Change logs for cryptsetup source package in Bionic

  • cryptsetup (2:2.0.2-1ubuntu1.2) bionic; urgency=medium
    
      * Introduce retry logic for external invocations after mdadm (LP: #1879980)
        - Currently, if an encrypted rootfs is configured on top of a MD RAID1
          array and such array gets degraded (e.g., a member is removed/failed)
          the cryptsetup scripts cannot mount the rootfs, and the boot fails.
          We fix that issue here by allowing the cryptroot script to be re-run
          by initramfs-tools/local-block stage, as mdadm can activate degraded
          arrays at that stage.
          There is an initramfs-tools counterpart for this fix, but alone the
          cryptsetup portion is harmless.
        - d/i/cryptroot-script: set files used by cryptsetup/initramfs-tools
          (flag that local-block is running and external invocation counter);
          change logic from just wait 180 seconds / activating LVM every 10
          seconds to waiting 5 seconds first, then allowing initramfs-tools
          to run mdadm (to activate degraded arrays) and call back at least
          30 times/seconds more / activating LVM every 1 second.
        - d/i/cryptroot-script-block: set flag that local-block is running.
        - d/i/cryptroot-script-bottom: clean up the flag and counter files.
        - d/rules: ship the new local-bottom script.
    
     -- <email address hidden> (Guilherme G. Piccoli)  Mon, 03 Aug 2020 18:28:48 -0300
  • cryptsetup (2:2.0.2-1ubuntu1.1) bionic-proposed; urgency=medium
    
      * SRU
      * Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
        compatibility. LP: #1651818
    
     -- Matthias Klose <email address hidden>  Thu, 23 Aug 2018 16:36:42 +0200
  • cryptsetup (2:2.0.2-1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.
        - bugfix upstream release, which solves problems with luks2 format
          disks not unlocking.  LP: #1755322.
      * Remaining changes:
        - debian/control:
          + Depend on plymouth.
          + Invert the "busybox | busybox-static" Recommends, as the latter
            is the one we ship in main as part of the ubuntu-standard task.
          + Drop explicit libgcrypt20 dependency from libcryptsetup4.
        - Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
        - Drop c99 std, as the default is now higher than that
        - Drop upstart system jobs.
        - Add maintscript to drop removed upstart system jobs.
          - debian has its own now, but we have different version numbers.
            this delta can be dropped after 18.04 release.
        - Drop the CRYPTSETUP variable warning from the initramfs hook, as
          overlayroot package ships a dropin in conf-hooks.d triggering false
          warnings.
      * Dropped changes:
        - debian/cryptdisks{,-udev}.maintscript: drop, there is no package named
          'cryptdisks' or 'cryptdisks-udev'.
    
    cryptsetup (2:2.0.2-1) unstable; urgency=low
    
      * New upstream release 2.0.2
      * debian/initramfs/cryptroot-hook: copy libgcc_s.so.1 to the initrd, as
        libargon2 (used by LUKS2 devices) uses pthread_cancel.  (Closes: #890798.)
      * debian/initramfs/cryptroot-script: create locking directory at initramfs
        stage, before running the cryptsetup binary, which would create it
        automatically but also spew a warning.
      * debian/patches/Fix-loopaesOpen-for-keyfile-on-standard-input.patch:
        removed as it was cherry-picked from upstream and included in 2.0.2.
      * debian/libcryptsetup12.symbols: update with new crypt_token_is_assigned()
        API function.
    
    cryptsetup (2:2.0.1-1) unstable; urgency=low
    
      * New upstream release 2.0.1:
        - Use /run/cryptsetup as default for cryptsetup locking dir.
        - Add missing symbols for new functions to debian/libcryptsetup12.symbols.
      * debian/copyright: update copyright years.
      * debian/patches: backport upstream's 8728ba08 to fix opening of loop-AES
        devices using --key-file=-.  (Closes: #888162.)
      * debian/rules: replace `autoreconf -f -i` with `dh_autoreconf` and add
        `dh_autoreconf_clean` to the "clean:" target.  This bumps the minimum
        debhelper version to 9.20160403~ in Build-Depends. (Closes: #888742.)
    
     -- Steve Langasek <email address hidden>  Fri, 06 Apr 2018 10:23:53 -0700
  • cryptsetup (2:2.0.1-0ubuntu2) bionic; urgency=medium
    
      * Drop the CRYPTSETUP variable warning from the initramfs hook, as
        overlayroot package ships a dropin in conf-hooks.d triggering false
        warnings.
    
     -- Dimitri John Ledkov <email address hidden>  Thu, 22 Feb 2018 14:49:16 +0000
  • cryptsetup (2:2.0.1-0ubuntu1) bionic; urgency=medium
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/control:
          + Depend on plymouth.
          + Invert the "busybox | busybox-static" Recommends, as the latter
            is the one we ship in main as part of the ubuntu-standard task.
          + Drop explicit libgcrypt20 dependency from libcryptsetup4.
        - Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
        - Drop c99 std, as the default is now higher than that
        - Drop upstart system jobs.
        - Add maintscript to drop removed upstart system jobs.
          - debian has its own now, but we have different version numbers
      * New upstream release
      * Cherry-pick Guilhem Moulin's changes below from Debian git
    
      [ Guilhem Moulin ]
      * New upstream release 2.0.1:
        - Use /run/cryptsetup as default for cryptsetup locking dir.
        - Add missing symbols for new functions to debian/libcryptsetup12.symbols.
      * debian/copyright: update copyright years.
      * debian/patches: backport upstream's 8728ba08 to fix opening of loop-AES
        devices using --key-file=-.  (Closes: #888162.)
    
    cryptsetup (2:2.0.0-1) unstable; urgency=low
    
      [ Guilhem Moulin ]
      * cryptsetup-bin: Install /usr/lib/tmpfiles.d/cryptsetup.conf to create the
        LUKS2 locking directory /run/lock/cryptsetup.  For sysVinit, this is taken
        care of by the cryptdisks-early init file.
      * Remove debian/patches/Use-system-libargon2.patch (applied upstream).
      * debian/README.{source,gbp.conf}: Upgrade to latest upstream conventions.
      * debian/control: Bump Standards-Version to 4.1.3 (remove verbatim copy of
        CC0-1.0 license from debian/copyright).
      * debian/rules: Fix symlink target of libcryptsetup.so in libcryptsetup-dev
        package.  Thanks to Alan Fung for the report and patch.  (Closes: #885435.)
      * debian/initramfs/cryptroot-{hook,script}: Add support for 'skip' and
        'offset' crypttab(5) options in the initramfs script.  Thanks to Pascal
        Liehne for the report and patch.  (Closes: #872342.)
    
      [ Jonas Meurer ]
      * debian/initramfs/cryptopensc-*: Install required libs and config files for
        pcscd and use correct path to pcscd. Thanks to Martijn van de Streek for
        bugreport and patch. (Closes: #880750)
    
    cryptsetup (2:2.0.0~rc1-1) experimental; urgency=low
    
      * debian/rules: Compile with --enable-libargon2 to use system libargon2
        instead of bundled version.
      * debian/control: Bump Standards-Version to 4.1.1 (no changes necessary).
      * debian/copyright: Update licensing information.
    
    cryptsetup (2:2.0.0~rc0-1) experimental; urgency=low
    
      * New upstream release 2.0.0 RC0 (closes: #877566).  Highlights include:
        - Support for new on-disk LUKS2 format, offering authenticated disk
          encryption (EXPERIMENTAL), memory-hard PBKDF (argon2), kernel keyring for
          storage of key material, and more.
        - New CLI `integritysetup` which can setup standalone dm-integrity devices.
        - soname bump of libcryptsetup library.
      * Rename library package from libcryptsetup4 to libcryptsetup12.
      * Also remove deprecated upstart configuration files on upgrade and purge.
        (Closes: #883677)
      * debian/control: Bump Standards-Version to 4.1.0 (no changes necessary).
      * debian/*: Apply wrap-and-sort(1).
      * debian/copyright: Update copyright years.
    
    cryptsetup (2:1.7.5-1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/control:
          + Depend on plymouth.
          + Invert the "busybox | busybox-static" Recommends, as the latter
            is the one we ship in main as part of the ubuntu-standard task.
          + Drop explicit libgcrypt20 dependency from libcryptsetup4.
        - Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
        - Drop c99 std, as the default is now higher than that
        - Drop upstart system jobs.
        - Add maintscript to drop removed upstart system jobs.
      * Merged upstream:
        - d/p/fips-fix-luksformat-with-recent-kernels -- fix luksFormat
          with recent FIPS enabled kernels.
      * Merged in Debian:
        - Use DEB_VERSION from dpkg/default.mk for pod2man release variable
    
    cryptsetup (2:1.7.5-1) unstable; urgency=low
    
      * New upstream release 1.7.5.
      * cryptroot-unlock: When the standard input is a TTY, keep prompting for
        passphrases until there are no more devices to unlock. (Closes: #866786)
      * cryptsetup.prerm: Don't try to call `dmsetup table` to list dm-crypt
        devices when the dm_mod module isn't loaded. (Closes: #870673)
      * Rename upstream signing key from debian/upstream/signing-key.asc to
        debian/upstream-signing-key.asc in order to avoid lintian error
        "orig-tarball-missing-upstream-signature" (we use the key to verify
        signature on upstream's git tags).
      * Remove deprecated upstart configuration files: /etc/init/cryptdisks.conf
        and /etc/init/cryptdisks-udev.conf.  Cf. `lintian-info --tags
        package-installs-deprecated-upstart-configuration`.
      * debian/cryptsetup.{postinst,postrm}: Don't hard-code path to
        update-initramfs(1).
      * debian/rules: Include /usr/share/dpkg/pkg-info.mk to avoid parsing
        dpkg-parsechangelog(1) output.
      * debian/control: Bump Standards-Version to 4.0.0 (no changes necessary).
    
     -- Julian Andres Klode <email address hidden>  Mon, 29 Jan 2018 13:48:55 +0100
  • cryptsetup (2:1.7.5-1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/control:
          + Depend on plymouth.
          + Invert the "busybox | busybox-static" Recommends, as the latter
            is the one we ship in main as part of the ubuntu-standard task.
          + Drop explicit libgcrypt20 dependency from libcryptsetup4.
        - Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
        - Drop c99 std, as the default is now higher than that
        - Drop upstart system jobs.
        - Add maintscript to drop removed upstart system jobs.
      * Merged upstream:
        - d/p/fips-fix-luksformat-with-recent-kernels -- fix luksFormat
          with recent FIPS enabled kernels.
      * Merged in Debian:
        - Use DEB_VERSION from dpkg/default.mk for pod2man release variable
    
    cryptsetup (2:1.7.5-1) unstable; urgency=low
    
      * New upstream release 1.7.5.
      * cryptroot-unlock: When the standard input is a TTY, keep prompting for
        passphrases until there are no more devices to unlock. (Closes: #866786)
      * cryptsetup.prerm: Don't try to call `dmsetup table` to list dm-crypt
        devices when the dm_mod module isn't loaded. (Closes: #870673)
      * Rename upstream signing key from debian/upstream/signing-key.asc to
        debian/upstream-signing-key.asc in order to avoid lintian error
        "orig-tarball-missing-upstream-signature" (we use the key to verify
        signature on upstream's git tags).
      * Remove deprecated upstart configuration files: /etc/init/cryptdisks.conf
        and /etc/init/cryptdisks-udev.conf.  Cf. `lintian-info --tags
        package-installs-deprecated-upstart-configuration`.
      * debian/cryptsetup.{postinst,postrm}: Don't hard-code path to
        update-initramfs(1).
      * debian/rules: Include /usr/share/dpkg/pkg-info.mk to avoid parsing
        dpkg-parsechangelog(1) output.
      * debian/control: Bump Standards-Version to 4.0.0 (no changes necessary).
    
     -- Julian Andres Klode <email address hidden>  Wed, 17 Jan 2018 21:39:10 +0100
  • cryptsetup (2:1.7.3-4ubuntu1) artful; urgency=low
    
      * New upstream release, merge from Debian unstable. Remaining
        Ubuntu changes:
        - debian/control:
          + Depend on plymouth.
          + Invert the "busybox | busybox-static" Recommends, as the latter
            is the one we ship in main as part of the ubuntu-standard task.
          + Drop explicit libgcrypt20 dependency from libcryptsetup4.
      * d/p/fips-fix-luksformat-with-recent-kernels -- fix luksFormat
        with recent FIPS enabled kernels.
      * Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
      * Drop c99 std, as the default is now higher than that
      * Use DEB_VERSION from dpkg/default.mk for pod2man release variable
      * Drop upstart system jobs.
      * Add maintscript to drop removed upstart system jobs.
    
    cryptsetup (2:1.7.3-4) unstable; urgency=high
    
      [ Guilhem Moulin ]
      * Drop obsolete update-rc.d parameters.  Thanks to Michael Biebl for the
        patch. (Closes: #847620)
      * debian/copyright: Fix license mismatch (docs/examples/*
        lib/crypto_backend/* lib/loopaes/* lib/tcrypt/* lib/verity/* python/* are
        LGPL-2.1+ not GPL-2+). (Closes: #861802)
      * debian/initramfs/cryptroot-hook: honor RESUME={none,auto} as documented in
        initramfs.conf(5) by initramfs-tools >=0.129. (Closes: #861074)
    
    cryptsetup (2:1.7.3-3) unstable; urgency=medium
    
      [ Jonas Meurer ]
      * debian/scripts/decrypt_ssl: fix script to actually output the decrypted
        key. Apparently this script has been broken since June 2008. Doesn't seem
        like anybody is using it. Thanks to g1 for spotting and reporting the
        error. (Closes: #844050)
      * debian/initramfs/cryptroot-script:
        + limit the sleep after max passphrase attempts to devices for the rootfs.
          This mitigates the negative impact in case of broken keyscripts etc.
        + add $crypttarget to each message to provide more context.
      * debian/initramfs/cryptroot-hook: fix sanity check for key files on root
        fs in get_device_opts(): detect if processed device is a root (parent)
        device even for LVM setups. (closes: #842951)
      * debian/README.initramfs: minor fix to the decrypt_derived keyscript
        section: now that systemd is standard, 'cryptdisks_start' should be used
        instead of '/etc/init.d/cryptdisks start'.
      * debian/manpages/crypttab.xml: add a warning to the 'keyscript' option
        that systemd doesn't support the option (yet) and mention the possible
        workaround to process the devices in question in the initramfs.
    
      [ Guilhem Moulin ]
      * add debian/gbp.conf to set the upstream tag to "v%(version%.%_)s".  As
        this enables git-buildpackage >= 0.8.7 to automatically generate
        orig.tar.gz, step nr. 5 is now removed from debian/README.source.
      * debian/compat: bump debhelper compatibility version to 9.
      * debian/initramfs/cryptroot-hook:
        + fix tab damage for consistency with the rest of the code
        + better warning for deprecated settings
        + fix sanity check for key files in get_device_opts(): print a warning if
          the key file isn't on the root FS, or if the root device is not
          encrypted, even for LVM setups.
        + fix sanity check for key files in get_device_opts(): print a warning if
          the processed device is a resume device, even for LVM setups.
        + fix runtime error in get_lvm_deps() if the first argument is either
          missing or the empty string.
        + reset IFS after processing $rootopts in get_device_opts(); the missing
          linefeed in $IFS caused LVM logical volumes spanning over multiple PVs
          not to have their parent devices detected correctly.
    
    cryptsetup (2:1.7.3-2) unstable; urgency=medium
    
      [ Guilhem Moulin ]
      * debian/README.Debian: update authorized_keys(5) path, incorrect since
        2:1.7.2-1, for remote unlocking at initramfs stage using the dropbear SSH
        server.
    
      [ Jonas Meurer ]
      * debian/initramfs/cryptroot-script: sleep after max passphrase attempts.
        This mitigates local brute-force attacks and addresses CVE-2016-4484.
        Thanks to Ismael Ripoll and Hector Marco for discovery and report.
        - decrease $count by one in tries loop if unlocking was successful.
        - warn and sleep for 60 seconds if the maximum allowed attempts of
          unlocking (configured with crypttab option tries, default=3) are
          reached.
    
    cryptsetup (2:1.7.3-1) unstable; urgency=medium
    
      * New upstream release 1.7.3.
      * debian/rules: run dh_strip_nondeterminism(1p) in binary-arch rules to
        make the package build more reproducible. Introduces a new Build-Depends
        on dh-strip-nondeterminism. Thanks to Reiner Herrmann for bugreport and
        patch. (Closes: #842581)
    
    cryptsetup (2:1.7.2-5) unstable; urgency=high
    
      [ Guilhem Moulin ]
      * debian/upstream/signing-key.asc: add upstream's armored OpenPGP key,
        fingerprint 2A29 1824 3FDE 4664 8D06  86F9 D9B0 577B D93E 98FC.
      * debian/watch: add "pgpsigurlmangle" option so uscan(1) can automatically
        verify cryptographic signatures on release tarballs.
    
      [ Jonas Meurer ]
      * debian/initramfs/cryptroot-hook: only source crypt-hook from
        /etc/cryptsetup-initramfs/ when present. (Closes: #841503)
    
    cryptsetup (2:1.7.2-4) unstable; urgency=high
    
      [ Guilhem Moulin ]
      * debian/initramfs/cryptroot-hook:
        + Fix warning printed for lvm devices backed by multiple dm-crypt nodes.
          Regression introduced in 2:1.7.2-1.  Thanks Zoltan Hidvegi, for the
          patch. (Closes: #840480)
        + Don't escape all slash characters "/" in device paths of the form
          /dev/by-label/..., only the label itself.  Regression introduced in
          2:1.7.2-2 as a fix for #839888.
    
    cryptsetup (2:1.7.2-3) unstable; urgency=medium
    
      [ Guilhem Moulin ]
      * debian/initramfs/cryptroot-conf: don't set CRYPTSETUP and KEYFILE_PATTERN,
        so the (deprecated) values set in /etc/initramfs-tools aren't overridden
        to the empty string by default.  Regression introduced in 2:1.7.2-1.
        (Closes: #839994.)
      * debian/README.initramfs: fixed minor typo.
    
    cryptsetup (2:1.7.2-2) unstable; urgency=medium
    
      * debian/cryptdisks.functions: fix a nasty typo in do_start that rendered
        systems with sysVinit unbootable. Thanks to Marc Haber for bugreport and
        patch (Closes: #839888)
    
    cryptsetup (2:1.7.2-1) unstable; urgency=medium
    
      [ Jonas Meurer ]
      * new upstream release 1.7.2. Highlights include:
        - code now uses kernel crypto API backend according to new changes
          introduced in mainline kernel. (in 1.7.1)
        - cryptsetup now allows special "-" (standard input) keyfile handling
          even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices. (in 1.7.1)
        - Support activation options for error handling modes in Linux kernel
          dm-verity module. (in 1.7.2)
      * debian/cryptdisks.functions: use '--key-file=-' again with the tcrypt
        extension, now that upstream issue #269 is fixed.
      * migrate the packaging repository from SVN to Git:
        - debian/control: Update Vcs-* fields to point to the new git repository.
        - debian/README.source: document new repository structure and release
          handling.
      * debian/README.Debian, debian/NEWS: minor typo fixes.
      * debian/rules: run pod2man --release="$(DEB_VERSION). (Closes: #839352)
    
      [ Guilhem Moulin ]
      * debian/control: add self to uploaders.
      * debian/cryptdisks.functions: when iterating through the crypttab, don't
        abort after the first disk that fails to be closed.  Regression introduced
        in 2:1.7.0-1 when the file is sourced under 'set -e'.
      * debian/cryptdisks.functions: stop using `seq` since cryptsetup doesn't
        depend on busybox.  Instead, try again after 1, 2, 4, 8 and 16s when an
        encrypted disk cannot be closed. (Closes: #811456)
      * debian/cryptsetup.maintscript: add a "rm_conffile" directive to remove
        conffile /etc/bash_completion.d/cryptdisks, obsolete since 2:1.7.0-1.
        (Closes: #810227)
      * debian/README.initramfs: fix typo s/initramfs-update/update-initramfs/.
        Thanks, Stuart Prescott. (Closes: #827263)
      * debian/rules: Add 'hardening=+pie' to DEB_BUILD_MAINT_OPTIONS to compile
        ELF executables as PIEs.
      * debian/control: Bump Standards-Version to 3.9.8 (no changes necessary).
      * debian/cryptsetup.lintian-overrides: Remove unused lintian override
        init.d-script-does-not-source-init-functions.
      * Use /etc/cryptsetup-initramfs/conf-hook for initramfs hook script
        configuration.  For backward compatibility setting CRYPTSETUP and
        KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
        for now, but causes the hook to print a warning.
        This is done following the initramfs-tools maintainers' request (see
        #807527) that hook and boot script configuration files be stored outside
        the /etc/initramfs-tools directory. (Closes: #783393)
      * Print a warning when private key material is to be included in the
        initramfs image (ie, if $KEYFILE_PATTERN is not empty), and the image is
        created with a permissive mode.
      * Add Indonesian debconf templates translation.  Thanks, Izharul Haq for the
        patch. (Closes: #835158)
      * debian/initramfs/cryptroot-hook: Avoid leading space in $rootdevs,
        $resumedevs, etc.
      * Support unlocking devices at initramfs stage using a key file stored on
        the encrypted root FS.  Note however that resume devices won't be unlocked
        this way since the resume boot script is currently run before mounting the
        root FS. (Closes: #776409)
      * debian/initramfs/cryptroot-hook: Avoid undesired effects for target or
        device names containing non-alphanumeric characters such as "." or "-":
        + replace `grep "^$x\b"` by `awk -vx="$x" '$1==x {print}'`; and
        + replace `echo "$x"` by printf '%s' "$x" when the argument might start
          with a dash.
      * debian/initramfs/cryptroot-{hook,script}, debian/cryptdisks.functions:
        ensure slash characters "/" from device labels are escaped when
        constructing symlinks under /dev/disk/by-label.
      * debian/scripts/decrypt_gnupg:
        + Remove --no-mdc-warning to display a warning if the MDC integrity
          protection is missing.
        + Replace "GnuPG key" by "gpg-encrypted key" in messages and
          documentation.
      * debian/initramfs/cryptgnupg-hook: Add support for multiple devices
        encrypted using a gpg-encrypted key.
      * debian/README.gnupg: Indicate that not only the gpg-encrypted key for
        the root FS is copied onto the initramfs, but also the ones for all
        devices that need to be unlocked at initramfs stage.
      * debian/initramfs/cryptroot-hook: Fix bug for device label starting with
        "UUID=".
    
      [ Helmut Grohne ]
      * libcryptsetup-dev: move the .pc file to a multiarch location such that
        cross-pkg-config can find it. (closes: #811545)
      * Fix FTCBFS: Use host arch compiler for askpass as well. (closes: #811559)
    
     -- Andy Whitcroft <email address hidden>  Thu, 10 Aug 2017 14:07:29 +0100