Skip to main content

Now, less cryptic - Cryptsetup changes in Saucy

Previously, whenever cryptsetup package was installed, its modules and utilities were unconditionally copied into initramfs. Making it quite large.

But there are legitimate use cases of installing cryptsetup, yet not needing it in the initramfs. One only needs cryptsetup in the initramfs if root filesystem or resume devices are encrypted.

I have therefore modified cryptsetup initramfs hooks to only include cryptsetup in the initramfs when necessary. I have tested multiple combinations and here is a small summary:

No cryptsetup in initramfs, when:

  • no encrypted devices present
  • non-rootfs filesystems are encrypted (e.g. /var/lib is encrypted)
  • swap is encrypted with random key file (i.e. non-persistent encrypted swap)
Cryptsetup is in initramfs, when:
  • rootfs is encrypted ( '/' )
  • swap is encrypted with a passphrase / key-file (i.e. can unlock & resume from hibernate)
  • CRYPTSETUP='y' option is specified in /etc/initramfs-tools/initramfs.conf
The last provision is for the case where one wants to generate an initrd on this machine, which will then be transferred to boot something else.


cryptsetup (2:1.4.3-4ubuntu4) saucy; urgency=low

  * debian/initramfs/cryptroot-hook:
    - Do not unconditionally include cryptsetup utils in the initramfs.
    - Do not include any modules or utils in the initramfs, unless
      rootfs/resume devices are encrypted or CRYPTSETUP is set to 'y' in
      the initramfs.conf configuration file.
 -- Dmitrijs Ledkovs Mon, 10 Jun 2013 16:25:46 +0100

Comments

Popular posts from this blog

How to disable TLS 1.0 and TLS 1.1 on Ubuntu

Example of website that only supports TLS v1.0, which is rejected by the client Overivew TLS v1.3 is the latest standard for secure communication over the internet. It is widely supported by desktops, servers and mobile phones. Recently Ubuntu 18.04 LTS received OpenSSL 1.1.1 update bringing the ability to potentially establish TLS v1.3 connections on the latest Ubuntu LTS release. Qualys SSL Labs Pulse report shows more than 15% adoption of TLS v1.3. It really is time to migrate from TLS v1.0 and TLS v1.1. As announced on the 15th of October 2018 Apple , Google , and Microsoft will disable TLS v1.0 and TLS v1.1 support by default and thus require TLS v1.2 to be supported by all clients and servers. Similarly, Ubuntu 20.04 LTS will also require TLS v1.2 as the minimum TLS version as well. To prepare for the move to TLS v1.2, it is a good idea to disable TLS v1.0 and TLS v1.1 on your local systems and start observing and reporting any websites, systems and applications that...

Ubuntu Livepatch service now supports over 60 different kernels

Linux kernel getting a livepatch whilst running a marathon. Generated with AI. Livepatch service eliminates the need for unplanned maintenance windows for high and critical severity kernel vulnerabilities by patching the Linux kernel while the system runs. Originally the service launched in 2016 with just a single kernel flavour supported. Over the years, additional kernels were added: new LTS releases, ESM kernels, Public Cloud kernels, and most recently HWE kernels too. Recently livepatch support was expanded for FIPS compliant kernels, Public cloud FIPS compliant kernels, and as well IBM Z (mainframe) kernels. Bringing the total of kernel flavours support to over 60 distinct kernel flavours supported in parallel. The table of supported kernels in the documentation lists the supported kernel flavours ABIs, the duration of individual build's support window, supported architectures, and the Ubuntu release. This work was only possible thanks to the collaboration with the Ubuntu C...

Swapfiles by default in Ubuntu

4MB RAM card By default, in Ubuntu, we usually create a swap partition. Back in the day of 4MB RAM cards this made total sense, as the ration of RAM to disk space, was still very low. Things have changed since. Server, desktop, embedded systems have migrated to newer generations of both RAM and persistent storage. On the high performance side of things we see machines with faster storage in the form of NVMe and SSD drives. Reserving space for swap on such storage, can be seen as expensive and wasteful. This is also true for recent enough laptops and desktops too. Mobile phones have substantial amounts of RAM these days, and at times, coupled with eMMC storage - it is flash storage of lower performance, which have limited number of write cycles, hence should not be overused for volatile swap data. And there are also unicorns in a form of high performance computing of high memory (shared memory) systems with little or no disk space. Today, carving a partition and reserving twice...