XPost: linux.debian.maint.boot

On 14/01/2025 at 08:53, Pascal Hambourg wrote:

On 14/01/2025 at 02:51, Dave wrote:

(Possible dupe of 1092968)

I installed Debian testing from a live CD.
During the installation process, I set up 2 encrypted partitions:
- btrfs on LVM on LUKS for the root file system
- swap on an encrypted partition with a random key

(...)

The encrypted partition for the root file system correctly prompted
for the passphrase when booting, and worked completely normally.

(...)

systemd-cryptsetup package should be installed.

systemd-cryptsetup is a new package split from systemd. systemd
recommends it but it may not be available when the base system is
installed and/or recommends are ignored.

systemd-cryptsetup is included in netinst images but d-i does not
install it. I guess Recommends: are ignored by debootstrap.

I am quite puzzled how the resulting system was able to decrypt one
partition, but not the other.

The LUKS volume containing the root filesystem is decrypted by the
initramfs which does not need systemd-cryptsetup.

systemd-cryptsetup is required to open encrypted volumes other than
those which are already opened by the initramfs (/, /usr, hibernation
swap). I believe this bug should be fixed before Trixie release so added
it to the wiki wishlist.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.boot

Hi,

Pascal Hambourg <pascal@plouf.fr.eu.org> (2025-05-24):

systemd-cryptsetup is included in netinst images but d-i does not
install it. I guess Recommends: are ignored by debootstrap.

kibi@tokyo:~/debian-installer/packages/debootstrap (master =)$ git grep Recommends
debian/changelog: * rules,control: adjust Recommends/Suggests to be appropriate on each
debian/changelog: * upgrade wget from Recommends to Depends, closes: #126799
debian/control:Recommends: sopv | sqv | gpgv, mount, ${debootstrap:Recommends}
debian/rules: dh_gencontrol -- -Vdebootstrap:Recommends='$(RECOMMENDS)' -Vdebootstrap:Suggests='$(SUGGESTS)'

The LUKS volume containing the root filesystem is decrypted by the initramfs which does not need systemd-cryptsetup.

systemd-cryptsetup is required to open encrypted volumes other than those which are already opened by the initramfs (/, /usr, hibernation swap). I believe this bug should be fixed before Trixie release so added it to the wiki wishlist.

Looking around, it seems we have many places using cryptsetup, very
likely via cryptsetup-udeb that's pulled by various packages:

Reverse Depends:
partman-crypto-dm,cryptsetup-udeb
cryptsetup-udeb:arm64,cryptsetup-udeb
rescue-mode,cryptsetup-udeb

And I'm only spotting one place where cryptsetup makes its way into
/target, via partman-crypto's finish.d/crypto_aptinstall:

if grep -q " device-mapper$" /proc/misc; then
# We can't check the root node directly because root could be
# on an LVM LV on top of an encrypted device
if type dmsetup >/dev/null 2>&1 && \
dmsetup table | cut -d' ' -f4 | grep -q "crypt" 2>/dev/null; then
apt-install cryptsetup-initramfs || true
fi
fi

If we were to pull systemd-cryptsetup in the mix, should there by any restrictions/checks before deciding to do so?

How are things between systemd-cryptsetup and cryptsetup itself? Is that
a peaceful cohabitation/cooperation, or is that going to look like some competition, with race conditions and the like?

Looping in both maintainers for input.


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmgx6K8ACgkQ/5FK8MKz VSCR/g/9HXYnyjbpOxH6at5H1OOLEULnXWYPolFruRj2BFtCEhgr5HxECI0LWGZ8 DhodN5h2QB6omQDU55egsHRU1WSMuCTtaK+S1SUj42V3r0/LNSxab0HtsHYfVrBM BTiV1Xd4pVmCbi/59SgoUew+qc9SfzrhJ+ngzTIQr4hs8HVq2ZHnU7B8/IDvnFPO wXwjXNRwkRNheMHaO7YpZXjVAhhoVvOyhHv1q17poUZnduIRPSJYcIf9BvI38La3 0E7WFA4z9ha3ZRJeYGp9lBt0+FS06q96R264lEUchbn39I2JZCenXQU7oj9QrTDM ngkIxtyRrNKU08aU9fnFUkAhRqwYEnrF/h0gt0Fk2PmpsrkvSus1N6QAGgrE6gt7 1c3YrhFPKbpJv5VkiG+hjPzDBCjDbJ1zWoZklgxuY9kNMIIayr6uCnNWH2T0oh6w jKevsXhEVkp49Ihds09cPm1pJhAKVR4T+qNxYlGky//8f9kvDDoyPeSz44v5A7KX Rl5ety7ACtM2DOpvvXVciDOAS2X58CtuRF4gyAlV9qt6pnoemKT0WFa8/IZ0NDpZ qWN5XLGJY70wb5G6i2jh4mpu2HILpFh2mJlBZ7g6qS7DiUZAz3+tI/cnEJz26o/1 ySOO1kUqHGDw0HY0Va/ay1m81eYGvr5Hp8OdPoZQwYHkJ43TB4M=
=U1M1
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

XPost: linux.debian.maint.boot

Hi,

On Sat, 24 May 2025 at 17:41:42 +0200, Cyril Brulebois wrote:

And I'm only spotting one place where cryptsetup makes its way into
/target, via partman-crypto's finish.d/crypto_aptinstall:

if grep -q " device-mapper$" /proc/misc; then
# We can't check the root node directly because root could be
# on an LVM LV on top of an encrypted device
if type dmsetup >/dev/null 2>&1 && \
dmsetup table | cut -d' ' -f4 | grep -q "crypt" 2>/dev/null; then
apt-install cryptsetup-initramfs || true
fi
fi

If we were to pull systemd-cryptsetup in the mix, should there by any restrictions/checks before deciding to do so?

IMHO an ideal fix would be to install cryptsetup-initramfs only when
some device needs to be unlocked by initramfs-tools, and only install systemd-cryptsetup if there are remaining encrypted devices.

I recall suggesting that before in https://bugs.debian.org/930228 , but apparently never opened a follow-up bug to track that let alone suggest
a patch for it… Anyway that's probably too late at this point of the
release cycle.

AFAIK d-i won't allow setting up a system *requiring* systemd-cryptsetup
out of its menu, so perhaps echoing systemd's NEWS entry in the release
notes would be enough? If not, then installing systemd-cryptsetup
alongside cryptsetup-initramfs would solve the issue (after all systemd's cryptsetup integration used be included in the systemd binary package up
to bookworm).

How are things between systemd-cryptsetup and cryptsetup itself? Is that
a peaceful cohabitation/cooperation, or is that going to look like some competition, with race conditions and the like?

I have both installed on many systems and AFAIK they cohabit well.
cryptsetup's init scripts are inert and takes care of unlocking
remaining devices past initramfs stage.

--
Guilhem.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmgx9x8ACgkQ05pJnDwh pVJDXg//fszTMkc06GRZ4IIJf5f62pkPLKmJBfs/duQepat2drH76HLfGiCzQstQ QNV1LtfAzFuTkfUS9C44jV8iitoVAtYx2EgyUm09r5PVdRJEK9oIluDC+gD7H+BI PQVqLFhvcv9VKipg/yRVIJE9webTJBTq5PIEPv5pl2btL7JPGAmysVM40th+biuf V/CGjjTdSS8Pqxrb3HbU9e/fdsPnUL/mPW5XAn++cy3k4tDzPjyWWUQp7CexQs15 odzqn/9/QFS+4tR3qudy6aE76WnMscon9dA/RT35QVM3y1XJ29HF9s5l6jA/2u0O SjUVFf8gsuwYvdDDaX+S/2nckXj2vVbyCfT7nzeTsFv/TRuLNjMX0guApTCEMccx 32593i1Q50+vLqmaPAWhYlfNlr4R2I2pw2UEmZTJqK5vm/8ECYTcOmv3GhEsxNbq v3QWTjo0lbfmaZrfJ846kl0min1/TGqWywx2LdZnwPg+Pc79M0vLdZSy8c+Xt/5g TA4UZmUUOYJSev0i09UtrbTnsBmaIHlyZHWcNBGfo59/ylfPNNoTQF16SKL5481y nAkds4Xvh+hrqI04qFarwCpbWj4PC20qO31olxjrCq4qOw2vwOE0w4WLetFnh+lF s++ljm69cD/7P0XDUulRuLo6lzqQBxIwDgVZtn3PPXIqOvF+698=
=OZsx
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.boot

Salut Guilhem,

Guilhem Moulin <guilhem@debian.org> (2025-05-24):

IMHO an ideal fix would be to install cryptsetup-initramfs only when
some device needs to be unlocked by initramfs-tools, and only install systemd-cryptsetup if there are remaining encrypted devices.

I recall suggesting that before in https://bugs.debian.org/930228 , but apparently never opened a follow-up bug to track that let alone suggest
a patch for it… Anyway that's probably too late at this point of the release cycle.

I'd be a little reluctant to add smart stuff at this stage, since such
things might need some iterations to get it right.

AFAIK d-i won't allow setting up a system *requiring* systemd-cryptsetup
out of its menu, so perhaps echoing systemd's NEWS entry in the release
notes would be enough? If not, then installing systemd-cryptsetup
alongside cryptsetup-initramfs would solve the issue (after all systemd's cryptsetup integration used be included in the systemd binary package up
to bookworm).

The status quo isn't ideal, we get very vocal users doing advanced
stuff and complaining loudly that it doesn't work. That doesn't make
me want to dive into the specifics, quite the contrary…

In any case, documentation is unlikely to be seen as enough, and if
installing both package side by side (possibly within the same set of
tests for simplicity's and consistency's stake?), that would work for
me…

I have both installed on many systems and AFAIK they cohabit well. cryptsetup's init scripts are inert and takes care of unlocking
remaining devices past initramfs stage.

… especially if you're familiar with their apparent peaceful
cohabitation.

Thanks for your input!


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmgx/DsACgkQ/5FK8MKz VSAwxw//cChu58vjNupDXs313iGq/W/79+SwhPwpvOCfVmw6fL+hQESLzwkA386T OmnxTBrsfAazLatZ8o2SfhbQej1WWGGEGNVrnJjyunCQuRvzntSP2yhrbArkFQFG 4/LFpM61bUYAhVSUjH3kDtf4/MY/1oaJGE9QiRFGHhhMRvH0A3hqbI9Khf6uLqVX dGKFacoKns0DBa2JtEfKt+J4yMXCBejf99+hZ8/YR7jqPXVF0nm7VopEKe05BWiu f7W6Of5mz1+SlLZeolD3beISpMmvhj/W0HSiHHBPi/VQaZGNUXzQbj8EUIcFXKoB SIBBWvKHsVaI0imHtltXTSEFM9EC2k3sbP3+qvpB7bf3vYlnzQZxJzMu61ikciFb QPOvFFRBo4/cHcgBffpwqh9VgMwjuz0Id1sRfJFwOBM1Eh1JK4QqZ2viIg/AcdUS Dlgybk9QCUZNV6RvoCcnAjYHAchXX5pzyKjxIIkEVB0j+6hg/9NS9A1wJN78jH9o qt3MZ0vy71GFpci+bVGlyFUx/7uvmd0auQUCJSgOFMQ+nYnLaH/9myMapvhb29nr GoNRbdoyiF5Gkmyf2kjXIQvLwOPIWP4Eup5ZL0J0kF9twDrj2LeP29DBT4B7jZyc KojRtwxZGh2GhXs5AX6+SudJ7INF4n0BhxDXH1FEFL8b6uJNwUA=
=VSoX
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

XPost: linux.debian.maint.boot

On 24/05/2025 at 18:43, Guilhem Moulin wrote:

On Sat, 24 May 2025 at 17:41:42 +0200, Cyril Brulebois wrote:

If we were to pull systemd-cryptsetup in the mix, should there by any
restrictions/checks before deciding to do so?

Is tweaking d-i to not install systemd at all (like Devuan) a supported
use case ?

IMHO an ideal fix would be to install cryptsetup-initramfs only when
some device needs to be unlocked by initramfs-tools, and only install systemd-cryptsetup if there are remaining encrypted devices.

It depends which criteria are used to define "ideal", e.g. minimal set
of installed packages vs maximum versatility.

Queuing cryptsetup-initramfs was convenient because it pulled all other cryptsetup packages at once.

AFAIK d-i won't allow setting up a system *requiring* systemd-cryptsetup
out of its menu

I just did it with manual partitioning, not "out of its menu".
Create an encrypted volume and use it as /home, /srv or whatever is not
mounted in the initramfs.

How are things between systemd-cryptsetup and cryptsetup itself? Is that
a peaceful cohabitation/cooperation, or is that going to look like some
competition, with race conditions and the like?

I have both installed on many systems and AFAIK they cohabit well. cryptsetup's init scripts are inert

They are masked by systemd. I tried to unmask them but the passphrase
prompt is not displayed.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.boot

Pascal Hambourg <pascal@plouf.fr.eu.org> (2025-05-24):

On 24/05/2025 at 18:43, Guilhem Moulin wrote:

On Sat, 24 May 2025 at 17:41:42 +0200, Cyril Brulebois wrote:

If we were to pull systemd-cryptsetup in the mix, should there by
any restrictions/checks before deciding to do so?

Is tweaking d-i to not install systemd at all (like Devuan) a
supported use case ?

If people feel strongly about their init system, they can do whatever
they want to obtain a system they like. I don't see why we would care
about that for them.

IMHO an ideal fix would be to install cryptsetup-initramfs only when
some device needs to be unlocked by initramfs-tools, and only
install systemd-cryptsetup if there are remaining encrypted devices.

It depends which criteria are used to define "ideal", e.g. minimal set
of installed packages vs maximum versatility.

Queuing cryptsetup-initramfs was convenient because it pulled all
other cryptsetup packages at once.

I'm not sure when you showed up but there's been some back and forth on
that topic, with package splits and replits in different ways over the
last few release cycles.

AFAIK d-i won't allow setting up a system *requiring* systemd-cryptsetup out of its menu

I just did it with manual partitioning, not "out of its menu".
Create an encrypted volume and use it as /home, /srv or whatever is not mounted in the initramfs.

How are things between systemd-cryptsetup and cryptsetup itself? Is that a peaceful cohabitation/cooperation, or is that going to look like some competition, with race conditions and the like?

I have both installed on many systems and AFAIK they cohabit well. cryptsetup's init scripts are inert

They are masked by systemd. I tried to unmask them but the passphrase
prompt is not displayed.

So that was with current d-i, and not resorting to dropping to a shell
and doing nasty things behind its back? Things don't work out of the
box? But does that start working if you additionally install systemd-cryptsetup? If so, without any additional configuration?

(I'm not too afraid of the extra dependencies — already there — if we
were to pull this package “blindly” alongside cryptsetup, but the amount
of extra systemd targets and possible complexity doesn't make me
confident about being able to sort things out if some problems start
popping up after we start doing that. After all, we're just weeks away
from the release, it doesn't leave a lot of time to debug regressions or
just walk back…)


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmgyCWYACgkQ/5FK8MKz VSDAjhAAi5si9I13rOGn4GwfhMJoM/Z2Lk84cIaG4tgRBu28ixdYoDQ2piHIwyhe fUQ4cgPxdtbxQxpdLCrcCj75m/FIGQ9yOaydGZesUwyMA82LVW9OktXnZUL/kBUP kbb1RJqKSTIUzf1+gdM4rdrfN3ETyqrVh48rlZBEwtByKc6HP0OzO/dvhGiIlTSH 0Osu3LtVIvIXtiwf5cUqb/eOHTwvzIf4WIf2M+6HODPRmnzAdZuFxeaGrA+RaLIQ yXvtGAoK9jvWWVN4j2mQa6nFyq/Dh7y4Kujt1RpcrTCSna1NzZ//pQBcfjix0a1l jMmQrTBmXpnF9DXotlecHYFOjRKNTsdUOaxK3N9gn2wscOTZvdoL+Ed9Qapf6jLf s6NXitq9FkjRnz7CKN+Ie0cWhAEjXLD+0hVyguTEO4wkPYEEwNxT8d/YRlqtF4BG U0532ocWcWsKtdffAZ0Ljyl1esWZqUiWHvuERGlHc9uyOu/UxxG6696JhIeSwtIj X1XrbkL0rANLwF129oPnKIhSH1Zv7JFymH5ZDSjMdvUBlLXm42zXoX5m/beuuHjs NV1SGEp8zNklKSUJ/M3URfNvdf5YFGxf0qfNdLehMAr+204iOHMPnHJisAswcLAr T94GqoqaPGKi1XnURHyEPYtOkHmnIElGs1TqQrkacibuG371fJc=
=kg2m
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

XPost: linux.debian.maint.boot

On 24/05/2025 at 20:01, Cyril Brulebois wrote:

Pascal Hambourg <pascal@plouf.fr.eu.org> (2025-05-24):

On 24/05/2025 at 18:43, Guilhem Moulin wrote:

On Sat, 24 May 2025 at 17:41:42 +0200, Cyril Brulebois wrote:

If we were to pull systemd-cryptsetup in the mix, should there by
any restrictions/checks before deciding to do so?

Is tweaking d-i to not install systemd at all (like Devuan) a
supported use case ?

If people feel strongly about their init system, they can do whatever
they want to obtain a system they like. I don't see why we would care
about that for them.

Just asking, in case Dabian had some policy about Debian derivatives.

Queuing cryptsetup-initramfs was convenient because it pulled all
other cryptsetup packages at once.

I'm not sure when you showed up but there's been some back and forth on
that topic, with package splits and replits in different ways over the
last few release cycles.

I subscribed to debian-boot in 2021.

AFAIK d-i won't allow setting up a system *requiring* systemd-cryptsetup >>> out of its menu

I just did it with manual partitioning, not "out of its menu".
Create an encrypted volume and use it as /home, /srv or whatever is not
mounted in the initramfs.

(I assume your next question was about this part of the quote, so
cutting the rest)

So that was with current d-i, and not resorting to dropping to a shell
and doing nasty things behind its back? Things don't work out of the
box? But does that start working if you additionally install systemd-cryptsetup? If so, without any additional configuration?

Boot with debian-trixie-DI-rc1-amd64-netinst.iso, expert install, no
hack in the shell, encrypted /home using only regular menus -> installed
system boot: no passphrase prompt, fallback to emergency shell. Install systemd-cryptsetup -> it works without any additional configuration.

(I'm not too afraid of the extra dependencies — already there — if we were to pull this package “blindly” alongside cryptsetup, but the amount of extra systemd targets and possible complexity doesn't make me
confident about being able to sort things out if some problems start
popping up after we start doing that. After all, we're just weeks away
from the release, it doesn't leave a lot of time to debug regressions or
just walk back…)

Quoting Guilhem, "after all, systemd-cryptsetup used to be included in
the systemd binary package up to bookworm".

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.boot

Pascal Hambourg <pascal@plouf.fr.eu.org> (2025-05-24):

I subscribed to debian-boot in 2021.

OK. :)

Boot with debian-trixie-DI-rc1-amd64-netinst.iso, expert install, no
hack in the shell, encrypted /home using only regular menus ->
installed system boot: no passphrase prompt, fallback to emergency
shell. Install systemd-cryptsetup -> it works without any additional configuration.

OK, thanks for confirming. I'm not sure if the logic around the cryptsetup-initramfs installation did or would pick up that use case.
Was cryptsetup-initramfs installed?

I'm not sure how to best spot the need for systemd-cryptsetup in those
cases, I'm really just familiar with the usual guided encrypted LVM
scenario… If someone wants to propose some logic, I'm all ears.

What do /etc/fstab and /etc/crypttab look like?

Quoting Guilhem, "after all, systemd-cryptsetup used to be included in
the systemd binary package up to bookworm".

Sure, tbut hat doesn't mean I want to compare what used to be bundled into systemd in a previous version, and the new contents of systemd-cryptsetup
after the split. systemd and related packages tend to move fast, sometimes breaking things, hence my erring on the side of caution. Guilhem's initial feedback is more than appeasing there of course.


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmgyGw0ACgkQ/5FK8MKz VSAEmxAAiIyoePNQVfmVm47Vga9NDwYto1pPGI7Yvdb+elihwJA9Jiz1Q4sACvfV RBCzwJgBNEzbU0vEXIWBXIl01/DYMUAUe7FAMkLkx+vkK/uG+yiZopauYpmi16OC 8+hYeloNz8qe43nQr1XYxh0yrAL4C+5IWA34inA6FEWW62xCLW6eUUnz8M78q+hF JPA3KyQfcULPXNW/ANbtTICWW0FgEIvvRevdy5c/Aq5BX3sm1OVML4wXwYpwMf+E /bXo/YLD/QgKVhD5DkFYDgxfElcmTXrqHhnfnxPdDA7oLXz2tQ6SZ6ja6YWfZdrm 3nQWjYreEPSsGE37uApO293QzqikwcIuMd/EZ07YHAPg7ZFIy90UeGu5ZIStQkY/ xbXFXrxJf+k1UoC3VRud3q50VtV6DC2rYw8mLAFRY4y8SsOUzQ0SlvQNZDXc4wUv 4t6pK9HfZ3UxcYwdY3GNesZsf+b/wj9Rt0+bfPkrnBy+CRTF5siCoHf4MWDYbiFf 01UazNxkS13Yws3S0emPYr2ni1UikuFaJZGMi6dDPfp589+DgiSS2qkb142AF4Y6 Buje44YaKvVaW4AjwlFJmf//u5q3U1CtI3Itmz8zWpiHN6n9UZAhg6OKC1e8TqA8 U8hAhoi2sqDy8n5w61SA5s4AtFiJcv25Ghf2TgNnGATvUl5L+k0=
=QFhJ
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

XPost: linux.debian.maint.boot

On 24/05/2025 at 21:16, Cyril Brulebois wrote:

Pascal Hambourg <pascal@plouf.fr.eu.org> (2025-05-24):

Boot with debian-trixie-DI-rc1-amd64-netinst.iso, expert install, no
hack in the shell, encrypted /home using only regular menus ->
installed system boot: no passphrase prompt, fallback to emergency
shell. Install systemd-cryptsetup -> it works without any additional
configuration.

OK, thanks for confirming. I'm not sure if the logic around the cryptsetup-initramfs installation did or would pick up that use case.

I do not see why it wouldn't. It works in bookworm.

Was cryptsetup-initramfs installed?

Yes:
May 24 10:12:30 apt-install: Queueing package cryptsetup-initramfs for
later installation

I'm not sure how to best spot the need for systemd-cryptsetup in those
cases, I'm really just familiar with the usual guided encrypted LVM scenario… If someone wants to propose some logic, I'm all ears.

As you wrote, I think the simpler, safer and more versatile is to queue systemd-cryptsetup along with cryptsetup-initramfs so that the behaviour
is the same as previous releases and won't surprise users.

If you want something more sophisticated, as Guilhem proposed: queue cryptsetup-initramfs for encrypted /, /usr and swap and queue systemd-cryptsetup for other encrypted volumes. But despite the mention
in release notes, some users may be surprised after installing Trixie
without systemd-cryptsetup when later adding an encrypted volume
(requiring systemd-cryptsetup).

What do /etc/fstab and /etc/crypttab look like?

/etc/fstab:
UUID=e88e70ed-524f-484e-9b26-b8768b7ca641 / ext4 errors=remount-ro 0 1
/dev/mapper/vda2_crypt /home ext4 defaults 0 2 /dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0

/etc/crypttab:
vda2_crypt UUID=258de875-138e-4c10-8438-d36e287aa880 none luks,discard,x-initrd.attach

As expected, the initramfs /cryptroot/crypttab is empty because there is
no need to mount /home early. A workaround would be to add the option "initramfs" in /etc/crypttab so that the line is added to the initramfs crypttab. But I do not advocate it, because any failure would spawn the initramfs shell which is much less convenient than systemd emergency shell.

PS: I suspect the option "x-initrd.attach" is not needed for /home, but
it is probably harmless.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.boot

Pascal Hambourg <pascal@plouf.fr.eu.org> (2025-05-24):

Yes:
May 24 10:12:30 apt-install: Queueing package cryptsetup-initramfs for later installation

ACK. Modified the hook to pull both packages (and pushed master).

Modified debian-cd to ensure it's available (see kibi/for-master).

This seems to work fine.

You can experiment with:
https://people.debian.org/~kibi/bug-1092977+intel/

If tests look good to you, I'll upload partman-crypto.


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmgyPg4ACgkQ/5FK8MKz VSB2RRAAqua2V3BoLAWDjINvredUVWJ5Ln5rNloQqBlkxTssA8hh7sP1nPd8sD1Q WRWhBVPgZhLCdxmZ8qHlz7idC68VaU1eTFO8Rm+ZneX4CdvfCQtMcZuYd5oruMQU MTDp9USOVa7M8VjbdwVJB0q5CaaFDI4VDvUBfPEGoHmPvTwXgnmpbtj639zIOcJ4 2k6YG5+ldtusa/E+qg0tirxPifIx5tV58Cc11aqDAr+raumZ30yEwZBdPJsu1QUJ XLZAhuuYW5+RTO5IgOHs6bt3WGbvUT4HxDLQN+yq2f9rnqoJ31vVDotcbc085SbH Xa2juyro2Xyu9brXbvdwsmkgglhLUswuCoJzwdxk8kaCaRjh2Y2AEFaDR0J13ViT mb/RiiCXvwKibQzB0gbk+r5jzyuseBgJyp7tX+oyK2l6ID45TIj2Vpvj9551GK/Y OZLI0/ZBuKtEPKcFS5oqctvIqveiizsCnPV/BPV+Zs1IKAK43rba3IddunrXFYhW 7ECsJ9Fm05SpHrGBWII0E88y0LYtzLX5OmyHpeB9+Dd3iSOh6eSoVOsbN0SFm8vu gG0kvNt4Eop6TqiaGdH3kW/4BiAOBSTL1/GKLsBt4GwKOBF3Ab1jEIbOZbfOnFqh 0lITT4GyFLLA1d9hNVdvcfjmrSoOk0rGIAaSdjx9fs14O6XLBqA=
=7mKI
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

XPost: linux.debian.maint.boot

On 24/05/2025 at 23:45, Cyril Brulebois wrote:

ACK. Modified the hook to pull both packages (and pushed master).

Modified debian-cd to ensure it's available (see kibi/for-master).

Just for my own education, how come systemd-cryptsetup was already
included in netinst ? As a Recommends: of other included packages ?

This seems to work fine.

You can experiment with:
https://people.debian.org/~kibi/bug-1092977+intel/

Thanks.

If tests look good to you, I'll upload partman-crypto.

Tested successfully with the two following use cases:
- manual partitioning with encrypted /home -> bug fixed
- guided partitioning with encrypted LVM -> no regression

Note: users who install without any encryption and later add an
encrypted volume will still need to install systemd-cryptsetup in
addition to cryptsetup, so Trixie's behaviour will not be the same as
previous releases. The only way to keep the same behaviour would be to
always install systemd-cryptesetup.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.boot

Pascal Hambourg <pascal@plouf.fr.eu.org> (2025-05-25):

Just for my own education, how come systemd-cryptsetup was already
included in netinst ? As a Recommends: of other included packages ?

Likely.

Tested successfully with the two following use cases:
- manual partitioning with encrypted /home -> bug fixed
- guided partitioning with encrypted LVM -> no regression

Thank you.

Note: users who install without any encryption and later add an
encrypted volume will still need to install systemd-cryptsetup in
addition to cryptsetup, so Trixie's behaviour will not be the same as previous releases. The only way to keep the same behaviour would be
to always install systemd-cryptesetup.

Things change over time, we can't install the exact same system all the
time. I'm not entirely sure about what to do with this particular
package… to me it kind of looks like “I want to use LVM all of sudden
and now I have to install lvm2?!”.


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmgzKyIACgkQ/5FK8MKz VSBdJBAAkAHsPuj94C8rvC9SK2VPu30vU7LAzj/l+SkLzjEo3J8QUXeVT+ZZddQk G/87SafRedDr1hTcwIdYgkoybEEfnbG/a6K6Qpvg7PhVJOuAaPq3ugptzDj6wz0r P8R8tQGFrvzETMO3GrFKIlKTYArdsy8D/jM/iEIjnLjag1wXInMsOTv9CCtgoe0y YiYjVVZhKz6TRT5dKGqXMRoYOm6p6d/ePnLZthUQKVnJQnkkIgxYLuhovjadkuwj tnzir9vzXgoiIp8n3VMTqWQ3uwMe8DkBX1YVHeSWyWcnbebeB8ODD/F/7LAQiWbb dFlAV9w2ouadjkprSI2cUc1UEjseQC2PoPvIxeHryAxXl7Qr9TJ0PscMO+Fg4IfS nE+Sn2ph7ZjKIeXxTeyAY9zJ7pSd6dH5BvfCCNe5Yjjr/34lhbnDLOstpMNtiX8l A07X1RaYNr/CT95eY8KuIFF/GmK0IsnBzR7xXkEl0gJbOggqE16VfutnPWV78OGi gjevuPE6mJeeRtzmwZg+QlxMjAbDB+9VWZjy67elbsaIgtdDnoKbdw7dvLCmYxaI Cx/XJDmO2zNLHkTpOhkMEH/dx+RHlkWSVE4yaHf/O/iT0zePimmige1yPSf9J0Pu Reg6g3kWOBnEZ+JiW3YPKEqaTUAAWfbkUtR5Ok+c5z1NCo28Bts=
=k00D
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

XPost: linux.debian.maint.boot

Cyril Brulebois <kibi@debian.org> (2025-05-25):

Things change over time, we can't install the exact same system all the
time. I'm not entirely sure about what to do with this particular
package… to me it kind of looks like “I want to use LVM all of sudden
and now I have to install lvm2?!”.

I've just verified, and indeed debootstrap doesn't install systemd's Recommends. It's not just systemd-cryptsetup, but also systemd-timesyncd
(which was split 1+ release cycle ago)…

IOW: We're just moving with the flow here, and if people feel this
should be installed everywhere, an argument could be made about the
Priority. systemd-timesyncd is standard, systemd-cryptsetup is only
optional, meaning the former gets pulled by d-i (unless opting-out)
while the latter doesn't.


I'll let others (maybe systemd maintainers in particular) comment and/or
act on this if they feel this should be addressed, I think that's
getting out of scope (or at least orthogonal enough) for what we were
meaning to fix here: missing package for some use cases when we know
(during installation) encryption is being set up.

Just uploaded partman-crypto.


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmgzWZIACgkQ/5FK8MKz VSBjgRAAkHF4fIeU+bq8Ooi6BVyZE72mYGCQ1Zczo6UK2QDyvXbH8KpLr15uu94w ir/5u31WlXBqBbjMCzDGjp/tnz2wYZRjCfcemZUwfpQygMOsbmQ+zy5pk4cYEJZg /oPY3Tii9IPoXq4JVJYB8J8YgK9B6P6qXIUetjTPbRM2ogP84HY4sTk0mmnQMea7 PT9Ek2EihJib9ZOo9ENfK6RVStIJ6pCsLXxyR2TDOG/mYAvNOoMKj2aeqQvV6jPB 6kkZnI2nAqVwLsRhoWJj+uscsTR2fh3CslbOZh7kVBGiT+NmXemfaEIsdGBNjJUC ILaHoHEgMKdOeqKn2hZZ0Y4X30i0PpRxjmpQMkC24Dp8XD1/J5P/J/UhsGZqOLMf 8+8840bjgmCEaKLX5dojFRf0UbDU1+Y7EdqNqfWmtXKeMMQPYuBTCsdCuwgkAPmZ Kazd9d7Kns3C4Wj0jBOl0qgchi9JRNKxlYnlpeqGzN3qy62ZnbJuBKmHXfvXazvh iFyLc+7unv+knKDDycUgowpxn5ZIFkV0MBGUNLidhWARoH5jZgtxrlpkrf4JruBJ QV81gHWrz7bPfu2uTFCwjgzJcdiWWbozYpKqVOZuYPqeUwsyLUxWC9VSSUCHy+em gaK3QDLxrkwJ1CrbA9O4NYSavmnOzmaEnv2zU5/bplXYqGEhnaY=
=THy+
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*