Package: initramfs-tools
Severity: important
Subject: Inconsistent crypttab semantics between cryptsetup-initramfs and systemd-cryptsetup may silently break boot-critical LUKS setups
Description:
Systems using classic cryptsetup-initramfs/keyscript-based LUKS unlocking methods may end up in an inconsistent and potentially unbootable state after upgrading packages related to:
```
systemd
systemd-cryptsetup
initramfs-tools
cryptsetup-initramfs
```
during upgrades around 2026-05-16 on Debian 13.5 (Trixie).
Relevant upgraded package groups during the affected upgrade window included:
* systemd / systemd-cryptsetup related packages
* initramfs-tools related packages
* linux-image / kernel packages
* grub / bootloader related packages
The issue appeared after initramfs regeneration following upgrades around 2026-05-16.
This issue appears to involve interactions between:
- initramfs-tools
- cryptsetup-initramfs
- systemd-cryptsetup
The core issue is not that systemd-cryptsetup exists in parallel to cryptsetup-initramfs, but that the active initramfs generation and early userspace unlock implementation may silently change semantics while continuing to use the same /etc/crypttab configuration file.
In particular:
* /etc/crypttab options are interpreted differently depending on the active early userspace cryptsetup implementation
* unsupported boot-critical options are silently ignored instead of causing a hard failure
* no consistency validation exists between:
  * initramfs generation path
  * active early userspace cryptsetup implementation
  * supported crypttab options
  * installed cryptsetup-related packages
Observed behavior:
Classic initramfs-tools/cryptroot setups support:
```
keyscript=
```
but ignore:
```
fido2-device=
tpm2-device=
```
systemd-cryptsetup supports:
```
fido2-device=
tpm2-device=
```
but does not support:
```
keyscript=
```
A particularly problematic aspect is that:
* cryptsetup/libfido2 support may exist in normal userspace
* systemd-cryptsetup may be installed and operational in userspace
* but the generated initramfs still uses classic cryptroot/cryptsetup-initramfs
* while silently ignoring systemd-specific crypttab options after upgrades performed around 2026-05-16
This creates the misleading impression that FIDO2-based unlocking is supported during early boot, while the actual initramfs implementation does not contain:
* systemd-cryptsetup
* libfido2
* related FIDO2 integration hooks
At the same time, existing keyscript-based setups may stop functioning correctly if initramfs generation changes the active early boot unlock implementation while continuing to use the same crypttab configuration.
Example warning during initramfs generation:
```
cryptsetup: WARNING: sda5_crypt: ignoring unknown option 'fido2-device'
```
This warning is easy to overlook and does not clearly communicate that the generated initramfs does not support FIDO2 unlocking at boot.
This is especially problematic for:
* remote systems
* colocated servers
* encrypted root filesystems
* unattended upgrades
* power outage recovery scenarios
A failed unlock path in such scenarios can render systems remotely unbootable.
In my environment this issue resulted in multiple systems becoming temporarily non-bootable after initramfs regeneration because the expected unlock path no longer matched the actually generated early userspace implementation.
Recovery was only possible because external backup keys were available. However, diagnosing the issue and manually unlocking and repairing affected systems required significant time and effort.
Important technical observation:
The issue is not caused by systemd-cryptsetup itself.
The actual problem is that initramfs generation and early userspace integration may change during upgrades without ensuring feature parity or configuration compatibility between:
* cryptsetup-initramfs
* cryptroot
* systemd-cryptsetup
* crypttab semantics
* available initramfs hooks
Suggested improvements:
1. Add hard validation for incompatible crypttab options depending on the active initramfs stack.
2. Refuse initramfs generation when unsupported boot-critical crypttab options are present.
3. Explicitly document that:
  * fido2-device= requires a compatible systemd-based initramfs implementation
  * cryptsetup-initramfs/cryptroot currently ignore these options
  * installing systemd-cryptsetup alone does not provide FIDO2 support inside initramfs
  * additional manual initramfs integration is currently required to provide:
    - systemd-cryptsetup
    - libfido2
    - related FIDO2 hooks
4. Emit clear warnings when:
  * systemd-cryptsetup is installed
  * but the generated initramfs still uses classic cryptroot
  * or required FIDO2/systemd hooks are missing
5. Avoid silent fallback behavior for boot-critical encryption options.
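The validation asked for in points 1, 2 and 4 can be sketched as a pre-flight check that runs before the initramfs is built. The script below is an added example for this report, not code from initramfs-tools, cryptsetup-initramfs or systemd. It assumes two things, both marked in the comments: the option lists (taken from the report, deliberately minimal rather than the full option sets of either implementation) and the heuristic that the presence of the `cryptroot` hook means the classic unlock path will be used. The crypttab it checks is a constructed sample based on the one attached to this report.

```sh
#!/bin/sh
# Added example, not code from initramfs-tools, cryptsetup-initramfs or systemd:
# a pre-flight check for the crypttab/initramfs mismatch described in this report.
# Given the early-userspace unlock implementation the initramfs will actually
# contain ("cryptroot" = cryptsetup-initramfs, "systemd" = systemd-cryptsetup),
# it parses a crypttab and fails hard on boot-critical options that
# implementation does not support, instead of letting them be silently ignored.

# Assumption: minimal option lists taken from the report, not the complete
# option sets of either implementation.
CRYPTROOT_ONLY="keyscript"
SYSTEMD_ONLY="fido2-device tpm2-device"

# detect_impl HOOKDIR: heuristic (assumption). cryptsetup-initramfs ships the
# "cryptroot" hook (listed under "mkinitramfs hooks" in this report); if it is
# present, the generated initramfs will use the classic cryptroot unlock path.
detect_impl() {
    if [ -e "$1/cryptroot" ]; then echo cryptroot; else echo unknown; fi
}

# option_supported IMPL NAME: 0 if IMPL understands option NAME, 1 if not.
option_supported() {
    impl=$1; name=$2
    case "$impl" in
        cryptroot) unsupported=$SYSTEMD_ONLY ;;
        systemd)   unsupported=$CRYPTROOT_ONLY ;;
        *)         return 1 ;;   # unknown implementation: trust nothing
    esac
    for u in $unsupported; do
        [ "$u" = "$name" ] && return 1
    done
    return 0
}

# check_crypttab IMPL FILE: prints one ERROR line per unsupported option and
# returns 1 if any were found, so a hook can refuse to build the initramfs.
check_crypttab() {
    impl=$1; file=$2; rc=0
    while read -r target source keyfile options; do
        # skip blank lines and comments
        case "$target" in ''|"#"*) continue ;; esac
        # options are comma-separated, each "name" or "name=value"
        old_ifs=$IFS; IFS=,
        set -- $options
        IFS=$old_ifs
        for opt in "$@"; do
            if ! option_supported "$impl" "${opt%%=*}"; then
                echo "ERROR: $target: '$opt' is ignored by the $impl initramfs unlock path"
                rc=1
            fi
        done
    done < "$file"
    return $rc
}

# Constructed sample: the report's crypttab line (placeholder UUID kept) plus a
# keyscript-based entry to show the mismatch in the other direction.
SAMPLE_CRYPTTAB=$(mktemp)
trap 'rm -f "$SAMPLE_CRYPTTAB"' EXIT
cat > "$SAMPLE_CRYPTTAB" <<'EOF'
# root device
sda5_crypt UUID=$this_is_a_temp_UUID_replacement none luks,fido2-device=auto,discard,x-initrd.attach
data_crypt /dev/sdb1 none luks,keyscript=/usr/local/sbin/unlock-data
EOF

# Run the check against both possible unlock paths; each one rejects the
# entry that relies on the other implementation's option.
for candidate in cryptroot systemd; do
    if check_crypttab "$candidate" "$SAMPLE_CRYPTTAB"; then
        echo "$candidate: crypttab is consistent with this unlock path"
    else
        echo "$candidate: refusing to generate initramfs"
    fi
done
```

In a real deployment this would run as an early hook (or from a wrapper around update-initramfs) with the implementation argument coming from `detect_impl /usr/share/initramfs-tools/hooks` and the file being /etc/crypttab; a non-zero exit turns the current one-line "ignoring unknown option" warning into the hard failure the report asks for.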
Environment:
Debian 13 (Trixie)
initramfs-tools
cryptsetup-initramfs
systemd-cryptsetup
LUKS2
FIDO2 tokens (YubiKey / Nitrokey)
Relevant observation:
The following packages may coexist without guaranteeing compatible initramfs behavior:
```
cryptsetup-initramfs
systemd-cryptsetup
```
This can create misleading assumptions about supported crypttab features and actual early boot capabilities.
Additional relevant package groups observed during the affected upgrade sequence:
systemd related:
* systemd
* systemd-cryptsetup
* systemd-sysv
* systemd-container
* systemd-timesyncd
* libsystemd0
* libsystemd-shared
* libpam-systemd
* libnss-systemd
* udev
* libudev1
initramfs related:
* initramfs-tools
* initramfs-tools-core
* initramfs-tools-bin
* busybox
kernel / boot related:
* linux-image-amd64
* linux-image-6.12.88+deb13-amd64
* grub-*
Relevant package history:
* cryptsetup-initramfs was already installed on 2026-03-27
* systemd-cryptsetup was installed shortly afterwards
-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 74M May 17 00:29 /boot/initrd.img-6.12.86+deb13-amd64
-rw-r--r-- 1 root root 74M May 23 21:05 /boot/initrd.img-6.12.88+deb13-amd64
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-6.12.88+deb13-amd64 root=/dev/mapper/station--state-root ro quiet i8042.nomux i8042.nopnp
-- resume
RESUME=/dev/mapper/station--state-swap
-- /proc/filesystems
fuseblk
ext3
ext2
ext4
squashfs
vfat
-- lsmod
Module Size Used by
cmac 12288 1
nls_utf8 12288 4
cifs 1511424 2
cifs_arc4 12288 1 cifs
nls_ucs2_utils 8192 1 cifs
cifs_md4 12288 1 cifs
dns_resolver 12288 1 cifs
netfs 573440 1 cifs
nls_ascii 12288 0
nls_cp437 16384 0
vfat 24576 0
fat 102400 1 vfat
uas 32768 0
sr_mod 28672 0
cdrom 81920 1 sr_mod
usb_storage 94208 1 uas
snd_seq_dummy 12288 0
snd_hrtimer 12288 1
snd_seq 110592 7 snd_seq_dummy
snd_seq_device 16384 1 snd_seq
nft_chain_nat 12288 3
xt_MASQUERADE 16384 1
nf_nat 65536 2 nft_chain_nat,xt_MASQUERADE
nf_conntrack_netlink 61440 0
br_netfilter 36864 0
bridge 389120 1 br_netfilter
stp 12288 1 bridge
llc 16384 2 bridge,stp
xfrm_interface 28672 0
xfrm6_tunnel 16384 1 xfrm_interface
tunnel6 12288 2 xfrm_interface,xfrm6_tunnel
tunnel4 12288 1 xfrm_interface
xfrm_user 69632 3
xfrm_algo 16384 1 xfrm_user
overlay 217088 0
qrtr 57344 2
ip6t_REJECT 12288 1
nf_reject_ipv6 24576 1 ip6t_REJECT
xt_hl 12288 22
ip6t_rt 16384 3
ipt_REJECT 12288 1
nf_reject_ipv4 16384 1 ipt_REJECT
xt_LOG 16384 10
nf_log_syslog 24576 10
nft_limit 16384 13
xt_limit 12288 0
xt_addrtype 12288 6
xt_tcpudp 16384 60
xt_conntrack 12288 17
nf_conntrack 204800 4 xt_conntrack,nf_nat,nf_conntrack_netlink,xt_MASQUERADE
nf_defrag_ipv6 24576 1 nf_conntrack
nf_defrag_ipv4 12288 1 nf_conntrack
nft_compat 20480 121
nf_tables 380928 650 nft_compat,nft_chain_nat,nft_limit
libcrc32c 12288 3 nf_conntrack,nf_nat,nf_tables
binfmt_misc 28672 1
iwldvm 253952 0
intel_rapl_msr 20480 0
intel_rapl_common 53248 1 intel_rapl_msr
mac80211 1454080 1 iwldvm
x86_pkg_temp_thermal 16384 0
intel_powerclamp 16384 0
coretemp 16384 0
snd_hda_codec_hdmi 98304 1
kvm_intel 417792 0
snd_hda_codec_realtek 225280 1
snd_hda_codec_generic 114688 1 snd_hda_codec_realtek
snd_hda_scodec_component 20480 1 snd_hda_codec_realtek
libarc4 12288 1 mac80211
uvcvideo 155648 0
snd_hda_intel 61440 1
kvm 1396736 1 kvm_intel
videobuf2_vmalloc 20480 1 uvcvideo
snd_intel_dspcfg 40960 1 snd_hda_intel
snd_intel_sdw_acpi 16384 1 snd_intel_dspcfg
snd_hda_codec 217088 4 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec_realtek
uvc 12288 1 uvcvideo
iwlwifi 581632 1 iwldvm
videobuf2_memops 16384 1 videobuf2_vmalloc
videobuf2_v4l2 36864 1 uvcvideo
snd_hda_core 143360 5 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec,snd_hda_codec_realtek
snd_ctl_led 24576 0
videodev 368640 2 videobuf2_v4l2,uvcvideo
snd_hwdep 20480 1 snd_hda_codec
thinkpad_acpi 163840 0
snd_pcm 188416 4 snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec,snd_hda_core
irqbypass 12288 1 kvm
videobuf2_common 81920 4 videobuf2_vmalloc,videobuf2_v4l2,uvcvideo,videobuf2_memops
rapl 20480 0
nvram 16384 1 thinkpad_acpi
memconsole_coreboot 12288 0
sparse_keymap 12288 1 thinkpad_acpi
intel_cstate 20480 0
squashfs 86016 9
loop 45056 18
intel_uncore 266240 0
cfg80211 1404928 3 iwldvm,iwlwifi,mac80211
memconsole 12288 1 memconsole_coreboot
pcspkr 12288 0
at24 28672 0
mc 94208 4 videodev,videobuf2_v4l2,uvcvideo,videobuf2_common
snd_timer 53248 3 snd_seq,snd_hrtimer,snd_pcm
platform_profile 12288 1 thinkpad_acpi
mei_me 57344 0
snd 151552 16 snd_ctl_led,snd_hda_codec_generic,snd_seq,snd_seq_device,snd_hda_codec_hdmi,snd_hwdep,snd_hda_intel,snd_hda_codec,snd_hda_codec_realtek,snd_timer,thinkpad_acpi,snd_pcm
mei 188416 1 mei_me
soundcore 16384 2 snd_ctl_led,snd
rfkill 40960 3 thinkpad_acpi,cfg80211
joydev 24576 0
ac 16384 0
sg 45056 0
evdev 28672 22
firewire_sbp2 28672 0
parport_pc 40960 0
ppdev 24576 0
lp 20480 0
parport 81920 3 parport_pc,lp,ppdev
efi_pstore 12288 0
configfs 69632 1
nfnetlink 20480 5 nft_compat,nf_conntrack_netlink,nf_tables
ip_tables 28672 0
x_tables 53248 12 xt_conntrack,nft_compat,xt_LOG,xt_tcpudp,xt_addrtype,ip6t_rt,ipt_REJECT,ip_tables,xt_limit,xt_hl,xt_MASQUERADE,ip6t_REJECT
autofs4 57344 10
ext4 1146880 5
crc16 12288 1 ext4
mbcache 16384 1 ext4
jbd2 200704 1 ext4
crc32c_generic 12288 0
dm_crypt 65536 2
dm_mod 221184 20 dm_crypt
i915 4382720 86
hid_generic 12288 0
crct10dif_pclmul 12288 1
crc32_pclmul 12288 0
crc32c_intel 16384 9
ghash_clmulni_intel 16384 0
usbhid 77824 0
drm_buddy 28672 1 i915
sha512_ssse3 53248 1
iTCO_wdt 16384 0
hid 262144 2 usbhid,hid_generic
sd_mod 81920 3
sha256_ssse3 32768 1
intel_pmc_bxt 16384 1 iTCO_wdt
sdhci_pci 98304 0
iTCO_vendor_support 12288 1 iTCO_wdt
i2c_algo_bit 16384 1 i915
sha1_ssse3 32768 0
drm_display_helper 274432 1 i915
cqhci 32768 1 sdhci_pci
watchdog 49152 1 iTCO_wdt
ehci_pci 16384 0
psmouse 217088 0
sdhci 86016 1 sdhci_pci
ehci_hcd 110592 1 ehci_pci
firewire_ohci 65536 0
aesni_intel 122880 9
xhci_pci 24576 0
gf128mul 16384 1 aesni_intel
cec 69632 2 drm_display_helper,i915
ahci 49152 3
crypto_simd 16384 1 aesni_intel
xhci_hcd 364544 1 xhci_pci
firewire_core 245760 2 firewire_ohci,firewire_sbp2
libahci 61440 1 ahci
rc_core 73728 1 cec
ttm 106496 1 i915
i2c_i801 36864 0
cryptd 28672 6 crypto_simd,ghash_clmulni_intel
drm_kms_helper 253952 2 drm_display_helper,i915
libata 466944 2 libahci,ahci
mmc_core 253952 3 sdhci,cqhci,sdhci_pci
serio_raw 16384 0
i2c_smbus 16384 1 i2c_i801
battery 28672 1 thinkpad_acpi
crc_itu_t 12288 1 firewire_core
usbcore 409600 9 xhci_hcd,ehci_pci,usbhid,usb_storage,uvcvideo,ehci_hcd,xhci_pci,uas
e1000e 368640 0
drm 774144 25 drm_kms_helper,drm_display_helper,drm_buddy,thinkpad_acpi,i915,ttm
scsi_mod 327680 7 sd_mod,usb_storage,firewire_sbp2,uas,libata,sg,sr_mod
video 81920 2 thinkpad_acpi,i915
wmi 28672 1 video
button 24576 0
fan 24576 0
usb_common 16384 4 xhci_hcd,usbcore,uvcvideo,ehci_hcd
scsi_common 16384 8 scsi_mod,sd_mod,usb_storage,firewire_sbp2,uas,libata,sg,sr_mod
lpc_ich 28672 0
-- /etc/initramfs-tools/modules
-- /etc/kernel-img.conf
# Kernel image management overrides
# See kernel-img.conf(5) for details
do_symlinks = yes
do_bootloader = no
do_initrd = yes
link_in_boot = no
-- /etc/initramfs-tools/initramfs.conf
MODULES=most
BUSYBOX=auto
KEYMAP=n
COMPRESS=zstd
DEVICE=
NFSROOT=auto
RUNSIZE=10%
FSTYPE=auto
-- /etc/initramfs-tools/update-initramfs.conf
update_initramfs=yes
backup_initramfs=no
-- /etc/crypttab
# root device
sda5_crypt UUID=$this_is_a_temp_UUID_replacement none luks,fido2-device=auto,discard,x-initrd.attach
-- mkinitramfs hooks
/etc/initramfs-tools/hooks/:
/usr/share/initramfs-tools/hooks:
cryptgnupg
cryptgnupg-sc
cryptkeyctl
cryptopensc
cryptpassdev
cryptroot
cryptroot-unlock
dmsetup
fsck
fuse
intel_microcode
iscsi
keymap
klibc-utils
kmod
lvm2
ntfs_3g
plymouth
resume
thermal
udev
yubikey-luks
zz-busybox
-- System Information:
Debian Release: 13.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.88+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages initramfs-tools depends on:
ii initramfs-tools-core 0.148.4
ii linux-base 4.12.1
initramfs-tools recommends no packages.
Versions of packages initramfs-tools suggests:
ii bash-completion 1:2.16.0-7
-- no debconf information