Your message dated Sun, 21 May 2006 07:26:08 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#358452: fixed in cryptsetup 2:1.0.3-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: cryptsetup
Version: 2:1.0.2+1.0.3-rc3-1
Severity: wishlist

Hi,

in order to support encrypted root partitions from an initramfs, it would 
be good if the cryptsetup package could be adapted to install the two 
files attached in this mail (my debian packaging skills are not up to 
par here, so I'll leave that as an exercise to the reader):

croot3-hooks-cryptroot: in /etc/mkinitramfs/hooks/cryptroot
croot3-scripts-local-premount-cryptroot: in 
/etc/mkinitramfs/scripts/local-premount/cryptroot

The cryptroot works in two different ways depending on whether the root 
partition is a luks partition or not.


o With LUKS
-----------
The kernel only needs to be booted with root=/dev/path/to/luks-partition


o Without LUKS
--------------
The kernel should be booted with root=/dev/path/to/partition and 
cryptopts=OPTIONS.

OPTIONS can be cipher, size, hash and cryptnode. The first three should 
be self-explanatory, while cryptnode is the name of the cryptnode to 
setup (i.e. /dev/mapper/something).


o Additionally
--------------
The cryptnode option is also honoured with a luks partition.

An example of cryptopts would be:
cryptopts=cipher=aes-cbc-essiv:sha256,size=256,hash=plain

These options can also be set by creating 
/etc/mkinitramfs/conf.d/cryptroot with the CRYPTOPTS variable (it will 
be sourced by the relevant scripts, so something like 
CRYPTOPTS="cipher=aes-cbc-essiv:sha256,size=256,hash=plain").

Oh, and if the user wants some more esoteric way of getting the key, a 
script can be placed in /etc/mkinitramfs/cryptgetpw which outputs the 
key on stdout (which allows e.g. usb-key based keys with a suitable 
script).

This functionality depends on bug 348147 being fixed first.


Regards,
David

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions

copy_exec /sbin/cryptsetup /sbin
copy_exec /sbin/dmsetup /sbin
[ -x "/etc/mkinitramfs/cryptgetpw" ] && copy_exec /etc/mkinitramfs/cryptgetpw /sbin

exit 0

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
        prereqs
        exit 0
        ;;
esac

# Do we have any settings from the /conf/conf.d/cryptroot file?
[ -r /conf/conf.d/cryptroot ] && . /conf/conf.d/cryptroot
cryptopts="${CRYPTOPTS}"

# Does the kernel boot command line override them?
for x in $(cat /proc/cmdline); do
        case $x in
        cryptopts=*)
                cryptopts=${x#cryptopts=}
                ;;
        esac
done

# Sanity checks
if [ "$FSTYPE" != "luks" -a -z "$cryptopts" ]; then
        # Apparently the root partition isn't encrypted
        echo "No cryptoroot configured or detected"
        exit 0
fi

# There are two possible scenarios here:
#
# 1) The fstype of the root device has been identified as "luks"
# 2) The fstype is not "luks" but cryptopts has been set
#
# The former means that we use the luks functionality of cryptsetup, the
# latter means that we do it the old-fashioned way.

# Start by parsing some options, all options are relevant to regular cryptsetup
# but only cryptnode is relevant to luks which picks up the rest of the 
# parameters by reading the partition header
cryptcipher=aes-cbc-essiv:sha256
cryptsize=256
crypthash=sha256
cryptnode=cryptroot
if [ -n "$cryptopts" ]; then
        IFS=" ,"
        for x in $cryptopts; do
                case $x in
                hash=*)
                        crypthash=${x#hash=}
                        ;;
                size=*)
                        cryptsize=${x#size=}
                        ;;
                cipher=*)
                        cryptcipher=${x#cipher=}
                        ;;
                node=*)
                        cryptnode=${x#node=}
                        ;;
                esac
        done
        unset IFS
fi
NEWROOT="/dev/mapper/$cryptnode"

# Check which cryptosolution we want
if [ "$FSTYPE" = "luks" ]; then
        # 1) The fstype of the root device has been identified as "luks"
        cryptcreate="/sbin/cryptsetup luksOpen $ROOT $cryptnode"
        cryptremove=""
else
        # 2) The fstype is not "luks" but cryptopts has been set
        cryptcreate="/sbin/cryptsetup -c $cryptcipher -s $cryptsize -h $crypthash create $cryptnode $ROOT"
        cryptremove="/sbin/cryptsetup remove $cryptnode"
fi

# Loop until we have a satisfactory password
while [ 1 ]; do
        if [ -x "/sbin/cryptgetpw" ]; then
                /sbin/cryptgetpw | $cryptcreate
        else
                $cryptcreate
        fi

        if [ $? -eq 0 ]; then
                fstype < "$NEWROOT" > /dev/.initramfs/source.me
                . /dev/.initramfs/source.me
                if [ "$FSTYPE" != "unknown" ]; then
                        break
                fi
        fi

        echo "$0: cryptsetup failed or fstype not recognized, bad password or options?"
        $cryptremove
        sleep 3
done

# init can now pick up new FSTYPE, FSSIZE and ROOT
echo "ROOT=\"$NEWROOT\"" >> /dev/.initramfs/source.me

exit 0

--- End Message ---
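
Added example, not part of the original report or of the cryptsetup package: the local-premount script above takes its option values from the kernel command line and expands them unquoted into a cryptsetup invocation and a /dev/mapper path, so this sketch validates them first. The function name parse_cryptopts and the allowlist patterns are assumptions made for illustration; it accepts both the node= key the script matches and the cryptnode= key the description names.

```shell
#!/bin/sh
# Illustrative only: parse a cryptopts string and validate every value
# before it is used to build a cryptsetup command line.
# parse_cryptopts and its patterns are hypothetical, not from the package.

parse_cryptopts() {
    # Defaults mirror the ones in the local-premount script.
    cryptcipher=aes-cbc-essiv:sha256
    cryptsize=256
    crypthash=sha256
    cryptnode=cryptroot
    _bad=0

    IFS=" ,"
    set -f          # unquoted splitting must not glob-expand e.g. "node=*"
    for _opt in $1; do
        _val=${_opt#*=}
        case $_opt in
        cipher=*)           cryptcipher=$_val ;;
        size=*)             cryptsize=$_val ;;
        hash=*)             crypthash=$_val ;;
        node=*|cryptnode=*) cryptnode=$_val ;;
        *)                  echo "unknown cryptopts entry: $_opt" >&2; _bad=1 ;;
        esac
    done
    set +f
    unset IFS
    [ "$_bad" -eq 0 ] || return 1

    # Allowlists: reject empty values and any character outside the
    # alphabet a cipher spec, hash name or key size can contain.
    case $cryptcipher in ""|*[!A-Za-z0-9:_-]*) return 1 ;; esac
    case $crypthash   in ""|*[!A-Za-z0-9_-]*)  return 1 ;; esac
    case $cryptsize   in ""|*[!0-9]*)          return 1 ;; esac
    # The node name becomes /dev/mapper/$cryptnode: no slashes, no "." or "..".
    case $cryptnode   in ""|.|..|*[!A-Za-z0-9._-]*) return 1 ;; esac
    return 0
}
```

A caller would run parse_cryptopts "$cryptopts" and refuse to build the cryptsetup command when it returns non-zero.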
--- Begin Message ---
Source: cryptsetup
Source-Version: 2:1.0.3-1

We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive:

cryptsetup-udeb_1.0.3-1_amd64.udeb
  to pool/main/c/cryptsetup/cryptsetup-udeb_1.0.3-1_amd64.udeb
cryptsetup_1.0.3-1.diff.gz
  to pool/main/c/cryptsetup/cryptsetup_1.0.3-1.diff.gz
cryptsetup_1.0.3-1.dsc
  to pool/main/c/cryptsetup/cryptsetup_1.0.3-1.dsc
cryptsetup_1.0.3-1_amd64.deb
  to pool/main/c/cryptsetup/cryptsetup_1.0.3-1_amd64.deb
cryptsetup_1.0.3.orig.tar.gz
  to pool/main/c/cryptsetup/cryptsetup_1.0.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <[EMAIL PROTECTED]> (supplier of updated cryptsetup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 13 May 2006 19:45:08 +0200
Source: cryptsetup
Binary: cryptsetup cryptsetup-udeb
Architecture: source amd64
Version: 2:1.0.3-1
Distribution: unstable
Urgency: low
Maintainer: Jonas Meurer <[EMAIL PROTECTED]>
Changed-By: Jonas Meurer <[EMAIL PROTECTED]>
Description: 
 cryptsetup - configures encrypted block devices
 cryptsetup-udeb - configures encrypted block devices (udeb)
Closes: 358386 358388 358422 358452 359277 362564 363007 364153 364203 364529 365333 365633
Changes: 
 cryptsetup (2:1.0.3-1) unstable; urgency=low
 .
   [ Jonas Meurer ]
   * new upstream release, 1.0.3 final
     - Add alignPayload patch by Peter Palfrader (closes: #358388)
     - meaningful exitcodes and password retrying by Johannes Weißl
       (closes: #359277)
   * add 01_terminal_timeout.dpatch from Andres Salomon <[EMAIL PROTECTED]>.
     - gets rid of getpass(), which is obsolete according to manpage
     - restores the terminal state before doing the timeout (closes: #364153)
   * add 02_docs_tries.dpatch, to describe --tries in the cryptsetup manpage.
   * add 03_stdin_input.dpatch from David Härdeman <[EMAIL PROTECTED]>,
     fixes input from stdin, accepts input with more than 32 characters
     (closes: #364529, #365333)
   * add 04_status_exit_codes.dpatch from David Härdeman <[EMAIL PROTECTED]>,
     fixes the exit codes of 'cryptsetup status'
   * provide a cryptsetup-udeb package (closes: #358422)
   * remove debian/luksformat.8 in clean target (closes: #358386)
   * fix update-rc.d arguments to start cryptdisks in rc0 and rc6.
     it is not really started [but stopped], but still the links need to be
     named S48cryptdisks. otherwise it will be invoked before umountfs.
   * add initramfs cryptroot functionality, thanks to David Härdeman
     <[EMAIL PROTECTED]> for the patch (closes: #358452)
   * rename /lib/cryptsetup/init_functions to cryptdisks.functions
   * move most of /etc/init.d/cryptdisks to cryptdisks.functions.
     /etc/init.d/cryptdisks now does not much more than importing
     cryptdisks.functions. required for running two separate cryptdisks
     initscripts.
   * split the cryptdisks initscript into cryptdisks-early and cryptdisks.
     actually both scripts do the same except having slightly different output.
     the early script is run before lvm/evms/... are started, and the other one
     after they are started. (closes: #363007)
   * add support for mount to cryptdisks. this makes it possible to use
     keyfiles from removable media. see the crypttab.5 manpage for more
     information.
   * use upstream cryptsetup tries option instead of the shell code in
     cryptdisks. rename cryptdisks 'retry' option to 'tries'.
   * document the fact, that the default settings in /etc/default/cryptdisks
     take only effect if the relevant option is set without a value in
     crypttab. add the environment section to crypttab.5.txt (closes: #364203)
   * update the TODO list.
   * update crypdisks.default
   * run do_swap and do_tmp. Thanks to Riku Voipio <[EMAIL PROTECTED]>
     (closes: #365633)
   * bump Standards-Version to 3.7.2.0, no changes needed
 .
   [ David Härdeman ]
   * add lvm capabilities to initramfs scripts (closes: #362564)
   * add cryptsetup.postinst which executes update-initramfs when
     cryptsetup is first installed (not on upgrades)
Files: 
 183b038ce477656952988130a2eb09cc 813 admin optional cryptsetup_1.0.3-1.dsc
 7fbb5a7684c572b1e1ce154aee1ddd86 422578 admin optional 
cryptsetup_1.0.3.orig.tar.gz
 59c6a0940ec637773e194c2bcb9f38d0 36164 admin optional 
cryptsetup_1.0.3-1.diff.gz
 0891808596ec175f0661d59ca955c263 245486 admin optional 
cryptsetup_1.0.3-1_amd64.deb
 9845613a7cba974a30cf1d7f6a1b1d84 182546 debian-installer optional 
cryptsetup-udeb_1.0.3-1_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEaJ9wd6lUs+JfIQIRAjOcAJ9yqMlTOJ8I4D7+zdIc9W4s/7NciQCfe9ND
yJMAjoaRQ52SL+jzqv8wlhs=
=kLdv
-----END PGP SIGNATURE-----


--- End Message ---
