cryptsetup (2:2.7.0-1ubuntu4.2) noble; urgency=medium
* Refine proc mounts entries traversal (LP: #2054390)
- d/functions: Backport upstream commit 95fd4be9b4c6: d/functions:
get_mnt_devno(): Speed up execution time on large /proc/mounts.
-- Chengen Du <chengen.du@canonical.com> Thu, 14 Nov 2024 03:44:47 +0000
cryptsetup (2:2.7.0-1ubuntu4.1) noble; urgency=medium
* initramfs hook: Combine calls to manual_add_modules (LP: #2065180)
-- Benjamin Drung <bdrung@ubuntu.com> Mon, 01 Jul 2024 20:38:08 +0200
cryptsetup (2:2.7.0-1ubuntu4) noble; urgency=high
* No change rebuild against libssl3t64.
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 08 Apr 2024 16:37:57 +0200
cryptsetup (2:2.7.0-1ubuntu3) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 07:30:59 +0000
cryptsetup (2:2.7.0-1ubuntu2) noble; urgency=medium
* No-change rebuild against libssl3t64
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Mar 2024 17:36:38 +0000
cryptsetup (2:2.7.0-1ubuntu1) noble; urgency=medium
* Merge with Debian; remaining changes:
- Support zstd compressed modules for the self test.
- Compile-in support for a FIPS mode. LP #2032659
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
+ Move cryptsetup-initramfs back to cryptsetup's Recommends.
+ Do not build cryptsetup-suspend binary package on i386.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root
+ d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
+ d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.
- Fix cryptroot-* autopkgtests on Ubuntu. (LP #1983522)
+ debian/tests/utils/mock.pm: return from consume() function if select()
times out or fails
+ debian/tests/utils/cryptroot-common: fix apt source and kernel package
names for Ubuntu
+ debian/tests/cryptroot-sysvinit.d: use systemd-sysv init for Ubuntu
cryptroot-sysvinit package test
+ debian/tests/cryptroot-nested.d: fix cryptsetup-nested test, add
workaround for LP1831747 by adding a e2fsprogs dependency
+ debian/tests/initramfs-hook: fix test's initramfs layout for Ubuntu and
allow blowfish test use 64Mb of provisioned space (drop --size)
+ debian/tests/control: disable cryptdisks test
-- Matthias Klose <doko@ubuntu.com> Thu, 29 Feb 2024 14:13:21 +0100
cryptsetup (2:2.7.0-1) unstable; urgency=medium
* Upload to unstable.
* Revert "d/gbp.conf: Set ‘debian-branch = debian/experimental’."
* Revert "Use OpenSSL's own argon2 implementation" (since sid doesn't have
OpenSSL 3.2 yet).
* Revert "d/control: cryptsetup Depends: Bump minimum cryptsetup-bin version
to 2.7~."
* Revert "d/cryptsetup.lintian-overrides: Ignore ‘conflicts-with-version
cryptsetup-nuke-password’."
* Revert "d/cryptsetup.lintian-overrides: Remove unused overrides."
* Revert "/lib/cryptsetup/askpass: coordinated move to /usr for DEP17"
-- Guilhem Moulin <guilhem@debian.org> Mon, 26 Feb 2024 12:50:46 +0100
cryptsetup (2:2.7.0-1+exp) experimental; urgency=medium
* New upstream release.
[ Guilhem Moulin ]
* d/control: cryptsetup Depends: Bump minimum cryptsetup-bin version to 2.7~.
* d/control: Build-Depends: Replace pkg-config with pkgconf.
* d/cryptsetup-suspend.lintian-overrides: Remove alien tag.
* d/cryptsetup.lintian-overrides: Remove unused overrides.
* d/cryptsetup.lintian-overrides: Add override ‘conflicts-with-version
cryptsetup-nuke-password’.
* d/t/cryptroot-*: Fix DEP-8 tests with QEMU 8.2.
[ Helmut Grohne ]
* /lib/cryptsetup/askpass: coordinated move to /usr for DEP17.
(Closes: #1060270)
-- Guilhem Moulin <guilhem@debian.org> Mon, 26 Feb 2024 11:57:19 +0100
cryptsetup (2:2.7.0~rc1-1) experimental; urgency=medium
* New upstream release candidate.
* d/gbp.conf: Set ‘debian-branch = debian/experimental’.
* Add new DEP-8 test to check crypto backend flags. (And whether system
libargon2 is used.)
* Use OpenSSL's own argon2 implementation rather than libargon2. This drops
libargon2 from (Build-)Depends and bumps the minimum required OpenSSL
version to 3.2.
-- Guilhem Moulin <guilhem@debian.org> Wed, 20 Dec 2023 18:28:36 +0100
cryptsetup (2:2.7.0~rc0-2) experimental; urgency=medium
Rebuild for experimental.
-- Guilhem Moulin <guilhem@debian.org> Tue, 05 Dec 2023 21:11:42 +0100
cryptsetup (2:2.6.1-6ubuntu1) noble; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Support zstd compressed modules for the self test.
- Compile-in support for a FIPS mode. LP #2032659
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
+ Move cryptsetup-initramfs back to cryptsetup's Recommends.
+ Do not build cryptsetup-suspend binary package on i386.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root
+ d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
+ d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.
- Fix cryptroot-* autopkgtests on Ubuntu. (LP #1983522)
+ debian/tests/utils/mock.pm: return from consume() function if select()
times out or fails
+ debian/tests/utils/cryptroot-common: fix apt source and kernel package
names for Ubuntu
+ debian/tests/cryptroot-sysvinit.d: use systemd-sysv init for Ubuntu
cryptroot-sysvinit package test
+ debian/tests/cryptroot-nested.d: fix cryptsetup-nested test, add
workaround for LP1831747 by adding a e2fsprogs dependency
+ debian/tests/initramfs-hook: fix test's initramfs layout for Ubuntu and
allow blowfish test use 64Mb of provisioned space (drop --size)
+ debian/tests/control: disable cryptdisks test
-- Mate Kukri <mate.kukri@canonical.com> Wed, 03 Jan 2024 10:38:16 +0000
cryptsetup (2:2.6.1-6) unstable; urgency=medium
[ Kevin Locke ]
* cryptsetup-initramfs: Add support for compressed kernel modules.
(Closes: #1036049, #1057441)
[ Guilhem Moulin ]
* d/tests: Replace `passwd --delete` with `busybox passwd -d`.
* add_modules(): Change suffix drop logic to match initramfs-tools.
* Fix DEP-8 tests with kernels shipping compressed modules.
-- Guilhem Moulin <guilhem@debian.org> Tue, 05 Dec 2023 17:48:58 +0100
cryptsetup (2:2.7.0~rc0-1) experimental; urgency=medium
* New upstream release candidate 2.7.0:
+ Add support for (opt-in) hardware OPAL disk encryption.
+ plain mode: Set default cipher to aes-xts-plain64 and password hashing
to sha256. This is a backward incompatible change for plain mode when
relying on the defaults. It doesn't affect LUKS volumes. Defaults for
plain mode should not be relied upon anyway; for many releases the
Debian wrappers found in the ‘cryptsetup’ binary package spew a loud
warning when ‘cipher=’ or ‘hash=’ are not explicitly specified in the
crypttab(5) options of plain devices. The cryptsetup(8) executable now
issue such a warning as well.
+ Allow activation (open), luksResume, and luksAddKey to use the volume
key stored in a keyring.
+ Allow one to store volume key to a user-specified keyring in open and
luksResume commands.
* Update d/libcryptsetup12.symbols.
* Remove d/patches applied upstream.
* Update debian/* to reflect current cipher and hash for plain mode.
* d/tests: Replace `passwd --delete` with `busybox passwd -d`.
-- Guilhem Moulin <guilhem@debian.org> Wed, 29 Nov 2023 17:19:10 +0100
cryptsetup (2:2.6.1-5ubuntu1) noble; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Support zstd compressed modules for the self test.
- Compile-in support for a FIPS mode. LP #2032659
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
+ Move cryptsetup-initramfs back to cryptsetup's Recommends.
+ Do not build cryptsetup-suspend binary package on i386.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root
+ d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
+ d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.
- Fix cryptroot-* autopkgtests on Ubuntu. (LP #1983522)
+ debian/tests/utils/mock.pm: return from consume() function if select()
times out or fails
+ debian/tests/utils/cryptroot-common: fix apt source and kernel package
names for Ubuntu
+ debian/tests/cryptroot-sysvinit.d: use systemd-sysv init for Ubuntu
cryptroot-sysvinit package test
+ debian/tests/cryptroot-nested.d: fix cryptsetup-nested test, add
workaround for LP1831747 by adding a e2fsprogs dependency
+ debian/tests/initramfs-hook: fix test's initramfs layout for Ubuntu and
allow blowfish test use 64Mb of provisioned space (drop --size)
+ debian/tests/control: disable cryptdisks test
-- Mate Kukri <mate.kukri@canonical.com> Mon, 20 Nov 2023 09:50:25 +0000
cryptsetup (2:2.6.1-5) unstable; urgency=medium
[ Guilhem Moulin ]
* d/control: Drop cryptsetup-run transitional binary package.
(Closes: #1038285)
[ Michael Biebl ]
* cryptsetup-suspend-wrapper: Don't error out on missing
/lib/systemd/system-sleep directory, which was removed from the systemd
package. (Closes: #1050606)
-- Guilhem Moulin <guilhem@debian.org> Sun, 27 Aug 2023 12:24:57 +0200
cryptsetup (2:2.6.1-4ubuntu3) mantic; urgency=medium
* Support zstd compressed modules for the self test.
-- Andrea Righi <andrea.righi@canonical.com> Mon, 11 Sep 2023 15:05:35 +0000
cryptsetup (2:2.6.1-4ubuntu2) mantic; urgency=medium
* Compile-in support for a FIPS mode. LP: #2032659
-- Dimitri John Ledkov <dimitri.ledkov@canonical.com> Tue, 22 Aug 2023 16:06:53 +0100
cryptsetup (2:2.6.1-4ubuntu1) mantic; urgency=medium
* Merge with Debian unstable (LP: #2019292). Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
+ Move cryptsetup-initramfs back to cryptsetup's Recommends.
+ Do not build cryptsetup-suspend binary package on i386.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.
- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due to a restricted build environment
- Fix cryptroot-* autopkgtests on Ubuntu. (LP: #1983522)
+ debian/tests/utils/mock.pm: return from consume() function if select()
times out or fails
+ debian/tests/utils/cryptroot-common: fix apt source and kernel package
names for Ubuntu
+ debian/tests/cryptroot-sysvinit.d: use systemd-sysv init for Ubuntu
cryptroot-sysvinit package test
+ debian/tests/cryptroot-nested.d: fix cryptsetup-nested test, add
workaround for LP1831747 by adding a e2fsprogs dependency
+ debian/tests/initramfs-hook: fix test's initramfs layout for Ubuntu and
allow blowfish test use 64Mb of provisioned space (drop --size)
+ debian/tests/control: disable cryptdisks test
-- Vladimir Petko <vladimir.petko@canonical.com> Mon, 15 May 2023 09:55:25 +1200
cryptsetup (2:2.6.1-4) unstable; urgency=medium
* Backport upstream MR !498, see #1028250:
+ 7893c33d: Check for physical memory available also in PBKDF benchmark.
+ 6721d3a8: Use only half of detected free memory on systems without swap.
-- Guilhem Moulin <guilhem@debian.org> Thu, 20 Apr 2023 23:46:08 +0200
cryptsetup (2:2.6.1-3) unstable; urgency=medium
[ Guilhem Moulin ]
* initramfs hook: Fix copy_libgcc_argon2() on non merged-/usr systems.
(Closes: #1032518)
* Backport upstream MR !490, see #1028250:
+ 27f8e5c0: Try to avoid OOM killer on low-memory systems without swap
+ 899bad8c: Print warning when keyslot requires more memory than available
* d/t/initramfs-hook: Pass `-xdev` to `find "$INITRD_DIR"` in order to solve
a race condition in that autopkgtest.
[ Remus-Gabriel Chelu ]
* Add Romanian debconf templates translation. (Closes: #1031497)
-- Guilhem Moulin <guilhem@debian.org> Mon, 13 Mar 2023 23:43:50 +0100
cryptsetup (2:2.6.1-2) unstable; urgency=medium
* initramfs hook: Explicitly call copy_libgcc(). The recent libargon2-1
upgrade is built with glibc ≥2.34 hence no longer links libpthread. This
in turns means that initramfs-tool's copy_exec() is no longer able to
detect pthread_*() need and thus doesn't copy libgcc_s.so anymore. So we
need to do it manually instead. Closes: #1032221
-- Guilhem Moulin <guilhem@debian.org> Thu, 02 Mar 2023 05:01:53 +0100
cryptsetup (2:2.6.1-1ubuntu1) lunar; urgency=low
* Merge with Debian unstable (LP: #2004423). Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
+ Move cryptsetup-initramfs back to cryptsetup's Recommends.
+ Do not build cryptsetup-suspend binary package on i386.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.
- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due to a restricted build environment
- Fix cryptroot-* autopkgtests on Ubuntu. (LP: #1983522)
+ debian/tests/utils/mock.pm: return from consume() function if select()
times out or fails
+ debian/tests/utils/cryptroot-common: fix apt source and kernel package
names for Ubuntu
+ debian/tests/cryptroot-sysvinit.d: use systemd-sysv init for Ubuntu
cryptroot-sysvinit package test
+ debian/tests/cryptroot-nested.d: fix cryptsetup-nested test, add
workaround for LP1831747 by adding a e2fsprogs dependency
+ debian/tests/initramfs-hook: fix test's initramfs layout for Ubuntu and
allow blowfish test use 64Mb of provisioned space (drop --size)
+ debian/tests/control: disable cryptdisks test
-- Vladimir Petko <vladimir.petko@canonical.com> Mon, 13 Feb 2023 15:57:18 +1300
cryptsetup (2:2.6.1-1) unstable; urgency=medium
* New upstream bugfix release.
* d/README.Debian: Explicitly set cswap1's device type to 'plain'.
(Closes: #1025136)
* d/control: Update standards version to 4.6.2, no changes needed.
* d/clean: Add some gitignore(5)'d files. (Closes: #1026838)
* cryptgnupg-sc hook: Look terminfo file in /usr/share/terminfo in adition
to /lib/terminfo, see #1028202. (Closes: 1028234)
* d/copyright: Bump copyright years.
-- Guilhem Moulin <guilhem@debian.org> Fri, 10 Feb 2023 00:50:42 +0100
cryptsetup (2:2.6.0-2) unstable; urgency=low
* libcryptsetup-dev: Add 'Depends: libargon2-dev, libblkid-dev,
libdevmapper-dev, libjson-c-dev, libssl-dev, uuid-dev' to account for
libcryptsetup.pc's Requires.private. Closes: #1025054.
-- Guilhem Moulin <guilhem@debian.org> Tue, 29 Nov 2022 15:42:25 +0100
cryptsetup (2:2.6.0-1) unstable; urgency=low
* New upstream release 2.6.0.
-- Guilhem Moulin <guilhem@debian.org> Tue, 29 Nov 2022 01:20:38 +0100
cryptsetup (2:2.6.0~rc0-1) experimental; urgency=medium
* New upstream release candidate 2.6.0, introducing support for handling
macOS FileVault2 devices (FVAULT2). The new version of FileVault based on
the APFS filesystem used in recent macOS versions is currently not
supported: only the (legacy) FileVault2 format based on Core Storage and
HFS+ filesystem (introduced in MacOS X 10.7 Lion) is supported. Moreover
header formatting and changes are not supported; cryptsetup never changes
the metadata on the device.
Closes: #923513.
* Update d/copyright for 2:2.6.0~rc0-1.
* Ship cryptsetup-fvault2Dump(8) and cryptsetup-fvault2Open(8) to
cryptsetup-bin binary package.
* Update d/libcryptsetup12.symbols for 2:2.6.0~rc0-1.
* Add 'fvault2' flag to crypttab(5) to force detection of Apple's FileVault2
volumes.
* d/rules: Add new target execute_before_dh_auto_test so blhc ignores
compilations of tests/*.c.
* d/u/metadata: Set 'Security-Contact' upstream metadata field.
-- Guilhem Moulin <guilhem@debian.org> Sat, 19 Nov 2022 17:30:40 +0100
cryptsetup (2:2.5.0-6ubuntu3) lunar; urgency=medium
* Fix cryptroot-lvm autopkgtest on Ubuntu. (LP: #1983522)
- debian/tests/control: enable cryptroot-lvm
- debian/tests/utils/mock.pm: return from consume() function if select()
times out or fails
-- Vladimir Petko <vladimir.petko@canonical.com> Fri, 02 Dec 2022 15:53:42 +1300
cryptsetup (2:2.5.0-6ubuntu2) lunar; urgency=medium
* Fix cryptroot-* autopkgtests on Ubuntu. (LP: #1983522)
- debian/tests/utils/cryptroot-common: fix apt source and kernel package
names for Ubuntu
- debian/tests/cryptroot-sysvinit.d: use systemd-sysv init for Ubuntu
cryptroot-sysvinit package test
- debian/tests/cryptroot-nested.d: fix cryptsetup-nested test, add
workaround for LP1831747 by adding a e2fsprogs dependency
- debian/tests/control: disable cryptdisks, cryptroot-lvm due to CI
failures and update comments
- debian/tests/utils/mock.pm: fix cryptoroot-lvm test adding retries to the
suspend operation and consuming the console buffer before making
assertions. It still hangs in CI and requires further work.
- debian/tests/initramfs-hook: fix test's initramfs layout for Ubuntu and
allow blowfish test use 64Mb of provisioned space (drop --size)
-- Vladimir Petko <vladimir.petko@canonical.com> Fri, 02 Dec 2022 14:14:42 +1300
cryptsetup (2:2.5.0-6ubuntu1) lunar; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
+ Move cryptsetup-initramfs back to cryptsetup's Recommends.
+ Do not build cryptsetup-suspend binary package on i386.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.
- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due to a restricted build environment
- Disable failing Debian-tailored cryptroot-* autopkgtests
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 07 Nov 2022 08:36:38 -0800
cryptsetup (2:2.5.0-6) unstable; urgency=medium
* d/t/cryptroot-*: Mask systemd-firstboot.service.
* d/t/cryptroot-*: Use camel case for apt.conf(5) settings.
* d/t/cryptroot-*: _apt(): Sort apt.conf(5) settings.
* d/t/cryptroot-*: Honor apt_preferences(5) settings under autopkgtest.
* d/t/cryptroot-*: init: bind mount temporary filesystems to fix
autopkgtests with systemd 252. (Closes: #1022970)
-- Guilhem Moulin <guilhem@debian.org> Fri, 28 Oct 2022 19:30:14 +0200
cryptsetup (2:2.5.0-5) unstable; urgency=medium
* d/t/cryptroot-*: Bump setup timeout to 3600s so autopkgtests don't fail on
debci runners lacking KVM support.
-- Guilhem Moulin <guilhem@debian.org> Tue, 04 Oct 2022 20:01:50 +0200
cryptsetup (2:2.5.0-4) unstable; urgency=medium
* suspend.conf: Improve description and typofix.
* d/t/cryptroot-*: Fix race condition between creating new partition and
using them.
* d/t/cryptroot-*: Fail the test after a reasonable timeout.
(Closes: #1020714)
* d/t/cryptroot-*: setup_apt(): Add 'Identifier: Packages' to `apt-get
indextargets` filter.
* cryptsetup-suspend-wrapper: Explicitly disable udev support when resuming.
(Closes: #1020553)
* d/t/cryptroot-*: Pin versions for all packages in PKGS_EXTRA that are part
of src:cryptsetup.
-- Guilhem Moulin <guilhem@debian.org> Tue, 04 Oct 2022 01:14:30 +0200
cryptsetup (2:2.5.0-3) unstable; urgency=low
* d/t/cryptroot-*: Disable VGA card on the guest.
* d/t/cryptroot-*: Communicate with guests on /dev/hvc0 and remove
console=hvc0 from the kernel command line to get a noise-free channel.
* d/t/cryptroot-*: poweroff(): Use poweroff(8) not `echo o
>/proc/sysrq-trigger`.
* d/t/cryptroot-*: hibernate(): Use systemctl(1) not `echo disk
>/sys/power/state`.
* d/t/cryptroot-*: Use a separate logfile for each communication channel.
* Refactor d/t/utils/mock.pm and add QMP support; this adds 'Depends:
libjson-perl' to cryptroot-* autopkgtests.
* d/t/cryptroot-*: Use the QMP "quit" command to destroy guests early.
* d/t/cryptroot-*: Start getty on /dev/hvc0 only (not /dev/ttyS0) in
non-interactive mode.
* d/t/cryptroot-*: Remove console=tty0 from the kernel command line.
* d/t/cryptroot-*: Mask all timer units to avoid cluttering test
environments with background jobs.
* d/t/cryptroot-lvm: Also test cryptsetup-suspend (enter to and resume from
S3 state).
* d/t/cryptroot-*: Simplify login prompt regex.
* d/t/cryptroot-*: Use $' when consuming input buffers.
* Salsa CI: Include recipes/debian.yml.
* Salsa CI: Remove redundant variable RELEASE=unstable.
* Salsa CI: Re-enable autopkgtest job with partial coverage.
* cryptsetup-suspend-wrapper: Improve quoting.
* cryptsetup-suspend-wrapper: Use crypttab_find_entry()'s return status.
* d/copyright: Improve wording.
* d/copyright: Fix license for d/scripts/suspend/cryptsetup-suspend.c .
* Add license headers for d/scripts/suspend/*.
* Relicense own code from GPLv2+ to GPLv3+.
* cryptsetup-suspend-wrapper: Don't bindmount temporary filesystems.
* cryptsetup-suspend-wrapper: Improve $INITRAMFS_DIR detection and cleanup.
* cryptsetup-suspend-wrapper: Improve TODO comment.
* d/t/cryptroot-*: Add a network device in interactive mode.
* d/t/cryptroot-lvm: Test I/O on the root FS after wakeup to make sure the
device is not suspended.
* cryptsetup-suspend-wrapper: Harden chroot environment: mount ramfs
read-only and with the 'nodev' option, make it unbindable, and use a
restrictive root mode.
* initramfs hook: Remove duplicate unmangling.
* initramfs hook: populate_CRYPTO_HASHES(): Add missing call to
crypttab_parse_options().
* d/functions: crypttab_parse_options(): Always reset $CRYPTTAB_TYPE.
* cryptsetup-suspend-wrapper: Ignore $KEEP_INITRAMFS if a newer initrd is
detected.
* d/functions: resume_device(): Fix resuming by keyscript.
* d/functions: Refactor resume_device() and freeze_cgroups().
* cryptsetup-suspend-wrapper: Don't copy /lib/firmware if it already exists
in the initrd.
* cryptsetup-suspend-wrapper: Don't treat udevd specially as luksResume now
appears to work when udevd is still frozen.
* cryptsetup-suspend-wrapper: Populate ACTIVE_DEVICES via callback.
* cryptsetup-suspend-wrapper: Use FD3 to list remaining devices.
* d/t/utils/debootstrap: Strip colon and suffix from package (Pre-)Depends.
* d/t/utils/debootstrap: Remove obsolete comment and Pre-Depends.
* d/t/cryptroot-*: Manually create merged-/usr layout and install
usr-is-merged.
-- Guilhem Moulin <guilhem@debian.org> Sun, 18 Sep 2022 23:01:46 +0200
cryptsetup (2:2.5.0-2ubuntu1) kinetic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
+ Move cryptsetup-initramfs back to cryptsetup's Recommends.
+ Do not build cryptsetup-suspend binary package on i386.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root: (LP: #1830110)
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.
- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due to a restricted build environment
* Disable failing Debian-tailored cryptroot-* autopkgtests, see bug #1983522
-- Benjamin Drung <bdrung@ubuntu.com> Wed, 24 Aug 2022 00:56:28 +0200
cryptsetup (2:2.5.0-2) unstable; urgency=low
[ Matthias Klose ]
* Add support for 'noudeb' build profile. (Closes: #983318)
[ Christoph Anton Mitterer ]
* initramfs hook: align busybox check on klibc-utils's hook.
[ Benjamin Drung ]
* initramfs hook: Fix broken compatibility with OpenSSL3 when cryptsetup
needs legacy hashes (currently ripemd160 and whirlpool). (LP: #1979159)
[ Guilhem Moulin ]
* New DEP-8 test for crude checks of the initramfs hook.
* Minor changes to the legacy.so inclusion logic.
* DEP-8: Add checks for OpenSSL's legacy.so inclusion.
* d/rules: Inspect DEB_BUILD_* with $(filter ,) not $(findstring ,).
* initramfs boot script: Remove custom LVM handling. Since 2.03.15-1 lvm2
doesn't ship an initramfs boot script anymore and relies solely on udev
rules instead. We therefore don't have to manually activate LVs/VGs
anymore, but cryptsetup-initramfs now conflicts with earlier lvm2
versions. (Closes: #928943)
* Override lintian tag 'conflicts-with-version' given the above.
* initramfs hook: Don't overwrite crypttab(5) source to /dev/mapper/$NAME
for mapped devices. (Closes: #1016455)
* initramfs hook: Preserve crypttab source specifications and devices
starting with /dev/disk/by- or /dev/mapper/.
* d/README.initramfs: Improve section about cryptopts= kernel parameter.
* d/Debian.README: Mention that systemd masks /etc/init.d/cryptdisks.
(Closes: #1010708)
* Rename systemd_cryptsetup-suspend.conf to systemd/cryptsetup-suspend.conf.
* cryptsetup-suspend-wrapper: Fix grep calls in some corner cases such as
template cgroups.
* cryptsetup-suspend-wrapper: Avoid double slash in cgroup paths.
* cryptsetup-suspend-wrapper: Consolidate style.
* d/t/cryptroot-*: Relax the kernel.deb regex to account for release
candidates.
* d/t/cryptroot-*: Add more partition type GUIDs.
* d/t/cryptroot-*: Improve sources.list(5) generation.
* d/t/cryptroot-*: Make APT repository Origin and URI configurable.
* d/t/cryptroot-*: Start udevd before setting up the guest.
* d/t/cryptroot-*: Use a separate /run partition when bootstrapping.
* Run `chmod +x d/t/cryptdisks d/t/utils/init` for consistency.
* d/t/cryptroot-*.d/config: Remove 'cryptsetup' from PKGS_EXTRA as it's only
needed for cryptroot-sysvinit.
* d/t/cryptroot-sysvinit: Rename 'rootfs.key' keyfile to 'homefs.key' which
better describes the purpose of the keyfile.
* d/t/cryptroot-*: Replace /target with '$ROOT'.
* d/t/cryptroot-*: Rename 'testvg' Volume Group to 'cryptvg'.
* d/t/cryptroot-*: Add note about testing cryptsetup-suspend.
* d/t: Add convenience wrapper script for local cryptroot-* test runs.
* New DEP-8 test for LVM-on-MD-on-LUKS2 layout backed by 4 independently
encrypted partitions (all unlocked at initramfs stage).
* New DEP-8 test for a complex nested block device stack.
* Salsa CI: Disable autopkgtest job for now.
-- Guilhem Moulin <guilhem@debian.org> Tue, 09 Aug 2022 01:40:50 +0200
cryptsetup (2:2.5.0-1ubuntu1) kinetic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
+ Move cryptsetup-initramfs back to cryptsetup's Recommends.
+ Do not build cryptsetup-suspend binary package on i386.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root: (LP: #1830110)
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.
- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due to a restricted build environment
- Stop building the udeb on request.
* d/initramfs/hooks/cryptroot: Include OpenSSL legacy.so for ripemd160 and
whirlpool hash algorithms (LP: #1979159)
* Disable failing Debian-tailored cryptroot-* autopkgtests, see bug #1983522
-- Benjamin Drung <bdrung@ubuntu.com> Thu, 04 Aug 2022 12:30:02 +0200
cryptsetup (2:2.5.0-1) unstable; urgency=medium
* New upstream release. (Closes: #1000634, #1011128)
* d/copyright: Fix licence for tokens/ssh/cryptsetup-ssh.c.
* Remove patches applied upstream.
* Rename 'ssh-plugin-test' to 'ssh-test-plugin'.
* Add DEP-8 tests for cryptroot unlocking at early boot stage.
-- Guilhem Moulin <guilhem@debian.org> Fri, 29 Jul 2022 16:31:23 +0200
cryptsetup (2:2.5.0~rc1-3) experimental; urgency=medium
* DEP-8: Add 'Features: test-name=' in order to name inline tests.
* d/t/control: Add 'Restrictions: rw-build-tree' to upstream-testsuite.
* d/control: Remove cryptsetup-reencrypt from cryptsetup-bin package
description since the utility was removed upstream in v2.5.0-rc1.
* d/changelog: Retroactively correct 2:2.4.0~rc0-1+exp1 entry.
* Update d/patches with what's landed upstream since v2.5.0-rc1.
* d/patches, d/rules: Pass $(LDFLAGS) when building fake_token_path.so and
no longer silence blhc(1) for test files.
* Move SSH token plugin stuff into new binary package 'cryptsetup-ssh'.
That plugin is arguably not useful for everyone and we can save the
'Depends: libssh-4' on cryptsetup-bin by moving cryptsetup-ssh(8) and
libcryptsetup-token-ssh.so to a separate package. Since LUKS2 SSH token
support was added after the Bullseye release, and since it is still in
experimental stage, we don't let cryptsetup-bin or cryptsetup depend on
the new binary package. Users who need that feature will need to install
it manually.
-- Guilhem Moulin <guilhem@debian.org> Thu, 21 Jul 2022 20:41:20 +0200
cryptsetup (2:2.5.0~rc1-2) experimental; urgency=medium
* localtest: Treat skipped tests as failure for full coverage.
* d/watch: Add uversionmangle option for release candidates.
* unit-wipe-test: Skip DIO tests when the file system doesn't support
O_DIRECT. This is needed on the buildds where the source tree appears to
be on a tmpfs.
-- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jul 2022 20:49:13 +0200
cryptsetup (2:2.5.0~rc1-1) experimental; urgency=low
* New upstream release candidate 2.5.0. Highlights include:
+ Remove cryptsetup-reencrypt(8) executable, use `cryptsetup reencrypt`
instead (for both LUKS1 and LUKS2).
+ Split manual pages into per-action pages, for instance cryptsetup-open.8
which can be consulted with `man cryptsetup open`.
+ Add LUKS2 encryption removal support with `cryptsetup reencrypt
--decrypt`.
+ Preserve unknown metadata option (features implemented in more recent
cryptsetup releases) during reencryption.
* Salsa CI's deploy stage: Use a Bullseye image.
* Salsa CI's deploy stage: Use apt-get(8) not apt(8).
* Salsa CI's deploy stage: Replace `cp` with `install`.
* Salsa CI's reprotest job: Remove '--no-diffoscope' flag.
* Salsa CI's reprotest job: Update reason for running under 'nocheck' build
profile.
* d/README.source: Update text to reflect current practices.
* DEP-8: Run installed binaries and libraries through the full upstream test
suite (needs machine-level isolation).
* Retroactivately add NEWS.Debian for #949336.
* d/t/control: Add 'Depends: xxd' for 'Tests: cryptdisks' stanza.
* foreach_cryptdev(): Process each device *after* its slaves.
* do_stop(): Remove device holders beforehand. (Closes: #1006802)
* Fix space damage.
* d/u/metadata: Add FAQ URL.
* Refresh lintian overrides to accommodate lintian v2.115.
* d/control: New Build-Depends: asciidoctor (unless under 'nodoc' build
profile).
* d/cryptsetup.docs: Fix FAQ filename.
* Move usr/share/man/*/* glob to debian/*.manpages where it belongs.
* Update d/libcryptsetup12.symbols.
* Bump Standards-Version to 4.6.1 (no changes needed).
* Update d/copyright.
-- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jul 2022 01:49:59 +0200
cryptsetup (2:2.4.3-1ubuntu1) jammy; urgency=low
* Merge from Debian unstable (LP: #1959427). Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
+ Move cryptsetup-initramfs back to cryptsetup's Recommends.
+ Do not build cryptsetup-suspend binary package on i386.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root: (LP: #1830110)
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.
- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due to a restricted build environment
- Stop building the udeb on request.
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 28 Jan 2022 12:14:06 -0800
cryptsetup (2:2.4.3-1) unstable; urgency=high
[ Guilhem Moulin ]
* New upstream security release 2.4.3, with fix for CVE-2021-4122:
decryption through LUKS2 reencryption crash recovery. (Closes: #1003685,
#1003686)
* Remove cryptsetup-initramfs.preinst. (Closes: #1001063)
[ Christoph Anton Mitterer ]
* d/rules: don't expand here-document.
-- Guilhem Moulin <guilhem@debian.org> Thu, 13 Jan 2022 19:07:05 +0100
cryptsetup (2:2.4.2-1ubuntu4) jammy; urgency=medium
* Move cryptsetup-initramfs back to cryptsetup's Recommends (from Suggests).
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Thu, 09 Dec 2021 12:53:00 +1300
cryptsetup (2:2.4.2-1ubuntu3) jammy; urgency=medium
* Fix build on i386.
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Tue, 07 Dec 2021 13:17:48 +1300
cryptsetup (2:2.4.2-1ubuntu2) jammy; urgency=medium
* Do not build new cryptsetup-suspend binary package on i386.
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Tue, 07 Dec 2021 11:47:55 +1300
cryptsetup (2:2.4.2-1ubuntu1) jammy; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root: (LP: #1830110)
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message when
devices don't have a devno.
Submitted to debian upstream as bug #902449.
- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due a restrict environment in the new Bionic Builder (LP: #1891473)
tests/luks2-validation.test, tests/compat-test, tests/tcrypt-compat-test.
- Thanks Guilherme G. Piccoli.
- Stop building the udeb on request.
* Dropped change, included in Debian:
- Introduce retry logic for external invocations after mdadm (LP: #1879980)
- Currently, if an encrypted rootfs is configured on top of a MD RAID1
array and such array gets degraded (e.g., a member is removed/failed)
the cryptsetup scripts cannot mount the rootfs, and the boot fails.
We fix that issue here by allowing the cryptroot script to be re-run
by initramfs-tools/local-block stage, as mdadm can activate degraded
arrays at that stage.
There is an initramfs-tools counter-part for this fix, but alone the
cryptsetup portion is harmless.
- d/cryptsetup-initramfs.install: ship the new local-bottom script.
- d/functions: declare variables for local-top|block|bottom scripts
(flag that local-block is running and external invocation counter.)
- d/i/s/local-block/cryptroot: set flag that local-block is running.
- d/i/s/local-bottom/cryptroot: clean up the flag and counter files.
- d/i/s/local-top/cryptroot: change the logic from just waiting 180
seconds to waiting 5 seconds first, then allowing initramfs-tools
to run mdadm (to activate degraded arrays) and call back at least
30 times/seconds more.
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Thu, 02 Dec 2021 11:58:05 +1300
cryptsetup (2:2.4.2-1) unstable; urgency=high
* New upstream bugfix release 2.4.2.
* d/control: Replace Build-Depends on removed package libsepol1-dev with
libsepol-dev. (Closes: #999815)
* blkid/un_blkid checks: Ignore large offsets when converting from sectors
to bytes.
* crypttab(5): Formatting fix.
* Refresh d/copyright.
* Refresh lintian overrides to accommodate lintian v2.112.
-- Guilhem Moulin <guilhem@debian.org> Thu, 18 Nov 2021 17:15:08 +0100
cryptsetup (2:2.4.1-1) unstable; urgency=medium
[ Guilhem Moulin ]
* New upstream bugfix release 2.4.1.
* d/rules:
+ Use execute_after_dh_* from Debhelper compatibility level 13 when
relevant.
+ Skip documentation generation under nodoc profile.
+ Add new target execute_before_dh_auto_test so blhc ignores compilations
of tests/*.c.
* d/cryptsetup-initramfs.lintian-overrides: Refresh for lintian 2.107.0.
* crypttab(5):
+ Improve documentation about escape sequences.
+ Document that keyscript= can also take an absolute path.
(Closes: #994219)
+ Document that keyscript's exit status is ignored.
+ Various typo fixes and manpages improvements.
* initramfs: Add new hook configuration option ASKPASS=[Yn] to opt out from
askpass inclusion. (Closes: #994486)
* d/cryptsetup-initramfs.post*: Replace `which` with `command -v`.
* Merge debian/experimental branch and bring cryptsetup-suspend to sid.
* d/bash_completion: s/mawk/awk/. We're only using the POSIX subset so any
implementation should work. (Closes: #993374)
* Add DEP-8 tests for cryptdisks_start and cryptdisks_stop covering most of
d/functions and d/cryptdisks-functions. The testbed requires
'isolation-machine' restriction since we need to load kernel modules and
create loop devices.
* d/gbp.conf, d/watch: Explicitly use gzip compression.
[ Christoph Anton Mitterer ]
* d/functions: Export _CRYPTTAB_* to the keyscript's environment.
[ Lukas Schwaighofer ]
* initramfs: Honor activation/auto_activation_volume_list setting.
(Closes: #993725)
[ Thorsten Glaser ]
* blkid/un_blkid checks: Honor offset= option. (Closes: #994056)
-- Guilhem Moulin <guilhem@debian.org> Fri, 08 Oct 2021 14:27:03 +0200
cryptsetup (2:2.4.0-1+exp1) experimental; urgency=medium
* Upload to experimental.
* d/rules: Prefix /lib/systemd/system-shutdown/cryptsetup-suspend.shutdown
with /usr to fix FTBS with debhelper 13.4; see #992469.
-- Guilhem Moulin <guilhem@debian.org> Thu, 19 Aug 2021 22:55:02 +0200
cryptsetup (2:2.4.0-1) unstable; urgency=low
[ Guilhem Moulin ]
* New upstream release.
* Salsa CI: Set SALSA_CI_BLHC_ARGS to avoid failing when *test* files are
built without the "right" LDFLAGS.
* Remove obsolete upstart configuration files on upgrade and purge.
(Closes: #990490)
* d/*.{pre,post}*: Explicitly exit with status code 0.
* d/copyright: Set field Upstream-Name.
* d/control: Bump Standards-Version to 4.6.0 (no changes necessary).
* d/control: Remove cryptsetup-run from cryptsetup's Recommends.
(Closes: #987769)
* d/control: Demote cryptsetup-initramfs from cryptsetup's Recommends to
Suggests. This concludes the package split started in 2:2.0.3-1 during
the Buster release cycle.
[ Ayla Ounce ]
* Add support for --perf_* flags to initramfs.
-- Guilhem Moulin <guilhem@debian.org> Thu, 19 Aug 2021 03:11:11 +0200
cryptsetup (2:2.4.0~rc1-1+exp1) experimental; urgency=medium
* New upstream release candidate.
* d/copyright: Update file.
* d/cryptsetup.docs: Add upstream's README.md.
* d/TODO.md: Remove implemented `luksSuspend` integration.
-- Guilhem Moulin <guilhem@debian.org> Fri, 30 Jul 2021 02:37:32 +0200
cryptsetup (2:2.4.0~rc0-1+exp1) experimental; urgency=medium
* New upstream release candidate 2.4.0. Highlights include:
+ Support for external libraries (plugins) for handling LUKS2 token
objects.
+ Experimental SSH token handler and cryptsetup-ssh(8) utility (resp.
shipped in the 'cryptsetup' and 'cryptsetup-bin' binary packages) as a
demonstration of the external LUKS2 token interface. This adds
libssh-dev to build-depends.
+ Change default LUKS2 PBKDF to Argon2id from Argon2i.
+ Increase minimal memory cost for Argon2 benchmark to 64MiB (suggested
value in Argon2 RFC).
+ Autodetect optimal encryption sector size on LUKS2 format.
+ integritysetup: add integrity-recalculate-reset flag.
+ cryptsetup: retains keyslot number in luksChangeKey for LUKS2.
+ Add close --deferred and --cancel-deferred options.
-- Guilhem Moulin <guilhem@debian.org> Tue, 06 Jul 2021 10:18:17 +0200
cryptsetup (2:2.3.6-1+exp1) experimental; urgency=medium
* New upstream bugfix release. (Closes: #949336)
-- Guilhem Moulin <guilhem@debian.org> Fri, 28 May 2021 22:54:20 +0200
cryptsetup (2:2.3.6-0ubuntu2) jammy; urgency=medium
* No-change rebuild against openssl3
-- Simon Chopin <simon.chopin@canonical.com> Thu, 25 Nov 2021 14:22:07 +0200
cryptsetup (2:2.3.6-0ubuntu1) impish; urgency=medium
* New upstream release.
-- Matthieu Clemenceau <matthieu.clemenceau@canonical.com> Fri, 20 Aug 2021 11:32:12 +1200
cryptsetup (2:2.3.5-1+exp1) experimental; urgency=medium
* Upload to experimental.
-- Guilhem Moulin <guilhem@debian.org> Thu, 11 Mar 2021 23:36:01 +0100
cryptsetup (2:2.3.5-1) unstable; urgency=medium
* New upstream bugfix release. (Closes: #985581)
* d/watch: Monitor upstream tags rather than tarballs.
* d/gbp.conf: Set 'upstream-vcs-tag' to add upstream tag as additional
parent.
* Simplify d/README.source in accordance with the above.
* Rename d/upstream-signing-key.asc to d/upstream/signing-key.asc as uscan
is now able to verify git tags.
* encrypted-boot.md: Clarify how to solve double password prompt for the
device holding /boot.
* d/copyright: Update copyright year.
-- Guilhem Moulin <guilhem@debian.org> Fri, 02 Apr 2021 23:43:41 +0200
cryptsetup (2:2.3.4-2+exp1) experimental; urgency=medium
* Upload to experimental.
-- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 19:55:25 +0100
cryptsetup (2:2.3.4-2) unstable; urgency=medium
[ Guilhem Moulin ]
* d/control: Remove Build-Depends: dh-exec. In compatibility level 13
Debhelper supports variable expansion, which was why we used dh-exec in
the first place.
* libcryptsetup-dev: Install libcryptsetup.so to /lib/$DEB_HOST_MULTIARCH
not /usr/lib/$DEB_HOST_MULTIARCH (closes: #978585), and override
subsequent lintian warning per #843932.
* d/*.install: Replace wildcard with $DEB_HOST_MULTIARCH for consistency.
* d/cryptsetup.lintian-overrides: Rename "init.d-script-does-not-implement-
optional-option $FOO status" tags to "init.d-script-does-not-implement-
status-option $FOO".
* Bump Standards-Version to 4.5.1 (no changes necessary).
* d/cryptdisks-functions: Rename left-over loop_cryptdevs() to
foreach_cryptdev(). Regression from 2:2.3.0-1. (Closes: #974591)
* Initramfs boot script: Drop `lvm vgchange`'s --ignoreskippedcluster flag
which is now a no-op.
* Make d/cryptsetup-initramfs.preinst mangling idempotent.
* Rename Debian resp. upstream branch to debian/latest resp. upstream/latest
for DEP-14 compliance.
* Rename d/gitlab-ci.yml to d/salsa-ci.yml.
* Consolidate d/gbp.conf.
* cryptsetup-initramfs now requires initramfs-tools 0.137 or later and no
longer copies libgcc_s.so.1 to the initrd since recent initramfs-tools
take care of it.
* Add libcryptsetup.la to debian/not-installed.
[ Guilherme G. Piccoli ]
* Initramfs boot script: Fix a deadlock when cryptroot would wait at
local-top stage for a device to appear, while the device would only be
created at local-block stage. This can be the case in dm-crypt-over-MD
scenario when booting the RAID array in degraded mode. (Closes: #933059)
[ Felix C. Stegerman ]
* Fix typo in README.gnupg-sc
-- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 19:16:40 +0100
cryptsetup (2:2.3.4-1+exp1) experimental; urgency=medium
* Upload to experimental.
-- Guilhem Moulin <guilhem@debian.org> Fri, 04 Sep 2020 00:55:41 +0200
cryptsetup (2:2.3.4-1ubuntu3) hirsute; urgency=medium
* Stop building the udeb on request.
-- Matthias Klose <doko@ubuntu.com> Mon, 22 Feb 2021 12:10:36 +0100
cryptsetup (2:2.3.4-1ubuntu2) hirsute; urgency=medium
* No-change rebuild to drop the udeb package.
-- Matthias Klose <doko@ubuntu.com> Mon, 22 Feb 2021 10:30:38 +0100
cryptsetup (2:2.3.4-1ubuntu1) hirsute; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root: (LP #1830110)
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message when
devices don't have a devno.
Submitted to debian upstream as bug #902449.
- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due a restrict environment in the new Bionic Builder (LP #1891473)
tests/luks2-validation.test, tests/compat-test, tests/tcrypt-compat-test.
- Thanks Guilherme G. Piccoli.
- Introduce retry logic for external invocations after mdadm (LP #1879980)
- Currently, if an encrypted rootfs is configured on top of a MD RAID1
array and such array gets degraded (e.g., a member is removed/failed)
the cryptsetup scripts cannot mount the rootfs, and the boot fails.
We fix that issue here by allowing the cryptroot script to be re-run
by initramfs-tools/local-block stage, as mdadm can activate degraded
arrays at that stage.
There is an initramfs-tools counter-part for this fix, but alone the
cryptsetup portion is harmless.
- d/cryptsetup-initramfs.install: ship the new local-bottom script.
- d/functions: declare variables for local-top|block|bottom scripts
(flag that local-block is running and external invocation counter.)
- d/i/s/local-block/cryptroot: set flag that local-block is running.
- d/i/s/local-bottom/cryptroot: clean up the flag and counter files.
- d/i/s/local-top/cryptroot: change the logic from just waiting 180
seconds to waiting 5 seconds first, then allowing initramfs-tools
to run mdadm (to activate degraded arrays) and call back at least
30 times/seconds more.
* Dropped changes:
- Included in new upstream version:
- SECURITY UPDATE: Out-of-bounds write
- debian/patches/CVE-2020-14382-*.patch: check segment gaps regardless of
heap space in lib/luks2/luks2_json_metadata.c.
- CVE-2020-14382
- included in Debian:
- debian/cryptsetup-bin.install:
- Fix FTBFS due to dh_missing detecting crypsetup.conf in debian/tmp where
it was installed from ./scripts/crypsetup.conf.
- debian/rules:
- fix FTBFS on riscv64 adding --with-tmpfilesdir to ensure all archs, even
without systemd knows how to ship cryptsetup.conf
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Tue, 10 Nov 2020 10:37:25 +1300
cryptsetup (2:2.3.4-1) unstable; urgency=high
* New upstream bugfix release, including fix for CVE-2020-14382:
possible out-of-bounds memory write while validating LUKS2 data
segments metadata on 32-bits platforms. (Closes: #969471)
-- Guilhem Moulin <guilhem@debian.org> Fri, 04 Sep 2020 00:30:40 +0200
cryptsetup (2:2.3.3-3+exp3) experimental; urgency=medium
* d/control: Make cryptsetup-suspend explicitly depend on
initramfs-tools-core as we use unmkinitramfs(8) in the wrapper.
* systemd-suspend.service override: Set OOMScoreAdjust to -1000 to
disable OOM killing of processes of the unit. Thanks, ಚಿರಾಗ್.
(Closes: #968569)
* d/doc/cryptsetup-suspend.xml: Document that key material included in the
initramfs image will remain unencrypted (see #969286).
-- Guilhem Moulin <guilhem@debian.org> Mon, 31 Aug 2020 00:09:10 +0200
cryptsetup (2:2.3.3-3+exp2) experimental; urgency=medium
* d/control: Typofix in cryptsetup-suspend's long description.
(Closes: #968455)
* d/control: Make cryptsetup-suspend explicitly depend on kbd as we use
openvt(1) in the systemd-suspend.service override. (Closes: #969226)
* d/*: Run wrap-and-sort(1).
* d/scripts/suspend/cryptsetup-suspend-wrapper:
+ Parse /proc/meminfo in a single pass using shell builtins rather than
calling awk(1).
+ Use "/boot/initrd.img-$(uname -r)" as path to the initrd instead of
deriving it from the kernel command line. BOOT_IMAGE's value is
relative to the boot's loader viewpoint, which might differ from that of
the main system.
+ run_dir(): Prefer find(1)'s -execdir option over -exec.
+ Conditionally remove/copy firmware into the initramfs image.
(Closes: #969270)
* d/rules: Build our scripts with `-Wall -Werror`.
* d/cryptsetup-suspend.{postinst,postrm}: Call `systemctl daemon-reload`,
which appears to be needed on upgrades. (dh_installsystemd(1) doesn't
support overrides so we manually copy the snippet it would add.)
-- Guilhem Moulin <guilhem@debian.org> Sun, 30 Aug 2020 18:01:49 +0200
cryptsetup (2:2.3.3-3+exp1) experimental; urgency=medium
* Add new binary package 'crypsetup-suspend', which implements support
to luksSuspend LUKS devices before ACPI S3 system suspend.
+ See the cryptsetup-suspend(7) manpage for further information.
-- Jonas Meurer <jonas@freesources.org> Wed, 12 Aug 2020 21:29:31 +0200
cryptsetup (2:2.3.3-2) unstable; urgency=medium
[ Helmut Grohne ]
* d/control: Annotate Build-Depends with <!nocheck>. (Closes: #964092)
[ Guilhem Moulin ]
* d/rules: Build with `--with-tmpfilesdir` to force installing
usr/lib/tmpfiles.d/cryptsetup.conf instead of picking the source from
scripts/cryptsetup.conf. This fixes FTBS in environments containing
systemd. (Closes: #968250)
* Add 'bitlk' flag in crypttab(5) to force detection of Windows BitLocker
volumes. (Closes: #967853)
-- Guilhem Moulin <guilhem@debian.org> Wed, 12 Aug 2020 00:22:59 +0200
cryptsetup (2:2.3.3-1ubuntu6) groovy; urgency=medium
* Introduce retry logic for external invocations after mdadm (LP: #1879980)
- Currently, if an encrypted rootfs is configured on top of a MD RAID1
array and such array gets degraded (e.g., a member is removed/failed)
the cryptsetup scripts cannot mount the rootfs, and the boot fails.
We fix that issue here by allowing the cryptroot script to be re-run
by initramfs-tools/local-block stage, as mdadm can activate degraded
arrays at that stage.
There is an initramfs-tools counter-part for this fix, but alone the
cryptsetup portion is harmless.
- d/cryptsetup-initramfs.install: ship the new local-bottom script.
- d/functions: declare variables for local-top|block|bottom scripts
(flag that local-block is running and external invocation counter.)
- d/i/s/local-block/cryptroot: set flag that local-block is running.
- d/i/s/local-bottom/cryptroot: clean up the flag and counter files.
- d/i/s/local-top/cryptroot: change the logic from just waiting 180
seconds to waiting 5 seconds first, then allowing initramfs-tools
to run mdadm (to activate degraded arrays) and call back at least
30 times/seconds more.
-- Guilherme G. Piccoli <gpiccoli@canonical.com> Wed, 16 Sep 2020 17:35:59 -0300
cryptsetup (2:2.3.3-1ubuntu5) groovy; urgency=medium
* SECURITY UPDATE: Out-of-bounds write
- debian/patches/CVE-2020-14382-*.patch: check segment gaps regardless of
heap space in lib/luks2/luks2_json_metadata.c.
- CVE-2020-14382
* debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due a restrict environment in the new Bionic Builder (LP: #1891473)
tests/luks2-validation.test, tests/compat-test, tests/tcrypt-compat-test.
- Thanks Guilherme G. Piccoli.
-- Leonidas S. Barbosa <leo.barbosa@canonical.com> Wed, 09 Sep 2020 09:29:17 -0300
cryptsetup (2:2.3.3-1ubuntu4) groovy; urgency=medium
* No change rebuild against new json-c ABI.
-- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 28 Jul 2020 17:42:50 +0100
cryptsetup (2:2.3.3-1ubuntu3) groovy; urgency=medium
* debian/rules:
- fix FTBFS on riscv64 adding --with-tmpfilesdir to ensure all archs, even
without systemd knows how to ship cryptsetup.conf
-- Didier Roche <didrocks@ubuntu.com> Thu, 18 Jun 2020 11:44:50 +0200
cryptsetup (2:2.3.3-1ubuntu2) groovy; urgency=medium
* debian/cryptsetup-bin.install:
- Fix FTBFS due to dh_missing detecting crypsetup.conf in debian/tmp where
it was installed from ./scripts/crypsetup.conf.
* Fix warning and error when running on ZFS on root: (LP: #1830110)
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message when
devices don't have a devno.
Submitted to debian upstream as bug #902449.
-- Didier Roche <didrocks@ubuntu.com> Thu, 18 Jun 2020 10:12:10 +0200
cryptsetup (2:2.3.3-1ubuntu1) groovy; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 09 Jun 2020 10:40:32 -0700
cryptsetup (2:2.3.3-1) unstable; urgency=medium
[ Guilhem Moulin ]
* New upstream bugfix release.
* d/scripts/decrypt_derived: Remove useless call to `| tr -d '\n'`.
* d/control: Bump debhelper compatibility level to 13. Remove
debian/tmp/lib/$DEB_HOST_MULTIARCH/libcryptsetup.la as we don't install it
anywhere.
[ Rob Pilling ]
* d/scripts/decrypt_derived:
+ move an error message to standard error so it's not accidentally used as
a key
+ exit with a success code when successful
-- Guilhem Moulin <guilhem@debian.org> Thu, 04 Jun 2020 01:41:44 +0200
cryptsetup (2:2.3.2-1) unstable; urgency=medium
* New upstream release.
* debian/control: Set 'Rules-Requires-Root: no'.
* d/initramfs/hooks/cryptroot: Unconditionally copy 'ecb' kernel module
when the host CPU lacks AES-NI support. On such systems XTS needs ECB.
This is a work around for #883595 on kernels 4.10 and later.
(Closes: #959423)
-- Guilhem Moulin <guilhem@debian.org> Wed, 06 May 2020 16:22:01 +0200
cryptsetup (2:2.3.1-1ubuntu1) groovy; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 01 May 2020 07:07:58 -0700
cryptsetup (2:2.3.1-1) unstable; urgency=medium
* New upstream release.
* d/initramfs/hooks/cryptroot: Don't set unused variable LIBC_DIR.
-- Guilhem Moulin <guilhem@debian.org> Tue, 24 Mar 2020 02:07:07 +0100
cryptsetup (2:2.3.0-1) unstable; urgency=low
* New upstream release, introducing support for BitLocker-compatible
devices (BITLK format) used in Windows systems.
WARNING: crypttab(5) support for these devices is currently *experimental*
and requires blkid from util-linux >=2.33 (i.e., Buster or later). These
devices currently have no keyword to use in the 4th field (unlike 'luks'
or 'plain'), the device type is inferred from the signature instead.
* crypttab(5): Make the 4th field (options) optional so we don't have to
introduce a new keyword for each new device type. (That field is also
optional in the systemd implementation.) Other fields (dm target name,
source device, and key file) remain required.
* Install cryptdisks_{start,stop} bash completion scripts to the right
path/name so they are loaded automatically. This was no longer the case
since 2:1.7.0-1. (Closes: #949623)
* d/*.install: Replace tabs with spaces.
* d/cryptdisks-functions: Fix broken $FORCE_START handling. Since
2:2.0.3-2 the SysV init scripts' "force-start" option was no longer
overriding noauto/noearly. (Closes: #933142)
* Move some functions to d/function from the initramfs hook.
* SysV init scripts: skip devices holding the root FS and/or /usr during the
shutdown phase; these file systems are still mounted at this point so any
attempt to gracefully close the underlying device(s) is bound to fail.
(Closes: #916649, #918008)
* Bump Standards-Version to 4.5.0 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Wed, 04 Mar 2020 00:48:19 +0100
cryptsetup (2:2.2.2-3ubuntu2) focal; urgency=medium
* Depend on cryptsetup from cryptsetup-initramfs instead of the dummy
cryptsetup-run package. LP: #1864360.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 27 Feb 2020 00:16:14 -0600
cryptsetup (2:2.2.2-3ubuntu1) focal; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
-- Matthias Klose <doko@ubuntu.com> Mon, 10 Feb 2020 09:20:12 +0100
cryptsetup (2:2.2.2-3) unstable; urgency=high
* initramfs hook: Workaround fix for the libgcc_s's source location.
(Closes: #950628, #939766.) Fixing #950254 will provide a better
solution.
-- Guilhem Moulin <guilhem@debian.org> Tue, 04 Feb 2020 14:11:12 +0100
cryptsetup (2:2.2.2-2ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
-- Steve Langasek <steve.langasek@ubuntu.com> Sat, 01 Feb 2020 22:11:22 -0800
cryptsetup (2:2.2.2-2) unstable; urgency=medium
[ Guilhem Moulin ]
* d/initramfs/hooks/cryptroot: On initramfs images built with MODULES=dep,
include the IV generator found in the cipher specification when there is a
matching kernel module. On 5.4 kernels ESSIV isn't implemented in
dm_crypt anymore, but by a dedicated 'essiv' module which thus needs to be
available in order to unlock dm-crypt target using 'aes-cbc-essiv:sha256'.
Closes: #948593.
[ Debian Janitor ]
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
Repository-Browse.
-- Guilhem Moulin <guilhem@debian.org> Sat, 18 Jan 2020 20:53:19 +0100
cryptsetup (2:2.2.2-1ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 11 Nov 2019 22:07:44 -0800
cryptsetup (2:2.2.2-1) unstable; urgency=medium
* New upstream bugfix release.
* debian/control:
+ Add 'procps' to the Build-Depends since the upstream test suite uses
free(1).
+ Bump Standards-Version to 4.4.1 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Fri, 01 Nov 2019 19:32:36 +0100
cryptsetup (2:2.2.1-1ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 18 Oct 2019 15:14:29 -0700
cryptsetup (2:2.2.1-1) unstable; urgency=medium
* New upstream bugfix release.
* Remove d/patches, applied upstream.
-- Guilhem Moulin <guilhem@debian.org> Fri, 06 Sep 2019 13:28:55 +0200
cryptsetup (2:2.2.0-3ubuntu1) eoan; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Aug 2019 16:13:22 -0700
cryptsetup (2:2.2.0-3) unstable; urgency=medium
* Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702)
-- Guilhem Moulin <guilhem@debian.org> Mon, 26 Aug 2019 12:53:45 +0200
cryptsetup (2:2.2.0-2ubuntu1) eoan; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 25 Aug 2019 12:25:55 -0700
cryptsetup (2:2.2.0-2) unstable; urgency=medium
* debian/control: Add 'Multi-Arch: foreign' tag to the transitional dummy
package 'crytsetup-run'.
* debian/control, debian/compat: Bump debhelper compatibility level to 12.
* debian/rules: Remove dh_makeshlibs(1) override; debhelper 12.3's auto
detection feature subsumes our use of --add-udeb=. This fixes FTBFS with
debhelper 12.5.
-- Guilhem Moulin <guilhem@debian.org> Wed, 21 Aug 2019 22:45:12 +0200
cryptsetup (2:2.2.0-1ubuntu2) eoan; urgency=medium
* debian/initramfs/cryptroot-unlock: canonicalize executable paths.
Thanks to Paride Legovini <paride.legovini@canonical.com> for the patch.
LP: #1840752.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 20 Aug 2019 15:34:10 -0700
cryptsetup (2:2.2.0-1ubuntu1) eoan; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
compatibility.
-- Gianfranco Costamagna <locutusofborg@debian.org> Tue, 20 Aug 2019 14:21:34 +0200
cryptsetup (2:2.2.0-1) unstable; urgency=medium
* New upstream release 2.2.0. Highlights include:
+ New LUKS2 online reencryption extension, allowing reencryption of
mounted LUKS2 devices.
+ Optional global serialization lock for memory hard PBKDF, to workaround
situations when multiple devices are unlocked in parallel, possibly
exhausting memory and triggering the OOM killer. (Cf. #924560.)
+ Add integritysetup support for bitmap mode (Linux >=5.2).
+ Reduce keyslots area size in luksFormat when the header device is too
small.
* Remove d/patches, applied upstream.
-- Guilhem Moulin <guilhem@debian.org> Thu, 15 Aug 2019 09:31:55 +0200
cryptsetup (2:2.1.0-8) unstable; urgency=medium
* encrypted-boot.md:
+ Clarify partition layout.
+ encrypted-boot.md: New section 'Using a custom keyboard layout'.
* d/gbp.conf: New section [export-orig] mirroring [buildpackage].
* d/gitlab-ci.yml: Add 'publish' stage and make yamllint(1) happy.
* d/patches: Backport upstream commit c03e3fe8 so libcryptsetup's
crypt_keyslot_add_by_volume_key() also works a on LUKS2 header where all
bound key slots were deleted, like it does for LUKS1. (Closes: #934715)
-- Guilhem Moulin <guilhem@debian.org> Wed, 14 Aug 2019 16:34:23 +0200
cryptsetup (2:2.1.0-7) unstable; urgency=low
* debian/cryptsetup.NEWS: Mention the 'cryptsetup' and 'cryptsetup-run'
package swap.
* debian/control: Add 'cryptsetup-initramfs' to 'cryptsetup's Recommends:,
so upgrading systems pull it automatically on upgrade. (cryptsetup
<2:2.1.0-6 was a dummy transitional package depending on cryptsetup-run
and cryptsetup-initramfs.) Closes: #932643.
* debian/control: Add 'cryptsetup-run' to 'cryptsetup's Recommends. This
avoids it being removed by `apt upgrade --autoremove` from <2:2.1.0-6,
thus avoids the old cryptsetup-run's prerm script showing a scary (but
moot) warning. After upgrading the prerm script is gone and the package
can be removed without troubles, so we can get rid of it after Bullseye.
(Closes: #932625.)
* cryptsetup-initramfs: Add loud warning upon "prerm remove" if there are
mapped crypt devices (like for cryptsetup.prerm).
* Thanks to David Prévot for helping with the upgrade path!
-- Guilhem Moulin <guilhem@debian.org> Sun, 21 Jul 2019 21:21:10 -0300
cryptsetup (2:2.1.0-6) unstable; urgency=low
* debian/control:
+ Add 'Multi-Arch: foreign' tags to 'cryptsetup-bin' and 'crytsetup-run',
as binaries from these packages are architecture independent.
(Closes: #930115)
+ Add 'Build-Depends: jq, xxd' as the jq(1) and xxd(1) executables are
required for some upstream tests (skipped if the executables are not
found in $PATH).
+ Swap 'cryptsetup' and 'cryptsetup-run' packages: the former now contains
init scripts, libraries, keyscripts, etc. while the latter is now a
transitional dummy package.
+ Remove obsolete cryptsetup.maintscript.
+ Bump Standards-Version to 4.4.0 (no changes necessary).
* debian/*:
+ Fix path names for /usr/share/doc/cryptsetup*/**. (Closes: #904916).
+ Remove compatibility warnings regarding setting 'CRYPTSETUP' in
the initramfs hook configuration. The variable is no longer honored,
and cryptsetup is always integrated to the initramfs when the
'cryptsetup-initramfs' package is installed.
* debian/doc/pandoc/encrypted-boot.md: Minor refactoring.
* debian/gitlab-ci.yml: Adapt pandoc flags to Debian 9 (pass '-S').
* debian/initramfs/conf-hook: Clarify that KEYFILE_PATTERN isn't expanded
for crypttab(5) entries with a 'keyscript=' option. (Closes: #930696)
* debian/doc/crypttab.xml: Point to README.initramfs in the "See Also"
section. (Closes: #913233)
-- Guilhem Moulin <guilhem@debian.org> Sat, 20 Jul 2019 22:15:04 -0300
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog cryptsetup-initramfs`.
Generated by dwww version 1.16 on Mon Dec 15 21:02:37 CET 2025.