| Cryptsetup 1.3.0 Release Notes |
| ============================== |
| |
| Changes since version 1.2.0 |
| |
| Important changes |
| ~~~~~~~~~~~~~~~~~ |
| * Several userspace crypto backends support |
| |
| cryptsetup now supports generic crypto backend interface which allows |
| compile package with various crypto libraries, these are already implemented: |
| |
| * gcrypt (default, used in previous versions) |
| * OpenSSL |
| * NSS (because of missing ripemd160 it cannot provide full backward compatibility) |
| * kernel userspace API (provided by kernel 2.6.38 and above) |
| (Note that kernel userspace backend is very slow for this type of operation. |
| But it can be usefull for embedded systems, because you can avoid userspace |
| crypto library completely.) |
| |
| Backend is selected during configure time, using --with-crypto_backend option. |
| |
| configure --with-crypto_backend=BACKEND (gcrypt/openssl/nss/kernel) [gcrypt] |
| |
| Note that performance checked (iterations) in LUKS header will cause that |
| real iteration time will differ with different backends. |
| (There are huge differences in speed between libraries.) |
| |
| * Cryptsetup now automatically allocates loopback device (/dev/loop) if device |
| argument is file and not plain device. |
| |
| This require Linux kernel 2.6.25 and above (which implements loop autoclear flag). |
| |
| You can see backing file in cryptsetup status output if underlying device is loopback. |
| |
| * Introduce maximum default keyfile size, add configure option, visible in --help. |
| |
| Cryptsetup now fails if read from keyfile exceeds internal limit. |
| You can always specify keyfile size (overrides limit) by using --keyfile-size option. |
| |
| * Adds luksChangeKey command |
| |
| cryptestup luksChangeKey --key-file <old keyfile> <new keyfile> [--key-slot X] |
| cryptestup luksChangeKey [--key-slot X] (for passphrase change) |
| |
| This command allows passphrase/keyfile change in one step. If no key slot is |
| specified (and there is still free key slot on device) new slot is allocated before |
| the old is purged. |
| |
| If --key-slot option is specified (or there is no free slot) command will overwrite |
| existing slot. |
| WARNING: Be sure you have another slot active or header backup when using explicit |
| key slot (so you can unlock the device even after possible media failure). |
| |
| * Adds compatible support for loop-AES encryption type in loopaesOpen command. |
| |
| Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping |
| (including multi-key and special CBC mode, all three modes are supported). |
| |
| If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can |
| access loop-AES volume using |
| cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file> |
| |
| If you are using GPG encrypted keyfile |
| gpg --decrypt <key-file> | cryptsetup loopaesOpen --key-file=- <device> <name> |
| |
| Do not forget to specify key size. Version and hash is automatically detected |
| according to number of lines in key file. For special configuration you can |
| override IV sector offset using --skip option, device offset with --offset |
| and hash algorithm using --hash, see man page for details. |
| |
| Please note that loopAES dm-crypt mode is provided for compatibility reasons |
| (so you do not need to patch kernel and util-linux to map existing volumes) |
| but it is not, and never will be, optimized for speed. |
| It is experimental feature for now. |
| |
| * Require the whole key read from keyfile in create command (regression in 1.2.0). |
| |
| * WARNING: This is the last cryptsetup release which supports library with |
| old API (using struct crypt_options). |
| These calls are deprecated since 1.1.0 and AFAIK no application |
| is using it in recent distros. Removing compatible code will allow |
| new features to be implemented easily. |
| |
| Other changes |
| ~~~~~~~~~~~~~ |
| * Lock memory also in luksDump command. |
| * Fix return code when passphrase is read from pipe. |
| * Increase libcryptsetup version (loopAES change), still fully backward compatible. |
| * Fixes static build (--disable-static-cryptsetup now works properly). |
| * Supports secure data flag for device-mapper ioctl (will be in 2.6.39, |
| forcing kernel to wipe all ioctl buffers with possible key data). |
| To enable this flag you need new device-mapper library, in LVM2 2.02.84. |
| * Add copyright texts into some files and adds GPL exception allowing |
| to distribute resulting binaries linked with OpenSSL. |
| * Update FAQ. |
| * Fix message when locking memory fails. |
| * Fix luksAddKey return code if master key is used. |
| * Update some text files in distributions. |
| * Add docs directory with Release Notes archive. |
| * Do not hardcode loopback device name in tests, use internal loopback library. |