Package: calamares-settings-debian
Version: 10.0.20-1
Severity: normal

Calamares supports full disk encryption using LUKS and GRUB.

It installs an encryption key in the initramfs. The problem is
that in Debian, the initramfs is world-readable by default, which
means that a user on an unlocked system could retrieve the unlock
key.

Creating a file called /etc/initramfs-tools/conf.d/initramfs-permissions
containing UMASK=0077 will result in a more secure configuration, and
can be done from the calamares-settings-debian package.

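An audit sketch for the configuration described in this report, added here as an example and not taken from the report or from either package. The function names and the optional root-prefix argument are hypothetical, and the script assumes conf.d files are read after initramfs.conf so that the last UMASK assignment wins.

```shell
#!/bin/sh
# Added example: check the initramfs-tools UMASK setting and the mode of
# images already in /boot. Each function takes an optional root prefix
# (hypothetical, so the check can also run against a mounted target tree).
# Usage on a live system: audit_initramfs

# Print the last UMASK value found in the initramfs-tools config, if any.
initramfs_umask() {
    root="${1:-}"
    for f in "$root/etc/initramfs-tools/initramfs.conf" \
             "$root"/etc/initramfs-tools/conf.d/*; do
        [ -f "$f" ] || continue
        # Commented-out lines do not match; optional double quotes are dropped.
        sed -n 's/^[[:space:]]*UMASK="\{0,1\}\([0-7][0-7]*\).*/\1/p' "$f"
    done | tail -n 1
}

# List initramfs images whose mode still grants read access to "other".
world_readable_initrds() {
    root="${1:-}"
    find "$root/boot" -maxdepth 1 -type f -name 'initrd.img-*' -perm -004 2>/dev/null
}

# Return 0 only if the umask hides new images from "other" and no existing
# image is world-readable.
audit_initramfs() {
    root="${1:-}"
    status=0
    mask=$(initramfs_umask "$root")
    case "$mask" in
        *[4-7]) ;;  # last octal digit masks the "other" read bit
        *) echo "UMASK does not mask other-read (value: ${mask:-unset})"
           status=1 ;;
    esac
    exposed=$(world_readable_initrds "$root")
    if [ -n "$exposed" ]; then
        # The umask only applies to newly generated images.
        echo "world-readable images, regenerate with update-initramfs -u:"
        echo "$exposed"
        status=1
    fi
    return $status
}
```

Setting UMASK affects only images generated afterwards, so an image that already exists keeps its old mode until it is rebuilt or its permissions are changed.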