upstart +++ cryptsetup-1.1.0~rc2/debian/cryptdisks-enable.upstart @@ -0,0 +1,36 @@ +# cryptdisks - enable encrypted block devices +# +# Sweep up any devices in /etc/crypttab that have not yet been started at +# the end of udev coldplugging; this partly duplicates the cryptdisks-udev +# job, but is necessary because: +# - some devices may not be registered as ID_FS_USAGE=crypto by udev (e.g., +# random-encrypted devices), but we don't want to call the upstart job +# for every single block device +# - some devices can only be decrypted after other devices are decrypted and +# mounted first, so we need a two-pass system (like +# /etc/init.d/cryptdisks{,-early} previously) +# +# This job currently still does not guarantee a race-free startup; instances +# of cryptdisks-udev may be started in parallel with this job. + +description "enable remaining boot-time encrypted block devices" + +start on stopped udevtrigger + +task +console output + +script + [ -r /lib/cryptsetup/cryptdisks.functions ] || { stop; exit 0; } + + . /lib/cryptsetup/cryptdisks.functions + + case "$CRYPTDISKS_ENABLE" in + [Nn]*) + exit 1 + ;; + esac + + INITSTATE="init" + do_start +end script --- cryptsetup-1.1.0~rc2.orig/debian/copyright +++ cryptsetup-1.1.0~rc2/debian/copyright @@ -0,0 +1,59 @@ +Format-Specification: http://svn.debian.org/wsvn/dep/web/deps/dep5.mdwn?op=file +Maintainer: Milan Broz +Source: http://code.google.com/p/cryptsetup + +Files: debian/askpass.c, debian/passdev.c +Copyright: © 2008 David Härdeman +License: GPL-2+ + +Files: debian/scripts/cryptdisks_start +Copyright: © 2007 Jon Dowland +License: GPL-2+ + +Files: debian/README.openct +Copyright: © 2008 Daniel Baumann +License: GPL-2+ + +Files: debian/README.opensc +Copyright: © 2008 Benjamin Kiessling +License: GPL-2+ + +Files: debian/README.remote +Copyright: © 2009 +License: GPL-2+ + +Files: debian/scripts/luksformat +Copyright: © 2005 Canonical Ltd. +License: GPL-2+ + +Files: debian/* +Copyright: © 2004-2005 Wesley W. Terpstra + © 2005-2006 Michael Gebetsroither + © 2006-2008 David Härdeman + © 2005-2009 Jonas Meurer +License: GPL-2+ + +Files: luks/sha/* +Copyright: © 2002 Dr Brian Gladman, Worcester, UK +License: GPL + +Files: * +Copyright: © 2004 Christophe Saout + © 2004-2008 Clemens Fruhwirth +License: GPL-2+ + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this package; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + . + On Debian systems, the complete text of the GNU General Public + License v2 can be found in `/usr/share/common-licenses/GPL-2'. --- cryptsetup-1.1.0~rc2.orig/debian/initramfs-conf.d +++ cryptsetup-1.1.0~rc2/debian/initramfs-conf.d @@ -0,0 +1,6 @@ +# declare that we want usplash added to the initramfs whenever cryptsetup is +# used +USPLASH=y + +# and for systems using plymouth instead, use the new option +FRAMEBUFFER=y --- cryptsetup-1.1.0~rc2.orig/debian/askpass.c +++ cryptsetup-1.1.0~rc2/debian/askpass.c @@ -0,0 +1,728 @@ +/* + * askpass.c - prompts a user for a passphrase using any suitable method + * and prints the result to stdout. + * + * Copyright (C) 2008 David Härdeman + * + * This package is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This package is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this package; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + + +#define _GNU_SOURCE +#define _BSD_SOURCE +#define _POSIX_C_SOURCE 1 +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define DEBUG 0 + +#define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0])) + +static bool disable_method(const char *method); + +/***************************************************************************** + * Utility functions * + *****************************************************************************/ +static void +debug(const char *fmt, ...) +{ + va_list ap; + static bool first = true; + static FILE *dbgfile; + + if (!DEBUG) + return; + + if (first) { + first = false; + dbgfile = fopen("/tmp/askpass.debug", "a"); + } + + if (!dbgfile) + return; + + va_start(ap, fmt); + vfprintf(dbgfile, fmt, ap); + va_end(ap); +} + +static void +usage(const char *arg0, const char *errmsg) +{ + if (errmsg) + fprintf(stderr, "Error: %s\nUsage: %s PROMPT\n", errmsg, arg0); + else + fprintf(stderr, "Usage: %s PROMPT\n", arg0); + exit(EXIT_FAILURE); +} + +static void +fifo_common_finish(int fd, char **buf, size_t *used, size_t *size) +{ + if (fd >= 0) + close(fd); + + if (!*buf) + return; + + memset(*buf, '\0', *size); + free(*buf); + *buf = NULL; + *used = 0; + *size = 0; +} + +static bool +fifo_common_read(int fd, char **buf, size_t *used, size_t *size) +{ + ssize_t result; + +again: + if ((*size - *used) == 0) { + *size += 4096; + *buf = realloc(*buf, *size); + if (!*buf) { + *size = 0; + *used = 0; + debug("Failed to allocate memory for passphrase\n"); + return false; + } + } + +reread: + result = read(fd, *buf + *used, *size - *used); + + if (result < 0) { + if (errno == EAGAIN) + return false; + if (errno == EINTR) + goto reread; + debug("Error when reading from fifo\n"); + return false; + } + + debug("Read %i bytes from fifo\n", (int)result); + *used += result; + + if (result == 0) + return true; + + goto again; +} + + +/***************************************************************************** + * usplash functions * + *****************************************************************************/ +#define USPLASH_WRITE_FIFO "/dev/.initramfs/usplash_fifo" +#define USPLASH_READ_FIFO "/dev/.initramfs/usplash_outfifo" +static size_t usplashused = 0; +static size_t usplashsize = 0; +static char *usplashbuf = NULL; +static bool usplashwaiting = false; + +static bool +usplash_command(const char *cmd) +{ + int wrfd; + ssize_t len; + size_t towrite = strlen(cmd) + 1; + size_t written = 0; + + wrfd = open(USPLASH_WRITE_FIFO, O_WRONLY | O_NONBLOCK); + if (wrfd < 0) + return false; + + while (written < towrite) { + len = write(wrfd, cmd + written, towrite - written); + if (len <= 0) + break; + written += len; + } + + close(wrfd); + if (written != towrite) + return false; + else + return true; +} + +static pid_t * +pidlist(const char *target, size_t *retlen) +{ + pid_t *plist = NULL; + size_t plistlen = 0; + pid_t pid; + DIR *pdir; + FILE *fp; + struct dirent *d; + char path[256]; + char buf[256]; + char *tmp; + + pdir = opendir("/proc"); + if (!pdir) + goto out; + + while ((d = readdir(pdir)) != NULL) { + pid = (pid_t)atoi(d->d_name); + if (!pid) + continue; + + snprintf(path, sizeof(path), "/proc/%s/cmdline", d->d_name); + + fp = fopen(path, "r"); + if (!fp) + continue; + + tmp = fgets(buf, sizeof(buf), fp); + fclose(fp); + if (!tmp) + continue; + + tmp = strrchr(buf, '/'); + if (tmp) + tmp++; + else + tmp = buf; + + if (strcmp(tmp, target)) + continue; + + plistlen++; + plist = realloc(plist, plistlen * sizeof(pid_t)); + if (!plist) { + debug("realloc failed"); + plistlen = 0; + plist = NULL; + goto out; + } + + plist[plistlen - 1] = pid; + } + +out: + if (pdir) + closedir(pdir); + *retlen = plistlen; + return plist; +} + +static bool +chvt(int vtnum) +{ + int fd; + bool rv = false; + + fd = open("/dev/console", O_RDWR); + if (fd < 0) + goto out; + + if (ioctl(fd, VT_ACTIVATE, vtnum)) + goto out; + + if (ioctl(fd, VT_WAITACTIVE, vtnum)) + goto out; + + rv = true; +out: + if (fd >= 0) + close(fd); + return rv; +} + +static size_t +killall(pid_t *plist, size_t plistlen, int sig) +{ + pid_t pid; + int i; + size_t signalled = 0; + + for (i = 0; i < plistlen; i++) { + pid = plist[i]; + if (pid == 0) + continue; + + debug("Signalling %i\n", (int)pid); + if (kill(pid, sig) == 0) + signalled++; + else + plist[i] = 0; + } + + return signalled; +} + +static void +usplash_finish(int fd) +{ + pid_t *plist; + size_t plistlen; + + debug("usplash_finish\n"); + if (usplashwaiting) { + /* This is ugly, but we need to unwedge usplash if a different + * method has been used to provide the passphrase and usplash + * is still waiting for user input. Sending a newline to + * usplash's console did not seem to provide a reliable + * method and this should only be needed in exceptional + * cases anyway. + */ + debug("Unwedging usplash\n"); + /* Changing the VT will normally terminate usplash */ + chvt(1); + sleep(1); + + /* Get a list of remaining usplash procs (if any) to kill */ + plist = pidlist("usplash", &plistlen); + if (plistlen > 0) { + if (killall(plist, plistlen, SIGTERM) > 0) { + sleep(2); + killall(plist, plistlen, SIGKILL); + } + } + usplashwaiting = false; + } else { + usplash_command("TIMEOUT 15"); + } + + fifo_common_finish(fd, &usplashbuf, &usplashused, &usplashsize); +} + +static bool +usplash_read(int fd, char **buf, size_t *size) +{ + debug("In usplash_read\n"); + if (fifo_common_read(fd, &usplashbuf, &usplashused, &usplashsize)) { + while (usplashused > 0 && + ((usplashbuf[usplashused - 1] == '\n') || + (usplashbuf[usplashused - 1] == '\0'))) { + usplashused--; + usplashbuf[usplashused] = '\0'; + debug("Correcting usplash read length\n"); + } + *buf = usplashbuf; + *size = usplashused; + usplashwaiting = false; + return true; + } + + return false; +} + +static int +usplash_prepare(const char *prompt) +{ + int rdfd = -1; + int usplash_cmd_len = strlen("TEXT-URGENT"); + int cmd_input_max = strlen(prompt) + usplash_cmd_len + 2; + char cmd_input[cmd_input_max]; + char *prompt_ptr = prompt; + char *newline = NULL; + + if (!usplash_command("TIMEOUT 0")) + return -1; + + /* handle any non-literal embedded newlines in prompt */ + while ( (newline = strstr(prompt_ptr,"\\n")) != NULL ) { + /* Calculate length of string leading up to newline. */ + int line_len = newline - prompt_ptr; + /* Add text-urgent length, space, and NULL. */ + line_len += usplash_cmd_len + 2; + + /* Even though line_len can never be larger than + cmd_input_max, check it anyway. */ + if (line_len > cmd_input_max) + return -1; + + /* Force trimming of prompt to location of newline. */ + snprintf(cmd_input, line_len, "TEXT-URGENT %s", prompt_ptr); + if (!usplash_command(cmd_input)) + return -1; + + /* Skip over newline. */ + prompt_ptr = newline + 2; + } + + snprintf(cmd_input, cmd_input_max, "INPUTQUIET %s", prompt_ptr); + if (!usplash_command(cmd_input)) + return -1; + + rdfd = open(USPLASH_READ_FIFO, O_RDONLY | O_NONBLOCK); + /* If usplash is enabled, disable console */ + if (rdfd >= 0) { + disable_method("console"); + usplashwaiting = true; + } + + return rdfd; +} + +/***************************************************************************** + * splashy functions * + *****************************************************************************/ + +/* It might be better style to just do a popen of splashy_update ? */ + +#define SPLASHY_SOCK "\0/splashy" +static size_t splashyused = 0; +static size_t splashysize = 0; +static char *splashybuf = NULL; + +static int +splashy_prepare(const char *prompt) +{ + int fd; + struct sockaddr addr = {AF_UNIX, SPLASHY_SOCK}; + struct iovec iov[2]; + + if ((fd = socket (PF_UNIX, SOCK_STREAM, 0)) == -1) { + return -1; + } + + if (connect (fd, &addr, sizeof addr) == -1) { + close (fd); + return -1; + } + + iov[0].iov_base = "getpass "; + iov[0].iov_len = strlen ("getpass "); + iov[1].iov_base = prompt; + iov[1].iov_len = strlen (prompt) + 1; + + if (writev (fd, iov, 2) == -1) { + close (fd); + return -1; + } + + /* Shutdown write? */ + + return fd; +} + +static bool +splashy_read(int fd, char **buf, size_t *size) +{ + debug("In splashy_read\n"); + if (fifo_common_read(fd, &splashybuf, &splashyused, &splashysize)) { + *buf = splashybuf; + *size = splashyused; + return true; + } + + return false; +} + + +static void +splashy_finish(int fd) +{ + fifo_common_finish (fd, &splashybuf, &splashyused, &splashysize); +} + +/***************************************************************************** + * fifo functions * + *****************************************************************************/ +#define FIFO_PATH "/lib/cryptsetup/passfifo" +static size_t fifoused = 0; +static size_t fifosize = 0; +static char *fifobuf = NULL; + +static void +fifo_finish(int fd) +{ + fifo_common_finish(fd, &fifobuf, &fifoused, &fifosize); +} + +static bool +fifo_read(int fd, char **buf, size_t *size) +{ + debug("In fifo_read\n"); + if (fifo_common_read(fd, &fifobuf, &fifoused, &fifosize)) { + *buf = fifobuf; + *size = fifoused; + return true; + } + + return false; +} + +static int +fifo_prepare(const char *prompt) +{ + int ret; + + ret = mkfifo(FIFO_PATH, 0600); + if (ret && errno != EEXIST) + return -1; + + return open(FIFO_PATH, O_RDONLY | O_NONBLOCK); +} + +/***************************************************************************** + * console functions * + *****************************************************************************/ +#define CONSOLE_PATH "/dev/console" +static struct termios term_old; +static bool term_set = false; +static char *consolebuf = NULL; +static size_t consolebuflen = 0; + +static void +console_finish(int fd) +{ + if (consolebuf) { + memset(consolebuf, '\0', consolebuflen); + free(consolebuf); + consolebuf = NULL; + consolebuflen = 0; + } + + if (!term_set || fd < 0) + return; + + term_set = false; + tcsetattr(fd, TCSAFLUSH, &term_old); + fprintf(stderr, "\n"); + klogctl(7, NULL, 0); +} + +bool +console_read(int fd, char **buf, size_t *size) +{ + ssize_t nread; + + /* Console is in ICANON mode so we'll get entire lines */ + nread = getline(&consolebuf, &consolebuflen, stdin); + + if (nread < 0) + return NULL; + + /* Strip trailing newline, if any */ + if (nread > 0 && consolebuf[nread - 1] == '\n') { + nread--; + consolebuf[nread] = '\0'; + } + + *size = nread; + *buf = consolebuf; + + return true; +} + +static int +console_prepare(const char *prompt) +{ + struct termios term_new; + char *prompt_ptr = prompt; + char *newline = NULL; + + if (!isatty(STDIN_FILENO)) { + if (access(CONSOLE_PATH, R_OK | W_OK)) { + debug("No access to console device " CONSOLE_PATH "\n"); + return -1; + } + + if (!freopen(CONSOLE_PATH, "r", stdin) || + !freopen(CONSOLE_PATH, "a", stdout) || + !freopen(CONSOLE_PATH, "a", stderr) || + !isatty(STDIN_FILENO)) { + debug("Failed to open console\n"); + return -1; + } + } + + if (tcgetattr(STDIN_FILENO, &term_old)) { + debug("Failed to get terminal settings\n"); + return -1; + } + + term_new = term_old; + term_new.c_lflag &= ~ECHO; + term_new.c_lflag |= ICANON; + + if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_new)) { + debug("Failed to disable echoing\n"); + return -1; + } + + /* handle any non-literal embedded newlines in prompt */ + while ( (newline = strstr(prompt_ptr,"\\n")) != NULL ) { + /* Calculate length of string leading up to newline. */ + int line_len = newline - prompt_ptr; + + /* Force trimming of prompt to location of newline. */ + if (fwrite(prompt_ptr, line_len, 1, stderr) < 1 || + fwrite("\n", 1, 1, stderr) < 1) { + debug("Failed to print prompt\n"); + tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old); + return -1; + } + + /* Skip over newline. */ + prompt_ptr = newline + 2; + } + if (fputs(prompt_ptr, stderr) < 0) { + debug("Failed to print prompt\n"); + tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old); + return -1; + } + + /* Disable printk to console */ + klogctl(6, NULL, 0); + term_set = true; + return STDIN_FILENO; +} + +/***************************************************************************** + * main functions * + *****************************************************************************/ + +struct method { + const char *name; + int (*prepare)(const char *prompt); + bool (*read)(int fd, char **buf, size_t *size); + void (*finish)(int fd); + bool active; + bool enabled; + int fd; +}; + +static struct method methods[] = { + { "usplash", usplash_prepare, usplash_read, usplash_finish, false, true, -1 }, + { "splashy", splashy_prepare, splashy_read, splashy_finish, false, true, -1 }, + { "fifo", fifo_prepare, fifo_read, fifo_finish, false, true, -1 }, + { "console", console_prepare, console_read, console_finish, false, true, -1 } +}; + +static bool +disable_method(const char *method) +{ + int i; + bool result = false; + + debug("Disabling method %s\n", method ? method : "ALL"); + + for (i = 0; i < ARRAY_SIZE(methods); i++) { + /* A NULL method means all methods should be disabled */ + if (method && strcmp(methods[i].name, method)) + continue; + if (!methods[i].enabled) + continue; + if (methods[i].active) + methods[i].finish(methods[i].fd); + + methods[i].active = false; + methods[i].fd = -1; + methods[i].enabled = false; + result = true; + } + + return result; +} + +int +main(int argc, char **argv, char **envp) +{ + char *pass = NULL; + size_t passlen = 0; + int i; + int nfds; + fd_set fds; + int ret; + bool done = false; + sigset_t sigset; + + if (argc != 2) + usage(argv[0], "incorrect number of arguments"); + + sigfillset(&sigset); + sigprocmask(SIG_BLOCK, &sigset, NULL); + + for (i = 0; i < ARRAY_SIZE(methods); i++) { + if (!methods[i].enabled) + continue; + debug("Enabling method %s\n", methods[i].name); + methods[i].fd = methods[i].prepare(argv[1]); + if (methods[i].fd < 0) + methods[i].active = false; + else + methods[i].active = true; + } + + while (!done) { + nfds = 0; + FD_ZERO(&fds); + for (i = 0; i < ARRAY_SIZE(methods); i++) { + if (!methods[i].enabled || methods[i].fd < 0) + continue; + debug("method %i has fd %i and name %s\n", i, methods[i].fd, methods[i].name); + FD_SET(methods[i].fd, &fds); + if (methods[i].fd + 1 > nfds) + nfds = methods[i].fd + 1; + } + + if (nfds == 0) { + debug("All methods disabled\n"); + exit(EXIT_FAILURE); + } + + debug("Starting select with nfds %i\n", nfds); + ret = select(nfds, &fds, NULL, NULL, NULL); + + if (ret <= 0) { + if (ret == 0 || errno == EINTR) + continue; + debug("Select failed\n"); + disable_method(NULL); + exit(EXIT_FAILURE); + } + + for (i = 0; i < ARRAY_SIZE(methods); i++) { + if (!methods[i].enabled || methods[i].fd < 0) + continue; + if (!FD_ISSET(methods[i].fd, &fds)) + continue; + if (methods[i].read(methods[i].fd, &pass, &passlen) && pass) { + done = true; + break; + } + } + } + + debug("Writing %i bytes to stdout\n", (int)passlen); + write(STDOUT_FILENO, pass, passlen); + disable_method(NULL); + exit(EXIT_SUCCESS); +} + --- cryptsetup-1.1.0~rc2.orig/debian/cryptsetup.docs +++ cryptsetup-1.1.0~rc2/debian/cryptsetup.docs @@ -0,0 +1,5 @@ +AUTHORS +debian/README.initramfs +debian/README.remote +debian/README.openct +debian/README.opensc --- cryptsetup-1.1.0~rc2.orig/debian/libcryptsetup1.dirs +++ cryptsetup-1.1.0~rc2/debian/libcryptsetup1.dirs @@ -0,0 +1 @@ +/usr/lib --- cryptsetup-1.1.0~rc2.orig/debian/rules +++ cryptsetup-1.1.0~rc2/debian/rules @@ -0,0 +1,180 @@ +#!/usr/bin/make -f + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +DEB_VERSION := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \ + egrep '^Version:' | head -n1 | cut -f2 -d ' ' )) +DEB_DATE := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \ + egrep '^Date:' | head -n1 | cut -f2- -d ' ' | \ + LC_ALL=C date --file=- +%F )) + +# These are used for cross-compiling and for saving the configure script +# from having to guess our platform (since we know it already) +export DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) + +ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE)) + confflags += --build $(DEB_HOST_GNU_TYPE) +else + confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE) +endif + +CFLAGS = -Wall -g + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif +ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) + INSTALL_PROGRAM += -s +endif +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + MAKEFLAGS += -j$(NUMJOBS) +endif + +# Include quilt stuff. +include /usr/share/quilt/quilt.make + +configure: configure-stamp +configure-stamp: $(QUILT_STAMPFN) + dh_testdir + find -xtype f ! -name manifest > manifest + autoreconf --force --install + CFLAGS="$(CFLAGS)" ./configure $(confflags) \ + --prefix=/usr \ + --sbindir=/sbin \ + --mandir=/usr/share/man \ + --enable-shared \ + --enable-static + find -xtype f > manifest.new + diff manifest manifest.new | grep '>' | cut -b3- > config.mess + touch $@ + +build: build-stamp +build-stamp: configure-stamp + dh_testdir + sed 's/VERSION/$(DEB_VERSION)/;s/DATE/$(DEB_DATE)/' \ + debian/doc/variables.xml.in > debian/doc/variables.xml + xsltproc --nonet --xinclude -o debian/doc/ \ + /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl \ + debian/doc/manpages.xml + pod2man --section=8 --center="Administrative commands" --release="" debian/scripts/luksformat \ + debian/luksformat.8 + $(MAKE) + # link dynamically, better to depend on libraries in /usr for supportability + gcc lib/.libs/*.o src/*.o luks/.libs/*.o -o src/cryptsetup.static \ + -lpopt -ldevmapper -luuid -lgcrypt -lgpg-error + gcc -Wall -pedantic -std=c99 debian/askpass.c -o debian/askpass + gcc -Wall -pedantic -std=c99 debian/passdev.c -o debian/scripts/passdev + touch $@ + +clean: unpatch + dh_testdir + dh_testroot + if test -f Makefile; then $(MAKE) clean; fi + if test -f config.mess; then rm -f `cat config.mess`; fi + rm -f debian/luksformat.8 + rm -f debian/doc/*.[0-9] debian/doc/variables.xml + rm -f debian/scripts/passdev + rm -f debian/askpass + rm -f config.mess + rm -rf autom4te.cache + rm -f src/cryptsetup.static + dh_clean configure-stamp build-stamp install-stamp + +install: install-stamp +install-stamp: build-stamp + dh_testdir + dh_testroot + dh_clean + dh_installdirs + mkdir -p $(CURDIR)/debian/cryptsetup-udeb/ + $(MAKE) DESTDIR=$(CURDIR)/debian/cryptsetup install + cp src/cryptsetup.static $(CURDIR)/debian/cryptsetup/sbin/cryptsetup + + # Copy library files to library packages + #cp -a $(CURDIR)/debian/cryptsetup/usr/lib/libcryptsetup.la \ + # $(CURDIR)/debian/libcryptsetup-dev/usr/lib/ + cp -a $(CURDIR)/debian/cryptsetup/usr/lib/libcryptsetup.a \ + $(CURDIR)/debian/libcryptsetup-dev/usr/lib/ + cp -a $(CURDIR)/debian/cryptsetup/usr/lib/libcryptsetup.so \ + $(CURDIR)/debian/libcryptsetup-dev/usr/lib/ + cp -a $(CURDIR)/debian/cryptsetup/usr/lib/pkgconfig/libcryptsetup.pc \ + $(CURDIR)/debian/libcryptsetup-dev/usr/lib/pkgconfig/ + cp -a $(CURDIR)/debian/cryptsetup/usr/include/libcryptsetup.h \ + $(CURDIR)/debian/libcryptsetup-dev/usr/include/ + cp -a $(CURDIR)/debian/cryptsetup/usr/lib/libcryptsetup.so.1* \ + $(CURDIR)/debian/libcryptsetup1/usr/lib/ + + # Remove libraries from cryptsetup package, they're shiped in seperate library packags + rm -rf $(CURDIR)/debian/cryptsetup/usr/include + rm -rf $(CURDIR)/debian/cryptsetup/usr/lib + + install -m 0644 debian/cryptdisks.functions $(CURDIR)/debian/cryptsetup/lib/cryptsetup/ + install -m 0755 debian/checks/* $(CURDIR)/debian/cryptsetup/lib/cryptsetup/checks/ + install -m 0755 debian/scripts/luksformat $(CURDIR)/debian/cryptsetup/usr/sbin/ + install -m 0755 debian/scripts/cryptdisks_start $(CURDIR)/debian/cryptsetup/usr/sbin/ + install -m 0755 debian/scripts/cryptdisks_stop $(CURDIR)/debian/cryptsetup/usr/sbin/ + install -m 0755 debian/scripts/decrypt_* $(CURDIR)/debian/cryptsetup/lib/cryptsetup/scripts/ + install -m 0755 debian/scripts/passdev $(CURDIR)/debian/cryptsetup/lib/cryptsetup/scripts/ + install -m 0755 debian/askpass $(CURDIR)/debian/cryptsetup/lib/cryptsetup/ + install -m 0644 debian/cryptsetup.apport $(CURDIR)/debian/cryptsetup/usr/share/apport/package-hooks/cryptsetup.py + install -m 0755 debian/initramfs/cryptpassdev-hook \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptpassdev + install -m 0755 debian/initramfs/cryptroot-hook \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptroot + install -m 0755 debian/initramfs/cryptroot-script \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/scripts/local-top/cryptroot + install -m 0644 debian/initramfs/cryptroot-conf \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/conf-hooks.d/cryptsetup + install -m 0755 debian/initramfs/cryptopenct-hook \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptopenct + install -m 0755 debian/initramfs/cryptopensc-hook \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/hooks/cryptopensc + install -m 0755 debian/initramfs/cryptopensc-script-local-top \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/scripts/local-top/cryptopensc + install -m 0755 debian/initramfs/cryptopensc-script-local-bottom \ + $(CURDIR)/debian/cryptsetup/usr/share/initramfs-tools/scripts/local-bottom/cryptopensc + + install -m 0644 debian/cryptsetup.bash_completion \ + $(CURDIR)/debian/cryptsetup/etc/bash_completion.d/cryptsetup + install -m 0755 debian/cryptsetup.reportbug-script \ + $(CURDIR)/debian/cryptsetup/usr/share/bug/cryptsetup + touch $@ + +binary-indep: build install +# We have nothing to do by default. + +binary-arch: build install + dh_testdir + dh_testroot + dh_installchangelogs -a ChangeLog + dh_installdocs -a + dh_installexamples -a debian/scripts/gen-ssl-key + dh_installinit -a --no-start --name=cryptdisks-early --update-rcd-params="start 59 0 6 ." + dh_installinit -a --no-start --name=cryptdisks --update-rcd-params="start 48 0 6 ." + dh_installinit -a --no-start --name=cryptdisks-enable --upstart-only + dh_installinit -a --no-start --name=cryptdisks-udev --upstart-only + dh_installman -a debian/doc/crypttab.5 debian/doc/cryptdisks_start.8 debian/doc/cryptdisks_stop.8 debian/luksformat.8 + # Copy relevant parts to cryptsetup-udeb package + cp -a $(CURDIR)/debian/cryptsetup/etc $(CURDIR)/debian/cryptsetup-udeb/ + cp -a $(CURDIR)/debian/cryptsetup/lib $(CURDIR)/debian/cryptsetup-udeb/ + cp -a $(CURDIR)/debian/cryptsetup/sbin $(CURDIR)/debian/cryptsetup-udeb/ + # Remove bash-completion script from cryptsetup-ueb package + rm -r $(CURDIR)/debian/cryptsetup-udeb/etc/bash_completion.d + dh_lintian -a + dh_compress -a + dh_fixperms -a + dh_strip -a + dh_makeshlibs -a + dh_shlibdeps -a + dh_gencontrol -a + dh_installdeb -a + dh_md5sums -a + dh_builddeb -a + +binary: binary-indep binary-arch +.PHONY: configure build clean install binary-indep binary-arch binary patch unpatch --- cryptsetup-1.1.0~rc2.orig/debian/README.source +++ cryptsetup-1.1.0~rc2/debian/README.source @@ -0,0 +1,2 @@ +This package uses quilt for its patch management, see +/usr/share/doc/quilt/README.source if you are unfamiliar with it. --- cryptsetup-1.1.0~rc2.orig/debian/libcryptsetup-dev.dirs +++ cryptsetup-1.1.0~rc2/debian/libcryptsetup-dev.dirs @@ -0,0 +1,3 @@ +usr/include +usr/lib +usr/lib/pkgconfig --- cryptsetup-1.1.0~rc2.orig/debian/cryptdisks.functions +++ cryptsetup-1.1.0~rc2/debian/cryptdisks.functions @@ -0,0 +1,707 @@ +# +# This file is for inclusion with +# . /lib/cryptsetup/cryptdisks.functions +# and should not be executed directly. + +PATH="/sbin:/bin" +TABFILE="/etc/crypttab" +CRYPTDISKS_ENABLE="Yes" + +#set -x + +# Sanity checks +[ -x /sbin/cryptsetup ] || exit 0 +[ -f "$TABFILE" ] || exit 0 + +. /lib/lsb/init-functions + +if [ -r /etc/default/cryptdisks ]; then + . /etc/default/cryptdisks +fi + +MOUNT="$CRYPTDISKS_MOUNT" + +LOUD="" + +# Parses the option field from the crypttab file +parse_opts () { + local opts opt IFS PARAM VALUE + + # Strip comments - https://bugs.launchpad.net/bugs/185380 + opts=$(echo -n $1 | sed 's/ *#.*//') + PARAMS="" + CHECK="" + CHECKARGS="" + PRECHECK="" + TRIES="3" + TMPFS="" + MAKESWAP="" + USELUKS="" + KEYSCRIPT="" + IGNORE="" + CRYPTTAB_OPTIONS="" + + # Parse the options field, convert to cryptsetup parameters + # and construct the command line + IFS=',' + for opt in $opts; do + PARAM=$(echo "$opt" | sed 's/=.*//') + VALUE=$(echo "$opt" | sed '/=/!d;s/^.*=//') + + case "$PARAM" in + readonly) + PARAMS="$PARAMS -r" + ;; + cipher) + if [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for cipher option, skipping" + return 1 + fi + PARAMS="$PARAMS -c $VALUE" + ;; + size) + if [ -z "$VALUE" ] || echo "$VALUE" | grep -q "^[[:digit:]]\+$" && [ "$VALUE" -gt 0 ]; then + PARAMS="$PARAMS -s $VALUE" + else + log_warning_msg "$dst: option size used with an incorrect argument, skipping" + return 1 + fi + ;; + hash) + if [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for hash option, skipping" + return 1 + fi + PARAMS="$PARAMS -h $VALUE" + ;; + offset) + if [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for offset option, skipping" + return 1 + fi + PARAMS="$PARAMS -o $VALUE" + ;; + skip) + if [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for skip option, skipping" + return 1 + fi + PARAMS="$PARAMS -p $VALUE" + ;; + verify) + PARAMS="$PARAMS -y" + ;; + check) + if [ -z "$VALUE" ]; then + VALUE="$CRYPTDISKS_CHECK" + fi + if [ -x "$VALUE" ]; then + CHECK="$VALUE" + elif [ -x "/lib/cryptsetup/checks/$VALUE" ]; then + CHECK="/lib/cryptsetup/checks/$VALUE" + else + log_warning_msg "check $VALUE is not an executable script, skipping" + return 1 + fi + ;; + checkargs) + if [ -n "$VALUE" ]; then + CHECKARGS="$VALUE" + fi + ;; + precheck) + if [ -z "$VALUE" ]; then + VALUE="$CRYPTDISKS_PRECHECK" + fi + if [ -x "$VALUE" ]; then + PRECHECK="$VALUE" + elif [ -x "/lib/cryptsetup/checks/$VALUE" ]; then + PRECHECK="/lib/cryptsetup/checks/$VALUE" + else + log_warning_msg "precheck $VALUE is not an executable script, skipping" + return 1 + fi + ;; + tries) + if echo "$VALUE" | grep -q "^[[:digit:]]\+$" && [ "$VALUE" -gt 0 ]; then + TRIES="$VALUE" + else + log_warning_msg "$dst: option tries used with an incorrect argument - forced to $TRIES" + fi + ;; + swap) + MAKESWAP="yes" + SWCHECK="/lib/cryptsetup/checks/un_blkid" + SWCHECKARGS="swap" + ;; + tmp) + if [ -z "$VALUE" ]; then + TMPFS="ext2" + else + TMPFS="$VALUE" + fi + ;; + luks) + USELUKS="yes" + ;; + noearly) + if [ "$INITSTATE" = "early" ]; then + IGNORE="yes" + fi + ;; + noauto) + if [ -n "$INITSTATE" ]; then + IGNORE="yes" + fi + ;; + loud) + LOUD="yes" + ;; + keyscript) + if [ -n "$KEYSCRIPT" ]; then + log_warning_msg "$dst: multiple key decryption options are not allowed together, skipping" + return 1 + elif [ -x "$VALUE" ]; then + KEYSCRIPT="$VALUE" + elif [ -x "/lib/cryptsetup/scripts/$VALUE" ]; then + KEYSCRIPT="/lib/cryptsetup/scripts/$VALUE" + elif [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for keyscript option, skipping" + return 1 + else + log_warning_msg "script $VALUE is not an executable script, skipping" + return 1 + fi + ;; + esac + + CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM" + [ -z "$VALUE" ] && VALUE="yes" + eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\"" + done + export CRYPTTAB_OPTIONS + + return 0 +} + +# Set up loopback devices +lo_setup () { + #local loopdev + + if [ ! -f "$src" ]; then + return 0 + fi + + if [ ! -x /sbin/losetup ]; then + return 1 + fi + + if ! grep -q "[[:space:]]loop$" /proc/devices; then + modprobe -qb loop > /dev/null 2>&1 || return 1 + fi + + loopdev=$(losetup -f 2> /dev/null) || return 1 + + losetup "$loopdev" "$src" || return 1 + src="$loopdev" + return 0 +} + +rm_lo_setup () { + if [ ! -f "$src" ]; then + return 0 + fi + + if [ -n "$loopdev" ]; then + losetup -d "$loopdev" || return 1 + fi + return 0 +} + +# Sanity check for keys +check_key () { + local GMODE OMODE OWNER GROUP + + # If the keyscript option is set, the "key" is just an argument to + # the keyscript and not necessarily a file + if [ -n "$KEYSCRIPT" ]; then + return 0 + fi + + if [ -z "$key" ] || [ "$key" = "none" ]; then + key="" + return 0 + fi + + if [ ! -e "$key" ]; then + log_warning_msg "$dst: keyfile not found" + return 1 + fi + + # stat is unfortunately in /usr/bin... + OMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{7\}//') + GMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/') + GROUP=$(ls -l "$key" | sed 's/^.\{11\}[^[:space:]]* [^[:space:]]* \([^[:space:]]*\).*/\1/') + # regex needs to work if keyfile has xattrs - https://launchpad.net/bugs/231339 + OWNER=$(ls -l "$key" | sed 's/^.\{10\}[+]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/') + + # LUKS requires a persistent key, /dev/*random is not supported + if [ "$USELUKS" = "yes" ] && [ "$key" != "${key%random}" ]; then + log_warning_msg "$dst: LUKS does not work with random data as key" + return 1 + fi + + # Check owner + if [ "$OWNER" != "root" ]; then + log_warning_msg "$dst: INSECURE OWNER FOR $key, see /usr/share/doc/cryptsetup/README.Debian." + fi + + # If key is random, we're done + if [ "$key" != "${key%random}" ]; then + return 0 + fi + + # Check group and other permissions + if [ "$OMODE" != "---" ] || [ "$GROUP" != "root" ] && [ "$GMODE" != "---" ]; then + log_warning_msg "$dst: INSECURE MODE FOR $key, see /usr/share/doc/cryptsetup/README.Debian." + fi + + return 0 +} + +# Setup a luks mapping +do_luks () { + local tried keyscriptarg + tried=0 + keyscriptarg="" + + if ! cryptsetup isLuks "$src" >/dev/null 2>&1; then + log_warning_msg "$dst: device '$src' is not a LUKS partition, skipping" + return 1 + fi + + if [ -n "$KEYSCRIPT" ]; then + # keyscript => "key" is just an argument to the keyscript + keyscriptarg="$key" + key="-" + elif [ -z "$key" ]; then + # no keyscript, no key => password + keyscriptarg="Unlocking the disk $src ($dst)\nEnter passphrase: " + key="-" + if [ -x /bin/plymouth ] && plymouth --ping; then + KEYSCRIPT="plymouth ask-for-password --prompt" + keyscriptarg=$(printf "$keyscriptarg") + else + KEYSCRIPT="/lib/udev/watershed /lib/cryptsetup/askpass" + fi + elif [ "$key" != "${key%/dev/*}" ]; then + # no keyscript, device key => special treatment + keyscriptarg="" + key="$key" + KEYSCRIPT="" + else + # no keyscript, key => file input + keyscriptarg="$key" + key="-" + KEYSCRIPT="cat" + fi + + PARAMS="$PARAMS --key-file=$key" + + while [ "$tried" -lt "$TRIES" ]; do + if [ -n "$KEYSCRIPT" ]; then + if $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS luksOpen "$src" "${dst}_unformatted"; then + break + fi + else + if cryptsetup $PARAMS luksOpen "$src" "${dst}_unformatted"; then + break + fi + fi + + tried=$(( $tried + 1 )) + if [ "$tried" -ge "$TRIES" ]; then + return 1 + fi + done + + if [ -n "$CHECK" ] && ! "$CHECK" "/dev/mapper/${dst}_unformatted" $CHECKARGS; then + log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed" + cryptsetup luksClose "${dst}_unformatted" + return 1 + fi + + return 0 +} + +# Setup a regular mapping +do_noluks () { + local pre_out tried keyscriptarg + tried=0 + keyscriptarg="" + + if [ -z "$PRECHECK" ]; then + PRECHECK="/lib/cryptsetup/checks/un_blkid" + fi + + if ! pre_out=$("$PRECHECK" "$src" 2> /dev/null) && \ + [ "$MAKESWAP" != "yes" ] && \ + ! /lib/cryptsetup/checks/blkid "$src" swap >/dev/null; then + log_warning_msg "$dst: the precheck for '$src' failed: $pre_out" + return 1 + fi + + if [ -n "$KEYSCRIPT" ]; then + # keyscript => "key" is just an argument to the keyscript + keyscriptarg="$key" + key="-" + elif [ -z "$key" ]; then + # no keyscript, no key => password + keyscriptarg="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: " + key="-" + if [ -x /bin/plymouth ] && plymouth --ping; then + KEYSCRIPT="plymouth ask-for-password --prompt" + keyscriptarg=$(printf "$keyscriptarg") + else + KEYSCRIPT="/lib/udev/watershed /lib/cryptsetup/askpass" + fi + else + # no keyscript, key => file input + keyscriptarg="" + key="$key" + KEYSCRIPT="" + fi + + PARAMS="$PARAMS --key-file=$key" + + while [ "$tried" -lt "$TRIES" ]; do + if [ -n "$KEYSCRIPT" ]; then + $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS create "${dst}_unformatted" "$src" + else + cryptsetup $PARAMS create "${dst}_unformatted" "$src" + fi + + if [ -z "$CHECK" ] || "$CHECK" "/dev/mapper/${dst}_unformatted" $CHECKARGS; then + break + else + log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed - maybe the password is wrong" + cryptsetup remove "${dst}_unformatted" + fi + + tried=$(( $tried + 1 )) + if [ "$tried" -ge "$TRIES" ]; then + return 1 + fi + done + + return 0 +} + +# Premounts file systems +mount_fs () { + local point + MOUNTED="" + + for point in $MOUNT; do + if mount "$point" >/dev/null; then + MOUNTED="$MOUNTED $point" + fi + done +} + +# Postunmounts file systems +umount_fs () { + local point + + for point in $MOUNTED; do + umount "$point" >/dev/null + done +} + +# Prepares swap partitions using random keys +do_swap () { + local swap_out + + if [ "$MAKESWAP" != "yes" ] || [ ! -b "/dev/mapper/${dst}_unformatted" ] + then + return 0 + fi + + if swap_out=$(/lib/cryptsetup/checks/un_blkid "/dev/mapper/${dst}_unformatted" 2> /dev/null) || \ + /lib/cryptsetup/checks/blkid "/dev/mapper/${dst}_unformatted" swap > /dev/null 2>&1; then + mkswap "/dev/mapper/${dst}_unformatted" > /dev/null 2>&1 + else + log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed. /dev/mapper/$dst contains data: $swap_out" + do_close + return 1 + fi + + return 0 +} + +# Prepares tmp partitions using random keys +do_tmp () { + if [ "x$TMPFS" = "x" ] || [ ! -b "/dev/mapper/${dst}_unformatted" ]; then + return 0 + fi + + mkfs -t $TMPFS -q "/dev/mapper/${dst}_unformatted" > /dev/null 2>&1 || return 1 + mkdir -p "/var/run/cryptsetup/$dst" + mount -t $TMPFS "/dev/mapper/${dst}_unformatted" "/var/run/cryptsetup/$dst" || return 1 + chmod 1777 "/var/run/cryptsetup/$dst" + umount "/var/run/cryptsetup/$dst" + return 0 +} + +# Rename the device from its temp name to its final name, which will +# trigger mountall +finalize_device () { + dmsetup rename "${dst}_unformatted" "$dst" +} + +# Removes a mapping +do_close () { + local found IFS opt + + found="no" + IFS=',' + for opt in $opts; do + if [ "$opt" = "luks" ]; then + found="yes" + break + fi + done + + if [ "$found" = "yes" ]; then + cryptsetup luksClose "$dst" + else + cryptsetup remove "$dst" + fi + return $? +} + +load_optimized_module () { + local module optmodule + module="$1" + + optmodule=$(find "/lib/modules/$(uname -r)/kernel/arch" -name "${module}*.ko" 2> /dev/null) + if [ -n "$optmodule" ] && [ "$(echo -n "$optmodule" | wc -l)" -eq 1 ]; then + modprobe "$optmodule" 2>/dev/null && return 0 + fi + + modprobe "$module" 2>/dev/null || return 1 + return 0 +} + +# Sets up all entries in crypttab +handle_crypttab_line_start () { + dst=$1 + src=$2 + key=$3 + opts=$4 + + # Make sure that all fields are present + if [ -z "$dst" ]; then + return 1 + elif [ -z "$src" ] || [ -z "$key" ] || [ -z "$opts" ]; then + device_msg "$dst" "skipped, missing parameters" + return 1 + fi + + # parse UUID= symlinks + if [ "${src#UUID=}" != "$src" ]; then + src="/dev/disk/by-uuid/${src#UUID=}" + elif [ "${src#LABEL=}" != "$src" ]; then + src="/dev/disk/by-label/${src#LABEL=}" + fi + + # Do the preparatory steps + if ! parse_opts "$opts"; then + device_msg "$dst" "invalid opts" + return 1 + fi + + # Ignore noauto devices + if [ "$IGNORE" = "yes" ] && [ -z "$FORCE_START" ]; then + device_msg "$dst" "ignored" + return 0 + fi + + if ! check_key; then + device_msg "$dst" "invalid key" + return 1 + elif ! lo_setup; then + device_msg "$dst" "loopback failed" + fi + + # Export crypttab fields as environment variables + export CRYPTTAB_NAME="$dst" + export CRYPTTAB_SOURCE="$src" + export CRYPTTAB_KEY="$key" + + # Make sure source device exists + if [ ! -r "$src" ]; then + if [ "$LOUD" = "yes" ]; then + device_msg "$dst" "skipped, device $src does not exist" + fi + return 1 + fi + + # Make sure that target device doesn't exist + if [ -b "/dev/mapper/${dst}_unformatted" ] || [ -b "/dev/mapper/$dst" ] + then + device_msg "$dst" "running" + return 0 + fi + + # All checks passed, do the real setup + log_action_msg "$dst (starting).." + result="ok" + if [ "$USELUKS" = "yes" ]; then + do_luks || result="fail" + else + do_noluks || result="fail" + fi + + # Finish up + if [ "$result" != "ok" ]; then + rm_lo_setup + device_msg "$dst" "failed" + return 1 + else + do_swap + do_tmp + finalize_device + device_msg "$dst" "started" + fi + + return 0 +} + +handle_crypttab_line_stop () { + dst=$1 + src=$2 + key=$3 + opts=$4 + + if [ ! -b "/dev/mapper/$dst" ]; then + device_msg "$dst" "stopped" + return 0 + fi + + opencount=$(dmsetup info -c --noheadings -o open "$dst" 2> /dev/null || true) + if [ -z "$opencount" ]; then + device_msg "$dst" "error" + return 1 + elif [ "$opencount" != "0" ]; then + device_msg "$dst" "busy" + return 0 + fi + + #major=$(dmsetup info -c --noheadings -o major "$dst" 2> /dev/null || true) + #minor=$(dmsetup info -c --noheadings -o minor "$dst" 2> /dev/null || true) + src_major=$(dmsetup deps "$dst" 2> /dev/null | sed -e 's/^.*(\([0-9]*\), [0-9]*)$/\1/g' || true) + src_minor=$(dmsetup deps "$dst" 2> /dev/null | sed -e 's/^.*([0-9]*, \([0-9]*\))$/\1/g' || true) + + if [ -z "$src_major" ] || [ -z "$src_minor" ]; then + device_msg "$dst" "error" + return 1 + fi + + do_close + + # Detach loopback device, if attached + if [ "$src_major" = "7" ]; then + loopdev="/dev/loop${src_minor}" + if ! rm_lo_setup; then + device_msg "$dst" "detaching loopback failed" + return 1 + fi + fi + + device_msg "$dst" "stopping" + + return 0 +} + +crypttab_start_one_disk () { + local dst src key opts result + local ret=0 + + egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do + if [ "xUUID=$ID_FS_UUID" = "x$src" ]; then + src="/dev/disk/by-uuid/${src#UUID=}" + elif [ "xLABEL=$ID_FS_LABEL_ENC" = "x$src" ]; then + src="/dev/disk/by-label/${src#LABEL=}" + elif [ "x$1" != "x$src" ]; then + continue + fi + modprobe -qb dm-mod || true + modprobe -qb dm-crypt || true + dmsetup mknodes > /dev/null 2>&1 || true + # FIXME: no locking + mount_fs + handle_crypttab_line_start "$dst" "$src" "$key" "$opts" || ret=$? + umount_fs + done + return $ret +} + +do_start () { + local dst src key opts result + + modprobe -qb dm-mod || true + modprobe -qb dm-crypt || true + dmsetup mknodes > /dev/null 2>&1 || true + log_action_begin_msg "Starting $INITSTATE crypto disks" + mount_fs + + egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do + dev_match="$src" + if [ "${dev_match#UUID=}" != "$dev_match" ]; then + dev_match="$(readlink -f /dev/disk/by-uuid/${dev_match#UUID=})" + elif [ "${dev_match#LABEL=}" != "$dev_match" ]; then + dev_match="$(readlink -f /dev/disk/by-label/${dev_match#LABEL=})" + fi + # if there's already a udev-triggered job running for this + # device, wait for it to finish, then re-process to confirm + # that it's started successfully. In the general case this + # will just be a no-op, but we don't want to defer to the + # other job entirely because this is the fallback for fixing + # up any ordering-dependent decrypting. + while status cryptdisks-udev DEVNAME="$dev_match" 2>&1 | grep -q 'start' + do + sleep 1 + done + handle_crypttab_line_start "$dst" "$src" "$key" "$opts" <&3 || true + done 3<&1 + umount_fs + + log_action_end_msg 0 +} + +# Removes all mappings in crypttab +do_stop () { + local dst src key opts opencount major minor loopmajor + + dmsetup mknodes + log_action_begin_msg "Stopping $INITSTATE crypto disks" + loopmajor=$(grep "[[:space:]]*loop$" /proc/devices | sed 's/^[[:space:]]*//;s/[[:space:]].*//') + + egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do + handle_crypttab_line_stop "$dst" "$src" "$key" "$opts" <&3 || true + done 3<&1 + + log_action_end_msg 0 +} + +# Convenience function to handle $VERBOSE +device_msg () { + local dst msg + dst="$1" + msg="$2" + + if [ "$VERBOSE" != "no" ]; then + log_action_cont_msg "$dst ($msg)" + fi +} --- cryptsetup-1.1.0~rc2.orig/debian/README.openct +++ cryptsetup-1.1.0~rc2/debian/README.openct @@ -0,0 +1,133 @@ +openct with cryptsetup and luks in Debian +----------------------------------------- + +This is a overview on how you can make use of cryptsetup with your smartcard +device supported by openct. Please make sure that your smartcard reader or token +is supposed to be operated with openct and not with opensc or pcscd. You can get +some information about the supported hardware by openct at the following +homepage: + + + +This example is based on the ability of openct to store arbitrary data objects +on the smartcard. Note that you therefore have to use openct in version 0.6.12 +or newer, any versions before 0.6.12 do not properly support data objects. + +Although this use case was done with the Aladdin eToken PRO 32k, an USB crypto +token, this is a generic approach which works the same way with all supported +smartcard devices by openct. + +First of all, you should plug in your crypto token into USB or whatever +interface it uses and initalize the reader with the following command (as root): + + # openct-control init + +To check if your reader has been detected, you can run: + + # openct-tool list + +This should give you a similar result to this: + + 0 Aladdin eToken PRO + +If you do not see any reader listed, you have a problem and should read again +about the supported hardware on and make +sure you have the required support (e.g. USB) compiled into your kernel needed +to connect to your token. If you use a precompiled kernel from Debian, +everything is already built kernelwise and you probably only need to load the +module. + +In case you want to erase your previously used smartcard, you can do that by +executing the following command: + + # pkcs15-init --erase-card + +To setup the smartcard, you need to do the following: + + # pkcs15-init --create-pkcs15 + +Caution: You are beeing asked about the 'Security Officer PIN' and the 'User +unblocking PIN'. Although both of these pins are optional and can be left empty, +you should never do this: In case the personal user pin is typed wrong for a +given number (mostly three times), the smartcard is locked and can only be +unlocked with the user unblocking pin. If you even mistype the user unblocking +pin for a given number (mostly three times), the smartcard is locked and can +only be unlocked with the security officer pin, which is the most superior pin +in this hierarchy. With an unset (empty) security officer pin or user unblocking +pin, depending on the smartcard, an attacker can have unlimited tries to crack +your personal user pin, or, an attacker can simply make the smarcard unusable as +it cannot be unlocked anymore at all. + +To create a new identity on the smartcard, do the following: + + # pkcs15-init --store-pin --auth-id 01 --label "Daniel Baumann" + +If you have already one or more identities, you certainly want to bump the +auth-id here, and normally, the label used to describe the identify is the +persons first and last name. + +As we want to use the smartcard with luks, we first need to get some random +data: + + # dd if=/dev/random of=data.txt bs=1 count=32 + +And we store that random data as a data object to the private section of the +smartcard with: + + # pkcs15-init --store-data data.txt --auth-id 01 + +As of the time of writing, openct version 0.6.12 is available and does not +support labeling different data objects. Once this gets fixed in openct +upstream, you can store multiple data objects to the smartcard (create them by +appending '--label foo' to the above command and replace foo with the label you +want to use). + +Then, read the random data from the smartcard in order... + + # pkcs15-tool --read-data-object pkcs15-init -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1 + # pkcs15-tool --read-data-object pkcs15-init -o key.txt 1>/dev/null 2>&1 + +...to import that output to luks as a valid key (assumed that /dev/sda5 is your +encrypted partition): + + # cryptsetup luksAddKey /dev/sda5 key.txt + +To tell cryptsetup to let you authenticate with the openct backend, you need to +pass the respective decrypt script to it as a parameter in /etc/crypttab +(assumed that /dev/sda5 is your encrypted partition): + + sda5_crypt /dev/sda5 none luks,keyscript=/lib/cryptsetup/scripts/decrypt_openct + +At the moment all data objects have the same label 'pkcs15-init'. Once openct +supports labeling data objects, you can pass the respective label to openct with +the key parameter in /etc/crypttab like this: + + sda5_crypt /dev/sda5 none luks,keyscript=/lib/cryptsetup/scripts/decrypt_openct,key=foo + +For the time beeing, 'pkcs15-init' is passed to openct when no key is specified. + +Don't forget to backup key.txt to a save place and remove the temporary files +afterwards: + + # shred -uz key.txt data.txt + +Caution: cryptsetup as of version 1.0.5-1 does not support fallback to passphrase +if smartcard authentification fails (bee it three times wrong pin or not +compatible/not detected smartcard reader). That means, that for testing +purposes, it is recommended to keep an initrd image in /boot available which +does *not* use openct or opensc for authentification, so that you can change +your bootloader configuration on the fly if something does not work out as +expected. Therefore, copy your current initrd (the .bak backups from +initramfs-tools can maybe get overwritten by update-initramfs during the setup +of openct, so it is better to be on the save side): + + # cp /boot/initrd.img-`uname -r` /boot/initrd.img-`uname -r`.temp + +If you have completed all the steps upto now, you can update your initramfs +image with: + + # update-initramfs -u -k `uname -r` + +and reboot your machine. + + -- Daniel Baumann Wed, 22 Aug 2007 10:36:00 +0200 --- cryptsetup-1.1.0~rc2.orig/debian/compat +++ cryptsetup-1.1.0~rc2/debian/compat @@ -0,0 +1 @@ +6 --- cryptsetup-1.1.0~rc2.orig/debian/cryptsetup.preinst +++ cryptsetup-1.1.0~rc2/debian/cryptsetup.preinst @@ -0,0 +1,57 @@ +#! /bin/sh + +set -e + +create_crypttab() { + if [ ! -f "/etc/crypttab" ]; then + cat <<-EOC >/etc/crypttab + # + EOC + fi +} + +# Remove a no-longer used conffile +rm_conffile() { + PKGNAME="$1" + CONFFILE="$2" + if [ -e "$CONFFILE" ]; then + md5sum="`md5sum \"$CONFFILE\" | sed -e \"s/ .*//\"`" + old_md5sum="`dpkg-query -W -f='${Conffiles}' $PKGNAME | sed -n -e \"\\\\' $CONFFILE '{s/ obsolete$//;s/.* //p}\"`" + if [ "$md5sum" != "$old_md5sum" ]; then + echo "Obsolete conffile $CONFFILE has been modified by you." + echo "Saving as $CONFFILE.dpkg-bak ..." + mv -f "$CONFFILE" "$CONFFILE".dpkg-bak + else + echo "Removing obsolete conffile $CONFFILE ..." + rm -f "$CONFFILE" + fi + fi +} + +LASTVERSION="2:1.0.6-5" +case "$1" in + install) + create_crypttab + if dpkg --compare-versions "$2" le "$LASTVERSION"; then + rm_conffile cryptsetup "/etc/udev/rules.d/z60_cryptsetup.rules" + fi + ;; + + upgrade) + if dpkg --compare-versions "$2" le "$LASTVERSION"; then + rm_conffile cryptsetup "/etc/udev/rules.d/z60_cryptsetup.rules" + fi + ;; + + abort-upgrade) + ;; + + *) + echo "preinst called with unknown argument '$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 --- cryptsetup-1.1.0~rc2.orig/debian/cryptsetup.bash_completion +++ cryptsetup-1.1.0~rc2/debian/cryptsetup.bash_completion @@ -0,0 +1,124 @@ +# Bash command completion for cryptsetup + +have cryptsetup && +_cryptsetup() +{ + local cmd cur prev action actions luksactions argopts noargopts + + COMPREPLY=() + cur="${COMP_WORDS[COMP_CWORD]}" + prev="${COMP_WORDS[COMP_CWORD-1]}" + + actions="create remove status reload resize" + luksactions="luksFormat luksOpen luksClose luksAddKey luksDelKey luksUUID isLuks luksDump" + actions="$luksactions $actions" + + argopts="-c --cipher -h --hash -d --key-file -s --key-size -b --size" + argopts="$argopts -o --offset -p --skip -i --iter-time -q --batch-mode" + argopts="$argopts -t --timeout -T --tries" + noargopts="-y --verify-passphrase --readonly --version --align-payload" + + # complete file names for -d and --key-file + if [ "-d" = "$prev" -o "--key-file" = "$prev" ] ; then + COMPREPLY=( $(compgen -f -- "${cur}") ) + fi + + # If previous word was an option requiring an argument, can't complete + for argopt in $argopts ; do + if [ "$argopt" = "$prev" ] ; then + return + fi + done + + # If user typing an option, complete it + if [[ $cur == -* ]] ; then + COMPREPLY=( $(compgen -W "$argopts $noargopts" -- "$cur") ) + return + fi + + # See if we already have an action + action="" + for word in "${COMP_WORDS[@]}" ; do + for act in $actions ; do + if [ "$word" == "$act" ] ; then + action=$act + break + fi + done + + if [ -n "$action" ] ; then + break + fi + done + + # No action yet, complete it + if [ -z "$action" ] ; then + COMPREPLY=( $(compgen -W "$actions" -- "$cur") ) + return + fi + + # Completion based on action + case "$action" in + "create") + # create + if [ $COMP_CWORD -gt 1 ] && + [ ${COMP_WORDS[COMP_CWORD-2]} == "create" ] ; then + COMPREPLY=( $(compgen -f -X '!/dev*' -- "$cur") ) + fi + ;; + + "reload"|"remove"|"resize"|"status"|"luksClose") + # action + MAPPINGS="$(command ls /dev/mapper | fgrep --invert-match control)" + OLDIFS="$IFS" + IFS=" +" + COMPREPLY=( $(compgen -W "$MAPPINGS" -- "$cur") ) + IFS="$OLDIFS" + ;; + + "luksDelKey") + # luksDelKey + if [ ${COMP_WORDS[COMP_CWORD-1]} == "luksDelKey" ] ; then + # Get name + MAPPINGS="$(command ls /dev/mapper | fgrep --invert-match control)" + OLDIFS="$IFS" + IFS=" +" + COMPREPLY=( $(compgen -W "$MAPPINGS" -- "$cur") ) + IFS="$OLDIFS" + fi + ;; + + "luksAddKey"|"luksFormat") + # action [] + if [ ${COMP_WORDS[COMP_CWORD-1]} == "luksFormat" ] ; then + # Get name + MAPPINGS="$(command ls /dev/mapper | fgrep --invert-match control)" + OLDIFS="$IFS" + IFS=" +" + COMPREPLY=( $(compgen -W "$MAPPINGS" -- "$cur") ) + IFS="$OLDIFS" + elif [ ${COMP_WORDS[COMP_CWORD-2]} == "luksFormat" ] ; then + # Get key file + COMPREPLY=( $(compgen -f -- "$cur") ) + fi + ;; + + "luksOpen") + # luksOpen + if [ ${COMP_WORDS[COMP_CWORD-1]} == "luksOpen" ] ; then + COMPREPLY=( $(compgen -f -X '!/dev*' -- "$cur") ) + fi + ;; + + "isLuks"|"luksDump"|"luksUUID") + # action + COMPREPLY=( $(compgen -f -X '!/dev*' -- "$cur") ) + ;; + esac +} +[ "$have" ] && complete -o filenames -F _cryptsetup cryptsetup + +# vim:set filetype=sh sts=4 sw=4: --- cryptsetup-1.1.0~rc2.orig/debian/watch +++ cryptsetup-1.1.0~rc2/debian/watch @@ -0,0 +1,2 @@ +version=3 +opts="uversionmangle=s/luks-//;s/-pre/~pre/;s/-rc/~rc/" http://code.google.com/p/cryptsetup/downloads/list http://cryptsetup.googlecode.com/files/cryptsetup-(.*)\.tar\.bz2 --- cryptsetup-1.1.0~rc2.orig/debian/cryptsetup-udeb.preinst +++ cryptsetup-1.1.0~rc2/debian/cryptsetup-udeb.preinst @@ -0,0 +1,32 @@ +#! /bin/sh + +set -e + +create_crypttab() { + if [ ! -f "/etc/crypttab" ]; then + cat <<-EOC >/etc/crypttab + # + EOC + fi +} + +case "$1" in + install) + create_crypttab + ;; + + upgrade) + ;; + + abort-upgrade) + ;; + + *) + echo "preinst called with unknown argument '$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 --- cryptsetup-1.1.0~rc2.orig/debian/NEWS +++ cryptsetup-1.1.0~rc2/debian/NEWS @@ -0,0 +1,176 @@ +cryptsetup (2:1.0.7-3) unstable; urgency=low + + The cryptroot initramfs hook script has been changed to include all + available crypto kernel modules in case that initramfs-tools is configured + with MODULES=most (default). See /etc/initramfs-tools/initramfs.conf for + more information. + If initramfs-tools is configured with MODULES=dep, the cryptroot hook script + still tries to detect required modules, as it did by default in the past. + + -- Jonas Meurer Sun, 27 Sep 2009 16:49:20 +0200 + +cryptsetup (2:1.0.7-2) unstable; urgency=low + + Checkscripts vol_id and un_vol_id have been replaced by blkid and un_blkid. + In case that you explicitly set keyscript=vol_id or keyscript=un_vol_id in + /etc/crypttab, you will need to update your /etc/crypttab manually. + Replacing 'vol_id' with 'blkid' and 'un_vol_id' with 'un_blkid' should work. + The new *blkid keyscripts are fully compatible to the old *vol_id scripts. + + -- Jonas Meurer Sun, 23 Aug 2009 23:32:49 +0200 + +cryptsetup (2:1.0.6-8) unstable; urgency=low + + Keyscripts inside the initramfs have been moved from /keyscripts to + /lib/cryptsetup/scripts. This way they're now available at the same location + as on the normal system. + In most cases no manual action is required. Only if you reference a keyscript + by path in some script that is included in the initramfs, then you need to + update that reference by updating the path. + + -- Jonas Meurer Tue, 23 Dec 2008 00:43:10 +0100 + +cryptsetup (2:1.0.6-7) unstable; urgency=medium + + Support for the timeout option has been removed from cryptdisks initscripts + in order to support splash screens and remote shells in boot process. + The implementation had been unclean and problematic anyway. + If you used the timeout option on headless systems without physical access, + then it's a much cleaner solution anyway, to use the 'noauto' option in + /etc/crypttab, and start the encrypted devices manually with + '/etc/init.d/cryptdisks force-start'. + Another approach is to start a minimal ssh-server in the initramfs and unlock + the encrypted devices after connecting to it. This even supports encrypted + root filesystems for headless server systems. + For more information, please see /usr/share/docs/cryptsetup/README.Debian.gz + + -- Jonas Meurer Tue, 16 Dec 2008 18:37:16 +0100 + +cryptsetup (2:1.0.6-4) unstable; urgency=medium + + The obsolete keyscript decrypt_old_ssl and the corresponding example script + gen-old-ssl-key have been removed from the package. If you're still using + them, either save a local backup of /lib/cryptsetup/scripts/decrypt_old_ssl + and put it back after the upgrade finished, or migrate your setup to use + keyscripts that are still supported. + + -- Jonas Meurer Sun, 27 Jul 2008 16:22:57 +0200 + +cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low + + The default hash used by the initramfs cryptroot scripts has been changed + from sha256 to ripemd160 for consistency with the cryptsetup default. If you + have followed the recommendation to configure the hash in /etc/crypttab this + change will have no effect on you. + + If you set up disk encryption on your system using the Debian installer + and/or if you use LUKS encryption, everything is already set up correctly + and you don't need to do anything. + If you did *not* use the Debian installer and if you have encrypted devices + which do *not* use LUKS, you must make sure that the relevant entries in + /etc/crypttab contain a hash= setting. + + -- Jonas Meurer Tue, 29 Jan 2008 11:46:57 +0100 + +cryptsetup (2:1.0.5-2) unstable; urgency=low + + The vol_id and un_vol_id check scripts no longer regard minix as a valid + filesystem, since random data can be mistakenly identified as a minix + filesystem due to an inadequate signature length. + + If you use minix filesystems, you should not rely on prechecks anymore. + + -- Jonas Meurer Mon, 10 Sep 2007 14:39:44 +0200 + +cryptsetup (2:1.0.4+svn16-1) unstable; urgency=high + + The --key-file=- argument has changed. If a --hash parameter is passed, it + will now be honored. This means that the decrypt_derived keyscript will in + some situations create a different key than previously meaning that any swap + partitions that rely on the script will have to be recreated. To emulate the + old behaviour, make sure that you pass "--hash=plain" to cryptsetup. + + -- David Härdeman Tue, 21 Nov 2006 21:29:50 +0100 + +cryptsetup (2:1.0.4-7) unstable; urgency=low + + The cryptsetup initramfs scripts now also tries to detect swap + partitions used for software suspend (swsusp/suspend2/uswsusp) and + to set them up during the initramfs stage. See README.initramfs for + more details. + + -- David Härdeman Mon, 13 Nov 2006 19:27:02 +0100 + +cryptsetup (2:1.0.4-1) unstable; urgency=low + + The ssl and gpg options in /etc/crypttab have been deprecated in + favour of the keyscripts option. The options will still work, but + generate warnings. You should change any lines containing these + options to use keyscript=/lib/cryptsetup/scripts/decrypt_old_ssl or + keyscript=/lib/cryptsetup/scripts/decrypt_gpg instead as support + will be completely removed in the future. + + -- David Härdeman Mon, 16 Oct 2006 00:00:12 +0200 + +cryptsetup (2:1.0.3-4) unstable; urgency=low + + Up to now, the us keymap was loaded at the passphrase prompt in the boot + process and ascii characters were always used. With this upload this is + fixed, meaning that the correct keymap is loaded and the keyboard is + (optionally) set to UTF8 mode before the passphrase prompt. + + This may result in your password not working any more in the boot process. + In this case, you should add a new key with cryptsetup luksAddKey with your + correct keymap loaded. + + Additionally, all four fields are now mandatory in /etc/crypttab. An entry + which does not contain all fields will be ignored. It is recommented to + set cipher, size and hash anyway, as defaults may change in the future. + + If you didn't set any of these settings yet, then you should add + cipher=aes-cbc-plain,size=128,hash=ripemd160 + to the the options in /etc/crypttab. See man crypttab(5) for more details. + + -- David Härdeman Sat, 19 Aug 2006 18:08:40 +0200 + +cryptsetup (2:1.0.2+1.0.3-rc2-2) unstable; urgency=low + + The crypttab 'retry' has been renamed to 'tries' to reflect upstreams + functionality. Default is 3 tries now, even if the option is not given. + See the crypttab.5 manpage for more information. + + -- Jonas Meurer Fri, 28 Apr 2006 17:42:15 +0200 + +cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low + + Since release 2:1.0.1-9, the cryptsetup package uses cryptsetup-luks as + upstream source. This is a enhanced version of plain cryptsetup which + includes support for the LUKS extension, a standard on-disk format for + hard disk encryption. Plain dm-crypt (as provided by the old cryptsetup + package) is still available, thus backwards compatibility is given. + Nevertheless it is recommended to update your encrypted partitions to + LUKS, as this implementation is more secure than the plain dm-crypt. + + Another major change is the check option for crypttab. It allows to + configure checks that are run after cryptsetup has been invoked, and + prechecks to be run against the source device before cryptsetup has been + invoked. See man crypttab(5) or README.Debian for more information. + + -- Jonas Meurer Fri, 3 Feb 2006 13:41:35 +0100 +cryptsetup (2:1.0.6-8) unstable; urgency=medium + + Support for the timeout option has been removed from cryptdisks initscripts + in order to support splash screens and remote shells in boot process. + The implementation had been unclean and produced many anyway. + If you used the timeout option on headless systems without physical access, + then it's a much cleaner solution anyway, to use the 'noauto' option in + /etc/crypttab, and start the encrypted devices manually with + '/etc/init.d/cryptdisks force-start'. + Another approach is to start a minimal ssh-server in the initramfs and unlock + the encrypted devices after connecting to it. This even supports encrypted + root filesystems for headless server systems. + For more information, please see /usr/share/docs/cryptsetup/README.Debian.gz + + + + -- Jonas Meurer Tue, 23 Dec 2008 00:43:10 +0100 --- cryptsetup-1.1.0~rc2.orig/debian/cryptdisks-early.init +++ cryptsetup-1.1.0~rc2/debian/cryptdisks-early.init @@ -0,0 +1,51 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: cryptdisks-early +# Required-Start: checkroot +# Required-Stop: umountroot +# Should-Start: udev +# Should-Stop: udev +# X-Start-Before: mdadm-raid lvm2 +# X-Interactive: true +# Default-Start: +# Default-Stop: 0 6 +# Short-Description: Setup early encrypted block devices. +# Description: +### END INIT INFO + +set -e + +if [ -r /lib/cryptsetup/cryptdisks.functions ]; then + . /lib/cryptsetup/cryptdisks.functions +else + exit 0 +fi + +INITSTATE="early" +LOUD="" + +case "$CRYPTDISKS_ENABLE" in +[Nn]*) + exit 0 + ;; +esac + +case "$1" in +start) + ;; +stop) + do_stop + ;; +restart|reload|force-reload) + do_stop + do_start + ;; +force-start) + FORCE_START="yes" + do_start + ;; +*) + echo "Usage: cryptdisks-early {start|stop|restart|reload|force-reload|force-start}" + exit 1 + ;; +esac --- cryptsetup-1.1.0~rc2.orig/debian/cryptdisks.init +++ cryptsetup-1.1.0~rc2/debian/cryptdisks.init @@ -0,0 +1,51 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: cryptdisks +# Required-Start: checkroot cryptdisks-early +# Required-Stop: umountroot cryptdisks-early +# Should-Start: udev mdadm-raid lvm2 +# Should-Stop: udev mdadm-raid lvm2 +# X-Start-Before: checkfs +# X-Interactive: true +# Default-Start: +# Default-Stop: 0 6 +# Short-Description: Setup remaining encrypted block devices. +# Description: +### END INIT INFO + +set -e + +if [ -r /lib/cryptsetup/cryptdisks.functions ]; then + . /lib/cryptsetup/cryptdisks.functions +else + exit 0 +fi + +INITSTATE="remaining" +LOUD="yes" + +case "$CRYPTDISKS_ENABLE" in +[Nn]*) + exit 0 + ;; +esac + +case "$1" in +start) + ;; +stop) + do_stop + ;; +restart|reload|force-reload) + do_stop + do_start + ;; +force-start) + FORCE_START="yes" + do_start + ;; +*) + echo "Usage: cryptdisks {start|stop|restart|reload|force-reload|force-start}" + exit 1 + ;; +esac --- cryptsetup-1.1.0~rc2.orig/debian/README.opensc +++ cryptsetup-1.1.0~rc2/debian/README.opensc @@ -0,0 +1,129 @@ +opensc/pcscd with cryptsetup and LUKS on Debian +------------------------------------------------------------------------ + +This is an overview on how you can make use of cryptsetup with your +smartcard device supported by opensc/pcscd. If your reader is supported +by openct please refer to the README.openct.gz in the cryptsetup docs. + +I assume that you already have an initialized smartcard with a RSA key +that has the proper X509 properties for encryption set. To generate such +a key in hardware on the smartcard you should execute the following +command: + + # pkcs15-init -G rsa/2048 -a [PIN id] -u sign,decrypt + +If your smart card doesn't support 2048 bit RSA just change the argument +to the largest size possible. + +The decrypt_opensc keyscript decrypts an encrypted key in your boot +partition with the private key on your smartcard. Therefore you have to +create a key for the partition that is to be decrypted using the +smartcard. As pkcs15-crypt does not seem to support PKCS1 padding, the +key is required to have the same size as your RSA key. For a 2048 bit +key use the following (the byte count is 256 as 2048/8 is 256): + + # dd if=/dev/random of=/boot/keys/key bs=1 count=256 + +Now the key is added to the LUKS partition: + + # cryptsetup luksAddKey /dev/sdXn /boot/keys/key + +Enter an already existing pass phrase and watch cryptsetup doing its +job. As we don't want the key in clear on the hard drive, we are going +to encrypt it with the public key to the key on the smartcard. +Read the public key first: + + # pkcs15-tool --read-public-key [key id] -o pubkey + +Then encrypt the random data with the extracted key, destroy the +plain text one and remove your public key from the hard drive (it isn't +necessary to shred it as a potential attacker can't use your public key +for anything). + + # openssl rsautl -in /boot/keys/key -inkey pubkey -pubin -raw \ + -encrypt -out /boot/keys/root + # shred -u /boot/keys/key + # rm -rf pubkey + +Now you'll have to edit /etc/crypttab. The format should be familiar but +I'll state it here again: + + name device /boot/keys/root luks, keyscript=/lib/cryptsetup/scripts/decrypt_opensc + +The modules needed by the reader should now be added to +/etc/initramfs-tools/modules, so they are loaded on boot time. For +example yenta_socket, pcmcia, pcmcia_core, serial_cs, rsrc_nonstatic for +PCMCIA card readers. + +In a perfect world you would just rebuild the initramfs now and it would +work. Unfortunately there are some additional issues to address. The +most important one is pcscd. Newer versions of pcscd use HAL and dbus to +detect readers. As most people (including me) aren't too enthusiastic +about adding these two daemons to the initramfs, we will rebuild the +daemon to use the traditional polling method with libusb. Again, this +step is only necessary if your reader uses pcscd (for example the +Gemalto PC Card readers). + +To do this, download the ccid and pcsc-lite packages from + + + +Install the libusb header files, extract the tarballs and build pcscd +with the following commands: + + # apt-get install libusb-dev + # ./configure --disable-libhal --enable-libusb + # make + # make install + +Now go to the ccid directory and execute these commands (the option is +only need if you use the libccidtwin.so to access your reader: + + # ./configure [--enable-twinserial] + # make + # make install + +This installs the new pcscd and it's libraries in /usr/local/. To +reflect the new situation we have to change the initramfs scripts. +Edit /etc/reader.conf to instruct pcscd to use the new libraries (they +should be in /usr/local/pcsc/drivers/) instead of the ones from the Debian +package. Replace everything after line 45 in +/usr/share/initramfs-tools/hooks/cryptopensc with the following chunk: + + for dir in etc/opensc usr/local/pcsc var/run tmp ; do + if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi + done + + # Install pcscd daemon, drivers, conf file, and include libgcc as + # well since + # pcscd utilizes pthread_cancel + copy_exec /usr/local/sbin/pcscd + cp -r /usr/local/pcsc ${DESTDIR}/usr/local + cp /etc/reader.conf ${DESTDIR}/etc + cp -r /usr/local/lib ${DESTDIR}/usr/local + # Install opensc commands and conf file + copy_exec /usr/bin/opensc-tool + copy_exec /usr/bin/pkcs15-crypt + cp /lib/libgcc_s.so.1 ${DESTDIR}/lib + cp /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc + +Edit /usr/share/initramfs-tools/scripts/local-bottom/cryptopensc and +/usr/share/initramfs-tools/scripts/local-top/cryptopensc to use the new +binary in /usr/local/sbin/pcscd instead of /usr/sbin/pcscd and change +the path in the existence test to: + + if [ ! -e /usr/local/sbin/pcscd ]; then + exit 0 + fi + +If you have completed all the steps upto now, you can update your +initramfs image with: + + # update-initramfs -u -k `uname -r` + +and reboot your machine. This leaves a backup of your old initramfs in +the boot partition if something doesn't work. If you have to debug your +initramfs during boot just append the "break=mount" option to the kernel +to have a debug shell just before the root partition would be mounted. + + -- Benjamin Kiessling , Sun, 26 Jul 2009 --- cryptsetup-1.1.0~rc2.orig/debian/changelog +++ cryptsetup-1.1.0~rc2/debian/changelog @@ -0,0 +1,1991 @@ +cryptsetup (2:1.1.0~rc2-1ubuntu10) lucid; urgency=low + + * cryptdisks.functions: replace 'echo -e' bashism with 'printf'. + * cryptdisks.functions: when called by cryptdisks-enable, check that we + don't already have a corresponding cryptdisks-udev job running (probably + waiting for a passphrase); if there is, wait until it's finished before + continuing. + + -- Steve Langasek Thu, 21 Jan 2010 14:57:21 +0000 + +cryptsetup (2:1.1.0~rc2-1ubuntu9) lucid; urgency=low + + * Set FRAMEBUFFER=y in the hook config as well, to pull plymouth into the + initramfs. + * cryptdisks.functions, debian/initramfs/cryptroot-script: fix the + invocation of plymouth, so that we actually get proper passphrase prompts + (once bug #496765 is fixed). + + -- Steve Langasek Sat, 16 Jan 2010 02:32:41 -0800 + +cryptsetup (2:1.1.0~rc2-1ubuntu8) lucid; urgency=low + + * cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for + changing the permissions of the filesystem root, not directly on /tmp, + since mounting on /tmp a) is racy, b) confuses mountall something fierce. + LP: #475936. + + -- Steve Langasek Tue, 22 Dec 2009 20:24:28 +0000 + +cryptsetup (2:1.1.0~rc2-1ubuntu7) lucid; urgency=low + + * Depend on watershed. + + -- Steve Langasek Tue, 22 Dec 2009 01:37:36 +0000 + +cryptsetup (2:1.1.0~rc2-1ubuntu6) lucid; urgency=low + + [ Steve Langasek ] + * Fix the LSB header in the init scripts, now that we don't install to + rcS.d. + + [ Martin Pitt ] + * debian/initramfs/cryptroot-script: Fix this to work with current + initramfs-tools: + - Source /scripts/functions after checking for prerequisites. + - prereqs(): Do not assume we are running within initramfs, and calculate + relative path correctly. + + -- Martin Pitt Fri, 18 Dec 2009 17:07:07 +0100 + +cryptsetup (2:1.1.0~rc2-1ubuntu5) lucid; urgency=low + + * Rename the upstart job introduced in the previous upload to + cryptdisks-udev and restore the previous version of the job as + cryptdisks-enable, to run at the end of udev coldplugging as before; + this isn't entirely race-free, but should nevertheless give us the + two passes needed to cover devices that are decrypted using keys stored + on other encrypted disks. LP: #443980. + + -- Steve Langasek Wed, 16 Dec 2009 06:41:30 +0000 + +cryptsetup (2:1.1.0~rc2-1ubuntu4) lucid; urgency=low + + [ Steve Langasek ] + * debian/initramfs/cryptroot-script: if plymouth is present in the + initramfs, use this directly, bypassing the cryptsetup askpass script; + but keep support for these other frontends around on a transitional + basis. + * debian/cryptdisks.functions: + - change interaction to use plymouth directly if present, and if not, to + fall back to /lib/cryptsetup/askpass as before + - wrap the call to /lib/cryptsetup/askpass with watershed, to make sure + we only ever have one of these running at a time; otherwise multiple + invocations could steal each other's input and/or write over each + other's output + - new function, crypttab_start_one_disk, to look for the named source + device in /etc/crypttab (by device name, UUID, or label) and start it + if configured to do so + * debian/cryptdisks-enable.upstart: run the upstart job once for each block + device, using the new crypttab_start_one_disk function, triggered by udev; + this doesn't eliminate the possibility of a race with gdm when the + decrypted volume isn't a 'bootwait' mount point (since gdm kills + plymouth), but it does eliminate the race between udev and cryptsetup. + LP: #454898. + * debian/cryptdisks-enable.upstart: check that the package is installed + and exit gracefully if it's not. LP: #435814 + * debian/cryptdisk.functions: initially create the device under a temporary + name and rename it only at the end using 'dmsetup rename', to ensure that + upstart/mountall doesn't see our device before it's ready to go. + LP: #475936. + + [ Colin Watson ] + * Add ext4 support to passdev. + + -- Steve Langasek Tue, 15 Dec 2009 18:05:45 -0800 + +cryptsetup (2:1.1.0~rc2-1ubuntu3) lucid; urgency=low + + * cryptroot-hook: Use if [ -n … ] instead of if ! test -z …. + + -- Loïc Minier Sat, 12 Dec 2009 11:32:52 +0100 + +cryptsetup (2:1.1.0~rc2-1ubuntu2) lucid; urgency=low + + * cryptroot-hook: dont call copy_modules_dir with empty arguments when + archcrypto isnt found (LP: #495161) + + -- Oliver Grawert Fri, 11 Dec 2009 14:39:00 +0100 + +cryptsetup (2:1.1.0~rc2-1ubuntu1) lucid; urgency=low + + * Merge with Debian testing. Remaining Ubuntu changes: + - debian/rules: cryptsetup is linked dynamically against libgcrypt and + libgpg-error. + - Upstart migration: + + Add debian/cryptdisks-enable.upstart. + + debian/cryptdisks{,-early}.init: Make the 'start' action of the init + script a no-op, this should be handled entirely by the upstart job. + (LP #473615) + + debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on + upgrade. + + debian/rules: Do not install start symlinks for those two, and install + debian/cryptdisks-enable.upstart scripts. + - Add debian/cryptsetup.apport: Apport package hook. Install in + debian/rules, and create dir in debian/cryptsetup.dirs. + - Start usplash in initramfs, since we need it for fancy passphrase input: + + debian/initramfs/cryptroot-conf, debian/initramfs-conf.d: USPLASH=y + + debian/control: Bump initramfs-tools Suggests to Depends:. + + -- Martin Pitt Wed, 11 Nov 2009 15:04:27 +0100 + +cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low + + * new upstream release candidate (1.1.0-rc2), highlights include: + - new libcryptsetup API (documented in libcryptsetup.h) + - luksHeaderBackup and luksHeaderRestore commands (closes: #533643) + - use libgcrypt, enables all gcrypt hash algorithms for LUKS through + -h luksFormat option (closes: #387159, #537385) + - new --master-key-file option for luksFormat and luksAddKey + - use dm-uuid for all crypt devices, contains device type and name now + (closes: #548988, #549870) + - command successful messages moved to verbose level (closes: #541805) + - several code changes to improve speed of luksOpen (closes: #536415) + - luksSuspend and luksResume commands + * remove unneeded patches 03_read_rework and 04_no_stderr_success, update + 02_manpage for new upstream release candidate. + * update patch to comply with DEP-3 (http://dep.debian.net/deps/dep3/) + * fix initramfs/cryptroot-hook to support setups where /dev/mapper/ contains + symlinks to devices at /dev/dm-*. the lvm2/device-mapper packages had + defaults changed to this temporary. it has been fixed in a subsequent + upload of lvm2 in the meantime, but still it's not a bad idea to be + prepared for such setups in the future. that way cryproot now supports + /dev/dm-* devices as well. (closes: #532579, #544487, #544773) + * fix initscript dependencies both for cryptdisks and cryptdisks-early. + thanks to Petter Reinholdtsen for bugreport and patch. (closes: #548356) + * finally change default behaviour of initscripts/cryptroot-hook to include + all available crypto modules into the initramfs. this change should fix + any problems with cryto modules missing from the initramfs. announce the + change in NEWS.Debian. (closes: #547597) + * add error messages to lvm detecting code in initramfs/cryptroot-script + in order to make debugging easier. (closes: #541248) + * implement detection of devices which are required by decrypt_derived + keyscript in initscripts/cryptroot-hook. that way setups where encrypted + swap has the key derived from non-root partitions should support suspend/ + resume as well. (closes: #475838) + * remove outdated documentation from the source package: CryptoRoot.HowTo, + CheckSystem.Doc + * mention in README.initramfs that busybox is required for cryptroot to work + * stop creating /etc/keys in postinst maintainer script. + * update build system to include library files again: (closes: #480157) + - split into three packages: cryptsetup, libcryptsetup1, libcryptsetup-dev + - rename preinst to cryptsetup.preinst, copy code to create /etc/crypttab + skeleton into cryptsetup-udeb.preinst. + - build with --enable-shared and --enable-static for libcryptsetup.a + - create debian/libcryptsetup1.symbols with help of dpkg-gensymbols + * add debian/cryptsetup.lintian-override for two false positives + * raise build-depends on debhelper and debian/compat for that reason + * update README.remote to work with latest dropbear package. thanks to + debian@x.ray.net. + * make all crypttab fields available to keyscripts as environment variables. + thanks to ludwig nussel from suse for idea and implmentation. document + this in crypttab(5) manpage. impelement the same environment variables in + initramfs cryptroot script. + * fix formatting errors in crypttab(5) manpage. + + -- Jonas Meurer Thu, 15 Oct 2009 19:26:14 +0200 + +cryptsetup (2:1.0.7-2) unstable; urgency=low + + * add a paragraph to the cryptsetup manpage that mentions /proc/crypto as + source for available crypto ciphers, modes, hashs, keysizes, etc. + (closes: #518266) + * fix luksformat to check for mkfs.$fs both in /sbin and /usr/sbin. thanks + to Jon Dowland. (closes: #539734) + * mention era eriksson as author of the typo fixes for manpage (submitted as + bug #476624) in changelog of cryptsetup 2:1.0.6-3. (closes: #541344) + * bump standards-version to 3.8.3. no changes needed. + * add 04_no_stderr_success.patch, which adds an option to suppress success + messages to stderr. don't apply the patch as this already has been fixed + upstream in another way. next cryptsetup release will print the command + successfull message to stdout only if opt_verbose is set. + * add checkscripts blkid and un_blkid for the reason that vol_id will be + removed from udev soon. advertise the new scripts at all places that + mentioned vol_id or un_vol_id before. + * add /usr/share/bug/cryptsetup which adds /proc/cmdline, /etc/crypttab, + /etc/fstab and output of 'lsmod' to bugs against cryptsetup. + * add debian/README.remote, which describes how to setup a cryptroot system + with support for remote unlocking via ssh login into the initramfs. Thanks + to debian@x.ray.net for writing it down. + * update debian/copyright for current format from dep.debian.net/deps/dep5 + * add chainiv, cryptomgr and krng to standard list of modules in initramfs + cryptroot hook. (closes: #541835) + * add a section describing LUKS header backups and related security + implications to README.Debian. a tool to automate this task should not be + distributed at all. (closes: #432150) + + -- Jonas Meurer Tue, 01 Sep 2009 12:38:02 +0200 + +cryptsetup (2:1.0.7-1) unstable; urgency=low + + * new upstream release, highlights include (diff from ~rc1): + - allow removal of last slot in luksRemoveKey and luksKillSlot + - eject unsupported --offset and --skip options for luksFormat + * make passdev accept a timeout option, thanks to Evgeni Golov for the patch. + (closes: #502598) + * finally add the cryptsource delay implementation from ubuntu, as it seems + to workaround some issues where appearance of the root device takes longer + than expected. (closes: #488271) + * execute udev_settle before $cryptremove if $cryptcreate fails at + setup_mapping() in the initramfs cryptroot script. it seems like a short + delay and/or udev_settly is needed in between of 'cryptsetup create' and + 'cryptsetup remove'. thanks to Gernot Schilling for the bugreport. + (closes: #529527) + * talk about /dev/urandom instead of /dev/random in crypttab manpage. + (closes: #537344) + * check for $IGNORE before check_key() in handle_crypttab_line_start() + * rewrite error code handling: + - return 1 for errors in handle_crypttab_line_{start|stop} + - handle_crypttab_line_... || true needed due to set -e in initscript + - check for exit code of handle_crypttab_line_{start Thu, 30 Jul 2009 17:41:16 +0200 + +cryptsetup (2:1.0.7~rc1-2) unstable; urgency=low + + * flag the root device with rootdev option at /conf/conf.d/cryptroot in + initramfs hook, check for that flag before adding ROOT=$NEWROOT to + /conf/param.conf in initramfs script. that should prevent the initramfs + script from adding ROOT=$NEWROOT for resume devices. (closes: #535801) + + -- Jonas Meurer Wed, 15 Jul 2009 11:44:45 +0200 + +cryptsetup (2:1.0.7~rc1-1) unstable; urgency=low + + * new upstream release candidate, highlights include: + - use better error messages if device doesn't exist or is already used by + other mapping (closes: #492926) + - check device size when loading LUKS header + - add some error hint if dm-crypt mapping failed (key size and kernel + version check for XTS and LRW mode for now) (closes: #494584) + - display device name when asking for password + - retain readahead of underlying device, if devmapper version supports it + - set UUID in device-mapper for LUKS devices + - define device-mapper crypt UUID maximal length and check for its size + - add some checks for error codes, fixes warning: ignoring return value... + - update LUKS homepage in manpage to code.google.com/p/cryptsetup + * patches/01_fix_make_distclean.patch: removed, incorporated upstream + * patches/02_manpage.patch: updated, mostly incorporated upstream + * remove invokation of ./setup-gettext.sh from debian/rules. + * set $PATH in checks/xfs. Required to make /usr/sbin/xfs_admin work at early + boot stage. Thanks to Stefan Bender. (closes: #525118) + * update path to docbook-xsl stylesheet in debian/rules to + /usr/share/xml/docbook/stylesheet/docbook-xsl/. Add versioned build-depends + to docbook-xsl (>= 1.74.3+dfsg) for that reason. + * fix bashisms in scripts/decrypt_opensc, thanks to Raphael Geissert. + (closes: #530060) + * fix UUID and LABEL handling for cryptroot, thanks to Kees Cook and ubuntu. + (closes: #522041) + * add ROOT=$NEWROOT to /conf/param.conf in cryptroot initramfs script. This + is required for lilo to find the correct root device. Thanks to Pyotr + Berezhkov and Christian Schaarschmidt. (closes: #511447, #511840) + * replace mini autogen.sh with autoreconf in debian/rules. Thanks to Bastian + Kleineidam. (closes: #522798) + * support escaped newlines in askpass.c, thanks to Kees Cook and ubuntu. + (closes: #528133) + * use the same passphrase prompt in init script and initramfs script + * mention the incoherent behaviour of cryptsetup create/luksOpen with invalid + passwords/keys in cryptsetup manpage. (closes: #529359) + * bump standards-version to 3.8.2, no changes required. + * add 'X-Interactive: true' LSB-header to initscripts. + * fix bash_completion script to use 'command ls'. that way it now works with + aliased ls as well. thanks to Daniel Dehennin. (closes: #535351) + + -- Jonas Meurer Sat, 04 Jul 2009 15:52:06 +0200 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu8) lucid; urgency=low + + [ Steve Langasek ] + * Make the 'start' action of the init script a no-op, this should be + handled entirely by the upstart job now; and remove any symlinks from + /etc/rcS.d on upgrade. LP: #473615. + + [ Reinhard Tartler ] + * Add an apport hook + * import the blkid and un_blkid from debian, LP: #446517 + * also use this script by default (setting in /etc/default/cryptdisks) + + -- Steve Langasek Wed, 04 Nov 2009 12:06:47 +0000 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu7) karmic; urgency=low + + * Reupload previous version, siretart had left changes in bzr which + weren't documented in the changelog and caused FTBFS. + + -- Scott James Remnant Wed, 14 Oct 2009 13:57:59 +0100 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu6) karmic; urgency=low + + [ Steve Langasek ] + * Move the Debian Vcs- fields aside. + + [ Scott James Remnant ] + * debian/cryptdisks-enable.upstart: Don't overcompensate for my idiocy, + cryptsetup should not need a controlling terminal, just a terminal + is fine. May fix LP: #439138. + + -- Scott James Remnant Wed, 14 Oct 2009 04:52:16 +0100 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu4) karmic; urgency=low + + * debian/cryptdisks-enable.upstart: Things that often help include + not setting stdin/out to /dev/null, so you can actually type the + passphrase. I am an idiot. LP: #430496. + + -- Scott James Remnant Thu, 17 Sep 2009 17:58:01 +0100 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu3) karmic; urgency=low + + * debian/cryptdisks-enable.upstart: add upstart job to enable encrypted + disks once we've finished probing for udev devices, so that mountall + can use them. LP: #430496. + + -- Scott James Remnant Thu, 17 Sep 2009 00:04:00 +0100 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu2) karmic; urgency=low + + * debian/initramfs/cryptroot-conf: declare that we want usplash included + in the initramfs whenever this package is installed. LP: #427356. + + -- Steve Langasek Tue, 15 Sep 2009 08:43:15 -0700 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - Ubuntu specific: + + debian/rules: link dynamically for better security supportability and + smaller packages. + + debian/control: Depend on initramfs-tools so system is not potentially + rendered unbootable. + - debian/initramfs/cryptroot-script wait for encrypted device to appear, + report with log_*_msg (debian bug 488271). + - debian/initramfs/cryptroot-hook: fix support for UUID and LABEL + correlation between fstab and crypttab (debian bug 522041). + - debian/askpass.c, debian/initramfs/cryptroot-script: using newline + escape in passphrase prompt to avoid line-wrapping (debian bug 528133). + * Drop 04_fix_udevsettle_call.patch: fixed upstream differently. + + -- Kees Cook Sun, 10 May 2009 17:29:32 -0700 + +cryptsetup (2:1.0.6+20090405.svn49-1) unstable; urgency=low + + * New upstream svn snapshot. Highlights include: + - Uses remapping to error target instead of calling udevsettle for + temporary crypt device. (closes: #514729, #498964, #521547) + - Removes lots of autoconf stuff as it's generated by autogen.sh anyway. + - Uses autopoint in build process, thus needs to Build-Depend on cvs. + - Fixes signal handler to proper close device. + - Wipes start of device before LUKS-formatting. + - Allows deletion of key slot with it's own key. (closes: #513596) + - Checks device mapper communication and gives proper error message in + case the communication fails. (closes: #507727) + * Update debian patches accordingly: + - Remove obsolete patches 01_gettext_package and 03_check_for_root + - Update patch 02_manpage + * Add missing newlines to some error messages in passdev.c. Thanks to + Christoph Anton Mitterer for bugreport and patch. (closes: #509067) + * Move keyscripts in initramfs from /keyscripts to /lib/cryptsetup/scripts + for the sake of consistency between initramfs and normal system. Document + this change in NEWS.Debian. (closes: #509066) + * Fix $LOUD in cryptdisks.init and cryptdisks.functions to take effect. Add + LOUD="yes" to cryptdisks_start. (closes: #513149) + * cryptdisks_{start,stop}: print error message if no entry is found in + crypttab for the given name. + * Actually fix watchfile to work with code.google.com. + * Update Homepage field to code.google.com URL. (closes: #516236) + * Fix location of ltmain.sh, build-depend on versioned libtool. + (closes: #521673, #522338) + * Some minor changes to make lintian happy: + - use set -e instead of /bin/sh -e in preinst. + - link to GPL v2 in debian/copyright + * Bump standards-version to 3.8.1, no changes needed. + * Fix a typo in NEWS.Debian. (closes: #522387) + * Taken from ubuntu: + - debian/checks/un_vol_id: dynamically build the "unknown volume type" + string, to allow for encrypted swap, (closes: #521789, #521469). Fix + sed to replace '/' with '\/' instead of '\\/' in device names. + - disable error message 'failed to setup lvm device' (LP 151532). + + -- Jonas Meurer Mon, 06 Apr 2009 08:49:14 +0200 + +cryptsetup (2:1.0.6-7ubuntu7) jaunty; urgency=low + + * debian/control: Depend on initramfs-tools so system is not potentially + rendered unbootable (LP: #358654). + + -- Kees Cook Thu, 09 Apr 2009 12:29:31 -0700 + +cryptsetup (2:1.0.6-7ubuntu6) jaunty; urgency=low + + * debian/initramfs/cryptroot-script: we don't require vol_id to understand + the encrypted device, but we should check the device is fully up first + before continuing by calling udevadm settle. LP: #291752. + + -- Steve Langasek Sat, 07 Mar 2009 21:39:14 -0800 + +cryptsetup (2:1.0.6-7ubuntu5) jaunty; urgency=low + + * debian/initramfs/cryptroot-hook: fix support for UUID and LABEL correlation + between fstab and crypttab (LP: #287879). + + -- TJ Mon, 16 Feb 2009 23:00:00 +0000 + +cryptsetup (2:1.0.6-7ubuntu4) jaunty; urgency=low + + * debian/askpass.c: also handle newline escape code in console prompt. + + -- Kees Cook Sun, 15 Feb 2009 08:57:05 -0800 + +cryptsetup (2:1.0.6-7ubuntu3) jaunty; urgency=low + + [ https://launchpad.net/~svenkata ] + * debian/checks/un_vol_id: dynamically build the "unknown volume type" + string, to allow for encrypted swap, LP: #316607 + + -- Dustin Kirkland Thu, 12 Feb 2009 16:57:30 -0600 + +cryptsetup (2:1.0.6-7ubuntu2) jaunty; urgency=low + + * debian/askpass.c: handle newline escape code in password prompt. + * debian/initramfs/cryptroot-script: add newline to split cryptroot + password prompt onto two lines for readability (LP: #326900). + + -- Kees Cook Sun, 08 Feb 2009 07:26:01 -0800 + +cryptsetup (2:1.0.6-7ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/initramfs/cryptroot-script: + - must source /scripts/functions to get the log_*_msg() functions. + - wait for encrypted device to show up (LP 164044, 291752). + - disable error message 'failed to setup lvm device' (LP 151532). + - debian/rules: + - fix location of ltmain.sh (Ubuntu-specific until libtool 2.2.x is + in Debian unstable). + - link dynamically (LP 62751). + - add 04_fix_udevsettle_call.patch: fix path to binary for udevsettle. + * Revert versioned build-depency on libdevmapper-dev, since Ubuntu's + version is higher now. + + -- Kees Cook Tue, 06 Jan 2009 13:00:16 -0800 + +cryptsetup (2:1.0.6-7) unstable; urgency=medium + + * Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE + in configure.in. + * Support keyfiles option in bash completion. Thanks to Stefan Goebel for + the patch. (closes: #499936) + * Update patches/02_manpage.patch: Fix the documnetation of default cipher + for LUKS mappings. (closes: #495832) + * Update debian/watch file to reflect the move of project home to + code.google.com. + * Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of + cryptdisks.functions. This way, cryptdisks_start/stop work even with + $CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643) + * Add force-start to cryptdisks(-early).init in order to support starting + noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779) + * Document how to enable remote device unlocking via dropbear ssh server + in the initramfs during boot process. Thanks to Chris + for the great work. (closes: #465902) + * Completely remove support and documentation of the timeout option, + document this in NEWS.Debian. (closes: #495509, #474120) + * Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene Wagner. + (closes: #499704) + * Fix initramfs/cryptpassdev-hook to check for passdev instead of mountdev. + Thanks to Christoph Anton Mitterer. + * cryptdisks.functions: + - Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot initramfs + script already supports keyscripts without path as argument. Thanks to + Christoph Anton Mitterer. + * README.initramfs: + - Remove the mention of bug #398302 from the section about suspend/resume, + as this bug has been fixes for some time now. + - Remove step 6 (mkswap) from the section about decrypt_derived, as it was + superfluous. Thanks to Helmut Grohe. (closes: #491867) + * Fix initramfs/cryptroot-script to use the lvm binary instead of vgchange. + Thanks to Marc Haber. (closes: #506536) + * Make get_lvm_deps() recursive in initramfs/cryptroot-hook. This is required + to detect the dm-crypt device in setups with more than one level of device + mapper mappings. For example if LVM is used with snapshots on top of the + dm-crypt mapping. Thanks to Christian Jaeger for bugreport and patch, Ben + Hutchings and Yves-Alexis Perez for help with debugging. (closes: #507721) + * urgency=medium due to several important fixes. + + -- Jonas Meurer Wed, 17 Dec 2008 21:25:45 +0100 + +cryptsetup (2:1.0.6-6ubuntu2.1) intrepid-proposed; urgency=low + + * debian/initramfs/cryptroot-script: do not require that vol_id + can parse the encrypted device as valid (LP: #291752). + + -- Kees Cook Fri, 31 Oct 2008 13:10:06 -0700 + +cryptsetup (2:1.0.6-6ubuntu2) intrepid; urgency=low + + * Fixes for (LP: #272301) + * debian/initramfs/cryptroot-script: must source /scripts/functions to get + the log_*_msg() functions + * 04_fix_udevsettle_call.patch: fix path to binary for udevsettle + + -- Dustin Kirkland Fri, 19 Sep 2008 18:03:28 -0500 + +cryptsetup (2:1.0.6-6ubuntu1) intrepid; urgency=low + + * drop almost all ubuntu specific changes from the cryptsetup package, + because they have been merged in debian. Thanks a lot! + * merge from debian, remaining changes: + - remove versioned build-depency on libdevmapper-dev, we are using a + rather sophisticated loop for making sure the root filesystem appears. + * debian/rules: fix location of ltmain.sh + * don't exit usplash anymore in the init script. LP: #110970, #139363 + * Disable error message 'failed to setup lvm device'. It is harmless, and + caused by the fact that the udev rules provided by lvm2 are setting up + the lvm on their own. In debian the scripts here are responsible for this + but obviously fail in ubuntu. LP: #151532 + + -- Reinhard Tartler Sat, 30 Aug 2008 17:52:16 +0200 + +cryptsetup (2:1.0.6-6) unstable; urgency=high + + * Don't cat keyfile into pipe for do_noluks(). cryptsetup handles + --key-file=- different for luks and plain dm-crypt mappings. This time + really (closes: #493848). Thus again upload with urgency=high. + + -- Jonas Meurer Sat, 09 Aug 2008 13:36:31 +0200 + +cryptsetup (2:1.0.6-5) unstable; urgency=high + + * Fix watch file to not report -pre and -rc releases as superior. + * Remove the global var $SIZE from cryptdisks.functions again but keep the + extended value checks. + * Remove the udev rules file also in preinst, code taken from example at + http://wiki.debian.org/DpkgConffileHandling. Thanks Marco d'Itri. + (closes: #493151) + * Remove duplicated configuration of --key-file in $PARAMS at do_noluks(). + (closes: #493848). + * Invoke mount_fs() and umount_fs() in cryptdisks_start, add + log_action_begin_msg() and log_action_end_msg() to both cryptdisk_start + and cryptdisks_stop. + * Copy fd 3 code from do_start and do_stop to cryptdisks_start and + cryptdisks_stop to fix "keyscript | cryptsetup". (closes: #493622) + * This upload fixes two RC bugs, thus upload with severity=high. + + -- Jonas Meurer Wed, 06 Aug 2008 10:19:21 +0200 + +cryptsetup (2:1.0.6-4) unstable; urgency=medium + + [ David Härdeman ] + * Make sure $IGNORE is reset as necessary, patch by Thomas Luzat + (closes: #490199) + * Use askpass in init scripts as well (closes: #489033, #477203) + + [ Jonas Meurer ] + * Don't copy_exec libgcc1 in cryptopensc initramfs hook, as it's already + copied by copy_exec /usr/sbin/pcscd automaticly. Thanks to Evgeni Golov + . (closes: #490300) + * Remove the udev rules file again as the relevant rules are now provided + by dmsetup package which cryptsetup depends on. + * Add splashy support to askpass, thanks to John Hughes + for the patch. (closes: #492451) The support is limited to cryptroot + though, as splashy freezes for passphrase input dialogs from initscripts. + Document that in README.Debian. + * Now that askpass is used as keyscript for interactive mode, it's not + necessary to set cryptsetup parameter '--tries=$TRIES' and TRIES=1 for + interactive mode anymore in cryptdisks.functions. + * Implement special treatment for random passphrases now that we use + "--key-file=-" for all situations. Only necessary in do_noluks. + * Fix the passphrase prompt string in initramfs/cryptroot.script to use + $cryptsource instead of $cryptsources. + * Major documentation cleanup for lenny: + - Rewrite CryptoSwap.HowTo in README.Debian, remove CryptoSwap.HowTo. + - Refer to README.initramfs instead of CryptoRoot.HowTo for encrypted root + filesystem in README.Debian. + - Remove outdated docs CryptoRoot.HowTo, usbcrypto.udev and gen-old-ssl-key + as well as the decrypt_old_ssl keyscript. + - Remove debian/TODO, didn't have any useful content anyway. + - Fix section ''9. The "decrypt_derived" keyscript'': Add swap option to + the example line for crypttab and other minor fixes. Thanks to + Helmut Grohne . (closes: #491867) + * urgency=medium since important (#492451) and security (#477203) bugs get + fixed by this upload. + + -- Jonas Meurer Mon, 28 Jul 2008 00:21:44 +0200 + +cryptsetup (2:1.0.6-3) unstable; urgency=low + + [ Jonas Meurer ] + * Fix cryptdisks.functions to actually recognize the noauto option. Thanks + to Christian Pernegger (closes: #483882) + * Update patches/02_manpage.patch: + - fixes two more typos, thanks to and Era Eriksson for the + patch, and Bruno Barrera Yever for forwarding it + to the bts (closes: #476624) + - removes a duplicate sentence + * Rephrase "Enter password for $crypttarget" to "Enter password to unlock + the disk $cryptsource ($crypttarget)" in initramfs/cryptroot.script. + * Bump Standards-Version to 3.8.0: + - Add a README.source which references /usr/share/doc/quilt/README.source. + - Add support for debian build option parallel=n to debian/rules. + * Add a udev rules file to ignore temporary-cryptsetup-* devices, as + suggested in bug #467200. Thanks to Sam Morris . + * Transform debian/copyright into machine-readable code as proposed in + http://wiki.debian.org/Proposals/CopyrightFormat. Update and add several + copyright notices. + * Change reference to docbook xml v4.2 driver file from an online version + to a local one in the manpage files, as the build process should not + depend on internet access. Add docbook-xml to build-depends. Thanks to + Lucas Nussbaum . (closes: #487056) + + [ David Härdeman ] + * Hopefully fix askpass to properly handle console and usplash input + (closes: #477203) + * Clarify crypttab manpage (closes: #487246) + * Make regex work if keyfile has extended attributes, + https://launchpad.net/bugs/231339 (closes: #488131) + * Support comments in options part of crypttab (closes: #488128) + + -- Jonas Meurer Mon, 07 Jul 2008 00:30:07 +0200 + +cryptsetup (2:1.0.6-2ubuntu7) intrepid; urgency=low + + * reintroduce changes from 2:1.0.6-2ubuntu5 that have been accidentally + dropped in version 2:1.0.6-2ubuntu6. + + -- Reinhard Tartler Fri, 20 Jun 2008 15:15:54 +0200 + +cryptsetup (2:1.0.6-2ubuntu6) intrepid; urgency=low + + [ Kjell Braden ] + * load scripts/functions for log_{begin,end}_msg + * debian/initramfs/cryptroot-script: wait for the cryptsource, not the resulting mapped root device + * debian/initramfs/cryptroot-hook: copy binaries to the right directory + + [ Reinhard Tartler ] + * remove versioned build-depency on libdevmapper-dev, we are using a + rather sophisticated loop for making sure the root filesystem appears. + + -- Reinhard Tartler Wed, 18 Jun 2008 00:26:43 +0200 + +cryptsetup (2:1.0.6-2ubuntu5) intrepid; urgency=low + + * Okay, I give up. include preprocessed manpages and adapt + debian/rules to easily produce those. + ATTENTION: on subsequent uploads, make sure that the manpages are + available and up-to-date. + + -- Reinhard Tartler Sun, 15 Jun 2008 13:33:07 +0200 + +cryptsetup (2:1.0.6-2ubuntu4) intrepid; urgency=low + + * also use local dtd in debian/doc/variables.xml.in. + + -- Reinhard Tartler Sun, 15 Jun 2008 12:55:42 +0200 + +cryptsetup (2:1.0.6-2ubuntu3) intrepid; urgency=low + + * try harder to fix FTBFS. + + -- Reinhard Tartler Sun, 15 Jun 2008 11:42:54 +0200 + +cryptsetup (2:1.0.6-2ubuntu2) intrepid; urgency=low + + * build docbook documentation using local dtds instead of trying to + download them at buildtime. Fixes FTBFS. + + -- Reinhard Tartler Sun, 15 Jun 2008 11:12:28 +0200 + +cryptsetup (2:1.0.6-2ubuntu1) intrepid; urgency=low + + * Merge new debian version. Remaining changes: + - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + - debian/rules: cryptsetup is linked dynamically against libgcrypt and + libgpg-error. + - cryptdisks.functions: stop usplash on user input. LP #62751 + - Parse comments in lines not starting with '#', LP #185380 + - If the encrypted source device hasn't shown up yet, give it a + little while to deal with removable devices. LP #164044 + * Depend on race-free version of libdevmapper, thus making udevsettle + call from cryptsetup binary unnecessary. Dropping patch + debian/patches/06_run_udevsettle.patch + * remove patch from LP #73862, loading optimized modules has been solved + in debian in another way. + * cryptdisk.functions: remove spurious call to load_optimized_module. + LP: #239946 + * bugfix: make regex work if keyfile has extended attributes. LP: #231339. + * remove patch in cryptdisks.functions for rexecing the script itself for + ensuring that a tty is always available. (See LP #58794.) According to + Scott, this is not necessary anymore. + + -- Reinhard Tartler Sat, 14 Jun 2008 23:28:51 +0200 + +cryptsetup (2:1.0.6-2) unstable; urgency=low + + [ Jonas Meurer ] + * Taken from ubuntu: + - debian/scripts/luksformat: Use 256 bit key size by default. (LP: #78508) + - debian/patches/02_manpage.patch: Clarify default key sizes (128 for + luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508) + * Use 'shred -uz' instead of 'rm -r' to remove a tempfile that contains a + key in gen-ssl-key example script. + + [ David Härdeman ] + * Misc bugfixes to askpass, make sure it is installed to the correct + location and is built using pedantic mode. + * Change the initramfs script to use askpass to prompt for + passphrases, this should hopefully fix #382375 and #465902 once it + is enabled in the init scripts as well. + * Add a keyscript called passdev which allows a keyfile to be + retrieved from a device which is first mounted, mainly useful to get + keyfiles off USB devices etc. + * Unbreak MODULES=dep booting (closes: #478268) + * Relax checks for suspend devices a bit (closes: #477658) + * Convert man pages to docbook. + + -- David Härdeman Mon, 26 May 2008 08:12:32 +0200 + +cryptsetup (2:1.0.6-1ubuntu4) intrepid; urgency=low + + [ Kjell Braden ] + * Fix configuration parsing (LP: #239808) + + [ Reinhard Tartler ] + * cryptroot-script: use 'echo' instead of 'log_begin_msg' (LP: #237723) + + -- Reinhard Tartler Fri, 13 Jun 2008 21:26:17 +0200 + +cryptsetup (2:1.0.6-1ubuntu3) intrepid; urgency=low + + * Parse comments in lines not starting with '#', LP: #185380 + * in cryptroot hook, don't rely on 'udevadm settle' to wait long enough + for the cryptdevice to appear. Reimplement the busy waiting loop found + while waiting for the root file system. Patch based on work by Swâmi + Petaramesh. LP: #164044 + * debian/crypdisks.functions: call 'env' with full path. LP: #178829. + + -- Reinhard Tartler Mon, 26 May 2008 22:12:32 +0200 + +cryptsetup (2:1.0.6-1ubuntu2) intrepid; urgency=low + + * Simplify the patch in debian/cryptdisks.functions that stops usplash + before asking for a passphrase. + + -- Reinhard Tartler Mon, 26 May 2008 20:18:14 +0200 + +cryptsetup (2:1.0.6-1ubuntu1) intrepid; urgency=low + + * Merge new debian version. Remaining changes: + - cryptsetup is linked dynamically against libgcrypt and libgpg-error. + - stop usplash on user input. LP #62751 + - debian/cryptdisks.functions: Always output and read from the console. + LP #58794. + - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + - debian/initramfs/cryptroot-hook: LP #73862 + Added patch to install aes optimized cypher module + - try to load optimized cypher module in cryptsetup.functions as well, + because cryptroot-hook is only executed when we really have a + cryptoroot. + * other ubuntu changes have been merged into debian. Please report bugs + if you believe some patches have been dropped. + * removed 07_typos_fix.patch, has been reviewed and applied upstream. + + -- Reinhard Tartler Sun, 25 May 2008 22:52:30 +0200 + +cryptsetup (2:1.0.6-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream release + - reload option is depreciated and a warning is printed. (closes: #428288) + * convert patch system from dpatch to quilt. + * enhance the information regarding the default hash setting in NEWS.Debian. + Thanks to Ross Boylan . + * change author of keyslot patch to Marc Merlin in changelog, thanks to + U. Kuehn for raising that issue. + * doing some debian/rules redesign and cleanup, speeds up the build process. + * ignore devices with the noauto option early enough to prevent any checks + on them. Thanks to Joachim Breitner (closes: #464672) + * update debian/copyright to actually mention copyright, thanks lintian. + * change script=$(basename $req) to script=${req##*/} in initramfs cryptroot + script. Thanks to Adeodato Simó . (closes: #466240) + * change test ... -a ... to [ ... ] && [ ... ] in the check scripts. + * add support for tries option to initramfs scripts. Thanks to Helmut Grohne + . (closes: #430158, #469869) Use --tries=1 for + cryptsetup in the initramfs script. Document the difference between + initscript and initramfs for tries=0 in the crypttab manpage. + * add, build and install askpass.c, a helper program by David Härdeman. The + idea is to use it for passphrase prompt in the initramfs script. + + [ David Härdeman ] + * Work with LABEL=, UUID= and symlinks in /etc/fstab (closes: #466175) + * Improve module loading in initramfs hook so that the newer as well + as arch specific crypto drivers are taken into consideration + (closes: #464673) + * Depend on race-free version of libdevmapper, thus making udevsettle + call from cryptsetup binary unnecessary. Also change call to + udevsettle in initramfs script (which is still useful as it related + to the source device) to optionally use udevadm if present (closes: + #456326). + + -- Jonas Meurer Mon, 31 Mar 2008 15:58:35 +0200 + +cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low + + * New upstream svn snapshot: + - Adds typo fixes by Justin Pryzby to cryptsetup.8 + manpage. + - Mentions luksKillSlot in the manpage. Thanks to Alexander Heinlein + . (closes: #459206) + - Adds the patch by Marc Merlin to support explicit + key slots for luksFormat and luksAddKey. Thanks to U. Kuehn, who figured + out that this patch wasn't applied even though changelog said so. + - Supports adding new keys to active devices again. Thanks to Tobias Frost + for the bugreport. (closes: #460409) + * Add support for a custom filesystem for /tmp. Patch provided by + Hans-Peter Oeri . + * Add X-Start-Before headers to cryptdisks and cryptdisks-early initscripts. + Thanks to Petter Reinholdtsen for report and patch. + (closes: #458944) + * Add support for a noauto option to cryptdisks. Thanks to U Kuehn + for the idea. + * Add typo fixes by Justin Pryzby to crypttab.5 + manpage. (closes: #460994) + * Add a cryptdisks_stop script, corresponding to cryptdisks_start. Thanks to + Joachim Breitner for the idea. (closes: #459832) + * Change log_progress_msg to log_action_msg in cryptdisks.functions. That + way a newline is printed after the start of every device. Thanks to Frans + Pop for the bugreport. (closes: #461548) + * Add bash_completition script provided by Kevin Locke . + (closes: #423591) + * Fix a spelling error in the package description: linux -> Linux. + * Fix bashisms in cryptdisks_{start,stop} found by Raphael Geissert + . + * Change the default hash in initramfs scripts from sha256 to ripemd160 for + consistency with cryptsetup default. Add information about that to + NEWS.Debian. Thanks to martin f krafft . + (closes: #406317) + + -- Jonas Meurer Wed, 30 Jan 2008 09:01:52 +0100 + +cryptsetup (2:1.0.6~pre1-1) unstable; urgency=low + + [ Jonas Meurer ] + * New upstream alpha release 1.0.6~pre1: + - [01_crypt_luksFormat_libcryptsetup.dpatch] removed, applied upstream + - [02_manpage.dpatch] likewise + - [04_fix_unused_or_unitialized_variables.dpatch] likewise + - [05_segfault_at_nonexisting_device.dpatch] likewise + - [06_run_udevsettle.dpatch] update for new upstream + * Disable 03_check_for_root.dpatch. As Ludwig Nussel mentioned on + dm-crypt@saout.de, cryptsetup 1.0.5 already prints out meaningfull errors + if expected permissions are not available. Therefore the check for uid == + 0 is superfluous. + * [06_run_udevsettle.dpatch] Run udevsettle after device-mapper device + creation. Fixes issues with temporary device files in /dev/mapper. Patch + by Reinhard Tartler from Ubuntu. (closes: #444914) + * Add support for offset and skip options to cryptdisks/crypttab. Thanks to + Marc-Jano Knopp. (closes: #446674) + * Update the long description in debian/control. Don't mention kernel 2.6.4 + any longer, remove references to /usr/share/doc/cryptsetup/CryptoRoot.HowTo + and mkinitrd. + * Add noearly option to cryptdisks/crypttab, which causes cryptdisks-early + to ignore the entry. Thanks to Joerg Jaspert (closes: #423102) + * Change log_progress_msg "$dst (started)" to device_msg "$dst" "started" in + cryptdisks.functions. Makes console output of cryptdisks more consistent. + * Add cryptdisks_start and patch to cryptdisks.functions by Jon Dowland. + Also add a manpage for cryptdisks_start(8). (closes: #447159) + * Add load_optimized_module() function to cryptdisks.functions. Initial idea + by Reinhard Tartler from Ubuntu, enhanced by David Härdeman. + (closes: #445186) + * Add support for UUID=.. device strings to initramfs cryptroot-hook. Thanks + to Reinhard Tartler from Ubuntu for the patch. (closes: #445189) + * Support UUID=... and LABEL=... device strings in /etc/crypttab. Thanks + to Martin Pitt from Ubuntu for the patch. (closes: #445189) + * Add Vcs-Browser and Vcs-Svn fields to debian/control. + * Fix debian/rules to not fail to build if autom4te.cache is left behind + from a previous incomplete build. Patch again taken from Ubuntu. + * Mention in the crypttab manpage that files are allowed as source. In that + case they are mounted as loopback device automatically. Thanks to + Michal Cihar (closes: #451909) + * At stopping dm-crypt devices really remove the corresponding loopback + device if one has been used. Thanks to Rene Pavlik for report and to David + Härdeman, who had the idea for the fix. (closes: #451916) + * Also remove loopback devices if the cryptsetup device setup fails. + * Document a possible deadlock if cryptsetup is invoked as a 'run programm' + in a udev role. This i related to the invokation of udevsettle in + cryptsetup. Thanks to Dick Middleton for reporting and debugging. + (closes: #444914) + * Move umount_fs() from handle_crypttab_line() to the end of do_start(). + * Bump Standards-Version to 3.7.3.0. No changes needed. + * Remove unused litian-override file + * Remove --build $(DEB_BUILD_GNU_TYPE) and --host $(DEB_HOST_GNU_TYPE) from + invocation of ./configure, as they are already included in $(confflags). + + -- Jonas Meurer Thu, 06 Dec 2007 15:56:05 +0100 + +cryptsetup (2:1.0.5-2ubuntu12) hardy; urgency=low + + * added debian/patches/07_typos_fix.dpatch: fixed typos in man pages. (LP: #164181) + + -- Bruno Barrera Yever Mon, 07 Apr 2008 18:43:05 -0500 + +cryptsetup (2:1.0.5-2ubuntu11) hardy; urgency=low + + * debian/initramfs/cryptroot-script: Do show the disk name after all, since + some people use multiple encrypted partitions as LVM PVs. (LP: #201413) + + -- Martin Pitt Sun, 06 Apr 2008 11:54:41 -0600 + +cryptsetup (2:1.0.5-2ubuntu10) hardy; urgency=low + + * debian/initramfs/cryptroot-script: Do not mention the name of the + encrypted device. It is just technobabble anyway (sda4_crypt), and there + is just one root partition ever, so it is not needed to tell apart + different partitions. From a security POV, someone who can change your + initramfs to boot a different root partition can just as well change the + strings, too. (LP: #201413) + + -- Martin Pitt Wed, 02 Apr 2008 15:51:53 +0200 + +cryptsetup (2:1.0.5-2ubuntu9) hardy; urgency=low + + * debian/scripts/luksformat: Use 256 bit key size by default. + (LP: #78508) + * debian/patches/02_manpage.dpatch: Clarify default key sizes (128 for + luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508) + + -- Martin Pitt Wed, 27 Feb 2008 17:43:46 +0100 + +cryptsetup (2:1.0.5-2ubuntu8) hardy; urgency=low + + * Fix -x calls and access() call. + + -- Scott James Remnant Fri, 14 Dec 2007 16:54:53 +0000 + +cryptsetup (2:1.0.5-2ubuntu7) hardy; urgency=low + + * debian/initramfs/cryptroot-script: call udevadm instead of udevsettle + * debian/patches/06_call_udevsettle.dpatch: likewise + + -- Scott James Remnant Fri, 14 Dec 2007 16:11:36 +0000 + +cryptsetup (2:1.0.5-2ubuntu6) hardy; urgency=low + + * Make cryptsetup understand devices specified by UUID=... or LABEL= + in crypttab. (LP: #153597) + + -- Andrea Colangelo Mon, 29 Oct 2007 18:22:51 +0100 + +cryptsetup (2:1.0.5-2ubuntu5) hardy; urgency=low + + * reenable additional udevsettle calls in cryptroot hook from + https://launchpad.net/bugs/85640, LP: #132373. + * change maintainer to ubuntu-core-dev. + * use Vcs-Bzr instead of XSCB-Vcs-Bzr header in debian/control. + + -- Reinhard Tartler Thu, 08 Nov 2007 23:52:19 +0100 + +cryptsetup (2:1.0.5-2ubuntu4) hardy; urgency=low + + * reapply changes from version 2:1.0.5-2ubuntu2, got dropped with last + upload. Sorry, pitti. + * convert patch to lib/libdevmapper.c to a dpatch. + + -- Reinhard Tartler Sun, 04 Nov 2007 21:42:43 +0100 + +cryptsetup (2:1.0.5-2ubuntu3) hardy; urgency=low + + * RELIABILY FIX: lib/libdevmapper.c: Ensure that pending device creation + events are being processed by calling /sbin/udevsettle. Patch based on + OpenSUSE bug #285478, LP: #132373. + * Based on the change above, the patch from LP #85640 is no longer needed. + dropping the relevant parts. + * Fix debian/rules to not fail to build if autom4te.cache is left behind + from a previous incomplete build. + + -- Reinhard Tartler Fri, 02 Nov 2007 20:53:31 +0100 + +cryptsetup (2:1.0.5-2ubuntu2) gutsy; urgency=low + + * debian/initramfs/cryptroot-script: + - If the supplied password worked, remove the prompt from usplash again, + so that the user has some visual feedback that everything is alright. + (LP: #151305) + - Do not show the UUID device node of the outer physical device. It is + scary ("/dev/disk/by-uuid/1234yadayada") and displaying it does not + improve security at all: If attackers can tamper with your initramfs, + they can also change the prompt, and if the UUID of the physical device + changes, then booting will not even get that far. Now it is a much more + friendly "Enter passphrase for sda5_crypt:" which is still technical, + but it's necessary to point out which device will be unlocked in case + there are several. + + -- Martin Pitt Thu, 11 Oct 2007 19:51:58 +0200 + +cryptsetup (2:1.0.5-2ubuntu1) gutsy; urgency=low + + * Merge new debian version. Remaining changes: + - cryptsetup is linked dynamically against libgcrypt and libgpg-error. + This will break systems where /usr is a separate encrypted filesystem + but not have other bad consequences (in particular, systems with + encrypted root are still fine). The upsides include better + security supportability and smaller packages. + - libcryptsetup.so et al removed from the binary packages. They have + no stable ABI and are not suitable for use by other packages, and + were in violation of library policies etc. They're not needed since + the cryptsetup executable statically contains the relevant parts of + libcryptsetup. + - cryptdisks.functions: remove #!/bin/bash as it isn't a script + by itself; it's only sourced by other scripts. This gets rid + of the lintian warning `script-not-executable' for this file. + - stop usplash on user input. LP #62751 + - Always output and read from the console. LP #58794. + - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + - Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate + libnsl linkage; + - debian/initramfs/cryptroot-hook: (LP: #73862) + Added patch to install aes optimized cypher module + - try to load optimized cypher module in cryptsetup.functions as well, + because cryptroot-hook is only executed when we really have a + cryptoroot. + - apply patch from pitti for allowing UUIDs in /etc/crypttab. + This allowes crypted PVs! LP: #144390. + - remove README.ubuntu, since it contains old and obsolete information. + + -- Reinhard Tartler Tue, 02 Oct 2007 21:31:28 +0200 + +cryptsetup (2:1.0.5-2) unstable; urgency=low + + [ Jonas Meurer ] + * Add libselinux1-dev and libsepol1-dev to build-depends. Detected by + the build daemon from hell by Steinar H. Gunderson. Thanks to Manoj + Srivastava for advice. + * Fix the watchfile + * Fix cryptopensc-hook to honor key=none. Thanks to Daniel Baumann + (closes: #436434) + * Remove outdated README.html and example usbcrypto.* scripts from + documentation. Add example usbcrypto.udev script. Thanks to Volker Sauer + for the update. (closes: #409775) + * Document that stdin is read different with '--key-file=-' than without. + Thanks to Marc Haber. (closes: #418450) + * Document that --timeout is useless in conjunction with --key-file. Thanks + Alexander Zangerl. (closes: #421693) + * [03_check_for_root.dpatch] Check for UID == 0 before actually doing + something. Thanks to Benjamin Seidenberg. (closes: #401766) + * [04_fix_unused_or_unitialized_variables.dpatch] Fix some gcc warnings + about unused or unitialized variables. Thanks to Ludwig Nussel for the + patch. + * [05_segfault_at_nonexisting_device.dpatch] Fix segfault when trying to + open a non existing device. Thanks to Ludwig Nussel for the patch. + (closes: #438198) + * Add CFLAGS="$(CFLAGS)" before ./configure invocation in debian/rules. + This way CFLAGS are passed to the configure script. Thanks to Gordon + Farquharson for the patch. (closes: #438450) + * Add a warning about missing hash option in crypttab to initramfs + cryptoroot hook. Thanks to Sebastian Leske for the patch. + (closes: #438169) + * Add support for openct using data objects on a smartcard as key. Thanks to + Daniel Baumann for patch and documentation. + (closes: #438473) + * Polish opensc_decrypt and openct_decrypt. + * Add initramfs patch by maximilian attems. Bump depends on initramfs-tools + to (>= 0.91). (closes: #441428) + * several cleanups to make lintian happy: + - remove #!/bin/sh from cryptsetup.functions as it is not executable. + - remove unused-override configure-generated-file-in-source config.log. + - add some hyphen fixes to patches/02_manpage.dpatch + * Filter out the detection of filesystem type 'minix' in checks vol_id and + un_vol_id if checking for any valid filesystem. The minix fs signature + seems short enough to be detected erroneously by /lib/udev/vol_id. + Thanks to Fredrik Olofsson and arno for the bugreport. (closes: #411784) + * Add Homepage field to debian/control. + + -- Jonas Meurer Mon, 24 Sep 2007 15:42:06 +0200 + +cryptsetup (2:1.0.5-1ubuntu5) UNRELEASED; urgency=low + + * apply patch from pitti for allowing UUIDs in /etc/crypttab. + This allowes crypted PVs! LP: #144390. + * remove README.ubuntu, since it contains old and obsolete information. + + -- Reinhard Tartler Tue, 02 Oct 2007 19:59:24 +0200 + +cryptsetup (2:1.0.5-1ubuntu4) gutsy; urgency=low + + [ Stephan Hermann ] + * debian/initramfs/cryptroot-hook: (LP: #73862) + - Added patch to install aes optimized cypher module + + [ Reinhard Tartler ] + * re-applying old patch to new package version + * try to load optimized cypher module in cryptsetup.functions as well, + because cryptroot-hook is only executed when we really have a + cryptoroot. + + -- Reinhard Tartler Thu, 27 Sep 2007 19:38:48 +0200 + +cryptsetup (2:1.0.5-1ubuntu3) gutsy; urgency=low + + * Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate + libnsl linkage; should finally produce a usable cryptsetup binary for + the udeb. + + -- Colin Watson Wed, 19 Sep 2007 15:28:52 +0100 + +cryptsetup (2:1.0.5-1ubuntu2) gutsy; urgency=low + + * Bump libgcrypt11 build-dependency to 1.2.4-2ubuntu1 and rebuild for + proper udeb dependencies. + + -- Colin Watson Wed, 19 Sep 2007 01:37:02 +0100 + +cryptsetup (2:1.0.5-1ubuntu1) gutsy; urgency=low + + * Merge new debian version. Remaining changes: + - cryptsetup is linked dynamically against libgcrypt and libgpg-error. + This will break systems where /usr is a separate encrypted filesystem + but not have other bad consequences (in particular, systems with + encrypted root are still fine). The upsides include better + security supportability and smaller packages. + - libcryptsetup.so et al removed from the binary packages. They have + no stable ABI and are not suitable for use by other packages, and + were in violation of library policies etc. They're not needed since + the cryptsetup executable statically contains the relevant parts of + libcryptsetup. + - cryptdisks.functions: remove #!/bin/bash as it isn't a script + by itself; it's only sourced by other scripts. This gets rid + of the lintian warning `script-not-executable' for this file. + - stop usplash on user input. LP #62751 + - Always output and read from the console. LP #58794. + * Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + * UVF exception request granted by Scott Kitterman and Chuck Short + LP: #138295 + + -- Reinhard Tartler Sat, 08 Sep 2007 19:04:54 +0200 + +cryptsetup (2:1.0.5-1) unstable; urgency=low + + [ Jonas Meurer ] + * New upstream release, nearly identical to svn snapshot svn29. + * Fix watch file to use cryptsetup instead of cryptsetup-luks. + * Add 01_crypt_luksFormat_libcryptsetup.dpatch - rename luksInit to + luksFormat in libcryptsetup.h. + * Merge some ubuntu changes: + - make luksformat check if filesystem is already mounted to prevent a + strange error message. + - modprobe dm-mod in cryptsetup.functions. + - wait for udev to be settled in initramfs script. + + [ David Härdeman ] + * Allow other crypto devices to be setup even if one fails. + (closes: #423100) + * Remove an incorrect warning in postinst. + + -- Jonas Meurer Fri, 27 Jul 2007 04:59:33 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu6) gutsy; urgency=low + + * Add notes by Ilkka Tuohela in a new file debian/README.ubuntu + + -- Reinhard Tartler Sat, 08 Sep 2007 18:43:56 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu5) gutsy; urgency=low + + * cryptsetup is linked dynamically against libgcrypt and libgpg-error. + This will break systems where /usr is a separate encrypted filesystem + but not have other bad consequences (in particular, systems with + encrypted root are still fine). The upsides include better + security supportability and smaller packages. + * libcryptsetup.so et al removed from the binary packages. They have + no stable ABI and are not suitable for use by other packages, and + were in violation of library policies etc. They're not needed since + the cryptsetup executable statically contains the relevant parts of + libcryptsetup. + * cryptdisks.functions: remove #!/bin/bash as it isn't a script + by itself; it's only sourced by other scripts. This gets rid + of the lintian warning `script-not-executable' for this file. + + -- Ian Jackson Fri, 31 Aug 2007 12:05:33 +0100 + +cryptsetup (2:1.0.4+svn29-1ubuntu4) gutsy; urgency=low + + * s/$CRYPTCMD/cryptsetup/ in debian/cryptdisks.functions + (LP: #115617) + + -- Reinhard Tartler Tue, 29 May 2007 17:04:05 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu3) gutsy; urgency=low + + * make luksformat check if filesystem is already mounted to prevent a + strange error message. thanks to mvo for the patch (LP: #116633) + * remove file debian/initramfs-cryptroot-script from source. it is not + installed anywhere, and a leftover from the last merge. + * add missing hunk of cryptsetup.functions compared to debian package. + * reapply http://librarian.launchpad.net/7329604/bug85640.debdiff to + debian/initramfs/cryptroot-script, since stgraber's patch has been + lost in the last merge. (LP: #85640) + + -- Reinhard Tartler Tue, 29 May 2007 15:02:57 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu2) gutsy; urgency=low + + * modprobe dm-mod from cryptsetup.functions. (LP: #64625, #91405) + + -- Reinhard Tartler Tue, 29 May 2007 13:31:39 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu1) gutsy; urgency=low + + * Merge from Debian unstable. Remaining Ubuntu changes: + - stop usplash on user input. Ubuntu: #62751 + - Always output and read from the console. Ubuntu: #58794. + - Wait for Udev to be ready to avoid partition non-detection. (LP: #85640) + * Modify Maintainer value to match Debian-Maintainer-Field Spec + + -- Andrea Veri Sun, 6 May 2007 22:33:25 +0200 + +cryptsetup (2:1.0.4+svn29-1) unstable; urgency=low + + * New upstream svn snapshot with several bugfixes + - remove 01_tries_fix.dpatch, added upstream + + -- Jonas Meurer Wed, 02 May 2007 02:48:37 +0200 + +cryptsetup (2:1.0.4+svn26-3) unstable; urgency=low + + * Add cryptdevice name to prompt before actually starting it. Thanks + to Joerg Jaspert. (closes: #421803) + + -- Jonas Meurer Wed, 02 May 2007 01:05:22 +0200 + +cryptsetup (2:1.0.4+svn26-2) unstable; urgency=low + + [ David Härdeman ] + * Fix typo in crypttab(5), the ext checkscript is called ext2, not + ext3. (closes: #410390) + * Use the initramfs-tools keymap support instead of our own (requires + initramfs-tools >= 0.87) + * Add support for usplash password prompt (closes: #397981) + * Remove the "ssl" and "gpg" options which are supported by keyscripts + since October 2006 (see NEWS for details). + * Spring cleaning of cryptdisks.functions, now supports multiple tries + for keyscripts and uses lsb logging. (closes: #420105, #383808) + + [ Jonas Meurer ] + * Add 01_tries_fix.dpatch, makes the --tries commandline option work + again. (closes: #414326, #412064) + * Document the un_vol_id check script, remove the swap check script from + documentation. The swap check indeed is rather useless, thanks to Frank + Engler . The script itself is kept + for compability issues. (closes: #406837) + * Add smartcard keyscript and initramfs-tools hooks/scripts. This adds + support for disk encryption with smartcards, even for root disks. + Thanks a lot to Gerald Turner for the patch and a + smartcard reader for testing this. (closes: #416528) + * update copyright file: change "program" to "package", and mention GPL + version 2. add a full disclaimer. + * Add "--showkeys" to the dmsetup invocation in decrypt_derived script. + (closes: #420399) + * Fixes in cryptdisks.functions: + - Don't suppress error messages at mount and unmount and don't break + if 'mount $point' fails. + - Fix handling of checks and prechecks, the vars somehow where mixed + - Really use $CHECKARGS if it's defined + - Rename "stopped" to "stopping" for devices which are shutdown at + 'cryptdisks stop' (show a difference to already stopped devices). + + -- Jonas Meurer Sat, 28 Apr 2007 20:45:50 +0200 + +cryptsetup (2:1.0.4+svn26-1ubuntu2) feisty; urgency=low + + * Wait for Udev to be ready to avoid partition non-detection. (LP: #85640) + + -- Stéphane Graber Thu, 14 Apr 2007 10:03:41 +0200 + +cryptsetup (2:1.0.4+svn26-1ubuntu1) feisty; urgency=low + + * merge debian changes. Remaining ubuntu changes: + - stop usplash on user input. Ubuntu: #62751 + - Always output and read from the console. Ubuntu: #58794. + + -- Reinhard Tartler Sat, 3 Feb 2007 21:30:03 +0100 + +cryptsetup (2:1.0.4+svn26-1) unstable; urgency=high + + [ Jonas Meurer ] + * New upstream svn snapshot 1.0.4+svn26 + - contains a slightly modified patch by Rob Walker + to fix a sector size error. (closes: #403075) + - fixes a LUKS header corruption on arm, which downgrades bug + #403426 from critical to important. + - prevents password retrying with I/O errors. + * handle chainmode/essiv "plain" correctly in initramfs hook. + Thanks to Leonard Norrgard. (closes: #402417) + * remove 'rm -rf m4' from a clean target in debian/rules. + * urgency=high to get this into etch. + + [ David Härdeman ] + * Document the difference in default hash functions between the + initramfs scripts and the plain cryptsetup binary. (closes: #398429) + * Verify symlinks for source devices when initramfs is generated and + correct if necessary. (closes: #405301) + + -- Jonas Meurer Tue, 9 Jan 2007 21:53:06 +0100 + +cryptsetup (2:1.0.4+svn16-2) unstable; urgency=high + + [ David Härdeman ] + * Add cbc to standard list of modules. Thanks to Michael Olbrich + . (closes: #401370) + * Fix support for crypto-on-evms. Thanks to Enrico Gatto + . (closes: #402417) + + [ Jonas Meurer ] + * urgency=high to get this into etch. + + -- Jonas Meurer Thu, 14 Dec 2006 01:41:40 +0100 + +cryptsetup (2:1.0.4+svn16-1) unstable; urgency=medium + + [ David Härdeman ] + * Support adding separate blockcipher modules to initramfs image + (necessary for kernels >= 2.6.19) + * Hashing was previously not done correctly when decrypt_derived was used + + [ Jonas Meurer ] + * Add new upstream patch 02_luks_var_keysize.dpatch. Cryptsetup no longer + segfaults with unsupported keysize. (closes: #381973) + * Urgency medium as we really want these fixes in etch. + + -- Jonas Meurer Tue, 28 Nov 2006 18:17:12 +0100 + +cryptsetup (2:1.0.4-8ubuntu2) feisty; urgency=low + + * fix and improve initramfs hook: terminate usplash if running, since + adequate secure text input is not possible with usplash ATM + * usplash support: Terminate usplash before asking a password. + Closes https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/62751 + + -- Reinhard Tartler Wed, 24 Jan 2007 22:43:28 +0100 + +cryptsetup (2:1.0.4-8ubuntu1) feisty; urgency=low + + * merge debian changes, remaining patches: + - Always output and read from the console. Ubuntu: #58794. + * other changes have been merged or do noy apply anymore + * read password via usplash if available in initramfs for rootfs. based on a patch from + Swen Thümmler (Thanks for that!) Ubuntu #62751 + * read password from initscript via usplash if running. should fix the + rest of Ubuntu #62751. Only problem with that patch: It asks only once + for the password! improvements welcome! + + -- Reinhard Tartler Sun, 19 Nov 2006 20:04:19 +0100 + +cryptsetup (2:1.0.4-8) unstable; urgency=high + + [ Jonas Meurer ] + * Add 'set -e' and 'if ...; then ... fi' to cryptdisks-early as well. + + [ David Härdeman ] + * Make sure that a failed modprobe does not break with 'set -e'. + (closes: #398799) + + -- Jonas Meurer Thu, 16 Nov 2006 16:59:35 +0100 + +cryptsetup (2:1.0.4-7) unstable; urgency=low + + [ David Härdeman ] + * Do not try to configure resume devices which we cant get the key for + and also try harder to find resume devices. + (closes: #397887, #397888) + * Kill some more bashisms. + * Only try three times per crypto device in initramfs scripts to avoid + unbootable systems if a swap partition can't be setup. + * Added decrypt_derived keyscript and improved documentation of latest + changes, see README.initramfs for details. + + -- Jonas Meurer Tue, 14 Nov 2006 16:27:51 +0100 + +cryptsetup (2:1.0.4-6) unstable; urgency=high + + [ David Härdeman ] + * Improve LVM dependency checks in initramfs hook. Thanks to Loïc + Minier for the patch. (closes: #397633, #397651) + + -- Jonas Meurer Thu, 9 Nov 2006 13:55:48 +0100 + +cryptsetup (2:1.0.4-5) unstable; urgency=high + + [ David Härdeman ] + * Make sure that duplicate entries in initramfs do not block the boot + (closes: #397454) + * Do not check for the presence of a key if the keyscript option is + set (closes: #397450) + + -- Jonas Meurer Tue, 7 Nov 2006 18:03:41 +0100 + +cryptsetup (2:1.0.4-4) unstable; urgency=high + + [ David Härdeman ] + * Readd and document the kernel boot argument "cryptopts" due to user + demand + * Implement support for multiple device setup in initramfs. + (closes: #394136, #382280) + * Remove bashisms. (closes: #396092) + * Fix FTBFS by altering dpatch so that it is applied to Makefile.in.in + before configure is executed. (closes: #396126) + + [ Jonas Meurer ] + * Only warn for insecure keyfile mode/owner. Add some information about + insecure keys in README.Debian. (closes: #395357, #394134) + + -- Jonas Meurer Fri, 3 Nov 2006 02:22:49 +0100 + +cryptsetup (2:1.0.4-3) unstable; urgency=medium + + [ Jonas Meurer ] + * Suggest dosfstools. Needed for the default settings in luksformat. Thanks + to Loïc Minier . (closes: #393473) + * Suggest initramfs-tools (>= 0.60) | linux-initramfs-tool as well. + * Still urgency=medium for the same reasons + + [ David Härdeman ] + * Change the previous fix for #388871 to use the original patch from + Loïc Minier . This also removes the bogus UTF8 char. + (closes: #393895) + + -- Jonas Meurer Wed, 18 Oct 2006 23:03:47 +0200 + +cryptsetup (2:1.0.4-2) unstable; urgency=medium + + [ Jonas Meurer ] + * Fix postinst, use 'elif [ -z $foo] || [ -z $bar ]; then ...' + * Fix a typo in cryptdisks.functions, change $opt to $opts for more + consistency with the postinst script. + * Fix mount_fs() in cryptdisks.functions to actually do what we want it to + do. Up to now, the initscript stopped if a mountpoint failed to mount. + * urgency=medium to get cryptsetup 1.0.4 into etch + + -- Jonas Meurer Tue, 17 Oct 2006 16:16:02 +0200 + +cryptsetup (2:1.0.4-1) unstable; urgency=low + + [ David Härdeman ] + * Always update the current initramfs when a new version is installed + * Move the double-ssl decryption into a keyscript and change the ssl + option to use that script instead + * Move the gpg key decryption into a keyscript and change the gpg + option to use that script instead + * Clean up cryptdisks.functions + * Let initramfs-tools know that we need busybox in the initramfs image + * Fix bogus error message from initramfs hook, based on patch by + Loïc Minier . (closes: #388871) + * Remove the undocumented kernel boot argument "cryptopts" + * Always add some crypto modules/tools to the initramfs image unless + MODULES=dep. (closes: #389835) + * Update README.initramfs. + * Add checks and warnings that the ssl and gpg options are going away + in favour of the keyscript option + * Fix the decrypt_ssl script (closes: #390514) + + [ Jonas Meurer ] + * New upstream release. + - [01_terminal_output.dpatch] removed, finally went upstream + - [02_docs_tries.dpatch] removed, went upstream + - [03_fix_build_error.dpatch] renamed to 01_fix_build_error.dpatch + * Fix SYNOPSIS in crypttab(5) manpage to show all arguments as mandatory. + Thanks to Michael Steinfurth. + * Check in postinst for entries with missing arguments in /etc/crypttab. + Warn is one is found. Thanks to Michael Steinfurth (closes: #388083) + * Fix pretest for encrypted swap. Allow unencrypted swap on the source + device. Thanks to Dennis Furey. (closes: #387158) + * Fix posttest for encrypted swap. Don't skip if a swap filesystem is found + on the target device. Thanks to Sam Couter. (closes: #385317) + * Use 'set -e' and 'if [ -r ]; then ...; fi' in init script. Thanks + to Goswin Brederlow. (closes: #390354) + * change '... > &2' to ... >&2' in cryptdisks.functions + + -- Jonas Meurer Mon, 16 Oct 2006 19:22:41 +0200 + +cryptsetup (2:1.0.4~rc2-1) unstable; urgency=low + + [ Jonas Meurer ] + * Add some more german translations to de.po. + * Add a note to NEWS.Debian where the fix for #376393 is explained. thanks + to Robert Bihlmeyer for the report. (closes: #379719) + * Allow swap filesystems to be overwritten when the swap flag is set. thanks + to Raphaël Quinet for the report. (closes: #379771) + * Update to upstream 1.0.4-rc2. (closes: #378422, #379726, closes: #379723) + * removed patches 03-05, merged upstream. + * [01_terminal_output.dpatch] updated for new upstream. + * [02_docs_tries.dpatch] updated for new upstream, to fix luksDelKey + documentation and to give more information about the keysize. + (closes: #379084) + + [ David Härdeman ] + * Make sure that README.initramfs is included in the package (closes + #380048) + * Replace panic calls in cryptsetup script with exit 1 to match the + behaviour of other scripts. The regular initramfs script will panic + later when root isn't detected anyway + * Make all four fields in crypttab mandatory (closes: #370180, + #376941) + * Add UTF8 keyboard input support to initramfs image (closes: #379737) + * Add a keyscript option (closes: #370302, #375913) + * [03_fix_build_error.dpatch] patch po/Makefile with more recent + gettext implementation. + + + -- Jonas Meurer Mon, 4 Sep 2006 03:55:35 +0200 + +cryptsetup (2:1.0.3-3ubuntu3) edgy; urgency=low + + * Always output and read from the console. Ubuntu: #58794. + + -- Scott James Remnant Thu, 21 Sep 2006 03:05:18 +0100 + +cryptsetup (2:1.0.3-3ubuntu2) edgy; urgency=low + + * Load the dm-crypt module on startup. Ubuntu: #53475. + + -- Scott James Remnant Wed, 23 Aug 2006 11:53:49 +0200 + +cryptsetup (2:1.0.3-3ubuntu1) edgy; urgency=low + + * Sync with Debian: + Remaining Ubuntu Changes + + debian/cryptdisks.functions: + - Tell usplash to quit if we ask for a passphrase + + -- Sebastian Dröge Tue, 11 Jul 2006 20:03:27 +0200 + +cryptsetup (2:1.0.3-3) unstable; urgency=low + + [ Jonas Meurer ] + * revert the change that for swap devices the vol_id check is run by + default. if the swap partition is encrypted with a random key, the check + will always fail. thanks to Mika Bostrom + (closes: #371135, #371160, #377434) + * fix the vol_id checkscript to do what it's expected to do. + * add the un_vol_id checkscript, which does the reverse of vol_id. + * use 'check=un_vol_id, checkargs=swap' for swap devices per default. + * added do_close function to cryptdisks.functions, as do_swap needs to use + it. up to now, 'cryptsetup remove' was invoked regardless whether the + device contains a LUKS partition or not. this is fixed now too. + * allow custom check scripts. check only if $CHECK exists in + /lib/cryptsetup/checks/ and use the given value as full path otherwise. + * make precheck for no_luks mandatory, fail if any known filesystem is + found. + * update crypttab manpage to reflect the checksystem changes. added an own + section for check scripts. update the CheckSystem documentation. + * update and simplify the gen-ssl-key script, thanks to Markus Nass + + * move gen-ssl-key, decrypt_ssl and luksformat to debian/scripts in the + source. + * add new directory /lib/cryptsetup/scripts/ for key decryption scripts like + decrypt_ssl and decrypt_gpg. + * add 05_fix_pointer_and_int_comparison.dpatch, fixes compiler warnings on + 64bit architectures. Thanks to David Härdeman for the patch. + * revert the order of do_start and do_stop at 'cryptdisks restart'. thanks + to Hans Peter Wiedau for pointing out that silly typo. + (closes: #377591) + + [ David Härdeman ] + * Support root-on-crypto-on-lvm in the initramfs scripts without + having to change the root variable (closes: #371846) + * If possible, load correct keymap in the initramfs image before any + password prompts (closes: #376393) + + -- Jonas Meurer Mon, 10 Jul 2006 20:01:02 +0200 + +cryptsetup (2:1.0.3-2) unstable; urgency=low + + [ David Härdeman ] + * Add patch by Arjan Oosting + (closes: #369575) + * add new check 'vol_id', which uses /lib/udev/vol_id from udev and supports + checks for any known filesystem type. implement a new option checkargs in + cryptdisks for that. suggest udev. closes one half of #370302. thanks to + Markus Nass and Darvid Härdeman for the suggestion. + * always check for a swap partition before running mkswap + * updated README.Debian, Checksystem.Doc and crypttab.5.txt accordingly. + * drop usage of strings from swap check, as it is in /usr/bin. thanks to + Markus Nass. + + -- Jonas Meurer Mon, 5 Jun 2006 18:27:07 +0200 + +cryptsetup (2:1.0.3-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream release, 1.0.3 final + - Add alignPayload patch by Peter Palfrader (closes: #358388) + - meaningful exitcodes and password retrying by Johannes Weißl + (closes: #359277) + * add 01_terminal_timeout.dpatch from Andres Salomon . + - gets rid of getpass(), which is obsolete according to manpage + - restores the terminal state before doing the timeout (closes: #364153) + * add 02_docs_tries.dpatch, to describe --tries in the cryptsetup manpage. + * add 03_stdin_input.dpatch from David Härdeman , + fixes input from stdin, accepts input with more than 32 characters + (closes: #364529, #365333) + * add 04_status_exit_codes.dpatch from David Härdeman , + fixes the exit codes of 'cryptsetup status' + * provide a cryptsetup-udeb package (closes: #358422) + * remove debian/luksformat.8 in clean target (closes: #358386) + * fix update-rc.d arguments to start cryptdisks in rc0 and rc6. + it is not really started [but stopped], but still the links need to be + named S48cryptdisks. otherwise it will be invoked before umountfs. + * add initramfs cryptroot functionality, thanks to David Härdeman + for the patch (closes: #358452) + * rename /lib/cryptsetup/init_functions to cryptdisks.functions + * move most of /etc/init.d/cryptdisks to cryptdisks.functions. + /etc/init.d/cryptdisks now does not much more than importing + cryptdisks.functions. required for running two seperate cryptdisks + initscripts. + * split the cryptdisks initscript into cryptdisks-early and cryptdisks. + actually both scripts do the same except having slightly different output. + the early script is run before lvm/evms/... are started, and the other one + after they are started. (closes: #363007) + * add support for mount to cryptdisks. this makes it possible to use + keyfiles from removable media. see the crypttab.5 manpage for more + information. + * use upstream cryptsetup tries option instead of the shell code in + cryptdisks. rename cryptdisks 'retry' option to 'tries'. + * document the fact, that the default settings in /etc/default/cryptdisks + take only effect if the relevant option is set without a value in + crypttab. add the environment section to crypttab.5.txt (closes: #364203) + * update the TODO list. + * update crypdisks.default + * run do_swap and do_tmp. Thanks to Riku Voipio + (closes: #365633) + * bump Standards-Version to 3.7.2.0, no changes needed + + [ David Härdeman ] + * add lvm capabilities to initramfs scripts (closes: #362564) + * add cryptsetup.postinst which executes update-initramfs when + cryptsetup is first installed (not on upgrades) + + -- Jonas Meurer Sat, 13 May 2006 19:45:08 +0200 + +cryptsetup (2:1.0.2+1.0.3-rc3-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream release candidate: + - fixes sector size of the temporary mapping (closes: #355156) + - more verbose error logging (closes: #353755, #356288, #258376) + - upstream accepted my patches to the manpage + * fixed spelling error in README.Debian + * removed debian/cryptsetup.sgml, outdated + * ran ispell against doc files in debian/, fixed many typos + * change /usr/share/cryptsetup to /lib/cryptsetup in crypttab.5.txt + (closes: #354910) + * add --build (and maybe even --host) to configure flags, for + cross-compiling + * remove debian/luksformat.8 in clean target + * fix bashism in cryptdisks. thanks to Michal Politowski + (closes: #356484) + * add support for openssl encrypted keys, based on a patch by General Stone + (closes: #350615) + * add some code to support gnupg encrypted keys, some parts are missing. + + -- Jonas Meurer Fri, 17 Mar 2006 00:42:41 +0100 + +cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream version 1.0.3-rc2, fixing issues with devmapper + * new upstream version 1.0.3-rc1, doesn't use essiv per default + * new upstream version (1.0.2) released + - add --timeout option for interactive usage + - add --batch-mode option to suppress input verifications + * install local cryptsetup.8 copy instead of the upstream manpage + - mention --readonly as possible option to luksOpen (closes: #353753) + - mention --batch-mode, --timeout, --version + - transform remaining option hyphens from '-' to '\-' + * merged ubuntu patches: + - modify cryptdisks init script to use lsb functions + - add luksformat and a manpage + * removed postinst and postrm, empty scripts + * added a README.Debian and a TODO + * added a NEWS file for Debian, and explain both the upstream transition + from plain cryptsetup to cryptsetup-luks, and the check options for + crypttab. + * install manpages using dh_installman, not with install + * updated CryptoRoot.HowTo, mention /etc/mkinitrd/modules and different + linux-image versions. (closes: #344867) + * removed needless debian/hack + * added debian/watch + * bumped debhelper compat level to 5, add versioned depends on + debhelper (>> 5.0.0) + * update debian/cryptsetup.8 to mention batch-mode and timeout + * updated cryptdisks + - modify init script to use lsb functions, at least where possible + - updated comments for cryptdisks.default + - moved option parsing and setup of loopback devices to seperate functions. + added a new include file /lib/cryptsetup/init_functions with functions + parse_opts, lo_setup, check_key, do_luks, do_noluks, do_swap, do_tmp + - always check for the source device exists before running cryptsetup + - hardcode precheck for LUKS to use 'cryptsetup isLuks'. this is much safer + than allowing other random prechecks, as it manifests that the source + device actually is a LUKS partition. + - don't remove the LUKS device when postcheck fails, as the supplied + password/key is correct anyway. + - use the new 'timeout' commandline option of cryptsetup instead of an + external wrapper + - be silent for not existing devices per default. Implement the loud + option for crypttab to warn if a device does not exist. + - remerge postchecks and prechecks into checks. + - don't disable swap & luks combination, instead disable luks with + /dev/random, /dev/urandom or /dev/hwrandom as key. + - run parse_opts before check_key, to know whether we use luks or not + + [ Michael Gebetsroither ] + * converted crypttab.sgml to asciidoc + * added dependencies for asciidoc to manpage conversion + * added developer documentation for a robust checksystem into cryptdisks + + -- Jonas Meurer Sun, 26 Feb 2006 20:04:49 +0100 + +cryptsetup (2:1.0.1-16) unstable; urgency=low + + [ Jonas Meurer ] + * already fixed in 2:1.0.1-14: binaries xor and delay from + usbcrypto.mkinitrd don't exist in debian. replaces with a perl script + and /bin/sleep. thanks to wesley terpstra for the help. + (closes: #324353) + * clean cryptdisks from bashisms (closes: #350360) + * check for /usr/bin/timeout before using it in cryptdisks. First, it's + only available when /usr is mounted, and that is not definitive when + cryptdisks is run at boot time. Second, timeout is a non-essential + debian package, and not neccecarily installed. The usage of + /usr/bin/timeout in any case is only a temporary workaround. + * move /usr/share/cryptsetup to /lib/cryptsetup, as the checks need to be + available at boot time, before local filesystems (like i.e. /usr) are + mounted. + * replace RETRY=`expr $RETRY - 1` with RETRY=$(($RETRY-1)), as expr is in + /usr/bin. + * install init.d script and default file with dh_installinit + (closes: #350548) + * don't build-depend on cvs + + -- Jonas Meurer Mon, 30 Jan 2006 17:54:50 +0100 + +cryptsetup (2:1.0.1-15) unstable; urgency=low + + [ Jonas Meurer ] + * rebuilt with -sa, to include the sources into upload + + -- Jonas Meurer Fri, 27 Jan 2006 18:18:46 +0100 + +cryptsetup (2:1.0.1-14) unstable; urgency=low + + [ Jonas Meurer ] + * added a configurable timeout option for interactive password + prompt. set the default timeout to 180 seconds in + /etc/default/cryptdisks, and documented the crypttab option in + the crypttab manpage. (closes: #328961) + * fixed the default "precheck" and "postcheck" options, currently + no useful precheck exists, so no default here. + * removed the dummy cryptsetup-luks package, ftpmaster complains + about it. + + [ Michael Gebetsroither ] + * make small fixes to CryptoSwap.HowTo + * added postcheck for swap (closes: #342079) + + -- Jonas Meurer Fri, 27 Jan 2006 12:59:10 +0100 + +cryptsetup (2:1.0.1-13) unstable; urgency=low + + * split the "check" in a "precheck" and a "postcheck" option + - adds the possibility to check the source device before creating the + decrypted target device, useful for things like swap. + + -- Jonas Meurer Sun, 22 Jan 2006 21:24:06 +0100 + +cryptsetup (2:1.0.1-12) unstable; urgency=low + + * correctly parse options in cryptdisks (closes: #304399) + * remove the moduledir /usr/lib/cryptsetup from the deb, it's + empty anyway (closes: #334648) + * replace /usr/local/bin/delay with /bin/sleep in usbcrypto.mkinitrd + * cosmetical changes to /etc/crypttab + * add "check" and "retry" options to cryptdisks script, + thanks to A Mennucc . (closes: #290626) + + -- Jonas Meurer Sun, 22 Jan 2006 19:46:18 +0100 + +cryptsetup (2:1.0.1-11) unstable; urgency=low + + * include sources although the debian revision is not -1 + + -- Jonas Meurer Sun, 22 Jan 2006 16:35:12 +0100 + +cryptsetup (2:1.0.1-10) unstable; urgency=low + + * introduce an epoch to make upgrade happen + + -- Jonas Meurer Sun, 22 Jan 2006 09:02:47 +0100 + +cryptsetup (1.0.1-9) unstable; urgency=low + + * rename the package to cryptsetup, provide a dummy cryptsetup-luks package + * initial upload to debian + + -- Jonas Meurer Sun, 22 Jan 2006 08:06:25 +0100 + +cryptsetup-luks (1.0.1-8) unstable; urgency=low + + * use upstream tarball as orig.tar.gz and keep debian changes in diff.gz + * change to use dpatch + * adjust build environment to work with upstream sources, and without + autogen.sh + * merge fixes for debian scripts from cryptsetup. + * keep cryptsetup manpage untouched, as merging cryptsetup and + cryptsetup-luks manpages is rather complex. + * set mandir to /usr/share/man for configure + * add a lintian-override file + + -- Jonas Meurer Sun, 22 Jan 2006 06:48:30 +0100 + +cryptsetup-luks (1.0.1-7) unstable; urgency=high + + * make cryptsetup create work again (patch for lib/libdevmapper.c) + + -- Michael Gebetsroither Sat, 21 Jan 2006 14:39:36 +0100 + +cryptsetup-luks (1.0.1-6) unstable; urgency=low + + * recompile for new libdevmapper + + -- Michael Gebetsroither Tue, 10 Jan 2006 15:10:17 +0100 + +cryptsetup-luks (1.0.1-5) unstable; urgency=low + + * improved documentation for /etc/crypttab + + -- Michael Gebetsroither Mon, 7 Nov 2005 17:05:20 +0100 + +cryptsetup-luks (1.0.1-4) unstable; urgency=low + + * added luks option for /etc/crypttab (thx to Fabian Thorns + for the initial patch) + + -- Michael Gebetsroither Thu, 3 Nov 2005 19:22:59 +0100 + +cryptsetup-luks (1.0.1-3) unstable; urgency=low + + * completly switched to luks upstream + + -- Michael Gebetsroither Thu, 11 Aug 2005 22:14:16 +0200 + +cryptsetup-luks (1.0.1-2) unstable; urgency=low + + * fixed build dependencies + + -- Michael Gebetsroither Mon, 20 Jun 2005 22:30:38 +0200 + +cryptsetup-luks (1.0.1-1) unstable; urgency=low + + * synced with luks upstream + + -- Michael Gebetsroither Mon, 20 Jun 2005 16:22:53 +0200 + +cryptsetup-luks (1.0-5) unstable; urgency=low + + * fixed a small typo in the manpage + + -- Michael Gebetsroither Sat, 23 Apr 2005 11:06:31 +0200 + +cryptsetup-luks (1.0-4) unstable; urgency=low + + * cleand source-tree for submitting a wishlist report into debian BTS + + -- Michael Gebetsroither Tue, 19 Apr 2005 18:44:13 +0200 + +cryptsetup-luks (1.0-3) unstable; urgency=low + + * updatet dependencies (libdevmapper1.00 => libdevmapper1.01) + + -- Michael Gebetsroither Tue, 19 Apr 2005 13:51:10 +0200 + +cryptsetup-luks (1.0-2) unstable; urgency=low + + * replaced original debian cryptsetup manpage with manpage from + cryptsetup-luks + + -- Michael Gebetsroither Sun, 3 Apr 2005 13:33:55 +0200 + +cryptsetup-luks (1.0-1) unstable; urgency=low + + * new upstream release + + -- Michael Gebetsroither Sat, 2 Apr 2005 23:29:43 +0200 + +cryptsetup-luks (0.993-3) unstable; urgency=low + + * fixed dependencis + + -- Michael Gebetsroither Sun, 13 Feb 2005 01:28:11 +0100 + +cryptsetup-luks (0.993-2) unstable; urgency=low + + * fixed a few source problems + * fixed post/pre install scripts + + -- Michael Gebetsroither Sat, 12 Feb 2005 16:18:07 +0100 + +cryptsetup-luks (0.993-1) unstable; urgency=low + + * synced with luks upstream + + -- Michael Gebetsroither Sat, 12 Feb 2005 15:50:21 +0100 + +cryptsetup-luks (0.992-5) unstable; urgency=low + + * fixed a few problems in den debian source package + + -- Michael Gebetsroither Sat, 12 Feb 2005 04:22:30 +0100 + +cryptsetup-luks (0.992-4) unstable; urgency=low + + * debianized the package + * cleand up build system + + -- Michael Gebetsroither Sat, 12 Feb 2005 00:12:43 +0100 + +cryptsetup-luks (0.992-3) unstable; urgency=low + + * Fixed typo + + -- Michael Gebetsroither Fri, 11 Feb 2005 18:38:42 +0100 + +cryptsetup-luks (0.992-2) unstable; urgency=low + + * Added note within description + + -- Michael Gebetsroither Fri, 11 Feb 2005 18:21:03 +0100 + +cryptsetup-luks (0.992-1) unstable; urgency=low + + * "integrated LUKS" support (very messy hack) + + -- Michael Gebetsroither Thu, 10 Feb 2005 18:16:21 +0100 + --- cryptsetup-1.1.0~rc2.orig/debian/cryptdisks.default +++ cryptsetup-1.1.0~rc2/debian/cryptdisks.default @@ -0,0 +1,14 @@ +# Run cryptdisks at startup ? +CRYPTDISKS_ENABLE=Yes + +# Mountpoints to mount, before starting cryptsetup. This is useful for +# keyfiles on removable media. Seperate mountpoints by space. +CRYPTDISKS_MOUNT="" + +# Default check script, see /lib/cryptsetup/checks/ +# Takes effect, if the 'check' option is set in crypttab without a value +CRYPTDISKS_CHECK=blkid + +# Default precheck script, see +# Takes effect, if the 'precheck' option is set in crypttab without a value +CRYPTDISKS_PRECHECK= --- cryptsetup-1.1.0~rc2.orig/debian/README.initramfs +++ cryptsetup-1.1.0~rc2/debian/README.initramfs @@ -0,0 +1,196 @@ +1. Introduction +--------------- +Kernels more recent than 2.6.12 have dropped support for devfs, which +means that initrd-tools can no longer be used to boot into an encrypted +root partition. Instead, a similar functionality has been developed for +use with an initramfs-image. + + +2. A fresh installation +----------------------- +If you plan to perform a completely new installation of Debian onto a +machine and to do so using an encrypted root partition, you might want +to consider using a version of Debian Installer with partman-crypto +(see http://wiki.debian.org/DebianInstaller/PartmanCrypto). + +The installation will then take care of all the details and perform the +necessary configuration for you, meaning that you should not have to +read the rest of this document to get a machine with an encrypted +root fs up and running. + +However, if you are not planning to perform a new installation from scratch, +the following information might be useful to you. + + +3. Requirements +--------------- +In order to boot from an encrypted root fs, you need an initramfs-image +which includes the necessary kernel modules and scripts to setup +the root device after the kernel has been initialized, but before the rest +of the operating system is booted. + +To do so, you need two partitions: +- an unencrypted /boot partition +- an encrypted / partition + +In addition, you need to have both initramfs-tools and busybox installed. + +NOTE: You should make sure that your swap partition is either encrypted, or +that you are using a swap file on an encrypted partition, as crypto keys and +other sensitive information might otherwise be written out to the swap +partition in unencrypted form. + + +4. Setup (regular dm-crypt) +--------------------------- +First of all, you must edit /etc/crypttab and add a line describing your +root device, for example: + + cryptroot /dev/hda2 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256 + +This will allow cryptsetup to create /dev/mapper/cryptroot from the +encrypted partition /dev/hda2 during boot. + +In addition, you must also make sure that the root device is listed in +/etc/fstab, for example: + + /dev/mapper/cryptroot / ext3 defaults 0 1 + +This will allow the initramfs support scripts to know which of the devices +in the crypttab that is the root device. + +After doing these changes, you should regenerate the initramfs by running +"initramfs-update -u", then make sure that your boot loader is configured +to feed the initramfs to the kernel when booting. The kernel root argument +should also be changed to /dev/mapper/cryptroot. + +Now, reboot the machine, and if everything is correctly configured, you +should be given a prompt to type in the passphrase for the encrypted +root partition before the boot can continue. + +NOTE: the initramfs scripts default to using the sha256 hash function while +the plain cryptsetup binary defaults to using the ripemd160 hash function. +In order to ensure that the crypto setup works in a consistant manner, you +should make sure that the hash function is specified in the /etc/crypttab file +if you are using regular dm-crypt (with LUKS the hash function to use is stored +in the LUKS header). + + +5. Setup (using LUKS) +--------------------- +If you are using the LUKS feature of cryptsetup, the above setup recipe should +still apply, but since most options can be derived from the information stored +in the LUKS header on-disk, the line to add to /etc/crypttab should look +something like this: + + cryptroot /dev/sda2 none luks + + +6. Exotic key types +------------------- +The above examples assume that you use a regular passphrase as the key to the +encrypted filesystem. However, if you wish to make use of more complex setups +(such as root-key-on-usb-memory), you can create a script which does all the +steps necessary to retrieve the key and then prints it to stdout. + +Then add a keyscript=/path/to/your/script.sh to the options (fourth column) in +the above mentioned /etc/crypttab line, so that it looks something like this: + + cryptroot /dev/sda2 none luks,keyscript=/usr/local/sbin/cryptkey + +Next, regenerate your initramfs image. This will copy the script into the +initramfs image under the /keyscripts/ directory. + +NOTE: there is a limited set of tools available when the script is executing +as part of the initramfs bootup, you have to make sure that you do not use +any tools which are not available or your script, and therefore boot, will +fail. + + +7. "cryptopts" boot argument +---------------------------- +In general, you should use the above approach with a line describing your +root partition in /etc/crypttab and /etc/fstab. However, if for some reason +you wish to override the settings that are derived from these files and +stored in the initramfs image, you can use the "cryptopts" boot argument +(this *only* works for the root partition). + +The format of cryptopts is: +cryptopts==,=... + +Beside the "hash", "size", "cipher" and "lvm" options that correspond to the +same options in the fourth field of /etc/crypttab, the options "target", +"source" and "key" are also supported. They correspond to the first, second +and third field of /etc/crypttab, respectively. See the crypttab man page +for further details. + +Several "cryptopts" boot arguments can also be specified in case more than +one mapping needs to be setup in the initramfs stage of the boot. + +Example boot arguments: +root=/dev/mapper/crypt0 cryptopts=target=crypt0,source=/dev/hda1,cipher=twofish + +8. Resume device support +------------------------ +The initramfs scripts will also try to automatically determine the devices, +if any, that are used for software suspend (swsusp, suspend2 or uswsusp) and +to set them up during the initramfs stage in order to allow suspend and resume +in combination with encryption to keep the resume image safe from potential +attackers. + +If your resume device and your root partition use two different cryptsetup +mappings, you might want to use the "decrypt_derived" keyscript as described +below. + +9. The "decrypt_derived" keyscript +---------------------------------- +Assume that you have two entries in /etc/crypttab: + +cryptroot /dev/hda1 none luks +cryptswap /dev/hda2 none luks + +If cryptswap is used as your suspend/resume device, you'd normally need to +enter two different passphrases during the boot, but the "decrypt_derived" +script can generate the key for the second mapping using a hash of the key +for the first mapping. + +In short, you'll need to do something like the following to take advantage +of the decrypt_derived script: + +1) swapoff -a +2) cryptsetup luksClose cryptswap +3) edit /etc/crypttab and change the cryptswap line to e.g.: +cryptswap /dev/hda2 cryptroot cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap +4) /etc/init.d/cryptdisks start +5) Make sure that /dev/mapper/cryptswap has been created +6) swapon -a +7) (optional) update-initramfs -u + +After you've followed the above steps, your swap device should be setup +automatically after the root device has been setup during the boot stage. + +Note: If you don't use suspend device support, it's better to use completely +random keys for your encrypted swap device. See the section '2. Encrypted +swap partition(s)' in /usr/share/doc/cryptsetup/README.Debian for information +on how to setup this. + +10. The "passdev" keyscript +---------------------------- +If you have a keyfile on a removable device (e.g. a USB-key), you can use the +passdev keyscript. It will wait for the device to appear, mount it read-only, +read the key and then unmount the device. + +The "key" part of /etc/crypttab will be interpreted as :[:], +it is strongly recommended that you use one of the persistent device names from +/dev/disk/*, e.g. /dev/disk/by-label/myusbkey. + +This is an example of a suitable line in cryptsetup: +cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev + +The above line would cause the boot to pause until /dev/disk/by-label/myusbkey +appears in the fs, then mount that device and use the file /keys/root.key +on the device as the key (without any hashing) as the key for the fs. + +The timeout option has to be in seconds. + +-- David Härdeman --- cryptsetup-1.1.0~rc2.orig/debian/cryptsetup.reportbug-script +++ cryptsetup-1.1.0~rc2/debian/cryptsetup.reportbug-script @@ -0,0 +1,23 @@ +#!/bin/sh + +exec >&3 + +echo "-- /proc/cmdline" +cat /proc/cmdline +echo + +if [ -r /etc/crypttab ]; then + echo "-- /etc/crypttab" + cat /etc/crypttab + echo +fi + +if [ -r /etc/fstab ]; then + echo "-- /etc/fstab" + cat /etc/fstab + echo +fi + +echo "-- lsmod" +lsmod +echo --- cryptsetup-1.1.0~rc2.orig/debian/doc/crypttab.xml +++ cryptsetup-1.1.0~rc2/debian/doc/crypttab.xml @@ -0,0 +1,463 @@ + + + + + + + + + crypttab + 5 + + + + + crypttab + static information about encrypted filesystems + + + + DESCRIPTION + + The file /etc/crypttab contains descriptive + information about encrypted filesystems. crypttab + is only read by programs, and not written; it is the duty of the system + administrator to properly create and maintain this file. Each filesystem is + described on a separate line; fields on each line are separated by tabs or + spaces. Lines starting with # are comments, empty lines are + ignored. The order of records in crypttab is important + because the init scripts sequentially iterate through + crypttab doing their thing. + + + The first field, target, describes the mapped + device name. It must be a plain filename without any directory components. + A mapped device which encrypts/decrypts data to/from the source + device will be created at + /dev/mapper/target by + cryptsetup. + + + The second field, source device, describes either the + block special device or file (which will be automatically mounted as a loop + device) that should hold the encrypted data. + + + The third field, key file, describes the file to use + as a key for decrypting the data of the source device. + It can also be a device name (e.g. + /dev/urandom), note however that + LUKS requires a persistent key and therefore does not + support random data keys. + + + If the key file is the string none, + a passphrase will be read interactively from the console. In this case, the + options precheck, check, checkargs and tries may be useful. + + + The fourth field, options, describes the cryptsetup + options associated with the encryption process. At minimum, the field should + contain the string luks or the + cipher, hash and + size options. + + + Options are in the format: key=value + [,key=value …]. The + supported options are described below. + + + Note that all four fields are mandatory and that a missing field will lead + to unspecified behaviour. + + + + + OPTIONS + + + cipher=<cipher> + + + Encryption algorithm. See cryptsetup -c. + + + + + + size=<size> + + + Encryption key size. See cryptsetup -s. + + + + + + hash=<hash> + + + Hash algorithm. See cryptsetup -h. + + + + + + offset=<offset> + + + Start offset. Uses cryptsetup -o. + + + + + + skip=<skip> + + + Skip sectors at the beginning. Uses cryptsetup -p. + + + + + + verify + + + Verify password. Uses cryptsetup -y. + + + + + + readonly + + The backing device is read-only (eg: a dvd). + + + + + luks + + Use device with luks extensions. + + + + + swap + + + Run mkswap on the created device. + + + + + + tmp=<tmpfs> + + + Run mkfs with filesystem type + <tmpfs> on the created device. Default is ext2. + + + + + + precheck=<precheck> + + Check the source device by suitable program; if the check fails, + the device is not created; <precheck> is a script to check the + source device. The sourcedevice is given as an argument to the script. + + + + + + check=<check> + + Check the content of the device by a suitable program; if the + check fails, the device is removed. If a program is provided as an + argument, it is run, giving the decrypted volume (target device) as the + first argument, and the value of the checkargs option as the second + argument. Cryptdisks searches for the given program in + /lib/cryptsetup/checks/. + Default is blkid. + + + + + + checkargs=<arguments> + + Give <arguments> as the second argument to the check + script. See the CHECKSCRIPTS section for more information. + + + + + + tries=<num> + + The input of the passphrase is tried <num> times in case + of failure. If you want to disable retries, pass tries=1. + Default is 3. For the root device, tries=0 enables + infinitive retries due to a special case in the initramfs scripts. + + + + + + noearly + + The cryptsetup init scripts are invoked twice during the boot + process - once before lvm, evms, raid, etc. are started and once again + after that. Sometimes you need to start your encrypted disks in a special + order. With this option the device is ignored during the first invokation + of the cryptsetup init scripts. + + + + + + noauto + + Entirely ignore the device at the boot process. It's still + possible to map the device manually using cryptdisks_start. + + + + + + loud + + Be loud. Print warnings if a device does not exist. + + + + + keyscript=<path> + + + The executable at the indicated path is executed with the + key file from the third field of the crypttab as its + only argument and the output is used as the key. This also works with + encrypted root filesystems via initramfs if the executable is + self-contained (i.e. an executable which does not rely on any external + program which is not present in the initramfs environment). + + + All fields of the appropriate crypttab entry are available to the keyscript + as exported environment variables: + + + CRYPTTAB_NAME + + The target name + + + + CRYPTTAB_SOURCE + + The source device + + + + CRYPTTAB_KEY + + The key file + + + + CRYPTTAB_OPTIONS + + A list of exported crypttab options + + + + CRYPTTAB_OPTION_<option> + + The value of the appropriate crypttab option, with value set to 'yes' + in case the option is merely a flag. + + + + + + + + + + + CHECKSCRIPTS + + + blkid + + Checks for any known filesystem. Supports a filesystem type as + argument via <checkargs>: + + + + no checkargs - succeeds if any valid filesystem is found on the device. + + + "none" - succeeds if no valid filesystem is found on the device. + + + "ext3" [or another filesystem type like xfs, swap, crypto_LUKS, ...] - + succeeds if ext3 filesystem is found on the device. + + + + + + + un_blkid + + Checks for no known filesystem. Supports a filesystem type as + argument via <checkargs>: + + + + no checkargs - succeeds if no valid filesystem is found on the device. + + + "ext3" [or another filesystem type like xfs, swap, crypto_LUKS, ...] - + succeeds if no ext3 filesystem is found on the device. + + + + + + + ext2 + + Checks for a valid ext2/ext3 filesystem. + + + + + xfs + + Checks for a valid xfs filesystem. + + + + + + + EXAMPLES + + +# Encrypted swap device +cswap /dev/sda6 /dev/urandom swap + +# Encrypted luks disk with interactive password +cdisk0 /dev/hda1 none luks + +# Encrypted ext2 disk with interactive password +# - retry 5 times if the check fails +cdisk1 /dev/sda2 none checkargs=ext2,tries=5 + +# Encrypted disk with interactive password +# - use a nondefault check script +# - no retries +cdisk2 /dev/hdc1 none check=customscript,tries=1 + +# Encrypted disk with interactive password +# - twofish as the cipher +cdisk3 /dev/sda3 none cipher=twofish + + + + + + ENVIRONMENT + + + CRYPTDISKS_ENABLE + + + Set to yes to run cryptdisks at startup. Set to + no to disable cryptdisks. + + + + + + CRYPTDISKS_MOUNT + + Specifies the mountpoints that are mounted before cryptdisks is + invoked. Useful for keys on removable devices, such as cdrom, usbstick, + flashcard, etc. + + + + + + CRYPTDISKS_CHECK + + Specifies the checkscript to be run against the target device, + after cryptdisks has been invoked. The target device is passed as the + first and only argument to the checkscript. Takes effect if the + check option is given in crypttab with no value. + + + + + + CRYPTDISKS_PRECHECK + + Specifies the checkscript to be run against the source device, + before cryptdisks has been invoked. The source device is given as the + first and only argument to the checkscript. Takes effect if the + precheck option is given in crypttab with no value. + + + + + + + + SEE ALSO + + cryptsetup(8) + /etc/crypttab + + + + + AUTHOR + + This manual page was originally written by + + Bastian + Kleineidam + + calvin@debian.org + for the Debian distribution of cryptsetup. It has been further improved by + + Michael + Gebetsroither + + michael.geb@gmx.at, + + Jonas + Meurer + + jonas@freesources.org + and + + David + Härdeman + + david@hardeman.nu. + + + + --- cryptsetup-1.1.0~rc2.orig/debian/doc/variables.xml.in +++ cryptsetup-1.1.0~rc2/debian/doc/variables.xml.in @@ -0,0 +1,16 @@ + + + + + + + VERSION + cryptsetup + cryptsetup manual + + + + DATE + + + --- cryptsetup-1.1.0~rc2.orig/debian/doc/manpages.xml +++ cryptsetup-1.1.0~rc2/debian/doc/manpages.xml @@ -0,0 +1,9 @@ + + + + + Manual Pages + + + + --- cryptsetup-1.1.0~rc2.orig/debian/doc/cryptdisks_stop.xml +++ cryptsetup-1.1.0~rc2/debian/doc/cryptdisks_stop.xml @@ -0,0 +1,54 @@ + + + + + + + + + cryptdisk_stop + 8 + + + + + cryptdisks_stop + wrapper around cryptsetup which parses /etc/crypttab. + + + + + cryptdisks_stop + <name> + + + + + DESCRIPTION + + cryptdisks_stop is a wrapper around + cryptsetup which parses + /etc/crypttab just like the initscript + /etc/init.d/cryptdisks does, and stops the dm-crypt mapping which corresponds + to <name>. + + + + + SEE ALSO + + cryptsetup(8), crypttab(5) + + + + + AUTHORThis manual page was written by Jonas Meurer + <mejo@debian.org> in January 2008. + + + + --- cryptsetup-1.1.0~rc2.orig/debian/doc/cryptdisks_start.xml +++ cryptsetup-1.1.0~rc2/debian/doc/cryptdisks_start.xml @@ -0,0 +1,54 @@ + + + + + + + + + cryptdisks_start + 8 + + + + + cryptdisks_start + wrapper around cryptsetup which parses /etc/crypttab. + + + + + cryptdisks_start + <name> + + + + + DESCRIPTION + + cryptdisks_start is a wrapper around + cryptsetup which parses + /etc/crypttab just like the initscript + /etc/init.d/cryptdisks does, and starts the dm-crypt mapping which + corresponds to <name>. + + + + + SEE ALSO + + cryptsetup(8), crypttab(5) + + + + + AUTHORThis manual page was written by Jonas Meurer + <mejo@debian.org> in December 2007. + + + + --- cryptsetup-1.1.0~rc2.orig/debian/initramfs/cryptopensc-script-local-top +++ cryptsetup-1.1.0~rc2/debian/initramfs/cryptopensc-script-local-top @@ -0,0 +1,36 @@ +#!/bin/sh + +set -e + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# Hook for starting smartcard reading software + +if [ ! -e /sbin/pcscd ]; then + exit 0 +fi + +# Start pcscd daemon nomrally: +# start-stop-daemon --start --quiet \ +# --pidfile /var/run/pcscd.pid \ +# --exec /sbin/pcscd +# Alternatively, start pcscd daemon in foreground so that it's pretty colored +# output may be seen on the console, useful for watching error messages since +# pcscd uses syslog which is not available (use --error or --critical to filter +# out debug message clutter): +# /sbin/pcscd --error --foreground & +/sbin/pcscd --foreground & --- cryptsetup-1.1.0~rc2.orig/debian/initramfs/cryptroot-hook +++ cryptsetup-1.1.0~rc2/debian/initramfs/cryptroot-hook @@ -0,0 +1,532 @@ +#!/bin/sh + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +get_root_device() { + local device mount type options dump pass + + if [ ! -r /etc/fstab ]; then + return 1 + fi + + grep '^[^#]' /etc/fstab | \ + while read device mount type options dump pass; do + if [ "$mount" = "/" ]; then + echo "$device" + return + fi + done +} + +get_resume_devices() { + local device opt count dupe candidates devices + candidates="" + + # First, get a list of potential resume devices + + # uswsusp + if [ -e /etc/uswsusp.conf ]; then + device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/uswsusp.conf) + if [ -n "$device" ]; then + candidates="$candidates $device" + fi + fi + + # uswsusp - again... + if [ -e /etc/suspend.conf ]; then + device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/suspend.conf) + if [ -n "$device" ]; then + candidates="$candidates $device" + fi + fi + + # regular swsusp + for opt in $(cat /proc/cmdline); do + case $opt in + resume=*) + device="${opt#resume=}" + candidates="$candidates $device" + ;; + esac + done + + # initramfs-tools + if [ -e /etc/initramfs-tools/conf.d/resume ]; then + device=$(sed -rn 's/^RESUME[[:space:]]*=[[:space:]]*// p' /etc/initramfs-tools/conf.d/resume) + if [ -n "$device" ]; then + candidates="$candidates $device" + fi + fi + + # Now check the sanity of all candidates + devices="" + count=0 + for device in $candidates; do + # Weed out clever defaults + if [ "$device" = "" ]; then + continue + fi + + # Detect devices required by decrypt_derived + derived="$(grep "^${device#/dev/mapper/}.*decrypt_derived" /etc/crypttab 2>/dev/null | awk '{print $3}')" + if [ -n "$derived" ]; then + if grep -q "^$derived" /etc/crypttab; then + candidates="$candidates /dev/mapper/$derived" + else + echo "cryptsetup: WARNING: decrypt_derived device $derived not found in crypttab" >&2 + fi + fi + + # Weed out duplicates + dupe=0 + for opt in $devices; do + if [ "$device" = "$opt" ]; then + dupe=1 + fi + done + if [ $dupe -eq 1 ]; then + continue + fi + + # This device seems ok + devices="$devices $device" + count=$(( $count + 1 )) + done + + if [ $count -gt 1 ]; then + echo "cryptsetup: WARNING: found more than one resume device candidate:" >&2 + for device in $devices; do + echo " $device" >&2 + done + fi + + if [ $count -gt 0 ]; then + echo $devices + fi + + return 0 +} + +node_is_in_crypttab() { + local node + node="$1" + + grep -q ^$node /etc/crypttab + return $? +} + +get_lvm_deps() { + local node deps maj min depnode + node="$1" + + if [ -z $node ]; then + echo "cryptsetup: WARNING: get_lvm_deps - invalid arguments" >&2 + return 1 + fi + + if ! deps=$(dmsetup deps "$node" 2> /dev/null | sed 's/[^:]*: *//;s/[ (]//g;s/)/ /g'); then + echo "cryptsetup: WARNING: failed to find deps for $node" >&2 + return 1 + fi + + # We should now have a list of major,minor pairs, e.g. "3,2 3,3" + for dep in $deps; do + maj=${dep%,*} + min=${dep#*,} + depnode=$(dmsetup ls | sed -n "s/\\([^ ]*\\) *($maj, $min)/\\1/p" | sed -e "s/[ \t]*$//") + if [ -z "$depnode" ]; then + continue + fi + if [ "$(dmsetup table "$depnode" 2> /dev/null | cut -d' ' -f3)" != "crypt" ]; then + get_lvm_deps "$depnode" + continue + fi + echo "$depnode" + done + + return 0 +} + +get_device_opts() { + local target source link extraopts rootopts opt + target="$1" + extraopts="$2" + KEYSCRIPT="" + OPTIONS="" + + if [ -z "$target" ]; then + echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2 + return 1 + fi + + opt=$( grep ^$target /etc/crypttab | head -1 | sed 's/[[:space:]]\+/ /g' ) + source=$( echo $opt | cut -d " " -f2 ) + key=$( echo $opt | cut -d " " -f3 ) + rootopts=$( echo $opt | cut -d " " -f4- ) + + if [ -z "$opt" ] || [ -z "$source" ] || [ -z "$key" ] || [ -z "$rootopts" ]; then + echo "cryptsetup: WARNING: invalid line in /etc/crypttab - $opt" >&2 + return 1 + fi + + # Sanity checks for $source + if [ -h "$source" ]; then + link=$(readlink -nqe "$source") + if [ -z "$link" ]; then + echo "cryptsetup: WARNING: $source is a dangling symlink" >&2 + return 1 + fi + + if [ "$link" != "${link#/dev/mapper/}" ]; then + echo "cryptsetup: NOTE: using $link instead of $source for $target" >&2 + source="$link" + fi + fi + + # Sanity checks for $key + if [ "$key" = "/dev/random" ] || [ "$key" = "/dev/urandom" ]; then + echo "cryptsetup: WARNING: target $target has a random key, skipped" >&2 + return 1 + fi + + if [ -n "$extraopts" ]; then + rootopts="$extraopts,$rootopts" + fi + + # We have all the basic options, let's go trough them + OPTIONS="target=$target,source=$source,key=$key" + local IFS=", " + unset HASH_FOUND + unset LUKS_FOUND + for opt in $rootopts; do + case $opt in + cipher=*) + OPTIONS="$OPTIONS,$opt" + ;; + hash=*) + OPTIONS="$OPTIONS,$opt" + HASH_FOUND=1 + ;; + size=*) + OPTIONS="$OPTIONS,$opt" + ;; + lvm=*) + OPTIONS="$OPTIONS,$opt" + ;; + keyscript=*) + opt=${opt#keyscript=} + if [ ! -x "/lib/cryptsetup/scripts/$opt" ] && [ ! -x "$opt" ]; then + echo "cryptsetup: WARNING: target $target has an invalid keyscript, skipped" >&2 + return 1 + fi + KEYSCRIPT="$opt" + OPTIONS="$OPTIONS,keyscript=/lib/cryptsetup/scripts/$(basename "$opt")" + ;; + tries=*) + OPTIONS="$OPTIONS,$opt" + ;; + rootdev) + OPTIONS="$OPTIONS,$opt" + ;; + luks) + LUKS_FOUND=1 + ;; + *) + # Presumably a non-supported option + ;; + esac + done + + # Warn for missing hash option, unless we have a LUKS partition + if [ -z "$HASH_FOUND" ] && [ -z "$LUKS_FOUND" ]; then + echo "WARNING: Option hash missing in crypttab for target $target, assuming ripemd160." >&2 + echo " If this is wrong, this initramfs image will not boot." >&2 + echo " Please read /usr/share/doc/cryptsetup/README.initramfs.gz and add" >&2 + echo " the correct hash option to your /etc/crypttab." >&2 + fi + + # If keyscript is set, the "key" is just an argument to the script + if [ "$key" != "none" ] && [ -z "$KEYSCRIPT" ]; then + echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2 + return 1 + fi +} + +get_device_modules() { + local node value cipher blockcipher ivhash + node="$1" + + # Check the ciphers used by the active root mapping + value=$(dmsetup table "$node" | cut -d " " -f4) + cipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f1) + blockcipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f2) + ivhash=$(echo "$value" | cut -d ":" -s -f2) + + if [ -n "$cipher" ]; then + echo "$cipher" + else + return 1 + fi + + if [ -n "$blockcipher" ] && [ "$blockcipher" != "plain" ]; then + echo "$blockcipher" + fi + + if [ -n "$ivhash" ] && [ "$ivhash" != "plain" ]; then + echo "$ivhash" + fi + return 0 +} + +canonical_device() { + local dev altdev original + dev="$1" + + altdev="${dev#LABEL=}" + if [ "$altdev" != "$dev" ]; then + dev="/dev/disk/by-label/$altdev" + fi + + altdev="${dev#UUID=}" + if [ "$altdev" != "$dev" ]; then + dev="/dev/disk/by-uuid/$altdev" + fi + + original="$dev" + if [ -h "$dev" ]; then + dev=$(readlink -e "$dev") + fi + + if [ "x${dev%/dev/dm-*}" = "x" ]; then + # try to detect corresponding symlink in /dev/mapper/ + for dmdev in /dev/mapper/*; do + if [ "$(readlink -e "$dmdev")" = "$dev" ]; then + dev="$dmdev" + fi + done + fi + + altdev="${dev#/dev/mapper/}" + if [ "$altdev" != "$dev" ]; then + echo "$altdev" + return 0 + elif [ "x${original%/dev/disk/by-*/*}" = "x" ]; then + # support crypttab UUID/LABEL entries + # this is a /dev/disk/by-*/ path so return just the 'basename' + echo "${original##/dev/disk/by-*/}" + return 0 + fi + + return 1 +} + +add_device() { + local node nodes opts lastopts i count + nodes="$1" + opts="" # Applied to all nodes + lastopts="" # Applied to last node + + if [ -z "$nodes" ]; then + return 0 + fi + + # Flag root device + if [ "$nodes" = "$rootdev" ]; then + if [ -z "$opts" ]; then + opts="rootdev" + else + opts="$opts,rootdev" + fi + fi + + # Check that it is a node under /dev/mapper/ + nodes=$(canonical_device "$nodes") || return 0 + + # Can we find this node in crypttab + if ! node_is_in_crypttab "$nodes"; then + # dm node but not in crypttab, is it a lvm device backed by dm-crypt nodes? + lvmnodes=$(get_lvm_deps "$nodes") || return 1 + + # not backed by any dm-crypt nodes; stop here + if [ -z "$lvmnodes" ]; then + return 0 + fi + + # It is a lvm device! + lastopts="lvm=$nodes" + nodes="$lvmnodes" + fi + + # Prepare to setup each node + count=$(echo "$nodes" | wc -w) + i=1 + for node in $nodes; do + # Prepare the additional options + if [ $i -eq $count ]; then + if [ -z "$opts" ]; then + opts="$lastopts" + elif [ -n "$lastopts" ]; then + opts="$opts,$lastopts" + fi + fi + + # Get crypttab root options + if ! get_device_opts "$node" "$opts"; then + continue + fi + echo "$OPTIONS" >> "$DESTDIR/conf/conf.d/cryptroot" + + # If we have a keyscript, make sure it is included + if [ -n "$KEYSCRIPT" ]; then + if [ ! -d "$DESTDIR/lib/cryptsetup/scripts" ]; then + mkdir -p "$DESTDIR/lib/cryptsetup/scripts" + fi + + if [ -e "/lib/cryptsetup/scripts/$KEYSCRIPT" ]; then + copy_exec "/lib/cryptsetup/scripts/$KEYSCRIPT" /lib/cryptsetup/scripts + elif [ -e "$KEYSCRIPT" ]; then + copy_exec "$KEYSCRIPT" /lib/cryptsetup/scripts + else + echo "cryptsetup: WARNING: failed to find keyscript $KEYSCRIPT" >&2 + continue + fi + fi + + # Calculate needed modules + modules=$(get_device_modules $node | sort | uniq) + if [ -z "$modules" ]; then + echo "cryptsetup: WARNING: failed to determine cipher modules to load for $node" >&2 + continue + fi + echo dm_mod + echo dm_crypt + echo "$modules" + + i=$(( $i + 1 )) + done + + return 0 +} + +add_crypto_modules() { + local mod file altmod found genericfound + mod="$1" + found="" + genericfound="" + + if [ -z "$mod" ]; then + return 1 + fi + + # We have several potential sources of modules (in order of preference): + # + # a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko + # b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko + # c) /lib/modules/$VERSION/kernel/crypto/$mod.ko + # + # and (currently ignored): + # + # d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko + + for file in $(find "$MODULESDIR/kernel/arch/" -name "$mod-*.ko"); do + altmod="${file##*/}" + altmod="${altmod%.ko}" + manual_add_modules "$altmod" + found="yes" + done + + for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}_generic.ko"); do + altmod="${file##*/}" + altmod="${altmod%.ko}" + manual_add_modules "$altmod" + found="yes" + genericfound="yes" + done + + if [ -z "$genericfound" ]; then + for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}.ko"); do + altmod="${file##*/}" + altmod="${altmod%.ko}" + manual_add_modules "$altmod" + found="yes" + done + fi + + if [ -z "$found" ]; then + return 1 + fi + + return 0 +} + +# +# Begin real processing +# + +setup="no" +rootdev="" +resumedevs="" + +# Find the root and resume device(s) +if [ -r /etc/crypttab ]; then + rootdev=$(get_root_device) + if [ -z "$rootdev" ]; then + echo "cryptsetup: WARNING: could not determine root device from /etc/fstab" >&2 + fi + resumedevs=$(get_resume_devices) +fi + +# Load the config opts and modules for each device +for dev in $rootdev $resumedevs; do + if ! modules=$(add_device "$dev"); then + echo "cryptsetup: FAILURE: could not determine configuration for $dev" >&2 + continue + fi + setup="yes" + + if [ "$MODULES" = "most" ]; then + archcrypto="$(find "$MODULESDIR/kernel/arch" -type d -name "crypto")" + if [ -n "$archcrypto" ]; then + copy_modules_dir "${archcrypto##*${MODULESDIR}/}" + fi + copy_modules_dir "kernel/crypto" + else + for mod in $modules; do + add_crypto_modules $mod + done + fi +done + +# With large initramfs, we always add a basic subset of modules +if [ "$MODULES" != "dep" ]; then + for mod in aes cbc chainiv cryptomgr krng sha256 xts; do + add_crypto_modules $mod + done +fi + +# See if we need to add the basic components +if [ "$MODULES" != "dep" ] || [ "$setup" = "yes" ]; then + for mod in dm_mod dm_crypt; do + manual_add_modules $mod + done + + copy_exec /sbin/cryptsetup + copy_exec /sbin/dmsetup + copy_exec /lib/cryptsetup/askpass +fi + +exit 0 --- cryptsetup-1.1.0~rc2.orig/debian/initramfs/cryptpassdev-hook +++ cryptsetup-1.1.0~rc2/debian/initramfs/cryptpassdev-hook @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# Hooks for adding filesystem modules to the initramfs when the passdev +# keyscript is used + +# Check whether the passdev script has been included +if [ ! -x "${DESTDIR}/lib/cryptsetup/scripts/passdev" ]; then + exit 0 +fi + +# The filesystem type of the removable device is probed at boot-time, so +# we add a generous list of filesystems to include. This also helps with +# recovery situation as including e.g. the vfat module might help a user +# who needs to create a new cryptkey (using a backup of a keyfile) on +# a windows-machine for example. + +# This list needs to be kept in sync with the one defined in passdev.c +for fs in ext4 ext3 ext2 vfat reiserfs xfs isofs udf; do + manual_add_modules "$fs" > /dev/null 2>&1 || true +done +exit 0 + --- cryptsetup-1.1.0~rc2.orig/debian/initramfs/cryptopenct-hook +++ cryptsetup-1.1.0~rc2/debian/initramfs/cryptopenct-hook @@ -0,0 +1,61 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# Hooks for loading smartcard reading software into the initramfs + +# Check whether cryptroot hook has installed decrypt_openct script +if [ ! -x ${DESTDIR}/lib/cryptsetup/scripts/decrypt_openct ] ; then + exit 0 +fi + +# Install cryptroot key files into initramfs +keys=$(sed 's/^\(.*,\|\)key=//; s/,.*//' ${DESTDIR}/conf/conf.d/cryptroot) + +if [ "${keys}" != "none" ] +then + if [ -z "${keys}" ] ; then + echo $0: Missing key files in ${DESTDIR}/conf/conf.d/cryptroot >&2 + cat ${DESTDIR}/conf/conf.d/cryptroot >&2 + exit 1 + fi + for key in ${keys} ; do + if [ ! -d ${DESTDIR}/$(dirname ${key}) ] ; then + mkdir -p ${DESTDIR}/$(dirname ${key}) + fi + cp ${key} ${DESTDIR}/${key} + done +fi + +# Install directories needed by smartcard reading daemon, command, and +# key-script +for dir in etc etc/init.d etc/udev/rules.d lib/udev usr/bin usr/sbin var/run/openct tmp ; do + if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi +done + +# Install openct tools, drivers, conf file +cp /etc/openct.conf ${DESTDIR}/etc/ +cp /etc/udev/rules.d/z60_openct.rules ${DESTDIR}/etc/udev/rules.d/ +cp /lib/udev/openct_pcmcia ${DESTDIR}/lib/udev/ +cp /lib/udev/openct_serial ${DESTDIR}/lib/udev/ +cp /lib/udev/openct_usb ${DESTDIR}/lib/udev/ +copy_exec /usr/bin/openct-tool +copy_exec /usr/bin/pkcs15-tool +copy_exec /usr/sbin/ifdhandler +copy_exec /usr/sbin/openct-control --- cryptsetup-1.1.0~rc2.orig/debian/initramfs/cryptopensc-script-local-bottom +++ cryptsetup-1.1.0~rc2/debian/initramfs/cryptopensc-script-local-bottom @@ -0,0 +1,30 @@ +#!/bin/sh + +set -e + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# Hook for stopping smartcard reading software + +if [ ! -e /sbin/pcscd ]; then + exit 0 +fi + +# Start pcscd daemon nomrally. If it was started in foregound, chances are +# it'll harmlessly complain about missing /var/run/pcscd* files due to the root +# filessytem being remounted. +start-stop-daemon --stop --quiet --pidfile /var/run/pcscd.pid --name pcscd --- cryptsetup-1.1.0~rc2.orig/debian/initramfs/cryptroot-script +++ cryptsetup-1.1.0~rc2/debian/initramfs/cryptroot-script @@ -0,0 +1,374 @@ +#!/bin/sh + +# +# Standard initramfs preamble +# +prereqs() +{ + # Make sure that cryptroot is run last in local-top + for req in $(dirname $0)/*; do + script=${req##*/} + if [ $script != cryptroot ]; then + echo $script + fi + done +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +# source for log_*_msg() functions, see LP: #272301 +. /scripts/functions + +# +# Helper functions +# +message() +{ + if [ -x /bin/plymouth ] && plymouth --ping; then + plymouth message --text="$@" + elif [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then + usplash_write "TEXT-URGENT $@" + else + echo "$@" >&2 + fi + return 0 +} + +udev_settle() +{ + # Wait for udev to be ready, see https://launchpad.net/bugs/85640 + if [ -x /sbin/udevadm ]; then + /sbin/udevadm settle --timeout=30 + elif [ -x /sbin/udevsettle ]; then + /sbin/udevsettle --timeout=30 + fi + return 0 +} + +parse_options() +{ + local cryptopts + cryptopts="$1" + + if [ -z "$cryptopts" ]; then + return 1 + fi + + # Defaults + cryptcipher=aes-cbc-essiv:sha256 + cryptsize=256 + crypthash=ripemd160 + crypttarget=cryptroot + cryptsource="" + cryptlvm="" + cryptkeyscript="" + cryptkey="" # This is only used as an argument to an eventual keyscript + crypttries=3 + cryptrootdev="" + CRYPTTAB_OPTIONS="" + + local IFS=" ," + for x in $cryptopts; do + case $x in + hash=*) + crypthash=${x#hash=} + ;; + size=*) + cryptsize=${x#size=} + ;; + cipher=*) + cryptcipher=${x#cipher=} + ;; + target=*) + crypttarget=${x#target=} + export CRYPTTAB_NAME="$crypttarget" + ;; + source=*) + cryptsource=${x#source=} + if [ ${cryptsource#UUID=} != $cryptsource ]; then + cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}" + elif [ ${cryptsource#LABEL=} != $cryptsource ]; then + cryptsource="/dev/disk/by-label/${cryptsource#LABEL=}" + fi + export CRYPTTAB_SOURCE="$cryptsource" + ;; + lvm=*) + cryptlvm=${x#lvm=} + ;; + keyscript=*) + cryptkeyscript=${x#keyscript=} + ;; + key=*) + if [ "${x#key=}" != "none" ]; then + cryptkey=${x#key=} + fi + export CRYPTTAB_KEY="$cryptkey" + ;; + tries=*) + crypttries="${x#tries=}" + case "$crypttries" in + *[![:digit:].]*) + crypttries=3 + ;; + esac + ;; + rootdev) + cryptrootdev="yes" + ;; + esac + PARAM="${x%=*}" + if [ "$PARAM" = "$x" ]; then + VALUE="yes" + else + VALUE="${x#*=}" + fi + CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM" + eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\"" + done + export CRYPTTAB_OPTIONS + + if [ -z "$cryptsource" ]; then + message "cryptsetup: source parameter missing" + return 1 + fi + return 0 +} + +activate_vg() +{ + local vg + vg="${1#/dev/mapper/}" + + # Sanity checks + if [ ! -x /sbin/lvm ]; then + message "cryptsetup: lvm is not available" + return 1 + elif [ "$vg" = "$1" ]; then + message "cryptsetup: lvm device name ($vg) does not begin with /dev/mapper/" + return 1 + fi + + # Make sure that the device contains at least one dash + if [ "${vg%%-*}" = "$vg" ]; then + message "cryptsetup: lvm device name ($vg) does not contain a dash" + return 1 + fi + + # Split volume group from logical volume. + vg=$(echo ${vg} | sed -e 's#\(.*\)\([^-]\)-[^-].*#\1\2#') + + # Reduce padded --'s to -'s + vg=$(echo ${vg} | sed -e 's#--#-#g') + + lvm vgchange -ay ${vg} + return $? +} + +activate_evms() +{ + local dev module + dev="${1#/dev/evms/}" + + # Sanity checks + if [ ! -x /sbin/evms_activate ] || [ "$dev" = "$1" ]; then + return 1 + fi + + # Load modules used by evms + for module in dm-mod linear raid0 raid1 raid10 raid5 raid6; do + modprobe -q $module + done + + # Activate it + /sbin/evms_activate + return $? +} + +setup_mapping() +{ + local opts count cryptcreate cryptremove NEWROOT + opts="$1" + + if [ -z "$opts" ]; then + return 0 + fi + + parse_options "$opts" || return 1 + + if [ -n "$cryptkeyscript" ] && [ ! -x "$cryptkeyscript" ]; then + message "cryptsetup: error - script \"$cryptkeyscript\" missing" + return 1 + fi + + # The same target can be specified multiple times + # e.g. root and resume lvs-on-lvm-on-crypto + if [ -e "/dev/mapper/$crypttarget" ]; then + return 0 + fi + + modprobe -q dm_crypt + + # Make sure the cryptsource device is available + if [ ! -e $cryptsource ]; then + activate_vg $cryptsource + activate_evms $cryptsource + fi + + # If the encrypted source device hasn't shown up yet, give it a + # little while to deal with removable devices + + # the following lines below have been taken from + # /usr/share/initramfs-tools/scripts/local, as suggested per + # https://launchpad.net/bugs/164044 + if [ ! -e "$cryptsource" ]; then + log_begin_msg "Waiting for encrypted source device..." + + # Default delay is 180s + if [ -z "${ROOTDELAY}" ]; then + slumber=180 + else + slumber=${ROOTDELAY} + fi + if [ -x /sbin/usplash_write ]; then + /sbin/usplash_write "TIMEOUT ${slumber}" || true + fi + + slumber=$(( ${slumber} * 10 )) + while [ ! -e "$cryptsource" ]; do + /bin/sleep 0.1 + slumber=$(( ${slumber} - 1 )) + [ ${slumber} -gt 0 ] || break + done + + if [ ${slumber} -gt 0 ]; then + log_end_msg 0 + else + log_end_msg 1 || true + fi + if [ -x /sbin/usplash_write ]; then + /sbin/usplash_write "TIMEOUT 15" || true + fi + fi + udev_settle + + # We've given up, but we'll let the user fix matters if they can + while [ ! -e "${cryptsource}" ]; do + echo " Check cryptopts=source= bootarg cat /proc/cmdline" + echo " or missing modules, devices: cat /proc/modules ls /dev" + panic -r "ALERT! ${cryptsource} does not exist. Dropping to a shell!" + done + + # Prepare commands + if /sbin/cryptsetup isLuks $cryptsource > /dev/null 2>&1; then + cryptcreate="/sbin/cryptsetup -T 1 luksOpen $cryptsource $crypttarget" + else + cryptcreate="/sbin/cryptsetup -T 1 -c $cryptcipher -s $cryptsize -h $crypthash create $crypttarget $cryptsource" + fi + cryptremove="/sbin/cryptsetup remove $crypttarget" + NEWROOT="/dev/mapper/$crypttarget" + + # Try to get a satisfactory password $crypttries times + count=0 + while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do + count=$(( $count + 1 )) + + if [ $count -gt 1 ]; then + /bin/sleep 3 + fi + + if [ $crypttries -gt 0 ] && [ $count -gt $crypttries ]; then + message "cryptsetup: maximum number of tries exceeded for $crypttarget" + return 1 + fi + + if [ -z "$cryptkeyscript" ]; then + cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: " + if [ -x /bin/plymouth ] && plymouth --ping; then + cryptkeyscript="plymouth ask-for-password --prompt" + cryptkey=$(echo -e "$cryptkey") + else + cryptkeyscript="/lib/cryptsetup/askpass" + fi + fi + + + if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \ + $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then + message "cryptsetup: cryptsetup failed, bad password or options?" + continue + fi + + if [ ! -e "$NEWROOT" ]; then + message "cryptsetup: unknown error setting up device mapping" + return 1 + fi + + FSTYPE='' + eval $(fstype < "$NEWROOT") + + # See if we need to setup lvm on the crypto device + if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then + if [ -z "$cryptlvm" ]; then + message "cryptsetup: lvm fs found but no lvm configured" + return 1 + elif ! activate_vg "/dev/mapper/$cryptlvm"; then + # disable error message, LP: #151532 + #message "cryptsetup: failed to setup lvm device" + return 1 + fi + + NEWROOT="/dev/mapper/$cryptlvm" + if [ "$cryptrootdev" = "yes" ]; then + # required for lilo to find the root device + echo "ROOT=$NEWROOT" >> /conf/param.conf + fi + eval $(fstype < "$NEWROOT") + fi + + if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then + message "cryptsetup: unknown fstype, bad password or options?" + udev_settle + $cryptremove + continue + fi + + message "cryptsetup: $crypttarget setup successfully" + break + done + + udev_settle + return 0 +} + +# +# Begin real processing +# + +# Do we have any kernel boot arguments? +found='' +for opt in $(cat /proc/cmdline); do + case $opt in + cryptopts=*) + found=yes + setup_mapping "${opt#cryptopts=}" + ;; + esac +done + +if [ -n "$found" ]; then + exit 0 +fi + +# Do we have any settings from the /conf/conf.d/cryptroot file? +if [ -r /conf/conf.d/cryptroot ]; then + while read mapping <&3; do + setup_mapping "$mapping" + done 3< /conf/conf.d/cryptroot +fi + +exit 0 --- cryptsetup-1.1.0~rc2.orig/debian/initramfs/cryptroot-conf +++ cryptsetup-1.1.0~rc2/debian/initramfs/cryptroot-conf @@ -0,0 +1,9 @@ +# This will setup non-us keyboards in early userspace, +# necessary for punching in passphrases. +KEYMAP=y + +# force busybox on initramfs +BUSYBOX=y + +# declare that we need usplash included in the initramfs, for pretty prompting +USPLASH=y --- cryptsetup-1.1.0~rc2.orig/debian/initramfs/cryptopensc-hook +++ cryptsetup-1.1.0~rc2/debian/initramfs/cryptopensc-hook @@ -0,0 +1,60 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# Hooks for loading smartcard reading software into the initramfs + +# Check whether cryptroot hook has installed decrypt_opensc script +if [ ! -x ${DESTDIR}/lib/cryptsetup/scripts/decrypt_opensc ] ; then + exit 0 +fi + +# Install cryptroot key files into initramfs +keys=$(sed 's/^\(.*,\|\)key=//; s/,.*//' ${DESTDIR}/conf/conf.d/cryptroot) + +if [ "${keys}" != "none" ]; then + if [ -z "${keys}" ]; then + echo $0: Missing key files in ${DESTDIR}/conf/conf.d/cryptroot >&2 + cat ${DESTDIR}/conf/conf.d/cryptroot >&2 + exit 1 + fi + for key in ${keys} ; do + if [ ! -d ${DESTDIR}/$(dirname ${key}) ] ; then + mkdir -p ${DESTDIR}/$(dirname ${key}) + fi + cp ${key} ${DESTDIR}/${key} + done +fi + +# Install directories needed by smartcard reading daemon, command, and +# key-script +for dir in etc/opensc usr/lib/pcsc var/run tmp ; do + if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi +done + +# Install pcscd daemon, drivers, conf file, and include libgcc as well since +# pcscd utilizes pthread_cancel +copy_exec /usr/sbin/pcscd +cp -r /usr/lib/pcsc ${DESTDIR}/usr/lib +cp /etc/reader.conf ${DESTDIR}/etc + +# Install opensc commands and conf file +copy_exec /usr/bin/opensc-tool +copy_exec /usr/bin/pkcs15-crypt +cp /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc --- cryptsetup-1.1.0~rc2.orig/debian/patches/series +++ cryptsetup-1.1.0~rc2/debian/patches/series @@ -0,0 +1 @@ +02_manpage.patch --- cryptsetup-1.1.0~rc2.orig/debian/patches/02_manpage.patch +++ cryptsetup-1.1.0~rc2/debian/patches/02_manpage.patch @@ -0,0 +1,33 @@ +Description: improve the cryptsetup manpage +Author: Jonas Meurer +Last-Update: 2009-09-26 + +--- a/man/cryptsetup.8 ++++ b/man/cryptsetup.8 +@@ -92,7 +92,7 @@ + .IP + dumps the header information of a LUKS partition. No options. + .PP +-\fIluksHeaderBackup\fR --header-backup-file ++\fIluksHeaderBackup\fR \-\-header-backup-file + .IP + Stores binary backup of LUKS header and keyslot areas. + +@@ -100,7 +100,7 @@ + + Also note that anti-forensic splitter is not used during manipulation with backup file. + .PP +-\fIluksHeaderRestore\fR --header-backup-file ++\fIluksHeaderRestore\fR \-\-header-backup-file + .IP + + Restores binary backup of LUKS header and keyslot areas from specified file. +@@ -208,7 +208,7 @@ + .SH NOTES ON SUPPORTED CIPHERS, MODES, HASHES AND KEY SIZES + The available combinations of ciphers, modes, hashes and key sizes depend on kernel support. See /proc/crypto for a list of available options. You might need to load additional kernel crypto modules in order to get more options. + +-For --hash option all algorithms supported by gcrypt library are available. ++For \-\-hash option all algorithms supported by gcrypt library are available. + .SH NOTES ON PASSWORDS + Mathematics can't be bribed. Make sure you keep your passwords safe. There are a few nice tricks for constructing a fallback, when suddenly out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords. + .SH AUTHORS --- cryptsetup-1.1.0~rc2.orig/debian/scripts/luksformat +++ cryptsetup-1.1.0~rc2/debian/scripts/luksformat @@ -0,0 +1,104 @@ +#!/usr/bin/perl -w + +# luksformat - wrapper around LUKS-capable cryptsetup and mkfs for easy +# creation of an encrypted device. +# +# (C) 2005 Canonical Ltd. +# Author: Martin Pitt +# License: GNU General Public License, v2 or any later +# (http://www.gnu.org/copyleft/gpl.html) + +use Getopt::Long; + +sub help() { + print "luksformat - Create and format an encrypted LUKS device +Usage: luksformat [-t ] \n"; + exit 1; +} + +# default file system +$fs = 'vfat'; +exit 1 unless GetOptions ('t|type=s' => \$fs); + +help() if $#ARGV != 0; + +if ($> != 0) { + print STDERR "This program needs to be started as root\n"; + exit 1; +} + +$device = $ARGV[0]; + +open(MOUNTS, "/proc/mounts"); +while () { + die "Error: device mounted: $device\n" if (/\Q$device\E/) +} + +if (-x "/sbin/mkfs.$fs") { + $mkfs = "/sbin/mkfs.$fs"; +} +elsif (-x "/usr/sbin/mkfs.$fs") { + $mkfs = "/usr/sbin/mkfs.$fs"; +} +else { + print STDERR "Error: invalid file system: $fs\n"; + exit 1; +} + +# generate temporary mapped device name which is not yet used +$name = ""; +for ($i = 1; $i < 100; $i++) { + if (! -e "/dev/mapper/luksformat$i") { + $name = "luksformat$i"; + last; + } +} + +$name or die "Error: could not generate temporary mapped device name"; + +# we do not need to be overly concerned with race conditions here, cryptsetup +# will just fail if the name already exists now. +print "Creating encrypted device on $device...\n"; +if ((system 'cryptsetup', 'luksFormat', '-s', '256', '--cipher', 'aes-cbc-essiv:sha256', $device)) { + die "Could not create LUKS device $device"; +} + +print "Please enter your passphrase again to verify it\n"; +if ((system 'cryptsetup', 'luksOpen', $device, $name) != 0) { + print STDERR "The passphrases you entered were not identical\n"; + exit 1; +} + +$result = system $mkfs, "/dev/mapper/$name"; +print "\n"; +system 'cryptsetup', 'luksClose', $name; + +die "Could not format device with file system $fs" if $result; + +__END__ + +=head1 NAME + +luksformat - Create and format an encrypted LUKS device + +=head1 SYNOPSIS + +B [B<-t> I] I + +=head1 DESCRIPTION + +B is a wrapper around B and B which provides an +easy interface for creating an encrypted device that follows the LUKS standard +and for putting a file system onto the encrypted device. + +The default file system is B since that is most commonly used on +removable devices. However, you can specify any available file system with the +B<-t> option. + +=head1 SEE ALSO + +L, L + +=head1 AUTHOR + +This program was written by Martin Pitt . --- cryptsetup-1.1.0~rc2.orig/debian/scripts/decrypt_ssl +++ cryptsetup-1.1.0~rc2/debian/scripts/decrypt_ssl @@ -0,0 +1,17 @@ +#!/bin/sh +# +# Script to decrypt the key which is encrypted with openssl. +# See /usr/share/doc/cryptsetup/examples/gen-ssl-key to create such a key. +# + +decrypt_ssl () { + echo "" >&2 + echo "Decrypting ssl key $1..." >&2 + if ! /usr/bin/openssl enc -aes-256-cbc -d -salt -in $1 2> /dev/null 2>&1; then + return 1 + fi + return 0 +} + +decrypt_ssl $1 +exit $? --- cryptsetup-1.1.0~rc2.orig/debian/scripts/cryptdisks_start +++ cryptsetup-1.1.0~rc2/debian/scripts/cryptdisks_start @@ -0,0 +1,46 @@ +#!/bin/sh + +# cryptdisks_start - wrapper around cryptsetup which parses +# /etc/crypttab, just like mount parses /etc/fstab. + +# Initial code and (c) 2007 Jon Dowland +# License: GNU General Public License, v2 or any later +# (http://www.gnu.org/copyleft/gpl.html) + +set -e + +if [ $# -lt 1 ]; then + echo "usage: $0 " >&2 + echo >&2 + echo "reads /etc/crypttab and starts the mapping corresponding to " >&2 + exit 1 +fi + +if [ -r /lib/cryptsetup/cryptdisks.functions ]; then + . /lib/cryptsetup/cryptdisks.functions +else + exit 0 +fi + +LOUD="yes" + +log_action_begin_msg "Starting crypto disk" +mount_fs + +count=0 +tablen="$(egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | /usr/bin/wc -l)" +egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do + count=$(( $count + 1 )) + if [ "$1" = "$dst" ]; then + ret=0 + handle_crypttab_line_start "$dst" "$src" "$key" "$opts" <&3 || ret=$? + elif [ $count -ge $tablen ]; then + ret=1 + device_msg "$1" "failed, not found in crypttab" + else + continue + fi + umount_fs + log_action_end_msg $ret + exit $ret +done 3<&1 --- cryptsetup-1.1.0~rc2.orig/debian/scripts/decrypt_openct +++ cryptsetup-1.1.0~rc2/debian/scripts/decrypt_openct @@ -0,0 +1,65 @@ +#!/bin/sh + +#check_reader() { +# readerfound=0 +# +# readertmp=$(/usr/bin/openct-tool list 2>&1) +# if [ $? = 0 ] ; then +# readerfound=1 +# fi +#} + +wait_reader() { +# check_reader + echo "Waiting for Smart Card reader..." >&2 + /usr/bin/openct-tool rwait >/dev/null 2>&1 + if [ $? != 0 ]; then + echo 'Failed to find Smart Card reader!' >&2 + fi +# if [ $readerfound = 0 ] ; then +# tries=0 +# while [ $readerfound == 0 -a $tries -lt 60 ] ; do +# echo "Waiting for Smart Card reader..." >&2 +# sleep 1 +# check_reader +# tries=$(($tries + 1)) +# done +# if [ $readerfound = 0 ] ; then +# echo 'Failed to find Smart Card reader!' >&2 +# exit 1 +# fi +# fi +} + +wait_card() { + echo "Waiting for Smart Card..." >&2 + /usr/bin/openct-tool wait >/dev/null 2>&1 + if [ $? != 0 ]; then + echo 'Failed to find Smart Card!' >&2 + fi +} + +/usr/sbin/openct-control init +wait_reader +wait_card + +# Due to a bug in openct, the --label does not work on data objects, means, +# all data objects have by default the label 'pkcs15-init', that's why we are +# setting the label manually if none is configured by the user. + +if [ -z "$1" ] || [ "$1" = "none" ] ; then + LABEL="pkcs15-init" +else + LABEL="$1" +fi + +if [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then + # Get pin number from usplash + /sbin/usplash_write "INPUTQUIET Enter pin for $crypttarget ($cryptsource): " + /usr/bin/pkcs15-tool --read-data-object $LABEL --pin "$(cat /dev/.initramfs/usplash_outfifo)" -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1 +else + # Interactive call, user enters pin + /usr/bin/pkcs15-tool --read-data-object $LABEL -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1 +fi + +exit $? --- cryptsetup-1.1.0~rc2.orig/debian/scripts/decrypt_derived +++ cryptsetup-1.1.0~rc2/debian/scripts/decrypt_derived @@ -0,0 +1,46 @@ +#!/bin/sh + +countlines() { + local IFS input count tmp + input="$1" + count=0 + IFS=' +' + for tmp in $input; do + count=$(( $count + 1 )) + done + echo $count +} + +if [ -z "$1" ]; then + echo "$0: must be executed with a crypto device as argument" >&2 + exit 1 +fi + +if ! device=$(dmsetup --showkeys table 2> /dev/null | grep "^$1:"); then + echo "$0: failed to find $1 in dmtable" >&2 + exit 1 +fi + +if [ -z "$device" ]; then + echo "$0: device $1 doesn't exist" >&2 + exit 1 +fi + +count=$(countlines "$device") +if [ $count -ne 1 ]; then + echo "$0: more than one device match $1" >&2 + exit 1 +fi + +eval set -- $device +type="$4" +key="$6" + +if [ "$type" != "crypt" ]; then + echo "$0: device $1 is not a crypto device" >&2 + exit 1 +fi + +echo -n "$key" +exit 0 --- cryptsetup-1.1.0~rc2.orig/debian/scripts/decrypt_gpg +++ cryptsetup-1.1.0~rc2/debian/scripts/decrypt_gpg @@ -0,0 +1,29 @@ +#!/bin/sh + +decrypt_gpg () { + local key tries rc + key="$1" + tries=0 + rc=1 + + echo "Performing GPG key decryption" >&2 + if /usr/bin/gpg -q --decrypt $key; then + return 0 + else + return 1 + fi +} + +echo "gpg decryption not implemented yet" >&2 +exit 1 + +if [ ! -x /usr/bin/gpg ]; then + exit 1 +fi + +if [ -z "$1" ]; then + exit 1 +fi + +decrypt_gpg "$1" +exit $? --- cryptsetup-1.1.0~rc2.orig/debian/scripts/decrypt_opensc +++ cryptsetup-1.1.0~rc2/debian/scripts/decrypt_opensc @@ -0,0 +1,47 @@ +#!/bin/sh + +# Why not use "openct-tool rwait" instead of polling opensc-tool exit status? +# Well openct daemon has to be running which interferes with pcscd since both +# implement reader drivers, my particular CCID reader (SCM SCR331-LC1) doesn't +# work with the CCID driver in openct, however it does work with pcscd. + +# Why not use "opensc-tool --wait" instead of polling opensc-tool exit status? +# Although opensc-tool --help reports that there is a --wait option, it doesn't +# seem to be implemented. + +check_card() { + cardfound=0 + + cardtmp=$(/usr/bin/opensc-tool -n 2>&1) + if [ $? = 0 ] ; then + cardfound=1 + fi +} + +wait_card() { + check_card + if [ $cardfound = 0 ] ; then + echo "Waiting for Smart Card..." >&2 + tries=0 + while [ $cardfound = 0 -a $tries -lt 60 ] ; do + sleep 1 + check_card + tries=$(($tries + 1)) + done + if [ $cardfound = 0 ] ; then + echo 'Failed to find Smart Card card!' >&2 + exit 1 + fi + fi +} + +wait_card +if [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then + # Get pin number from usplash + /sbin/usplash_write "INPUTQUIET Enter pin for $crypttarget ($cryptsource): " + /usr/bin/pkcs15-crypt --decipher --input $1 --pkcs1 --raw --pin "$(cat /dev/.initramfs/usplash_outfifo)" +else + # Get pin number from console + /usr/bin/pkcs15-crypt --decipher --input $1 --pkcs1 --raw < /dev/console 2> /dev/console +fi +exit $? --- cryptsetup-1.1.0~rc2.orig/debian/scripts/gen-ssl-key +++ cryptsetup-1.1.0~rc2/debian/scripts/gen-ssl-key @@ -0,0 +1,26 @@ +#!/bin/sh +# +# script to generate a keyfile that is encrypted with openssl +# +# Written 2005 by Markus Nass +# Improved 2006 by Jonas Meurer +# Further improved 2006 by Markus Nass + +usage() { + echo "Usage: $0 " + exit 1 +} + +if [ "$1" = "" -o "$1" = "-h" -o "$1" = "--help" ]; then + usage +fi + +if [ -x /usr/bin/openssl ]; then + key=`tempfile` + dd if=/dev/random of=$key bs=1c count=256 + openssl enc -aes-256-cbc -e -salt -in $key -out $1 + #rm -f $key; key="" + shred -uz $key; key="" +else + echo "/usr/bin/openssl is not available" && exit 1 +fi --- cryptsetup-1.1.0~rc2.orig/debian/scripts/cryptdisks_stop +++ cryptsetup-1.1.0~rc2/debian/scripts/cryptdisks_stop @@ -0,0 +1,45 @@ +#!/bin/sh + +# cryptdisks_stop - wrapper around cryptsetup which parses +# /etc/crypttab, just like mount parses /etc/fstab. + +# Initial code stolen from cryptdisks_start by Jon Dowland +# Copyright (C) 2008 by Jonas Meurer +# License: GNU General Public License, v2 or any later +# (http://www.gnu.org/copyleft/gpl.html) + +set -e + +if [ $# -lt 1 ]; then + echo "usage: $0 " >&2 + echo >&2 + echo "reads /etc/crypttab and stops the mapping corresponding to " >&2 + exit 1 +fi + +if [ -r /lib/cryptsetup/cryptdisks.functions ]; then + . /lib/cryptsetup/cryptdisks.functions +else + exit 0 +fi + +LOUD="yes" + +log_action_begin_msg "Stopping crypto disk" + +count=0 +tablen="$(egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | /usr/bin/wc -l)" +egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do + count=$(( $count + 1 )) + if [ "$1" = "$dst" ]; then + ret=0 + handle_crypttab_line_stop "$dst" "$src" "$key" "$opts" <&3 || ret=$? + elif [ $count -ge $tablen ]; then + ret=1 + device_msg "$1" "failed, not found in crypttab" + else + continue + fi + log_action_end_msg $ret + exit $ret +done 3<&1 --- cryptsetup-1.1.0~rc2.orig/debian/checks/blkid +++ cryptsetup-1.1.0~rc2/debian/checks/blkid @@ -0,0 +1,34 @@ +#!/bin/sh +# this script depends on /sbin/blkid from the util-linux package + +# usage: blkid +# may be any device that should be checked. +# if no is given, the check fails if no valid filesystem is found. +# if is given, the check fails when no filesystem type +# is found on the device. if is 'none', the check fails if any +# know filesystem is found. + +# note that the 'minix' fs is filtered out if checking for any valid fs, +# as it has been reported that this fs my be detected erroneously by blkid. + +if test ! -x "/sbin/blkid"; then + echo " - WARNING: blkid from util-linux is not available, impossible to run checks." + exit 0 +fi + +dev=$1 +fs=$2 + +blkid="$(/sbin/blkid -p $dev | sed -e 's/^.*TYPE="\(.*\)" USAGE.*$/\1/g')" + +# blkid output is empty if $dev has an unknown filesystem +if [ -z "$blkid" ] && [ -z "$fs" ]; then + echo " - The device $dev does not contain a known filesystem." + exit 1 +elif [ -n "$blkid" ] && [ "$blkid" != "minix" ] && [ "$fs" = "none" ]; then + echo " - The device $dev contains a valid filesystem type $blkid." + exit 1 +elif [ -n "$fs" ] && [ "$blkid" != "$fs" ]; then + echo " - The device $dev does not contain a filesystem type $fs." + exit 1 +fi --- cryptsetup-1.1.0~rc2.orig/debian/checks/un_vol_id +++ cryptsetup-1.1.0~rc2/debian/checks/un_vol_id @@ -0,0 +1,33 @@ +#!/bin/sh +# this script depends on /lib/udev/vol_id from the udev package + +# usage: un_vol_id +# may be any device that should be checked. +# if no is given, the check fails for any valid filesystem +# if is given, the check fails when a filesystem type +# is found on the device. + +# note that the 'minix' fs is filtered out if checking for any valid fs, +# as it has been reported that this fs my be detected erroneously by vol_id. + +if test ! -x "/lib/udev/vol_id"; then + echo " - WARNING: vol_id is not available, impossible to run checks." + exit 0 +fi + +dev=$1 +fs=$2 + +vol_id="$(/lib/udev/vol_id -t $dev 2>&1)" + +# vol_id output if $dev has an unknown filesystem +pattern="$(echo $dev | sed 's/\//\\\//g')" +unknown="$(/lib/udev/vol_id -t /dev/null 2>&1 | sed "s/\/dev\/null/$pattern/g")" + +if [ "$vol_id" != "$unknown" ] && [ "$vol_id" != "minix" ] && [ -z "$fs" ]; then + echo " - The device $dev contains a valid filesystem type $vol_id." + exit 1 +elif [ -n "$fs" ] && [ "$vol_id" = "$fs" ]; then + echo " - The device $dev contains a filesystem type $fs." + exit 1 +fi --- cryptsetup-1.1.0~rc2.orig/debian/checks/xfs +++ cryptsetup-1.1.0~rc2/debian/checks/xfs @@ -0,0 +1,12 @@ +#!/bin/sh +#thanks Martin Steigerwald + +PATH="/usr/sbin:/usr/bin:/sbin:/bin" + +ulimit -c 0 +if /usr/sbin/xfs_admin -l $1 2>/dev/null 1>&2; then + exit 0 +else + echo " - The device $1 does not contain a valid XFS filesystem." + exit 1 +fi --- cryptsetup-1.1.0~rc2.orig/debian/checks/vol_id +++ cryptsetup-1.1.0~rc2/debian/checks/vol_id @@ -0,0 +1,37 @@ +#!/bin/sh +# this script depends on /lib/udev/vol_id from the udev package + +# usage: vol_id +# may be any device that should be checked. +# if no is given, the check fails if no valid filesystem is found. +# if is given, the check fails when no filesystem type +# is found on the device. if is 'none', the check fails if any +# know filesystem is found. + +# note that the 'minix' fs is filtered out if checking for any valid fs, +# as it has been reported that this fs my be detected erroneously by vol_id. + +if test ! -x "/lib/udev/vol_id"; then + echo " - WARNING: vol_id is not available, impossible to run checks." + exit 0 +fi + +dev=$1 +fs=$2 + +vol_id="$(/lib/udev/vol_id -t $dev 2>&1)" + +# vol_id output if $dev has an unknown filesystem +pattern="$(echo $dev | sed 's/\//\\\//g')" +unknown="$(/lib/udev/vol_id -t /dev/null 2>&1 | sed "s/\/dev\/null/$pattern/g")" + +if [ "$vol_id" = "$unknown" ] && [ -z "$fs" ]; then + echo " - The device $dev does not contain a known filesystem." + exit 1 +elif [ "$vol_id" != "$unknown" ] && [ "$vol_id" != "minix" ] && [ "$fs" = "none" ]; then + echo " - The device $dev contains a valid filesystem type $vol_id." + exit 1 +elif [ -n "$fs" ] && [ "$vol_id" != "$fs" ]; then + echo " - The device $dev does not contain a filesystem type $fs." + exit 1 +fi --- cryptsetup-1.1.0~rc2.orig/debian/checks/ext2 +++ cryptsetup-1.1.0~rc2/debian/checks/ext2 @@ -0,0 +1,8 @@ +#!/bin/sh + +if /sbin/e2label $1 2>/dev/null 1>&2; then + exit 0 +else + echo " - The device $1 does not contain a valid EXT2 or EXT3 filesystem." + exit 1 +fi --- cryptsetup-1.1.0~rc2.orig/debian/checks/un_blkid +++ cryptsetup-1.1.0~rc2/debian/checks/un_blkid @@ -0,0 +1,30 @@ +#!/bin/sh +# this script depends on /sbin/blkid from the util-linux package + +# usage: un_blkid +# may be any device that should be checked. +# if no is given, the check fails for any valid filesystem +# if is given, the check fails when a filesystem type +# is found on the device. + +# note that the 'minix' fs is filtered out if checking for any valid fs, +# as it has been reported that this fs my be detected erroneously by blkid. + +if test ! -x "/sbin/blkid"; then + echo " - WARNING: blkid from util-linux is not available, impossible to run checks." + exit 0 +fi + +dev=$1 +fs=$2 + +blkid="$(/sbin/blkid -p $dev | sed -e 's/^.*TYPE="\(.*\)" USAGE.*$/\1/g')" + +# blkid output is empty if $dev has an unknown filesystem +if [ -n "$blkid" ] && [ "$blkid" != "minix" ] && [ -z "$fs" ]; then + echo " - The device $dev contains a valid filesystem type $blkid." + exit 1 +elif [ -n "$fs" ] && [ "$blkid" = "$fs" ]; then + echo " - The device $dev contains a filesystem type $fs." + exit 1 +fi --- cryptsetup-1.1.0~rc2.orig/debian/checks/swap +++ cryptsetup-1.1.0~rc2/debian/checks/swap @@ -0,0 +1,10 @@ +#!/bin/sh + +ulimit -c 0 +if dd if="$1" bs=4k count=1 2>/dev/null | grep -E '(SWAPSPACE2)|(SWAP_SPACE)' >/dev/null; then + exit 0 +else + echo " - The device $1 is not a valid SWAP partition." + exit 1 +fi +