Fix documentation manual unlock 2

[459below]

Sorry, the cryptsetup is not included in the initramfs by the current versions of the script. With this PR they will. This should now really fix #10 .

[459below]

Seems like Jessie does always include cryptsetup, but Stretch does not. I will revert the commits, which are rendered useless by that fact.

[fetzerms]

Thanks for your contributions! Before merging: Do we need to add CRYPTSETUP=y when using Stretch? Does it hurt, if we add it to Jessie as well?

Or did I get that wrong?

[459below]

In short: Yes, it seems to be needed to add this on Stretch and No, it shouldn't have any adverse effects on Jessie.

[tmasar@thalamus ~]$ head -n 15 /etc/cryptsetup-initramfs/conf-hook 
#
# Configuration file for the cryptroot initramfs hook.
#

#
# CRYPTSETUP: [ y | n ]
#
# Add cryptsetup modules to the initramfs image, regardless of _this_
# machine configuration.  By default, cryptsetup modules are only added
# when there is a device that needs to be unlocked at initramfs stage
# (such as root or resume devices).
#

CRYPTSETUP=y

The CRYPTSETUP parameter determines, whether initramfs should be forced to include the cryptsetup binary. The parameter has been moved around over time and in Stretch it now lives in its own config file.

As far as I know CRYPTSETUP - in theory - should be set automatically, if we have an encrypted system and with Jessie it seems to be working as intended. However in my experience it doesn't always work. I'm not sure what I would've done wrong, but just yesterday when I analyzed compatibility with Stretch, the system didn't produce a initramfs with cryptsetup included on its own, even though it was the very stock encrypted system by the Debian installer. Since it doesn't really add much to the size of the initramfs, I would always set this parameter to be on the safe side.

If we want to add this parameter to Jessie I think we could use a separate hook, which just includes CRYPTSETUP=y. That's what I did to encrypt Raspbian a while back. That hook would be ignored by Stretch.

I have used this to encrypt an existing system. The strategy was:

• enable CRYPTSETUP
• create initrd.img including cryptsetup
• check with lsinitramfs /initrd.img | grep cryptsetup
• access the system offline (e.g. liveboot or whatever)
• backup the entire fs to .tar.gz
• format system with LUKS
• restore into LUKS partition and update fstab, crypttab, etc
• boot initrd and let it fail
• unlock from initramfs emergency shell and continue to boot
• setup everything regarding bootloader, fstab, crypttab
• system would then be encrypted and bootable