diff options
Diffstat (limited to 'docs/v1.4.0-ReleaseNotes')
-rw-r--r-- | docs/v1.4.0-ReleaseNotes | 131 |
1 files changed, 131 insertions, 0 deletions
diff --git a/docs/v1.4.0-ReleaseNotes b/docs/v1.4.0-ReleaseNotes new file mode 100644 index 0000000..bef4e74 --- /dev/null +++ b/docs/v1.4.0-ReleaseNotes @@ -0,0 +1,131 @@ +Cryptsetup 1.4.0 Release Notes +============================== + +Changes since version 1.3.1 + +Important changes +~~~~~~~~~~~~~~~~~ + +WARNING: This release removes old deprecated API from libcryptsetup + (all functions using struct crypt_options). + + This require libcrypsetup version change and + rebuild of applications using cryptsetup library. + All new API symbols are backward compatible. + +* If device is not rotational disk, cryptsetup no longer tries + to wipe keyslot with Gutmann algorithm for magnetic media erase + but simply rewrites area once by random data. + +* The on-disk LUKS header can now be detached (e.g. placed on separate + device or in file) using new --header option. + + This option is only relevant for LUKS devices and can be used in + luksFormat, luksOpen, luksSuspend, luksResume and resize commands. + + If used with luksFormat the --align-payload option is taken + as absolute sector alignment on ciphertext device and can be zero. + + Example: + Create LUKS device with ciphertext device on /dev/sdb and header + on device /dev/sdc. Use all space on /dev/sdb (no reserved area for header). + + cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0 + + Activate such device: + cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk + + You can use file for LUKS header (loop device will be used while + manipulating with such detached header), just you have to create + large enough file in advance. + + dd if=/dev/zero of=/mnt/luks_header bs=1M count=4 + cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0 + + Activation is the same as above. + + cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk + + All keyslot operations need to be run on _header_ not on ciphertext device, + an example: + + cryptsetup luksAddKey /mnt/luks_header + + If you do not use --align-payload 0, you can later restore LUKS header + on device itself (and use it as normal LUKS device without detached header). + + WARNING: There is no possible check that specified ciphertext device + matches detached on-disk header. Use with care, it can destroy + your data in case of a mistake. + + WARNING: Storing LUKS header in a file means that anti-forensic splitter + cannot properly work (there is filesystem allocation layer between + header and disk). + +* Support --allow-discards option to allow discards/TRIM requests. + + Since kernel 3.1, dm-crypt devices optionally (not by default) support + block discards (TRIM) commands. + If you want to enable this operation, you have to enable it manually + on every activation using --allow-discards + + cryptsetup luksOpen --allow-discards /dev/sdb test_disk + + WARNING: There are several security consequences, please read at least + http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html + before you enable it. + +* Add --shared option for creating non-overlapping crypt segments. + + The --shared options checks that mapped segments are not overlapping + and allows non-exclusive access to underlying device. + Only plain crypt devices can be used in this mode. + + Example - map 64M of device disk and following 32 M area as another disk. + + cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536 + cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared + + (It can be used to simulate trivial hidden disk concepts.) + +libcryptsetup API changes: + * Added options to support detached metadata device + crypt_init_by_name_and_header() + crypt_set_data_device() + * Add crypt_last_error() API call. + * Fix plain crypt format parameters to include size option. + * Add crypt_get_iv_offset() function. + + * Remove old API functions (all functions using crypt_options). + +* Support key-slot option for luksOpen (use only explicit keyslot). + + You can now specify key slot in luksOpen and limit checking + only to specified slot. + +* Support retries and timeout parameters for luksSuspend. + (The same way as in luksOpen.) + +* Add doxygen-like documentation (it will be available on project page later). + (To generate it manually run doxygen in docs directory.) + +Other changes +~~~~~~~~~~~~~ +* Fix crypt_load to properly check device size. +* Do not allow context format of already formatted device. +* Do not allow key retrieval while suspended (key could be wiped). +* Do not allow suspend for non-LUKS devices. +* Fix luksKillSLot exit code if slot is inactive or invalid. +* Fix exit code if passphrases do not match in luksAddKey. +* Fix return code for status command when device doesn't exists. +* Fix verbose messages in isLuks command. +* Support Nettle 2.4 crypto backend (supports ripemd160). +* Add LUKS on-disk format description into package. +* Enhance check of device size before writing LUKS header. +* Add more paranoid checks for LUKS header and keyslot attributes. +* Use new /dev/loop-control (kernel 3.1) if possible. +* Remove hash/hmac restart from crypto backend and make it part of hash/hmac final. +* Improve check for invalid offset and size values. +* Revert default initialisation of volume key in crypt_init_by_name(). +* Add more regression tests. +* Add some libcryptsetup example files (see docs/examples). |