Fixed-Security-Issue: Calamares encryption option (siduction-22.1-Masters_of_War-kde-amd64-202212291659.iso)

[Rockets31]

The encryption-option uses a keyfile (/crypto_keyfile.bin), which is included in initramfs for booting the system by crypttab option (keyscript=/bin/cat). The initramfs are not protected by root privileges, so key is output of cat and could be extracted... I think the keyscript option in crypttab is not used anymore.

Usually for Debian-distros you should following steps:

1. Remove "keyscript=/bin/cat" in crypttab.
2. root@debian:~# echo "KEYFILE_PATTERN="/crypto_keyfile.bin"" >> /etc/cryptsetup-initramfs/conf-hook
3. root@debian:~# echo UMASK=0077 >>/etc/initramfs-tools/initramfs.conf
4. root@debian:~# update-initramfs -u -k all

Step 2 tells initramfs-generation using the keyfile and step 3 uses restrictive privileges for the initramfs archives.

[hhl]

@Rockets31
to understand, are you referring to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767448#15 ,
and https://lists.debian.org/debian-devel/2019/07/msg00035.html et al.,
or calamares/calamares#1191 , calamares/calamares@43eb664 , calamares/calamares@c9b675c

And if that is (what you described above) a general clamares and/or debian security issue, you have to fill a bug/issue against calamares and/or debian!

[Rockets31]

It ist about the permissions of initramfs "umask=0077". This ist already fixed and implemented for Calamares and Debian. It was also fixed for archlinux mkinitcpio... Above I described one solution for this problem...
I think in bullseye-install-media Calamares AND "Debian" put a own "umask=0077-file" into /etc/initramfs-tools/conf.d directory. Maybe it is the way Calamares and/or Debian Installation Media are configured.

[hhl]

https://security-tracker.debian.org/tracker/CVE-2019-13179

We use “calamares -3.2.61-1+b”, so it is fixed!

I do not close this issue now, but change it from bug to documentation.
Maybe it is useful for our manual, help is always appreciated.