1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 2134 2135 2136 2137 2138 2139 2140 2141 2142 2143 2144 2145 2146 2147 2148 2149 2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473 2474 2475 2476 2477 2478 2479 2480 2481 2482 2483 2484 2485 2486 2487 2488 2489 2490 2491 2492 2493 2494 2495 2496 2497 2498 2499 2500 2501 2502 2503 2504 2505 2506 2507 2508 2509 2510 2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 2522 2523 2524 2525 2526 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539 2540 2541 2542 2543 2544 2545 2546 2547 2548 2549 2550 2551 2552 2553 2554 2555 2556 2557 2558 2559 2560 2561 2562 2563 2564 2565 2566 2567 2568 2569 2570 2571 2572 2573 2574 2575 2576 2577 2578 2579 2580 2581 2582 2583 2584 2585 2586 2587 2588 2589 2590 2591 2592 2593 2594 2595 2596 2597 2598 2599 2600 2601 2602 2603 2604 2605 2606 2607 2608 2609 2610 2611 2612 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625 2626 2627 2628 2629 2630 2631 2632 2633 2634 2635 2636 2637 2638 2639 2640 2641 2642 2643 2644 2645 2646 2647 2648 2649 2650 2651 2652 2653 2654 2655 2656 2657 2658 2659 2660 2661 2662 2663 2664 2665 2666 2667 2668 2669 2670 2671 2672 2673 2674 2675 2676 2677 2678 2679 2680 2681 2682 2683 2684 2685 2686 2687 2688 2689 2690 2691 2692 2693 2694 2695 2696 2697 2698 2699 2700 2701 2702 2703 2704 2705 2706 2707 2708 2709 2710 2711 2712 2713 2714 2715 2716 2717 2718 2719 2720 2721 2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 2735 2736 2737 2738 2739 2740 2741 2742 2743 2744 2745 2746 2747 2748 2749 2750 2751 2752 2753 2754 2755 2756 2757 2758 2759 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771 2772 2773 2774 2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785 2786 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802 2803 2804 2805 2806 2807 2808 2809 2810 2811 2812 2813 2814 2815 2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 2827 2828 2829 2830 2831 2832 2833 2834 2835 2836 2837 2838 2839 2840 2841 2842 2843 2844 2845 2846 2847 2848 2849 2850 2851 2852 2853 2854 2855 2856 2857 2858 2859 2860 2861 2862 2863 2864 2865 2866 2867 2868 2869 2870 2871 2872 2873 2874 2875 2876 2877 2878 2879 2880 2881 2882 2883 2884 2885 2886 2887 2888 2889 2890 2891 2892 2893 2894 2895 2896 2897 2898 2899 2900 2901 2902 2903 2904 2905 2906 2907 2908 2909 2910 2911 2912 2913 2914 2915 2916 2917 2918 2919 2920 2921 2922 2923 2924 2925 2926 2927 2928 2929 2930 2931 2932 2933 2934 2935 2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965 2966 2967 2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981 2982 2983 2984 2985 2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 2999 3000 3001 3002 3003 3004 3005 3006 3007 3008 3009 3010 3011 3012 3013 3014 3015 3016 3017 3018 3019 3020 3021 3022 3023 3024 3025 3026 3027 3028 3029 3030 3031 3032 3033 3034 3035 3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048 3049 3050 3051 3052 3053 3054 3055 3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115 3116 3117 3118 3119 3120 3121 3122 3123 3124 3125 3126 3127 3128 3129 3130 3131 3132 3133 3134 3135 3136 3137 3138 3139 3140 3141 3142 3143 3144 3145 3146 3147 3148 3149 3150 3151 3152 3153 3154 3155 3156 3157 3158 3159 3160 3161 3162 3163 3164 3165 3166 3167 3168 3169 3170 3171 3172 3173 3174 3175 3176 3177 3178 3179 3180 3181 3182 3183 3184 3185 3186 3187 3188 3189 3190 3191 3192 3193 3194 3195 3196 3197 3198 3199 3200 3201 3202 3203 3204 3205 3206 3207 3208 3209 3210 3211 3212 3213 3214 3215 3216 3217 3218 3219 3220 3221 3222 3223 3224 3225 3226 3227 3228 3229 3230 3231 3232 3233 3234 3235 3236 3237 3238 3239 3240 3241 3242 3243 3244 3245 3246 3247 3248 3249 3250 3251 3252 3253 3254 3255 3256 3257 3258 3259 3260 3261 3262 3263 3264 3265 3266 3267 3268 3269 3270 3271 3272 3273 3274 3275 3276 3277 3278 3279 3280 3281 3282 3283 3284 3285 3286 3287 3288 3289 3290 3291 3292 3293 3294 3295 3296 3297 3298 3299 3300 3301 3302 3303 3304 3305 3306 3307 3308 3309 3310 3311 3312 3313 3314 3315 3316 3317 3318 3319 3320 3321 3322 3323 3324 3325 3326 3327 3328 3329 3330 3331 3332 3333 3334 3335 3336 3337 3338 3339 3340 3341 3342 3343 3344 3345 3346 3347 3348 3349 3350 3351 3352 3353 3354 3355 3356 3357 3358 3359 3360 3361 3362 3363 3364 3365 3366 3367 3368 3369 3370 3371 3372 3373 3374 3375 3376 3377 3378 3379 3380 3381 3382 3383 3384 3385 3386 3387 3388 3389 3390 3391 3392 3393 3394 3395 3396 3397 3398 3399 3400 3401 3402 3403 3404 3405 3406 3407 3408 3409 3410 3411 3412 3413 3414 3415 3416 3417 3418 3419 3420 3421 3422 3423 3424 3425 3426 3427 3428 3429 3430 3431 3432 3433 3434 3435 3436 3437 3438 3439 3440 3441 3442 3443 3444 3445 3446 3447 3448 3449 3450 3451 3452 3453 3454 3455 3456 3457 3458 3459 3460 3461 3462 3463 3464 3465 3466 3467 3468 3469 3470 3471 3472 3473 3474 3475 3476 3477 3478 3479 3480 3481 3482 3483 3484 3485 3486 3487 3488 3489 3490 3491 3492 3493 3494 3495 3496 3497 3498 3499 3500 3501 3502 3503 3504 3505 3506 3507 3508 3509 3510 3511 3512 3513 3514 3515 3516 3517 3518 3519 3520 3521 3522 3523 3524 3525 3526 3527 3528 3529 3530 3531 3532 3533 3534 3535 3536 3537 3538 3539 3540 3541 3542 3543 3544 3545 3546 3547 3548 3549 3550 3551 3552 3553 3554 3555 3556 3557 3558 3559 3560 3561 3562 3563 3564 3565 3566 3567 3568 3569 3570 3571 3572 3573 3574 3575 3576 3577 3578 3579 3580 3581 3582 3583 3584 3585 3586 3587 3588 3589 3590 3591 3592 3593 3594 3595 3596 3597 3598 3599 3600 3601 3602 3603 3604 3605 3606 3607 3608 3609 3610 3611 3612 3613 3614 3615 3616 3617 3618 3619 3620 3621 3622 3623 3624 3625 3626 3627 3628 3629 3630 3631 3632 3633 3634 3635 3636 3637 3638 3639 3640 3641 3642 3643 3644 3645 3646 3647 3648 3649 3650 3651 3652 3653 3654 3655 3656 3657 3658 3659 3660 3661 3662 3663 3664 3665 3666 3667 3668 3669 3670 3671 3672 3673 3674 3675 3676 3677 3678 3679 3680 3681 3682 3683 3684 3685 3686 3687 3688 3689 3690 3691 3692 3693 3694 3695 3696 3697 3698 3699 3700 3701 3702 3703 3704 3705 3706 3707 3708 3709 3710 3711 3712 3713 3714 3715 3716 3717 3718 3719 3720 3721 3722 3723 3724 3725 3726 3727 3728 3729 3730 3731 3732 3733 3734 3735 3736 3737 3738 3739 3740 3741 3742 3743 3744 3745 3746 3747 3748 3749 3750 3751 3752 3753 3754 3755 3756 3757 3758 3759 3760 3761 3762 3763 3764 3765 3766 3767 3768 3769 3770 3771 3772 3773 3774 3775 3776 3777 3778 3779 3780 3781 3782 3783 3784 3785 3786 3787 3788 3789 3790 3791 3792 3793 3794 3795 3796 3797 3798 3799 3800 3801 3802 3803 3804 3805 3806 3807 3808 3809 3810 3811 3812 3813 3814 3815 3816
|
cryptsetup (2:2.7.5-1) unstable; urgency=medium
* New bugfix upstream release.
* d/t/cryptroot-*: Always install login(1) inside the guest to fix DEP-8
tests.
* d/t/utils/mock.pm: Fix login().
* initramfs hook: Don't let ripemd160 trigger copying legacy.so into the
initramfs image. Since OpenSSL 3.0.7 RIPEMD160 is in both legacy and
default providers.
* Adjust build-deps and DEP-8 tests to account for OpenSSL legacy provider
being shipped in its own package.
* DEP-8: Fix d/t/initramfs-hook-legacy.
* crypttab(5): Don't claim that ‘noauto’ is not supported by systemd.
(Closes: #1071602)
-- Guilhem Moulin <guilhem@debian.org> Tue, 03 Sep 2024 12:23:09 +0200
cryptsetup (2:2.7.4-1) unstable; urgency=medium
[ Guilhem Moulin ]
* New bugfix upstream release.
* d/functions: Silently ignore crypttab(5) option x-initrd.attach.
(Closes: #1072058)
* DEP-8: Mark cryptroot-* as flaky. To be re-evaluated if/when the
tests only run on environment where KVM is available. (Closes: #1073052)
* d/t/cryptroot-lvm.d/preinst: Add x-initrd.attach crypttab(5) option.
* initramfs: local-bottom: Call `dmsetup remove --deferred` on the root FS
holders. Thanks to Luca Boccassi for the suggestion.
* d/t/cryptroot-*: Always install passwd(1) inside the guest.
[ Benjamin Drung ]
* initramfs hook: Combine calls to manual_add_modules (LP: #2065180)
-- Guilhem Moulin <guilhem@debian.org> Sun, 04 Aug 2024 22:59:09 +0200
cryptsetup (2:2.7.2-2) unstable; urgency=medium
* Update standards version to 4.7.0, no changes needed.
* d/crontrol: cryptsetup-initramfs: Add Breaks: libcryptsetup12 (<<
2:2.7.2-1) since the hook assumes libcryptsetup.so.12 is not linked with
libargon2.so. (Closes: #1068849)
* d/t/utils/mkinitramfs: Remove obsolete copy_libgcc() call.
-- Guilhem Moulin <guilhem@debian.org> Mon, 15 Apr 2024 00:51:12 +0200
cryptsetup (2:2.7.2-1) unstable; urgency=medium
* New bugfix upstream release.
+ Fix various issues with OPAL devices.
* Use OpenSSL's own argon2 implementation rather than libargon2. This drops
libargon2 from (Build-)Depends and bumps the minimum required OpenSSL
version to 3.2.
* d/control: cryptsetup Depends: Bump minimum cryptsetup-bin version to
2:2.7.2-1 as the wrapper no longer contain workarounds for libargon2 and
libgcc_s.
* d/copyright: Update licensing information to reflect upstream's
relicensing of its FAQ and an older miscellaneous script.
-- Guilhem Moulin <guilhem@debian.org> Tue, 09 Apr 2024 15:18:49 +0200
cryptsetup (2:2.7.1-1) unstable; urgency=medium
* New bugfix upstream release.
[ Guilhem Moulin ]
* d/functions: get_mnt_devno(): Speed up execution time on large
/proc/mounts.
* d/t/cryptroot-*: Fix DEP-8 tests when the kernel .deb installs modules in
/usr/lib/modules not /lib/modules, such as
linux-image-6.6.15-686-pae_6.6.15-2_i386.deb.
* d/cryptsetup.lintian-overrides: Remove unused overrides.
[ Helmut Grohne ]
* /lib/cryptsetup/askpass: Coordinated move to /usr for DEP17
(Closes: #1060270)
-- Guilhem Moulin <guilhem@debian.org> Sat, 09 Mar 2024 23:05:42 +0100
cryptsetup (2:2.7.0-1) unstable; urgency=medium
* Upload to unstable.
* Revert "d/gbp.conf: Set ‘debian-branch = debian/experimental’."
* Revert "Use OpenSSL's own argon2 implementation" (since sid doesn't have
OpenSSL 3.2 yet).
* Revert "d/control: cryptsetup Depends: Bump minimum cryptsetup-bin version
to 2.7~."
* Revert "d/cryptsetup.lintian-overrides: Ignore ‘conflicts-with-version
cryptsetup-nuke-password’."
* Revert "d/cryptsetup.lintian-overrides: Remove unused overrides."
* Revert "/lib/cryptsetup/askpass: coordinated move to /usr for DEP17"
-- Guilhem Moulin <guilhem@debian.org> Mon, 26 Feb 2024 12:50:46 +0100
cryptsetup (2:2.7.0-1+exp) experimental; urgency=medium
* New upstream release.
[ Guilhem Moulin ]
* d/control: cryptsetup Depends: Bump minimum cryptsetup-bin version to 2.7~.
* d/control: Build-Depends: Replace pkg-config with pkgconf.
* d/cryptsetup-suspend.lintian-overrides: Remove alien tag.
* d/cryptsetup.lintian-overrides: Remove unused overrides.
* d/cryptsetup.lintian-overrides: Add override ‘conflicts-with-version
cryptsetup-nuke-password’.
* d/t/cryptroot-*: Fix DEP-8 tests with QEMU 8.2.
[ Helmut Grohne ]
* /lib/cryptsetup/askpass: coordinated move to /usr for DEP17.
(Closes: #1060270)
-- Guilhem Moulin <guilhem@debian.org> Mon, 26 Feb 2024 11:57:19 +0100
cryptsetup (2:2.7.0~rc1-1) experimental; urgency=medium
* New upstream release candidate.
* d/gbp.conf: Set ‘debian-branch = debian/experimental’.
* Add new DEP-8 test to check crypto backend flags. (And whether system
libargon2 is used.)
* Use OpenSSL's own argon2 implementation rather than libargon2. This drops
libargon2 from (Build-)Depends and bumps the minimum required OpenSSL
version to 3.2.
-- Guilhem Moulin <guilhem@debian.org> Wed, 20 Dec 2023 18:28:36 +0100
cryptsetup (2:2.7.0~rc0-2) experimental; urgency=medium
Rebuild for experimental.
-- Guilhem Moulin <guilhem@debian.org> Tue, 05 Dec 2023 21:11:42 +0100
cryptsetup (2:2.6.1-6) unstable; urgency=medium
[ Kevin Locke ]
* cryptsetup-initramfs: Add support for compressed kernel modules.
(Closes: #1036049, #1057441)
[ Guilhem Moulin ]
* d/tests: Replace `passwd --delete` with `busybox passwd -d`.
* add_modules(): Change suffix drop logic to match initramfs-tools.
* Fix DEP-8 tests with kernels shipping compressed modules.
-- Guilhem Moulin <guilhem@debian.org> Tue, 05 Dec 2023 17:48:58 +0100
cryptsetup (2:2.7.0~rc0-1) experimental; urgency=medium
* New upstream release candidate 2.7.0:
+ Add support for (opt-in) hardware OPAL disk encryption.
+ plain mode: Set default cipher to aes-xts-plain64 and password hashing
to sha256. This is a backward incompatible change for plain mode when
relying on the defaults. It doesn't affect LUKS volumes. Defaults for
plain mode should not be relied upon anyway; for many releases the
Debian wrappers found in the ‘cryptsetup’ binary package spew a loud
warning when ‘cipher=’ or ‘hash=’ are not explicitly specified in the
crypttab(5) options of plain devices. The cryptsetup(8) executable now
issue such a warning as well.
+ Allow activation (open), luksResume, and luksAddKey to use the volume
key stored in a keyring.
+ Allow one to store volume key to a user-specified keyring in open and
luksResume commands.
* Update d/libcryptsetup12.symbols.
* Remove d/patches applied upstream.
* Update debian/* to reflect current cipher and hash for plain mode.
* d/tests: Replace `passwd --delete` with `busybox passwd -d`.
-- Guilhem Moulin <guilhem@debian.org> Wed, 29 Nov 2023 17:19:10 +0100
cryptsetup (2:2.6.1-5) unstable; urgency=medium
[ Guilhem Moulin ]
* d/control: Drop cryptsetup-run transitional binary package.
(Closes: #1038285)
[ Michael Biebl ]
* cryptsetup-suspend-wrapper: Don't error out on missing
/lib/systemd/system-sleep directory, which was removed from the systemd
package. (Closes: #1050606)
-- Guilhem Moulin <guilhem@debian.org> Sun, 27 Aug 2023 12:24:57 +0200
cryptsetup (2:2.6.1-4) unstable; urgency=medium
* Backport upstream MR !498, see #1028250:
+ 7893c33d: Check for physical memory available also in PBKDF benchmark.
+ 6721d3a8: Use only half of detected free memory on systems without swap.
-- Guilhem Moulin <guilhem@debian.org> Thu, 20 Apr 2023 23:46:08 +0200
cryptsetup (2:2.6.1-3) unstable; urgency=medium
[ Guilhem Moulin ]
* initramfs hook: Fix copy_libgcc_argon2() on non merged-/usr systems.
(Closes: #1032518)
* Backport upstream MR !490, see #1028250:
+ 27f8e5c0: Try to avoid OOM killer on low-memory systems without swap
+ 899bad8c: Print warning when keyslot requires more memory than available
* d/t/initramfs-hook: Pass `-xdev` to `find "$INITRD_DIR"` in order to solve
a race condition in that autopkgtest.
[ Remus-Gabriel Chelu ]
* Add Romanian debconf templates translation. (Closes: #1031497)
-- Guilhem Moulin <guilhem@debian.org> Mon, 13 Mar 2023 23:43:50 +0100
cryptsetup (2:2.6.1-2) unstable; urgency=medium
* initramfs hook: Explicitly call copy_libgcc(). The recent libargon2-1
upgrade is built with glibc ≥2.34 hence no longer links libpthread. This
in turns means that initramfs-tool's copy_exec() is no longer able to
detect pthread_*() need and thus doesn't copy libgcc_s.so anymore. So we
need to do it manually instead. Closes: #1032221
-- Guilhem Moulin <guilhem@debian.org> Thu, 02 Mar 2023 05:01:53 +0100
cryptsetup (2:2.6.1-1) unstable; urgency=medium
* New upstream bugfix release.
* d/README.Debian: Explicitly set cswap1's device type to 'plain'.
(Closes: #1025136)
* d/control: Update standards version to 4.6.2, no changes needed.
* d/clean: Add some gitignore(5)'d files. (Closes: #1026838)
* cryptgnupg-sc hook: Look terminfo file in /usr/share/terminfo in adition
to /lib/terminfo, see #1028202. (Closes: 1028234)
* d/copyright: Bump copyright years.
-- Guilhem Moulin <guilhem@debian.org> Fri, 10 Feb 2023 00:50:42 +0100
cryptsetup (2:2.6.0-2) unstable; urgency=low
* libcryptsetup-dev: Add 'Depends: libargon2-dev, libblkid-dev,
libdevmapper-dev, libjson-c-dev, libssl-dev, uuid-dev' to account for
libcryptsetup.pc's Requires.private. Closes: #1025054.
-- Guilhem Moulin <guilhem@debian.org> Tue, 29 Nov 2022 15:42:25 +0100
cryptsetup (2:2.6.0-1) unstable; urgency=low
* New upstream release 2.6.0.
-- Guilhem Moulin <guilhem@debian.org> Tue, 29 Nov 2022 01:20:38 +0100
cryptsetup (2:2.6.0~rc0-1) experimental; urgency=medium
* New upstream release candidate 2.6.0, introducing support for handling
macOS FileVault2 devices (FVAULT2). The new version of FileVault based on
the APFS filesystem used in recent macOS versions is currently not
supported: only the (legacy) FileVault2 format based on Core Storage and
HFS+ filesystem (introduced in MacOS X 10.7 Lion) is supported. Moreover
header formatting and changes are not supported; cryptsetup never changes
the metadata on the device.
Closes: #923513.
* Update d/copyright for 2:2.6.0~rc0-1.
* Ship cryptsetup-fvault2Dump(8) and cryptsetup-fvault2Open(8) to
cryptsetup-bin binary package.
* Update d/libcryptsetup12.symbols for 2:2.6.0~rc0-1.
* Add 'fvault2' flag to crypttab(5) to force detection of Apple's FileVault2
volumes.
* d/rules: Add new target execute_before_dh_auto_test so blhc ignores
compilations of tests/*.c.
* d/u/metadata: Set 'Security-Contact' upstream metadata field.
-- Guilhem Moulin <guilhem@debian.org> Sat, 19 Nov 2022 17:30:40 +0100
cryptsetup (2:2.5.0-6) unstable; urgency=medium
* d/t/cryptroot-*: Mask systemd-firstboot.service.
* d/t/cryptroot-*: Use camel case for apt.conf(5) settings.
* d/t/cryptroot-*: _apt(): Sort apt.conf(5) settings.
* d/t/cryptroot-*: Honor apt_preferences(5) settings under autopkgtest.
* d/t/cryptroot-*: init: bind mount temporary filesystems to fix
autopkgtests with systemd 252. (Closes: #1022970)
-- Guilhem Moulin <guilhem@debian.org> Fri, 28 Oct 2022 19:30:14 +0200
cryptsetup (2:2.5.0-5) unstable; urgency=medium
* d/t/cryptroot-*: Bump setup timeout to 3600s so autopkgtests don't fail on
debci runners lacking KVM support.
-- Guilhem Moulin <guilhem@debian.org> Tue, 04 Oct 2022 20:01:50 +0200
cryptsetup (2:2.5.0-4) unstable; urgency=medium
* suspend.conf: Improve description and typofix.
* d/t/cryptroot-*: Fix race condition between creating new partition and
using them.
* d/t/cryptroot-*: Fail the test after a reasonable timeout.
(Closes: #1020714)
* d/t/cryptroot-*: setup_apt(): Add 'Identifier: Packages' to `apt-get
indextargets` filter.
* cryptsetup-suspend-wrapper: Explicitly disable udev support when resuming.
(Closes: #1020553)
* d/t/cryptroot-*: Pin versions for all packages in PKGS_EXTRA that are part
of src:cryptsetup.
-- Guilhem Moulin <guilhem@debian.org> Tue, 04 Oct 2022 01:14:30 +0200
cryptsetup (2:2.5.0-3) unstable; urgency=low
* d/t/cryptroot-*: Disable VGA card on the guest.
* d/t/cryptroot-*: Communicate with guests on /dev/hvc0 and remove
console=hvc0 from the kernel command line to get a noise-free channel.
* d/t/cryptroot-*: poweroff(): Use poweroff(8) not `echo o
>/proc/sysrq-trigger`.
* d/t/cryptroot-*: hibernate(): Use systemctl(1) not `echo disk
>/sys/power/state`.
* d/t/cryptroot-*: Use a separate logfile for each communication channel.
* Refactor d/t/utils/mock.pm and add QMP support; this adds 'Depends:
libjson-perl' to cryptroot-* autopkgtests.
* d/t/cryptroot-*: Use the QMP "quit" command to destroy guests early.
* d/t/cryptroot-*: Start getty on /dev/hvc0 only (not /dev/ttyS0) in
non-interactive mode.
* d/t/cryptroot-*: Remove console=tty0 from the kernel command line.
* d/t/cryptroot-*: Mask all timer units to avoid cluttering test
environments with background jobs.
* d/t/cryptroot-lvm: Also test cryptsetup-suspend (enter to and resume from
S3 state).
* d/t/cryptroot-*: Simplify login prompt regex.
* d/t/cryptroot-*: Use $' when consuming input buffers.
* Salsa CI: Include recipes/debian.yml.
* Salsa CI: Remove redundant variable RELEASE=unstable.
* Salsa CI: Re-enable autopkgtest job with partial coverage.
* cryptsetup-suspend-wrapper: Improve quoting.
* cryptsetup-suspend-wrapper: Use crypttab_find_entry()'s return status.
* d/copyright: Improve wording.
* d/copyright: Fix license for d/scripts/suspend/cryptsetup-suspend.c .
* Add license headers for d/scripts/suspend/*.
* Relicense own code from GPLv2+ to GPLv3+.
* cryptsetup-suspend-wrapper: Don't bindmount temporary filesystems.
* cryptsetup-suspend-wrapper: Improve $INITRAMFS_DIR detection and cleanup.
* cryptsetup-suspend-wrapper: Improve TODO comment.
* d/t/cryptroot-*: Add a network device in interactive mode.
* d/t/cryptroot-lvm: Test I/O on the root FS after wakeup to make sure the
device is not suspended.
* cryptsetup-suspend-wrapper: Harden chroot environment: mount ramfs
read-only and with the 'nodev' option, make it unbindable, and use a
restrictive root mode.
* initramfs hook: Remove duplicate unmangling.
* initramfs hook: populate_CRYPTO_HASHES(): Add missing call to
crypttab_parse_options().
* d/functions: crypttab_parse_options(): Always reset $CRYPTTAB_TYPE.
* cryptsetup-suspend-wrapper: Ignore $KEEP_INITRAMFS if a newer initrd is
detected.
* d/functions: resume_device(): Fix resuming by keyscript.
* d/functions: Refactor resume_device() and freeze_cgroups().
* cryptsetup-suspend-wrapper: Don't copy /lib/firmware if it already exists
in the initrd.
* cryptsetup-suspend-wrapper: Don't treat udevd specially as luksResume now
appears to work when udevd is still frozen.
* cryptsetup-suspend-wrapper: Populate ACTIVE_DEVICES via callback.
* cryptsetup-suspend-wrapper: Use FD3 to list remaining devices.
* d/t/utils/debootstrap: Strip colon and suffix from package (Pre-)Depends.
* d/t/utils/debootstrap: Remove obsolete comment and Pre-Depends.
* d/t/cryptroot-*: Manually create merged-/usr layout and install
usr-is-merged.
-- Guilhem Moulin <guilhem@debian.org> Sun, 18 Sep 2022 23:01:46 +0200
cryptsetup (2:2.5.0-2) unstable; urgency=low
[ Matthias Klose ]
* Add support for 'noudeb' build profile. (Closes: #983318)
[ Christoph Anton Mitterer ]
* initramfs hook: align busybox check on klibc-utils's hook.
[ Benjamin Drung ]
* initramfs hook: Fix broken compatibility with OpenSSL3 when cryptsetup
needs legacy hashes (currently ripemd160 and whirlpool). (LP: #1979159)
[ Guilhem Moulin ]
* New DEP-8 test for crude checks of the initramfs hook.
* Minor changes to the legacy.so inclusion logic.
* DEP-8: Add checks for OpenSSL's legacy.so inclusion.
* d/rules: Inspect DEB_BUILD_* with $(filter ,) not $(findstring ,).
* initramfs boot script: Remove custom LVM handling. Since 2.03.15-1 lvm2
doesn't ship an initramfs boot script anymore and relies solely on udev
rules instead. We therefore don't have to manually activate LVs/VGs
anymore, but cryptsetup-initramfs now conflicts with earlier lvm2
versions. (Closes: #928943)
* Override lintian tag 'conflicts-with-version' given the above.
* initramfs hook: Don't overwrite crypttab(5) source to /dev/mapper/$NAME
for mapped devices. (Closes: #1016455)
* initramfs hook: Preserve crypttab source specifications and devices
starting with /dev/disk/by- or /dev/mapper/.
* d/README.initramfs: Improve section about cryptopts= kernel parameter.
* d/Debian.README: Mention that systemd masks /etc/init.d/cryptdisks.
(Closes: #1010708)
* Rename systemd_cryptsetup-suspend.conf to systemd/cryptsetup-suspend.conf.
* cryptsetup-suspend-wrapper: Fix grep calls in some corner cases such as
template cgroups.
* cryptsetup-suspend-wrapper: Avoid double slash in cgroup paths.
* cryptsetup-suspend-wrapper: Consolidate style.
* d/t/cryptroot-*: Relax the kernel.deb regex to account for release
candidates.
* d/t/cryptroot-*: Add more partition type GUIDs.
* d/t/cryptroot-*: Improve sources.list(5) generation.
* d/t/cryptroot-*: Make APT repository Origin and URI configurable.
* d/t/cryptroot-*: Start udevd before setting up the guest.
* d/t/cryptroot-*: Use a separate /run partition when bootstrapping.
* Run `chmod +x d/t/cryptdisks d/t/utils/init` for consistency.
* d/t/cryptroot-*.d/config: Remove 'cryptsetup' from PKGS_EXTRA as it's only
needed for cryptroot-sysvinit.
* d/t/cryptroot-sysvinit: Rename 'rootfs.key' keyfile to 'homefs.key' which
better describes the purpose of the keyfile.
* d/t/cryptroot-*: Replace /target with '$ROOT'.
* d/t/cryptroot-*: Rename 'testvg' Volume Group to 'cryptvg'.
* d/t/cryptroot-*: Add note about testing cryptsetup-suspend.
* d/t: Add convenience wrapper script for local cryptroot-* test runs.
* New DEP-8 test for LVM-on-MD-on-LUKS2 layout backed by 4 independently
encrypted partitions (all unlocked at initramfs stage).
* New DEP-8 test for a complex nested block device stack.
* Salsa CI: Disable autopkgtest job for now.
-- Guilhem Moulin <guilhem@debian.org> Tue, 09 Aug 2022 01:40:50 +0200
cryptsetup (2:2.5.0-1) unstable; urgency=medium
* New upstream release. (Closes: #1000634, #1011128)
* d/copyright: Fix licence for tokens/ssh/cryptsetup-ssh.c.
* Remove patches applied upstream.
* Rename 'ssh-plugin-test' to 'ssh-test-plugin'.
* Add DEP-8 tests for cryptroot unlocking at early boot stage.
-- Guilhem Moulin <guilhem@debian.org> Fri, 29 Jul 2022 16:31:23 +0200
cryptsetup (2:2.5.0~rc1-3) experimental; urgency=medium
* DEP-8: Add 'Features: test-name=' in order to name inline tests.
* d/t/control: Add 'Restrictions: rw-build-tree' to upstream-testsuite.
* d/control: Remove cryptsetup-reencrypt from cryptsetup-bin package
description since the utility was removed upstream in v2.5.0-rc1.
* d/changelog: Retroactively correct 2:2.4.0~rc0-1+exp1 entry.
* Update d/patches with what's landed upstream since v2.5.0-rc1.
* d/patches, d/rules: Pass $(LDFLAGS) when building fake_token_path.so and
no longer silence blhc(1) for test files.
* Move SSH token plugin stuff into new binary package 'cryptsetup-ssh'.
That plugin is arguably not useful for everyone and we can save the
'Depends: libssh-4' on cryptsetup-bin by moving cryptsetup-ssh(8) and
libcryptsetup-token-ssh.so to a separate package. Since LUKS2 SSH token
support was added after the Bullseye release, and since it is still in
experimental stage, we don't let cryptsetup-bin or cryptsetup depend on
the new binary package. Users who need that feature will need to install
it manually.
-- Guilhem Moulin <guilhem@debian.org> Thu, 21 Jul 2022 20:41:20 +0200
cryptsetup (2:2.5.0~rc1-2) experimental; urgency=medium
* localtest: Treat skipped tests as failure for full coverage.
* d/watch: Add uversionmangle option for release candidates.
* unit-wipe-test: Skip DIO tests when the file system doesn't support
O_DIRECT. This is needed on the buildds where the source tree appears to
be on a tmpfs.
-- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jul 2022 20:49:13 +0200
cryptsetup (2:2.5.0~rc1-1) experimental; urgency=low
* New upstream release candidate 2.5.0. Highlights include:
+ Remove cryptsetup-reencrypt(8) executable, use `cryptsetup reencrypt`
instead (for both LUKS1 and LUKS2).
+ Split manual pages into per-action pages, for instance cryptsetup-open.8
which can be consulted with `man cryptsetup open`.
+ Add LUKS2 encryption removal support with `cryptsetup reencrypt
--decrypt`.
+ Preserve unknown metadata option (features implemented in more recent
cryptsetup releases) during reencryption.
* Salsa CI's deploy stage: Use a Bullseye image.
* Salsa CI's deploy stage: Use apt-get(8) not apt(8).
* Salsa CI's deploy stage: Replace `cp` with `install`.
* Salsa CI's reprotest job: Remove '--no-diffoscope' flag.
* Salsa CI's reprotest job: Update reason for running under 'nocheck' build
profile.
* d/README.source: Update text to reflect current practices.
* DEP-8: Run installed binaries and libraries through the full upstream test
suite (needs machine-level isolation).
* Retroactivately add NEWS.Debian for #949336.
* d/t/control: Add 'Depends: xxd' for 'Tests: cryptdisks' stanza.
* foreach_cryptdev(): Process each device *after* its slaves.
* do_stop(): Remove device holders beforehand. (Closes: #1006802)
* Fix space damage.
* d/u/metadata: Add FAQ URL.
* Refresh lintian overrides to accommodate lintian v2.115.
* d/control: New Build-Depends: asciidoctor (unless under 'nodoc' build
profile).
* d/cryptsetup.docs: Fix FAQ filename.
* Move usr/share/man/*/* glob to debian/*.manpages where it belongs.
* Update d/libcryptsetup12.symbols.
* Bump Standards-Version to 4.6.1 (no changes needed).
* Update d/copyright.
-- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jul 2022 01:49:59 +0200
cryptsetup (2:2.4.3-1) unstable; urgency=high
[ Guilhem Moulin ]
* New upstream security release 2.4.3, with fix for CVE-2021-4122:
decryption through LUKS2 reencryption crash recovery. (Closes: #1003685,
#1003686)
* Remove cryptsetup-initramfs.preinst. (Closes: #1001063)
[ Christoph Anton Mitterer ]
* d/rules: don't expand here-document.
-- Guilhem Moulin <guilhem@debian.org> Thu, 13 Jan 2022 19:07:05 +0100
cryptsetup (2:2.4.2-1) unstable; urgency=high
* New upstream bugfix release 2.4.2.
* d/control: Replace Build-Depends on removed package libsepol1-dev with
libsepol-dev. (Closes: #999815)
* blkid/un_blkid checks: Ignore large offsets when converting from sectors
to bytes.
* crypttab(5): Formatting fix.
* Refresh d/copyright.
* Refresh lintian overrides to accommodate lintian v2.112.
-- Guilhem Moulin <guilhem@debian.org> Thu, 18 Nov 2021 17:15:08 +0100
cryptsetup (2:2.4.1-1) unstable; urgency=medium
[ Guilhem Moulin ]
* New upstream bugfix release 2.4.1.
* d/rules:
+ Use execute_after_dh_* from Debhelper compatibility level 13 when
relevant.
+ Skip documentation generation under nodoc profile.
+ Add new target execute_before_dh_auto_test so blhc ignores compilations
of tests/*.c.
* d/cryptsetup-initramfs.lintian-overrides: Refresh for lintian 2.107.0.
* crypttab(5):
+ Improve documentation about escape sequences.
+ Document that keyscript= can also take an absolute path.
(Closes: #994219)
+ Document that keyscript's exit status is ignored.
+ Various typo fixes and manpages improvements.
* initramfs: Add new hook configuration option ASKPASS=[Yn] to opt out from
askpass inclusion. (Closes: #994486)
* d/cryptsetup-initramfs.post*: Replace `which` with `command -v`.
* Merge debian/experimental branch and bring cryptsetup-suspend to sid.
* d/bash_completion: s/mawk/awk/. We're only using the POSIX subset so any
implementation should work. (Closes: #993374)
* Add DEP-8 tests for cryptdisks_start and cryptdisks_stop covering most of
d/functions and d/cryptdisks-functions. The testbed requires
'isolation-machine' restriction since we need to load kernel modules and
create loop devices.
* d/gbp.conf, d/watch: Explicitly use gzip compression.
[ Christoph Anton Mitterer ]
* d/functions: Export _CRYPTTAB_* to the keyscript's environment.
[ Lukas Schwaighofer ]
* initramfs: Honor activation/auto_activation_volume_list setting.
(Closes: #993725)
[ Thorsten Glaser ]
* blkid/un_blkid checks: Honor offset= option. (Closes: #994056)
-- Guilhem Moulin <guilhem@debian.org> Fri, 08 Oct 2021 14:27:03 +0200
cryptsetup (2:2.4.0-1+exp1) experimental; urgency=medium
* Upload to experimental.
* d/rules: Prefix /lib/systemd/system-shutdown/cryptsetup-suspend.shutdown
with /usr to fix FTBS with debhelper 13.4; see #992469.
-- Guilhem Moulin <guilhem@debian.org> Thu, 19 Aug 2021 22:55:02 +0200
cryptsetup (2:2.4.0-1) unstable; urgency=low
[ Guilhem Moulin ]
* New upstream release.
* Salsa CI: Set SALSA_CI_BLHC_ARGS to avoid failing when *test* files are
built without the "right" LDFLAGS.
* Remove obsolete upstart configuration files on upgrade and purge.
(Closes: #990490)
* d/*.{pre,post}*: Explicitly exit with status code 0.
* d/copyright: Set field Upstream-Name.
* d/control: Bump Standards-Version to 4.6.0 (no changes necessary).
* d/control: Remove cryptsetup-run from cryptsetup's Recommends.
(Closes: #987769)
* d/control: Demote cryptsetup-initramfs from cryptsetup's Recommends to
Suggests. This concludes the package split started in 2:2.0.3-1 during
the Buster release cycle.
[ Ayla Ounce ]
* Add support for --perf_* flags to initramfs.
-- Guilhem Moulin <guilhem@debian.org> Thu, 19 Aug 2021 03:11:11 +0200
cryptsetup (2:2.4.0~rc1-1+exp1) experimental; urgency=medium
* New upstream release candidate.
* d/copyright: Update file.
* d/cryptsetup.docs: Add upstream's README.md.
* d/TODO.md: Remove implemented `luksSuspend` integration.
-- Guilhem Moulin <guilhem@debian.org> Fri, 30 Jul 2021 02:37:32 +0200
cryptsetup (2:2.4.0~rc0-1+exp1) experimental; urgency=medium
* New upstream release candidate 2.4.0. Highlights include:
+ Support for external libraries (plugins) for handling LUKS2 token
objects.
+ Experimental SSH token handler and cryptsetup-ssh(8) utility (resp.
shipped in the 'cryptsetup' and 'cryptsetup-bin' binary packages) as a
demonstration of the external LUKS2 token interface. This adds
libssh-dev to build-depends.
+ Change default LUKS2 PBKDF to Argon2id from Argon2i.
+ Increase minimal memory cost for Argon2 benchmark to 64MiB (suggested
value in Argon2 RFC).
+ Autodetect optimal encryption sector size on LUKS2 format.
+ integritysetup: add integrity-recalculate-reset flag.
+ cryptsetup: retains keyslot number in luksChangeKey for LUKS2.
+ Add close --deferred and --cancel-deferred options.
-- Guilhem Moulin <guilhem@debian.org> Tue, 06 Jul 2021 10:18:17 +0200
cryptsetup (2:2.3.6-1+exp1) experimental; urgency=medium
* New upstream bugfix release. (Closes: #949336)
-- Guilhem Moulin <guilhem@debian.org> Fri, 28 May 2021 22:54:20 +0200
cryptsetup (2:2.3.5-1+exp1) experimental; urgency=medium
* Upload to experimental.
-- Guilhem Moulin <guilhem@debian.org> Thu, 11 Mar 2021 23:36:01 +0100
cryptsetup (2:2.3.5-1) unstable; urgency=medium
* New upstream bugfix release. (Closes: #985581)
* d/watch: Monitor upstream tags rather than tarballs.
* d/gbp.conf: Set 'upstream-vcs-tag' to add upstream tag as additional
parent.
* Simplify d/README.source in accordance with the above.
* Rename d/upstream-signing-key.asc to d/upstream/signing-key.asc as uscan
is now able to verify git tags.
* encrypted-boot.md: Clarify how to solve double password prompt for the
device holding /boot.
* d/copyright: Update copyright year.
-- Guilhem Moulin <guilhem@debian.org> Fri, 02 Apr 2021 23:43:41 +0200
cryptsetup (2:2.3.4-2+exp1) experimental; urgency=medium
* Upload to experimental.
-- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 19:55:25 +0100
cryptsetup (2:2.3.4-2) unstable; urgency=medium
[ Guilhem Moulin ]
* d/control: Remove Build-Depends: dh-exec. In compatibility level 13
Debhelper supports variable expansion, which was why we used dh-exec in
the first place.
* libcryptsetup-dev: Install libcryptsetup.so to /lib/$DEB_HOST_MULTIARCH
not /usr/lib/$DEB_HOST_MULTIARCH (closes: #978585), and override
subsequent lintian warning per #843932.
* d/*.install: Replace wildcard with $DEB_HOST_MULTIARCH for consistency.
* d/cryptsetup.lintian-overrides: Rename "init.d-script-does-not-implement-
optional-option $FOO status" tags to "init.d-script-does-not-implement-
status-option $FOO".
* Bump Standards-Version to 4.5.1 (no changes necessary).
* d/cryptdisks-functions: Rename left-over loop_cryptdevs() to
foreach_cryptdev(). Regression from 2:2.3.0-1. (Closes: #974591)
* Initramfs boot script: Drop `lvm vgchange`'s --ignoreskippedcluster flag
which is now a no-op.
* Make d/cryptsetup-initramfs.preinst mangling idempotent.
* Rename Debian resp. upstream branch to debian/latest resp. upstream/latest
for DEP-14 compliance.
* Rename d/gitlab-ci.yml to d/salsa-ci.yml.
* Consolidate d/gbp.conf.
* cryptsetup-initramfs now requires initramfs-tools 0.137 or later and no
longer copies libgcc_s.so.1 to the initrd since recent initramfs-tools
take care of it.
* Add libcryptsetup.la to debian/not-installed.
[ Guilherme G. Piccoli ]
* Initramfs boot script: Fix a deadlock when cryptroot would wait at
local-top stage for a device to appear, while the device would only be
created at local-block stage. This can be the case in dm-crypt-over-MD
scenario when booting the RAID array in degraded mode. (Closes: #933059)
[ Felix C. Stegerman ]
* Fix typo in README.gnupg-sc
-- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 19:16:40 +0100
cryptsetup (2:2.3.4-1+exp1) experimental; urgency=medium
* Upload to experimental.
-- Guilhem Moulin <guilhem@debian.org> Fri, 04 Sep 2020 00:55:41 +0200
cryptsetup (2:2.3.4-1) unstable; urgency=high
* New upstream bugfix release, including fix for CVE-2020-14382:
possible out-of-bounds memory write while validating LUKS2 data
segments metadata on 32-bits platforms. (Closes: #969471)
-- Guilhem Moulin <guilhem@debian.org> Fri, 04 Sep 2020 00:30:40 +0200
cryptsetup (2:2.3.3-3+exp3) experimental; urgency=medium
* d/control: Make cryptsetup-suspend explicitly depend on
initramfs-tools-core as we use unmkinitramfs(8) in the wrapper.
* systemd-suspend.service override: Set OOMScoreAdjust to -1000 to
disable OOM killing of processes of the unit. Thanks, ಚಿರಾಗ್.
(Closes: #968569)
* d/doc/cryptsetup-suspend.xml: Document that key material included in the
initramfs image will remain unencrypted (see #969286).
-- Guilhem Moulin <guilhem@debian.org> Mon, 31 Aug 2020 00:09:10 +0200
cryptsetup (2:2.3.3-3+exp2) experimental; urgency=medium
* d/control: Typofix in cryptsetup-suspend's long description.
(Closes: #968455)
* d/control: Make cryptsetup-suspend explicitly depend on kbd as we use
openvt(1) in the systemd-suspend.service override. (Closes: #969226)
* d/*: Run wrap-and-sort(1).
* d/scripts/suspend/cryptsetup-suspend-wrapper:
+ Parse /proc/meminfo in a single pass using shell builtins rather than
calling awk(1).
+ Use "/boot/initrd.img-$(uname -r)" as path to the initrd instead of
deriving it from the kernel command line. BOOT_IMAGE's value is
relative to the boot's loader viewpoint, which might differ from that of
the main system.
+ run_dir(): Prefer find(1)'s -execdir option over -exec.
+ Conditionally remove/copy firmware into the initramfs image.
(Closes: #969270)
* d/rules: Build our scripts with `-Wall -Werror`.
* d/cryptsetup-suspend.{postinst,postrm}: Call `systemctl daemon-reload`,
which appears to be needed on upgrades. (dh_installsystemd(1) doesn't
support overrides so we manually copy the snippet it would add.)
-- Guilhem Moulin <guilhem@debian.org> Sun, 30 Aug 2020 18:01:49 +0200
cryptsetup (2:2.3.3-3+exp1) experimental; urgency=medium
* Add new binary package 'crypsetup-suspend', which implements support
to luksSuspend LUKS devices before ACPI S3 system suspend.
+ See the cryptsetup-suspend(7) manpage for further information.
-- Jonas Meurer <jonas@freesources.org> Wed, 12 Aug 2020 21:29:31 +0200
cryptsetup (2:2.3.3-2) unstable; urgency=medium
[ Helmut Grohne ]
* d/control: Annotate Build-Depends with <!nocheck>. (Closes: #964092)
[ Guilhem Moulin ]
* d/rules: Build with `--with-tmpfilesdir` to force installing
usr/lib/tmpfiles.d/cryptsetup.conf instead of picking the source from
scripts/cryptsetup.conf. This fixes FTBS in environments containing
systemd. (Closes: #968250)
* Add 'bitlk' flag in crypttab(5) to force detection of Windows BitLocker
volumes. (Closes: #967853)
-- Guilhem Moulin <guilhem@debian.org> Wed, 12 Aug 2020 00:22:59 +0200
cryptsetup (2:2.3.3-1) unstable; urgency=medium
[ Guilhem Moulin ]
* New upstream bugfix release.
* d/scripts/decrypt_derived: Remove useless call to `| tr -d '\n'`.
* d/control: Bump debhelper compatibility level to 13. Remove
debian/tmp/lib/$DEB_HOST_MULTIARCH/libcryptsetup.la as we don't install it
anywhere.
[ Rob Pilling ]
* d/scripts/decrypt_derived:
+ move an error message to standard error so it's not accidentally used as
a key
+ exit with a success code when successful
-- Guilhem Moulin <guilhem@debian.org> Thu, 04 Jun 2020 01:41:44 +0200
cryptsetup (2:2.3.2-1) unstable; urgency=medium
* New upstream release.
* debian/control: Set 'Rules-Requires-Root: no'.
* d/initramfs/hooks/cryptroot: Unconditionally copy 'ecb' kernel module
when the host CPU lacks AES-NI support. On such systems XTS needs ECB.
This is a work around for #883595 on kernels 4.10 and later.
(Closes: #959423)
-- Guilhem Moulin <guilhem@debian.org> Wed, 06 May 2020 16:22:01 +0200
cryptsetup (2:2.3.1-1) unstable; urgency=medium
* New upstream release.
* d/initramfs/hooks/cryptroot: Don't set unused variable LIBC_DIR.
-- Guilhem Moulin <guilhem@debian.org> Tue, 24 Mar 2020 02:07:07 +0100
cryptsetup (2:2.3.0-1) unstable; urgency=low
* New upstream release, introducing support for BitLocker-compatible
devices (BITLK format) used in Windows systems.
WARNING: crypttab(5) support for these devices is currently *experimental*
and requires blkid from util-linux >=2.33 (i.e., Buster or later). These
devices currently have no keyword to use in the 4th field (unlike 'luks'
or 'plain'), the device type is inferred from the signature instead.
* crypttab(5): Make the 4th field (options) optional so we don't have to
introduce a new keyword for each new device type. (That field is also
optional in the systemd implementation.) Other fields (dm target name,
source device, and key file) remain required.
* Install cryptdisks_{start,stop} bash completion scripts to the right
path/name so they are loaded automatically. This was no longer the case
since 2:1.7.0-1. (Closes: #949623)
* d/*.install: Replace tabs with spaces.
* d/cryptdisks-functions: Fix broken $FORCE_START handling. Since
2:2.0.3-2 the SysV init scripts' "force-start" option was no longer
overriding noauto/noearly. (Closes: #933142)
* Move some functions to d/function from the initramfs hook.
* SysV init scripts: skip devices holding the root FS and/or /usr during the
shutdown phase; these file systems are still mounted at this point so any
attempt to gracefully close the underlying device(s) is bound to fail.
(Closes: #916649, #918008)
* Bump Standards-Version to 4.5.0 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Wed, 04 Mar 2020 00:48:19 +0100
cryptsetup (2:2.2.2-3) unstable; urgency=high
* initramfs hook: Workaround fix for the libgcc_s's source location.
(Closes: #950628, #939766.) Fixing #950254 will provide a better
solution.
-- Guilhem Moulin <guilhem@debian.org> Tue, 04 Feb 2020 14:11:12 +0100
cryptsetup (2:2.2.2-2) unstable; urgency=medium
[ Guilhem Moulin ]
* d/initramfs/hooks/cryptroot: On initramfs images built with MODULES=dep,
include the IV generator found in the cipher specification when there is a
matching kernel module. On 5.4 kernels ESSIV isn't implemented in
dm_crypt anymore, but by a dedicated 'essiv' module which thus needs to be
available in order to unlock dm-crypt target using 'aes-cbc-essiv:sha256'.
Closes: #948593.
[ Debian Janitor ]
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
Repository-Browse.
-- Guilhem Moulin <guilhem@debian.org> Sat, 18 Jan 2020 20:53:19 +0100
cryptsetup (2:2.2.2-1) unstable; urgency=medium
* New upstream bugfix release.
* debian/control:
+ Add 'procps' to the Build-Depends since the upstream test suite uses
free(1).
+ Bump Standards-Version to 4.4.1 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Fri, 01 Nov 2019 19:32:36 +0100
cryptsetup (2:2.2.1-1) unstable; urgency=medium
* New upstream bugfix release.
* Remove d/patches, applied upstream.
-- Guilhem Moulin <guilhem@debian.org> Fri, 06 Sep 2019 13:28:55 +0200
cryptsetup (2:2.2.0-3) unstable; urgency=medium
* Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702)
-- Guilhem Moulin <guilhem@debian.org> Mon, 26 Aug 2019 12:53:45 +0200
cryptsetup (2:2.2.0-2) unstable; urgency=medium
* debian/control: Add 'Multi-Arch: foreign' tag to the transitional dummy
package 'crytsetup-run'.
* debian/control, debian/compat: Bump debhelper compatibility level to 12.
* debian/rules: Remove dh_makeshlibs(1) override; debhelper 12.3's auto
detection feature subsumes our use of --add-udeb=. This fixes FTBFS with
debhelper 12.5.
-- Guilhem Moulin <guilhem@debian.org> Wed, 21 Aug 2019 22:45:12 +0200
cryptsetup (2:2.2.0-1) unstable; urgency=medium
* New upstream release 2.2.0. Highlights include:
+ New LUKS2 online reencryption extension, allowing reencryption of
mounted LUKS2 devices.
+ Optional global serialization lock for memory hard PBKDF, to workaround
situations when multiple devices are unlocked in parallel, possibly
exhausting memory and triggering the OOM killer. (Cf. #924560.)
+ Add integritysetup support for bitmap mode (Linux >=5.2).
+ Reduce keyslots area size in luksFormat when the header device is too
small.
* Remove d/patches, applied upstream.
-- Guilhem Moulin <guilhem@debian.org> Thu, 15 Aug 2019 09:31:55 +0200
cryptsetup (2:2.1.0-8) unstable; urgency=medium
* encrypted-boot.md:
+ Clarify partition layout.
+ encrypted-boot.md: New section 'Using a custom keyboard layout'.
* d/gbp.conf: New section [export-orig] mirroring [buildpackage].
* d/gitlab-ci.yml: Add 'publish' stage and make yamllint(1) happy.
* d/patches: Backport upstream commit c03e3fe8 so libcryptsetup's
crypt_keyslot_add_by_volume_key() also works a on LUKS2 header where all
bound key slots were deleted, like it does for LUKS1. (Closes: #934715)
-- Guilhem Moulin <guilhem@debian.org> Wed, 14 Aug 2019 16:34:23 +0200
cryptsetup (2:2.1.0-7) unstable; urgency=low
* debian/cryptsetup.NEWS: Mention the 'cryptsetup' and 'cryptsetup-run'
package swap.
* debian/control: Add 'cryptsetup-initramfs' to 'cryptsetup's Recommends:,
so upgrading systems pull it automatically on upgrade. (cryptsetup
<2:2.1.0-6 was a dummy transitional package depending on cryptsetup-run
and cryptsetup-initramfs.) Closes: #932643.
* debian/control: Add 'cryptsetup-run' to 'cryptsetup's Recommends. This
avoids it being removed by `apt upgrade --autoremove` from <2:2.1.0-6,
thus avoids the old cryptsetup-run's prerm script showing a scary (but
moot) warning. After upgrading the prerm script is gone and the package
can be removed without troubles, so we can get rid of it after Bullseye.
(Closes: #932625.)
* cryptsetup-initramfs: Add loud warning upon "prerm remove" if there are
mapped crypt devices (like for cryptsetup.prerm).
* Thanks to David Prévot for helping with the upgrade path!
-- Guilhem Moulin <guilhem@debian.org> Sun, 21 Jul 2019 21:21:10 -0300
cryptsetup (2:2.1.0-6) unstable; urgency=low
* debian/control:
+ Add 'Multi-Arch: foreign' tags to 'cryptsetup-bin' and 'crytsetup-run',
as binaries from these packages are architecture independent.
(Closes: #930115)
+ Add 'Build-Depends: jq, xxd' as the jq(1) and xxd(1) executables are
required for some upstream tests (skipped if the executables are not
found in $PATH).
+ Swap 'cryptsetup' and 'cryptsetup-run' packages: the former now contains
init scripts, libraries, keyscripts, etc. while the latter is now a
transitional dummy package.
+ Remove obsolete cryptsetup.maintscript.
+ Bump Standards-Version to 4.4.0 (no changes necessary).
* debian/*:
+ Fix path names for /usr/share/doc/cryptsetup*/**. (Closes: #904916).
+ Remove compatibility warnings regarding setting 'CRYPTSETUP' in
the initramfs hook configuration. The variable is no longer honored,
and cryptsetup is always integrated to the initramfs when the
'cryptsetup-initramfs' package is installed.
* debian/doc/pandoc/encrypted-boot.md: Minor refactoring.
* debian/gitlab-ci.yml: Adapt pandoc flags to Debian 9 (pass '-S').
* debian/initramfs/conf-hook: Clarify that KEYFILE_PATTERN isn't expanded
for crypttab(5) entries with a 'keyscript=' option. (Closes: #930696)
* debian/doc/crypttab.xml: Point to README.initramfs in the "See Also"
section. (Closes: #913233)
-- Guilhem Moulin <guilhem@debian.org> Sat, 20 Jul 2019 22:15:04 -0300
cryptsetup (2:2.1.0-5) unstable; urgency=medium
[ Jonas Meurer ]
* debian/README.*: Fix markdown formatting issues
* Copy https://wiki.debian.org/CryptsetupDebug to debian/README.debug
[ Guilhem Moulin ]
* d/README.Debian: New section "Unlocking LUKS devices from GRUB" pointing
to https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html .
-- Guilhem Moulin <guilhem@debian.org> Mon, 10 Jun 2019 14:51:15 +0200
cryptsetup (2:2.1.0-4) unstable; urgency=medium
[Guilhem Moulin]
* d/initramfs/hooks/cryptroot: Always add userspace crypto module
('algif_skcipher' kernel module) to the initramfs. This module is
required for required for opening LUKS2 devices, and since 2:2.0.2-2 it's
added to large initramfs (i.e., when the MODULES variable isn't set to
"dep"). It's now added regardless of the value of $MODULES, as 1/ LUKS2
is the default LUKS header format version; and 2/ we can't check at
initramfs creation time whether there are LUKS2 devices to be opened at
early boot stage (detached headers might not be present then).
Closes: #929616.
[Jonathan Dowland]
* Update package descriptions to reflect the move of luksformat from
cryptsetup-bin to cryptsetup-run. Closes: #928751.
-- Guilhem Moulin <guilhem@debian.org> Tue, 28 May 2019 17:04:16 +0200
cryptsetup (2:2.1.0-3) unstable; urgency=medium
* d/scripts/decrypt_opensc: Fix standard output poisoning. Thanks to Nils
Mueller for the report and patch. (Closes: #926573.)
* d/initramfs/hooks/cryptopensc: Ensure that libpcsclite.so is copied to the
initramfs on non-usrmerge systems. (Closes: #928263.)
-- Guilhem Moulin <guilhem@debian.org> Tue, 30 Apr 2019 21:20:47 +0200
cryptsetup (2:2.1.0-2) unstable; urgency=medium
* debian/copyright:
+ Update copyright years.
+ Add OpenSSL linking exception, in accordance with upstream's "COPYING"
and "COPYING.LGPL" files. Since 2:2.1.0-1 the cryptsetup binaries and
library are linked against libssl, which is the new upstream default
backend for LUKS header processing.
* debian/askpass.c: in the console backend, clear stdin's end-of-file
indicator before calling getline() again. Thanks to Ken Milmore for the
detailed report and patch. (Closes: #921906.)
-- Guilhem Moulin <guilhem@debian.org> Thu, 28 Feb 2019 22:32:43 +0100
cryptsetup (2:2.1.0-1) unstable; urgency=medium
* New upstream release. Highlights include:
- The on-disk LUKS format version now defaults to LUKS2 (use `luksFormat
--type luks1` to use LUKS1 format). Closes: #919725.
- The cryptographic backend used for LUKS header processing is now libssl
instead of libgcrypt.
- LUKS' default key size is now 512 in XTS mode, half of which is used for
block encryption. XTS mode uses two internal keys, hence the previous
default key size (256) caused AES-128 to be used for block encryption,
while users were expecting AES-256.
[ Guilhem Moulin ]
* Add docs/Keyring.txt and docs/LUKS2-locking.txt to
/usr/share/doc/cryptsetup-run.
* debian/README.Debian: Mention that for non-persistent encrypted swap one
should also disable the resume device.
* debian/README.initramfs: Mention that keyscript=decrypt_derived normally
won't work with LUKS2 sources. (The volume key of LUKS2 devices is by
default offloaded to the kernel keyring service, hence not readable by
userspace.) Since 2:2.0.3-5 the keyscript loudly fails on such sources.
* decrypt_keyctl keyscript: Always use our askpass binary for password
prompt (fail instead of falling back to using stty or `read -s` if askpass
is not available). askpass and decrypt_keyctl are both shipped in our
'cryptsetup-run' and 'cryptsetup-udeb' binary packages, and the cryptsetup
and askpass binaries are added together to the initramfs image.
* decrypt_keyctl: Document the identifier used in the user keyring:
"cryptsetup:$CRYPTTAB_KEY", or merely "cryptsetup" if "$CRYPTTAB_KEY" is
empty or "none". The latter improves compatibility with gdm and
systemd-ask-password(1).
* debian/*: run wrap-and-sort(1).
* debian/doc/crypttab.xml: mention `cryptsetup refresh` and the `--persistent`
option flag.
* debian/control: Bump Standards-Version to 4.3.0 (no changes necessary).
[ Jonas Meurer ]
* Update docs about 'discard' option: Mention in manpage, that it's enabled
per default by Debian Installer. Give advice to add it to new devices in
/etc/crypttab and add it to crypttab example entries in the docs.
-- Guilhem Moulin <guilhem@debian.org> Sat, 09 Feb 2019 00:40:17 +0100
cryptsetup (2:2.0.6-1) unstable; urgency=medium
* New upstream bugfix release. Highlights include:
- Fix support of larger metadata areas in LUKS2 header.
- Fix checking of device size alignment and hash & AEAD algorithms to
avoid formatting devices that later cannot be activated.
- Fix cryptsetup-reencrypt interrupt handling.
- Allow Adiantum cipher construction (require Linux 4.21 or later).
-- Guilhem Moulin <guilhem@debian.org> Mon, 03 Dec 2018 20:16:07 +0100
cryptsetup (2:2.0.5-2) unstable; urgency=medium
* debian/initramfs/hooks/*: Skip call to copy_file() when the target already
exists (as the function return value 1 in the case).
* OpenPGP Smartcard support, based on work by Peter Lebbing and Erik
Nellessen. (Closes: #888916, #903163.)
* Move header presence check to crypttab_parse_options() from
unlock_mapping(). Having the presence checks in unlock_mapping() caused
dummy password prompts in interactive mode when the LUKS header file was
missing. Regression since 2:2.0.3-2. (Closes: #914458.)
-- Guilhem Moulin <guilhem@debian.org> Sat, 24 Nov 2018 18:34:42 +0100
cryptsetup (2:2.0.5-1) unstable; urgency=medium
* New upstream release.
* Remove d/patches/Disable-blockwise-compat-test-as-it-s-FS-dependent.patch
as the test suite no longer fails on misaligned I/O in O_DIRECT mode.
(Cf. upstream issue #403.)
-- Guilhem Moulin <guilhem@debian.org> Mon, 29 Oct 2018 12:21:00 +0100
cryptsetup (2:2.0.4-3) unstable; urgency=medium
[ Guilhem Moulin ]
* debian/initramfs/hooks/cryptroot:
+ Make _CRYPTTAB_* variables local to crypttab_find_and_print_entry().
(Closes: #907243.)
+ Silence the warning that honoring CRYPTSETUP="[y|n]" in the config is
deprecated when the variable is set to "y". (Keep the warning when it's
set to "n" though.) Closes: #908220.
* debian/functions: Make get_crypt_type() set variable CRYPTTAB_TYPE to the
type of crypt device ("luks" / "plain" / "tcrypt").
* debian/initramfs/scripts/local-top/cryptroot: Don't complain that
(successful) unlocking of a LUKS device doesn't yield a known file system.
The check is preserved for plain dm-crypt devices and tcrypt devices.
(Closes: #906283.)
* debian/control: Bump Standards-Version to 4.2.1 (no changes necessary).
* debian/doc/crypttab.xml: Improve formatting.
* debian/cryptsetup-run.lintian-overrides: Remove unused override
init.d-script-possible-missing-stop (x2).
* debian/libcryptsetup12.symbols: Add "Build-Depends-Package:
libcryptsetup-dev" field.
[ Helmut Grohne ]
* Fix FTCBFS: Supply $(CC) from dpkg's buildtools.mk. (Closes: #911042)
[ Dimitri John Ledkov ]
* Implement support for `cryptsetup --sector-size` in crypttab(5).
LP: #1776626.
-- Guilhem Moulin <guilhem@debian.org> Mon, 22 Oct 2018 17:45:35 +0200
cryptsetup (2:2.0.4-2) unstable; urgency=medium
* debian/cryptsetup-initramfs.preinst: Don't try to overwrite
/etc/cryptsetup-initramfs/conf-hook if that file doesn't exist. (The fix
for #905188 broke 2:2.0.4-1's instability on sid.) Closes: #905514.
* debian/control: Bump Standards-Version to 4.2.0 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Tue, 07 Aug 2018 17:25:30 +0200
cryptsetup (2:2.0.4-1) unstable; urgency=medium
* New upstream release. Add 'libblkid-dev' to Build-Depends since
libcryptsetup and utilities are now linked to libblkid.
* debian/cryptsetup-initramfs.preinst: Improve conffile ownership transfer
from 'cryptsetup' to 'cryptsetup-initramfs' to comply with Policy §10.7.3.
(Closes: #905188.)
-- Guilhem Moulin <guilhem@debian.org> Sun, 05 Aug 2018 04:59:10 +0800
cryptsetup (2:2.0.3-7) unstable; urgency=medium
* debian/scripts/gen-ssl-key: avoid storing temporary key file on disk.
* debian/initramfs/*, debian/scripts/*: improve quoting.
* debian/initramfs/cryptroot-unlock: Normalize paths before comparison.
This fixes usage on initramfs images with an usrmerge layout, such as
images made by mkinitramfs(8) from initramfs-tools-core 0.132. (Closes:
#904926.)
* debian/functions: crypttab_find_entry(), crypttab_foreach_entry(): return
gracefully if $TABFILE doesn't exist.
-- Guilhem Moulin <guilhem@debian.org> Mon, 30 Jul 2018 16:32:07 +0800
cryptsetup (2:2.0.3-6) unstable; urgency=medium
* debian/TODO.md: Remove mention of parent device detection for mdadm
(#629236) as it's fixed since 2:2.0.3-2.
* debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
fixes.
* debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
add configure flag '--disable-internal-tests'. The internal test suite is
run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
variable contains the string "nocheck".
* debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
When the 2nd column of a crypttab entry denodes a block special device,
resolve the device but don't convert it to /dev/block/$major:$minor.
(Closes: #903246.)
* debian/initramfs/hooks/cryptroot:
+ Treat null device numbers as invalid in resolve_device(), cf.
/Documentation/admin-guide/devices.txt in the kernel source tree.
+ generate_initrd_crypttab(): add '\n' to the local IFS since
get_resume_devno() prints one major:minor pair per line.
* debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
+ Save process ID of the pcscd daemon at local-top stage, and kill it at
local-bottom stage. Thanks to Pascal Vibet for the patch.
(Closes: #903574.)
+ Fix path to the pcscd executable (the fix for #880750 was incomplete).
* debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
since 2:2.0.3-2.
* debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
$CRYPTTAB_NAME not $crypttarget).
-- Guilhem Moulin <guilhem@debian.org> Fri, 13 Jul 2018 22:10:43 +0200
cryptsetup (2:2.0.3-5) unstable; urgency=medium
[ Jonas Meurer ]
* debian/askpass.c, debian/scripts/passdev.c, debian/rules:
+ Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
+ Drop c99 std, as the default is now higher than that
* debian/control:
+ Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.
[ Guilhem Moulin ]
* debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
crypttab(5).
* debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
read-only mapping. Cf. `cryptsetup --readonly`.
* debian/initramfs/hooks/cryptroot:
+ Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified
in the crypttab options. Regression since 2:2.0.3-2. (Closes: #902733.)
+ Avoid processing entries multiple times in get_crypttab_entry(), which
could happen with 'keyscript=decrypt_derived' for instance.
+ Don't complain that the sysfs dir can't be found when the hook failed to
normalize the device (another warning is shown already).
+ If source device is mapped (for instance if it's a logical volume), put
its dm name into the initrd crypttab. LVM2's local-block script doesn't
work with UUIDs, and giving it a VG+LV is better anyway as we avoid to
activate all volumes at initramfs stage. (Closes: #902943.)
* debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN if null or
unset then no key file is copied.
* debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
+ Use major:minor device IDs internally, as this facilitate discovery of
sysfs directories, and we don't have to take care of the udev mangling.
+ Decode octal sequences when reading /etc/crypttab or /etc/fstab. This
means that key files and option values can contain blanks and special
characters encoded as octal sequences.
+ Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate
code.
* debian/functions: If the key file is a symlink, warn about insecure
permissions of the target, not the link itself.
* debian/scripts/decrypt_derived: For devices with keys in the kernel
keyring (e.g., LUKS2 by default), refuse to derive anything.
* debian/patches/disable-internal-tests.patch: Add configure option
'--disable-internal-tests' to disable the internal test suite.
* debian/rules: Don't run upstream's internal test suite if
$DEB_BUILD_OPTIONS contains the string "skip-internal-tests". (Tests are
still run by default.)
* debian/cryptdisks-functions: Restore support for crypttab(5) entries with
regular files as source device. Regression since 2:2.0.3-2.
(Closes: #902879.)
* debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Sat, 07 Jul 2018 01:47:57 +0200
cryptsetup (2:2.0.3-4) unstable; urgency=low
* debian/initramfs/hooks/cryptroot:
+ Fix typo in warning message. (Closes: #901971.)
+ sysfs_devdir(): don't croak when the normalized device pathname isn't of
the form /dev/$blk. This is the case in the Debian installer, where the
devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device
instead of a symlink to /dev/dm-$index.
+ sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing the
sysfs directory corresponding to the device) rather than /sys/block/$blk.
While the latter is present for mapped devices, it's not present for
block devices corresponding to disk partitions. See sysfs(5) for
details. (Closes: #902183.)
+ get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
get the UUID of a dm-crypt device's slave (it's normal with plain
dm-crypt devices).
+ get_crypttab_entry(): don't warn that key file doesn't exist if it's
e.g., an existing character special device.
* debian/functions:unlock_mapping(): translate crypttab(5) option
'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which
doesn't set the key size but the size of the device in number of 512 byte
sectors). Regression since 2:2.0.3-2. (Closes: #902245.)
* debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count. Some
keyscripts (such as decrypt_keyctl) don't work properly if on first try
the CRYPTTAB_TRIED environment variable isn't set to 0. Regression since
2:2.0.3-2. (Closes: #902116.)
* debian/scripts/decrypt_keyctl: replace the source device path with the
mapped device name in messages, to match the new askpass behavior.
-- Guilhem Moulin <guilhem@debian.org> Sun, 24 Jun 2018 22:48:41 +0200
cryptsetup (2:2.0.3-3) unstable; urgency=low
[ Jonas Meurer ]
* debian/*: run wrap-and-sort(1)
* debian/control:
+ Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
cryptsetup-run. Needed since we moved luksformat between the
packages. (Closes: #901773)
+ Remove all traces of package 'cryptsetup-luks' from dependency
headers. This package has never been part of an official Debian
release and the time it existed is more than 12 years ago.
+ Remove Conflicts/Breaks headers from the split of cryptsetup into
cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
version is from Debian Wheezy, which means that there's three
releases in between. We don't support dist-upgrades with skipped
releases anyway.
+ Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
+ Remove versioned depends of libcryptsetup12 on libgcrypt20 and
libgpg-error0. Both versions are satisfied since more than three
releases.
+ Remove versioned build-depends on docbook-xsl, dpkg-dev,
libdevmapper-dev, libgcrypt20-dev and libtool. All versions are
satisfied since more than three releases.
* debian/*: Change maintainer contact address to @alioth-lists.debian.net.
[ Guilhem Moulin ]
* debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends
fields. (2:2.0.2-2 was never released, the version we released after the
package split was 2:2.0.3-1.)
* debian/initramfs/cryptroot-script: exit immediately when
/lib/cryptsetup/functions is not present. (Closes: #901830.)
* debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
manually excluding mapped devices using another subsystem.
* d/initramfs/hooks/cryptroot:
+ Fix parser for cipher specifications in mapping table of crypt targets.
In particular, the cipher mode wasn't parsed properly, potentially
causing missing modules in initrd.img compiled with MODULES=dep.
Regression introduced in 2:2.0.3-2. (Closes: #901884.)
+ Print a warning when the mapping table specifies the cipher in kernel
crypto API format ("capi:" prefix). We don't support these yet.
-- Guilhem Moulin <guilhem@debian.org> Wed, 20 Jun 2018 17:22:36 +0200
cryptsetup (2:2.0.3-2) unstable; urgency=medium
The "nights are long in summer" cryptsetup sprint release :-)
Guilhem and Jonas hacked together for three days (and nights), refactored
almost all of the cryptsetup packages, squashed (at least) 19 bugs and
started work on several new features. Yay!
[ Guilhem Moulin ]
* cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends:
(Closes: #901641.)
* debian/initramfs/*-hook: complete refactoring. Common functions are now in
/lib/cryptsetup/functions (source-able from shell scripts).
(Closes: #784881.)
* debian/initramfs/cryptroot-hook:
+ Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
devices such as LVM2 on top of LUKS (resp. multiple device filesystems
such as btrfs). This approach is more robust than parsing the output of
`lvs` or `btrfs filesystem`.
+ Export relevant crypttab(5) snippet (for devices that need to be
unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
+ Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
if 1/ the CRYPTSETUP configuration option is unset or null (the
default), and 2/ the hook didn't detect any device to be unlocked at
initramfs stage. The benefit is two-fold: it guides users through the
package split, and warns them that their system might not reboot if the
hook script didn't work properly.
* Remove the 'decrypt_openct' keyscript since openct was last seen in
oldoldstable, cf. #760258 (ROM).
* debian/initramfs/cryptroot-script: refactoring, using functions from
/lib/cryptsetup/functions. (Closes: #720952, #826124.)
+ One can disable the cryptsetup initramfs scripts for a particular boot
by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
+ No longer sleep for a full minute after exceeding the maximum number of
unlocking tries. (This was added in 2:1.7.3-2 as an attempt to mitigate
CVE-2016-4484.) Instead, the script sleeps for 1 second after each failed
attempt in order to defeat online brute-force attacks. (Closes: #898495.)
* debian/README.initramfs: Remove mention that the initramfs scripts and the
crypsetup binary are using a different hash algorithm for plain dm-crypt
volumes. This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317.
* debian/cryptdisks.functions:
+ Refactoring, using functions from /lib/cryptsetup/functions.
(Closes: #859953, #891219.)
+ Install to /lib/cryptsetup/cryptdisks-functions.
* crypttab(5):
+ Remove support for the 'precheck' option. The precheck for LUKS devices
is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock
non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known
filesystem (other that swap).
+ Don't ignore the 'plain' option: disable auto-detection and treat the
device as a plain dm-crypt device. (Closes: #886007.)
+ Add support for some option aliases to unify with systemd's crypttab(5)
options. Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is
an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden',
and 'tcrypt-veracrypt' is an alias for 'veracrypt'.
+ Add support for 'keyfile-size=' and 'keyfile-offset=' options.
(Closes: #849335.)
+ Source devices can now be specified using their PARTUUID or PARTLABEL,
similar to fstab(5).
* debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch
to setup readonly mappings. (Closes: #782843.)
* debian/scripts/cryptdisks_stop: Add support for closing multiple disks at
once. (Closes: #783194.)
[ Jonas Meurer ]
* debian/doc/crypttab.xml:
+ Add a section about the different crypttab formats of our package and
the systemd cryptsetup wrapper.
+ Document, which options are ignored by the initramfs scripts and which
are unsupported by the systemd implementation. (Closes: #714380)
+ Clarify documentation of option 'tries'. It also applies when using
keyscripts, not only with interactive passphrases. (Closes: #826127)
+ Make it obvious that in case a keyscript is configured, the third option
is passed as argument to the keyscript. Mention the optional requirement
to quote the value. (Closes: #826122)
+ Some minor wording improvements.
* debian/control, debian/compat: Bump debhelper compatibility level to 11.
* debian/rules:
+ Completely refactor the rules file, adapt to debhelper 11 style.
(Closes: #901713)
+ Run the upstream build-time testsuite thanks to dh_auto_test.
+ Move the luksformat script from cryptsetup-bin to cryptsetup-run.
+ Install the bug-script into all packages.
+ No longer install the sysvinit initscripts into cryptsetup-udeb.
+ Remove many old build and compile flags, debhelper takes care of most of
them nowadays.
-- Jonas Meurer <jonas@freesources.org> Mon, 18 Jun 2018 02:40:41 +0200
cryptsetup (2:2.0.3-1) unstable; urgency=medium
[ Guilhem Moulin ]
* Split cryptsetup package into cryptsetup-run (init scripts and libraries)
and cryptsetup-initramfs (initramfs integration). The 'cryptsetup'
package is now a transitional dummy package. (Closes: #783297.)
* debian/cryptsetup-run.preinst: remove logic for rm_conffile
/etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
2:1.0.6-5.
* debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments
with crypttab(5) targets that already exist, and only complete
cryptdisks_start targets with crypttab(5) targets that don't exist yet.
(Closes: #827200.)
* debian/initramfs/cryptroot-hook:
+ use copy_file() from hook-functions to copy key files to the initrd.
This ensures that relevant messages are printed in verbose mode.
(Closes: #898516.)
+ remove backward compatibility support for setting CRYPTSETUP and
KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf. Since 2:1.7.2-1
they should be set in /etc/cryptsetup-initramfs/conf-hook.
+ add 'algif_skcipher' kernel module to large initramfs (if the MODULES
variable isn't "dep"). That module is required for unlocking LUKS2
devices.
[ Jonas Meurer ]
* New upstream release 2.0.3
* debian/control:
- Bump standards-version to 4.1.4, no changes required
- Change my mail address to 'jonas@freesources.org'
- Change Vcs links to the new repository on salsa.debian.org
* debian/README.source: minor improvements
* debian/doc/crypttab.xml: Fix typo in manpage
-- Jonas Meurer <jonas@freesources.org> Fri, 15 Jun 2018 15:32:16 +0200
cryptsetup (2:2.0.2-1) unstable; urgency=low
* New upstream release 2.0.2
* debian/initramfs/cryptroot-hook: copy libgcc_s.so.1 to the initrd, as
libargon2 (used by LUKS2 devices) uses pthread_cancel. (Closes: #890798.)
* debian/initramfs/cryptroot-script: create locking directory at initramfs
stage, before running the cryptsetup binary, which would create it
automatically but also spew a warning.
* debian/patches/Fix-loopaesOpen-for-keyfile-on-standard-input.patch:
removed as it was cherry-picked from upstream and included in 2.0.2.
* debian/libcryptsetup12.symbols: update with new crypt_token_is_assigned()
API function.
-- Guilhem Moulin <guilhem@debian.org> Sat, 17 Mar 2018 18:03:03 +0100
cryptsetup (2:2.0.1-1) unstable; urgency=low
* New upstream release 2.0.1:
- Use /run/cryptsetup as default for cryptsetup locking dir.
- Add missing symbols for new functions to debian/libcryptsetup12.symbols.
* debian/copyright: update copyright years.
* debian/patches: backport upstream's 8728ba08 to fix opening of loop-AES
devices using --key-file=-. (Closes: #888162.)
* debian/rules: replace `autoreconf -f -i` with `dh_autoreconf` and add
`dh_autoreconf_clean` to the "clean:" target. This bumps the minimum
debhelper version to 9.20160403~ in Build-Depends. (Closes: #888742.)
-- Guilhem Moulin <guilhem@debian.org> Sun, 11 Feb 2018 00:02:05 +0100
cryptsetup (2:2.0.0-1) unstable; urgency=low
[ Guilhem Moulin ]
* cryptsetup-bin: Install /usr/lib/tmpfiles.d/cryptsetup.conf to create the
LUKS2 locking directory /run/lock/cryptsetup. For sysVinit, this is taken
care of by the cryptdisks-early init file.
* Remove debian/patches/Use-system-libargon2.patch (applied upstream).
* debian/README.{source,gbp.conf}: Upgrade to latest upstream conventions.
* debian/control: Bump Standards-Version to 4.1.3 (remove verbatim copy of
CC0-1.0 license from debian/copyright).
* debian/rules: Fix symlink target of libcryptsetup.so in libcryptsetup-dev
package. Thanks to Alan Fung for the report and patch. (Closes: #885435.)
* debian/initramfs/cryptroot-{hook,script}: Add support for 'skip' and
'offset' crypttab(5) options in the initramfs script. Thanks to Pascal
Liehne for the report and patch. (Closes: #872342.)
[ Jonas Meurer ]
* debian/initramfs/cryptopensc-*: Install required libs and config files for
pcscd and use correct path to pcscd. Thanks to Martijn van de Streek for
bugreport and patch. (Closes: #880750)
-- Guilhem Moulin <guilhem@debian.org> Mon, 22 Jan 2018 00:25:52 +0100
cryptsetup (2:2.0.0~rc1-1) experimental; urgency=low
* debian/rules: Compile with --enable-libargon2 to use system libargon2
instead of bundled version.
* debian/control: Bump Standards-Version to 4.1.1 (no changes necessary).
* debian/copyright: Update licensing information.
-- Guilhem Moulin <guilhem@debian.org> Wed, 01 Nov 2017 17:37:15 +0100
cryptsetup (2:2.0.0~rc0-1) experimental; urgency=low
* New upstream release 2.0.0 RC0 (closes: #877566). Highlights include:
- Support for new on-disk LUKS2 format, offering authenticated disk
encrption (EXPERIMENTAL), memory-hard PBKDF (argon2), kernel keyring for
storage of key material, and more.
- New CLI `integritysetup` which can setup standalone dm-integrity devices.
- soname bump of libcryptsetup library.
* Rename library package from libcryptsetup4 to libcryptsetup12.
* Also remove deprecated upstart configuration files on upgrade and purge.
(Closes: #883677)
* debian/control: Bump Standards-Version to 4.1.0 (no changes necessary).
* debian/*: Apply wrap-and-sort(1).
* debian/copyright: Update copyright years.
-- Guilhem Moulin <guilhem@debian.org> Tue, 03 Oct 2017 03:37:36 +0200
cryptsetup (2:1.7.5-1) unstable; urgency=low
* New upstream release 1.7.5.
* cryptroot-unlock: When the standard input is a TTY, keep prompting for
passphrases until there are no more devices to unlock. (Closes: #866786)
* cryptsetup.prerm: Don't try to call `dmsetup table` to list dm-crypt
devices when the dm_mod module isn't loaded. (Closes: #870673)
* Rename upstream signing key from debian/upstream/signing-key.asc to
debian/upstream-signing-key.asc in order to avoid lintian error
orig-tarball-missing-upstream-signature" (we use the key to verify
signature on upstrem's git tags).
* Remove deprecated upstart configuration files: /etc/init/cryptdisks.conf
and /etc/init/cryptdisks-udev.conf. Cf. `lintian-info --tags
package-installs-deprecated-upstart-configuration`.
* debian/cryptsetup.{postinst,postrm}: Don't hard-code path to
update-initramfs(1).
* debian/rules: Include /usr/share/dpkg/pkg-info.mk to avoid parsing
dpkg-parsechangelog(1) output.
* debian/control: Bump Standards-Version to 4.0.0 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Thu, 14 Sep 2017 13:00:23 +0200
cryptsetup (2:1.7.3-4) unstable; urgency=high
[ Guilhem Moulin ]
* Drop obsolete update-rc.d parameters. Thanks to Michael Biebl for the
patch. (Closes: #847620)
* debian/copyright: Fix license mismatch (docs/examples/*
lib/crypto_backend/* lib/loopaes/* lib/tcrypt/* lib/verity/* python/* are
LGPL-2.1+ not GPL-2+). (Closes: #861802)
* debian/initramfs/cryptroot-hook: honor RESUME={none,auto} as documented in
initramfs.conf(5) by initramfs-tools >=0.129. (Closes: #861074)
-- Jonas Meurer <mejo@debian.org> Tue, 09 May 2017 13:50:59 +0200
cryptsetup (2:1.7.3-3) unstable; urgency=medium
[ Jonas Meurer ]
* debian/scripts/decrypt_ssl: fix script to actually output the decrypted
key. Apparently this script has been broken since June 2008. Doesn't seem
like anybody is using it. Thanks to g1 for spotting and reporting the
error. (Closes: #844050)
* debian/initramfs/cryptroot-script:
+ limit the sleep after max passphrase attempts to devices for the rootfs.
This mitigates the negative impact in case of broken keyscripts etc.
+ add $crypttarget to each message to provide more context.
* debian/initramfs/cryptroot-hook: fix sanity check for key files on root
fs in get_device_opts(): detect if processed device is a root (parent)
device even for LVM setups. (closes: #842951)
* debian/README.initramfs: minor fix to the decrypt_derived keyscript
section: now that systemd is standard, 'cryptdisks_start' should be used
instead of '/etc/init.d/cryptdisks start'.
* debian/manpages/crypttab.xml: add a warning to the 'keyscript' option
that systemd doesn't support the option (yet) and mention the possible
workaround to process the devices in question in the initramfs.
[ Guilhem Moulin ]
* add debian/gbp.conf to set the upstream tag to "v%(version%.%_)s". As
this enables git-buildpackage >= 0.8.7 to automatically generate
orig.tar.gz, step nr. 5 is now removed from debian/README.source.
* debian/compat: bump debhelper compatibility version to 9.
* debian/initramfs/cryptroot-hook:
+ fix tab damage for consistency with the rest of the code
+ better warning for deprecated settings
+ fix sanity check for key files in get_device_opts(): print a warning if
the key file isn't on the root FS, or if the root device is not
encrypted, even for LVM setups.
+ fix sanity check for key files in get_device_opts(): print a warning if
the processed device is a resume device, even for LVM setups.
+ fix runtime error in get_lvm_deps() if the first argument is either
missing or the empty string.
+ reset IFS after processing $rootopts in get_device_opts(); the missing
linefeed in $IFS caused LVM logical volumes spaning over multiple PVs
not to have their parent devices detected correctly.
-- Jonas Meurer <mejo@debian.org> Fri, 09 Dec 2016 01:18:17 +0100
cryptsetup (2:1.7.3-2) unstable; urgency=medium
[ Guilhem Moulin ]
* debian/README.Debian: update authorized_keys(5) path, incorrect since
2:1.7.2-1, for remote unlocking at initramfs stage using the dropbear SSH
server.
[ Jonas Meurer ]
* debian/initramfs/cryptroot-script: sleep after max passphrase attempts.
This mitigates local brute-force attacks and addresses CVE-2016-4484.
Thanks to Ismael Ripoll and Hector Marco for discovery and report.
- decrease $count by one in tries loop if unlocking was successful.
- warn and sleep for 60 seconds if the maximum allowed attempts of
unlocking (configured with crypttab option tries, default=3) are
reached.
-- Jonas Meurer <mejo@debian.org> Mon, 07 Nov 2016 11:34:41 +0100
cryptsetup (2:1.7.3-1) unstable; urgency=medium
* New upstream release 1.7.3.
* debian/rules: run dh_strip_nondeterminism(1p) in binary-arch rules to
make the package build more reproducible. Introduces a new Build-Depends
on dh-strip-nondeterminism. Thanks to Reiner Herrmann for bugreport and
patch. (Closes: #842581)
-- Jonas Meurer <mejo@debian.org> Mon, 31 Oct 2016 22:00:52 +0100
cryptsetup (2:1.7.2-5) unstable; urgency=high
[ Guilhem Moulin ]
* debian/upstream/signing-key.asc: add upstream's armored OpenPGP key,
fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E 98FC.
* debian/watch: add "pgpsigurlmangle" option so uscan(1) can automatically
verify cryptographic signatures on release tarballs.
[ Jonas Meurer ]
* debian/initramfs/cryptroot-hook: only source crypt-hook from
/etc/cryptsetup-initramfs/ when present. (Closes: #841503)
-- Jonas Meurer <mejo@debian.org> Fri, 21 Oct 2016 18:10:56 +0200
cryptsetup (2:1.7.2-4) unstable; urgency=high
[ Guilhem Moulin ]
* debian/initramfs/cryptroot-hook:
+ Fix warning printed for lvm devices backed by multiple dm-crypt nodes.
Regression introduced in 2:1.7.2-1. Thanks Zoltan Hidvegi, for the
patch. (Closes: #840480)
+ Don't escape all slash characters "/" in device paths of the form
/dev/by-label/..., only the label itself. Regression introduced in
2:1.7.2-2 as a fix for #839888.
-- Jonas Meurer <mejo@debian.org> Thu, 13 Oct 2016 23:11:45 +0200
cryptsetup (2:1.7.2-3) unstable; urgency=medium
[ Guilhem Moulin ]
* debian/initramfs/cryptroot-conf: don't set CRYPTSETUP and KEYFILE_PATTERN,
so the (deprecated) values set in /etc/initramfs-tools aren't overridden
to the empty string by default. Regression introduced in 2:1.7.2-1.
(Closes: #839994.)
* debian/README.initramfs: fixed minor typo.
-- Jonas Meurer <mejo@debian.org> Sat, 08 Oct 2016 00:01:25 +0200
cryptsetup (2:1.7.2-2) unstable; urgency=medium
* debian/cryptdisks.functions: fix a nasty typo in do_start that rendered
systems with sysVinit unbootable. Thanks to Marc Haber for bugreport and
patch (Closes: #839888)
-- Jonas Meurer <mejo@debian.org> Thu, 06 Oct 2016 10:47:05 +0200
cryptsetup (2:1.7.2-1) unstable; urgency=medium
[ Jonas Meurer ]
* new upstream release 1.7.2. Highlights include:
- code now uses kernel crypto API backend according to new changes
introduced in mainline kernel. (in 1.7.1)
- cryptsetup now allows special "-" (standard input) keyfile handling
even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices. (in 1.7.1)
- Support activation options for error handling modes in Linux kernel
dm-verity module. (in 1.7.2)
* debian/cryptdisks.functions: use '--key-file=-' again with the tcrypt
extension, now that upstream issue #269 is fixed.
* migrate the packaging repository from SVN to Git:
- debian/control: Update Vcs-* fields to point to the new git repository.
- debian/README.source: document new repository structure and release
handling.
* debian/README.Debian, debian/NEWS: minor typo fixes.
* debian/rules: run pod2man --release="$(DEB_VERSION). (Closes: #839352)
[ Guilhem Moulin ]
* debian/control: add self to uploaders.
* debian/cryptdisks.functions: when iterating through the crypttab, don't
abort after the first disk that fails to be closed. Regression introduced
2:1.7.0-1 when the filed is sourced under 'set -e'.
* debian/cryptdisks.functions: stop using `seq` since cryptsetup doesn't
depend on busybox. Instead, try again after 1, 2, 4, 8 and 16s when an
encrypted disk cannot be closed. (Closes: #811456)
* debian/cryptsetup.maintscript: add a "rm_conffile" directive to remove
conffile /etc/bash_completion.d/cryptdisks, obsolete since 2:1.7.0-1.
(Closes: #810227)
* debian/README.initramfs: fix typo s/initramfs-update/update-initramfs/.
Thanks, Stuart Prescott. (Closes: #827263)
* debian/rules: Add 'hardening=+pie' to DEB_BUILD_MAINT_OPTIONS to compile
ELF executables as PIEs.
* debian/control: Bump Standards-Version to 3.9.8 (no changes necessary).
* debian/cryptsetup.lintian-overrides: Remove unused lintian override
init.d-script-does-not-source-init-functions.
* Use /etc/crytsetup-initramfs/conf-hook for initramfs hook script
configuration. For backward compatibility setting CRYPTSETUP and
KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
for now, but causes the hook to print a warning.
This is done following the initramfs-tools maintainers' request (see
#807527) that hook and boot script configuration files be stored outside
the /etc/initramfs-tools directory. (Closes: #783393)
* Print a warning when private key material is to be included in the
initramfs image (ie, if $KEYFILE_PATTERN is not empty), and the image is
created with a permissive mode.
* Add Indonesian debconf templates translation. Thanks, Izharul Haq for the
patch. (Closes: #835158)
* debian/initramfs/cryptroot-hook: Avoid leading space in $rootdevs,
$resumedevs, etc.
* Support unlocking devices at initramfs stage using a key file stored on
the encrypted root FS. Note however that resume devices won't be unlocked
this way since the resume boot script is currently run before mounting the
root FS. (Closes: #776409)
* debian/initramfs/cryptroot-hook: Avoid undesired effects for target or
device names containing non-alphanumeric characters such as "." or "-":
+ replace `grep "^$x\b"` by `awk -vx="$x" '$1==x {print}'`; and
+ replace `echo "$x"` by printf '%s' "$x" when the argument might start
with a dash.
* debian/initramfs/cryptroot-{hook,script}, debian/cryptdisks.functions:
ensure slash characters "/" from device labels are escaped when
constructing symlinks under /dev/disk/by-label.
* debian/scripts/decrypt_gnupg:
+ Remove --no-mdc-warning to display a warning if the MDC integrity
protection is missing.
+ Replace "GnuPG key" by "gpg-encrypted key" in messages and
documentation.
* debian/initramfs/cryptgnupg-hook: Add support for multiple devices
encrypted using a gpg-encrypted key.
* debian/README.gnupg: Indicate that not the only the gpg-encrypted key for
the root FS is copied onto the initramfs, but also the ones for all
devices that need to be unlocked at initramfs stage.
* debian/initramfs/cryptroot-hook: Fix bug for device label starting with
"UUID=".
[ Helmut Grohne ]
* libcryptsetup-dev: move the .pc file to a multiarch location such that
cross-pkg-config can find it. (closes: #811545)
* Fix FTCBFS: Use host arch compiler for askpass as well. (closes: #811559)
-- Jonas Meurer <mejo@debian.org> Wed, 05 Oct 2016 20:53:09 +0200
cryptsetup (2:1.7.0-2) unstable; urgency=medium
[ Guilhem Moulin ]
* Fix cryptsetup shutdown procedure on sysvinit, broken since 2:1.7.0-1 for
systems without active crypttab entry at the time fo the shutdown.
(Closes: #792552, #810380)
-- Jonas Meurer <mejo@debian.org> Sun, 10 Jan 2016 18:45:20 +0100
cryptsetup (2:1.7.0-1) unstable; urgency=medium
[ Jonas Meurer ]
* new upstream release 1.7.0. Highlights include:
- cryptsetup TCRYPT mode now supports VeraCrypt devices (in 1.6.7)
- fix activation using (UNSECURE) ECB mode (in 1.6.7) (closes: #784129)
- properly support stdin "-" handling for luksAddKey for both new and old
keyfile parameters. (in 1.6.8)
- default hash function is now SHA256 (used in key derivation function
and anti-forensic splitter) (in 1.7.0)
* debian/cryptsetup.functions, debian/initramfs/cryptroot.{hook,script}: add
support for veracrypt option to cryptdisks initscript and cryptroot
initramfs script. (closes: #806290)
* debian/cryptdisks.functions: don't use '--key-file=-' with the tcrypt
extension. This fixes the tcrypt implementation in the initscript and
provides a workaround for upstream issue #269.
* debian/cryptsetup.bug-script: do not send potentially private information
without prior user confirmation in reportbug script. (Closes: #783298)
* debian/cryptsetup.apport: do not send potentially private information
without prior user confirmation in apport hook.
* debian/control, debian/NEWS: fix links to cryptsetup homepage/FAQ. Homepage
(and FAQ) moved from code.google.com to gitlab.com. (closes: #781674)
* debian/*: update hyperlinks to use https instead of http where appropriate.
* debian/rules, debian/post{inst,rm}: don't install cryptdisks_st{art,op}
symlinks to /usr/sbin if everything-in-usr directories scheme is used.
Thanks to Marco d'Itri for the patch. (closes: #767921)
* debian/scripts/luksformat: search for mkfs binaries in /usr/sbin, /usr/bin,
/sbin and /bin (default order in $PATH). This fixes luksformat for btrfs
filesystems. (closes: #805353)
* debian/dirs, debian/rules: install cryptdisks bash-completion script into
/usr/share/bash-completion/completions.
* debian/cryptdisks.functions: iterate over remaining open crypttab devices
in do_stop() in order to close dependent devices and don't freeze the
shutdown process. Thanks to Avatar for the patch. (closes: #792552)
* debian/rules: set V=1 in order to make build logs usable for blhc.
* debian/rules: set DEB_VERSION and DEB_DATE in a way to make cryptsetup
build reproducible. Thanks to Dhole and Valentin Lorentz for patches.
(closes: #780864, #794106)
* debian/cryptdisks.functions: bring the passphrase prompt in line with the
one from initramfs script in order to make the user experience more
consistent. (closes: #772943)
* debian/initramfs/cryptroot-script: move sanity checks of $cryptkeyscript
and potential expansion to '/lib/cryptsetup/askpass' to the beginning of
setup_mapping().
[ Guilhem Moulin ]
* debian/README.{Debian,remote}: remove dropbear-specific configuration and
point to dropbear-initramfs instead. Since version 2015.70-1, dropbear
ships dropbear-specific initramfs configuration and documentation in an
own binary package dropbear-initramfs. (closes: #801471)
* debian/initramfs/cryptroot-{hook,script}: add support for 'keyslot' option
to cryptroot initramfs script. (closes: #801479)
* debian/README.initramfs, debian/initramfs/cryptroot-hook: add support for
storing keyfiles directly in the initrd. (closes: #786578)
* debian/initramfs/cryptroot-hook: display a warning for invalid source
devices. (closes: #720515, #781955, #784435)
* debian/askpass.c: add plymouth support to the askpass helper command.
* debian/cryptdisks.functions, debian/initramfs/cryptroot-script: remove
special treatment of plymouth installations now that askpass supports
plymouth natively.
* debian/initramfs/cryptroot-unlock(-hook): add initramfs hook and script
to remotely unlock cryptroot devices. (closes: #782024, #697156)
-- Jonas Meurer <mejo@debian.org> Thu, 07 Jan 2016 02:22:33 +0100
cryptsetup (2:1.6.6-5) unstable; urgency=high
* debian/cryptdisks.functions: fix the precheck for ubuntu+upstart
before invoking 'status cryptdisks-udev'. (closes: #773456)
* debian/cryptdisks.functions: fix the insufficient grep regex for
detecting a running cryptdisks-udev (upstart) init script.
-- Jonas Meurer <mejo@debian.org> Thu, 22 Jan 2015 21:22:08 +0100
cryptsetup (2:1.6.6-4) unstable; urgency=medium
[ Simon McVittie ]
* debian/initramfs/cryptroot-script: decrypt /usr as well as / so that
split-/usr will work with initramfs-tools (>= 0.118). (closes: #767832)
[ Jonas Meurer ]
* debian/cryptdisks.funcctions: check for cryptdisks-udev initscript before
actually invoking 'status' on it. It's only useful in ubuntu+upstart
environment anyway. (closes: #764564)
* debian/askpas.c: fix systemd_read() to really strip trailing newline from
input. Thanks to Quentin Lefebvre for report and patch. (closes: #768407)
-- Jonas Meurer <mejo@debian.org> Wed, 17 Dec 2014 14:24:41 +0100
cryptsetup (2:1.6.6-3) unstable; urgency=medium
* debian/initramfs/cryptroot-script: fix environment variable $CRYPTTAB_TRIED
to hold the number of actual tries instead of the number of maximum tries.
Thanks to Luc Maisonobe for debugging and the patch. (closes: #758788)
-- Jonas Meurer <mejo@debian.org> Tue, 07 Oct 2014 19:51:36 +0200
cryptsetup (2:1.6.6-2) unstable; urgency=medium
* rename 'luksheader' option in crypttab to 'header', as it may be used for
different encryption modes later as well.
* add support for detached LUKS header to initramfs scripts. Thanks to Pablo
Santiago for the hint and DiagonalArg from Launchpad for patch suggestions.
(closes: #716652)
* fix support for truecrypt devices in initramfs scripts. Thanks to Lukas
Wunner for the patch. (closes: #748286)
* use blkid instead of fstype everywhere in cryptroot initramfs scripts.
Thanks to Pablo Santiago for the hint.
* debian/initramfs/cryptroot-hook: add support for 'initramfs' option to
crypttab. Thanks to Hugh Davenport for the patch. (closes: #697162)
* debian/initramfs/cryptroot-script: add support for multiple btrfs root
devices. This should fix the WARNING at mkinitramfs for unencrypted
btrfs root device(s) as well. Thanks to Jon Severinsson and Gerald Turner
for patches. (closes: #682751, #762268)
* debian/initramfs/cryptroot-script: skip missing device in initramfs after
dropping to the panic/emergency shell instead of looping in the panic
shell. Thanks to Cédric Barboiron for the patch. (closes: #762573)
* debian/initramfs/cryptroot-script: for LVM devices, don't set ROOT to
$NEWROOT in /etc/param.conf in case that /etc/param.conf already has ROOT
set. This is the case for flash-kernel devices. Thanks to Brandon Parker
for bugreport and patch. (closes: #759720)
* debian/initramfs/cryptroot-script: in slumber loop, retry vg_activate
every ten seconds. Fixes LVM on USB in cases that the USB device didn't
come up fast enough. (closes: #762032)
* fix package version number in debian/NEWS.
* bump standards-version to 3.9.6, no changes needed.
-- Jonas Meurer <mejo@debian.org> Wed, 20 Aug 2014 19:59:03 +0200
cryptsetup (2:1.6.6-1) unstable; urgency=medium
* new upsream version 1.6.6.
* add versioned dependency on cryptsetup-bin to cryptsetup. (closes: #747670)
* change versioned build-depends on automake to >= 1.12 to reflect upstream
requirements. Thanks to Joel Johnson. (closes: #740688)
* build and link against libgcrypt20 (>= 1.6.1). Add note about whirlpool
bug in older libgcrypt releases and how to deal with it to debian/NEWS.
* add systemd support to askpass. Thanks to David Härdeman for the patch.
(closes: #742600, #755074)
* fix initramfs cryptroot hook to not include modules unconditionally. Thanks
to Dmitrijs Ledkovs for bugreport and patch. (closes: #714104)
* fix decrypt_keyctl script to ask again in case of wrong passphrase. Thanks
to Dmitriy Matrosov for bugreport and patch. (closes: #748368)
* incorporate changes from ubuntu package:
- don't hardcode paths to udevadm and udevsettle.
- restore terminal settings in askpass.c. (closes: #714942)
- migrate upstart jobs to new names.
-- Jonas Meurer <mejo@debian.org> Tue, 04 Mar 2014 20:14:07 +0100
cryptsetup (2:1.6.4-4) unstable; urgency=medium
* really fix plain device opening in initramfs cryptroot script this time.
Thanks again to Dirk Griesbach for the patch. (closes: #740592)
-- Jonas Meurer <mejo@debian.org> Mon, 03 Mar 2014 21:00:16 +0100
cryptsetup (2:1.6.4-3) unstable; urgency=medium
* fix plain device opening, broken by switch to new unified open command
in 1.6.4-1. Thanks to Dirk Griesbach for the patch. (closes: #740592)
* update italian debconf translations, thanks to Italian l10n team and
Francesca Ciceri. (closes: #740557)
* remove trailing whitespaces from text files.
* some minor packaging fixes thanks to lintian checks:
- fix VCS-* fields in debian/control to use canoncial URIs.
- remove empty directory from libcryptsetup4 package.
- add lintian-override for init.d-script-not-included-in-package.
-- Jonas Meurer <mejo@debian.org> Sun, 02 Mar 2014 13:51:35 +0100
cryptsetup (2:1.6.4-2) unstable; urgency=medium
* fix libcryptsetup.so symlink. Thanks to Michael Biebl. (closes: #740484)
-- Jonas Meurer <mejo@debian.org> Sun, 02 Mar 2014 01:33:39 +0100
cryptsetup (2:1.6.4-1) unstable; urgency=low
* new upstream version 1.6.4.
- minor fixes in cryptsetup manpage. (closes: #725131)
- by default verify new passphrase in luksChangeKey and luksAddKey
commands (closes: #728302)
- cryptsetup releases are released on kernel.org since 1.6.4. Change
debian/watch accordingly.
* use compiled defaults for cypher, keysize and hash in luksformat script
* improvements to docs (thanks to Christoph Anton Mitterer):
- small improvement to explanation for CRYPTTAB_TRIED environment variable
in crypttab manpage
- update cipher, size and hash settings in examples (closes: #714331)
- replace '/dev/hdX' devices with '/dev/sdX' in examples
- full path to keyscripts in /lib/cryptsetup/scripts not needed in examples
* update init and initramfs scripts to use new open syntax (closes: #714395)
* add scripts/local-block/cryptroot in order to support event based block
device handling. Thanks to Goswin von Brederlow (closes: #678692)
* add support for TCRYPT device handling to cryptdisks init and cryptroot
initramfs scripts. (closes: #722509)
* improve passphrase prompt in cryptroot initramfs script. Thanks to Joachim
Breitner. (closes: #728080)
* add support for detached luks header to cryptdisks init script. Thanks to
Ximin Luo. (closes: #716652)
* enhance docs about remote unlocking feature. Thanks to Karl O. Pinc.
(closes: #715487, #714952)
* update README.keyctl docs: since linux kernel 2.6.38, dm-crypt is not
single-threaded any longer. (closes: #714806)
* don't sleep between retries in cryptroot initramfs script. (closes: #715525)
* add multi-arch support. Thanks to Shawn Landden. (closes: #696008, #732099)
* suggest keyutils. Thanks to Nikolaus Rath. (closes: #734133, #735496)
* fix initramfs/cryptroot-hook to support more than one lvm source devices.
Thanks to Jens Reinsberger for the patch. (closes: #659688, #737686)
* bump standards-version to 3.9.5, no changes needed.
* override lintian false positives for init scripts:
- init.d-script-does-not-implement-optional-option status
- init.d-script-does-not-source-init-functions
-- Jonas Meurer <mejo@debian.org> Fri, 28 Jun 2013 12:14:55 +0200
cryptsetup (2:1.6.1-1) unstable; urgency=low
[ Milan Broz ]
* new upstream version. (closes: #704827, 707997)
- default LUKS encryption mode is XTS (aes-xts-plain64) (closes: #714331)
- adds native support for Truecrypt and compatible on-disk format
- adds benchmark command
- adds cryptsetup-reencrypt, a tool to offline reencrypt LUKS device
- adds veritysetup, a tool for dm-verity block device verification module
* install docs/examples into docs at cryptsetup-dev package.
* fix compilation warnings in askpass.c.
[ Steve Langasek ]
* fix upstart jobs to not cause boot hangs when actually used in
conjunction with startpar. (closes: #694499, #677712).
* in connection with the above, make the cryptdisks-early job explicitly
wait for 'umountfs' on shutdown just like cryptdisks does; otherwise,
the teardown of the cryptdisks upstart job may cause the cryptdisks-early
init script run before we're done unmounting filesystems.
[ Jonas Meurer ]
* minor wording fixes to README.initramfs, suggested by intrigeri and Adam
D. Barrett.
* add bash-completion script for cryptdisks_{start,stop}. Thanks to Claudius
Hubig for providing a patch. (closes: #700777)
* support specifying key-slot in crypttab. Thanks to Kevin Locke for the
patch. (closes: #704470)
* remove evms support code from cryptroot initramfs script. (closes: #713918)
* fix location of keyscripts in initramfs documentation. (closes: #697446)
* fix a typo in decrypt_ssl script that prevented stdout from beeing
redirected to /dev/null. (closes: #700285)
* give full path to blkid in crytproot initramfs script. (closes: #697155)
* export number of previous tries from cryptroot and cryptdisks to
keyscript. Thanks to Laurens Blankers for the idea. Opens the possibility
to fallback after a given number of tries for keyscripts. (closes: #438481,
#471729, #697455)
* improve check for cpu hardware encryption support in initramfs cryptroot
hook. (closes: #714326)
-- Jonas Meurer <mejo@debian.org> Fri, 28 Jun 2013 12:10:41 +0200
cryptsetup (2:1.4.3-4) unstable; urgency=medium
* change recommends for busybox to busybox | busybox-static. Thanks to
Armin Haas for the bugreport. (closes: #692151)
-- Jonas Meurer <mejo@debian.org> Wed, 07 Nov 2012 16:12:25 +0100
cryptsetup (2:1.4.3-3) unstable; urgency=medium
* add recommends for 'kbd, console-setup' to cryptsetup package. Both are
necessary to support local keymap in initramfs. Thanks to Raphaël Hertzog
for the bugreport. (closes: #689722)
* move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool,
busybox' to recommends. Both are required for encrypted root fs.
* remove suggestion for udev, most debian systems have it installed anyway.
* mention option to use UUID=<luks_uuid> for source device in crypttab(5).
Thanks to Felicitus for the bug report. (closes: #688786)
* add a paragraph in README.initramfs: Describe, why renaming the target
name is not supported for encrypted root devices. Thanks to Adam Lee for
bugreport and proposed workaround for this limitation. (closes: #671037)
* fix keyfile permission checks in cryptdisks init scripts to follow
symlinks. Thanks to intrigeri for the bugreport. (closes: #691517)
* fix owner group check for keyfile in cryptdisks init scripts to really
check owner group.
* update debconf translations:
- brasilian portuguese, thanks to Adriano Rafael Gomes. (closes: #685762)
- japanese, thanks to victory. (closes: #690784)
* fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for
the bugreport. (closes: #684086)
-- Jonas Meurer <mejo@debian.org> Thu, 01 Nov 2012 15:34:09 +0100
cryptsetup (2:1.4.3-2) unstable; urgency=medium
* fix the shared library symbols magic: so far, the symbols file for
libcryptsetup4 included just a wildcard for all exported symbols, with
libcrypsetup4 (>= 2:1.4) as minimum version. This was wrong. Symbols
that were added later need adjusted minimum versions. Thanks for the
great help in #debian-mentors. (closes: #677127)
* remove emtpy directory /lib from cryptsetup-bin package.
* compile askpass and passdev with CFLAGS, CPPFLAGS and LDFLAGS.
-- Jonas Meurer <mejo@debian.org> Tue, 12 Jun 2012 21:26:18 +0200
cryptsetup (2:1.4.3-1) unstable; urgency=low
[ Jonas Meurer ]
* mention limitations for keyscripts in crypttab(5) manpage: keyscripts
must not depend on binaries/files which are part of the to-be-unlocked
device. (closes: #665494)
* bump versioned build-dependency on debhelper now that we install
upstart initscripts in debian as well.
* change versioned breaks/replaces for cryptsetup-bin on cryptsetup to
1.4.3-1~, fixing upgrades in debian.
[ Jean-Louis Dupond ]
* New upstream version. (closes: #670071)
- Fix keyslot removal (closes: #672299)
- Add -r to cryptsetup.8 (closes: #674027)
* Split up package in cryptsetup and cryptsetup-bin.
* I'm now co-maintainer (closes: #600777).
* Start cryptdisks-enable upstart job on 'or container', to let us
simplify the udevtrigger job.
* debian/cryptdisks.functions: handle the case where crypttab contains a
name for the source device that is not the kernel's preferred name for
it (as is the case for LVs). (Thanks Steve Langasek)
* debian/cryptdisks.functions: fix a race condition in some cases by
adding and udevadm settle before rename.
* debian/cryptdisks.functions: add UUID & LABEL support to do_start.
* debian/copyright: really fix lintian warning.
* debian/rules: also include upstart files in debian.
-- Jonas Meurer <mejo@debian.org> Fri, 08 Jun 2012 13:42:51 +0200
cryptsetup (2:1.4.1-3) unstable; urgency=low
[ Jonas Meurer ]
* finally add back support for configuration of custom rootfs-devices through
the boot parameter 'root' to initramfs cryptroot script. Thanks a lot to
August Martin for the bugreport as well as continuously debugging and
providing patches. (closes: #546610)
* use blkid instead of fstype to detect the content of devices in initramfs
cryptroot script. Unfortunately fstype doesn't recognize md-raid devices,
which leads to errors with encrypted devices on top of software raid.
* check whether $NEWROOT already exists before actually invoking cryptsetup
in initramfs cryptroot script. (closes: #653241)
* fix conditions for prechecks at do_noluks() in cryptdisks.functions. Should
prevent data loss with encrypted swap in most cases. (closes: #652497)
* change default value for tmpfs and examples from ext2 to ext4.
* minor code cleanup.
* update debconf translations:
- russian, thanks to Yuri Kozlov. (closes: #661303)
- spanish, thanks to Camaleón. (closes: #661316)
[ Jean-Louis Dupond ]
* fix watch file.
* always add aesni module to initramfs if we have hardware aes support.
(closes: #639832).
* debian/copyright: fix lintain warning.
* add upstart scripts for ubuntu.
* silent warnings on kernels without kernel/{arch,crypto}.
* add crypttab_start_one_disk in function script to handle udev startup
in ubuntu.
* bump standards-version to 3.9.3, no changes needed.
-- Jonas Meurer <mejo@debian.org> Wed, 11 Apr 2012 23:55:35 +0200
cryptsetup (2:1.4.1-2) unstable; urgency=low
* acknowledge NMU. Thanks to Michael Biebl. (closes: #659182)
* don't print error for non-encrypted rootfs in initramfs cryptroot hook.
Thanks to Jamie Heilman and Christoph Anton Mitterer for bugreports.
(closes: #659087, #659106)
* use dmsetup splitname to extract VG name from $node in initramfs cryptroot
hook. Thanks to Kai Weber for the bugreport, Milan Broz and Claudio
Imbrenda for suggestions and patches. (closes: #659235)
-- Jonas Meurer <mejo@debian.org> Sun, 12 Feb 2012 15:51:11 +0100
cryptsetup (2:1.4.1-1.1) unstable; urgency=low
* Non-maintainer upload.
* Fix dangling .so symlink. Don't hard code the library version but use
readlink instead to determine where the .so symlink should point at.
(closes: #659182)
-- Michael Biebl <biebl@debian.org> Sat, 11 Feb 2012 04:32:01 +0100
cryptsetup (2:1.4.1-1) unstable; urgency=low
* new upstream release (1.4.0 + 1.4.1) (closes: #647851)
- fixes typo in german translation. (closes: #645528)
- remove patches, all incorporated upstream.
- soname bump, rename library package to libcryptsetup4
* check for busybox in initramfs cryptroot hook, and install the sed binary
in case it's either not installed or not activated. (closes: #591853)
* add checks for 'type $KEYSCRIPT' to initscripts cryptdisks.functions, and
to cryptroot initramfs script/hook. this adds support for keyscripts inside
$PATH. thanks to Ian Jackson for the suggestion. (closes: #597583)
* use argument '--sysinit' for vgchange in cryptroot initramfs script. Thanks
to Christoph Anton Mitterer for the suggestion.
* add option for discard/trim features to crypttab and initramfs scripts.
Thanks to intrigeri and Peter Colberg for patches. (closes: #648868)
* print $target on error in initramfs hook. Thanks to Daniel Hahler for the
bugreport. (closes: #648192)
* add a warning about using decrypt_derived keyscript for devices with
persistent data. Thanks to Arno Wagner for pointing this out.
* remove quotes from resume device candidates at get_resume_devs() in
initramfs hook script. Thanks to Johannes Rohr. (closes: #634017)
* support custom $TABFILE, thanks to Douglas Huff. (closes: #638317)
* fix get_lvm_deps() in initramfs cryptroot hook to add all physical volumes
of lvm volume group that contains the rootfs logical volume, even if the
rootfs is lv is not spread over all physical volumes. Thanks to Christian
Pernegger for bugreport and patch. (closes: #634109)
* debian/initramfs/cryptroot-script: Move check for maximum number of tries
behind the while loop, to make the warning appear in case that maximum
number of tries is reached. Thanks to Chistian Lamparter for bugreport and
patch. (closes: #646083)
* incorporate changes to package descriptions and debconf templates that
suggested by debian-l10n-english people. Special thanks go to Justin B Rye.
* acknowledge NMU, thanks a lot to Christian Perrier for his great work on
the i18n front. (closes: #633105, #641719, #641839, #641947, #642470,
#640056, #642540, #643633, #643962, #644853)
* add and update debconf translations:
- italian, thanks to Milo Casagrande, Francesca Ciceri. (closes: #656933)
- german, thanks to Erik Pfannenstein. (closes: #642147)
- spanish, thanks to Camaleón. (closes: #658360)
- russian, thanks to Yuri Kuzlov (closes: #654676)
* set architecture to linux-any, depends on linux kernel anyway. Thanks to
Christoph Egger. (closes: #638257)
* small updates to the copyright file.
* add targets build-indep and build-arch to debian/rules, thanks to lintian.
-- Jonas Meurer <mejo@debian.org> Sun, 05 Feb 2012 03:17:59 +0100
cryptsetup (2:1.3.0-3.1) unstable; urgency=low
* Non-maintainer upload.
* Fix pending l10n issues. Debconf translations:
- French (Julien Patriarca). Closes: #633105
- Vietnamese (Hung Tran). Closes: #641719
- Portuguese (Miguel Figueiredo). Closes: #641839
- Russian (Yuri Kozlov). Closes: #641947
- Swedish (Martin Bagge / brother). Closes: #642470,#640056
- Czech (Michal Simunek). Closes: #642540
- Dutch; (Jeroen Schot). Closes: #643633
- Spanish; (Camaleón). Closes: #643962
- Danish (Joe Hansen). Closes: #644853
-- Christian Perrier <bubulle@debian.org> Sun, 25 Dec 2011 19:00:24 +0100
cryptsetup (2:1.3.0-3) unstable; urgency=low
* drop the loopback magick from cryptdisks scripts. Mario 'Bitkoenig' Holbe
pointed out, that auto-destruction support was added to the loopback driver
with kernel 2.6.25. Given, that even lenny has a more recent kernel,
support for kernels < 2.6.25 is not required any more. (closes: #626458)
* add debconf question 'prerm/active-mappings' with priority high to prerm
maintainer script. will warn about active dm-crypt mappings before the
package is removed/purged. (closes: #626641)
* add lintian-override for 'cryptsetup: no-debconf-config', as the debconf
question in prerm doesn't require a debconf config script.
* add debian/patches/03_create_fix_keyfile.patch. (closes: #626738)
-- Jonas Meurer <mejo@debian.org> Thu, 19 May 2011 20:50:08 +0200
cryptsetup (2:1.3.0-2) unstable; urgency=low
* fix changelog of 2:1.3.0-1 release, thanks to Thorsten Glaser for the hint
-- Jonas Meurer <mejo@debian.org> Thu, 12 May 2011 03:06:46 +0200
cryptsetup (2:1.3.0-1) unstable; urgency=low
* new upstream release
- automatically allocates loopback device for container files. update the
cryptdisks functions to only setup loopback device for kernel < 2.6.35.
otherwise, let cryptsetup do the magic itself.
- introduces maximum default keyfile size, see --help for value. manually
set the keyfile size with --keyfile-size in order to overwrite the limit.
- adds luksChangeKey command for changing passphrase/keyfile in one step
- adds loopAES compatibility command loopaesOpen
- remove d/patches/01_luksAddKey_return_code.patch, incorporated upstream
* add gettext support to luksformat script. Thanks to intrigeri for initial
patch, and adduser sources for implementation ideas. (closes: #558405)
* fix KEYSCRIPT checks in cryptdisks.functions for empty values.
* update REAMDE.gnupg and initramfs cryptgnupg hook script:
- warn about keys being copied to initramfs.
- fix the documentation to provide working examples.
* update README.Debian and related documentation:
- add a section about the 'special' keyscripts askpass and passdev
(closes: #601314)
- update several sections, remove reference to lenny
* add debian/patches/01_create_fix_size.patch, to fix a regression in 1.2.0
where the size argument was ignored for create command (closes: #624828)
* add debian/patches/02_manpage.patch, escapes minus signs in manpage
* remove usplash support from cryptroot initramfs script, askpass and
keyscripts, add plymouth support to keyscripts. (closes: #620923)
* ignore options like cipher, hash, size, etc. for luks commands in
cryptdisks. mention this in the crypttab manpage. (closes: #619249)
* again check for existance of /lib/cryptsetup/cryptdisks.functions before
sourcing it in cryptdisks(-early).init. required if cryptsetup is removed
but not purged, where initscripts are still around. (closes: #625468)
* bump standards-version to 3.9.2, no changes needed.
* debian/libcryptsetup1.symbols: update, 1.3.0 adds new function symbols
-- Jonas Meurer <mejo@debian.org> Wed, 11 May 2011 14:45:42 +0200
cryptsetup (2:1.2.0-2) unstable; urgency=low
* upload to unstable.
* fixes a ftbfs due to updated libgpg-error and libgcrypt11 build-
dependencies. (closes: #614530)
* install cryptkeyctl initramfs hook, needed for keyctl keyscript in
initramfs, thanks to Maik Zumstrull (closes: #610750)
* use 'egrep -c' instead of wc in cryptdisks_st* scripts, wc might not be
available as it's located at /usr/bin. Thanks to Mario 'BitKoenig' Holbe
for bugreport and patch. (closes: #611747)
* add debian/patches/01_luksAddKey_return_code.patch, fixes the luksAddKey
return code when the master key is used. (closes: #610366)
* fix luksformat script to invoke usage() with --help. (closes: #612947)
* add a paragraph about known upgrade issues to the crypttab manpage. this
paragraph strongly suggests to configure cipher, hash and keysize for
plain dm-crypt devices. (closes: #612452)
* fix examples in crypttab manpage, cipher, hash and keysize should be
configured for plain dm-crypt devices.
* luksformat: invoke udevadm settle between mkfs.vfat and luksClose, to
prevent possible race conditions. This is a workaround. (closes: #601886)
* update lintian-overrides for new lintian from experimental.
* fix spelling mistake in README.Debian thanks to lintian.
* update short and long description for udebs to mention udeb and
debian-installer. This satisfies lintian.
* fix get_resume_device() in initramfs cryptroot hook script to add source
device for decrypt_derived keyscript in case it's not the root device.
Thanks to Robert Lange and mahashakti89 for bugreport. (closes: #592430)
-- Jonas Meurer <mejo@debian.org> Mon, 07 Mar 2011 23:52:13 +0100
cryptsetup (2:1.2.0-1) experimental; urgency=low
* new major upstream release (closes: #603804)
- adds text version of FAQ
- adds new options --use-random and --use-urandom for MK generation
- fixes luksRemoveKey to not ask for remaining keyslot passphrase
- no longer supports luksDelKey command (replaced by luksKillSlot)
- no longer supports reload command, dmsetup reload should be used instead
- adds support to change the UUID later (with --uuid cmd option)
- adds --dump-master-key option for luksDump command
- no luksOpen, luksFormat and create for open devices (closes: #600208)
- remove debian/patches/01_manpage.patch, incorporated upstream
- and many more changes, see upstream changelog for further information
- update debian/libcryptsetup1.symbols
* invoke update-initramfs at cryptsetup removal in order to not leave behind
a broken initramfs. thanks to ubuntu for the hint.
* link dynamically against libgcrypt11 and libgpg-error0 now that the
libraries have been moved to /lib. add versioned depends for libcryptsetup1
on (libgcrypt >= 1.4.6-2) and libgpg-error0 (>= 1.10-0.1).
* debian/initramfs/cryptroot-script: prereq 'cryptroot-prepare' added in
order to support cryptroot to depend on custom initramfs scripts. thanks
to Marc Haber for the suggestion. (closes: #601311)
* debian/cryptdisks.functions:
+ fix check for ownership and permissions of $key to work with slighly
different output of 'ls -l' with selinux enabled. (closes: #600522)
+ fix $TRIES implementation to support TRIES=0 again. (closes: #602501)
* change 'echo -e' to 'printf' in debian/initramfs/cryptroot-script. thanks
to checkbashisms script devscripts for spotting that bashism.
* add a libcryptsetup1-udeb library package for debian-installer in order to
satisfy cryptsetup-udeb dependencies with dynamically linked binary.
Version the build-depends on libgcrypt11-dev to (>= 1.4.6-3), to satisfy
udeb library dependencies.
* change 'XC-Package-Type: udeb' to 'Package-Type: udeb' in debian/control
* add debian/cryptsetup.apport from Ubuntu, install only for dist=Ubuntu.
build-depends on dpkg-dev (>= 1.15.1) is required for this to work.
-- Jonas Meurer <mejo@debian.org> Sun, 16 Jan 2011 01:01:03 +0100
cryptsetup (2:1.1.3-4) unstable; urgency=high
* bump standards-version to 3.9.1, no changes required
* add patches/01_manpage_units: mention units (512b sectors) for -o option
in man page. (closes: #584174)
* move cryptdisks_st* scripts from /usr/sbin to /sbin, add symlinks for
compatibility reasons. thanks to Mario 'BitKoenig' Holbe. (closes: #589800)
* add decrypt_keyctl keyscript and initramfs hook from Michael Gebetsroither,
which supports to cache a passphrase for later use. (closes: #563961)
* invoke /sbin/lvm with full path in cryptroot initramfs script. thanks to
Bernd Zeimetz. (closes: #597648)
* print out a warning at initramfs cryptroot hook in case that detection of
canonical device failed. (closes: #594092)
* add manpage fixes, thanks to Stephen Gildea for patch. (closes: #598237)
* fix deprecated ext2 wrapper checkscript to succeed for ext2, ext3, ext4
and ext4dev filesystems. (closes: #595331)
* again remove duplicates from debian/NEWS.
* truncate trailing spaces for some variables at initramfs cryptroot hook.
* remove volume group -guessing magic from initramfs scripts and hooks,
instead activate all available lvm volume groups. thanks to Christoph
Anton Mitterer for the suggestion. (closes: #554506, #591626)
* remove /etc/bash_completion.d from debian/cryptsetup.dirs
* set urgency=high as this upload fixes two release-critical bugs.
-- Jonas Meurer <mejo@debian.org> Thu, 04 Nov 2010 20:36:45 +0100
cryptsetup (2:1.1.3-3) unstable; urgency=low
* fix usage of new variable $DEFAULT_LOUD, and some cosmetical changes.
thanks to Mario 'BitKoenig' Holbe. (closes: #589029)
-- Jonas Meurer <mejo@debian.org> Thu, 22 Jul 2010 12:56:01 +0200
cryptsetup (2:1.1.3-2) unstable; urgency=low
* introduce new $INITSTATE 'manual' for cryptdisks_st* scripts. that way,
noauto devices are processed again by cryptdisks_st* scripts.
(closes: #588697, #588698, #589153, #589798)
* introduce new variable $DEFAULT_LOUD. now the 'loud' option in crypttab
affects only the device in question. thanks to Mario 'BitKoenig' Holbe.
* introduce new crypttab option 'quiet' which overwrites and unsets the
'loud' option. thanks to Mario 'BitKoenig' Holbe. (closes: #589029)
-- Jonas Meurer <mejo@debian.org> Wed, 21 Jul 2010 10:42:49 +0200
cryptsetup (2:1.1.3-1) unstable; urgency=low
* new upstream release:
- fix device alignment ioctl calls parameters for archs like ppc64.
- fix activate_by_* API calls to handle NULL device name as documented
- fix udev support for old libdevmapper with not compatible definition
* fix rm_lo_setup() in cryptdisks.functions for failed device setup. thanks
to Roger Pettersson. (closes: #581712)
* add X-Stop-After headers to cryptdisks(-early) initscripts. this fixes
shutdown process for system without encrypted rootfs at least. thanks to
Alfredo Finelli. (closes: #575652)
* more merges from ubuntu, thanks to and Steve Langasek (closes: #575024):
- debian/cryptdisk.functions: initially create the device under a temporary
name and rename it only at the end using 'dmsetup rename', to ensure that
upstart/mountall doesn't see our device before it's ready to go.
LP: #475936.
- cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for
changing the permissions of the filesystem root, not directly on /tmp,
since mounting on /tmp a) is racy, b) confuses mountall something fierce.
LP: #475936.
* fix manpage checkscripts documentation. clarify that both cryptdisks and
cryptroot invoke checkscripts. thanks Christoph Anton Mitterer.
* remove quotes from $KEYSCRIPT invokation, thanks Alexandre Rossi.
(closes: #585099)
* fix support for commandline options to mkfs in luksformat. thanks to Eduard
Bloch again for bugreport and patch. (closes: #585787)
* remove duplicates from debian/NEWS, thanks Steve Langasek (closes: 586019)
* improve documentation on environment variables in cryptdisks.default and
crypttab manpage. thanks Christoph Anton Mitterer. (closes: #585664)
* several improvements to (pre)check scripts, inspired by scripts from
Christoph Anton Mitterer (closes: #585418, #585496)
- checkscripts exit with error 1 if executables aren't available.
- ext2, swap and xfs scripts are deprecated and invoke blkid script.
- drop filtering of minix filesystem in blkid, util-linux 2.17.2 in debian
- remove *vol_id check scripts, vol_id isn't available in debian any longer
- don't use sed in *blkid check scripts any longer
* fix initramfs/cryptroot-hook to canonicalize $device in get_resume_devices
function. this should really weed out all duplicates. (closes: #586122),
and catch all udev/device-mapper symlink setups as well (closes: #554506)
* bash-completion file now in pck bash-completion (closes: #586299, #586162)
* add a paragraph about the boot order of init scripts to README.Debian,
describing the current catch-22 situation. (closes: #576646)
* initscripts and cryptdisks_st* no longer silently quit in case that include
file /lib/cryptsetup/cryptdisks.functions is missing. (closes: #587220)
* fix cryptdisks-early LSB headers to restore legacy boot sequence order.
mdadm-raid was started before cryptdisks-early. (closes: #587224)
* cryptdisks initscript now raises a warning for failed started devices, and
cryptdisks-early initscript raises a warning for failed stopped devices.
this makes the initscript actions far more transparent to users. same holds
for cryptdisks_st*. thanks to Christoph Anton Mitterer. (closes: #587222)
* remove lintian overrides init.d-script-should-depend-on-virtual-facility
as lintian lintian 2.4.2 has fixed #580082.
* bump standards-version to 3.9.0, remove version information from replaces/
provides/conflicts against cryptsetup-luks, change conflicts against
hashalot (<= 0.3-1) to breaks hashalot (<< 0.3-1) and add replaces.
* fix loads of typos, thanks to Christoph Anton Mitterer. (closes: #588068)
* update copyright years and list Milan Broz in debian/copyright
-- Jonas Meurer <mejo@debian.org> Sat, 10 Jul 2010 14:32:40 +0200
cryptsetup (2:1.1.2-1) unstable; urgency=low
* new upstream release, changes include:
- Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
(closes: #583397)
- Add verbose log level and move unlocking message there.
- Remove device even if underlying device disappeared (remove, luksClose).
(closes: #554600, #574126)
- Fix (deprecated) reload device command to accept new device argument.
* merged from ubuntu:
- if plymouth is present in the initramfs, use this directly, bypassing
the cryptsetup askpass script
- start usplash in initramfs, since we need it for fancy passphrase input
- Set FRAMEBUFFER=y in cryptroot-conf, to pull plymouth into the initramfs
- debian/initramfs/cryptroot-hook: Properly anchor our regexps when
grepping /etc/crypttab so that we don't incorrectly match device names
that are substrings of one another.
- debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot
file descriptor to subprocesses.
* sync list of supported filesystems in passdev.c and cryptpassdev-hook
* fix debian/watch file to work with updated code.google.com download page
* stop building and shipping static libs (closes: #583387, #583471)
* improve documentation on (pre)checks in manpage. (closes: #583568, #583567)
* remove xfs and ext2 check scripts documentation from crypttab manpage,
blkid script can be used. thanks Christoph Anton Mitterer (closes: #583570)
-- Jonas Meurer <mejo@debian.org> Tue, 01 Jun 2010 15:37:50 +0200
cryptsetup (2:1.1.1-1) unstable; urgency=low
* new upstream release, changes include:
- detects and uses device-mapper udev support if available
- fix luksOpen reading of passphrase on stdin if "-" keyfile specified
- fix isLuks to initialise crypto backend (closes: #578979)
- fix luksClose operation for stacked DM devices
* remove all patches, they have all been merged upstream
* redirect output of copy_exec in add_device() from initramfs cryptroot
hook to stderr. fixes verbose run of mkinitramfs. (closes: #574163)
* acknowledge NMU. thanks to maximilian attems. (closes: #576488)
* change default for random key from /dev/random to /dev/urandom in
README.Debian, extend explanation. (closes: #579932)
* add comment to crypttab manpage about how to disable (pre)checks.
(closes: #574948)
* fix cryptdisks.functions to print cryptsource and crypttarget again at
the passphrase prompt. (closes: #578428)
* reorder build-depends, add pkg-config, change automake1.9 to automake
* add new lintian overrides
* switch to new dpkg source format "3.0 (quilt)", use upstream bzip tarball
* add ${misc:Depends} to depends for libcryptsetup-dev
* remove UID checks from initscripts, as these aren't meant to be invoked by
users anyway, and the UID checks introduced dependency on /usr filesystem.
* use grep -s for /etc/fstab in initramfs/cryptroot-hook. (closes: #580756)
* note that fs modules fore passdev devices need to be added to initramfs
in README.initramfs (closes: #580898)
* merged from ubuntu:
- Fix grammar error in debian/initramfs/cryptroot-script (closes: #581973)
* add busybox to suggests, thanks to martin michlmayr. (closes: #582914)
-- Jonas Meurer <mejo@debian.org> Wed, 26 May 2010 23:38:01 +0200
cryptsetup (2:1.1.0-2.1) unstable; urgency=low
* Non-maintainer upload.
[ Martin Pitt ]
* debian/initramfs/cryptroot-script: (closes: #576488)
- Source /scripts/functions after checking for prerequisites.
- prereqs(): Do not assume we are running within initramfs, and calculate
relative path correctly.
-- maximilian attems <maks@debian.org> Thu, 08 Apr 2010 01:37:17 +0200
cryptsetup (2:1.1.0-2) unstable; urgency=low
* fix version in NEWS.Debian: 2:1.1.0~rc2-1 instead of 2:1.0.7-3.
* remove 'NOT RELEASED YET' from 2:1.1.0-1 changelog
* capitalize names in changelog
* mention the old default plain mode in changelog and NEWS, add a note that
debian-installer setups can ignore the warning, and warn for plain dm-crypt
mappings in crypttab that don't have set cipher, hash and size.
(closes: #573103, #573261)
-- Jonas Meurer <mejo@debian.org> Tue, 16 Mar 2010 13:44:50 +0100
cryptsetup (2:1.1.0-1) unstable; urgency=low
* new upstream stable release (1.1.0), notable changes since rc2:
- default key size for LUKS changed from 128 to 256 bits
- default plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256
- key slot and key diggest iteration minimum set to 1000
- convert hash name to lower case in header
* update patch 02_manpage
* add more supported filesystems to passdev.c, isofs->iso9660. thanks to
Christoph Anton Mitterer. (closes: #557405)
* update to standards-version 3.8.4, no changes needed
* accept spaces in $opts at postinst script. (closes: #559184)
* set extended $PATH in cryptdisks.functions. thanks to Christoph Anton
Mitterer. (closes: #557329)
* fix huge initramfs for archs which don't have kernel/arch directory.
thanks to martin michlmayr for bugreport and patch. (closes: #559510)
* support commandline options to mkfs in luksformat. thanks to Eduard
Bloch for bugreport and patch. (closes: #563975)
* extend error messages for evms setup in cryptroot-script
* add 03_luksAddKey.patch, to not verify unlocking passphrase in luksAddKey
command. (closes: #570418)
* add 04_crypto_init.patch, to properly initialise crypto backend in header
backup/restore commands.
* change build-dependency on cvs to new autopoint package (closes: #572463)
* rename decrypt_gpg keyscript to decrypt_gnupg, improve it based on ideas
by Christoph Anton Mitterer, mention the keyscript rename in NEWS.Debian.
Also, provide a initramfs cryptgnupg hook script. Thanks to Christoph
Anton Mitterer for bugreport and ideas. (closes: #560034)
* check for root privileges with '/usr/bin/id -u' in init scripts and
cryptdisks_{start|stop}. (closes: #563162)
-- Jonas Meurer <mejo@debian.org> Mon, 08 Mar 2010 14:15:35 +0100
cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low
* new upstream release candidate (1.1.0-rc2), highlights include:
- new libcryptsetup API (documented in libcryptsetup.h)
- luksHeaderBackup and luksHeaderRestore commands (closes: #533643)
- use libgcrypt, enables all gcrypt hash algorithms for LUKS through
-h luksFormat option (closes: #387159, #537385)
- new --master-key-file option for luksFormat and luksAddKey
- use dm-uuid for all crypt devices, contains device type and name now
(closes: #548988, #549870)
- command successful messages moved to verbose level (closes: #541805)
- several code changes to improve speed of luksOpen (closes: #536415)
- luksSuspend and luksResume commands
* remove unneeded patches 03_read_rework and 04_no_stderr_success, update
02_manpage for new upstream release candidate.
* update patch to comply with DEP-3 (http://dep.debian.net/deps/dep3/)
* fix initramfs/cryptroot-hook to support setups where /dev/mapper/ contains
symlinks to devices at /dev/dm-*. the lvm2/device-mapper packages had
defaults changed to this temporary. it has been fixed in a subsequent
upload of lvm2 in the meantime, but still it's not a bad idea to be
prepared for such setups in the future. that way cryproot now supports
/dev/dm-* devices as well. (closes: #532579, #544487, #544773)
* fix initscript dependencies both for cryptdisks and cryptdisks-early.
thanks to Petter Reinholdtsen for bugreport and patch. (closes: #548356)
* finally change default behaviour of initscripts/cryptroot-hook to include
all available crypto modules into the initramfs. this change should fix
any problems with cryto modules missing from the initramfs. announce the
change in NEWS.Debian. (closes: #547597)
* add error messages to lvm detecting code in initramfs/cryptroot-script
in order to make debugging easier. (closes: #541248)
* implement detection of devices which are required by decrypt_derived
keyscript in initscripts/cryptroot-hook. that way setups where encrypted
swap has the key derived from non-root partitions should support suspend/
resume as well. (closes: #475838)
* remove outdated documentation from the source package: CryptoRoot.HowTo,
CheckSystem.Doc
* mention in README.initramfs that busybox is required for cryptroot to work
* stop creating /etc/keys in postinst maintainer script.
* update build system to include library files again: (closes: #480157)
- split into three packages: cryptsetup, libcryptsetup1, libcryptsetup-dev
- rename preinst to cryptsetup.preinst, copy code to create /etc/crypttab
skeleton into cryptsetup-udeb.preinst.
- build with --enable-shared and --enable-static for libcryptsetup.a
- create debian/libcryptsetup1.symbols with help of dpkg-gensymbols
* add debian/cryptsetup.lintian-override for two false positives
* raise build-depends on debhelper and debian/compat for that reason
* update README.remote to work with latest dropbear package. thanks to
debian@x.ray.net.
* make all crypttab fields available to keyscripts as environment variables.
thanks to ludwig nussel from suse for idea and implmentation. document
this in crypttab(5) manpage. impelement the same environment variables in
initramfs cryptroot script.
* fix formatting errors in crypttab(5) manpage.
-- Jonas Meurer <mejo@debian.org> Thu, 15 Oct 2009 19:26:14 +0200
cryptsetup (2:1.0.7-2) unstable; urgency=low
* add a paragraph to the cryptsetup manpage that mentions /proc/crypto as
source for available crypto ciphers, modes, hashs, keysizes, etc.
(closes: #518266)
* fix luksformat to check for mkfs.$fs both in /sbin and /usr/sbin. thanks
to Jon Dowland. (closes: #539734)
* mention era eriksson as author of the typo fixes for manpage (submitted as
bug #476624) in changelog of cryptsetup 2:1.0.6-3. (closes: #541344)
* bump standards-version to 3.8.3. no changes needed.
* add 04_no_stderr_success.patch, which adds an option to suppress success
messages to stderr. don't apply the patch as this already has been fixed
upstream in another way. next cryptsetup release will print the command
successful message to stdout only if opt_verbose is set.
* add checkscripts blkid and un_blkid for the reason that vol_id will be
removed from udev soon. advertise the new scripts at all places that
mentioned vol_id or un_vol_id before.
* add /usr/share/bug/cryptsetup which adds /proc/cmdline, /etc/crypttab,
/etc/fstab and output of 'lsmod' to bugs against cryptsetup.
* add debian/README.remote, which describes how to setup a cryptroot system
with support for remote unlocking via ssh login into the initramfs. Thanks
to debian@x.ray.net for writing it down.
* update debian/copyright for current format from dep.debian.net/deps/dep5
* add chainiv, cryptomgr and krng to standard list of modules in initramfs
cryptroot hook. (closes: #541835)
* add a section describing LUKS header backups and related security
implications to README.Debian. a tool to automate this task should not be
distributed at all. (closes: #432150)
-- Jonas Meurer <mejo@debian.org> Tue, 01 Sep 2009 12:38:02 +0200
cryptsetup (2:1.0.7-1) unstable; urgency=low
* new upstream release, highlights include (diff from ~rc1):
- allow removal of last slot in luksRemoveKey and luksKillSlot
- eject unsupported --offset and --skip options for luksFormat
* make passdev accept a timeout option, thanks to Evgeni Golov for the patch.
(closes: #502598)
* finally add the cryptsource delay implementation from ubuntu, as it seems
to workaround some issues where appearance of the root device takes longer
than expected. (closes: #488271)
* execute udev_settle before $cryptremove if $cryptcreate fails at
setup_mapping() in the initramfs cryptroot script. it seems like a short
delay and/or udev_settly is needed in between of 'cryptsetup create' and
'cryptsetup remove'. thanks to Gernot Schilling for the bugreport.
(closes: #529527)
* talk about /dev/urandom instead of /dev/random in crypttab manpage.
(closes: #537344)
* check for $IGNORE before check_key() in handle_crypttab_line_start()
* rewrite error code handling:
- return 1 for errors in handle_crypttab_line_{start|stop}
- handle_crypttab_line_... || true needed due to set -e in initscript
- check for exit code of handle_crypttab_line_{start<stop} in
cryptdisks_{start|stop}, exit with proper status code (closes: #524173)
* add a counter to the while loop in cryptdisks_{start|stop}, in order to
detect if $dst was not found in crypttab. (closes: #524485)
* check for keyscript in the new location in initramfs/cryptopensc-hook.
* add README.opensc to docs, thanks to Benjamin Kiessling for writing it.
(closes: #514538)
* add patches/03_rework_read.patch [rework write_blockwise() and
read_blockwise()], but don't apply it yet as it's still experimental.
applying it will increase the speed of luksOpen.
-- Jonas Meurer <mejo@debian.org> Thu, 30 Jul 2009 17:41:16 +0200
cryptsetup (2:1.0.7~rc1-2) unstable; urgency=low
* flag the root device with rootdev option at /conf/conf.d/cryptroot in
initramfs hook, check for that flag before adding ROOT=$NEWROOT to
/conf/param.conf in initramfs script. that should prevent the initramfs
script from adding ROOT=$NEWROOT for resume devices. (closes: #535801)
-- Jonas Meurer <mejo@debian.org> Wed, 15 Jul 2009 11:44:45 +0200
cryptsetup (2:1.0.7~rc1-1) unstable; urgency=low
* new upstream release candidate, highlights include:
- use better error messages if device doesn't exist or is already used by
other mapping (closes: #492926)
- check device size when loading LUKS header
- add some error hint if dm-crypt mapping failed (key size and kernel
version check for XTS and LRW mode for now) (closes: #494584)
- display device name when asking for password
- retain readahead of underlying device, if devmapper version supports it
- set UUID in device-mapper for LUKS devices
- define device-mapper crypt UUID maximal length and check for its size
- add some checks for error codes, fixes warning: ignoring return value...
- update LUKS homepage in manpage to code.google.com/p/cryptsetup
* patches/01_fix_make_distclean.patch: removed, incorporated upstream
* patches/02_manpage.patch: updated, mostly incorporated upstream
* remove invokation of ./setup-gettext.sh from debian/rules.
* set $PATH in checks/xfs. Required to make /usr/sbin/xfs_admin work at early
boot stage. Thanks to Stefan Bender. (closes: #525118)
* update path to docbook-xsl stylesheet in debian/rules to
/usr/share/xml/docbook/stylesheet/docbook-xsl/. Add versioned build-depends
to docbook-xsl (>= 1.74.3+dfsg) for that reason.
* fix bashisms in scripts/decrypt_opensc, thanks to Raphael Geissert.
(closes: #530060)
* fix UUID and LABEL handling for cryptroot, thanks to Kees Cook and ubuntu.
(closes: #522041)
* add ROOT=$NEWROOT to /conf/param.conf in cryptroot initramfs script. This
is required for lilo to find the correct root device. Thanks to Pyotr
Berezhkov and Christian Schaarschmidt. (closes: #511447, #511840)
* replace mini autogen.sh with autoreconf in debian/rules. Thanks to Bastian
Kleineidam. (closes: #522798)
* support escaped newlines in askpass.c, thanks to Kees Cook and ubuntu.
(closes: #528133)
* use the same passphrase prompt in init script and initramfs script
* mention the incoherent behaviour of cryptsetup create/luksOpen with invalid
passwords/keys in cryptsetup manpage. (closes: #529359)
* bump standards-version to 3.8.2, no changes required.
* add 'X-Interactive: true' LSB-header to initscripts.
* fix bash_completion script to use 'command ls'. that way it now works with
aliased ls as well. thanks to Daniel Dehennin. (closes: #535351)
-- Jonas Meurer <mejo@debian.org> Sat, 04 Jul 2009 15:52:06 +0200
cryptsetup (2:1.0.6+20090405.svn49-1) unstable; urgency=low
* New upstream svn snapshot. Highlights include:
- Uses remapping to error target instead of calling udevsettle for
temporary crypt device. (closes: #514729, #498964, #521547)
- Removes lots of autoconf stuff as it's generated by autogen.sh anyway.
- Uses autopoint in build process, thus needs to Build-Depend on cvs.
- Fixes signal handler to proper close device.
- Wipes start of device before LUKS-formatting.
- Allows deletion of key slot with it's own key. (closes: #513596)
- Checks device mapper communication and gives proper error message in
case the communication fails. (closes: #507727)
* Update debian patches accordingly:
- Remove obsolete patches 01_gettext_package and 03_check_for_root
- Update patch 02_manpage
* Add missing newlines to some error messages in passdev.c. Thanks to
Christoph Anton Mitterer for bugreport and patch. (closes: #509067)
* Move keyscripts in initramfs from /keyscripts to /lib/cryptsetup/scripts
for the sake of consistency between initramfs and normal system. Document
this change in NEWS.Debian. (closes: #509066)
* Fix $LOUD in cryptdisks.init and cryptdisks.functions to take effect. Add
LOUD="yes" to cryptdisks_start. (closes: #513149)
* cryptdisks_{start,stop}: print error message if no entry is found in
crypttab for the given name.
* Actually fix watchfile to work with code.google.com.
* Update Homepage field to code.google.com URL. (closes: #516236)
* Fix location of ltmain.sh, build-depend on versioned libtool.
(closes: #521673, #522338)
* Some minor changes to make lintian happy:
- use set -e instead of /bin/sh -e in preinst.
- link to GPL v2 in debian/copyright
* Bump standards-version to 3.8.1, no changes needed.
* Fix a typo in NEWS.Debian. (closes: #522387)
* Taken from ubuntu:
- debian/checks/un_vol_id: dynamically build the "unknown volume type"
string, to allow for encrypted swap, (closes: #521789, #521469). Fix
sed to replace '/' with '\/' instead of '\\/' in device names.
- disable error message 'failed to setup lvm device' (LP 151532).
-- Jonas Meurer <mejo@debian.org> Mon, 06 Apr 2009 08:49:14 +0200
cryptsetup (2:1.0.6-7) unstable; urgency=medium
* Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE
in configure.in.
* Support keyfiles option in bash completion. Thanks to Stefan Goebel for
the patch. (closes: #499936)
* Update patches/02_manpage.patch: Fix the documnetation of default cipher
for LUKS mappings. (closes: #495832)
* Update debian/watch file to reflect the move of project home to
code.google.com.
* Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of
cryptdisks.functions. This way, cryptdisks_start/stop work even with
$CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643)
* Add force-start to cryptdisks(-early).init in order to support starting
noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779)
* Document how to enable remote device unlocking via dropbear ssh server
in the initramfs during boot process. Thanks to Chris <debian@x.ray.net>
for the great work. (closes: #465902)
* Completely remove support and documentation of the timeout option,
document this in NEWS.Debian. (closes: #495509, #474120)
* Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene Wagner.
(closes: #499704)
* Fix initramfs/cryptpassdev-hook to check for passdev instead of mountdev.
Thanks to Christoph Anton Mitterer.
* cryptdisks.functions:
- Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot initramfs
script already supports keyscripts without path as argument. Thanks to
Christoph Anton Mitterer.
* README.initramfs:
- Remove the mention of bug #398302 from the section about suspend/resume,
as this bug has been fixes for some time now.
- Remove step 6 (mkswap) from the section about decrypt_derived, as it was
superfluous. Thanks to Helmut Grohe. (closes: #491867)
* Fix initramfs/cryptroot-script to use the lvm binary instead of vgchange.
Thanks to Marc Haber. (closes: #506536)
* Make get_lvm_deps() recursive in initramfs/cryptroot-hook. This is required
to detect the dm-crypt device in setups with more than one level of device
mapper mappings. For example if LVM is used with snapshots on top of the
dm-crypt mapping. Thanks to Christian Jaeger for bugreport and patch, Ben
Hutchings and Yves-Alexis Perez for help with debugging. (closes: #507721)
* urgency=medium due to several important fixes.
-- Jonas Meurer <mejo@debian.org> Wed, 17 Dec 2008 21:25:45 +0100
cryptsetup (2:1.0.6-6) unstable; urgency=high
* Don't cat keyfile into pipe for do_noluks(). cryptsetup handles
--key-file=- different for luks and plain dm-crypt mappings. This time
really (closes: #493848). Thus again upload with urgency=high.
-- Jonas Meurer <mejo@debian.org> Sat, 09 Aug 2008 13:36:31 +0200
cryptsetup (2:1.0.6-5) unstable; urgency=high
* Fix watch file to not report -pre and -rc releases as superior.
* Remove the global var $SIZE from cryptdisks.functions again but keep the
extended value checks.
* Remove the udev rules file also in preinst, code taken from example at
http://wiki.debian.org/DpkgConffileHandling. Thanks Marco d'Itri.
(closes: #493151)
* Remove duplicated configuration of --key-file in $PARAMS at do_noluks().
(closes: #493848).
* Invoke mount_fs() and umount_fs() in cryptdisks_start, add
log_action_begin_msg() and log_action_end_msg() to both cryptdisks_start
and cryptdisks_stop.
* Copy fd 3 code from do_start and do_stop to cryptdisks_start and
cryptdisks_stop to fix "keyscript | cryptsetup". (closes: #493622)
* This upload fixes two RC bugs, thus upload with severity=high.
-- Jonas Meurer <mejo@debian.org> Wed, 06 Aug 2008 10:19:21 +0200
cryptsetup (2:1.0.6-4) unstable; urgency=medium
[ David Härdeman ]
* Make sure $IGNORE is reset as necessary, patch by Thomas Luzat
<thomas@luzat.com> (closes: #490199)
* Use askpass in init scripts as well (closes: #489033, #477203)
[ Jonas Meurer ]
* Don't copy_exec libgcc1 in cryptopensc initramfs hook, as it's already
copied by copy_exec /usr/sbin/pcscd automaticly. Thanks to Evgeni Golov
<sargentd@die-welt.net>. (closes: #490300)
* Remove the udev rules file again as the relevant rules are now provided
by dmsetup package which cryptsetup depends on.
* Add splashy support to askpass, thanks to John Hughes <john@calva.com>
for the patch. (closes: #492451) The support is limited to cryptroot
though, as splashy freezes for passphrase input dialogs from initscripts.
Document that in README.Debian.
* Now that askpass is used as keyscript for interactive mode, it's not
necessary to set cryptsetup parameter '--tries=$TRIES' and TRIES=1 for
interactive mode anymore in cryptdisks.functions.
* Implement special treatment for random passphrases now that we use
"--key-file=-" for all situations. Only necessary in do_noluks.
* Fix the passphrase prompt string in initramfs/cryptroot.script to use
$cryptsource instead of $cryptsources.
* Major documentation cleanup for lenny:
- Rewrite CryptoSwap.HowTo in README.Debian, remove CryptoSwap.HowTo.
- Refer to README.initramfs instead of CryptoRoot.HowTo for encrypted root
filesystem in README.Debian.
- Remove outdated docs CryptoRoot.HowTo, usbcrypto.udev and gen-old-ssl-key
as well as the decrypt_old_ssl keyscript.
- Remove debian/TODO, didn't have any useful content anyway.
- Fix section ''9. The "decrypt_derived" keyscript'': Add swap option to
the example line for crypttab and other minor fixes. Thanks to
Helmut Grohne <helmut@subdivi.de>. (closes: #491867)
* urgency=medium since important (#492451) and security (#477203) bugs get
fixed by this upload.
-- Jonas Meurer <mejo@debian.org> Mon, 28 Jul 2008 00:21:44 +0200
cryptsetup (2:1.0.6-3) unstable; urgency=low
[ Jonas Meurer ]
* Fix cryptdisks.functions to actually recognize the noauto option. Thanks
to Christian Pernegger <pernegger@gmail.com> (closes: #483882)
* Update patches/02_manpage.patch:
- fixes two more typos, thanks to and Era Eriksson <era@iki.fi> for the
patch, and Bruno Barrera Yever <bbyever@gmail.com> for forwarding it
to the bts (closes: #476624)
- removes a duplicate sentence
* Rephrase "Enter password for $crypttarget" to "Enter password to unlock
the disk $cryptsource ($crypttarget)" in initramfs/cryptroot.script.
* Bump Standards-Version to 3.8.0:
- Add a README.source which references /usr/share/doc/quilt/README.source.
- Add support for debian build option parallel=n to debian/rules.
* Add a udev rules file to ignore temporary-cryptsetup-* devices, as
suggested in bug #467200. Thanks to Sam Morris <sam@robots.org.uk>.
* Transform debian/copyright into machine-readable code as proposed in
http://wiki.debian.org/Proposals/CopyrightFormat. Update and add several
copyright notices.
* Change reference to docbook xml v4.2 driver file from an online version
to a local one in the manpage files, as the build process should not
depend on internet access. Add docbook-xml to build-depends. Thanks to
Lucas Nussbaum <lucas@lucas-nussbaum.net>. (closes: #487056)
[ David Härdeman ]
* Hopefully fix askpass to properly handle console and usplash input
(closes: #477203)
* Clarify crypttab manpage (closes: #487246)
* Make regex work if keyfile has extended attributes,
https://launchpad.net/bugs/231339 (closes: #488131)
* Support comments in options part of crypttab (closes: #488128)
-- Jonas Meurer <mejo@debian.org> Mon, 07 Jul 2008 00:30:07 +0200
cryptsetup (2:1.0.6-2) unstable; urgency=low
[ Jonas Meurer ]
* Taken from ubuntu:
- debian/scripts/luksformat: Use 256 bit key size by default. (LP: #78508)
- debian/patches/02_manpage.patch: Clarify default key sizes (128 for
luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508)
* Use 'shred -uz' instead of 'rm -r' to remove a tempfile that contains a
key in gen-ssl-key example script.
[ David Härdeman ]
* Misc bugfixes to askpass, make sure it is installed to the correct
location and is built using pedantic mode.
* Change the initramfs script to use askpass to prompt for
passphrases, this should hopefully fix #382375 and #465902 once it
is enabled in the init scripts as well.
* Add a keyscript called passdev which allows a keyfile to be
retrieved from a device which is first mounted, mainly useful to get
keyfiles off USB devices etc.
* Unbreak MODULES=dep booting (closes: #478268)
* Relax checks for suspend devices a bit (closes: #477658)
* Convert man pages to docbook.
-- David Härdeman <david@hardeman.nu> Mon, 26 May 2008 08:12:32 +0200
cryptsetup (2:1.0.6-1) unstable; urgency=low
[ Jonas Meurer ]
* new upstream release
- reload option is deprecated and a warning is printed. (closes: #428288)
* convert patch system from dpatch to quilt.
* enhance the information regarding the default hash setting in NEWS.Debian.
Thanks to Ross Boylan <ross@biostat.ucsf.edu>.
* change author of keyslot patch to Marc Merlin in changelog, thanks to
U. Kuehn for raising that issue.
* doing some debian/rules redesign and cleanup, speeds up the build process.
* ignore devices with the noauto option early enough to prevent any checks
on them. Thanks to Joachim Breitner <nomeata@debian.org> (closes: #464672)
* update debian/copyright to actually mention copyright, thanks lintian.
* change script=$(basename $req) to script=${req##*/} in initramfs cryptroot
script. Thanks to Adeodato Simó <dato@net.com.org.es>. (closes: #466240)
* change test ... -a ... to [ ... ] && [ ... ] in the check scripts.
* add support for tries option to initramfs scripts. Thanks to Helmut Grohne
<helmut@subdivi.de>. (closes: #430158, #469869) Use --tries=1 for
cryptsetup in the initramfs script. Document the difference between
initscript and initramfs for tries=0 in the crypttab manpage.
* add, build and install askpass.c, a helper program by David Härdeman. The
idea is to use it for passphrase prompt in the initramfs script.
[ David Härdeman ]
* Work with LABEL=, UUID= and symlinks in /etc/fstab (closes: #466175)
* Improve module loading in initramfs hook so that the newer as well
as arch specific crypto drivers are taken into consideration
(closes: #464673)
* Depend on race-free version of libdevmapper, thus making udevsettle
call from cryptsetup binary unnecessary. Also change call to
udevsettle in initramfs script (which is still useful as it related
to the source device) to optionally use udevadm if present (closes:
#456326).
-- Jonas Meurer <mejo@debian.org> Mon, 31 Mar 2008 15:58:35 +0200
cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low
* New upstream svn snapshot:
- Adds typo fixes by Justin Pryzby <jpryzby+d@quoininc.com> to cryptsetup.8
manpage.
- Mentions luksKillSlot in the manpage. Thanks to Alexander Heinlein
<alexander.heinlein@web.de>. (closes: #459206)
- Adds the patch by Marc Merlin <marc_www@merlins.org> to support explicit
key slots for luksFormat and luksAddKey. Thanks to U. Kuehn, who figured
out that this patch wasn't applied even though changelog said so.
- Supports adding new keys to active devices again. Thanks to Tobias Frost
<tobi@coldtobi.de> for the bugreport. (closes: #460409)
* Add support for a custom filesystem for /tmp. Patch provided by
Hans-Peter Oeri <hp@oeri.ch>.
* Add X-Start-Before headers to cryptdisks and cryptdisks-early initscripts.
Thanks to Petter Reinholdtsen <pere@debian.org> for report and patch.
(closes: #458944)
* Add support for a noauto option to cryptdisks. Thanks to U Kuehn
<ukuehn@acm.org> for the idea.
* Add typo fixes by Justin Pryzby <jpryzby+d@quoininc.com> to crypttab.5
manpage. (closes: #460994)
* Add a cryptdisks_stop script, corresponding to cryptdisks_start. Thanks to
Joachim Breitner <nomeata@debian.org> for the idea. (closes: #459832)
* Change log_progress_msg to log_action_msg in cryptdisks.functions. That
way a newline is printed after the start of every device. Thanks to Frans
Pop <elendil@planet.nl> for the bugreport. (closes: #461548)
* Add bash_completition script provided by Kevin Locke <kwl7@cornell.edu>.
(closes: #423591)
* Fix a spelling error in the package description: linux -> Linux.
* Fix bashisms in cryptdisks_{start,stop} found by Raphael Geissert
<atomo64+debian@gmail.com>.
* Change the default hash in initramfs scripts from sha256 to ripemd160 for
consistency with cryptsetup default. Add information about that to
NEWS.Debian. Thanks to martin f krafft <madduck@debian.org>.
(closes: #406317)
-- Jonas Meurer <mejo@debian.org> Wed, 30 Jan 2008 09:01:52 +0100
cryptsetup (2:1.0.6~pre1-1) unstable; urgency=low
[ Jonas Meurer ]
* New upstream alpha release 1.0.6~pre1:
- [01_crypt_luksFormat_libcryptsetup.dpatch] removed, applied upstream
- [02_manpage.dpatch] likewise
- [04_fix_unused_or_unitialized_variables.dpatch] likewise
- [05_segfault_at_nonexisting_device.dpatch] likewise
- [06_run_udevsettle.dpatch] update for new upstream
* Disable 03_check_for_root.dpatch. As Ludwig Nussel mentioned on
dm-crypt@saout.de, cryptsetup 1.0.5 already prints out meaningfull errors
if expected permissions are not available. Therefore the check for uid ==
0 is superfluous.
* [06_run_udevsettle.dpatch] Run udevsettle after device-mapper device
creation. Fixes issues with temporary device files in /dev/mapper. Patch
by Reinhard Tartler from Ubuntu. (closes: #444914)
* Add support for offset and skip options to cryptdisks/crypttab. Thanks to
Marc-Jano Knopp. (closes: #446674)
* Update the long description in debian/control. Don't mention kernel 2.6.4
any longer, remove references to /usr/share/doc/cryptsetup/CryptoRoot.HowTo
and mkinitrd.
* Add noearly option to cryptdisks/crypttab, which causes cryptdisks-early
to ignore the entry. Thanks to Joerg Jaspert (closes: #423102)
* Change log_progress_msg "$dst (started)" to device_msg "$dst" "started" in
cryptdisks.functions. Makes console output of cryptdisks more consistent.
* Add cryptdisks_start and patch to cryptdisks.functions by Jon Dowland.
Also add a manpage for cryptdisks_start(8). (closes: #447159)
* Add load_optimized_module() function to cryptdisks.functions. Initial idea
by Reinhard Tartler from Ubuntu, enhanced by David Härdeman.
(closes: #445186)
* Add support for UUID=.. device strings to initramfs cryptroot-hook. Thanks
to Reinhard Tartler from Ubuntu for the patch. (closes: #445189)
* Support UUID=... and LABEL=... device strings in /etc/crypttab. Thanks
to Martin Pitt from Ubuntu for the patch. (closes: #445189)
* Add Vcs-Browser and Vcs-Svn fields to debian/control.
* Fix debian/rules to not fail to build if autom4te.cache is left behind
from a previous incomplete build. Patch again taken from Ubuntu.
* Mention in the crypttab manpage that files are allowed as source. In that
case they are mounted as loopback device automatically. Thanks to
Michal Cihar (closes: #451909)
* At stopping dm-crypt devices really remove the corresponding loopback
device if one has been used. Thanks to Rene Pavlik for report and to David
Härdeman, who had the idea for the fix. (closes: #451916)
* Also remove loopback devices if the cryptsetup device setup fails.
* Document a possible deadlock if cryptsetup is invoked as a 'run programm'
in a udev role. This i related to the invokation of udevsettle in
cryptsetup. Thanks to Dick Middleton for reporting and debugging.
(closes: #444914)
* Move umount_fs() from handle_crypttab_line() to the end of do_start().
* Bump Standards-Version to 3.7.3.0. No changes needed.
* Remove unused litian-override file
* Remove --build $(DEB_BUILD_GNU_TYPE) and --host $(DEB_HOST_GNU_TYPE) from
invocation of ./configure, as they are already included in $(confflags).
-- Jonas Meurer <mejo@debian.org> Thu, 06 Dec 2007 15:56:05 +0100
cryptsetup (2:1.0.5-2) unstable; urgency=low
[ Jonas Meurer ]
* Add libselinux1-dev and libsepol1-dev to build-depends. Detected by
the build daemon from hell by Steinar H. Gunderson. Thanks to Manoj
Srivastava for advice.
* Fix the watchfile
* Fix cryptopensc-hook to honor key=none. Thanks to Daniel Baumann
(closes: #436434)
* Remove outdated README.html and example usbcrypto.* scripts from
documentation. Add example usbcrypto.udev script. Thanks to Volker Sauer
for the update. (closes: #409775)
* Document that stdin is read different with '--key-file=-' than without.
Thanks to Marc Haber. (closes: #418450)
* Document that --timeout is useless in conjunction with --key-file. Thanks
Alexander Zangerl. (closes: #421693)
* [03_check_for_root.dpatch] Check for UID == 0 before actually doing
something. Thanks to Benjamin Seidenberg. (closes: #401766)
* [04_fix_unused_or_unitialized_variables.dpatch] Fix some gcc warnings
about unused or unitialized variables. Thanks to Ludwig Nussel for the
patch.
* [05_segfault_at_nonexisting_device.dpatch] Fix segfault when trying to
open a non existing device. Thanks to Ludwig Nussel for the patch.
(closes: #438198)
* Add CFLAGS="$(CFLAGS)" before ./configure invocation in debian/rules.
This way CFLAGS are passed to the configure script. Thanks to Gordon
Farquharson for the patch. (closes: #438450)
* Add a warning about missing hash option in crypttab to initramfs
cryptoroot hook. Thanks to Sebastian Leske for the patch.
(closes: #438169)
* Add support for openct using data objects on a smartcard as key. Thanks to
Daniel Baumann <baumann@swiss-it.ch> for patch and documentation.
(closes: #438473)
* Polish opensc_decrypt and openct_decrypt.
* Add initramfs patch by maximilian attems. Bump depends on initramfs-tools
to (>= 0.91). (closes: #441428)
* several cleanups to make lintian happy:
- remove #!/bin/sh from cryptsetup.functions as it is not executable.
- remove unused-override configure-generated-file-in-source config.log.
- add some hyphen fixes to patches/02_manpage.dpatch
* Filter out the detection of filesystem type 'minix' in checks vol_id and
un_vol_id if checking for any valid filesystem. The minix fs signature
seems short enough to be detected erroneously by /lib/udev/vol_id.
Thanks to Fredrik Olofsson and arno for the bugreport. (closes: #411784)
* Add Homepage field to debian/control.
-- Jonas Meurer <mejo@debian.org> Mon, 24 Sep 2007 15:42:06 +0200
cryptsetup (2:1.0.5-1) unstable; urgency=low
[ Jonas Meurer ]
* New upstream release, nearly identical to svn snapshot svn29.
* Fix watch file to use cryptsetup instead of cryptsetup-luks.
* Add 01_crypt_luksFormat_libcryptsetup.dpatch - rename luksInit to
luksFormat in libcryptsetup.h.
* Merge some ubuntu changes:
- make luksformat check if filesystem is already mounted to prevent a
strange error message.
- modprobe dm-mod in cryptsetup.functions.
- wait for udev to be settled in initramfs script.
[ David Härdeman ]
* Allow other crypto devices to be setup even if one fails.
(closes: #423100)
* Remove an incorrect warning in postinst.
-- Jonas Meurer <mejo@debian.org> Fri, 27 Jul 2007 04:59:33 +0200
cryptsetup (2:1.0.4+svn29-1) unstable; urgency=low
* New upstream svn snapshot with several bugfixes
- remove 01_tries_fix.dpatch, added upstream
-- Jonas Meurer <mejo@debian.org> Wed, 02 May 2007 02:48:37 +0200
cryptsetup (2:1.0.4+svn26-3) unstable; urgency=low
* Add cryptdevice name to prompt before actually starting it. Thanks
to Joerg Jaspert. (closes: #421803)
-- Jonas Meurer <mejo@debian.org> Wed, 02 May 2007 01:05:22 +0200
cryptsetup (2:1.0.4+svn26-2) unstable; urgency=low
[ David Härdeman ]
* Fix typo in crypttab(5), the ext checkscript is called ext2, not
ext3. (closes: #410390)
* Use the initramfs-tools keymap support instead of our own (requires
initramfs-tools >= 0.87)
* Add support for usplash password prompt (closes: #397981)
* Remove the "ssl" and "gpg" options which are supported by keyscripts
since October 2006 (see NEWS for details).
* Spring cleaning of cryptdisks.functions, now supports multiple tries
for keyscripts and uses lsb logging. (closes: #420105, #383808)
[ Jonas Meurer ]
* Add 01_tries_fix.dpatch, makes the --tries commandline option work
again. (closes: #414326, #412064)
* Document the un_vol_id check script, remove the swap check script from
documentation. The swap check indeed is rather useless, thanks to Frank
Engler <bts.to.FrankEngler@spamgourmet.com>. The script itself is kept
for compability issues. (closes: #406837)
* Add smartcard keyscript and initramfs-tools hooks/scripts. This adds
support for disk encryption with smartcards, even for root disks.
Thanks a lot to Gerald Turner <gturner@unzane.com> for the patch and a
smartcard reader for testing this. (closes: #416528)
* update copyright file: change "program" to "package", and mention GPL
version 2. add a full disclaimer.
* Add "--showkeys" to the dmsetup invocation in decrypt_derived script.
(closes: #420399)
* Fixes in cryptdisks.functions:
- Don't suppress error messages at mount and unmount and don't break
if 'mount $point' fails.
- Fix handling of checks and prechecks, the vars somehow where mixed
- Really use $CHECKARGS if it's defined
- Rename "stopped" to "stopping" for devices which are shutdown at
'cryptdisks stop' (show a difference to already stopped devices).
-- Jonas Meurer <mejo@debian.org> Sat, 28 Apr 2007 20:45:50 +0200
cryptsetup (2:1.0.4+svn26-1) unstable; urgency=high
[ Jonas Meurer ]
* New upstream svn snapshot 1.0.4+svn26
- contains a slightly modified patch by Rob Walker
<rob@tenfoot.org.uk> to fix a sector size error. (closes: #403075)
- fixes a LUKS header corruption on arm, which downgrades bug
#403426 from critical to important.
- prevents password retrying with I/O errors.
* handle chainmode/essiv "plain" correctly in initramfs hook.
Thanks to Leonard Norrgard. (closes: #402417)
* remove 'rm -rf m4' from a clean target in debian/rules.
* urgency=high to get this into etch.
[ David Härdeman ]
* Document the difference in default hash functions between the
initramfs scripts and the plain cryptsetup binary. (closes: #398429)
* Verify symlinks for source devices when initramfs is generated and
correct if necessary. (closes: #405301)
-- Jonas Meurer <mejo@debian.org> Tue, 9 Jan 2007 21:53:06 +0100
cryptsetup (2:1.0.4+svn16-2) unstable; urgency=high
[ David Härdeman ]
* Add cbc to standard list of modules. Thanks to Michael Olbrich
<michael.olbrich@gmx.net>. (closes: #401370)
* Fix support for crypto-on-evms. Thanks to Enrico Gatto
<cat@legnago.linux.it>. (closes: #402417)
[ Jonas Meurer ]
* urgency=high to get this into etch.
-- Jonas Meurer <mejo@debian.org> Thu, 14 Dec 2006 01:41:40 +0100
cryptsetup (2:1.0.4+svn16-1) unstable; urgency=medium
[ David Härdeman ]
* Support adding separate blockcipher modules to initramfs image
(necessary for kernels >= 2.6.19)
* Hashing was previously not done correctly when decrypt_derived was used
[ Jonas Meurer ]
* Add new upstream patch 02_luks_var_keysize.dpatch. Cryptsetup no longer
segfaults with unsupported keysize. (closes: #381973)
* Urgency medium as we really want these fixes in etch.
-- Jonas Meurer <mejo@debian.org> Tue, 28 Nov 2006 18:17:12 +0100
cryptsetup (2:1.0.4-8) unstable; urgency=high
[ Jonas Meurer ]
* Add 'set -e' and 'if ...; then ... fi' to cryptdisks-early as well.
[ David Härdeman ]
* Make sure that a failed modprobe does not break with 'set -e'.
(closes: #398799)
-- Jonas Meurer <mejo@debian.org> Thu, 16 Nov 2006 16:59:35 +0100
cryptsetup (2:1.0.4-7) unstable; urgency=low
[ David Härdeman ]
* Do not try to configure resume devices which we cant get the key for
and also try harder to find resume devices.
(closes: #397887, #397888)
* Kill some more bashisms.
* Only try three times per crypto device in initramfs scripts to avoid
unbootable systems if a swap partition can't be setup.
* Added decrypt_derived keyscript and improved documentation of latest
changes, see README.initramfs for details.
-- Jonas Meurer <mejo@debian.org> Tue, 14 Nov 2006 16:27:51 +0100
cryptsetup (2:1.0.4-6) unstable; urgency=high
[ David Härdeman ]
* Improve LVM dependency checks in initramfs hook. Thanks to Loïc
Minier <lool@dooz.org> for the patch. (closes: #397633, #397651)
-- Jonas Meurer <mejo@debian.org> Thu, 9 Nov 2006 13:55:48 +0100
cryptsetup (2:1.0.4-5) unstable; urgency=high
[ David Härdeman ]
* Make sure that duplicate entries in initramfs do not block the boot
(closes: #397454)
* Do not check for the presence of a key if the keyscript option is
set (closes: #397450)
-- Jonas Meurer <mejo@debian.org> Tue, 7 Nov 2006 18:03:41 +0100
cryptsetup (2:1.0.4-4) unstable; urgency=high
[ David Härdeman ]
* Readd and document the kernel boot argument "cryptopts" due to user
demand
* Implement support for multiple device setup in initramfs.
(closes: #394136, #382280)
* Remove bashisms. (closes: #396092)
* Fix FTBFS by altering dpatch so that it is applied to Makefile.in.in
before configure is executed. (closes: #396126)
[ Jonas Meurer ]
* Only warn for insecure keyfile mode/owner. Add some information about
insecure keys in README.Debian. (closes: #395357, #394134)
-- Jonas Meurer <mejo@debian.org> Fri, 3 Nov 2006 02:22:49 +0100
cryptsetup (2:1.0.4-3) unstable; urgency=medium
[ Jonas Meurer ]
* Suggest dosfstools. Needed for the default settings in luksformat. Thanks
to Loïc Minier <lool@dooz.org>. (closes: #393473)
* Suggest initramfs-tools (>= 0.60) | linux-initramfs-tool as well.
* Still urgency=medium for the same reasons
[ David Härdeman ]
* Change the previous fix for #388871 to use the original patch from
Loïc Minier <lool@dooz.org>. This also removes the bogus UTF8 char.
(closes: #393895)
-- Jonas Meurer <mejo@debian.org> Wed, 18 Oct 2006 23:03:47 +0200
cryptsetup (2:1.0.4-2) unstable; urgency=medium
[ Jonas Meurer ]
* Fix postinst, use 'elif [ -z $foo] || [ -z $bar ]; then ...'
* Fix a typo in cryptdisks.functions, change $opt to $opts for more
consistency with the postinst script.
* Fix mount_fs() in cryptdisks.functions to actually do what we want it to
do. Up to now, the initscript stopped if a mountpoint failed to mount.
* urgency=medium to get cryptsetup 1.0.4 into etch
-- Jonas Meurer <mejo@debian.org> Tue, 17 Oct 2006 16:16:02 +0200
cryptsetup (2:1.0.4-1) unstable; urgency=low
[ David Härdeman ]
* Always update the current initramfs when a new version is installed
* Move the double-ssl decryption into a keyscript and change the ssl
option to use that script instead
* Move the gpg key decryption into a keyscript and change the gpg
option to use that script instead
* Clean up cryptdisks.functions
* Let initramfs-tools know that we need busybox in the initramfs image
* Fix bogus error message from initramfs hook, based on patch by
Loïc Minier <lool@dooz.org>. (closes: #388871)
* Remove the undocumented kernel boot argument "cryptopts"
* Always add some crypto modules/tools to the initramfs image unless
MODULES=dep. (closes: #389835)
* Update README.initramfs.
* Add checks and warnings that the ssl and gpg options are going away
in favour of the keyscript option
* Fix the decrypt_ssl script (closes: #390514)
[ Jonas Meurer ]
* New upstream release.
- [01_terminal_output.dpatch] removed, finally went upstream
- [02_docs_tries.dpatch] removed, went upstream
- [03_fix_build_error.dpatch] renamed to 01_fix_build_error.dpatch
* Fix SYNOPSIS in crypttab(5) manpage to show all arguments as mandatory.
Thanks to Michael Steinfurth.
* Check in postinst for entries with missing arguments in /etc/crypttab.
Warn is one is found. Thanks to Michael Steinfurth (closes: #388083)
* Fix pretest for encrypted swap. Allow unencrypted swap on the source
device. Thanks to Dennis Furey. (closes: #387158)
* Fix posttest for encrypted swap. Don't skip if a swap filesystem is found
on the target device. Thanks to Sam Couter. (closes: #385317)
* Use 'set -e' and 'if [ -r <file> ]; then ...; fi' in init script. Thanks
to Goswin Brederlow. (closes: #390354)
* change '... > &2' to ... >&2' in cryptdisks.functions
-- Jonas Meurer <mejo@debian.org> Mon, 16 Oct 2006 19:22:41 +0200
cryptsetup (2:1.0.4~rc2-1) unstable; urgency=low
[ Jonas Meurer ]
* Add some more german translations to de.po.
* Add a note to NEWS.Debian where the fix for #376393 is explained. thanks
to Robert Bihlmeyer for the report. (closes: #379719)
* Allow swap filesystems to be overwritten when the swap flag is set. thanks
to Raphaël Quinet for the report. (closes: #379771)
* Update to upstream 1.0.4-rc2. (closes: #378422, #379726, closes: #379723)
* removed patches 03-05, merged upstream.
* [01_terminal_output.dpatch] updated for new upstream.
* [02_docs_tries.dpatch] updated for new upstream, to fix luksDelKey
documentation and to give more information about the keysize.
(closes: #379084)
[ David Härdeman ]
* Make sure that README.initramfs is included in the package (closes
#380048)
* Replace panic calls in cryptsetup script with exit 1 to match the
behaviour of other scripts. The regular initramfs script will panic
later when root isn't detected anyway
* Make all four fields in crypttab mandatory (closes: #370180,
#376941)
* Add UTF8 keyboard input support to initramfs image (closes: #379737)
* Add a keyscript option (closes: #370302, #375913)
* [03_fix_build_error.dpatch] patch po/Makefile with more recent
gettext implementation.
-- Jonas Meurer <mejo@debian.org> Mon, 4 Sep 2006 03:55:35 +0200
cryptsetup (2:1.0.3-3) unstable; urgency=low
[ Jonas Meurer ]
* revert the change that for swap devices the vol_id check is run by
default. if the swap partition is encrypted with a random key, the check
will always fail. thanks to Mika Bostrom <bostik@bostik.iki.fi>
(closes: #371135, #371160, #377434)
* fix the vol_id checkscript to do what it's expected to do.
* add the un_vol_id checkscript, which does the reverse of vol_id.
* use 'check=un_vol_id, checkargs=swap' for swap devices per default.
* added do_close function to cryptdisks.functions, as do_swap needs to use
it. up to now, 'cryptsetup remove' was invoked regardless whether the
device contains a LUKS partition or not. this is fixed now too.
* allow custom check scripts. check only if $CHECK exists in
/lib/cryptsetup/checks/ and use the given value as full path otherwise.
* make precheck for no_luks mandatory, fail if any known filesystem is
found.
* update crypttab manpage to reflect the checksystem changes. added an own
section for check scripts. update the CheckSystem documentation.
* update and simplify the gen-ssl-key script, thanks to Markus Nass
<generalstone@gmx.net>
* move gen-ssl-key, decrypt_ssl and luksformat to debian/scripts in the
source.
* add new directory /lib/cryptsetup/scripts/ for key decryption scripts like
decrypt_ssl and decrypt_gpg.
* add 05_fix_pointer_and_int_comparison.dpatch, fixes compiler warnings on
64bit architectures. Thanks to David Härdeman for the patch.
* revert the order of do_start and do_stop at 'cryptdisks restart'. thanks
to Hans Peter Wiedau <hpw@quelltext.com> for pointing out that silly typo.
(closes: #377591)
[ David Härdeman ]
* Support root-on-crypto-on-lvm in the initramfs scripts without
having to change the root variable (closes: #371846)
* If possible, load correct keymap in the initramfs image before any
password prompts (closes: #376393)
-- Jonas Meurer <mejo@debian.org> Mon, 10 Jul 2006 20:01:02 +0200
cryptsetup (2:1.0.3-2) unstable; urgency=low
[ David Härdeman ]
* Add patch by Arjan Oosting <arjanoosting@home.nl) for lvm-on-cryptroot
in initramfs scripts (closes: #362564)
[ Jonas Meurer ]
* install luksformat to /usr/sbin, as it depends on perl (closes: #369923)
* use essiv cipher in luksformat, debian 2.6.16 kernels have essiv support
compiled in (closes: #369878)
* fix cryptsetup output, patch by David Härdeman <david@2gen.com>
(closes: #369575)
* add new check 'vol_id', which uses /lib/udev/vol_id from udev and supports
checks for any known filesystem type. implement a new option checkargs in
cryptdisks for that. suggest udev. closes one half of #370302. thanks to
Markus Nass and Darvid Härdeman for the suggestion.
* always check for a swap partition before running mkswap
* updated README.Debian, Checksystem.Doc and crypttab.5.txt accordingly.
* drop usage of strings from swap check, as it is in /usr/bin. thanks to
Markus Nass.
-- Jonas Meurer <mejo@debian.org> Mon, 5 Jun 2006 18:27:07 +0200
cryptsetup (2:1.0.3-1) unstable; urgency=low
[ Jonas Meurer ]
* new upstream release, 1.0.3 final
- Add alignPayload patch by Peter Palfrader (closes: #358388)
- meaningful exitcodes and password retrying by Johannes Weißl
(closes: #359277)
* add 01_terminal_timeout.dpatch from Andres Salomon <dilinger@debian.org>.
- gets rid of getpass(), which is obsolete according to manpage
- restores the terminal state before doing the timeout (closes: #364153)
* add 02_docs_tries.dpatch, to describe --tries in the cryptsetup manpage.
* add 03_stdin_input.dpatch from David Härdeman <david@2gen.com>,
fixes input from stdin, accepts input with more than 32 characters
(closes: #364529, #365333)
* add 04_status_exit_codes.dpatch from David Härdeman <david@2gen.com>,
fixes the exit codes of 'cryptsetup status'
* provide a cryptsetup-udeb package (closes: #358422)
* remove debian/luksformat.8 in clean target (closes: #358386)
* fix update-rc.d arguments to start cryptdisks in rc0 and rc6.
it is not really started [but stopped], but still the links need to be
named S48cryptdisks. otherwise it will be invoked before umountfs.
* add initramfs cryptroot functionality, thanks to David Härdeman
<david@2gen.com> for the patch (closes: #358452)
* rename /lib/cryptsetup/init_functions to cryptdisks.functions
* move most of /etc/init.d/cryptdisks to cryptdisks.functions.
/etc/init.d/cryptdisks now does not much more than importing
cryptdisks.functions. required for running two seperate cryptdisks
initscripts.
* split the cryptdisks initscript into cryptdisks-early and cryptdisks.
actually both scripts do the same except having slightly different output.
the early script is run before lvm/evms/... are started, and the other one
after they are started. (closes: #363007)
* add support for mount to cryptdisks. this makes it possible to use
keyfiles from removable media. see the crypttab.5 manpage for more
information.
* use upstream cryptsetup tries option instead of the shell code in
cryptdisks. rename cryptdisks 'retry' option to 'tries'.
* document the fact, that the default settings in /etc/default/cryptdisks
take only effect if the relevant option is set without a value in
crypttab. add the environment section to crypttab.5.txt (closes: #364203)
* update the TODO list.
* update crypdisks.default
* run do_swap and do_tmp. Thanks to Riku Voipio <riku.voipio@iki.fi>
(closes: #365633)
* bump Standards-Version to 3.7.2.0, no changes needed
[ David Härdeman ]
* add lvm capabilities to initramfs scripts (closes: #362564)
* add cryptsetup.postinst which executes update-initramfs when
cryptsetup is first installed (not on upgrades)
-- Jonas Meurer <mejo@debian.org> Sat, 13 May 2006 19:45:08 +0200
cryptsetup (2:1.0.2+1.0.3-rc3-1) unstable; urgency=low
[ Jonas Meurer ]
* new upstream release candidate:
- fixes sector size of the temporary mapping (closes: #355156)
- more verbose error logging (closes: #353755, #356288, #258376)
- upstream accepted my patches to the manpage
* fixed spelling error in README.Debian
* removed debian/cryptsetup.sgml, outdated
* ran ispell against doc files in debian/, fixed many typos
* change /usr/share/cryptsetup to /lib/cryptsetup in crypttab.5.txt
(closes: #354910)
* add --build (and maybe even --host) to configure flags, for
cross-compiling
* remove debian/luksformat.8 in clean target
* fix bashism in cryptdisks. thanks to Michal Politowski
<mpol@charybda.icm.edu.pl> (closes: #356484)
* add support for openssl encrypted keys, based on a patch by General Stone
<generalstone@gmx.net> (closes: #350615)
* add some code to support gnupg encrypted keys, some parts are missing.
-- Jonas Meurer <mejo@debian.org> Fri, 17 Mar 2006 00:42:41 +0100
cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low
[ Jonas Meurer ]
* new upstream version 1.0.3-rc2, fixing issues with devmapper
* new upstream version 1.0.3-rc1, doesn't use essiv per default
* new upstream version (1.0.2) released
- add --timeout option for interactive usage
- add --batch-mode option to suppress input verifications
* install local cryptsetup.8 copy instead of the upstream manpage
- mention --readonly as possible option to luksOpen (closes: #353753)
- mention --batch-mode, --timeout, --version
- transform remaining option hyphens from '-' to '\-'
* merged ubuntu patches:
- modify cryptdisks init script to use lsb functions
- add luksformat and a manpage
* removed postinst and postrm, empty scripts
* added a README.Debian and a TODO
* added a NEWS file for Debian, and explain both the upstream transition
from plain cryptsetup to cryptsetup-luks, and the check options for
crypttab.
* install manpages using dh_installman, not with install
* updated CryptoRoot.HowTo, mention /etc/mkinitrd/modules and different
linux-image versions. (closes: #344867)
* removed needless debian/hack
* added debian/watch
* bumped debhelper compat level to 5, add versioned depends on
debhelper (>> 5.0.0)
* update debian/cryptsetup.8 to mention batch-mode and timeout
* updated cryptdisks
- modify init script to use lsb functions, at least where possible
- updated comments for cryptdisks.default
- moved option parsing and setup of loopback devices to seperate functions.
added a new include file /lib/cryptsetup/init_functions with functions
parse_opts, lo_setup, check_key, do_luks, do_noluks, do_swap, do_tmp
- always check for the source device exists before running cryptsetup
- hardcode precheck for LUKS to use 'cryptsetup isLuks'. this is much safer
than allowing other random prechecks, as it manifests that the source
device actually is a LUKS partition.
- don't remove the LUKS device when postcheck fails, as the supplied
password/key is correct anyway.
- use the new 'timeout' commandline option of cryptsetup instead of an
external wrapper
- be silent for not existing devices per default. Implement the loud
option for crypttab to warn if a device does not exist.
- remerge postchecks and prechecks into checks.
- don't disable swap & luks combination, instead disable luks with
/dev/random, /dev/urandom or /dev/hwrandom as key.
- run parse_opts before check_key, to know whether we use luks or not
[ Michael Gebetsroither ]
* converted crypttab.sgml to asciidoc
* added dependencies for asciidoc to manpage conversion
* added developer documentation for a robust checksystem into cryptdisks
-- Jonas Meurer <mejo@debian.org> Sun, 26 Feb 2006 20:04:49 +0100
cryptsetup (2:1.0.1-16) unstable; urgency=low
[ Jonas Meurer ]
* already fixed in 2:1.0.1-14: binaries xor and delay from
usbcrypto.mkinitrd don't exist in debian. replaces with a perl script
and /bin/sleep. thanks to wesley terpstra for the help.
(closes: #324353)
* clean cryptdisks from bashisms (closes: #350360)
* check for /usr/bin/timeout before using it in cryptdisks. First, it's
only available when /usr is mounted, and that is not definitive when
cryptdisks is run at boot time. Second, timeout is a non-essential
debian package, and not neccecarily installed. The usage of
/usr/bin/timeout in any case is only a temporary workaround.
* move /usr/share/cryptsetup to /lib/cryptsetup, as the checks need to be
available at boot time, before local filesystems (like i.e. /usr) are
mounted.
* replace RETRY=`expr $RETRY - 1` with RETRY=$(($RETRY-1)), as expr is in
/usr/bin.
* install init.d script and default file with dh_installinit
(closes: #350548)
* don't build-depend on cvs
-- Jonas Meurer <mejo@debian.org> Mon, 30 Jan 2006 17:54:50 +0100
cryptsetup (2:1.0.1-15) unstable; urgency=low
[ Jonas Meurer ]
* rebuilt with -sa, to include the sources into upload
-- Jonas Meurer <mejo@debian.org> Fri, 27 Jan 2006 18:18:46 +0100
cryptsetup (2:1.0.1-14) unstable; urgency=low
[ Jonas Meurer ]
* added a configurable timeout option for interactive password
prompt. set the default timeout to 180 seconds in
/etc/default/cryptdisks, and documented the crypttab option in
the crypttab manpage. (closes: #328961)
* fixed the default "precheck" and "postcheck" options, currently
no useful precheck exists, so no default here.
* removed the dummy cryptsetup-luks package, ftpmaster complains
about it.
[ Michael Gebetsroither ]
* make small fixes to CryptoSwap.HowTo
* added postcheck for swap (closes: #342079)
-- Jonas Meurer <mejo@debian.org> Fri, 27 Jan 2006 12:59:10 +0100
cryptsetup (2:1.0.1-13) unstable; urgency=low
* split the "check" in a "precheck" and a "postcheck" option
- adds the possibility to check the source device before creating the
decrypted target device, useful for things like swap.
-- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 21:24:06 +0100
cryptsetup (2:1.0.1-12) unstable; urgency=low
* correctly parse options in cryptdisks (closes: #304399)
* remove the moduledir /usr/lib/cryptsetup from the deb, it's
empty anyway (closes: #334648)
* replace /usr/local/bin/delay with /bin/sleep in usbcrypto.mkinitrd
* cosmetical changes to /etc/crypttab
* add "check" and "retry" options to cryptdisks script,
thanks to A Mennucc <debdev@mennucci.sns.it>. (closes: #290626)
-- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 19:46:18 +0100
cryptsetup (2:1.0.1-11) unstable; urgency=low
* include sources although the debian revision is not -1
-- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 16:35:12 +0100
cryptsetup (2:1.0.1-10) unstable; urgency=low
* introduce an epoch to make upgrade happen
-- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 09:02:47 +0100
cryptsetup (1.0.1-9) unstable; urgency=low
* rename the package to cryptsetup, provide a dummy cryptsetup-luks package
* initial upload to debian
-- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 08:06:25 +0100
cryptsetup-luks (1.0.1-8) unstable; urgency=low
* use upstream tarball as orig.tar.gz and keep debian changes in diff.gz
* change to use dpatch
* adjust build environment to work with upstream sources, and without
autogen.sh
* merge fixes for debian scripts from cryptsetup.
* keep cryptsetup manpage untouched, as merging cryptsetup and
cryptsetup-luks manpages is rather complex.
* set mandir to /usr/share/man for configure
* add a lintian-override file
-- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 06:48:30 +0100
cryptsetup-luks (1.0.1-7) unstable; urgency=high
* make cryptsetup create work again (patch for lib/libdevmapper.c)
-- Michael Gebetsroither <michael.geb@gmx.at> Sat, 21 Jan 2006 14:39:36 +0100
cryptsetup-luks (1.0.1-6) unstable; urgency=low
* recompile for new libdevmapper
-- Michael Gebetsroither <michael.geb@gmx.at> Tue, 10 Jan 2006 15:10:17 +0100
cryptsetup-luks (1.0.1-5) unstable; urgency=low
* improved documentation for /etc/crypttab
-- Michael Gebetsroither <michael.geb@gmx.at> Mon, 7 Nov 2005 17:05:20 +0100
cryptsetup-luks (1.0.1-4) unstable; urgency=low
* added luks option for /etc/crypttab (thx to Fabian Thorns
<fabian@thorns.it> for the initial patch)
-- Michael Gebetsroither <michael.geb@gmx.at> Thu, 3 Nov 2005 19:22:59 +0100
cryptsetup-luks (1.0.1-3) unstable; urgency=low
* completly switched to luks upstream
-- Michael Gebetsroither <michael.geb@gmx.at> Thu, 11 Aug 2005 22:14:16 +0200
cryptsetup-luks (1.0.1-2) unstable; urgency=low
* fixed build dependencies
-- Michael Gebetsroither <michael.geb@gmx.at> Mon, 20 Jun 2005 22:30:38 +0200
cryptsetup-luks (1.0.1-1) unstable; urgency=low
* synced with luks upstream
-- Michael Gebetsroither <michael.geb@gmx.at> Mon, 20 Jun 2005 16:22:53 +0200
cryptsetup-luks (1.0-5) unstable; urgency=low
* fixed a small typo in the manpage
-- Michael Gebetsroither <michael.geb@gmx.at> Sat, 23 Apr 2005 11:06:31 +0200
cryptsetup-luks (1.0-4) unstable; urgency=low
* cleand source-tree for submitting a wishlist report into debian BTS
-- Michael Gebetsroither <michael.geb@gmx.at> Tue, 19 Apr 2005 18:44:13 +0200
cryptsetup-luks (1.0-3) unstable; urgency=low
* updatet dependencies (libdevmapper1.00 => libdevmapper1.01)
-- Michael Gebetsroither <michael.geb@gmx.at> Tue, 19 Apr 2005 13:51:10 +0200
cryptsetup-luks (1.0-2) unstable; urgency=low
* replaced original debian cryptsetup manpage with manpage from
cryptsetup-luks
-- Michael Gebetsroither <michael.geb@gmx.at> Sun, 3 Apr 2005 13:33:55 +0200
cryptsetup-luks (1.0-1) unstable; urgency=low
* new upstream release
-- Michael Gebetsroither <michael.geb@gmx.at> Sat, 2 Apr 2005 23:29:43 +0200
cryptsetup-luks (0.993-3) unstable; urgency=low
* fixed dependencis
-- Michael Gebetsroither <michael.geb@gmx.at> Sun, 13 Feb 2005 01:28:11 +0100
cryptsetup-luks (0.993-2) unstable; urgency=low
* fixed a few source problems
* fixed post/pre install scripts
-- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 16:18:07 +0100
cryptsetup-luks (0.993-1) unstable; urgency=low
* synced with luks upstream
-- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 15:50:21 +0100
cryptsetup-luks (0.992-5) unstable; urgency=low
* fixed a few problems in den debian source package
-- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 04:22:30 +0100
cryptsetup-luks (0.992-4) unstable; urgency=low
* debianized the package
* cleand up build system
-- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 00:12:43 +0100
cryptsetup-luks (0.992-3) unstable; urgency=low
* Fixed typo
-- Michael Gebetsroither <michael.geb@gmx.at> Fri, 11 Feb 2005 18:38:42 +0100
cryptsetup-luks (0.992-2) unstable; urgency=low
* Added note within description
-- Michael Gebetsroither <michael.geb@gmx.at> Fri, 11 Feb 2005 18:21:03 +0100
cryptsetup-luks (0.992-1) unstable; urgency=low
* "integrated LUKS" support (very messy hack)
-- Michael Gebetsroither <michael.geb@gmx.at> Thu, 10 Feb 2005 18:16:21 +0100
|