This bug was fixed in the package cryptsetup - 2:2.0.3-6ubuntu1

---------------
cryptsetup (2:2.0.3-6ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable. LP: #1781912.
  * Remaining changes:
    - debian/control:
      + Recommend plymouth.
      + Invert the "busybox | busybox-static" Recommends, as the latter is
        the one we ship in main as part of the ubuntu-standard task.
    - Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
      compatibility. LP: #1651818
  * Dropped changes, included in Debian:
    - Drop explicit libgcrypt20 dependency from libcryptsetup4.
    - Drop the CRYPTSETUP variable warning from the initramfs hook, as
      overlayroot package ships a dropin in conf-hooks.d triggering false
      warnings.
    - Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
    - Drop c99 std, as the default is now higher than that
  * Dropped changes, no longer needed:
    - Add maintscript to drop removed upstart system jobs.

cryptsetup (2:2.0.3-6) unstable; urgency=medium

  * debian/TODO.md: Remove mention of parent device detection for mdadm
    (#629236) as it's fixed since 2:2.0.3-2.
  * debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
    fixes.
  * debian/rules, debian/patches/disable-internal-tests.patch: Remove patch
    to add configure flag '--disable-internal-tests'. The internal test
    suite is run by dh_auto_test(1), and it is skipped if the
    DEB_BUILD_OPTIONS environment variable contains the string "nocheck".
  * debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
    When the 2nd column of a crypttab entry denotes a block special device,
    resolve the device but don't convert it to /dev/block/$major:$minor.
    (Closes: #903246.)
  * debian/initramfs/hooks/cryptroot:
    + Treat null device numbers as invalid in resolve_device(), cf.
      /Documentation/admin-guide/devices.txt in the kernel source tree.
    + generate_initrd_crypttab(): add '\n' to the local IFS since
      get_resume_devno() prints one major:minor pair per line.
  * debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
    + Save process ID of the pcscd daemon at local-top stage, and kill it at
      local-bottom stage. Thanks to Pascal Vibet for the patch.
      (Closes: #903574.)
    + Fix path to the pcscd executable (the fix for #880750 was incomplete).
  * debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
    since 2:2.0.3-2.
  * debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
    $CRYPTTAB_NAME not $crypttarget).

cryptsetup (2:2.0.3-5) unstable; urgency=medium

  [ Jonas Meurer ]
  * debian/askpass.c, debian/scripts/passdev.c, debian/rules:
    + Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
    + Drop c99 std, as the default is now higher than that
  * debian/control:
    + Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
      libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.

  [ Guilhem Moulin ]
  * debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
    disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
    crypttab(5).
  * debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
    read-only mapping. Cf. `cryptsetup --readonly`.
  * debian/initramfs/hooks/cryptroot:
    + Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
      key files matching $KEYFILE_PATTERN, or when a 'keyscript' is
      specified in the crypttab options. Regression since 2:2.0.3-2.
      (Closes: #902733.)
    + Avoid processing entries multiple times in get_crypttab_entry(), which
      could happen with 'keyscript=decrypt_derived' for instance.
    + Don't complain that the sysfs dir can't be found when the hook failed
      to normalize the device (another warning is shown already).
    + If source device is mapped (for instance if it's a logical volume),
      put its dm name into the initrd crypttab. LVM2's local-block script
      doesn't work with UUIDs, and giving it a VG+LV is better anyway as we
      avoid activating all volumes at initramfs stage. (Closes: #902943.)
  * debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN is null or
    unset then no key file is copied.
  * debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
    + Use major:minor device IDs internally, as this facilitates discovery
      of sysfs directories, and we don't have to take care of the udev
      mangling.
    + Decode octal sequences when reading /etc/crypttab or /etc/fstab. This
      means that key files and option values can contain blanks and special
      characters encoded as octal sequences.
    + Refactor crypttab(5) parsing logic, to avoid duplication of
      boilerplate code.
  * debian/functions: If the key file is a symlink, warn about insecure
    permissions of the target, not the link itself.
  * debian/scripts/decrypt_derived: For devices with keys in the kernel
    keyring (e.g., LUKS2 by default), refuse to derive anything.
  * debian/patches/disable-internal-tests.patch: Add configure option
    '--disable-internal-tests' to disable the internal test suite.
  * debian/rules: Don't run upstream's internal test suite if
    $DEB_BUILD_OPTIONS contains the string "skip-internal-tests". (Tests
    are still run by default.)
  * debian/cryptdisks-functions: Restore support for crypttab(5) entries
    with regular files as source device. Regression since 2:2.0.3-2.
    (Closes: #902879.)
  * debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).

cryptsetup (2:2.0.3-4) unstable; urgency=low

  * debian/initramfs/hooks/cryptroot:
    + Fix typo in warning message. (Closes: #901971.)
    + sysfs_devdir(): don't croak when the normalized device pathname isn't
      of the form /dev/$blk. This is the case in the Debian installer, where
      the devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block
      device instead of a symlink to /dev/dm-$index.
    + sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing to
      the sysfs directory corresponding to the device) rather than
      /sys/block/$blk. While the latter is present for mapped devices, it's
      not present for block devices corresponding to disk partitions. See
      sysfs(5) for details. (Closes: #902183.)
    + get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
      get the UUID of a dm-crypt device's slave (it's normal with plain
      dm-crypt devices).
    + get_crypttab_entry(): don't warn that key file doesn't exist if it's
      e.g., an existing character special device.
  * debian/functions:unlock_mapping(): translate crypttab(5) option 'size='
    to `cryptsetup --key-size=`, not `--size` (which doesn't set the key
    size but the size of the device in number of 512 byte sectors).
    Regression since 2:2.0.3-2. (Closes: #902245.)
  * debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
    debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count. Some
    keyscripts (such as decrypt_keyctl) don't work properly if on first try
    the CRYPTTAB_TRIED environment variable isn't set to 0. Regression
    since 2:2.0.3-2. (Closes: #902116.)
  * debian/scripts/decrypt_keyctl: replace the source device path with the
    mapped device name in messages, to match the new askpass behavior.

cryptsetup (2:2.0.3-3) unstable; urgency=low

  [ Jonas Meurer ]
  * debian/*: run wrap-and-sort(1)
  * debian/control:
    + Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
      cryptsetup-run. Needed since we moved luksformat between the
      packages. (Closes: #901773)
    + Remove all traces of package 'cryptsetup-luks' from dependency
      headers. This package has never been part of an official Debian
      release, and the time it existed was more than 12 years ago.
    + Remove Conflicts/Breaks headers from the split of cryptsetup into
      cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
      version is from Debian Wheezy, which means that there are three
      releases in between. We don't support dist-upgrades with skipped
      releases anyway.
    + Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
    + Remove versioned depends of libcryptsetup12 on libgcrypt20 and
      libgpg-error0. Both versions have been satisfied for more than three
      releases.
    + Remove versioned build-depends on docbook-xsl, dpkg-dev,
      libdevmapper-dev, libgcrypt20-dev and libtool. All versions have been
      satisfied for more than three releases.
  * debian/*: Change maintainer contact address to @alioth-lists.debian.net.

  [ Guilhem Moulin ]
  * debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in
    Breaks/Replaces/Depends fields. (2:2.0.2-2 was never released; the
    version we released after the package split was 2:2.0.3-1.)
  * debian/initramfs/cryptroot-script: exit immediately when
    /lib/cryptsetup/functions is not present. (Closes: #901830.)
  * debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
    manually excluding mapped devices using another subsystem.
  * d/initramfs/hooks/cryptroot:
    + Fix parser for cipher specifications in mapping table of crypt
      targets. In particular, the cipher mode wasn't parsed properly,
      potentially causing missing modules in initrd.img compiled with
      MODULES=dep. Regression introduced in 2:2.0.3-2. (Closes: #901884.)
    + Print a warning when the mapping table specifies the cipher in kernel
      crypto API format ("capi:" prefix). We don't support these yet.

cryptsetup (2:2.0.3-2) unstable; urgency=medium

  The "nights are long in summer" cryptsetup sprint release :-)
  Guilhem and Jonas hacked together for three days (and nights), refactored
  almost all of the cryptsetup packages, squashed (at least) 19 bugs and
  started work on several new features. Yay!

  [ Guilhem Moulin ]
  * cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to
    Recommends: (Closes: #901641.)
  * debian/initramfs/*-hook: complete refactoring. Common functions are now
    in /lib/cryptsetup/functions (source-able from shell scripts).
    (Closes: #784881.)
  * debian/initramfs/cryptroot-hook:
    + Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
      devices such as LVM2 on top of LUKS (resp. multiple device
      filesystems such as btrfs). This approach is more robust than parsing
      the output of `lvs` or `btrfs filesystem`.
    + Export relevant crypttab(5) snippet (for devices that need to be
      unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
    + Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
      if 1/ the CRYPTSETUP configuration option is unset or null (the
      default), and 2/ the hook didn't detect any device to be unlocked at
      initramfs stage. The benefit is two-fold: it guides users through the
      package split, and warns them that their system might not reboot if
      the hook script didn't work properly.
  * Remove the 'decrypt_openct' keyscript since openct was last seen in
    oldoldstable, cf. #760258 (ROM).
  * debian/initramfs/cryptroot-script: refactoring, using functions from
    /lib/cryptsetup/functions. (Closes: #720952, #826124.)
    + One can disable the cryptsetup initramfs scripts for a particular boot
      by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
    + No longer sleep for a full minute after exceeding the maximum number
      of unlocking tries. (This was added in 2:1.7.3-2 as an attempt to
      mitigate CVE-2016-4484.) Instead, the script sleeps for 1 second after
      each failed attempt in order to defeat online brute-force attacks.
      (Closes: #898495.)
  * debian/README.initramfs: Remove mention that the initramfs scripts and
    the cryptsetup binary are using a different hash algorithm for plain
    dm-crypt volumes. This is no longer true since 2:1.0.6~pre1+svn45-1,
    cf. #406317.
  * debian/cryptdisks.functions:
    + Refactoring, using functions from /lib/cryptsetup/functions.
      (Closes: #859953, #891219.)
    + Install to /lib/cryptsetup/cryptdisks-functions.
  * crypttab(5):
    + Remove support for the 'precheck' option. The precheck for LUKS
      devices is still hardcoded to `cryptsetup isLuks`; the script refuses
      to unlock non-LUKS devices (plain dm-crypt and tcrypt devices)
      containing a known filesystem (other than swap).
    + Don't ignore the 'plain' option: disable auto-detection and treat the
      device as a plain dm-crypt device. (Closes: #886007.)
    + Add support for some option aliases to unify with systemd's
      crypttab(5) options. Namely, 'read-only' is an alias for 'readonly',
      'key-slot=' is an alias for 'keyslot=', 'tcrypt-hidden' is an alias
      for 'tcrypthidden', and 'tcrypt-veracrypt' is an alias for
      'veracrypt'.
    + Add support for 'keyfile-size=' and 'keyfile-offset=' options.
      (Closes: #849335.)
    + Source devices can now be specified using their PARTUUID or
      PARTLABEL, similar to fstab(5).
  * debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly'
    switch to set up readonly mappings. (Closes: #782843.)
  * debian/scripts/cryptdisks_stop: Add support for closing multiple disks
    at once. (Closes: #783194.)

  [ Jonas Meurer ]
  * debian/doc/crypttab.xml:
    + Add a section about the different crypttab formats of our package and
      the systemd cryptsetup wrapper.
    + Document which options are ignored by the initramfs scripts and which
      are unsupported by the systemd implementation. (Closes: #714380)
    + Clarify documentation of option 'tries'. It also applies when using
      keyscripts, not only with interactive passphrases. (Closes: #826127)
    + Make it obvious that in case a keyscript is configured, the third
      option is passed as argument to the keyscript. Mention the optional
      requirement to quote the value. (Closes: #826122)
    + Some minor wording improvements.
  * debian/control, debian/compat: Bump debhelper compatibility level to 11.
  * debian/rules:
    + Completely refactor the rules file, adapt to debhelper 11 style.
      (Closes: #901713)
    + Run the upstream build-time testsuite thanks to dh_auto_test.
    + Move the luksformat script from cryptsetup-bin to cryptsetup-run.
    + Install the bug-script into all packages.
    + No longer install the sysvinit initscripts into cryptsetup-udeb.
    + Remove many old build and compile flags, debhelper takes care of most
      of them nowadays.
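Several of the crypttab(5) changes above (octal-encoded fields in 2:2.0.3-5, the systemd-style option aliases in 2:2.0.3-2, and the 'size=' to `--key-size` mapping restored in 2:2.0.3-4) fit into one small POSIX sh parser. The block below is an added example, not code from the Debian cryptsetup package: the function names are hypothetical, the CRYPTTAB_* variable names follow the changelog, the sample crypttab line in the usage comment is constructed, and the input is assumed to use the fstab(5) convention of \NNN octal escapes for blanks and special characters.

```shell
#!/bin/sh
# Added example (not the Debian cryptsetup package's code): minimal
# crypttab(5) line parsing with octal decoding, alias normalization and
# translation into `cryptsetup open` arguments.  Helper names are
# hypothetical; CRYPTTAB_* names mirror the changelog.

set -f   # never glob-expand crypttab fields when word-splitting them

# Decode \NNN octal escapes.  printf '%b' understands \0NNN, so the
# three-digit form is rewritten first.  The value is passed as an argument,
# never as the format string, so a literal '%' in a path is harmless.
crypttab_decode() {
    printf '%b' "$(printf '%s' "$1" | sed 's/\\\([0-7]\{3\}\)/\\0\1/g')"
}

# Map the systemd-style aliases added in 2:2.0.3-2 onto the canonical names.
crypttab_canon_option() {
    case "$1" in
        read-only)        printf '%s\n' readonly ;;
        key-slot=*)       printf '%s\n' "keyslot=${1#key-slot=}" ;;
        tcrypt-hidden)    printf '%s\n' tcrypthidden ;;
        tcrypt-veracrypt) printf '%s\n' veracrypt ;;
        *)                printf '%s\n' "$1" ;;
    esac
}

# crypttab_parse "<name> <source> <key> <options>"
# Sets CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY ("none" if absent) and
# CRYPTTAB_OPTIONS (decoded, alias-normalized, comma-separated).
# Returns 1 for blank, comment or truncated lines.
crypttab_parse() {
    set -- $1
    [ $# -ge 2 ] || return 1
    case "$1" in '#'*) return 1 ;; esac
    CRYPTTAB_NAME=$(crypttab_decode "$1")
    CRYPTTAB_SOURCE=$(crypttab_decode "$2")
    CRYPTTAB_KEY=$(crypttab_decode "${3:-none}")
    CRYPTTAB_OPTIONS=
    IFS=,; set -- ${4:-}; unset IFS   # split on commas, then default IFS again
    for opt; do
        opt=$(crypttab_canon_option "$(crypttab_decode "$opt")")
        CRYPTTAB_OPTIONS="${CRYPTTAB_OPTIONS:+$CRYPTTAB_OPTIONS,}$opt"
    done
    export CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS
}

# crypttab_to_args "<normalized options>"
# Prints `cryptsetup open` arguments.  Note the 2:2.0.3-4 fix: 'size=' is
# the *key* size (--key-size); --size would set the device size in 512-byte
# sectors.  Options consumed by the init scripts themselves (tries=,
# keyscript=, noauto, ...) are skipped; unknown ones are reported on stderr
# rather than silently dropped.
crypttab_to_args() {
    args=
    IFS=,; set -- $1; unset IFS
    for opt; do
        case "$opt" in
            luks|plain|tcrypt) args="$args --type $opt" ;;
            readonly)          args="$args --readonly" ;;
            discard)           args="$args --allow-discards" ;;
            tcrypthidden)      args="$args --tcrypt-hidden" ;;
            veracrypt)         args="$args --veracrypt" ;;
            size=*)            args="$args --key-size=${opt#size=}" ;;
            keyslot=*)         args="$args --key-slot=${opt#keyslot=}" ;;
            keyfile-size=*|keyfile-offset=*|cipher=*|hash=*|offset=*|skip=*)
                               args="$args --$opt" ;;
            tries=*|keyscript=*|noauto|noearly|initramfs|check=*|checkargs=*) ;;
            *) printf 'warning: unknown crypttab option %s ignored\n' "$opt" >&2 ;;
        esac
    done
    printf '%s\n' "${args# }"
}

# Usage with a constructed line (key file name contains an encoded blank):
#   crypttab_parse 'cryptroot /dev/disk/by-uuid/0123-4567 /etc/keys/my\040key.bin luks,read-only,size=256,key-slot=1,tries=0'
#   crypttab_to_args "$CRYPTTAB_OPTIONS"
```

The decode step runs before alias matching on purpose: an option value such as a keyscript argument may carry encoded blanks, and matching on the raw text would miss an alias spelled with an escape in it. The 'tries=' option is deliberately not turned into a cryptsetup argument; it belongs to the unlock loop, not to `cryptsetup open`.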
cryptsetup (2:2.0.3-1) unstable; urgency=medium

  [ Guilhem Moulin ]
  * Split cryptsetup package into cryptsetup-run (init scripts and
    libraries) and cryptsetup-initramfs (initramfs integration). The
    'cryptsetup' package is now a transitional dummy package.
    (Closes: #783297.)
  * debian/cryptsetup-run.preinst: remove logic for rm_conffile
    /etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
    2:1.0.6-5.
  * debian/cryptdisks.bash_completion: only complete cryptdisks_stop
    arguments with crypttab(5) targets that already exist, and only complete
    cryptdisks_start targets with crypttab(5) targets that don't exist yet.
    (Closes: #827200.)
  * debian/initramfs/cryptroot-hook:
    + use copy_file() from hook-functions to copy key files to the initrd.
      This ensures that relevant messages are printed in verbose mode.
      (Closes: #898516.)
    + remove backward compatibility support for setting CRYPTSETUP and
      KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf. Since 2:1.7.2-1
      they should be set in /etc/cryptsetup-initramfs/conf-hook.
    + add 'algif_skcipher' kernel module to large initramfs (if the MODULES
      variable isn't "dep"). That module is required for unlocking LUKS2
      devices.

  [ Jonas Meurer ]
  * New upstream release 2.0.3
  * debian/control:
    - Bump standards-version to 4.1.4, no changes required
    - Change my mail address to '
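Three of the entries above change the same piece of logic, the unlock retry loop: 2:2.0.3-2 replaces the one-minute sleep after the last try with a one-second sleep after every failed try, 2:2.0.3-4 fixes the off-by-one so that CRYPTTAB_TRIED is 0 on the first attempt, and 2:2.0.3-5 makes tries=0 loop for as long as the device stays locked. The block below is an added example in POSIX sh with those three semantics, not the package's own cryptroot-unlock or local-top script. The attempt function is a constructed stand-in for `cryptsetup open` driven by a keyscript, and UNLOCK_SLEEP and FAKE_SUCCEED_AT are hypothetical knobs that exist only so the loop can be exercised offline.

```shell
#!/bin/sh
# Added example (not the package's cryptroot-unlock script): the unlock
# retry loop with the tries=0, CRYPTTAB_TRIED and per-failure sleep
# semantics from the changelog.  UNLOCK_SLEEP (default 1 second) and
# FAKE_SUCCEED_AT are hypothetical knobs for exercising the loop offline.

: "${UNLOCK_SLEEP:=1}"

# crypttab_tries "<comma-separated options>"
# Prints the tries= value: 3 if absent or not a number (the crypttab(5)
# default), 0 meaning "keep trying as long as the device is locked".
crypttab_tries() {
    tries=3
    IFS=,; set -- $1; unset IFS   # split on commas, then default IFS again
    for opt; do
        case "$opt" in tries=*) tries=${opt#tries=} ;; esac
    done
    case "$tries" in ''|*[!0-9]*) tries=3 ;; esac
    printf '%s\n' "$tries"
}

# unlock_loop <attempt-function> <tries>
# CRYPTTAB_TRIED counts *previous* failures, so the first attempt sees 0
# (the off-by-one fixed in 2:2.0.3-4; decrypt_keyctl relies on it).
# Returns 0 as soon as an attempt succeeds, 1 once the budget is used up.
unlock_loop() {
    attempt=$1
    max=$2
    CRYPTTAB_TRIED=0
    export CRYPTTAB_TRIED
    while [ "$max" -eq 0 ] || [ "$CRYPTTAB_TRIED" -lt "$max" ]; do
        if "$attempt"; then
            return 0
        fi
        CRYPTTAB_TRIED=$((CRYPTTAB_TRIED + 1))
        # One fixed pause after *every* failure (2:2.0.3-2) instead of a
        # full minute only after the last one: an online guesser still pays
        # a second per guess, while a typo no longer blocks the console.
        sleep "$UNLOCK_SLEEP"
    done
    return 1
}

# Constructed stand-in for the real unlock: fails until CRYPTTAB_TRIED
# reaches FAKE_SUCCEED_AT, i.e. "the right passphrase on the Nth try".
fake_attempt() {
    [ "$CRYPTTAB_TRIED" -ge "${FAKE_SUCCEED_AT:-1}" ]
}

# Usage: with a crypttab options column of "luks,tries=0" the loop keeps
# going until the fifth retry finally succeeds (UNLOCK_SLEEP=0 skips the
# pauses when experimenting):
#   FAKE_SUCCEED_AT=5; unlock_loop fake_attempt "$(crypttab_tries luks,tries=0)"
#   echo "unlocked after $CRYPTTAB_TRIED failed attempt(s)"
```

Two details matter for keyscripts: CRYPTTAB_TRIED is exported before the first call, so a keyscript can distinguish the initial attempt from retries, and the sleep sits after the failure rather than before the next prompt, so a successful first try never waits.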