summaryrefslogtreecommitdiffstats
path: root/docs/v1.4.0-ReleaseNotes
diff options
context:
space:
mode:
Diffstat (limited to 'docs/v1.4.0-ReleaseNotes')
-rw-r--r--docs/v1.4.0-ReleaseNotes131
1 files changed, 131 insertions, 0 deletions
diff --git a/docs/v1.4.0-ReleaseNotes b/docs/v1.4.0-ReleaseNotes
new file mode 100644
index 0000000..bef4e74
--- /dev/null
+++ b/docs/v1.4.0-ReleaseNotes
@@ -0,0 +1,131 @@
+Cryptsetup 1.4.0 Release Notes
+==============================
+
+Changes since version 1.3.1
+
+Important changes
+~~~~~~~~~~~~~~~~~
+
+WARNING: This release removes old deprecated API from libcryptsetup
+ (all functions using struct crypt_options).
+
+ This require libcrypsetup version change and
+ rebuild of applications using cryptsetup library.
+ All new API symbols are backward compatible.
+
+* If device is not rotational disk, cryptsetup no longer tries
+ to wipe keyslot with Gutmann algorithm for magnetic media erase
+ but simply rewrites area once by random data.
+
+* The on-disk LUKS header can now be detached (e.g. placed on separate
+ device or in file) using new --header option.
+
+ This option is only relevant for LUKS devices and can be used in
+ luksFormat, luksOpen, luksSuspend, luksResume and resize commands.
+
+ If used with luksFormat the --align-payload option is taken
+ as absolute sector alignment on ciphertext device and can be zero.
+
+ Example:
+ Create LUKS device with ciphertext device on /dev/sdb and header
+ on device /dev/sdc. Use all space on /dev/sdb (no reserved area for header).
+
+ cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0
+
+ Activate such device:
+ cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk
+
+ You can use file for LUKS header (loop device will be used while
+ manipulating with such detached header), just you have to create
+ large enough file in advance.
+
+ dd if=/dev/zero of=/mnt/luks_header bs=1M count=4
+ cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0
+
+ Activation is the same as above.
+
+ cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk
+
+ All keyslot operations need to be run on _header_ not on ciphertext device,
+ an example:
+
+ cryptsetup luksAddKey /mnt/luks_header
+
+ If you do not use --align-payload 0, you can later restore LUKS header
+ on device itself (and use it as normal LUKS device without detached header).
+
+ WARNING: There is no possible check that specified ciphertext device
+ matches detached on-disk header. Use with care, it can destroy
+ your data in case of a mistake.
+
+ WARNING: Storing LUKS header in a file means that anti-forensic splitter
+ cannot properly work (there is filesystem allocation layer between
+ header and disk).
+
+* Support --allow-discards option to allow discards/TRIM requests.
+
+ Since kernel 3.1, dm-crypt devices optionally (not by default) support
+ block discards (TRIM) commands.
+ If you want to enable this operation, you have to enable it manually
+ on every activation using --allow-discards
+
+ cryptsetup luksOpen --allow-discards /dev/sdb test_disk
+
+ WARNING: There are several security consequences, please read at least
+ http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
+ before you enable it.
+
+* Add --shared option for creating non-overlapping crypt segments.
+
+ The --shared options checks that mapped segments are not overlapping
+ and allows non-exclusive access to underlying device.
+ Only plain crypt devices can be used in this mode.
+
+ Example - map 64M of device disk and following 32 M area as another disk.
+
+ cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536
+ cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared
+
+ (It can be used to simulate trivial hidden disk concepts.)
+
+libcryptsetup API changes:
+ * Added options to support detached metadata device
+ crypt_init_by_name_and_header()
+ crypt_set_data_device()
+ * Add crypt_last_error() API call.
+ * Fix plain crypt format parameters to include size option.
+ * Add crypt_get_iv_offset() function.
+
+ * Remove old API functions (all functions using crypt_options).
+
+* Support key-slot option for luksOpen (use only explicit keyslot).
+
+ You can now specify key slot in luksOpen and limit checking
+ only to specified slot.
+
+* Support retries and timeout parameters for luksSuspend.
+ (The same way as in luksOpen.)
+
+* Add doxygen-like documentation (it will be available on project page later).
+ (To generate it manually run doxygen in docs directory.)
+
+Other changes
+~~~~~~~~~~~~~
+* Fix crypt_load to properly check device size.
+* Do not allow context format of already formatted device.
+* Do not allow key retrieval while suspended (key could be wiped).
+* Do not allow suspend for non-LUKS devices.
+* Fix luksKillSLot exit code if slot is inactive or invalid.
+* Fix exit code if passphrases do not match in luksAddKey.
+* Fix return code for status command when device doesn't exists.
+* Fix verbose messages in isLuks command.
+* Support Nettle 2.4 crypto backend (supports ripemd160).
+* Add LUKS on-disk format description into package.
+* Enhance check of device size before writing LUKS header.
+* Add more paranoid checks for LUKS header and keyslot attributes.
+* Use new /dev/loop-control (kernel 3.1) if possible.
+* Remove hash/hmac restart from crypto backend and make it part of hash/hmac final.
+* Improve check for invalid offset and size values.
+* Revert default initialisation of volume key in crypt_init_by_name().
+* Add more regression tests.
+* Add some libcryptsetup example files (see docs/examples).