[pkg-cryptsetup-devel] Bug#839994: Bug#839994: Newest version prevent boot of full encrypted disk

Guilhem Moulin guilhem at guilhem.org
Fri Oct 7 12:04:01 UTC 2016


On Fri, 07 Oct 2016 at 11:10:08 +0100, Klaus Ethgen wrote:
>> This is an undocumented way of forcing cryptsetup initramfs integration.
>> As of 2:1.7.2-1, the hook script configuration variables are to be set in
>> /etc/crytsetup-initramfs/conf-hook, cf. the following changelog entry
>> 
>> * Use /etc/crytsetup-initramfs/conf-hook for initramfs hook script
>>  configuration.  For backward compatibility setting CRYPTSETUP and
>>  KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
>>  for now, but causes the hook to print a warning.
>>  This is done following the initramfs-tools maintainers' request (see
>>  #807527) that hook and boot script configuration files be stored outside
>>  the /etc/initramfs-tools directory. (Closes: #783393)
> 
> Ah, in that file (/etc/cryptsetup-initramfs/conf-hook, not
> /etc/crytsetup-initramfs/conf-hook) is a (empty) setting "CRYPTSETUP=".
> This file is from yesterday, and was installed by today with the
> upgrade.
> 
> However, that particular problem was only about including cryptsetup
> out of the chroot from a recovery grml stick.
> 
> The current implementation is following some documentation I had in the
> past. The main key is a file "initramfs-tools/conf.d/diskkey" with the
> following content:
> KEYFILE_PATTERN="/etc/security/disk.key"
> export KEYFILE_PATTERN

I see.  Indeed, we've unfortunately been too fast at releasing a fix for
#786578.  That is, we documented setting KEYFILE_PATTERN in
/etc/initramfs-tools/initramfs.conf (or alternatively, under
/etc/initramfs-tools/conf.d) while the initramfs-tools maintainers later
(#807527) objected to using /etc/initramfs-tools for hook configuration:

    “If a hook script requires configuration beyond the exported
    variables listed below, it should read a private configuration file
    that is separate from the /etc/initramfs-tools directory.  It must
    not read initramfs-tools configuration files directly.” —
    initramfs-tools(8)

Can you confirm your system boots as expected once you delete
/etc/initramfs-tools/conf.d/diskkey and use
/etc/cryptsetup-initramfs/conf-hook instead?  I'll push a proper fix
later today, to make the latter config file take precedence over
mkinitramfs(8) settings; but *not override them* as it's incorrectly
done now.  (Just to be clear, we *will* drop backward compatibility at
some point, but after at least one stable release cycle, and with a
loud warning printed at each update-initramfs run meanwhile.)

Cheers,
-- 
Guilhem.
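
Added example, not part of the original message or of the cryptsetup package: a shell check that lists where CRYPTSETUP and KEYFILE_PATTERN are assigned, in the legacy /etc/initramfs-tools locations and in /etc/cryptsetup-initramfs/conf-hook, so a leftover file such as the conf.d/diskkey discussed above is found before migrating. The function names and the ROOT argument (for checking a mounted chroot) are assumptions of this example.

```shell
#!/bin/sh
# Added example: locate cryptsetup hook settings in legacy and current files.
# Function names and the ROOT argument are hypothetical, not cryptsetup's own.

# find_hook_settings ROOT
# Prints one line per uncommented assignment:
#   "<legacy|current> <file> <VAR>=<value>"   (surrounding quotes stripped)
find_hook_settings() {
    root=${1:-}
    for f in "$root/etc/initramfs-tools/initramfs.conf" \
             "$root"/etc/initramfs-tools/conf.d/* \
             "$root/etc/cryptsetup-initramfs/conf-hook"; do
        # Skips missing files and an unmatched conf.d/* glob.
        [ -f "$f" ] || continue
        case $f in
            */etc/cryptsetup-initramfs/*) kind=current ;;
            *) kind=legacy ;;
        esac
        # Match "VAR=..." or "export VAR=...", ignore commented-out lines.
        sed -n -E '/^[[:space:]]*(export[[:space:]]+)?(CRYPTSETUP|KEYFILE_PATTERN)=/{
            s/^[[:space:]]*(export[[:space:]]+)?//
            s/="(.*)"$/=\1/
            p
        }' "$f" |
        while IFS= read -r line; do
            printf '%s %s %s\n' "$kind" "${f#"$root"}" "$line"
        done
    done
}

# needs_migration ROOT
# Exit status 0 if a legacy file assigns a non-empty value to either variable.
needs_migration() {
    find_hook_settings "$1" | grep -Eq '^legacy [^ ]+ [A-Z_]+=.+'
}

# Usage: find_hook_settings ""            (running system)
#        find_hook_settings /mnt/chroot   (system mounted from a rescue stick)
```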