Cryptsetup 1.4.0 Release Notes
==============================

Changes since version 1.3.1

Important changes
~~~~~~~~~~~~~~~~~

WARNING: This release removes the old deprecated API from libcryptsetup
(all functions using struct crypt_options).

This requires a libcryptsetup version change and
a rebuild of applications using the cryptsetup library.
All new API symbols are backward compatible.

* If the device is not a rotational disk, cryptsetup no longer tries
  to wipe the keyslot with the Gutmann algorithm for magnetic media erase
  but simply rewrites the area once with random data.

* The on-disk LUKS header can now be detached (e.g. placed on a separate
  device or in a file) using the new --header option.

  This option is only relevant for LUKS devices and can be used in
  luksFormat, luksOpen, luksSuspend, luksResume and resize commands.

  If used with luksFormat, the --align-payload option is taken
  as absolute sector alignment on the ciphertext device and can be zero.

  Example:
    Create LUKS device with ciphertext device on /dev/sdb and header
    on device /dev/sdc. Use all space on /dev/sdb (no reserved area for header).

     cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0

    Activate such device:

     cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk

    You can use a file for the LUKS header (a loop device will be used while
    manipulating such a detached header); you just have to create
    a large enough file in advance.

     dd if=/dev/zero of=/mnt/luks_header bs=1M count=4
     cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0

    Activation is the same as above.

     cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk

  All keyslot operations need to be run on the _header_, not on the ciphertext
  device, for example:

     cryptsetup luksAddKey /mnt/luks_header

  If you do not use --align-payload 0, you can later restore the LUKS header
  on the device itself (and use it as a normal LUKS device without detached header).

  WARNING: There is no possible check that the specified ciphertext device
  matches the detached on-disk header. Use with care, it can destroy
  your data in case of a mistake.

  WARNING: Storing the LUKS header in a file means that the anti-forensic
  splitter cannot properly work (there is a filesystem allocation layer
  between header and disk).

* Support --allow-discards option to allow discards/TRIM requests.

  Since kernel 3.1, dm-crypt devices optionally (not by default) support
  block discard (TRIM) commands.
  If you want to enable this operation, you have to enable it manually
  on every activation using --allow-discards:

     cryptsetup luksOpen --allow-discards /dev/sdb test_disk

  WARNING: There are several security consequences, please read at least
  http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
  before you enable it.

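Added example (not part of the cryptsetup release notes): since discards are
enabled per activation, an audit can list which active dm-crypt mappings carry
the allow_discards table parameter. It assumes input in "dmsetup table" format;
the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list dm-crypt mappings that were activated with discards
# enabled. Reads "dmsetup table" style lines on stdin:
#   <name>: <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> [<#opts> <opt>...]
# A mapping opened with --allow-discards carries the optional parameter
# "allow_discards" at the end of its table line.
discard_enabled_mappings() {
    awk '
        $4 == "crypt" && NF >= 10 {
            name = $1
            sub(/:$/, "", name)          # strip the trailing colon
            nopts = $10 + 0              # number of optional parameters
            for (i = 11; i <= 10 + nopts && i <= NF; i++) {
                # Report each mapping once, even if it has several segments.
                if ($i == "allow_discards" && !(name in seen)) {
                    seen[name] = 1
                    print name
                }
            }
        }
    '
}

# Constructed sample input (keys appear zeroed, as dmsetup prints them
# without --showkeys); not captured from a real system.
sample_table() {
    cat <<'EOF'
test_disk: 0 2093056 crypt aes-cbc-essiv:sha256 00000000000000000000000000000000 0 8:16 4096 1 allow_discards
backup: 0 4190208 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:32 4096
vg0-root: 0 8388608 linear 8:3 2048
EOF
}

# On a live system (as root): dmsetup table | discard_enabled_mappings
sample_table | discard_enabled_mappings
```
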
* Add --shared option for creating non-overlapping crypt segments.

  The --shared option checks that mapped segments are not overlapping
  and allows non-exclusive access to the underlying device.
  Only plain crypt devices can be used in this mode.

  Example - map 64M of device disk and the following 32M area as another disk.

     cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536
     cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared

  (It can be used to simulate trivial hidden disk concepts.)

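Added example (not part of the cryptsetup release notes): a pre-flight check
that validates a segment layout before any mapping is created, mirroring the
non-overlap rule that --shared enforces. Offsets and sizes are the values passed
to --offset and --size (512-byte sectors); the function name and input format
are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate a plain-mode segment layout for one device.
# stdin lines: "<name> <offset> <size>" (numbers as given to --offset/--size).
# Prints one cryptsetup command per segment, following the release notes'
# pattern (first mapping plain, later ones with --shared).
# Returns 1 and prints nothing on stdout if any segments overlap.
plan_shared_segments() {
    dev=$1
    sort -k2,2n | awk -v dev="$dev" '
        {
            off = $2 + 0; size = $3 + 0
            if (size <= 0) {
                printf "%s: size must be a positive sector count\n", $1 > "/dev/stderr"
                bad = 1
            }
            # A segment may start exactly where the previous one ends.
            if (NR > 1 && off < prev_end) {
                printf "%s (offset %d) overlaps %s (ends at %d)\n", $1, off, prev_name, prev_end > "/dev/stderr"
                bad = 1
            }
            cmd[NR] = sprintf("cryptsetup create %s %s --offset %d --size %d%s", $1, dev, off, size, (NR > 1 ? " --shared" : ""))
            if (off + size > prev_end) { prev_end = off + size; prev_name = $1 }
        }
        END {
            if (bad) exit 1
            for (i = 1; i <= NR; i++) print cmd[i]
        }
    '
}

# The layout from the example above, given out of order on purpose.
plan_shared_segments /dev/sdb <<'EOF'
inner_disk 65536 32768
outer_disk 0 65536
EOF
```
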
libcryptsetup API changes:
    * Added options to support detached metadata device
       crypt_init_by_name_and_header()
       crypt_set_data_device()
    * Add crypt_last_error() API call.
    * Fix plain crypt format parameters to include size option.
    * Add crypt_get_iv_offset() function.

    * Remove old API functions (all functions using crypt_options).

* Support key-slot option for luksOpen (use only explicit keyslot).

  You can now specify key slot in luksOpen and limit checking
  only to specified slot.

* Support retries and timeout parameters for luksSuspend.
  (The same way as in luksOpen.)

* Add doxygen-like documentation (it will be available on project page later).
  (To generate it manually run doxygen in docs directory.)

Other changes
~~~~~~~~~~~~~
* Fix crypt_load to properly check device size.
* Do not allow context format of already formatted device.
* Do not allow key retrieval while suspended (key could be wiped).
* Do not allow suspend for non-LUKS devices.
* Fix luksKillSlot exit code if slot is inactive or invalid.
* Fix exit code if passphrases do not match in luksAddKey.
* Fix return code for status command when device doesn't exist.
* Fix verbose messages in isLuks command.
* Support Nettle 2.4 crypto backend (supports ripemd160).
* Add LUKS on-disk format description into package.
* Enhance check of device size before writing LUKS header.
* Add more paranoid checks for LUKS header and keyslot attributes.
* Use new /dev/loop-control (kernel 3.1) if possible.
* Remove hash/hmac restart from crypto backend and make it part of hash/hmac final.
* Improve check for invalid offset and size values.
* Revert default initialisation of volume key in crypt_init_by_name().
* Add more regression tests.
* Add some libcryptsetup example files (see docs/examples).