Solution to the error "cryptsetup: WARNING: Permissive UMASK (0022). Private key material within the initrd might be left unprotected."

By Darío Rivera
Posted in Linux

If you designed your own partition table to install Ubuntu with some partitions encrypted with LUKS, you will occasionally run into problems. Today we will solve an error that appears when installing packages that update the initial ramdisk (initramfs) and that leaves our Linux system unable to boot correctly the next time we start it.

The error in question is the following:

cryptsetup: WARNING: Permissive UMASK (0022). Private key material within the initrd might be left unprotected.

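This error indicates that the initial ramdisk is being generated with a permissive umask (0022), so the private key material inside it does not have the proper permissions and could be left unprotected, that is, readable by other users on the system. The good news is that this error is relatively easy to fix if you know how your partition table is mounted.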

Solution

The solution to this problem consists of assigning the correct permissions in the initial ramdisk configuration. Since your system no longer boots, you will have to prepare a USB device with a live Linux system and follow the steps described below. Essentially, the steps are:

- Prepare a live USB for Linux (this step is outside the scope of this post)
- Enter as chroot into the system (this step is outside the scope of this post)
- Add permissions to the initial ramdisk
- Re-generate the initial ramdisk

Entering as chroot into the system

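# Unlock the LUKS containers (adjust the device names to your partition table)
sudo cryptsetup luksOpen /dev/nvme0n1p1 LUKS_BOOT
sudo cryptsetup luksOpen /dev/nvme0n1p5 nvme0n1p5_crypt
# Mount the root, /boot and EFI file systems under /mnt
sudo mount /dev/mapper/vgubuntu-root /mnt
sudo mount /dev/mapper/LUKS_BOOT /mnt/boot
sudo mount /dev/nvme0n1p3 /mnt/boot/efi
# Bind the live system's proc, sys, dev and resolv.conf into the target
for n in proc sys dev etc/resolv.conf; do sudo mount --rbind "/$n" "/mnt/$n"; done
# Switch into the installed system
sudo chroot /mnt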

mount -a
update-initramfs: Generating /boot/initrd.img-6.2.0-20-generic
cryptsetup: WARNING: Permissive UMASK (0022). Private key material within the 
    initrd might be left unprotected.
update-initramfs: Generating /boot/initrd.img-5.19.0-40-generic
cryptsetup: WARNING: Permissive UMASK (0022). Private key material within the 
    initrd might be left unprotected.
root@ubuntu:/# dpkg -l | tail -n +6 | grep -E 'linux-image-[0-9]+' | grep ii
ii  linux-image-5.19.0-40-generic  5.19.0-40.41  amd64  Signed kernel image generic
ii  linux-image-6.2.0-20-generic   6.2.0-20.20   amd64  Signed kernel image generic

Adding permissions to the initial ramdisk

# UMASK=0077 makes the generated initrd image readable by root only
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf

Re-generating the initial ramdisk

update-initramfs -u -k all
update-initramfs: Generating /boot/initrd.img-6.2.0-20-generic
update-initramfs: Generating /boot/initrd.img-5.19.0-40-generic
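
To confirm the fix took effect, the following added example (not part of the original post) reports which UMASK value is actually in effect, since `>>` appends and an earlier assignment may still be in the file, and lists any initrd images in /boot that group or others can still read. The function names and the `--audit` flag are hypothetical, and it assumes GNU find.

```shell
#!/bin/sh
# Added example: audit the UMASK fix on a mounted root (e.g. /mnt) or on the
# running system (""). Function names and the --audit flag are illustrative.

# Print the UMASK value that takes effect. The files are shell fragments, so
# the last assignment wins (assumption: pass them in the order they are read).
effective_umask() {
    sed -n 's/^[[:space:]]*UMASK=//p' "$@" 2>/dev/null |
        tr -d "\"'" | awk '{ print $1 }' | tail -n 1
}

# Succeed only if the umask clears every group and other permission bit.
umask_is_restrictive() {
    case "$1" in '' | *[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & 077 )) -eq $(( 077 )) ]
}

# List initrd images in DIR that group or others can read (GNU find syntax).
loose_images() {
    find "$1" -maxdepth 1 -type f -name 'initrd.img-*' -perm /044 2>/dev/null || true
}

# Check both the configuration and the images already written to /boot.
audit() {
    root=$1
    status=0
    um=$(effective_umask "$root/etc/initramfs-tools/initramfs.conf")
    if umask_is_restrictive "$um"; then
        echo "OK:   UMASK=$um"
    else
        echo "FAIL: UMASK=${um:-unset}, new images would be readable by other users"
        status=1
    fi
    loose=$(loose_images "$root/boot")
    if [ -n "$loose" ]; then
        echo "FAIL: still readable by group or others:"
        echo "$loose"
        status=1
    fi
    return "$status"
}

if [ "${1:-}" = "--audit" ]; then
    audit "${2:-}"
fi
```

Run it with `--audit /mnt` from the live session before entering the chroot, or with `--audit ""` inside it.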
