=== modified file 'Makefile'
--- Makefile 2018-08-19 01:35:11 +0000
+++ Makefile 2018-08-19 14:06:55 +0000
@@ -425,6 +425,8 @@
 $(INITRAMFSTOOLS)/hooks/mandos
 install --mode=u=rw,go=r initramfs-tools-hook-conf \
 $(INITRAMFSTOOLS)/conf-hooks.d/mandos
+ install --mode=u=rw,go=r initramfs-tools-conf \
+ $(INITRAMFSTOOLS)/conf.d/mandos-conf
 install initramfs-tools-script \
 $(INITRAMFSTOOLS)/scripts/init-premount/mandos
 install initramfs-tools-script-stop \
=== modified file 'debian/mandos-client.dirs'
--- debian/mandos-client.dirs 2018-08-19 01:35:11 +0000
+++ debian/mandos-client.dirs 2018-08-19 14:06:55 +0000
@@ -2,5 +2,6 @@
 usr/sbin
 usr/share/initramfs-tools/hooks
 usr/share/initramfs-tools/conf-hooks.d
+usr/share/initramfs-tools/conf.d
 usr/share/initramfs-tools/scripts/init-premount
 usr/share/initramfs-tools/scripts/local-premount
=== added file 'initramfs-tools-conf'
--- initramfs-tools-conf 1970-01-01 00:00:00 +0000
+++ initramfs-tools-conf 2018-08-19 14:06:55 +0000
@@ -0,0 +1,17 @@
+# -*- shell-script -*-
+
+# Since the initramfs image will contain key files, we need to
+# restrict permissions on it by setting UMASK here.
+#
+# The proper place to set UMASK is (according to
+# /etc/cryptsetup-initramfs/conf-hook), in
+# /etc/initramfs-tools/initramfs.conf, which we shouldn't edit. The
+# corresponding directory for drop-in files from packages is
+# /usr/share/initramfs-tools/conf.d, and this file will be installed
+# there as "mandos-conf".
+#
+# This setting of UMASK will have unfortunate unintended side effects
+# on the files *inside* the initramfs, but these are later fixed by
+# "initramfs-tools-hook", installed as
+# "/usr/share/initramfs-tools/hooks/mandos".
+UMASK=0027
=== modified file 'initramfs-tools-hook'
--- initramfs-tools-hook 2018-08-19 01:35:11 +0000
+++ initramfs-tools-hook 2018-08-19 14:06:55 +0000
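Review bot: The unconditional `UMASK=0027` on the last line of the new initramfs-tools-conf replaces whatever value is already in effect when this drop-in is read. The file's own comment names /etc/initramfs-tools/initramfs.conf as the proper place for UMASK, so an administrator who set a stricter value there (0077, say) could end up with a group-readable initrd.img holding the key files, if conf.d drop-ins are sourced after initramfs.conf; that order is not visible in this diff and should be confirmed. One option is to only ever add mask bits, something like `UMASK=$(printf '%04o' $(( 0${UMASK:-0} | 0027 )))`. The header comment should also state the intended precedence, since a drop-in sourced later with a looser UMASK would presumably undo this setting.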
@@ -252,8 +252,8 @@
 # initrd; it is intended to affect the initrd.img file itself, since
 # it now contains secret key files. There is, however, no other way
 # to set the permission of the initrd.img file without a race
-# condition. This umask is set by "initramfs-tools-hook-conf",
-# installed as "/usr/share/initramfs-tools/conf-hooks.d/mandos".)
+# condition. This umask is set by "initramfs-tools-conf", installed
+# as "/usr/share/initramfs-tools/conf.d/mandos-conf".)
 #
 for full in "${MANDOSDIR}" "${CONFDIR}"; do
 while [ "$full" != "/" ]; do
=== modified file 'initramfs-tools-hook-conf'
--- initramfs-tools-hook-conf 2009-05-17 00:50:09 +0000
+++ initramfs-tools-hook-conf 2018-08-19 14:06:55 +0000
@@ -9,5 +9,3 @@
 rm "${outfile}"
 (umask 027; touch "${outfile}")
 fi
-
-UMASK=027