diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 17:44:12 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 17:44:12 +0000 |
commit | 1be69c2c660b70ac2f4de2a5326e27e3e60eb82d (patch) | |
tree | bb299ab6f411f4fccd735907035de710e4ec6abc /docs/v1.1.0-ReleaseNotes | |
parent | Initial commit. (diff) | |
download | cryptsetup-1be69c2c660b70ac2f4de2a5326e27e3e60eb82d.tar.xz cryptsetup-1be69c2c660b70ac2f4de2a5326e27e3e60eb82d.zip |
Adding upstream version 2:2.3.7.upstream/2%2.3.7upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs/v1.1.0-ReleaseNotes')
-rw-r--r-- | docs/v1.1.0-ReleaseNotes | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/docs/v1.1.0-ReleaseNotes b/docs/v1.1.0-ReleaseNotes new file mode 100644 index 0000000..7ee6dea --- /dev/null +++ b/docs/v1.1.0-ReleaseNotes @@ -0,0 +1,110 @@ +Cryptsetup 1.1.0 Release Notes +============================== + +Changes since version 1.0.7 +---------------------------- + +Important changes: +~~~~~~~~~~~~~~~~~~ + + * IMPORTANT: the default compiled-in cipher parameters changed + plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!). + LUKS mode: aes-cbc-essiv:sha256 (only key size increased) + In both modes is now default key size 256bits. + + * Default compiled-in parameters are now configurable through configure options: + --with-plain-* / --with-luks1-* (see configure --help) + + * If you need backward compatible defaults for distribution use + configure --with-plain-mode=cbc-plain --with-luks1-keybits=128 + + Default compiled-in modes are printed in "cryptsetup --help" output. + + * Change in iterations count (LUKS): + The slot and key digest iteration minimum count is now 1000. + The key digest iteration count is calculated from iteration time (approx 1/8 of req. time). + For more info about above items see discussion here: http://tinyurl.com/yaug97y + + * New libcryptsetup API (documented in libcryptsetup.h). + + The old API (using crypt_options struct) is still available but will remain + frozen and not used for new functions. + Soname of library changed to libcryptsetup.so.1.0.0. + (But only recompilation should be needed for old programs.) + + The new API provides much more flexible operation over LUKS device for + applications, it is preferred that new applications will use libcryptsetup + and not wrapper around cryptsetup binary. + + * New luksHeaderBackup and luksHeaderRestore commands. + + These commands allows binary backup of LUKS header. + Please read man page about possible security issues with backup files. + + * New luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase). + + luksSuspend wipe encryption key in kernel memory and set device to suspend + (blocking all IO) state. This option can be used for situations when you need + temporary wipe encryption key (like suspend to RAM etc.) + Please read man page for more information. + + * New --master-key-file option for luksFormat and luksAddKey. + + User can now specify pre-generated master key in file, which allows regenerating + LUKS header or add key with only master key knowledge. + + * Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option. + + Please note that using different hash for LUKS header make device incompatible with + old cryptsetup releases. + + * Introduces --debug parameter. + + Use when reporting bugs (just run cryptsetup with --debug and attach output + to issue report.) Sensitive data are never printed to this log. + + * Moves command successful messages to verbose level. + + * Requires device-mapper library and libgcrypt to build. + + * Uses dm-uuid for all crypt devices, contains device type and name now. + + * Removes support for dangerous non-exclusive option + (it is ignored now, LUKS device must be always opened exclusive) + +Other changes: +~~~~~~~~~~~~~~ + * Fixed localization to work again. Also cryptsetup is now translated by translationproject.org. + * Fix some libcryptsetup problems, including + * exported symbols and versions in libcryptsetup (properly use versioned symbols) + * Add crypt_log library function. + * Add CRYPT_ prefix to enum defined in libcryptsetup.h. + * Move duplicate Command failed message to verbose level (error is printed always). + * Fix several problems in build system + * use autopoint and clean gettext processing. + * Check in configure if selinux libraries are required in static version. + * Fix build for non-standard location of gcrypt library. + * Add temporary debug code to find processes locking internal device. + * Fix error handling during reading passphrase. + * Fail passphrase read if piped input no longer exists. + * Fix man page to not require --size which expands to device size by default. + * Clean up Makefiles and configure script. + * Try to read first sector from device to properly check that device is ready. + * Move memory locking and dm initialization to command layer. + * Increase priority of process if memory is locked. + * Add log macros and make logging more consistent. + * Keyfile now must be provided by path, only stdin file descriptor is used (api only). + * Do not call isatty() on closed keyfile descriptor. + * Move key slot manipulation function into LUKS specific code. + * Replace global options struct with separate parameters in helper functions. + * Implement old API calls using new functions. + * Allow using passphrase provided in options struct for LuksOpen. + * Allow restrict keys size in LuksOpen. + * Fix errors when compiled with LUKS_DEBUG. + * Print error when getline fails. + * Completely remove internal SHA1 implementation code, not needed anymore. + * Pad luks header to 512 sector size. + * Rework read/write blockwise to not split operation to many pieces. + * Use posix_memalign if available. + * Fix segfault if provided slot in luksKillslot is invalid. + * Remove unneeded timeout when remove of temporary device succeeded. |