diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
commit | 1660d4b7a65d9ad2ce0deaa19d35579ca4084ac5 (patch) | |
tree | 6cf8220b628ebd2ccfc1375dd6516c6996e9abcc /docs/v1.3.0-ReleaseNotes | |
parent | Initial commit. (diff) | |
download | cryptsetup-upstream.tar.xz cryptsetup-upstream.zip |
Adding upstream version 2:2.6.1.upstream/2%2.6.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs/v1.3.0-ReleaseNotes')
-rw-r--r-- | docs/v1.3.0-ReleaseNotes | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/docs/v1.3.0-ReleaseNotes b/docs/v1.3.0-ReleaseNotes new file mode 100644 index 0000000..b7ae977 --- /dev/null +++ b/docs/v1.3.0-ReleaseNotes @@ -0,0 +1,101 @@ +Cryptsetup 1.3.0 Release Notes +============================== + +Changes since version 1.2.0 + +Important changes +~~~~~~~~~~~~~~~~~ + * Several userspace crypto backends support + + cryptsetup now supports generic crypto backend interface which allows + compile package with various crypto libraries, these are already implemented: + + * gcrypt (default, used in previous versions) + * OpenSSL + * NSS (because of missing ripemd160 it cannot provide full backward compatibility) + * kernel userspace API (provided by kernel 2.6.38 and above) + (Note that kernel userspace backend is very slow for this type of operation. + But it can be useful for embedded systems, because you can avoid userspace + crypto library completely.) + + Backend is selected during configure time, using --with-crypto_backend option. + + configure --with-crypto_backend=BACKEND (gcrypt/openssl/nss/kernel) [gcrypt] + + Note that performance checked (iterations) in LUKS header will cause that + real iteration time will differ with different backends. + (There are huge differences in speed between libraries.) + + * Cryptsetup now automatically allocates loopback device (/dev/loop) if device + argument is file and not plain device. + + This require Linux kernel 2.6.25 and above (which implements loop autoclear flag). + + You can see backing file in cryptsetup status output if underlying device is loopback. + + * Introduce maximum default keyfile size, add configure option, visible in --help. + + Cryptsetup now fails if read from keyfile exceeds internal limit. + You can always specify keyfile size (overrides limit) by using --keyfile-size option. + + * Adds luksChangeKey command + + cryptestup luksChangeKey --key-file <old keyfile> <new keyfile> [--key-slot X] + cryptestup luksChangeKey [--key-slot X] (for passphrase change) + + This command allows passphrase/keyfile change in one step. If no key slot is + specified (and there is still free key slot on device) new slot is allocated before + the old is purged. + + If --key-slot option is specified (or there is no free slot) command will overwrite + existing slot. + WARNING: Be sure you have another slot active or header backup when using explicit + key slot (so you can unlock the device even after possible media failure). + + * Adds compatible support for loop-AES encryption type in loopaesOpen command. + + Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping + (including multi-key and special CBC mode, all three modes are supported). + + If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can + access loop-AES volume using + cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file> + + If you are using GPG encrypted keyfile + gpg --decrypt <key-file> | cryptsetup loopaesOpen --key-file=- <device> <name> + + Do not forget to specify key size. Version and hash is automatically detected + according to number of lines in key file. For special configuration you can + override IV sector offset using --skip option, device offset with --offset + and hash algorithm using --hash, see man page for details. + + Please note that loopAES dm-crypt mode is provided for compatibility reasons + (so you do not need to patch kernel and util-linux to map existing volumes) + but it is not, and never will be, optimized for speed. + It is experimental feature for now. + + * Require the whole key read from keyfile in create command (regression in 1.2.0). + + * WARNING: This is the last cryptsetup release which supports library with + old API (using struct crypt_options). + These calls are deprecated since 1.1.0 and AFAIK no application + is using it in recent distros. Removing compatible code will allow + new features to be implemented easily. + +Other changes +~~~~~~~~~~~~~ + * Lock memory also in luksDump command. + * Fix return code when passphrase is read from pipe. + * Increase libcryptsetup version (loopAES change), still fully backward compatible. + * Fixes static build (--disable-static-cryptsetup now works properly). + * Supports secure data flag for device-mapper ioctl (will be in 2.6.39, + forcing kernel to wipe all ioctl buffers with possible key data). + To enable this flag you need new device-mapper library, in LVM2 2.02.84. + * Add copyright texts into some files and adds GPL exception allowing + to distribute resulting binaries linked with OpenSSL. + * Update FAQ. + * Fix message when locking memory fails. + * Fix luksAddKey return code if master key is used. + * Update some text files in distributions. + * Add docs directory with Release Notes archive. + * Do not hardcode loopback device name in tests, use internal loopback library. |