110 lines
4.9 KiB
Text
110 lines
4.9 KiB
Text
Cryptsetup 1.1.0 Release Notes
|
|
==============================
|
|
|
|
Changes since version 1.0.7
|
|
----------------------------
|
|
|
|
Important changes:
|
|
~~~~~~~~~~~~~~~~~~
|
|
|
|
* IMPORTANT: the default compiled-in cipher parameters changed
|
|
plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!).
|
|
LUKS mode: aes-cbc-essiv:sha256 (only key size increased)
|
|
In both modes is now default key size 256bits.
|
|
|
|
* Default compiled-in parameters are now configurable through configure options:
|
|
--with-plain-* / --with-luks1-* (see configure --help)
|
|
|
|
* If you need backward compatible defaults for distribution use
|
|
configure --with-plain-mode=cbc-plain --with-luks1-keybits=128
|
|
|
|
Default compiled-in modes are printed in "cryptsetup --help" output.
|
|
|
|
* Change in iterations count (LUKS):
|
|
The slot and key digest iteration minimum count is now 1000.
|
|
The key digest iteration count is calculated from iteration time (approx 1/8 of req. time).
|
|
For more info about above items see discussion here: http://tinyurl.com/yaug97y
|
|
|
|
* New libcryptsetup API (documented in libcryptsetup.h).
|
|
|
|
The old API (using crypt_options struct) is still available but will remain
|
|
frozen and not used for new functions.
|
|
Soname of library changed to libcryptsetup.so.1.0.0.
|
|
(But only recompilation should be needed for old programs.)
|
|
|
|
The new API provides much more flexible operation over LUKS device for
|
|
applications, it is preferred that new applications will use libcryptsetup
|
|
and not wrapper around cryptsetup binary.
|
|
|
|
* New luksHeaderBackup and luksHeaderRestore commands.
|
|
|
|
These commands allows binary backup of LUKS header.
|
|
Please read man page about possible security issues with backup files.
|
|
|
|
* New luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase).
|
|
|
|
luksSuspend wipe encryption key in kernel memory and set device to suspend
|
|
(blocking all IO) state. This option can be used for situations when you need
|
|
temporary wipe encryption key (like suspend to RAM etc.)
|
|
Please read man page for more information.
|
|
|
|
* New --master-key-file option for luksFormat and luksAddKey.
|
|
|
|
User can now specify pre-generated master key in file, which allows regenerating
|
|
LUKS header or add key with only master key knowledge.
|
|
|
|
* Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option.
|
|
|
|
Please note that using different hash for LUKS header make device incompatible with
|
|
old cryptsetup releases.
|
|
|
|
* Introduces --debug parameter.
|
|
|
|
Use when reporting bugs (just run cryptsetup with --debug and attach output
|
|
to issue report.) Sensitive data are never printed to this log.
|
|
|
|
* Moves command successful messages to verbose level.
|
|
|
|
* Requires device-mapper library and libgcrypt to build.
|
|
|
|
* Uses dm-uuid for all crypt devices, contains device type and name now.
|
|
|
|
* Removes support for dangerous non-exclusive option
|
|
(it is ignored now, LUKS device must be always opened exclusive)
|
|
|
|
Other changes:
|
|
~~~~~~~~~~~~~~
|
|
* Fixed localization to work again. Also cryptsetup is now translated by translationproject.org.
|
|
* Fix some libcryptsetup problems, including
|
|
* exported symbols and versions in libcryptsetup (properly use versioned symbols)
|
|
* Add crypt_log library function.
|
|
* Add CRYPT_ prefix to enum defined in libcryptsetup.h.
|
|
* Move duplicate Command failed message to verbose level (error is printed always).
|
|
* Fix several problems in build system
|
|
* use autopoint and clean gettext processing.
|
|
* Check in configure if selinux libraries are required in static version.
|
|
* Fix build for non-standard location of gcrypt library.
|
|
* Add temporary debug code to find processes locking internal device.
|
|
* Fix error handling during reading passphrase.
|
|
* Fail passphrase read if piped input no longer exists.
|
|
* Fix man page to not require --size which expands to device size by default.
|
|
* Clean up Makefiles and configure script.
|
|
* Try to read first sector from device to properly check that device is ready.
|
|
* Move memory locking and dm initialization to command layer.
|
|
* Increase priority of process if memory is locked.
|
|
* Add log macros and make logging more consistent.
|
|
* Keyfile now must be provided by path, only stdin file descriptor is used (api only).
|
|
* Do not call isatty() on closed keyfile descriptor.
|
|
* Move key slot manipulation function into LUKS specific code.
|
|
* Replace global options struct with separate parameters in helper functions.
|
|
* Implement old API calls using new functions.
|
|
* Allow using passphrase provided in options struct for LuksOpen.
|
|
* Allow restrict keys size in LuksOpen.
|
|
* Fix errors when compiled with LUKS_DEBUG.
|
|
* Print error when getline fails.
|
|
* Completely remove internal SHA1 implementation code, not needed anymore.
|
|
* Pad luks header to 512 sector size.
|
|
* Rework read/write blockwise to not split operation to many pieces.
|
|
* Use posix_memalign if available.
|
|
* Fix segfault if provided slot in luksKillslot is invalid.
|
|
* Remove unneeded timeout when remove of temporary device succeeded.
|