summaryrefslogtreecommitdiffstats
path: root/docs/v1.1.0-ReleaseNotes
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 17:44:12 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 17:44:12 +0000
commit1be69c2c660b70ac2f4de2a5326e27e3e60eb82d (patch)
treebb299ab6f411f4fccd735907035de710e4ec6abc /docs/v1.1.0-ReleaseNotes
parentInitial commit. (diff)
downloadcryptsetup-1be69c2c660b70ac2f4de2a5326e27e3e60eb82d.tar.xz
cryptsetup-1be69c2c660b70ac2f4de2a5326e27e3e60eb82d.zip
Adding upstream version 2:2.3.7.upstream/2%2.3.7upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs/v1.1.0-ReleaseNotes')
-rw-r--r--docs/v1.1.0-ReleaseNotes110
1 files changed, 110 insertions, 0 deletions
diff --git a/docs/v1.1.0-ReleaseNotes b/docs/v1.1.0-ReleaseNotes
new file mode 100644
index 0000000..7ee6dea
--- /dev/null
+++ b/docs/v1.1.0-ReleaseNotes
@@ -0,0 +1,110 @@
+Cryptsetup 1.1.0 Release Notes
+==============================
+
+Changes since version 1.0.7
+----------------------------
+
+Important changes:
+~~~~~~~~~~~~~~~~~~
+
+ * IMPORTANT: the default compiled-in cipher parameters changed
+ plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!).
+ LUKS mode: aes-cbc-essiv:sha256 (only key size increased)
+ In both modes is now default key size 256bits.
+
+ * Default compiled-in parameters are now configurable through configure options:
+ --with-plain-* / --with-luks1-* (see configure --help)
+
+ * If you need backward compatible defaults for distribution use
+ configure --with-plain-mode=cbc-plain --with-luks1-keybits=128
+
+ Default compiled-in modes are printed in "cryptsetup --help" output.
+
+ * Change in iterations count (LUKS):
+ The slot and key digest iteration minimum count is now 1000.
+ The key digest iteration count is calculated from iteration time (approx 1/8 of req. time).
+ For more info about above items see discussion here: http://tinyurl.com/yaug97y
+
+ * New libcryptsetup API (documented in libcryptsetup.h).
+
+ The old API (using crypt_options struct) is still available but will remain
+ frozen and not used for new functions.
+ Soname of library changed to libcryptsetup.so.1.0.0.
+ (But only recompilation should be needed for old programs.)
+
+ The new API provides much more flexible operation over LUKS device for
+ applications, it is preferred that new applications will use libcryptsetup
+ and not wrapper around cryptsetup binary.
+
+ * New luksHeaderBackup and luksHeaderRestore commands.
+
+ These commands allows binary backup of LUKS header.
+ Please read man page about possible security issues with backup files.
+
+ * New luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase).
+
+ luksSuspend wipe encryption key in kernel memory and set device to suspend
+ (blocking all IO) state. This option can be used for situations when you need
+ temporary wipe encryption key (like suspend to RAM etc.)
+ Please read man page for more information.
+
+ * New --master-key-file option for luksFormat and luksAddKey.
+
+ User can now specify pre-generated master key in file, which allows regenerating
+ LUKS header or add key with only master key knowledge.
+
+ * Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option.
+
+ Please note that using different hash for LUKS header make device incompatible with
+ old cryptsetup releases.
+
+ * Introduces --debug parameter.
+
+ Use when reporting bugs (just run cryptsetup with --debug and attach output
+ to issue report.) Sensitive data are never printed to this log.
+
+ * Moves command successful messages to verbose level.
+
+ * Requires device-mapper library and libgcrypt to build.
+
+ * Uses dm-uuid for all crypt devices, contains device type and name now.
+
+ * Removes support for dangerous non-exclusive option
+ (it is ignored now, LUKS device must be always opened exclusive)
+
+Other changes:
+~~~~~~~~~~~~~~
+ * Fixed localization to work again. Also cryptsetup is now translated by translationproject.org.
+ * Fix some libcryptsetup problems, including
+ * exported symbols and versions in libcryptsetup (properly use versioned symbols)
+ * Add crypt_log library function.
+ * Add CRYPT_ prefix to enum defined in libcryptsetup.h.
+ * Move duplicate Command failed message to verbose level (error is printed always).
+ * Fix several problems in build system
+ * use autopoint and clean gettext processing.
+ * Check in configure if selinux libraries are required in static version.
+ * Fix build for non-standard location of gcrypt library.
+ * Add temporary debug code to find processes locking internal device.
+ * Fix error handling during reading passphrase.
+ * Fail passphrase read if piped input no longer exists.
+ * Fix man page to not require --size which expands to device size by default.
+ * Clean up Makefiles and configure script.
+ * Try to read first sector from device to properly check that device is ready.
+ * Move memory locking and dm initialization to command layer.
+ * Increase priority of process if memory is locked.
+ * Add log macros and make logging more consistent.
+ * Keyfile now must be provided by path, only stdin file descriptor is used (api only).
+ * Do not call isatty() on closed keyfile descriptor.
+ * Move key slot manipulation function into LUKS specific code.
+ * Replace global options struct with separate parameters in helper functions.
+ * Implement old API calls using new functions.
+ * Allow using passphrase provided in options struct for LuksOpen.
+ * Allow restrict keys size in LuksOpen.
+ * Fix errors when compiled with LUKS_DEBUG.
+ * Print error when getline fails.
+ * Completely remove internal SHA1 implementation code, not needed anymore.
+ * Pad luks header to 512 sector size.
+ * Rework read/write blockwise to not split operation to many pieces.
+ * Use posix_memalign if available.
+ * Fix segfault if provided slot in luksKillslot is invalid.
+ * Remove unneeded timeout when remove of temporary device succeeded.