> Good, then this is "just" a documentation issue. The defaults in the
> initramfs scripts are unfortunately different from those of the plain
> cryptsetup binary, so the hash=ripemd160 line should be included in the
> /etc/crypttab setup.

Hmm... That feels a bit ugly IMHO. Having different defaults could lead to future bugs. And a line in the documentation wouldn't prevent lusers who don't read docs too well from just trying it.

> Changing the defaults is not a good solution since that would break the
> setup for others,

Are you sure? To break an existing setup, it seems the user would need a mapping that depends on sha256 as the default hash (in initramfs). But such a mapping cannot exist, unless the user specifically creates the mapping manually with sha256 and forgets to add the hash spec to /etc/crypttab. That is a user error, which would moreover bite the user whenever s/he tried to activate the partition with /etc/init.d/cryptdisks - something that the user is very likely to have tried already. It should suffice to tell the user to fix it in a NEWS entry or debconf notice.

So it seems it would work if we fix the initramfs scripts, and run update-initramfs in postinst.
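
An added example, not part of the original message or of the cryptsetup package: a small audit that lists crypttab entries whose passphrase hash is left to whichever default the activating script applies, which is the situation discussed in this thread. It assumes the four-column layout (target, source device, key file, options), treats an entry without the `luks` option as a plain mapping, and only looks at passphrase entries (key file `none`); the function names and the sample entries are constructed.

```shell
#!/bin/sh
# Constructed audit helper (hypothetical names, not shipped with cryptsetup).
# Prints the target name of every crypttab entry that:
#   - is keyed by an interactive passphrase (key file field "none"),
#   - is not marked "luks" (assumed here to mean a plain dm-crypt mapping),
#   - has no explicit hash= option, so the passphrase hash depends on the
#     default of whatever activates the mapping.
crypttab_missing_hash() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            target = $1
            keyfile = $3
            opts = (NF >= 4) ? $4 : ""
            n = split(opts, o, ",")
            luks = 0; hash = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "luks") luks = 1
                if (o[i] ~ /^hash=./) hash = 1
            }
            if (keyfile == "none" && !luks && !hash) print target
        }
    ' "$1"
}

# Constructed sample input: device names and targets are placeholders.
sample_crypttab() {
    cat <<'EOF'
# <target> <source device> <key file> <options>
cryptroot  /dev/sda2  none          luks
cdata      /dev/sda3  none          cipher=aes-cbc-essiv:sha256,hash=ripemd160
cold       /dev/sda4  none          cipher=aes-cbc-essiv:sha256
cswap      /dev/sda5  /dev/urandom  swap
EOF
}

# Stand-alone use: pass the crypttab path as the first argument.
if [ "$#" -gt 0 ]; then
    crypttab_missing_hash "$1"
fi
```

On the sample input only `cold` is reported; adding an explicit `hash=` option to such an entry makes it independent of either default.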

