diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 17:44:12 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 17:44:12 +0000 |
commit | 1be69c2c660b70ac2f4de2a5326e27e3e60eb82d (patch) | |
tree | bb299ab6f411f4fccd735907035de710e4ec6abc /docs | |
parent | Initial commit. (diff) | |
download | cryptsetup-1be69c2c660b70ac2f4de2a5326e27e3e60eb82d.tar.xz cryptsetup-1be69c2c660b70ac2f4de2a5326e27e3e60eb82d.zip |
Adding upstream version 2:2.3.7.upstream/2%2.3.7upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs')
58 files changed, 6325 insertions, 0 deletions
diff --git a/docs/ChangeLog.old b/docs/ChangeLog.old new file mode 100644 index 0000000..7a4027c --- /dev/null +++ b/docs/ChangeLog.old @@ -0,0 +1,887 @@ +2012-12-21 Milan Broz <gmazyland@gmail.com> + * Since version 1.6 This file is no longer maintained. + * See version control log http://code.google.com/p/cryptsetup/source/list + +2012-10-11 Milan Broz <gmazyland@gmail.com> + * Added keyslot checker (by Arno Wagner). + * Version 1.5.1. + +2012-09-11 Milan Broz <gmazyland@gmail.com> + * Add crypt_keyslot_area() API call. + +2012-08-27 Milan Broz <gmazyland@gmail.com> + * Optimize seek to keyfile-offset (Issue #135, thx to dreisner). + * Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers. + +2012-08-12 Milan Broz <gmazyland@gmail.com> + * Allocate loop device late (only when real block device needed). + * Rework underlying device/file access functions. + * Create hash image if doesn't exist in veritysetup format. + * Provide better error message if running as non-root user (device-mapper, loop). + +2012-07-10 Milan Broz <gmazyland@gmail.com> + * Version 1.5.0. + +2012-06-25 Milan Broz <gmazyland@gmail.com> + * Add --device-size option for reencryption tool. + * Switch to use unit suffix for --reduce-device-size option. + * Remove open device debugging feature (no longer needed). + * Fix library name for FIPS check. + +2012-06-20 Milan Broz <gmazyland@gmail.com> + * Version 1.5.0-rc2. + +2012-06-18 Milan Broz <gmazyland@gmail.com> + * Introduce cryptsetup-reencrypt - experimental offline LUKS reencryption tool. + * Fix luks-header-from-active script (do not use LUKS header on-disk, add UUID). + * Add --test-passphrase option for luksOpen (check passphrase only). + +2012-06-11 Milan Broz <gmazyland@gmail.com> + * Introduce veritysetup for dm-verity target management. + * Version 1.5.0-rc1. + +2012-06-10 Milan Broz <gmazyland@gmail.com> + * Both data and header device can now be a file. + * Loop is automatically allocated in crypt_set_data_device(). + * Require only up to last keyslot area for header device (ignore data offset). + * Fix header backup and restore to work on files with large data offset. + +2012-05-27 Milan Broz <gmazyland@gmail.com> + * Fix readonly activation if underlying device is readonly (1.4.0). + * Include stddef.h in libdevmapper.h (size_t definition). + * Version 1.4.3. + +2012-05-21 Milan Broz <gmazyland@gmail.com> + * Add --enable-fips for linking with fipscheck library. + * Initialize binary and library selfcheck if running in FIPS mode. + * Use FIPS RNG in FIPS mode for KEY and SALT (only gcrypt backend supported). + +2012-05-09 Milan Broz <gmazyland@gmail.com> + * Fix keyslot removal (wipe keyslot) for device with 4k hw block (1.4.0). + * Allow empty cipher (cipher_null) for testing. + +2012-05-02 Milan Broz <gmazyland@gmail.com> + * Fix loop mapping on readonly file. + * Relax --shared test, allow mapping even for overlapping segments. + * Support shared flag for LUKS devices (dangerous). + * Switch on retry on device remove for libdevmapper. + * Allow "private" activation (skip some udev global rules) flag. + +2012-04-09 Milan Broz <gmazyland@gmail.com> + * Fix header check to support old (cryptsetup 1.0.0) header alignment. (1.4.0) + * Version 1.4.2. + +2012-03-16 Milan Broz <gmazyland@gmail.com> + * Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI. + * Add repair command and crypt_repair() for known LUKS metadata problems repair. + * Allow to specify --align-payload only for luksFormat. + +2012-03-16 Milan Broz <mbroz@redhat.com> + * Unify password verification option. + * Support password verification with quiet flag if possible. (1.2.0) + * Fix retry if entered passphrases (with verify option) do not match. + * Support UUID=<LUKS_UUID> format for device specification. + +2012-02-11 Milan Broz <mbroz@redhat.com> + * Add --master-key-file option to luksOpen (open using volume key). + +2012-01-12 Milan Broz <mbroz@redhat.com> + * Fix use of empty keyfile. + +2011-11-13 Milan Broz <mbroz@redhat.com> + * Fix error message for luksClose and detached LUKS header. + * Allow --header for status command to get full info with detached header. + +2011-11-09 Milan Broz <mbroz@redhat.com> + * Version 1.4.1. + +2011-11-05 Milan Broz <mbroz@redhat.com> + * Merge pycryptsetup (Python libcryptsetup bindings). + * Fix stupid typo in set_iteration_time API call. + * Fix cryptsetup status output if parameter is device path. + +2011-10-27 Milan Broz <mbroz@redhat.com> + * Fix crypt_get_volume_key_size() for plain device. + * Fix FSF address in license text. + +2011-10-25 Milan Broz <mbroz@redhat.com> + * Print informative message in isLuks only in verbose mode. + * Version 1.4.0. + +2011-10-10 Milan Broz <mbroz@redhat.com> + * Version 1.4.0-rc1. + +2011-10-05 Milan Broz <mbroz@redhat.com> + * Support Nettle 2.4 crypto backend (for ripemd160). + * If device is not rotational, do not use Gutmann wipe method. + * Add crypt_last_error() API call. + * Fix luksKillSLot exit code if slot is inactive or invalid. + * Fix exit code if passphrases do not match in luksAddKey. + * Add LUKS on-disk format description into package. + +2011-09-22 Milan Broz <mbroz@redhat.com> + * Support key-slot option for luksOpen (use only explicit keyslot). + +2011-08-22 Milan Broz <mbroz@redhat.com> + * Add more paranoid checks for LUKS header and keyslot attributes. + * Fix crypt_load to properly check device size. + * Use new /dev/loop-control (kernel 3.1) if possible. + * Enhance check of device size before writing LUKS header. + * Do not allow context format of already formatted device. + +2011-07-25 Milan Broz <mbroz@redhat.com> + * Remove hash/hmac restart from crypto backend and make it part of hash/hmac final. + * Improve check for invalid offset and size values. + +2011-07-19 Milan Broz <mbroz@redhat.com> + * Revert default initialisation of volume key in crypt_init_by_name(). + * Do not allow key retrieval while suspended (key could be wiped). + * Do not allow suspend for non-LUKS devices. + * Support retries and timeout parameters for luksSuspend. + * Add --header option for detached metadata (on-disk LUKS header) device. + * Add crypt_init_by_name_and_header() and crypt_set_data_device() to API. + * Allow different data offset setting for detached header. + +2011-07-07 Milan Broz <mbroz@redhat.com> + * Remove old API functions (all functions using crypt_options). + * Add --enable-discards option to allow discards/TRIM requests. + * Add crypt_get_iv_offset() function to API. + +2011-07-01 Milan Broz <mbroz@redhat.com> + * Add --shared option for creating non-overlapping crypt segments. + * Add shared flag to libcryptsetup api. + * Fix plain crypt format parameters to include size option (API change). + +2011-06-08 Milan Broz <mbroz@redhat.com> + * Fix return code for status command when device doesn't exists. + +2011-05-24 Milan Broz <mbroz@redhat.com> + * Version 1.3.1. + +2011-05-17 Milan Broz <mbroz@redhat.com> + * Fix keyfile=- processing in create command (1.3.0). + * Simplify device path status check. + +2011-05-03 Milan Broz <mbroz@redhat.com> + * Do not ignore size argument for create command (1.2.0). + +2011-04-18 Milan Broz <mbroz@redhat.com> + * Fix error paths in blockwise code and lseek_write call. + * Add Nettle crypto backend support. + +2011-04-05 Milan Broz <mbroz@redhat.com> + * Version 1.3.0. + +2011-03-22 Milan Broz <mbroz@redhat.com> + * Also support --skip and --hash option for loopaesOpen. + * Fix return code when passphrase is read from pipe. + * Document cryptsetup exit codes. + +2011-03-18 Milan Broz <mbroz@redhat.com> + * Respect maximum keyfile size parameter. + * Introduce maximum default keyfile size, add configure option. + * Require the whole key read from keyfile in create command (broken in 1.2.0). + * Fix offset option for loopaesOpen. + * Lock memory also in luksDump command. + * Version 1.3.0-rc2. + +2011-03-14 Milan Broz <mbroz@redhat.com> + * Version 1.3.0-rc1. + +2011-03-11 Milan Broz <mbroz@redhat.com> + * Add loop manipulation code and support mapping of images in file. + * Add backing device loop info into status message. + * Add luksChangeKey command. + +2011-03-05 Milan Broz <mbroz@redhat.com> + * Add exception to COPYING for binary distribution linked with OpenSSL library. + * Set secure data flag (wipe all ioctl buffers) if devmapper library supports it. + +2011-01-29 Milan Broz <mbroz@redhat.com> + * Fix mapping removal if device disappeared but node still exists. + * Fix luksAddKey return code if master key is used. + +2011-01-25 Milan Broz <mbroz@redhat.com> + * Add loop-AES handling (loopaesOpen and loopaesClose commands). + (requires kernel 2.6.38 and above) + +2011-01-05 Milan Broz <mbroz@redhat.com> + * Fix static build (--disable-static-cryptsetup now works properly). + +2010-12-30 Milan Broz <mbroz@redhat.com> + * Add compile time crypto backends implementation + (gcrypt, OpenSSL, NSS and userspace Linux kernel crypto api). + * Currently NSS is lacking ripemd160, cannot provide full plain compatibility. + * Use --with-crypto_backend=[gcrypt|openssl|nss|kernel] to configure. + +2010-12-20 Milan Broz <mbroz@redhat.com> + * Version 1.2.0. + +2010-11-25 Milan Broz <mbroz@redhat.com> + * Fix crypt_activate_by_keyfile() to work with PLAIN devices. + * Fix create command to properly handle keyfile size. + +2010-11-16 Milan Broz <mbroz@redhat.com> + * Version 1.2.0-rc1. + +2010-11-13 Milan Broz <mbroz@redhat.com> + * Fix password callback call. + * Fix default plain password entry from terminal in activate_by_passphrase. + * Add --dump-master-key option for luksDump to allow volume key dump. + * Allow to activate by internally cached volume key + (format/activate without keyslots active - used for temporary devices). + * Initialize volume key from active device in crypt_init_by_name() + * Fix cryptsetup binary exitcodes. + * Increase library version (still binary compatible with 1.1.x release). + +2010-11-01 Milan Broz <mbroz@redhat.com> + * No longer support luksDelKey, reload and --non-exclusive. + * Remove some obsolete info from man page. + * Add crypt_get_type(), crypt_resize(), crypt_keyslot_max() + and crypt_get_active_device() to API. + * Rewrite all implementations in cryptsetup to new API. + * Fix luksRemoveKey to behave as documented (do not ask + for remaining keyslot passphrase). + * Add more regression tests for commands. + * Disallow mapping of device which is already in use (mapped or mounted). + * Disallow luksFormat on device in use. + +2010-10-27 Milan Broz <mbroz@redhat.com> + * Rewrite cryptsetup luksFormat, luksOpen, luksAddKey to use new API + to allow adding new features. + * Implement --use-random and --use-urandom for luksFormat to allow + setting of RNG for volume key generator. + * Add crypt_set_rng_type() and crypt_get_rng_type() to API. + * Add crypt_set_uuid() to API. + * Allow UUID setting in luksFormat and luksUUID (--uuid parameter). + * Add --keyfile-size and --new-keyfile-size (in bytes) size and disallow overloading + of --key-size for limiting keyfile reads. + * Fix luksFormat to properly use key file with --master-key-file switch. + * Fix possible double free when handling master key file. + +2010-10-17 Milan Broz <mbroz@redhat.com> + * Add crypt_get_device_name() to API (get underlying device name). + * Change detection for static libraries. + * Fix pkg-config use in automake scripts. + * Remove --disable-shared-library switch and handle static library build + by common libtool logic (using --enable-static). + * Add --enable-static-cryptsetup option to build cryptsetup.static binary + together with shared build. + +2010-08-05 Milan Broz <mbroz@redhat.com> + * Wipe iteration and salt after KillSlot in LUKS header. + * Rewrite file differ test to C (and fix it to really work). + * Switch to 1MiB default alignment of data. + For more info see https://bugzilla.redhat.com/show_bug.cgi?id=621684 + * Do not query non-existent device twice (cryptsetup status /dev/nonexistent). + * Check if requested hash is supported before writing LUKS header. + +2010-07-28 Arno Wagner <arno@wagner.name> + * Add FAQ (Frequently Asked Questions) file to distribution. + +2010-07-03 Milan Broz <mbroz@redhat.com> + * Fix udev support for old libdevmapper with not compatible definition. + * Version 1.1.3. + +2010-06-01 Milan Broz <mbroz@redhat.com> + * Fix device alignment ioctl calls parameters. + * Fix activate_by_* API calls to handle NULL device name as documented. + +2010-05-30 Milan Broz <mbroz@redhat.com> + * Version 1.1.2. + +2010-05-27 Milan Broz <mbroz@redhat.com> + * Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile. + * Support --key-file/-d option for luksFormat. + * Fix description of --key-file and add --verbose and --debug options to man page. + * Add verbose log level and move unlocking message there. + * Remove device even if underlying device disappeared. + * Fix (deprecated) reload device command to accept new device argument. + +2010-05-23 Milan Broz <mbroz@redhat.com> + * Fix luksClose operation for stacked DM devices. + * Version 1.1.1. + +2010-05-03 Milan Broz <mbroz@redhat.com> + * Fix automatic dm-crypt module loading. + * Escape hyphens in man page. + * Version 1.1.1-rc2. + +2010-04-30 Milan Broz <mbroz@redhat.com> + * Try to use pkgconfig for device mapper library. + * Detect old dm-crypt module and disable LUKS suspend/resume. + * Fix apitest to work on older systems. + * Allow no hash specification in plain device constructor. + * Fix luksOpen reading of passphrase on stdin (if "-" keyfile specified). + * Fix isLuks to initialise crypto backend (blkid instead is suggested anyway). + * Version 1.1.1-rc1. + +2010-04-12 Milan Broz <mbroz@redhat.com> + * Fix package config to use proper package version. + * Avoid class C++ keyword in library header. + * Detect and use devmapper udev support if available (disable by --disable-udev). + +2010-04-06 Milan Broz <mbroz@redhat.com> + * Prefer some device paths in status display. + * Support device topology detectionfor data alignment. + +2010-02-25 Milan Broz <mbroz@redhat.com> + * Do not verify unlocking passphrase in luksAddKey command. + * Properly initialise crypto backend in header backup/restore commands. + +2010-01-17 Milan Broz <mbroz@redhat.com> + * If gcrypt compiled with capabilities, document workaround for cryptsetup (see lib/gcrypt.c). + * Version 1.1.0. + +2010-01-10 Milan Broz <mbroz@redhat.com> + * Fix initialisation of gcrypt during luksFormat. + * Convert hash name to lower case in header (fix sha1 backward compatible header) + * Check for minimum required gcrypt version. + +2009-12-30 Milan Broz <mbroz@redhat.com> + * Fix key slot iteration count calculation (small -i value was the same as default). + * The slot and key digest iteration minimum is now 1000. + * The key digest iteration # is calculated from iteration time (approx 1/8 of that). + * Version 1.1.0-rc4. + +2009-12-11 Milan Broz <mbroz@redhat.com> + * Fix error handling during reading passhrase. + +2009-12-01 Milan Broz <mbroz@redhat.com> + * Allow changes of default compiled-in cipher parameters through configure. + * Switch default key size for LUKS to 256bits. + * Switch default plain mode to aes-cbc-essiv:sha256 (default is backward incompatible!). + +2009-11-14 Milan Broz <mbroz@redhat.com> + * Add CRYPT_ prefix to enum defined in libcryptsetup.h. + * Fix status call to fail when running as non-root user. + * Check in configure if selinux libraries are required in static version. + * Add temporary debug code to find processes locking internal device. + * Simplify build system, use autopoint and clean gettext processing. + * Use proper NLS macros and detection (so the message translation works again). + * Version 1.1.0-rc3. + +2009-09-30 Milan Broz <mbroz@redhat.com> + * Fix exported symbols and versions in libcryptsetup. + * Do not use internal lib functions in cryptsetup. + * Add crypt_log to library. + * Fix crypt_remove_device (remove, luksClose) implementation. + * Move dm backend initialisation to library calls. + * Move duplicate Command failed message to verbose level (error is printed always). + * Add some password and used algorithms notes to man page. + * Version 1.1.0-rc2. + +2009-09-28 Milan Broz <mbroz@redhat.com> + * Add luksHeaderBackup and luksHeaderRestore commands. + * Fail passphrase read if piped input no longer exists. + * Version 1.1.0-rc1. + +2009-09-15 Milan Broz <mbroz@redhat.com> + * Initialize crypto library before LUKS header load. + * Fix manpage to not require --size which expands to device size by default. + +2009-09-10 Milan Broz <mbroz@redhat.com> + * Clean up Makefiles and configure script. + * Version 1.1.0-test0. + +2009-09-08 Milan Broz <mbroz@redhat.com> + * Use dm-uuid for all crypt devices, contains device type and name now. + * Try to read first sector from device to properly check that device is ready. + +2009-09-02 Milan Broz <mbroz@redhat.com> + * Add luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase). + +2009-08-30 Milan Broz <mbroz@redhat.com> + * Require device device-mapper to build and do not use backend wrapper for dm calls. + * Move memory locking and dm initialization to command layer. + * Increase priority of process if memory is locked. + * Add log macros and make logging more consistent. + * Move command successful messages to verbose level. + * Introduce --debug parameter. + * Move device utils code and provide context parameter (for log). + * Keyfile now must be provided by path, only stdin file descriptor is used (api only). + * Do not call isatty() on closed keyfile descriptor. + * Run performance check for PBKDF2 from LUKS code, do not mix hash algorithms results. + * Add ability to provide pre-generated master key and UUID in LUKS header format. + * Add LUKS function to verify master key digest. + * Move key slot manipulation function into LUKS specific code. + * Replace global options struct with separate parameters in helper functions. + * Add new libcryptsetup API (documented in libcryptsetup.h). + * Implement old API calls using new functions. + * Remove old API code helper functions. + * Add --master-key-file option for luksFormat and luksAddKey. + +2009-08-17 Milan Broz <mbroz@redhat.com> + * Fix PBKDF2 speed calculation for large passphrases. + * Allow using passphrase provided in options struct for LuksOpen. + * Allow restrict keys size in LuksOpen. + +2009-07-30 Milan Broz <mbroz@redhat.com> + * Fix errors when compiled with LUKS_DEBUG. + * Print error when getline fails. + * Remove po/cryptsetup-luks.pot, it's autogenerated. + * Return ENOENT for empty keyslots, EINVAL will be used later for other type of error. + * Switch PBKDF2 from internal SHA1 to libgcrypt, make hash algorithm not hardcoded to SHA1 here. + * Add required parameters for changing hash used in LUKS key setup scheme. + * Do not export simple XOR helper now used only inside AF functions. + * Completely remove internal SHA1 implementation code, not needed anymore. + * Enable hash algorithm selection for LUKS through -h luksFormat option. + +2009-07-28 Milan Broz <mbroz@redhat.com> + * Pad luks header to 512 sector size. + * Rework read/write blockwise to not split operation to many pieces. + * Use posix_memalign if available. + +2009-07-22 Milan Broz <mbroz@redhat.com> + * Fix segfault if provided slot in luksKillslot is invalid. + * Remove unneeded timeout when remove of temporary device succeeded. + +2009-07-22 Milan Broz <mbroz@redhat.com> + * version 1.0.7 + +2009-07-16 Milan Broz <mbroz@redhat.com> + * Allow removal of last slot in luksRemoveKey and luksKillSlot. + +2009-07-11 Milan Broz <mbroz@redhat.com> + + * Add --disable-selinux option and fix static build if selinux is required. + * Reject unsupported --offset and --skip options for luksFormat and update man page. + +2009-06-22 Milan Broz <mbroz@redhat.com> + + * Summary of changes in subversion for 1.0.7-rc1: + * Various man page fixes. + * Set UUID in device-mapper for LUKS devices. + * Retain readahead of underlying device. + * Display device name when asking for password. + * Check device size when loading LUKS header. Remove misleading error message later. + * Add error hint if dm-crypt mapping failed. + * Use better error messages if device doesn't exist or is already used by other mapping. + * Fix make distcheck. + * Check if all slots are full during luksAddKey. + * Fix segfault in set_error. + * Code cleanups, remove precompiled pot files, remove unnecessary files from po directory + * Fix uninitialized return value variable in setup.c. + * Code cleanups. (thanks to Ivan Stankovic) + * Fix wrong output for remaining key at key deletion. + * Allow deletion of key slot while other keys have the same key information. + * Add missing AM_PROG_CC_C_O to configure.in + * Remove duplicate sentence in man page. + * Wipe start of device (possible fs signature) before LUKS-formatting. + * Do not process configure.in in hidden directories. + * Return more descriptive error in case of IO or header format error. + * Use remapping to error target instead of calling udevsettle for temporary crypt device. + * Check device mapper communication and warn user if device-mapper support missing in kernel. + * Fix signal handler to properly close device. + * write_lseek_blockwise: declare innerCount outside the if block. + * add -Wall to the default CFLAGS. fix some signedness issues. + * Error handling improvement. + * Add non-exclusive override to interface definition. + * Refactor key slot selection into keyslot_from_option. + +2007-05-01 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/backends.c, man/cryptsetup.8: Apply patch from Ludwig Nussel + <ludwig.nussel@suse.de>, for old SuSE compat hashing. + +2007-04-16 Clemens Fruhwirth <clemens@endorphin.org> + + * Summary of changes in subversion: + Fix segfault for key size > 32 bytes. + Kick ancient header version conversion. + Fix http://bugs.debian.org/403075 + No passwort retrying for I/O errors. + Fix hang on "-i 0". + Fix parenthesization error that prevented --tries from working + correctly. + +2006-11-28 gettextize <bug-gnu-gettext@gnu.org> + + * m4/gettext.m4: Upgrade to gettext-0.15. + * m4/glibc2.m4: New file, from gettext-0.15. + * m4/intmax.m4: New file, from gettext-0.15. + * m4/inttypes-h.m4: New file, from gettext-0.15. + * m4/inttypes-pri.m4: Upgrade to gettext-0.15. + * m4/lib-link.m4: Upgrade to gettext-0.15. + * m4/lib-prefix.m4: Upgrade to gettext-0.15. + * m4/lock.m4: New file, from gettext-0.15. + * m4/longdouble.m4: New file, from gettext-0.15. + * m4/longlong.m4: New file, from gettext-0.15. + * m4/nls.m4: Upgrade to gettext-0.15. + * m4/po.m4: Upgrade to gettext-0.15. + * m4/printf-posix.m4: New file, from gettext-0.15. + * m4/signed.m4: New file, from gettext-0.15. + * m4/size_max.m4: New file, from gettext-0.15. + * m4/visibility.m4: New file, from gettext-0.15. + * m4/wchar_t.m4: New file, from gettext-0.15. + * m4/wint_t.m4: New file, from gettext-0.15. + * m4/xsize.m4: New file, from gettext-0.15. + * m4/Makefile.am: New file. + * configure.in (AC_OUTPUT): Add m4/Makefile. + (AM_GNU_GETTEXT_VERSION): Bump to 0.15. + +2006-10-22 David Härdeman <david@hardeman.nu> + + * Allow hashing of keys passed through stdin. + +2006-10-13 Clemens Fruhwirth <clemens@endorphin.org> + + * configure.in: 1.0.4 release + +2006-10-13 Clemens Fruhwirth <clemens@endorphin.org> + + * man/cryptsetup.8: Document --tries switch; patch by Jonas + Meurer. + +2006-10-13 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/setup.c: Added terminal timeout rewrite as forwarded by + Jonas Meurer + +2006-10-04 Clemens Fruhwirth <clemens@endorphin.org> + + * Merged patch from Marc Merlin <marc@merlins.org> to allow user + selection of key slot. + +2006-09-26 gettextize <bug-gnu-gettext@gnu.org> + + * m4/codeset.m4: Upgrade to gettext-0.14.4. + * m4/gettext.m4: Upgrade to gettext-0.14.4. + * m4/glibc2.m4: New file, from gettext-0.14.4. + * m4/glibc21.m4: Upgrade to gettext-0.14.4. + * m4/iconv.m4: Upgrade to gettext-0.14.4. + * m4/intdiv0.m4: Upgrade to gettext-0.14.4. + * m4/intmax.m4: New file, from gettext-0.14.4. + * m4/inttypes.m4: Upgrade to gettext-0.14.4. + * m4/inttypes_h.m4: Upgrade to gettext-0.14.4. + * m4/inttypes-pri.m4: Upgrade to gettext-0.14.4. + * m4/isc-posix.m4: Upgrade to gettext-0.14.4. + * m4/lcmessage.m4: Upgrade to gettext-0.14.4. + * m4/lib-ld.m4: Upgrade to gettext-0.14.4. + * m4/lib-link.m4: Upgrade to gettext-0.14.4. + * m4/lib-prefix.m4: Upgrade to gettext-0.14.4. + * m4/longdouble.m4: New file, from gettext-0.14.4. + * m4/longlong.m4: New file, from gettext-0.14.4. + * m4/nls.m4: Upgrade to gettext-0.14.4. + * m4/po.m4: Upgrade to gettext-0.14.4. + * m4/printf-posix.m4: New file, from gettext-0.14.4. + * m4/progtest.m4: Upgrade to gettext-0.14.4. + * m4/signed.m4: New file, from gettext-0.14.4. + * m4/size_max.m4: New file, from gettext-0.14.4. + * m4/stdint_h.m4: Upgrade to gettext-0.14.4. + * m4/uintmax_t.m4: Upgrade to gettext-0.14.4. + * m4/ulonglong.m4: Upgrade to gettext-0.14.4. + * m4/wchar_t.m4: New file, from gettext-0.14.4. + * m4/wint_t.m4: New file, from gettext-0.14.4. + * m4/xsize.m4: New file, from gettext-0.14.4. + * Makefile.am (ACLOCAL_AMFLAGS): New variable. + * configure.in (AM_GNU_GETTEXT_VERSION): Bump to 0.14.4. + +2006-08-04 Clemens Fruhwirth <clemens@endorphin.org> + + * configure.in: 1.0.4-rc2 + +2006-08-04 Clemens Fruhwirth <clemens@endorphin.org> + + * luks/Makefile.am: Add a few regression tests + +2006-08-04 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/setup.c (get_key): Applied patch from David Härdeman + <david@2gen.com> for reading binary keys from stdin using + the "-" as key file. + +2006-08-04 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/setup.c (__crypt_luks_add_key): For checking options struct + (optionsCheck) filter out CRYPT_FLAG_VERIFY and + CRYPT_FLAG_VERIFY_IF_POSSIBLE, so that in no case password verification is done + for password retrieval. + +2006-08-04 Clemens Fruhwirth <clemens@endorphin.org> + + * configure.in: Merge Patch from http://bugs.gentoo.org/show_bug.cgi?id=132126 for sepol + +2006-07-23 Clemens Fruhwirth <clemens@endorphin.org> + + * Applied patches from David Härdeman <david@2gen.com> to fix 64 + bit compiler warning issues. + +2006-05-19 Clemens Fruhwirth <clemens@endorphin.org> + + * Applied patches from Jonas Meurer + - fix terminal status after timeout + - add remark for --tries to manpage + - allow more than 32 chars from standard input. + - exit status fix for cryptsetup status. + +2006-05-06 Clemens Fruhwirth <clemens@endorphin.org> + + * src/cryptsetup.c (yesDialog): Fix getline problem for 64-bit archs. + +2006-04-05 Clemens Fruhwirth <clemens@endorphin.org> + + * configure.in: Release 1.0.3. + + * Applied patch by Johannes Weißl for more meaningful exit codes + and password retries + +2006-03-30 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/setup.c (__crypt_create_device): (char *) -> (const char *) + +2006-03-30 Clemens Fruhwirth <clemens@endorphin.org> + + * Apply alignPayload patch from Peter Palfrader <weasel@debian.org> + +2006-03-15 Clemens Fruhwirth <clemens@endorphin.org> + + * configure.in: 1.0.3-rc3. Most displease release ever. + * lib/setup.c (__crypt_create_device): More verbose error message. + +2006-02-26 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/setup.c: Revert to 1.0.1 key reading. + +2006-02-25 Clemens Fruhwirth <clemens@endorphin.org> + + * man/cryptsetup.8: merge patch from Jonas Meurer + +2006-02-25 Clemens Fruhwirth <clemens@endorphin.org> + + * configure.in: 1.0.3-rc2 + +2006-02-25 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/libdevmapper.c (dm_create_device): Remove dup check here. + * lib/setup.c (__crypt_luks_open): Adopt same dup check as regular + create command. + +2006-02-22 Clemens Fruhwirth <clemens@endorphin.org> + + * configure.in: Spin 1.0.3-rc1 + +2006-02-22 Clemens Fruhwirth <clemens@endorphin.org> + + * src/cryptsetup.c (action_create): Change defaulting. + (action_luksFormat): Change defaulting. + + * lib/setup.c (parse_into_name_and_mode): Revert that default + change. This is FORBIDDEN here, as it will change cryptsetup + entire default. This is BAD in a non-LUKS world. + +2006-02-21 Clemens Fruhwirth <clemens@endorphin.org> + + * luks/keyencryption.c (setup_mapping): Add proper size restriction to mapping. + (LUKS_endec_template): Add more verbose error message. + +2006-02-21 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/libdevmapper.c (dm_query_device): Incorporate patch from + Bastian Blank + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=344313 + +2006-02-21 Clemens Fruhwirth <clemens@endorphin.org> + + * src/cryptsetup.c: Rename show_error -> show_status. + +2006-02-20 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/libdevmapper.c (dm_create_device): Prevent existing mapping + from being removed when a mapping with the same name is added + + * Add timeout patch from Jonas Meurer + + * src/cryptsetup.c: Remove conditional error printing to enable + printing the no-error msg (Command successful). Verify passphrase + for LUKS volumes. + (main): Add no-verify-passphrase + + * lib/setup.c (parse_into_name_and_mode): Change default mode complition to essiv:sha256. + +2006-01-04 Clemens Fruhwirth <clemens@endorphin.org> + + * src/cryptsetup.c (help): Merge patch from Gentoo: change gettext(..) to _(..). + +2005-12-06 Clemens Fruhwirth <clemens@endorphin.org> + + * man/cryptsetup.8: Correct "seconds" to "microseconds" in the explanation for -i. + +2005-11-09 Clemens Fruhwirth <clemens@endorphin.org> + + * src/cryptsetup.c (main): Add version string. + +2005-11-08 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/backends.c: compile fix. + +2005-09-11 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/setup.c (get_key): Fixed another incompatibility from my + get_key rewrite with original cryptsetup. + +2005-09-11 Clemens Fruhwirth <clemens@endorphin.org> + + * Merged changes from Florian Knauf's fk02 branch. + +2005-09-08 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/setup.c (get_key): Fixed another incompatibility with + original cryptsetup. + +2005-08-20 Clemens Fruhwirth <clemens@endorphin.org> + + * Checked in a patch from Michael Gebetsroither <gebi@sbox.tugraz.at> + to silent all confirmation dialogs. + +2005-06-23 Clemens Fruhwirth <clemens@endorphin.org> + + * src/cryptsetup.c (help): print PACKAGE_STRING + +2005-06-20 Clemens Fruhwirth <clemens@endorphin.org> + + * luks/keymanage.c (LUKS_set_key): Security check against header manipulation + + * src/cryptsetup.c (action_luksDelKey): Safety check in luksDelKey + + * luks/keymanage.c: Changed disk layout generation to align key material to 4k boundaries. + (LUKS_is_last_keyslot): Added LUKS_is_last_keyslot function. + + * Applied patch from Bill Nottingham fixing a lot of prototypes. + + * src/cryptsetup.c (action_luksOpen): Add support for -r flag. + + * configure.in: Version bump 1.0.1 + +2005-06-16 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/setup.c (__crypt_luks_open): Remove mem leaking of dmCipherSpec. + (get_key): Fix missing zero termination for read string. + +2005-06-12 Clemens Fruhwirth <clemens@endorphin.org> + + * luks/keyencryption.c (setup_mapping): Added CRYPT_FLAG_READONLY in case of O_RDONLY mode + +2005-06-11 Clemens Fruhwirth <clemens@endorphin.org> + + * configure.in: Version bump 1.0.1-pre + +2005-06-09 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/utils.c: Added write_llseek_blocksize method to support sector wiping on sector_size != 512 + media + +2005-05-23 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/setup.c (crypt_luksDelKey): Added missing return statement + (setup_leave): Added missing return statement + + * luks/keyencryption.c (clear_mapping): Added missing return statement + +2005-05-19 Clemens Fruhwirth <clemens@endorphin.org> + + * lib/utils.c (write_blockwise, read_blockwise): Changed to soft bsize instead of SECTOR_SIZE + + * luks/keymanage.c (wipe): Changed open mode to O_DIRECT | O_SYNC, and changed write + to use the blockwise write helper + +2005-04-21 Clemens Fruhwirth <clemens@endorphin.org> + + * man/cryptsetup.8: Corrected an error, thanks to Dick Middleton. + +2005-04-09 Clemens Fruhwirth <clemens@endorphin.org> + + * luks/sha/hmac.c: Add 64 bit bug fix courtesy to + Oliver Paukstadt <pstadt@sourcentral.org>. + + * luks/pbkdf.c, luks/keyencryption.c, luks/keymanage.c, luks/af.c: Added a license + disclaimer and remove option for "any future GPL versions". + +2005-03-25 Clemens Fruhwirth <clemens@endorphin.org> + + * configure.in: man page Makefile. Version bump 1.0. + + * man/cryptsetup.8: finalize man page and move to section 8. + + * src/cryptsetup.c (action_luksFormat): Add "are you sure" for interactive sessions. + + * lib/setup.c (crypt_luksDump), src/cryptsetup.c: add LUKS dump command + +2005-03-24 Clemens Fruhwirth <clemens@endorphin.org> + + * src/cryptsetup.c, luks/Makefile.am (test), lib/setup.c (setup_enter): + rename luksInit to luksFormat + +2005-03-12 Clemens Fruhwirth <clemens@endorphin.org> + + * man/cryptsetup.1: Add man page. + + * lib/setup.c: Remove unnecessary LUKS_write_phdr call, so the + phdr is written after passphrase reading, so the user can change + his mind, and not have a partial written LUKS header on it's disk. + +2005-02-09 Clemens Fruhwirth <clemens@endorphin.org> + + * luks/keymanage.c (LUKS_write_phdr): converted argument phdr to + pointer, and make a copy of phdr for conversion + + * configure.in: Version dump. + + * luks/keyencryption.c: Convert to read|write_blockwise. + + * luks/keymanage.c: Convert to read|write_blockwise. + + * lib/utils.c: Add read|write_blockwise functions, to use in + O_DIRECT file accesses. + +2004-03-11 Thursday 15:52 Jana Saout <jana@saout.de> + + * lib/blockdev.h: BLKGETSIZE64 really uses size_t as third + argument, the rest is wrong. + +2004-03-10 Wednesday 17:50 Jana Saout <jana@saout.de> + + * lib/: libcryptsetup.h, libdevmapper.c: Small fixes. + +2004-03-09 Tuesday 21:41 Jana Saout <jana@saout.de> + + * lib/internal.h, lib/libcryptsetup.h, lib/libdevmapper.c, + lib/setup.c, po/de.po, src/cryptsetup.c: Added internal flags to + keep track of malloc'ed return values in struct crypt_options and + add a function to free the memory. Also add a readonly flag to + libcryptsetup. + +2004-03-09 Tuesday 16:03 Jana Saout <jana@saout.de> + + * ChangeLog, configure.in, setup-gettext, lib/Makefile.am, + lib/backends.c, lib/blockdev.h, lib/gcrypt.c, lib/internal.h, + lib/libcryptsetup.h, lib/libdevmapper.c, lib/setup.c, + lib/utils.c, po/de.po, src/Makefile.am, src/cryptsetup.c: More + reorganization work. + +2004-03-08 Monday 01:38 Jana Saout <jana@saout.de> + + * ChangeLog, Makefile.am, acinclude.m4, configure.in, + lib/Makefile.am, lib/backends.c, lib/blockdev.h, lib/gcrypt.c, + lib/libdevmapper.c, lib/setup.c, lib/utils.c, po/de.po, + src/Makefile.am: BLKGETSIZE64 fixes and started modularity + enhancements + +2004-03-04 Thursday 21:06 Jana Saout <jana@saout.de> + + * Makefile.am, po/de.po, src/cryptsetup.c, src/cryptsetup.h: First + backward compatible working version. + +2004-03-04 Thursday 00:42 Jana Saout <jana@saout.de> + + * NEWS, AUTHORS, ChangeLog, Makefile.am, README, autogen.sh, + configure.in, setup-gettext, po/ChangeLog, po/LINGUAS, + po/POTFILES.in, po/de.po, src/cryptsetup.c, src/cryptsetup.h, + src/Makefile.am (utags: initial): Initial checkin. + +2004-03-04 Thursday 00:42 Jana Saout <jana@saout.de> + + * NEWS, AUTHORS, ChangeLog, Makefile.am, README, autogen.sh, + configure.in, setup-gettext, po/ChangeLog, po/LINGUAS, + po/POTFILES.in, po/de.po, src/cryptsetup.c, src/cryptsetup.h, + src/Makefile.am: Initial revision diff --git a/docs/Keyring.txt b/docs/Keyring.txt new file mode 100644 index 0000000..bdcc838 --- /dev/null +++ b/docs/Keyring.txt @@ -0,0 +1,56 @@ +Integration with kernel keyring service +--------------------------------------- + +We have two different use cases for kernel keyring service: + +I) Volume keys + +Since upstream kernel 4.10 dm-crypt device mapper target allows loading volume +key (VK) in kernel keyring service. The key offloaded in kernel keyring service +is only referenced (by key description) in dm-crypt target and the VK is therefore +no longer stored directly in dm-crypt target. Starting with cryptsetup 2.0 we +load VK in kernel keyring by default for LUKSv2 devices (when dm-crypt with the +feature is available). + +Currently cryptsetup loads VK in 'logon' type kernel key so that VK is passed in +the kernel and can't be read from userspace afterward. Also cryptsetup loads VK in +thread keyring (before passing the reference to dm-crypt target) so that the key +lifetime is directly bound to the process that performs the dm-crypt setup. When +cryptsetup process exits (for whatever reason) the key gets unlinked in kernel +automatically. In summary, the key description visible in dm-crypt table line is +a reference to VK that usually no longer exists in kernel keyring service if you +used cryptsetup to for device activation. + +Using this feature dm-crypt no longer maintains a direct key copy (but there's +always at least one copy in kernel crypto layer). + +II) Keyslot passphrase +The second use case for kernel keyring is to allow cryptsetup reading the keyslot +passphrase stored in kernel keyring instead. The user may load passphrase in kernel +keyring and notify cryptsetup to read it from there later. Currently, cryptsetup +cli supports kernel keyring for passphrase only via LUKS2 internal token +(luks2-keyring). Library also provides a general method for device activation by +reading passphrase from keyring: crypt_activate_by_keyring(). The key type +for use case II) must always be 'user' since we need to read the actual key +data from userspace unlike with VK in I). Ability to read keyslot passphrase +from kernel keyring also allows easily auto-activate LUKS2 devices. + +Simple example how to use kernel keyring for keyslot passphrase: + +1) create LUKS2 keyring token for keyslot 0 (in LUKS2 device/image) +cryptsetup token add --key-description my:key -S 0 /dev/device + +2) Load keyslot passphrase in user keyring +read -s -p "Keyslot passphrase: "; echo -n $REPLY | keyctl padd user my:key @u + +3) Activate device using passphrase stored in kernel keyring +cryptsetup open /dev/device my_unlocked_device + +4a) unlink the key when no longer needed by +keyctl unlink %user:my:key @u + +4b) or revoke it immediately by +keyctl revoke %user:my:key + +If cryptsetup asks for passphrase in step 3) something went wrong with keyring +activation. See --debug output then. diff --git a/docs/LUKS2-locking.txt b/docs/LUKS2-locking.txt new file mode 100644 index 0000000..e401b61 --- /dev/null +++ b/docs/LUKS2-locking.txt @@ -0,0 +1,61 @@ +LUKS2 device locking overview +============================= + +Why +~~~ + +LUKS2 format keeps two identical copies of metadata stored consecutively +at the head of metadata device (file or bdev). The metadata +area (both copies) must be updated in a single atomic operation to avoid +header corruption during concurrent write. + +While with LUKS1 users may have clear knowledge of when a LUKS header is +being updated (written to) or when it's being read solely the need for +locking with legacy format was not so obvious as it is with the LUKSv2 format. + +With LUKS2 the boundary between read-only and read-write is blurry and what +used to be the exclusively read-only operation (i.e., cryptsetup open command) may +easily become read-update operation silently without user's knowledge. +Major feature of LUKS2 format is resilience against accidental +corruption of metadata (i.e., partial header overwrite by parted or cfdisk +while creating partition on mistaken block device). +Such header corruption is detected early on header read and auto-recovery +procedure takes place (the corrupted header with checksum mismatch is being +replaced by the secondary one if that one is intact). +On current Linux systems header load operation may be triggered without user +direct intervention for example by udev rule or from systemd service. +Such clash of header read and auto-recovery procedure could have severe +consequences with the worst case of having LUKS2 device unaccessible or being +broken beyond repair. + +The whole locking of LUKSv2 device headers split into two categories depending +what backend the header is stored on: + +I) block device +~~~~~~~~~~~~~~~ + +We perform flock() on file descriptors of files stored in a private +directory (by default /run/lock/cryptsetup). The file name is derived +from major:minor couple of affected block device. Note we recommend +that access to private locking directory is supposed to be limited +to superuser only. For this method to work the distribution needs +to install the locking directory with appropriate access rights. + +II) regular files +~~~~~~~~~~~~~~~~~ + +First notable difference between headers stored in a file +vs. headers stored in a block device is that headers in a file may be +manipulated by the regular user unlike headers on block devices. Therefore +we perform flock() protection on file with the luks2 header directly. + +Limitations +~~~~~~~~~~~ + +a) In general, the locking model provides serialization of I/Os targeting +the header only. It means the header is always written or read at once +while locking is enabled. +We do not suppress any other negative effect that two or more concurrent +writers of the same header may cause. + +b) The locking is not cluster aware in any way. diff --git a/docs/doxyfile b/docs/doxyfile new file mode 100644 index 0000000..a8c84db --- /dev/null +++ b/docs/doxyfile @@ -0,0 +1,313 @@ +# Doxyfile 1.8.8 + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- +DOXYFILE_ENCODING = UTF-8 +PROJECT_NAME = "cryptsetup API" +PROJECT_NUMBER = +PROJECT_BRIEF = "Public cryptsetup API" +PROJECT_LOGO = +OUTPUT_DIRECTORY = doxygen_api_docs +CREATE_SUBDIRS = NO +ALLOW_UNICODE_NAMES = NO +OUTPUT_LANGUAGE = English +BRIEF_MEMBER_DESC = YES +REPEAT_BRIEF = YES +ABBREVIATE_BRIEF = +ALWAYS_DETAILED_SEC = NO +INLINE_INHERITED_MEMB = NO +FULL_PATH_NAMES = YES +STRIP_FROM_PATH = +STRIP_FROM_INC_PATH = +SHORT_NAMES = NO +JAVADOC_AUTOBRIEF = NO +QT_AUTOBRIEF = NO +MULTILINE_CPP_IS_BRIEF = NO +INHERIT_DOCS = YES +SEPARATE_MEMBER_PAGES = NO +TAB_SIZE = 8 +ALIASES = +TCL_SUBST = +OPTIMIZE_OUTPUT_FOR_C = YES +OPTIMIZE_OUTPUT_JAVA = NO +OPTIMIZE_FOR_FORTRAN = NO +OPTIMIZE_OUTPUT_VHDL = NO +EXTENSION_MAPPING = +MARKDOWN_SUPPORT = YES +AUTOLINK_SUPPORT = YES +BUILTIN_STL_SUPPORT = NO +CPP_CLI_SUPPORT = NO +SIP_SUPPORT = NO +IDL_PROPERTY_SUPPORT = YES +DISTRIBUTE_GROUP_DOC = NO +SUBGROUPING = YES +INLINE_GROUPED_CLASSES = NO +INLINE_SIMPLE_STRUCTS = NO +TYPEDEF_HIDES_STRUCT = YES +LOOKUP_CACHE_SIZE = 0 +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- +EXTRACT_ALL = NO +EXTRACT_PRIVATE = NO +EXTRACT_PACKAGE = NO +EXTRACT_STATIC = NO +EXTRACT_LOCAL_CLASSES = YES +EXTRACT_LOCAL_METHODS = NO +EXTRACT_ANON_NSPACES = NO +HIDE_UNDOC_MEMBERS = NO +HIDE_UNDOC_CLASSES = NO +HIDE_FRIEND_COMPOUNDS = NO +HIDE_IN_BODY_DOCS = NO +INTERNAL_DOCS = NO +CASE_SENSE_NAMES = YES +HIDE_SCOPE_NAMES = NO +SHOW_INCLUDE_FILES = YES +SHOW_GROUPED_MEMB_INC = NO +FORCE_LOCAL_INCLUDES = NO +INLINE_INFO = YES +SORT_MEMBER_DOCS = YES +SORT_BRIEF_DOCS = NO +SORT_MEMBERS_CTORS_1ST = NO +SORT_GROUP_NAMES = NO +SORT_BY_SCOPE_NAME = NO +STRICT_PROTO_MATCHING = NO +GENERATE_TODOLIST = YES +GENERATE_TESTLIST = YES +GENERATE_BUGLIST = YES +GENERATE_DEPRECATEDLIST= YES +ENABLED_SECTIONS = +MAX_INITIALIZER_LINES = 30 +SHOW_USED_FILES = YES +SHOW_FILES = YES +SHOW_NAMESPACES = YES +FILE_VERSION_FILTER = +LAYOUT_FILE = +CITE_BIB_FILES = +#--------------------------------------------------------------------------- +# Configuration options related to warning and progress messages +#--------------------------------------------------------------------------- +QUIET = NO +WARNINGS = YES +WARN_IF_UNDOCUMENTED = YES +WARN_IF_DOC_ERROR = YES +WARN_NO_PARAMDOC = NO +WARN_FORMAT = "$file:$line: $text" +WARN_LOGFILE = +#--------------------------------------------------------------------------- +# Configuration options related to the input files +#--------------------------------------------------------------------------- +INPUT = "doxygen_index.h" \ + "../lib/libcryptsetup.h" +INPUT_ENCODING = UTF-8 +FILE_PATTERNS = +RECURSIVE = NO +EXCLUDE = +EXCLUDE_SYMLINKS = NO +EXCLUDE_PATTERNS = +EXCLUDE_SYMBOLS = +EXAMPLE_PATH = "examples" +EXAMPLE_PATTERNS = +EXAMPLE_RECURSIVE = NO +IMAGE_PATH = +INPUT_FILTER = +FILTER_PATTERNS = +FILTER_SOURCE_FILES = NO +FILTER_SOURCE_PATTERNS = +USE_MDFILE_AS_MAINPAGE = +#--------------------------------------------------------------------------- +# Configuration options related to source browsing +#--------------------------------------------------------------------------- +SOURCE_BROWSER = NO +INLINE_SOURCES = NO +STRIP_CODE_COMMENTS = YES +REFERENCED_BY_RELATION = NO +REFERENCES_RELATION = NO +REFERENCES_LINK_SOURCE = YES +SOURCE_TOOLTIPS = YES +USE_HTAGS = NO +VERBATIM_HEADERS = YES +CLANG_ASSISTED_PARSING = NO +CLANG_OPTIONS = +#--------------------------------------------------------------------------- +# Configuration options related to the alphabetical class index +#--------------------------------------------------------------------------- +ALPHABETICAL_INDEX = YES +COLS_IN_ALPHA_INDEX = 5 +IGNORE_PREFIX = +#--------------------------------------------------------------------------- +# Configuration options related to the HTML output +#--------------------------------------------------------------------------- +GENERATE_HTML = YES +HTML_OUTPUT = html +HTML_FILE_EXTENSION = .html +HTML_HEADER = +HTML_FOOTER = +HTML_STYLESHEET = +HTML_EXTRA_STYLESHEET = +HTML_EXTRA_FILES = +HTML_COLORSTYLE_HUE = 220 +HTML_COLORSTYLE_SAT = 100 +HTML_COLORSTYLE_GAMMA = 80 +HTML_TIMESTAMP = YES +HTML_DYNAMIC_SECTIONS = NO +HTML_INDEX_NUM_ENTRIES = 100 +GENERATE_DOCSET = NO +DOCSET_FEEDNAME = "Doxygen generated docs" +DOCSET_BUNDLE_ID = org.doxygen.Project +DOCSET_PUBLISHER_ID = org.doxygen.Publisher +DOCSET_PUBLISHER_NAME = Publisher +GENERATE_HTMLHELP = NO +CHM_FILE = +HHC_LOCATION = +GENERATE_CHI = NO +CHM_INDEX_ENCODING = +BINARY_TOC = NO +TOC_EXPAND = NO +GENERATE_QHP = NO +QCH_FILE = +QHP_NAMESPACE = org.doxygen.Project +QHP_VIRTUAL_FOLDER = doc +QHP_CUST_FILTER_NAME = +QHP_CUST_FILTER_ATTRS = +QHP_SECT_FILTER_ATTRS = +QHG_LOCATION = +GENERATE_ECLIPSEHELP = NO +ECLIPSE_DOC_ID = org.doxygen.Project +DISABLE_INDEX = NO +GENERATE_TREEVIEW = NO +ENUM_VALUES_PER_LINE = 4 +TREEVIEW_WIDTH = 250 +EXT_LINKS_IN_WINDOW = NO +FORMULA_FONTSIZE = 10 +FORMULA_TRANSPARENT = YES +USE_MATHJAX = NO +MATHJAX_FORMAT = HTML-CSS +MATHJAX_RELPATH = http://www.mathjax.org/mathjax +MATHJAX_EXTENSIONS = +MATHJAX_CODEFILE = +SEARCHENGINE = YES +SERVER_BASED_SEARCH = NO +EXTERNAL_SEARCH = NO +SEARCHENGINE_URL = +SEARCHDATA_FILE = searchdata.xml +EXTERNAL_SEARCH_ID = +EXTRA_SEARCH_MAPPINGS = +#--------------------------------------------------------------------------- +# Configuration options related to the LaTeX output +#--------------------------------------------------------------------------- +GENERATE_LATEX = YES +LATEX_OUTPUT = latex +LATEX_CMD_NAME = latex +MAKEINDEX_CMD_NAME = makeindex +COMPACT_LATEX = NO +PAPER_TYPE = a4 +EXTRA_PACKAGES = +LATEX_HEADER = +LATEX_FOOTER = +LATEX_EXTRA_FILES = +PDF_HYPERLINKS = YES +USE_PDFLATEX = YES +LATEX_BATCHMODE = NO +LATEX_HIDE_INDICES = NO +LATEX_SOURCE_CODE = NO +LATEX_BIB_STYLE = plain +#--------------------------------------------------------------------------- +# Configuration options related to the RTF output +#--------------------------------------------------------------------------- +GENERATE_RTF = NO +RTF_OUTPUT = rtf +COMPACT_RTF = NO +RTF_HYPERLINKS = NO +RTF_STYLESHEET_FILE = +RTF_EXTENSIONS_FILE = +#--------------------------------------------------------------------------- +# Configuration options related to the man page output +#--------------------------------------------------------------------------- +GENERATE_MAN = NO +MAN_OUTPUT = man +MAN_EXTENSION = .3 +MAN_SUBDIR = +MAN_LINKS = NO +#--------------------------------------------------------------------------- +# Configuration options related to the XML output +#--------------------------------------------------------------------------- +GENERATE_XML = NO +XML_OUTPUT = xml +XML_PROGRAMLISTING = YES +#--------------------------------------------------------------------------- +# Configuration options related to the DOCBOOK output +#--------------------------------------------------------------------------- +GENERATE_DOCBOOK = NO +DOCBOOK_OUTPUT = docbook +DOCBOOK_PROGRAMLISTING = NO +#--------------------------------------------------------------------------- +# Configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- +GENERATE_AUTOGEN_DEF = NO +#--------------------------------------------------------------------------- +# Configuration options related to the Perl module output +#--------------------------------------------------------------------------- +GENERATE_PERLMOD = NO +PERLMOD_LATEX = NO +PERLMOD_PRETTY = YES +PERLMOD_MAKEVAR_PREFIX = +#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- +ENABLE_PREPROCESSING = YES +MACRO_EXPANSION = NO +EXPAND_ONLY_PREDEF = NO +SEARCH_INCLUDES = YES +INCLUDE_PATH = +INCLUDE_FILE_PATTERNS = +PREDEFINED = +EXPAND_AS_DEFINED = +SKIP_FUNCTION_MACROS = YES +#--------------------------------------------------------------------------- +# Configuration options related to external references +#--------------------------------------------------------------------------- +TAGFILES = +GENERATE_TAGFILE = +ALLEXTERNALS = NO +EXTERNAL_GROUPS = YES +EXTERNAL_PAGES = YES +PERL_PATH = +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- +CLASS_DIAGRAMS = YES +MSCGEN_PATH = +DIA_PATH = +HIDE_UNDOC_RELATIONS = YES +HAVE_DOT = NO +DOT_NUM_THREADS = 0 +DOT_FONTNAME = Helvetica +DOT_FONTSIZE = 10 +DOT_FONTPATH = +CLASS_GRAPH = YES +COLLABORATION_GRAPH = YES +GROUP_GRAPHS = YES +UML_LOOK = NO +UML_LIMIT_NUM_FIELDS = 10 +TEMPLATE_RELATIONS = NO +INCLUDE_GRAPH = YES +INCLUDED_BY_GRAPH = YES +CALL_GRAPH = NO +CALLER_GRAPH = NO +GRAPHICAL_HIERARCHY = YES +DIRECTORY_GRAPH = YES +DOT_IMAGE_FORMAT = png +INTERACTIVE_SVG = NO +DOT_PATH = +DOTFILE_DIRS = +MSCFILE_DIRS = +DIAFILE_DIRS = +PLANTUML_JAR_PATH = +DOT_GRAPH_MAX_NODES = 50 +MAX_DOT_GRAPH_DEPTH = 0 +DOT_TRANSPARENT = NO +DOT_MULTI_TARGETS = NO +GENERATE_LEGEND = YES +DOT_CLEANUP = YES diff --git a/docs/doxygen_index.h b/docs/doxygen_index.h new file mode 100644 index 0000000..8bdf05f --- /dev/null +++ b/docs/doxygen_index.h @@ -0,0 +1,110 @@ +/*! \mainpage Cryptsetup API + * + * <b>The</b> documentation covers public parts of cryptsetup API. In the following sections you'll find + * the examples that describe some features of cryptsetup API. + * For more info about libcryptsetup API versions see + * <a href="https://gitlab.com/cryptsetup/cryptsetup/wikis/ABI-tracker/timeline/libcryptsetup/index.html">API Tracker</a>. + * + * <OL type="A"> + * <LI>@ref cexamples "Cryptsetup API examples"</LI> + * <OL type="1"> + * <LI>@ref cluks "crypt_luks_usage" - cryptsetup LUKS device type usage examples</LI> + * <UL> + * <LI>@ref cinit "crypt_init()"</LI> + * <LI>@ref cformat "crypt_format()" - header and payload on mutual device</LI> + * <LI>@ref ckeys "Keyslot operations" </LI> + * <UL> + * <LI>@ref ckeyslot_vol "crypt_keyslot_add_by_volume_key()"</LI> + * <LI>@ref ckeyslot_pass "crypt_keyslot_add_by_passphrase()"</LI> + * </UL> + * <LI>@ref cload "crypt_load()" + * <LI>@ref cactivate "crypt_activate_by_passphrase()"</LI> + * <LI>@ref cactive_pars "crypt_get_active_device()"</LI> + * <LI>@ref cinit_by_name "crypt_init_by_name()"</LI> + * <LI>@ref cdeactivate "crypt_deactivate()"</LI> + * <LI>@ref cluks_ex "crypt_luks_usage.c"</LI> + * </UL> + * <LI>@ref clog "crypt_log_usage" - cryptsetup logging API examples</LI> + * </OL> + * </OL> + * + * @section cexamples Cryptsetup API examples + * @section cluks crypt_luks_usage - cryptsetup LUKS device type usage + * @subsection cinit crypt_init() + * Every time you need to do something with cryptsetup or dmcrypt device + * you need a valid context. The first step to start your work is + * @ref crypt_init call. You can call it either with path + * to the block device or path to the regular file. If you don't supply the path, + * empty context is initialized. + * + * @subsection cformat crypt_format() - header and payload on mutual device + * This section covers basic use cases for formatting LUKS devices. Format operation + * sets device type in context and in case of LUKS header is written at the beginning + * of block device. In the example below we use the scenario where LUKS header and data + * are both stored on the same device. There's also a possibility to store header and + * data separately. + * + * <B>Bear in mind</B> that @ref crypt_format() is destructive operation and it + * overwrites part of the backing block device. + * + * @subsection ckeys Keyslot operations examples + * After successful @ref crypt_format of LUKS device, volume key is not stored + * in a persistent way on the device. Keyslot area is an array beyond LUKS header, where + * volume key is stored in the encrypted form using user input passphrase. For more info about + * LUKS keyslots and how it's actually protected, please look at + * <A HREF="https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification">LUKS specification</A>. + * There are two basic methods to create a new keyslot: + * + * @subsection ckeyslot_vol crypt_keyslot_add_by_volume_key() + * Creates a new keyslot directly by encrypting volume_key stored in the device + * context. Passphrase should be supplied or user is prompted if passphrase param is + * NULL. + * + * @subsection ckeyslot_pass crypt_keyslot_add_by_passphrase() + * Creates a new keyslot for the volume key by opening existing active keyslot, + * extracting volume key from it and storing it into a new keyslot + * protected by a new passphrase + * + * @subsection cload crypt_load() + * Function loads header from backing block device into device context. + * + * @subsection cactivate crypt_activate_by_passphrase() + * Activates crypt device by user supplied password for keyslot containing the volume_key. + * If <I>keyslot</I> parameter is set to <I>CRYPT_ANY_SLOT</I> then all active keyslots + * are tried one by one until the volume key is found. + * + * @subsection cactive_pars crypt_get_active_device() + * This call returns structure containing runtime attributes of active device. + * + * @subsection cinit_by_name crypt_init_by_name() + * In case you need to do operations with active device (device which already + * has its corresponding mapping) and you miss valid device context stored in + * *crypt_device reference, you should use this call. Function tries to + * get path to backing device from DM, initializes context for it and loads LUKS + * header. + * + * @subsection cdeactivate crypt_deactivate() + * Deactivates crypt device (removes DM mapping and safely erases volume key from kernel). + * + * @subsection cluks_ex crypt_luks_usage.c - Complex example + * To compile and run use following commands in examples directory: + * + * @code + * make + * ./crypt_luks_usage _path_to_[block_device]_file + * @endcode + * Note that you need to have the cryptsetup library compiled. @include crypt_luks_usage.c + * + * @section clog crypt_log_usage - cryptsetup logging API example + * Example describes basic use case for cryptsetup logging. To compile and run + * use following commands in examples directory: + * + * @code + * make + * ./crypt_log_usage + * @endcode + * Note that you need to have the cryptsetup library compiled. @include crypt_log_usage.c + * + * @example crypt_luks_usage.c + * @example crypt_log_usage.c + */ diff --git a/docs/examples/Makefile b/docs/examples/Makefile new file mode 100644 index 0000000..845b6cb --- /dev/null +++ b/docs/examples/Makefile @@ -0,0 +1,17 @@ +TARGETS=crypt_log_usage crypt_luks_usage +CFLAGS=-O0 -g -Wall -D_GNU_SOURCE +LDLIBS=-lcryptsetup +CC=gcc + +all: $(TARGETS) + +crypt_log_usage: crypt_log_usage.o + $(CC) -o $@ $^ $(LDLIBS) + +crypt_luks_usage: crypt_luks_usage.o + $(CC) -o $@ $^ $(LDLIBS) + +clean: + rm -f *.o *~ core $(TARGETS) + +.PHONY: clean diff --git a/docs/examples/crypt_log_usage.c b/docs/examples/crypt_log_usage.c new file mode 100644 index 0000000..b0cdd56 --- /dev/null +++ b/docs/examples/crypt_log_usage.c @@ -0,0 +1,94 @@ +/* + * libcryptsetup API log example + * + * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. + * + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <stdio.h> +#include <sys/types.h> +#include <syslog.h> +#include <unistd.h> +#include <libcryptsetup.h> + +/* + * This is an example of crypt_set_log_callback API callback. + * + */ +static void simple_syslog_wrapper(int level, const char *msg, void *usrptr) +{ + const char *prefix = (const char *)usrptr; + int priority; + + switch(level) { + case CRYPT_LOG_NORMAL: priority = LOG_NOTICE; break; + case CRYPT_LOG_ERROR: priority = LOG_ERR; break; + case CRYPT_LOG_VERBOSE: priority = LOG_INFO; break; + case CRYPT_LOG_DEBUG: priority = LOG_DEBUG; break; + default: + fprintf(stderr, "Unsupported log level requested!\n"); + return; + } + + if (prefix) + syslog(priority, "%s:%s", prefix, msg); + else + syslog(priority, "%s", msg); +} + +int main(void) +{ + struct crypt_device *cd; + char usrprefix[] = "cslog_example"; + int r; + + if (geteuid()) { + printf("Using of libcryptsetup requires super user privileges.\n"); + return 1; + } + + openlog("cryptsetup", LOG_CONS | LOG_PID, LOG_USER); + + /* Initialize empty crypt device context */ + r = crypt_init(&cd, NULL); + if (r < 0) { + printf("crypt_init() failed.\n"); + return 2; + } + + /* crypt_set_log_callback() - register a log callback for crypt context */ + crypt_set_log_callback(cd, &simple_syslog_wrapper, (void *)usrprefix); + + /* send messages ithrough the crypt_log() interface */ + crypt_log(cd, CRYPT_LOG_NORMAL, "This is normal log message"); + crypt_log(cd, CRYPT_LOG_ERROR, "This is error log message"); + crypt_log(cd, CRYPT_LOG_VERBOSE, "This is verbose log message"); + crypt_log(cd, CRYPT_LOG_DEBUG, "This is debug message"); + + /* release crypt context */ + crypt_free(cd); + + /* Initialize default (global) log callback */ + crypt_set_log_callback(NULL, &simple_syslog_wrapper, NULL); + + crypt_log(NULL, CRYPT_LOG_NORMAL, "This is normal log message"); + crypt_log(NULL, CRYPT_LOG_ERROR, "This is error log message"); + crypt_log(NULL, CRYPT_LOG_VERBOSE, "This is verbose log message"); + crypt_log(NULL, CRYPT_LOG_DEBUG, "This is debug message"); + + closelog(); + return 0; +} diff --git a/docs/examples/crypt_luks_usage.c b/docs/examples/crypt_luks_usage.c new file mode 100644 index 0000000..f99bfc7 --- /dev/null +++ b/docs/examples/crypt_luks_usage.c @@ -0,0 +1,250 @@ +/* + * libcryptsetup API - using LUKS device example + * + * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. + * + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <inttypes.h> +#include <sys/types.h> +#include <libcryptsetup.h> + +static int format_and_add_keyslots(const char *path) +{ + struct crypt_device *cd; + int r; + + /* + * The crypt_init() call is used to initialize crypt_device context, + * The path parameter specifies a device path. + * + * For path, you can use either link to a file or block device. + * The loopback device will be detached automatically. + */ + + r = crypt_init(&cd, path); + if (r < 0) { + printf("crypt_init() failed for %s.\n", path); + return r; + } + + printf("Context is attached to block device %s.\n", crypt_get_device_name(cd)); + + /* + * So far, no data were written to the device. + */ + printf("Device %s will be formatted as a LUKS device after 5 seconds.\n" + "Press CTRL+C now if you want to cancel this operation.\n", path); + sleep(5); + + /* + * NULLs for uuid and volume_key means that these attributes will be + * generated during crypt_format(). + */ + r = crypt_format(cd, /* crypt context */ + CRYPT_LUKS2, /* LUKS2 is a new LUKS format; use CRYPT_LUKS1 for LUKS1 */ + "aes", /* used cipher */ + "xts-plain64", /* used block mode and IV */ + NULL, /* generate UUID */ + NULL, /* generate volume key from RNG */ + 512 / 8, /* 512bit key - here AES-256 in XTS mode, size is in bytes */ + NULL); /* default parameters */ + + if (r < 0) { + printf("crypt_format() failed on device %s\n", crypt_get_device_name(cd)); + crypt_free(cd); + return r; + } + + /* + * The device now contains a LUKS header, but there is no active keyslot. + * + * crypt_keyslot_add_* call stores the volume_key in the encrypted form into the keyslot. + * + * After format, the volume key is stored internally. + */ + r = crypt_keyslot_add_by_volume_key(cd, /* crypt context */ + CRYPT_ANY_SLOT, /* just use first free slot */ + NULL, /* use internal volume key */ + 0, /* unused (size of volume key) */ + "foo", /* passphrase - NULL means query*/ + 3); /* size of passphrase */ + + if (r < 0) { + printf("Adding keyslot failed.\n"); + crypt_free(cd); + return r; + } + + printf("The first keyslot is initialized.\n"); + + /* + * Add another keyslot, now authenticating with the first keyslot. + * It decrypts the volume key from the first keyslot and creates a new one with the specified passphrase. + */ + r = crypt_keyslot_add_by_passphrase(cd, /* crypt context */ + CRYPT_ANY_SLOT, /* just use first free slot */ + "foo", 3, /* passphrase for the old keyslot */ + "bar", 3); /* passphrase for the new kesylot */ + if (r < 0) { + printf("Adding keyslot failed.\n"); + crypt_free(cd); + return r; + } + + printf("The second keyslot is initialized.\n"); + + crypt_free(cd); + return 0; +} + +static int activate_and_check_status(const char *path, const char *device_name) +{ + struct crypt_device *cd; + struct crypt_active_device cad; + int r; + + /* + * LUKS device activation example. + */ + r = crypt_init(&cd, path); + if (r < 0) { + printf("crypt_init() failed for %s.\n", path); + return r; + } + + /* + * crypt_load() is used to load existing LUKS header from a block device + */ + r = crypt_load(cd, /* crypt context */ + CRYPT_LUKS, /* requested type - here LUKS of any type */ + NULL); /* additional parameters (not used) */ + + if (r < 0) { + printf("crypt_load() failed on device %s.\n", crypt_get_device_name(cd)); + crypt_free(cd); + return r; + } + + /* + * Device activation creates a device-mapper device with the specified name. + */ + r = crypt_activate_by_passphrase(cd, /* crypt context */ + device_name, /* device name to activate */ + CRYPT_ANY_SLOT,/* the keyslot use (try all here) */ + "foo", 3, /* passphrase */ + CRYPT_ACTIVATE_READONLY); /* flags */ + if (r < 0) { + printf("Device %s activation failed.\n", device_name); + crypt_free(cd); + return r; + } + + printf("%s device %s/%s is active.\n", crypt_get_type(cd), crypt_get_dir(), device_name); + printf("\tcipher used: %s\n", crypt_get_cipher(cd)); + printf("\tcipher mode: %s\n", crypt_get_cipher_mode(cd)); + printf("\tdevice UUID: %s\n", crypt_get_uuid(cd)); + + /* + * Get info about the active device. + */ + r = crypt_get_active_device(cd, device_name, &cad); + if (r < 0) { + printf("Get info about active device %s failed.\n", device_name); + crypt_deactivate(cd, device_name); + crypt_free(cd); + return r; + } + + printf("Active device parameters for %s:\n" + "\tDevice offset (in sectors): %" PRIu64 "\n" + "\tIV offset (in sectors) : %" PRIu64 "\n" + "\tdevice size (in sectors) : %" PRIu64 "\n" + "\tread-only flag : %s\n", + device_name, cad.offset, cad.iv_offset, cad.size, + cad.flags & CRYPT_ACTIVATE_READONLY ? "1" : "0"); + + crypt_free(cd); + return 0; +} + +static int handle_active_device(const char *device_name) +{ + struct crypt_device *cd; + int r; + + /* + * crypt_init_by_name() initializes context by an active device-mapper name + */ + r = crypt_init_by_name(&cd, device_name); + if (r < 0) { + printf("crypt_init_by_name() failed for %s.\n", device_name); + return r; + } + + if (crypt_status(cd, device_name) == CRYPT_ACTIVE) + printf("Device %s is still active.\n", device_name); + else { + printf("Something failed perhaps, device %s is not active.\n", device_name); + crypt_free(cd); + return -1; + } + + /* + * crypt_deactivate() is used to deactivate a device + */ + r = crypt_deactivate(cd, device_name); + if (r < 0) { + printf("crypt_deactivate() failed.\n"); + crypt_free(cd); + return r; + } + + printf("Device %s is now deactivated.\n", device_name); + + crypt_free(cd); + return 0; +} + +int main(int argc, char **argv) +{ + if (geteuid()) { + printf("Using of libcryptsetup requires super user privileges.\n"); + return 1; + } + + if (argc != 2) { + printf("usage: ./crypt_luks_usage <path>\n" + "<path> refers to either a regular file or a block device.\n" + " WARNING: the file or device will be wiped.\n"); + return 2; + } + + if (format_and_add_keyslots(argv[1])) + return 3; + + if (activate_and_check_status(argv[1], "example_device")) + return 4; + + if (handle_active_device("example_device")) + return 5; + + return 0; +} diff --git a/docs/on-disk-format-luks2.pdf b/docs/on-disk-format-luks2.pdf Binary files differnew file mode 100644 index 0000000..3f09952 --- /dev/null +++ b/docs/on-disk-format-luks2.pdf diff --git a/docs/on-disk-format.pdf b/docs/on-disk-format.pdf Binary files differnew file mode 100644 index 0000000..7f6e5e7 --- /dev/null +++ b/docs/on-disk-format.pdf diff --git a/docs/v1.0.7-ReleaseNotes b/docs/v1.0.7-ReleaseNotes new file mode 100644 index 0000000..9288c60 --- /dev/null +++ b/docs/v1.0.7-ReleaseNotes @@ -0,0 +1,92 @@ +cryptsetup 1.0.7 Release Notes (2009-07-22) +=========================================== + +Changes since 1.0.7-rc1 +------------------------ +[committer name] + + * Allow removal of last slot in luksRemoveKey +and luksKillSlot. [Milan Broz] + + * Add --disable-selinux option and fix static build if selinux +is required. [Milan Broz] + + * Reject unsupported --offset and --skip options for luksFormat +and update man page. [Milan Broz] + + +Changes since 1.0.6 +-------------------- +[committer name] + +* Various man page fixes. Also merged some Debian/Ubuntu man page +fixes. (thanks to Martin Pitt) [Milan Broz] + +* Set UUID in device-mapper for LUKS devices. [Milan Broz] + +* Retain readahead of underlying device. [Milan Broz] + +* Display device name when asking for password. (thanks to Till +Maas) [Milan Broz] + +* Check device size when loading LUKS header. Remove misleading +error message later. [Milan Broz] + +* Add error hint if dm-crypt mapping failed. (Key size and kernel +version check for XTS and LRW mode for now.) [Milan Broz] + +* Use better error messages if device doesn't exist or is already +used by other mapping. [Milan Broz] + +* Fix make distcheck. (thanks to Mike Kelly) [Milan Broz] + +* Check if all slots are full during luksAddKey. [Clemens Fruhwirth] + +* Fix segfault in set_error (thanks to Oliver Metz). [Clemens Fruhwirth] + +* Remove precompiled pot files. Fix uninitialized return value +variable in setup.c. [Clemens Fruhwirth] + +* Code cleanups. (thanks to Ivan Stankovic) [Clemens Fruhwirth] + +* Remove unnecessary files from po directory. They will be +regenerated by autogen.sh. [Clemens Fruhwirth] + +* Fix wrong output for remaining key at key deletion. Allow deletion +of key slot while other keys have the same key information. [Clemens +Fruhwirth] + +* Add missing AM_PROG_CC_C_O to configure.in [Milan Broz] + +* Remove duplicate sentence in man page (thanks to Till Maas). +[Milan Broz] + +* Wipe start of device (possible fs signature) before +LUKS-formatting. [Milan Broz] + +* Do not process configure.in in hidden directories. [Milan Broz] + +* Return more descriptive error in case of IO or header format +error. [Milan Broz] + +* Use remapping to error target instead of calling udevsettle +for temporary crypt device. [Milan Broz] + +* Check device mapper communication and warn user in case the +communication fails. (thanks to Milan Broz) [Clemens Fruhwirth] + +* Fix signal handler to proper close device. (thanks to Milan Broz) +[Clemens Fruhwirth] + +* write_lseek_blockwise: declare innerCount outside the if block, +add -Wall to the default CFLAGS, * fix some signedness issues +(thanks to Ivan Stankovic) [Clemens Fruhwirth] + +* Error handling improvement. (thanks to Erik Edin) [Clemens Fruhwirth] + +* Add non-exclusive override to interface definition. [Clemens +Fruhwirth] + +* Refactor key slot selection into keyslot_from_option. Either +autoselect next free keyslot or honor user choice (after checking). +[Clemens Fruhwirth] diff --git a/docs/v1.1.0-ReleaseNotes b/docs/v1.1.0-ReleaseNotes new file mode 100644 index 0000000..7ee6dea --- /dev/null +++ b/docs/v1.1.0-ReleaseNotes @@ -0,0 +1,110 @@ +Cryptsetup 1.1.0 Release Notes +============================== + +Changes since version 1.0.7 +---------------------------- + +Important changes: +~~~~~~~~~~~~~~~~~~ + + * IMPORTANT: the default compiled-in cipher parameters changed + plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!). + LUKS mode: aes-cbc-essiv:sha256 (only key size increased) + In both modes is now default key size 256bits. + + * Default compiled-in parameters are now configurable through configure options: + --with-plain-* / --with-luks1-* (see configure --help) + + * If you need backward compatible defaults for distribution use + configure --with-plain-mode=cbc-plain --with-luks1-keybits=128 + + Default compiled-in modes are printed in "cryptsetup --help" output. + + * Change in iterations count (LUKS): + The slot and key digest iteration minimum count is now 1000. + The key digest iteration count is calculated from iteration time (approx 1/8 of req. time). + For more info about above items see discussion here: http://tinyurl.com/yaug97y + + * New libcryptsetup API (documented in libcryptsetup.h). + + The old API (using crypt_options struct) is still available but will remain + frozen and not used for new functions. + Soname of library changed to libcryptsetup.so.1.0.0. + (But only recompilation should be needed for old programs.) + + The new API provides much more flexible operation over LUKS device for + applications, it is preferred that new applications will use libcryptsetup + and not wrapper around cryptsetup binary. + + * New luksHeaderBackup and luksHeaderRestore commands. + + These commands allows binary backup of LUKS header. + Please read man page about possible security issues with backup files. + + * New luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase). + + luksSuspend wipe encryption key in kernel memory and set device to suspend + (blocking all IO) state. This option can be used for situations when you need + temporary wipe encryption key (like suspend to RAM etc.) + Please read man page for more information. + + * New --master-key-file option for luksFormat and luksAddKey. + + User can now specify pre-generated master key in file, which allows regenerating + LUKS header or add key with only master key knowledge. + + * Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option. + + Please note that using different hash for LUKS header make device incompatible with + old cryptsetup releases. + + * Introduces --debug parameter. + + Use when reporting bugs (just run cryptsetup with --debug and attach output + to issue report.) Sensitive data are never printed to this log. + + * Moves command successful messages to verbose level. + + * Requires device-mapper library and libgcrypt to build. + + * Uses dm-uuid for all crypt devices, contains device type and name now. + + * Removes support for dangerous non-exclusive option + (it is ignored now, LUKS device must be always opened exclusive) + +Other changes: +~~~~~~~~~~~~~~ + * Fixed localization to work again. Also cryptsetup is now translated by translationproject.org. + * Fix some libcryptsetup problems, including + * exported symbols and versions in libcryptsetup (properly use versioned symbols) + * Add crypt_log library function. + * Add CRYPT_ prefix to enum defined in libcryptsetup.h. + * Move duplicate Command failed message to verbose level (error is printed always). + * Fix several problems in build system + * use autopoint and clean gettext processing. + * Check in configure if selinux libraries are required in static version. + * Fix build for non-standard location of gcrypt library. + * Add temporary debug code to find processes locking internal device. + * Fix error handling during reading passphrase. + * Fail passphrase read if piped input no longer exists. + * Fix man page to not require --size which expands to device size by default. + * Clean up Makefiles and configure script. + * Try to read first sector from device to properly check that device is ready. + * Move memory locking and dm initialization to command layer. + * Increase priority of process if memory is locked. + * Add log macros and make logging more consistent. + * Keyfile now must be provided by path, only stdin file descriptor is used (api only). + * Do not call isatty() on closed keyfile descriptor. + * Move key slot manipulation function into LUKS specific code. + * Replace global options struct with separate parameters in helper functions. + * Implement old API calls using new functions. + * Allow using passphrase provided in options struct for LuksOpen. + * Allow restrict keys size in LuksOpen. + * Fix errors when compiled with LUKS_DEBUG. + * Print error when getline fails. + * Completely remove internal SHA1 implementation code, not needed anymore. + * Pad luks header to 512 sector size. + * Rework read/write blockwise to not split operation to many pieces. + * Use posix_memalign if available. + * Fix segfault if provided slot in luksKillslot is invalid. + * Remove unneeded timeout when remove of temporary device succeeded. diff --git a/docs/v1.1.1-ReleaseNotes b/docs/v1.1.1-ReleaseNotes new file mode 100644 index 0000000..e85107c --- /dev/null +++ b/docs/v1.1.1-ReleaseNotes @@ -0,0 +1,47 @@ +Cryptsetup 1.1.1 Release Notes +============================== + +Changes since version 1.1.1-rc2 +* Fix luksClose error if underlying device is LVM logical volume. + +Changes since version 1.1.1-rc1 +* Fix automatic dm-crypt module loading. + +Changes since version 1.1.0 + +Important changes: +~~~~~~~~~~~~~~~~~~ + +* Detects and use device-mapper udev support if available. + + This should allow synchronisation with udev rules and avoid races with udev. + + If package maintainer want to use old, direct libdevmapper device node creation, + use configure option --disable-udev. + +* Supports device topology detection for data alignment. + + If kernel provides device topology ioctl calls, the LUKS data area + alignment is automatically set to optimal value. + + This means that stacked devices (like LUKS over MD/LVM) + should use the most optimal data alignment. + + (You can still overwrite this calculation using --align-payload option.) + +* Prefers some device paths in status display. + (So status command will try to find top level device name, like /dev/sdb.) + +* Fix package config file to use proper package version. + +Other changes: +~~~~~~~~~~~~~~ +* Fix luksOpen reading of passphrase on stdin (if "-" keyfile specified). +* Fix isLuks to initialise crypto backend (blkid instead is suggested anyway). +* Properly initialise crypto backend in header backup/restore commands. +* Do not verify unlocking passphrase in luksAddKey command. +* Allow no hash specification in plain device constructor - user can provide volume key directly. +* Try to use pkgconfig for device mapper library in configuration script. +* Add some compatibility checks and disable LUKS suspend/resume if not supported. +* Rearrange tests, "make check" now run all available test for package. +* Avoid class C++ keyword in library header. diff --git a/docs/v1.1.2-ReleaseNotes b/docs/v1.1.2-ReleaseNotes new file mode 100644 index 0000000..9931f05 --- /dev/null +++ b/docs/v1.1.2-ReleaseNotes @@ -0,0 +1,33 @@ +== Cryptsetup 1.1.2 Release Notes == + +This release fixes a regression (introduced in 1.1.1 version) in handling +key files containing new line characters (affects only files read from +standard input). + +Cryptsetup can accept passphrase on stdin (standard input). + +Handling of new line (\n) character is defined by input specification: + + * if keyfile is specified as "-" (using --key-file=- of by "-" positional argument + in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action>), + input is processed as normal binary file and no new line is interpreted. + + * if there is no key file specification (with default input from stdin pipe + like echo passphrase | cryptsetup <action>) input is processed as input from terminal, + reading will stop after new line is detected. + +Moreover, luksFormat now understands --key-file (in addition to positional key +file argument). + +N.B. Using of standard input and pipes for passphrases should be avoided if possible, +cryptsetup have no control of used pipe buffers between commands in scripts and cannot +guarantee that all passphrase/key-file buffers are properly wiped after use. + +=== changes since version 1.1.1 === + + * Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile. + * Support --key-file/-d option for luksFormat. + * Fix description of --key-file and add --verbose and --debug options to man page. + * Add verbose log level and move unlocking message there. + * Remove device even if underlying device disappeared (remove, luksClose). + * Fix (deprecated) reload device command to accept new device argument. diff --git a/docs/v1.1.3-ReleaseNotes b/docs/v1.1.3-ReleaseNotes new file mode 100644 index 0000000..94ee73e --- /dev/null +++ b/docs/v1.1.3-ReleaseNotes @@ -0,0 +1,13 @@ +== Cryptsetup 1.1.3 Release Notes == + +=== changes since version 1.1.2 === + +* Fix device alignment ioctl calls parameters. + (Device alignment code was not working properly on some architectures like ppc64.) + +* Fix activate_by_* API calls to handle NULL device name as documented. + (To enable check of passphrase/keyfile using libcryptsetup without activating the device.) + +* Fix udev support for old libdevmapper with not compatible definition. + +* Added Polish translation file. diff --git a/docs/v1.2.0-ReleaseNotes b/docs/v1.2.0-ReleaseNotes new file mode 100644 index 0000000..f3061d9 --- /dev/null +++ b/docs/v1.2.0-ReleaseNotes @@ -0,0 +1,126 @@ +Cryptsetup 1.2.0 Release Notes +============================== + +Changes since version 1.2.0-rc1 + + * Fix crypt_activate_by_keyfile() to work with PLAIN devices. + * Fix plain create command to properly handle keyfile size. + * Update translations. + +Changes since version 1.1.3 + +Important changes +~~~~~~~~~~~~~~~~~ + + * Add text version of *FAQ* (Frequently Asked Questions) to distribution. + + * Add selection of random/urandom number generator for luksFormat + (option --use-random and --use-urandom). + + (This affects only long term volume key in *luksFormat*, + not RNG used for salt and AF splitter). + + You can also set the default to /dev/random during compilation with + --enable-dev-random. Compiled-in default is printed in --help output. + + Be very careful before changing default to blocking /dev/random use here. + + * Fix *luksRemoveKey* to not ask for remaining keyslot passphrase, + only for removed one. + + * No longer support *luksDelKey* (replaced with luksKillSlot). + * if you want to remove particular passphrase, use *luksKeyRemove* + * if you want to remove particular keyslot, use *luksKillSlot* + + Note that in batch mode *luksKillSlot* allows removing of any keyslot + without question, in normal mode requires passphrase or keyfile from + other keyslot. + + * *Default alignment* for device (if not overridden by topology info) + is now (multiple of) *1MiB*. + This reflects trends in storage technologies and aligns to the same + defaults for partitions and volume management. + + * Allow explicit UUID setting in *luksFormat* and allow change it later + in *luksUUID* (--uuid parameter). + + * All commands using key file now allows limited read from keyfile using + --keyfile-size and --new-keyfile-size parameters (in bytes). + + This change also disallows overloading of --key-size parameter which + is now exclusively used for key size specification (in bits.) + + * *luksFormat* using pre-generated master key now properly allows + using key file (only passphrase was allowed prior to this update). + + * Add --dump-master-key option for *luksDump* to perform volume (master) + key dump. Note that printed information allows accessing device without + passphrase so it must be stored encrypted. + + This operation is useful for simple Key Escrow function (volume key and + encryption parameters printed on paper on safe place). + + This operation requires passphrase or key file. + + * The reload command is no longer supported. + (Use dmsetup reload instead if needed. There is no real use for this + function except explicit data corruption:-) + + * Cryptsetup now properly checks if underlying device is in use and + disallows *luksFormat*, *luksOpen* and *create* commands on open + (e.g. already mapped or mounted) device. + + * Option --non-exclusive (already deprecated) is removed. + +Libcryptsetup API additions: + + * new functions + * crypt_get_type() - explicit query to crypt device context type + * crypt_resize() - new resize command using context + * crypt_keyslot_max() - helper to get number of supported keyslots + * crypt_get_active_device() - get active device info + * crypt_set/get_rng_type() - random/urandom RNG setting + * crypt_set_uuid() - explicit UUID change of existing device + * crypt_get_device_name() - get underlying device name + + * Fix optional password callback handling. + + * Allow to activate by internally cached volume key immediately after + crypt_format() without active slot (for temporary devices with + on-disk metadata) + + * libcryptsetup is binary compatible with 1.1.x release and still + supports legacy API calls + + * cryptsetup binary now uses only new API calls. + + * Static compilation of both library (--enable-static) and cryptsetup + binary (--enable-static-cryptsetup) is now properly implemented by common + libtool logic. + + Prior to this it produced miscompiled dynamic cryptsetup binary with + statically linked libcryptsetup. + + The static binary is compiled as src/cryptsetup.static in parallel + with dynamic build if requested. + +Other changes +~~~~~~~~~~~~~ + * Fix default plain password entry from terminal in activate_by_passphrase. + * Initialize volume key from active device in crypt_init_by_name() + * Fix cryptsetup binary exit codes. + 0 - success, otherwise fail + 1 - wrong parameters + 2 - no permission + 3 - out of memory + 4 - wrong device specified + 5 - device already exists or device is busy + * Remove some obsolete info from man page. + * Add more regression tests for commands. + * Fix possible double free when handling master key file. + * Fix pkg-config use in automake scripts. + * Wipe iteration and salt after luksKillSlot in LUKS header. + * Rewrite file differ test to C (and fix it to really work). + * Do not query non-existent device twice (cryptsetup status /dev/nonexistent). + * Check if requested hash is supported before writing LUKS header. + * Fix problems reported by clang scan-build. diff --git a/docs/v1.3.0-ReleaseNotes b/docs/v1.3.0-ReleaseNotes new file mode 100644 index 0000000..b7ae977 --- /dev/null +++ b/docs/v1.3.0-ReleaseNotes @@ -0,0 +1,101 @@ +Cryptsetup 1.3.0 Release Notes +============================== + +Changes since version 1.2.0 + +Important changes +~~~~~~~~~~~~~~~~~ + * Several userspace crypto backends support + + cryptsetup now supports generic crypto backend interface which allows + compile package with various crypto libraries, these are already implemented: + + * gcrypt (default, used in previous versions) + * OpenSSL + * NSS (because of missing ripemd160 it cannot provide full backward compatibility) + * kernel userspace API (provided by kernel 2.6.38 and above) + (Note that kernel userspace backend is very slow for this type of operation. + But it can be useful for embedded systems, because you can avoid userspace + crypto library completely.) + + Backend is selected during configure time, using --with-crypto_backend option. + + configure --with-crypto_backend=BACKEND (gcrypt/openssl/nss/kernel) [gcrypt] + + Note that performance checked (iterations) in LUKS header will cause that + real iteration time will differ with different backends. + (There are huge differences in speed between libraries.) + + * Cryptsetup now automatically allocates loopback device (/dev/loop) if device + argument is file and not plain device. + + This require Linux kernel 2.6.25 and above (which implements loop autoclear flag). + + You can see backing file in cryptsetup status output if underlying device is loopback. + + * Introduce maximum default keyfile size, add configure option, visible in --help. + + Cryptsetup now fails if read from keyfile exceeds internal limit. + You can always specify keyfile size (overrides limit) by using --keyfile-size option. + + * Adds luksChangeKey command + + cryptestup luksChangeKey --key-file <old keyfile> <new keyfile> [--key-slot X] + cryptestup luksChangeKey [--key-slot X] (for passphrase change) + + This command allows passphrase/keyfile change in one step. If no key slot is + specified (and there is still free key slot on device) new slot is allocated before + the old is purged. + + If --key-slot option is specified (or there is no free slot) command will overwrite + existing slot. + WARNING: Be sure you have another slot active or header backup when using explicit + key slot (so you can unlock the device even after possible media failure). + + * Adds compatible support for loop-AES encryption type in loopaesOpen command. + + Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping + (including multi-key and special CBC mode, all three modes are supported). + + If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can + access loop-AES volume using + cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file> + + If you are using GPG encrypted keyfile + gpg --decrypt <key-file> | cryptsetup loopaesOpen --key-file=- <device> <name> + + Do not forget to specify key size. Version and hash is automatically detected + according to number of lines in key file. For special configuration you can + override IV sector offset using --skip option, device offset with --offset + and hash algorithm using --hash, see man page for details. + + Please note that loopAES dm-crypt mode is provided for compatibility reasons + (so you do not need to patch kernel and util-linux to map existing volumes) + but it is not, and never will be, optimized for speed. + It is experimental feature for now. + + * Require the whole key read from keyfile in create command (regression in 1.2.0). + + * WARNING: This is the last cryptsetup release which supports library with + old API (using struct crypt_options). + These calls are deprecated since 1.1.0 and AFAIK no application + is using it in recent distros. Removing compatible code will allow + new features to be implemented easily. + +Other changes +~~~~~~~~~~~~~ + * Lock memory also in luksDump command. + * Fix return code when passphrase is read from pipe. + * Increase libcryptsetup version (loopAES change), still fully backward compatible. + * Fixes static build (--disable-static-cryptsetup now works properly). + * Supports secure data flag for device-mapper ioctl (will be in 2.6.39, + forcing kernel to wipe all ioctl buffers with possible key data). + To enable this flag you need new device-mapper library, in LVM2 2.02.84. + * Add copyright texts into some files and adds GPL exception allowing + to distribute resulting binaries linked with OpenSSL. + * Update FAQ. + * Fix message when locking memory fails. + * Fix luksAddKey return code if master key is used. + * Update some text files in distributions. + * Add docs directory with Release Notes archive. + * Do not hardcode loopback device name in tests, use internal loopback library. diff --git a/docs/v1.3.1-ReleaseNotes b/docs/v1.3.1-ReleaseNotes new file mode 100644 index 0000000..8b2d1dd --- /dev/null +++ b/docs/v1.3.1-ReleaseNotes @@ -0,0 +1,14 @@ +Cryptsetup 1.3.1 Release Notes +============================== + +Changes since version 1.3.0 + + * Fix keyfile=- processing in create command (regression in 1.3.0). + + * Simplify device path status check (use /sys and do not scan /dev). + + * Do not ignore device size argument for create command (regression in 1.2.0). + + * Fix error paths in blockwise code and lseek_write call. + + * Add optional Nettle crypto backend support. diff --git a/docs/v1.4.0-ReleaseNotes b/docs/v1.4.0-ReleaseNotes new file mode 100644 index 0000000..bef4e74 --- /dev/null +++ b/docs/v1.4.0-ReleaseNotes @@ -0,0 +1,131 @@ +Cryptsetup 1.4.0 Release Notes +============================== + +Changes since version 1.3.1 + +Important changes +~~~~~~~~~~~~~~~~~ + +WARNING: This release removes old deprecated API from libcryptsetup + (all functions using struct crypt_options). + + This require libcrypsetup version change and + rebuild of applications using cryptsetup library. + All new API symbols are backward compatible. + +* If device is not rotational disk, cryptsetup no longer tries + to wipe keyslot with Gutmann algorithm for magnetic media erase + but simply rewrites area once by random data. + +* The on-disk LUKS header can now be detached (e.g. placed on separate + device or in file) using new --header option. + + This option is only relevant for LUKS devices and can be used in + luksFormat, luksOpen, luksSuspend, luksResume and resize commands. + + If used with luksFormat the --align-payload option is taken + as absolute sector alignment on ciphertext device and can be zero. + + Example: + Create LUKS device with ciphertext device on /dev/sdb and header + on device /dev/sdc. Use all space on /dev/sdb (no reserved area for header). + + cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0 + + Activate such device: + cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk + + You can use file for LUKS header (loop device will be used while + manipulating with such detached header), just you have to create + large enough file in advance. + + dd if=/dev/zero of=/mnt/luks_header bs=1M count=4 + cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0 + + Activation is the same as above. + + cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk + + All keyslot operations need to be run on _header_ not on ciphertext device, + an example: + + cryptsetup luksAddKey /mnt/luks_header + + If you do not use --align-payload 0, you can later restore LUKS header + on device itself (and use it as normal LUKS device without detached header). + + WARNING: There is no possible check that specified ciphertext device + matches detached on-disk header. Use with care, it can destroy + your data in case of a mistake. + + WARNING: Storing LUKS header in a file means that anti-forensic splitter + cannot properly work (there is filesystem allocation layer between + header and disk). + +* Support --allow-discards option to allow discards/TRIM requests. + + Since kernel 3.1, dm-crypt devices optionally (not by default) support + block discards (TRIM) commands. + If you want to enable this operation, you have to enable it manually + on every activation using --allow-discards + + cryptsetup luksOpen --allow-discards /dev/sdb test_disk + + WARNING: There are several security consequences, please read at least + http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html + before you enable it. + +* Add --shared option for creating non-overlapping crypt segments. + + The --shared options checks that mapped segments are not overlapping + and allows non-exclusive access to underlying device. + Only plain crypt devices can be used in this mode. + + Example - map 64M of device disk and following 32 M area as another disk. + + cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536 + cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared + + (It can be used to simulate trivial hidden disk concepts.) + +libcryptsetup API changes: + * Added options to support detached metadata device + crypt_init_by_name_and_header() + crypt_set_data_device() + * Add crypt_last_error() API call. + * Fix plain crypt format parameters to include size option. + * Add crypt_get_iv_offset() function. + + * Remove old API functions (all functions using crypt_options). + +* Support key-slot option for luksOpen (use only explicit keyslot). + + You can now specify key slot in luksOpen and limit checking + only to specified slot. + +* Support retries and timeout parameters for luksSuspend. + (The same way as in luksOpen.) + +* Add doxygen-like documentation (it will be available on project page later). + (To generate it manually run doxygen in docs directory.) + +Other changes +~~~~~~~~~~~~~ +* Fix crypt_load to properly check device size. +* Do not allow context format of already formatted device. +* Do not allow key retrieval while suspended (key could be wiped). +* Do not allow suspend for non-LUKS devices. +* Fix luksKillSLot exit code if slot is inactive or invalid. +* Fix exit code if passphrases do not match in luksAddKey. +* Fix return code for status command when device doesn't exists. +* Fix verbose messages in isLuks command. +* Support Nettle 2.4 crypto backend (supports ripemd160). +* Add LUKS on-disk format description into package. +* Enhance check of device size before writing LUKS header. +* Add more paranoid checks for LUKS header and keyslot attributes. +* Use new /dev/loop-control (kernel 3.1) if possible. +* Remove hash/hmac restart from crypto backend and make it part of hash/hmac final. +* Improve check for invalid offset and size values. +* Revert default initialisation of volume key in crypt_init_by_name(). +* Add more regression tests. +* Add some libcryptsetup example files (see docs/examples). diff --git a/docs/v1.4.1-ReleaseNotes b/docs/v1.4.1-ReleaseNotes new file mode 100644 index 0000000..ea68cb8 --- /dev/null +++ b/docs/v1.4.1-ReleaseNotes @@ -0,0 +1,25 @@ +Cryptsetup 1.4.1 Release Notes +============================== + +Changes since version 1.4.0 + +* Merge experimental Python cryptsetup (pycryptsetup) binding. + + This option is disabled by default, you can enable build of Python binding + with --enable--python configure switch. + + Note that binding currently covers only partial libcryptsetup functions, + mainly LUKS device handling needed for Anaconda installer. + Until now provided separately as python-cryptsetup. + Thanks to Martin Sivak for the code. + + See python subdirectory for more info. + + Python binding code is experimental for now, no stable API guarantee. + +* Fix crypt_get_volume_key_size() for plain device. + (cryptsetup status reported zero key size for plain crypt devices). + +* Fix typo in set_iteration_time API call (old name remains for compatibility reasons). + +* Fix FSF address in license and add LGPL license text. diff --git a/docs/v1.4.2-ReleaseNotes b/docs/v1.4.2-ReleaseNotes new file mode 100644 index 0000000..9dbeb46 --- /dev/null +++ b/docs/v1.4.2-ReleaseNotes @@ -0,0 +1,44 @@ +Cryptsetup 1.4.2 Release Notes +============================== + +Changes since version 1.4.1 + +* Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI. + These options can be used to skip start of keyfile or device used as keyfile. + +* Add repair command and crypt_repair() for known LUKS metadata problems repair. + + Some well-known LUKS metadata corruptions are easy to repair, this + command should provide a way to fix these problems. + + Always create binary backup of header device before running repair, + (only 4kB - visible header) for example by using dd: + dd if=/dev/<LUKS header device> of=repair_bck.img bs=1k count=4 + + Then you can try to run repair: + cryptsetup repair <device> + + Note, not all problems are possible to repair and if keyslot or some header + parameters are overwritten, device is lost permanently. + +* Fix header check to support old (cryptsetup 1.0.0) header alignment. + (Regression in 1.4.0) + +* Allow to specify --align-payload only for luksFormat. + +* Add --master-key-file option to luksOpen (open using volume key). + +* Support UUID=<LUKS_UUID> format for device specification. + You can open device by UUID (only shortcut to /dev/disk/by-uuid/ symlinks). + +* Support password verification with quiet flag if possible. (1.2.0) + Password verification can be still possible if input is terminal. + +* Fix retry if entered passphrases (with verify option) do not match. + (It should retry if requested, not fail.) + +* Fix use of empty keyfile. + +* Fix error message for luksClose and detached LUKS header. + +* Allow --header for status command to get full info with detached header. diff --git a/docs/v1.4.3-ReleaseNotes b/docs/v1.4.3-ReleaseNotes new file mode 100644 index 0000000..f084e06 --- /dev/null +++ b/docs/v1.4.3-ReleaseNotes @@ -0,0 +1,62 @@ +Cryptsetup 1.4.3 Release Notes +============================== + +Changes since version 1.4.2 + +* Fix readonly activation if underlying device is readonly (1.4.0). + +* Fix loop mapping on readonly file. + +* Include stddef.h in libdevmapper.h (size_t definition). + +* Fix keyslot removal for device with 4k hw block (1.4.0). +(Wipe keyslot failed in this case.) + +* Relax --shared flag to allow mapping even for overlapping segments. + + The --shared flag (and API CRYPT_ACTIVATE_SHARED flag) is now able + to map arbitrary overlapping area. From API it is even usable + for LUKS devices. + It is user responsibility to not cause data corruption though. + + This allows e.g. scubed to work again and also allows some + tricky extensions later. + +* Allow empty cipher (cipher_null) for testing. + + You can now use "null" (or directly cipher_null-ecb) in cryptsetup. + This means no encryption, useful for performance tests + (measure dm-crypt layer overhead). + +* Switch on retry on device remove for libdevmapper. + Device-mapper now retry removal if device is busy. + +* Allow "private" activation (skip some udev global rules) flag. + Cryptsetup library API now allows to specify CRYPT_ACTIVATE_PRIVATE, + which means that some udev rules are not processed. + (Used for temporary devices, like internal keyslot mappings where + it is not desirable to run any device scans.) + +* This release also includes some Red Hat/Fedora specific extensions +related to FIPS140-2 compliance. + +In fact, all these patches are more formal changes and are just subset +of building blocks for FIPS certification. See FAQ for more details +about FIPS. + +FIPS extensions are enabled by using --enable-fips configure switch. + +In FIPS mode (kernel booted with fips=1 and gcrypt in FIPS mode) + + - it provides library and binary integrity verification using + libfipscheck (requires pre-generated checksums) + + - it uses FIPS approved RNG for encryption key and salt generation + (note that using /dev/random is not formally FIPS compliant RNG). + + - only gcrypt crypto backend is currently supported in FIPS mode. + +The FIPS RNG requirement for salt comes from NIST SP 800-132 recommendation. +(Recommendation for Password-Based Key Derivation. Part 1: Storage Applications. +http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf) +LUKS should be aligned to this recommendation otherwise. diff --git a/docs/v1.5.0-ReleaseNotes b/docs/v1.5.0-ReleaseNotes new file mode 100644 index 0000000..9f1e1d1 --- /dev/null +++ b/docs/v1.5.0-ReleaseNotes @@ -0,0 +1,241 @@ +Cryptsetup 1.5.0 Release Notes +============================== + +This release covers mainly inclusion of: + + * Veritysetup tool (and related libcryptsetup extensions for dm-verity). + + * Experimental cryptsetup-reencrypt tool (LUKS offline reencryption). + +Changes since version 1.5.0-rc2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Add --device-size option for reencryption tool. + + * Switch to use unit suffix for --reduce-device-size option. + + * Remove open device debugging feature (no longer needed). + + * Fix library name for FIPS check. + + * Add example of using reencryption inside dracut (see misc/dracut). + +Changes since version 1.5.0-rc1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Introduce cryptsetup-reencrypt - experimental offline LUKS reencryption tool. + +! cryptsetup-reencrypt tool is EXPERIMENTAL +! ALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS TOOL + +This tool tries to simplify situation when you need to re-encrypt the whole +LUKS device in situ (without need to move data elsewhere). + +This can happen for example when you want to change volume (master) key, +encryption algorithm, or other encryption parameter. + +Cryptsetup-reencrypt can even optionally shift data on device +(reducing data device size - you need some free space at the end of device). + +In general, cryptsetup-reencrypt can be used to + + - re-generate volume key + - change arbitrary encryption parameters + - add encryption to not yet encrypted drive + +Side effect of reencryption is that final device will contain +only ciphertext (for all sectors) so even if device was not properly +wiped by random data, after reencryption you cannot distinguish +which sectors are used. +(Reencryption is done always for the whole device.) + +There are for sure bugs, please TEST IT IN TEST ENVIRONMENT before +use for your data. + +This tool is not resistant to HW and kernel failures - hw crash +will cause serious data corruption. + +You can enable compilation of this tool with --enable-cryptsetup-reencrypt +configure option (it is switched off by default). +(Tool requires libcryptsetup 1.4.3 and later.) + +You have to provide all keyslot passphrases or use --keyslot-option +(then all other keyslots will be disabled). + +EXAMPLES (from man page) + +Reencrypt /dev/sdb1 (change volume key) + # cryptsetup-reencrypt /dev/sdb1 + +Reencrypt and also change cipher and cipher mode + # cryptsetup-reencrypt /dev/sdb1 -c aes-xts-plain64 + + Note: if you are changing key size, there must be enough space + for keyslots in header or you have to use --reduce-device size and + reduce fs in advance. + +Add LUKS encryption to not yet encrypted device + First, be sure you have space added to disk. + Or, alternatively, shrink filesystem in advance. + + Here we need 4096 512-bytes sectors (enough for 2x128 bit key). + + # fdisk -u /dev/sdb # move sdb1 partition end + 4096 sectors + + # cryptsetup-reencrypt /dev/sdb1 --new --reduce-device-size 4096 + +There are some options which can improve performance (depends on system), +namely --use-directio (use direct IO for all operations) can be faster +on some systems. See man page. + +Progress and estimated time is printed during reencryption. + +You can suspend reencryption (using ctrl+c or term signal). +To continue reencryption you have to provide only +the device parameter (offset is stored in temporary log file). + +Please note LUKS device is marked invalid during reencryption and +you have to retain tool temporary files until reencryption finishes. + +Temporary files are LUKS-<uuid>.[log|org|new] + +Other changes +~~~~~~~~~~~~~ + + * Fix luks-header-from-active script (do not use LUKS header on-disk, add UUID). + + * Add --test-passphrase option for luksOpen (check passphrase only). + + * Fix parsing of hexadecimal string (salt or root hash) in veritysetup. + +Changes since version 1.4.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Introduce veritysetup tool for dm-verity target management. + +The dm-verity device-mapper target was added to Linux kernel 3.4 and +provides transparent integrity checking of block devices using a cryptographic +digest provided by the kernel crypto API. This target is read-only. + +It is meant to be setup as part of a verified boot path (it was originally +developed by Chrome OS authors as part of verified boot infrastructure). + +For deeper description please see http://code.google.com/p/cryptsetup/wiki/DMVerity +and kernel dm-verity documentation. + +The libcryptsetup library was extended to support manipulation +with dm-verity kernel module and new veritysetup CLI tool is added. + +There are no additional library requirements (it uses the same crypto +backend as cryptsetup). + +If you want compile cryptsetup without veritysetup tool, +use --disable-veritysetup configure option. +For other configuration option see configure --help and veritysetup --help +(e.g. default parameters). + +Supported libcryptsetup functions new CRYPT_VERITY type: + crypt_init + crypt_init_by_name + crypt_set_data device + crypt_get_type + crypt_format + crypt_load + crypt_get_active_device + crypt_activate_by_volume_key (volume key == root hash here) + crypt_dump +and new introduced function + crypt_get_verity_info + +Please see comments in libcryptsetup.h and veritysetup.c as an code example +how to use CRYPT_VERITY API. + +The veritysetup tool supports these operations: + + veritysetup format <data_device> <hash_device> + Formats <hash_device> (calculates all hash areas according to <data_device>). + This is initial command to prepare device <hash_device> for later verification. + + veritysetup create <name> <data_device> <hash_device> <root_hash> + Creates (activates) a dm-verity mapping with <name> backed by device <data_device> + and using <hash_device> for in-kernel verification. + + veritysetup verify <data_device> <hash_device> <root_hash> + Verifies data in userspace (no kernel device is activated). + + veritysetup remove <name> + Removes activated device from kernel (similar to dmsetup remove). + + veritysetup status <name> + Reports status for the active kernel dm-verity device. + + veritysetup dump <hash_device> + Reports parameters of verity device from on-disk stored superblock. + +For more info see veritysetup --help and veritysetup man page. + +Other changes +~~~~~~~~~~~~~ + + * Both data and header device can now be a file and + loop device is automatically allocated. + + * Require only up to last keyslot area for header device, previously + backup (and activation) required device/file of size up to data start + offset (data payload). + + * Fix header backup and restore to work on files with large data offset. + Backup and restore now works even if backup file is smaller than data offset. + +Appendix: Examples of veritysetup use +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Format device using default parameters, info and final root hash is printed: + # veritysetup format /dev/sdb /dev/sdc + VERITY header information for /dev/sdc + UUID: fad30431-0c59-4fa6-9b57-732a90501f75 + Hash type: 1 + Data blocks: 52224 + Data block size: 4096 + Hash block size: 4096 + Hash algorithm: sha256 + Salt: 5cc52759af76a092e0c21829cd0ef6938f69831bf86926525106f92a7e9e3aa9 + Root hash: 7aefa4506f7af497ac491a27f862cf8005ea782a5d97f6426945a6896ab557a1 + + Activation of device in-kernel: + # veritysetup create vr /dev/sdb /dev/sdc 7aefa4506f7af497ac491a27f862cf8005ea782a5d97f6426945a6896ab557a1 + Note - if device is corrupted, kernel mapping is created but will report failure: + Verity device detected corruption after activation. + + Userspace verification: + # veritysetup verify /dev/sdb /dev/sdc 7aefa4506f7af497ac491a27f862cf8005ea782a5d97f6426945a6896ab557a1 + Verification failed at position 8192. + Verification of data area failed. + + Active device status report: + # veritysetup status vr + /dev/mapper/vr is active. + type: VERITY + status: verified + hash type: 1 + data block: 4096 + hash block: 4096 + hash name: sha256 + salt: 5cc52759af76a092e0c21829cd0ef6938f69831bf86926525106f92a7e9e3aa9 + data device: /dev/sdb + size: 417792 sectors + mode: readonly + hash device: /dev/sdc + hash offset: 8 sectors + + Dump of on-disk superblock information: + # veritysetup dump /dev/sdc + VERITY header information for /dev/sdc + UUID: fad30431-0c59-4fa6-9b57-732a90501f75 + Hash type: 1 + Data blocks: 52224 + Data block size: 4096 + Hash block size: 4096 + Hash algorithm: sha256 + Salt: 5cc52759af76a092e0c21829cd0ef6938f69831bf86926525106f92a7e9e3aa9 + + Remove mapping: + # veritysetup remove vr diff --git a/docs/v1.5.1-ReleaseNotes b/docs/v1.5.1-ReleaseNotes new file mode 100644 index 0000000..7202a8c --- /dev/null +++ b/docs/v1.5.1-ReleaseNotes @@ -0,0 +1,32 @@ +Cryptsetup 1.5.1 Release Notes +============================== + +Changes since version 1.5.0 + +* The libcryptsetup library now tries to initialize device-mapper backend and + loop devices only if they are really needed (lazy initializations). + This allows some operations to be run by a non-root user. + + (Unfortunately LUKS header keyslot operations still require temporary dm-crypt + device and device-mapper subsystem is available only to superuser.) + + Also clear error messages are provided if running as non-root user and + operation requires privileged user. + +* Veritysetup can be now used by a normal user for creating hash image to file + and also it can create hash image if doesn't exist. + (Previously it required pre-allocated space.) + +* Added crypt_keyslot_area() API call which allows external tools + to get exact keyslot offsets and analyse content. + + An example of a tool that searches the keyslot area of a LUKS container + for positions where entropy is low and hence there is a high probability + of damage is in misc/kesylot_checker. + (Thanks to Arno Wagner for the code.) + +* Optimized seek to keyfile-offset if key offset is large. + +* Fixed luksHeaderBackup for very old v1.0 unaligned LUKS headers. + +* Various fixes for problems found by a several static analysis tools. diff --git a/docs/v1.6.0-ReleaseNotes b/docs/v1.6.0-ReleaseNotes new file mode 100644 index 0000000..fe8770d --- /dev/null +++ b/docs/v1.6.0-ReleaseNotes @@ -0,0 +1,261 @@ +Cryptsetup 1.6.0 Release Notes +============================== + +Changes since version 1.6.0-rc1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Change LUKS default cipher to to use XTS encryption mode, + aes-xts-plain64 (i.e. using AES128-XTS). + + XTS mode becomes standard in hard disk encryption. + + You can still use any old mode: + - compile cryptsetup with old default: + configure --with-luks1-cipher=aes --with-luks1-mode=cbc-essiv:sha256 --with-luks1-keybits=256 + - format LUKS device with old default: + cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 <device> + + + * Skip tests and fix error messages if running on old systems (or with old kernel). + + * Rename configure.in to configure.ac and fix issues with new automake and pkgconfig + and --disable-kernel_crypto option to allow compilation with old kernel headers. + + * Allow repair of 512 bits key header. + + * Fix status of device if path argument is used and fix double path prefix + for non-existent device path. + + +Changes since version 1.5.1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Important changes +~~~~~~~~~~~~~~~~~ + + * Cryptsetup and libcryptsetup is now released under GPLv2+ + (GPL version 2 or any later). + Some internal code handling files (loopaes, verity, tcrypt + and crypto backend wrapper) are LGPLv2+. + + Previously code was GPL version 2 only. + + + * Introducing new unified command open and close. + + Example: + cryptsetup open --type plain|luks|loopaes|tcrypt <device> <name> + (type defaults to luks) + + with backward-compatible aliases plainOpen, luksOpen, loopaesOpen, + tcryptOpen. Basically "open --type xyz" has alias "xyzOpen". + + The "create" command (plain device create) is DEPRECATED but will + be still supported. + (This command is confusing because of switched arguments order.) + + The close command is generic command to remove mapping and have + backward compatible aliases (remove, luksClose, ...) which behaves + exactly the same. + + While all old syntax is still supported, I strongly suggest to use + new command syntax which is common for all device types (and possible + new formats added in future). + + + * cryptsetup now support directly TCRYPT (TrueCrypt and compatible tc-play) + on-disk format + (Code is independent implementation not related to original project). + + Only dump (tcryptDump command) and activation (open --type tcrypt or tcryptOpen) + of TCRYPT device are supported. No header changes are supported. + + It is intended to easily access containers shared with other operating systems + without need to install 3rd party software. For native Linux installations LUKS + is the preferred format. + + WARNING: TCRYPT extension requires kernel userspace crypto API to be + available (introduced in Linux kernel 2.6.38). + If you are configuring kernel yourself, enable "User-space interface + for symmetric key cipher algorithms" in "Cryptographic API" section + (CRYPTO_USER_API_SKCIPHER .config option). + + Because TCRYPT header is encrypted, you have to always provide valid + passphrase and keyfiles. Keyfiles are handled exactly the same as in original + format (basically, first 1MB of every keyfile is mixed using CRC32 into pool). + + Cryptsetup should recognize all TCRYPT header variants ever released, except + legacy cipher chains using LRW encryption mode with 64 bits encryption block + (namely Blowfish in LRW mode is not recognized, this is limitation of kernel + crypto API). + + Device activation is supported only for LRW/XTS modes (again, limitation + of kernel dmcrypt which do not implements TCRYPT extensions to CBC mode). + (So old containers cannot be activated, but you can use libcryptsetup + for lost password search, example of such code is included in misc directory.) + + Hidden header are supported using --tcrypt-hidden option, system encryption + using --tcrypt-system option. + + For detailed description see man page. + + EXAMPLE: + * Dump device parameters of container in file: + + # cryptsetup tcryptDump tst + Enter passphrase: + + TCRYPT header information for tst + Version: 5 + Driver req.: 7 + Sector size: 512 + MK offset: 131072 + PBKDF2 hash: sha512 + Cipher chain: serpent-twofish-aes + Cipher mode: xts-plain64 + MK bits: 1536 + + You can also dump master key using --dump-master-key. + Dump does not require superuser privilege. + + * Activation of this container + + # cryptsetup tcryptOpen tst tcrypt_dev + Enter passphrase: + (Chain of dmcrypt devices is activated as /dev/mapper/tcrypt_dev.) + + * See status of active TCRYPT device + + # cryptsetup status tcrypt_dev + + /dev/mapper/tcrypt_dev is active. + type: TCRYPT + cipher: serpent-twofish-aes-xts-plain64 + keysize: 1536 bits + device: /dev/loop0 + loop: /tmp/tst + offset: 256 sectors + size: 65024 sectors + skipped: 256 sectors + mode: read/write + + * And plaintext filesystem now ready to mount + + # blkid /dev/mapper/tcrypt_dev + /dev/mapper/tcrypt_dev: SEC_TYPE="msdos" UUID="9F33-2954" TYPE="vfat" + + + * Add (optional) support for lipwquality for new LUKS passwords. + + If password is entered through terminal (no keyfile specified) + and cryptsetup is compiled with --enable-pwquality, default + system pwquality settings are used to check password quality. + + You can always override this check by using new --force-password option. + + For more info about pwquality project see http://libpwquality.fedorahosted.org/ + + + * Proper handle interrupt signals (ctrl+c and TERM signal) in tools + + Code should now handle interrupt properly, release and explicitly wipe + in-memory key materials on interrupt. + (Direct users of libcryptsetup should always call crypt_free() when + code is interrupted to wipe all resources. There is no signal handling + in library, it is up to the tool using it.) + + + * Add new benchmark command + + The "benchmark" command now tries to benchmark PBKDF2 and some block + cipher variants. You can specify you own parameters (--cipher/--key-size + for block ciphers, --hash for PBKDF2). + + See man page for detailed description. + + WARNING: benchmark command requires kernel userspace crypto API to be + available (introduced in Linux kernel 2.6.38). + If you are configuring kernel yourself, enable "User-space interface + for symmetric key cipher algorithms" in "Cryptographic API" section + (CRYPTO_USER_API_SKCIPHER .config option). + + EXAMPLE: + # cryptsetup benchmark + # Tests are approximate using memory only (no storage IO). + PBKDF2-sha1 111077 iterations per second + PBKDF2-sha256 53718 iterations per second + PBKDF2-sha512 18832 iterations per second + PBKDF2-ripemd160 89775 iterations per second + PBKDF2-whirlpool 23918 iterations per second + # Algorithm | Key | Encryption | Decryption + aes-cbc 128b 212.0 MiB/s 428.0 MiB/s + serpent-cbc 128b 23.1 MiB/s 66.0 MiB/s + twofish-cbc 128b 46.1 MiB/s 50.5 MiB/s + aes-cbc 256b 163.0 MiB/s 350.0 MiB/s + serpent-cbc 256b 23.1 MiB/s 66.0 MiB/s + twofish-cbc 256b 47.0 MiB/s 50.0 MiB/s + aes-xts 256b 190.0 MiB/s 190.0 MiB/s + serpent-xts 256b 58.4 MiB/s 58.0 MiB/s + twofish-xts 256b 49.0 MiB/s 49.5 MiB/s + aes-xts 512b 175.0 MiB/s 175.0 MiB/s + serpent-xts 512b 59.0 MiB/s 58.0 MiB/s + twofish-xts 512b 48.5 MiB/s 49.5 MiB/s + + Or you can specify cipher yourself: + # cryptsetup benchmark --cipher cast5-cbc-essiv:sha256 -s 128 + # Tests are approximate using memory only (no storage IO). + # Algorithm | Key | Encryption | Decryption + cast5-cbc 128b 32.4 MiB/s 35.0 MiB/s + + WARNING: these tests do not use dmcrypt, only crypto API. + You have to benchmark the whole device stack and you can get completely + different results. But is is usable for basic comparison. + (Note for example AES-NI decryption optimization effect in example above.) + +Features +~~~~~~~~ + + * Do not maintain ChangeLog file anymore, see git log for detailed changes, + e.g. here http://code.google.com/p/cryptsetup/source/list + + * Move change key into library, add crypt_keyslot_change_by_passphrase(). + This change is useful mainly in FIPS mode, where we cannot + extract volume key directly from libcryptsetup. + + * Add verbose messages during reencryption. + + * Default LUKS PBKDF2 iteration time is now configurable. + + * Add simple cipher benchmarking API. + + * Add kernel skcipher backend. + + * Add CRC32 implementation (for TCRYPT). + + * Move PBKDF2 into crypto backend wrapper. + This allows use it in other formats, use library implementations and + also possible use of different KDF function in future. + + * New PBKDF2 benchmark using getrusage(). + +Fixes +~~~~~ + + * Avoid O_DIRECT open if underlying storage doesn't support it. + + * Fix some non-translated messages. + + * Fix regression in header backup (1.5.1) with container in file. + + * Fix blockwise read/write for end writes near end of device. + (was not used in previous versions) + + * Ignore setpriority failure. + + * Code changes to fix/ignore problems found by Coverity static analysis, including + - Get page size should never fail. + - Fix time of check/use (TOCTOU test) in tools + - Fix time of check/use in loop/wipe utils. + - Fix time of check/use in device utils. + + * Disallow header restore if context is non-LUKS device. diff --git a/docs/v1.6.1-ReleaseNotes b/docs/v1.6.1-ReleaseNotes new file mode 100644 index 0000000..8fdc7d0 --- /dev/null +++ b/docs/v1.6.1-ReleaseNotes @@ -0,0 +1,32 @@ +Cryptsetup 1.6.1 Release Notes +============================== + +Changes since version 1.6.0 + +* Fix loop-AES keyfile parsing. + Loop-AES keyfile should be text keyfile, reject keyfiles which + are not properly terminated. + +* Fix passphrase pool overflow for too long TCRYPT passphrase. + (Maximal TCRYPT passphrase length is 64 characters.) + +* Return EPERM (translated to exit code 2) for too long TCRYPT passphrase. + +* Fix deactivation of device when failed underlying node disappeared. + +* Fix API deactivate call for TCRYPT format and NULL context parameter. + +* Improve keyslot checker example documentation. + +* Report error message if deactivation fails and device is still busy. + +* Make passphrase prompts more consistent (and remove "LUKS" form prompt). + +* Fix some missing headers (compilation failed with alternative libc). + +* Remove not functional API UUID support for plain & loopaes devices. + (not persistent activation UUID). + +* Properly cleanup devices on interrupt in api-test. + +* Support all tests run if kernel is in FIPS mode. diff --git a/docs/v1.6.2-ReleaseNotes b/docs/v1.6.2-ReleaseNotes new file mode 100644 index 0000000..192f4a6 --- /dev/null +++ b/docs/v1.6.2-ReleaseNotes @@ -0,0 +1,25 @@ +Cryptsetup 1.6.2 Release Notes +============================== + +Changes since version 1.6.1 + +* Print error and fail if more device arguments are present for isLuks command. + +* Fix cipher specification string parsing (found by gcc -fsanitize=address option). + +* Try to map TCRYPT system encryption through partition + (allows to activate mapping when other partition on the same device is mounted). + +* Print a warning if system encryption is used and device is a partition. + (TCRYPT system encryption uses whole device argument.) + +* Disallow explicit small payload offset for LUKS detached header. + LUKS detached header only allows data payload 0 (whole data device is used) + or explicit offset larger than header + keyslots size. + +* Fix boundary condition for verity device that caused failure for certain device sizes. + +* Various fixes to documentation, including update FAQ, default modes + and TCRYPT description. + +* Workaround for some recent changes in automake (serial-tests). diff --git a/docs/v1.6.3-ReleaseNotes b/docs/v1.6.3-ReleaseNotes new file mode 100644 index 0000000..24254b8 --- /dev/null +++ b/docs/v1.6.3-ReleaseNotes @@ -0,0 +1,50 @@ +Cryptsetup 1.6.3 Release Notes +============================== + +Changes since version 1.6.2 + +* Fix cryptsetup reencryption tool to work properly + with devices using 4kB sectors. + +* Always use page size if running through loop device, + this fixes failures for external LUKS header and + filesystem requiring 4kB block size. + +* Fix TCRYPT system encryption mapping for multiple partitions. + Since this commit, one can use partition directly as device parameter. + If you need to activate such partition from image in file, + please first use map partitioned loop device (losetup -P) + on image. + (Cryptsetup require partition offsets visible in kernel sysfs + in this mode.) + +* Support activation of old TrueCrypt containers using CBC mode + and whitening (created in TrueCrypt version < 4.1). + This requires Linux kernel 3.13 or later. + (Containers with cascade CBC ciphers are not supported.) + +* Properly display keys in dump --dump-master-key command + for TrueCrypt CBC containers. + +* Rewrite cipher benchmark loop which was unreliable + on very fast machines. + +* Add warning if LUKS device was activated using non-cryptsetup + library which did not set UUID properly (e.g. cryptmount). + (Some commands, like luksSuspend, are not available then.) + +* Support length limitation also for plain (no hash) length. + This can be used for mapping problematic cryptosystems which + wipes some key (losetup sometimes set last 32 byte to zero, + which can be now configured as --hash plain:31 parameter). + +* Fix hash limit if parameter is not a number. + (The whole key was set to zero instead of command failure.) + +* Unify --key-slot behavior in cryptsetup_reencrypt tool. + +* Update dracut example scripts for system reencryption on first boot. + +* Add command line option --tcrypt-backup to access TCRYPT backup header. + +* Fix static compilation with OpenSSL. diff --git a/docs/v1.6.4-ReleaseNotes b/docs/v1.6.4-ReleaseNotes new file mode 100644 index 0000000..ebc71cb --- /dev/null +++ b/docs/v1.6.4-ReleaseNotes @@ -0,0 +1,57 @@ +Cryptsetup 1.6.4 Release Notes +============================== + +Changes since version 1.6.3 + +* Implement new erase (with alias luksErase) command. + + The erase cryptsetup command can be used to permanently erase + all keyslots and make the LUKS container inaccessible. + (The only way to unlock such device is to use LUKS header backup + created before erase command was used.) + + You do not need to provide any password for this operation. + + This operation is irreversible. + +* Add internal "whirlpool_gcryptbug hash" for accessing flawed + Whirlpool hash in gcrypt (requires gcrypt 1.6.1 or above). + + The gcrypt version of Whirlpool hash algorithm was flawed in some + situations. + + This means that if you used Whirlpool in LUKS header and upgraded + to new gcrypt library your LUKS container become inaccessible. + + Please refer to cryptsetup FAQ for detail how to fix this situation. + +* Allow to use --disable-gcrypt-pbkdf2 during configuration + to force use internal PBKDF2 code. + +* Require gcrypt 1.6.1 for imported implementation of PBKDF2 + (PBKDF2 in gcrypt 1.6.0 is too slow). + +* Add --keep-key to cryptsetup-reencrypt. + + This allows change of LUKS header hash (and iteration count) without + the need to reencrypt the whole data area. + (Reencryption of LUKS header only without master key change.) + +* By default verify new passphrase in luksChangeKey and luksAddKey + commands (if input is from terminal). + +* Fix memory leak in Nettle crypto backend. + +* Support --tries option even for TCRYPT devices in cryptsetup. + +* Support --allow-discards option even for TCRYPT devices. + (Note that this could destroy hidden volume and it is not suggested + by original TrueCrypt security model.) + +* Link against -lrt for clock_gettime to fix undefined reference + to clock_gettime error (introduced in 1.6.2). + +* Fix misleading error message when some algorithms are not available. + +* Count system time in PBKDF2 benchmark if kernel returns no self usage info. + (Workaround to broken getrusage() syscall with some hypervisors.) diff --git a/docs/v1.6.5-ReleaseNotes b/docs/v1.6.5-ReleaseNotes new file mode 100644 index 0000000..dc9f525 --- /dev/null +++ b/docs/v1.6.5-ReleaseNotes @@ -0,0 +1,54 @@ +Cryptsetup 1.6.5 Release Notes +============================== + +Changes since version 1.6.4 + +* Allow LUKS header operation handling without requiring root privilege. + It means that you can manipulate with keyslots as a regular user, only + write access to device (or image) is required. + + This requires kernel crypto wrapper (similar to TrueCrypt device handling) + to be available (CRYPTO_USER_API_SKCIPHER kernel option). + If this kernel interface is not available, code fallbacks to old temporary + keyslot device creation (where root privilege is required). + + Note that activation, deactivation, resize and suspend operations still + need root privilege (limitation of kernel device-mapper backend). + +* Fix internal PBKDF2 key derivation function implementation for alternative + crypto backends (kernel, NSS) which do not support PBKDF2 directly and have + issues with longer HMAC keys. + + This fixes the problem for long keyfiles where either calculation is too slow + (because of internal rehashing in every iteration) or there is a limit + (kernel backend seems to not support HMAC key longer than 20480 bytes). + + (Note that for recent version of gcrypt, nettle or openssl the internal + PBKDF2 code is not compiled in and crypto library internal functions are + used instead.) + +* Support for Python3 for simple Python binding. + Python >= 2.6 is now required. You can set Python compiled version by setting + --with-python_version configure option (together with --enable-python). + +* Use internal PBKDF2 in Nettle library for Nettle crypto backend. + Cryptsetup compilation requires Nettle >= 2.6 (if using Nettle crypto backend). + +* Allow simple status of crypt device without providing metadata header. + The command "cryptsetup status" will print basic info, even if you + do not provide detached header argument. + +* Allow to specify ECB mode in cryptsetup benchmark. + +* Add some LUKS images for regression testing. + Note that if image with Whirlpool fails, the most probable cause is that + you have old gcrypt library with flawed whirlpool hash. + Read FAQ section 8.3 for more info. + +Cryptsetup API NOTE: +The direct terminal handling for passphrase entry will be removed from +libcryptsetup in next major version (application should handle it itself). + +It means that you have to always either provide password in buffer or set +your own password callback function trhough crypt_set_password_callback(). +See API documentation (or libcryptsetup.h) for more info. diff --git a/docs/v1.6.6-ReleaseNotes b/docs/v1.6.6-ReleaseNotes new file mode 100644 index 0000000..9d1fbee --- /dev/null +++ b/docs/v1.6.6-ReleaseNotes @@ -0,0 +1,29 @@ +Cryptsetup 1.6.6 Release Notes +============================== + +Changes since version 1.6.5 + +* LUKS: Fix keyslot device access for devices which + do not support direct IO operations. (Regression in 1.6.5.) + +* LUKS: Fallback to old temporary keyslot device mapping method + if hash (for ESSIV) is not supported by userspace crypto + library. (Regression in 1.6.5.) + +* Properly activate device with discard (TRIM for SSDs) + if requested even if dm_crypt module is not yet loaded. + Only if discard is not supported by the old kernel then + the discard option is ignored. + +* Fix some static analysis build warnings (scan-build). + +* Report crypto lib version only once (and always add kernel + version) in debug output. + +Cryptsetup API NOTE: +The direct terminal handling for passphrase entry will be removed from +libcryptsetup in next major version (application should handle it itself). + +It means that you have to always either provide password in buffer or set +your own password callback function through crypt_set_password_callback(). +See API documentation (or libcryptsetup.h) for more info. diff --git a/docs/v1.6.7-ReleaseNotes b/docs/v1.6.7-ReleaseNotes new file mode 100644 index 0000000..edb73e5 --- /dev/null +++ b/docs/v1.6.7-ReleaseNotes @@ -0,0 +1,84 @@ +Cryptsetup 1.6.7 Release Notes +============================== + +Changes since version 1.6.6 + +* Cryptsetup git and wiki are now hosted on GitLab. + https://gitlab.com/cryptsetup/cryptsetup + + Repository of stable releases remains on kernel.org site + https://www.kernel.org/pub/linux/utils/cryptsetup/ + + For more info please see README file. + +* Cryptsetup TCRYPT mode now supports VeraCrypt devices (TrueCrypt extension). + + The VeraCrypt extension only increases iteration count for the key + derivation function (on-disk format is the same as TrueCrypt format). + + Note that unlocking of a VeraCrypt device can take very long time if used + on slow machines. + + To use this extension, add --veracrypt option, for example + cryptsetup open --type tcrypt --veracrypt <container> <name> + + For use through libcryptsetup, just add CRYPT_TCRYPT_VERA_MODES flag. + +* Support keyfile-offset and keyfile-size options even for plain volumes. + +* Support keyfile option for luksAddKey if the master key is specified. + +* For historic reasons, hashing in the plain mode is not used + if keyfile is specified (with exception of --key-file=-). + Print a warning if these parameters are ignored. + +* Support permanent device decryption for cryptsetup-reencrypt. + To remove LUKS encryption from a device, you can now use --decrypt option. + +* Allow to use --header option in all LUKS commands. + The --header always takes precedence over positional device argument. + +* Allow luksSuspend without need to specify a detached header. + +* Detect if O_DIRECT is usable on a device allocation. + There are some strange storage stack configurations which wrongly allows + to open devices with direct-io but fails on all IO operations later. + + Cryptsetup now tries to read the device first sector to ensure it can use + direct-io. + +* Add low-level performance options tuning for dmcrypt (for Linux 4.0 and later). + + Linux kernel 4.0 contains rewritten dmcrypt code which tries to better utilize + encryption on parallel CPU cores. + + While tests show that this change increases performance on most configurations, + dmcrypt now provides some switches to change its new behavior. + + You can use them (per-device) with these cryptsetup switches: + --perf-same_cpu_crypt + --perf-submit_from_crypt_cpus + + Please use these only in the case of serious performance problems. + Refer to the cryptsetup man page and dm-crypt documentation + (for same_cpu_crypt and submit_from_crypt_cpus options). + https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt + +* Get rid of libfipscheck library. + (Note that this option was used only for Red Hat and derived distributions.) + With recent FIPS changes we do not need to link to this FIPS monster anymore. + Also drop some no longer needed FIPS mode checks. + +* Many fixes and clarifications to man pages. + +* Prevent compiler to optimize-out zeroing of buffers for on-stack variables. + +* Fix a crash if non-GNU strerror_r is used. + +Cryptsetup API NOTE: +The direct terminal handling for passphrase entry will be removed from +libcryptsetup in next major version (application should handle it itself). + +It means that you have to always either provide password in buffer or set +your own password callback function through crypt_set_password_callback(). +See API documentation (or libcryptsetup.h) for more info. diff --git a/docs/v1.6.8-ReleaseNotes b/docs/v1.6.8-ReleaseNotes new file mode 100644 index 0000000..43b4f2c --- /dev/null +++ b/docs/v1.6.8-ReleaseNotes @@ -0,0 +1,47 @@ +Cryptsetup 1.6.8 Release Notes +============================== + +Changes since version 1.6.7 + +* If the null cipher (no encryption) is used, allow only empty password for LUKS. + (Previously cryptsetup accepted any password in this case.) + + The null cipher can be used only for testing and it is used temporarily during + offline encrypting not yet encrypted device (cryptsetup-reencrypt tool). + + Accepting only empty password prevents situation when someone adds another + LUKS device using the same UUID (UUID of existing LUKS device) with faked + header containing null cipher. + This could force user to use different LUKS device (with no encryption) + without noticing. + (IOW it prevents situation when attacker intentionally forces + user to boot into different system just by LUKS header manipulation.) + + Properly configured systems should have an additional integrity protection + in place here (LUKS here provides only confidentiality) but it is better + to not allow this situation in the first place. + + (For more info see QubesOS Security Bulletin QSB-019-2015.) + +* Properly support stdin "-" handling for luksAddKey for both new and old + keyfile parameters. + +* If encrypted device is file-backed (it uses underlying loop device), + cryptsetup resize will try to resize underlying loop device as well. + (It can be used to grow up file-backed device in one step.) + +* Cryptsetup now allows to use empty password through stdin pipe. + (Intended only for testing in scripts.) + +Cryptsetup API NOTE: + +Direct terminal handling and password calling callback for passphrase +entry will be removed from libcryptsetup in next major (2.x) version +(application should handle it itself). +It means that application have to always provide password in API calls. + +Functions returning last error will be removed in next major version (2.x). +These functions did not work properly for early initialization errors +and application can implement better function easily using own error callback. + +See comments in libcryptsetup.h for more info about deprecated functions. diff --git a/docs/v1.7.0-ReleaseNotes b/docs/v1.7.0-ReleaseNotes new file mode 100644 index 0000000..cd568c1 --- /dev/null +++ b/docs/v1.7.0-ReleaseNotes @@ -0,0 +1,81 @@ +Cryptsetup 1.7.0 Release Notes +============================== + +The cryptsetup 1.7 release changes defaults for LUKS, +there are no API changes. + +Changes since version 1.6.8 + +* Default hash function is now SHA256 (used in key derivation function + and anti-forensic splitter). + + Note that replacing SHA1 with SHA256 is not for security reasons. + (LUKS does not have problems even if collisions are found for SHA1, + for details see FAQ item 5.20). + + Using SHA256 as default is mainly to prevent compatibility problems + on hardened systems where SHA1 is already be phased out. + + Note that all checks (kernel crypto API availability check) now uses + SHA256 as well. + +* Default iteration time for PBKDF2 is now 2 seconds. + + Increasing iteration time is in combination with PBKDF2 benchmark + fixes a try to keep PBKDF2 iteration count still high enough and + also still acceptable for users. + + N.B. Long term is to replace PBKDF2 algorithm with Password Hashing + Competition winner - Argon2. + + Distributions can still change these defaults in compilation time. + + You can change iteration time and used hash function in existing LUKS + header with cryptsetup-reencrypt utility even without full reencryption + of device (see --keep-key option). + +* Fix PBKDF2 iteration benchmark for longer key sizes. + + The previous PBKDF2 benchmark code did not take into account + output key length properly. + + For SHA1 (with 160-bits output) and 256-bit keys (and longer) + it means that the final iteration value was higher than it should be. + + For other hash algorithms (like SHA256 or SHA512) it caused + that iteration count was lower (in comparison to SHA1) than + expected for the requested time period. + + The PBKDF2 benchmark code is now fixed to use the key size for + the formatted device (or default LUKS key size if running in informational + benchmark mode). + + Thanks to A.Visconti, S.Bossi, A.Calo and H.Ragab + (http://www.club.di.unimi.it/) for point this out. + (Based on "What users should know about Full Disk Encryption + based on LUKS" paper to be presented on CANS2015). + +* Remove experimental warning for reencrypt tool. + The strong request for full backup before using reencryption utility + still applies :) + +* Add optional libpasswdqc support for new LUKS passwords. + + If password is entered through terminal (no keyfile specified) and + cryptsetup is compiled with --enable-passwdqc[=/etc/passwdqc.conf], + configured system passwdqc settings are used to check password quality. + +* Update FAQ document. + +Cryptsetup API NOTE: + +Direct terminal handling and password calling callback for passphrase +entry will be removed from libcryptsetup in next major (2.x) version +(application should handle it itself). +It means that application have to always provide password in API calls. + +Functions returning last error will be removed in next major version (2.x). +These functions did not work properly for early initialization errors +and application can implement better function easily using own error callback. + +See comments in libcryptsetup.h for more info about deprecated functions. diff --git a/docs/v1.7.1-ReleaseNotes b/docs/v1.7.1-ReleaseNotes new file mode 100644 index 0000000..057c135 --- /dev/null +++ b/docs/v1.7.1-ReleaseNotes @@ -0,0 +1,36 @@ +Cryptsetup 1.7.1 Release Notes +============================== + +Changes since version 1.7.0 + +* Code now uses kernel crypto API backend according to new + changes introduced in mainline kernel + + While mainline kernel should contain backward compatible + changes, some stable series kernels do not contain fully + backported compatibility patches. + Without these patches most of cryptsetup operations + (like unlocking device) fail. + + This change in cryptsetup ensures that all operations using + kernel crypto API works even on these kernels. + +* The cryptsetup-reencrypt utility now properly detects removal + of underlying link to block device and does not remove + ongoing re-encryption log. + This allows proper recovery (resume) of reencrypt operation later. + + NOTE: Never use /dev/disk/by-uuid/ path for reencryption utility, + this link disappears once the device metadata is temporarily + removed from device. + +* Cryptsetup now allows special "-" (standard input) keyfile handling + even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices. + +* Cryptsetup now fails if there are more keyfiles specified + for non-TCRYPT device. + +* The luksKillSlot command now does not suppress provided password + in batch mode (if password is wrong slot is not destroyed). + Note that not providing password in batch mode means that keyslot + is destroyed unconditionally. diff --git a/docs/v1.7.2-ReleaseNotes b/docs/v1.7.2-ReleaseNotes new file mode 100644 index 0000000..6323430 --- /dev/null +++ b/docs/v1.7.2-ReleaseNotes @@ -0,0 +1,37 @@ +Cryptsetup 1.7.2 Release Notes +============================== + +Changes since version 1.7.1 + +* Update LUKS documentation format. + Clarify fixed sector size and keyslots alignment. + +* Support activation options for error handling modes in Linux kernel + dm-verity module: + + --ignore-corruption - dm-verity just logs detected corruption + + --restart-on-corruption - dm-verity restarts the kernel if corruption is detected + + If the options above are not specified, default behavior for dm-verity remains. + Default is that I/O operation fails with I/O error if corrupted block is detected. + + --ignore-zero-blocks - Instructs dm-verity to not verify blocks that are expected + to contain zeroes and always return zeroes directly instead. + + NOTE that these options could have security or functional impacts, + do not use them without assessing the risks! + +* Fix help text for cipher benchmark specification (mention --cipher option). + +* Fix off-by-one error in maximum keyfile size. + Allow keyfiles up to compiled-in default and not that value minus one. + +* Support resume of interrupted decryption in cryptsetup-reencrypt utility. + To resume decryption, LUKS device UUID (--uuid option) option must be used. + +* Do not use direct-io for LUKS header with unaligned keyslots. + Such headers were used only by the first cryptsetup-luks-1.0.0 release (2005). + +* Fix device block size detection to properly work on particular file-based + containers over underlying devices with 4k sectors. diff --git a/docs/v1.7.3-ReleaseNotes b/docs/v1.7.3-ReleaseNotes new file mode 100644 index 0000000..4a2757c --- /dev/null +++ b/docs/v1.7.3-ReleaseNotes @@ -0,0 +1,20 @@ +Cryptsetup 1.7.3 Release Notes +============================== + +Changes since version 1.7.2 + +* Fix device access to hash offsets located beyond the 2GB device boundary in veritysetup. + +* Set configured (compile-time) default iteration time for devices created directly through + libcryptsetup (default was hardcoded 1 second, the configured value applied only + for cryptsetup application). + +* Fix PBKDF2 benchmark to not double iteration count for specific corner case. + If the measurement function returns exactly 500 ms, the iteration calculation loop + doubled iteration count but instead of repeating measurement it used this value directly. + +* OpenSSL backend: fix memory leak if hash context was repeatedly reused. + +* OpenSSL backend: add support for OpenSSL 1.1.0. + +* Fix several minor spelling errors. diff --git a/docs/v1.7.4-ReleaseNotes b/docs/v1.7.4-ReleaseNotes new file mode 100644 index 0000000..73dbaa7 --- /dev/null +++ b/docs/v1.7.4-ReleaseNotes @@ -0,0 +1,22 @@ +Cryptsetup 1.7.4 Release Notes +============================== + +Changes since version 1.7.3 + +* Allow to specify LUKS1 hash algorithm in Python luksFormat wrapper. + +* Use LUKS1 compiled-in defaults also in Python wrapper. + +* OpenSSL backend: Fix OpenSSL 1.1.0 support without backward compatible API. + +* OpenSSL backend: Fix LibreSSL compatibility. + +* Check for data device and hash device area overlap in veritysetup. + +* Fix a possible race while allocating a free loop device. + +* Fix possible file descriptor leaks if libcryptsetup is run from a forked process. + +* Fix missing same_cpu_crypt flag in status command. + +* Various updates to FAQ and man pages. diff --git a/docs/v1.7.5-ReleaseNotes b/docs/v1.7.5-ReleaseNotes new file mode 100644 index 0000000..eec4315 --- /dev/null +++ b/docs/v1.7.5-ReleaseNotes @@ -0,0 +1,22 @@ +Cryptsetup 1.7.5 Release Notes +============================== + +Changes since version 1.7.4 + +* Fixes to luksFormat to properly support recent kernel running in FIPS mode. + + Cryptsetup must never use a weak key even if it is just used for testing + of algorithm availability. In FIPS mode, weak keys are always rejected. + + A weak key is for example detected if the XTS encryption mode use + the same key for the tweak and the encryption part. + +* Fixes accesses to unaligned hidden legacy TrueCrypt header. + + On a native 4k-sector device the old hidden TrueCrypt header is not + aligned with the hw sector size (this problem was fixed in later TrueCrypt + on-disk format versions). + + Cryptsetup now properly aligns the read so it does not fail. + +* Fixes to optional dracut ramdisk scripts for offline re-encryption on initial boot. diff --git a/docs/v2.0.0-ReleaseNotes b/docs/v2.0.0-ReleaseNotes new file mode 100644 index 0000000..779dcb0 --- /dev/null +++ b/docs/v2.0.0-ReleaseNotes @@ -0,0 +1,605 @@ +Cryptsetup 2.0.0 Release Notes +============================== +Stable release with experimental features. + +This version introduces a new on-disk LUKS2 format. + +The legacy LUKS (referenced as LUKS1) will be fully supported +forever as well as a traditional and fully backward compatible format. + +NOTE: This version changes soname of libcryptsetup library and increases +major version for all public symbols. +Most of the old functions are fully backward compatible, so only +recompilation of programs should be needed. + +Please note that authenticated disk encryption, non-cryptographic +data integrity protection (dm-integrity), use of Argon2 Password-Based +Key Derivation Function and the LUKS2 on-disk format itself are new +features and can contain some bugs. + +To provide all security features of authenticated encryption we need +better nonce-reuse resistant algorithm in kernel (see note below). +For now, please use authenticated encryption as experimental feature. + +Please do not use LUKS2 without properly configured backup or in +production systems that need to be compatible with older systems. + +Changes since version 2.0.0-RC1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* Limit KDF requested (for format) memory by available physical memory. + On some systems too high requested amount of memory causes OOM killer + to kill the process (instead of returning ENOMEM). + We never try to use more than half of available physical memory. + +* Ignore device alignment if it is not multiple of minimal-io. + Some USB enclosures seems to report bogus topology info that + prevents to use LUKS detached header. + +Changes since version 2.0.0-RC0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Enable to use system libargon2 instead of bundled version. + Renames --disable-argon2 to --disable-internal-argon2 option + and adds --enable-libargon2 flag to allow system libargon2. + +* Changes in build system (Automake) + - The build system now uses non-recursive automake (except for tests). + (Tools binaries are now located in buildroot directory.) + - New --disable-cryptsetup option to disable build of cryptsetup tool. + - Enable build of cryptsetup-reencrypt by default. + +* Install tmpfiles.d configuration for LUKS2 locking directory. + You can overwrite this using --with-tmpfilesdir configure option. + If your distro does not support tmpfiles.d directory, you have + to create locking directory (/run/lock/cryptsetup) in cryptsetup + package (or init scripts). + +* Adds limited support for offline reencryption of LUKS2 format. + +* Decrease size of testing images (and the whole release archive). + +* Fixes for several memory leaks found by Valgrind and Coverity tools. + +* Fixes for several typos in man pages and error messages. + +* LUKS header file in luksFormat is now automatically created + if it does not exist. + +* Do not allow resize if device size is not aligned to sector size. + +Cryptsetup 2.0.0 RC0 Release Notes +================================== + +Important features +~~~~~~~~~~~~~~~~~~ + +* New command integritysetup: support for the new dm-integrity kernel target. + + The dm-integrity is a new kernel device-mapper target that introduces + software emulation of per-sector integrity fields on the disk sector level. + It is available since Linux kernel version 4.12. + + The provided per-sector metadata fields can be used for storing a data + integrity checksum (for example CRC32). + The dm-integrity implements data journal that enforces atomic update + of a sector and its integrity metadata. + + Integritysetup is a CLI utility that can setup standalone dm-integrity + devices (that internally check integrity of data). + + Integritysetup is intended to be used for settings that require + non-cryptographic data integrity protection with no data encryption. + Fo setting integrity protected encrypted devices, see disk authenticated + encryption below. + + Note that after formatting the checksums need to be initialized; + otherwise device reads will fail because of integrity errors. + Integritysetup by default tries to wipe the device with zero blocks + to avoid this problem. Device wipe can be time-consuming, you can skip + this step by specifying --no-wipe option. + (But note that not wiping device can cause some operations to fail + if a write is not multiple of page size and kernel page cache tries + to read sectors with not yet initialized checksums.) + + The default setting is tag size 4 bytes per-sector and CRC32C protection. + To format device with these defaults: + $ integritysetup format <device> + $ integritysetup open <device> <name> + + Note that used algorithm (unlike tag size) is NOT stored in device + kernel superblock and if you use different algorithm, you MUST specify + it in every open command, for example: + $ integritysetup format <device> --tag-size 32 --integrity sha256 + $ integritysetup open <device> <name> --integrity sha256 + + For more info, see integrity man page. + +* Veritysetup command can now format and activate dm-verity devices + that contain Forward Error Correction (FEC) (Reed-Solomon code is used). + This feature is used on most of Android devices already (available since + Linux kernel 4.5). + + There are new options --fec-device, --fec-offset to specify data area + with correction code and --fec-roots that set Redd-Solomon generator roots. + This setting can be used for format command (veritysetup will calculate + and store RS codes) or open command (veritysetup configures kernel + dm-verity to use RS codes). + + For more info see veritysetup man page. + +* Support for larger sector sizes for crypt devices. + + LUKS2 and plain crypt devices can be now configured with larger encryption + sector (typically 4096 bytes, sector size must be the power of two, + maximal sector size is 4096 bytes for portability). + Large sector size can decrease encryption overhead and can also help + with some specific crypto hardware accelerators that perform very + badly with 512 bytes sectors. + + Note that if you configure such a larger sector of the device that does use + smaller physical sector, there is a possibility of a data corruption during + power fail (partial sector writes). + + WARNING: If you use different sector size for a plain device after data were + stored, the decryption will produce garbage. + + For LUKS2, the sector size is stored in metadata and cannot be changed later. + +LUKS2 format and features +~~~~~~~~~~~~~~~~~~~~~~~~~ +The LUKS2 is an on-disk storage format designed to provide simple key +management, primarily intended for Full Disk Encryption based on dm-crypt. + +The LUKS2 is inspired by LUKS1 format and in some specific situations (most +of the default configurations) can be converted in-place from LUKS1. + +The LUKS2 format is designed to allow future updates of various +parts without the need to modify binary structures and internally +uses JSON text format for metadata. Compilation now requires the json-c library +that is used for JSON data processing. + +On-disk format provides redundancy of metadata, detection +of metadata corruption and automatic repair from metadata copy. + +NOTE: For security reasons, there is no redundancy in keyslots binary data +(encrypted keys) but the format allows adding such a feature in future. + +NOTE: to operate correctly, LUKS2 requires locking of metadata. +Locking is performed by using flock() system call for images in file +and for block device by using a specific lock file in /run/lock/cryptsetup. + +This directory must be created by distribution (do not rely on internal +fallback). For systemd-based distribution, you can simply install +scripts/cryptsetup.conf into tmpfiles.d directory. + +For more details see LUKS2-format.txt and LUKS2-locking.txt in the docs +directory. (Please note this is just overview, there will be more formal +documentation later.) + +LUKS2 use +~~~~~~~~~ + +LUKS2 allows using all possible configurations as LUKS1. + +To format device as LUKS2, you have to add "--type luks2" during format: + + $ cryptsetup luksFormat --type luks2 <device> + +All commands issued later will recognize the new format automatically. + +The newly added features in LUKS2 include: + +* Authenticated disk (sector) encryption (EXPERIMENTAL) + + Legacy Full disk encryption (FDE), for example, LUKS1, is a length-preserving + encryption (plaintext is the same size as a ciphertext). + Such FDE can provide data confidentiality, but cannot provide sound data + integrity protection. + + Full disk authenticated encryption is a way how to provide both + confidentiality and data integrity protection. Integrity protection here means + not only detection of random data corruption (silent data corruption) but also + prevention of an unauthorized intentional change of disk sector content. + + NOTE: Integrity protection of this type cannot prevent a replay attack. + An attacker can replace the device or its part of the old content, and it + cannot be detected. + If you need such protection, better use integrity protection on a higher layer. + + For data integrity protection on the sector level, we need additional + per-sector metadata space. In LUKS2 this space is provided by a new + device-mapper dm-integrity target (available since kernel 4.12). + Here the integrity target provides only reliable per-sector metadata store, + and the whole authenticated encryption is performed inside dm-crypt stacked + over the dm-integrity device. + + For encryption, Authenticated Encryption with Additional Data (AEAD) is used. + Every sector is processed as a encryption request of this format: + + |----- AAD -------|------ DATA -------|-- AUTH TAG --| + | (authenticated) | (auth+encryption) | | + | sector_LE | IV | sector in/out | tag in/out | + + AEAD encrypts the whole sector and also authenticates sector number + (to detect sector relocation) and also authenticates Initialization Vector. + + AEAD encryption produces encrypted data and authentication tag. + The authenticated tag is then stored in per-sector metadata space provided + by dm-integrity. + + Most of the current AEAD algorithms requires IV as a nonce, value that is + never reused. Because sector number, as an IV, cannot be used in this + environment, we use a new random IV (IV is a random value generated by system + RNG on every write). This random IV is then stored in the per-sector metadata + as well. + + Because the authentication tag (and IV) requires additional space, the device + provided for a user has less capacity. Also, the data journalling means that + writes are performed twice, decreasing throughput. + + This integrity protection works better with SSDs. If you want to ignore + dm-integrity data journal (because journalling is performed on some higher + layer or you just want to trade-off performance to safe recovery), you can + switch journal off with --integrity-no-journal option. + (This flag can be stored persistently as well.) + + Note that (similar to integritysetup) the device read will fail if + authentication tag is not initialized (no previous write). + By default cryptsetup run wipe of a device (writing zeroes) to initialize + authentication tags. This operation can be very time-consuming. + You can skip device wipe using --integrity-no-wipe option. + + To format LUKS2 device with integrity protection, use new --integrity option. + + For now, there are very few AEAD algorithms that can be used, and some + of them are known to be problematic. In this release we support only + a few of AEAD algorithms (options are for now hard coded), later this + extension will be completely algorithm-agnostic. + + For testing of authenticated encryption, these algorithms work for now: + + 1) aes-xts-plain64 with hmac-sha256 or hmac-sha512 as the authentication tag. + (Common FDE mode + independent authentication tag. Authentication key + for HMAC is independently generated. This mode is very slow.) + $ cryptsetup luksFormat --type luks2 <device> --cipher aes-xts-plain64 --integrity hmac-sha256 + + 2) aes-gcm-random (native AEAD mode) + DO NOT USE in production! The GCM mode uses only 96-bit nonce, + and possible collision means fatal security problem. + GCM mode has very good hardware support through AES-NI, so it is useful + for performance testing. + $ cryptsetup luksFormat --type luks2 <device> --cipher aes-gcm-random --integrity aead + + 3) ChaCha20 with Poly1305 authenticator (according to RFC7539) + $ cryptsetup luksFormat --type luks2 <device> --cipher chacha20-random --integrity poly1305 + + To specify AES128/AES256 just specify proper key size (without possible + authentication key). Other symmetric ciphers, like Serpent or Twofish, + should work as well. The mode 1) and 2) should be compatible with IEEE 1619.1 + standard recommendation. + + There will be better suitable authenticated modes available soon + For now we are just preparing framework to enable it (and hopefully improve security of FDE). + + FDE authenticated encryption is not a replacement for filesystem layer + authenticated encryption. The goal is to provide at least something because + data integrity protection is often completely ignored in today systems. + +* New memory-hard PBKDF + + LUKS1 introduced Password-Based Key Derivation Function v2 as a tool to + increase attacker cost for a dictionary and brute force attacks. + The PBKDF2 uses iteration count to increase time of key derivation. + Unfortunately, with modern GPUs, the PBKDF2 calculations can be run + in parallel and PBKDF2 can no longer provide the best available protection. + Increasing iteration count just cannot prevent massive parallel dictionary + password attacks in long-term. + + To solve this problem, a new PBKDF, based on so-called memory-hard functions + can be used. Key derivation with memory-hard function requires a certain + amount of memory to compute its output. The memory requirement is very + costly for GPUs and prevents these systems to operate effectively, + increasing cost for attackers. + + LUKS2 introduces support for Argon2i and Argon2id as a PBKDF. + Argon2 is the winner of Password Hashing Competition and is currently + in final RFC draft specification. + + For now, libcryptsetup contains the embedded copy of reference implementation + of Argon2 (that is easily portable to all architectures). + Later, once this function is available in common crypto libraries, it will + switch to external implementation. (This happened for LUKS1 and PBKDF2 + as well years ago.) + With using reference implementation (that is not optimized for speed), there + is some performance penalty. However, using memory-hard PBKDF should still + significantly complicate GPU-optimized dictionary and brute force attacks. + + The Argon2 uses three costs: memory, time (number of iterations) and parallel + (number of threads). + Note that time and memory cost highly influences each other (accessing a lot + of memory takes more time). + + There is a new benchmark that tries to calculate costs to take similar way as + in LUKS1 (where iteration is measured to take 1-2 seconds on user system). + Because now there are more cost variables, it prefers time cost (iterations) + and tries to find required memory that fits. (IOW required memory cost can be + lower if the benchmarks are not able to find required parameters.) + The benchmark cannot run too long, so it tries to approximate next step + for benchmarking. + + For now, default LUKS2 PBKDF algorithm is Argon2i (data independent variant) + with memory cost set to 128MB, time to 800ms and parallel thread according + to available CPU cores but no more than 4. + + All default parameters can be set during compile time and also set on + the command line by using --pbkdf, --pbkdf-memory, --pbkdf-parallel and + --iter-time options. + (Or without benchmark directly by using --pbkdf-force-iterations, see below.) + + You can still use PBKDF2 even for LUKS2 by specifying --pbkdf pbkdf2 option. + (Then only iteration count is applied.) + +* Use of kernel keyring + + Kernel keyring is a storage for sensitive material (like cryptographic keys) + inside Linux kernel. + + LUKS2 uses keyring for two major functions: + + - To store volume key for dm-crypt where it avoids sending volume key in + every device-mapper ioctl structure. Volume key is also no longer directly + visible in a dm-crypt mapping table. The key is not available for the user + after dm-crypt configuration (obviously except direct memory scan). + Use of kernel keyring can be disabled in runtime by --disable-keyring option. + + - As a tool to automatically unlock LUKS device if a passphrase is put into + kernel keyring and proper keyring token is configured. + + This allows storing a secret (passphrase) to kernel per-user keyring by + some external tool (for example some TPM handler) and LUKS2, if configured, + will automatically search in the keyring and unlock the system. + For more info see Tokens section below. + +* Persistent flags + The activation flags (like allow-discards) can be stored in metadata and used + automatically by all later activations (even without using crypttab). + + To store activation flags permanently, use activation command with required + flags and add --persistent option. + + For example, to mark device to always activate with TRIM enabled, + use (for LUKS2 type): + + $ cryptsetup open <device> <name> --allow-discards --persistent + + You can check persistent flags in dump command output: + + $ cryptsetup luksDump <device> + +* Tokens and auto-activation + + A LUKS2 token is an object that can be described "how to get passphrase or key" + to unlock particular keyslot. + (Also it can be used to store any additional metadata, and with + the libcryptsetup interface it can be used to define user token types.) + + Cryptsetup internally implements keyring token. Cryptsetup tries to use + available tokens before asking for the passphrase. For keyring token, + it means that if the passphrase is available under specified identifier + inside kernel keyring, the device is automatically activated using this + stored passphrase. + + Example of using LUKS2 keyring token: + + # Adding token to metadata with "my_token" identifier (by default it applies to all keyslots). + $ cryptsetup token add --key-description "my_token" <device> + + # Storing passphrase to user keyring (this can be done by an external application) + $ echo -n <passphrase> | keyctl padd user my_token @u + + # Now cryptsetup activates automatically if it finds correct passphrase + $ cryptsetup open <device> <name> + + The main reason to use tokens this way is to separate possible hardware + handlers from cryptsetup code. + +* Keyslot priorities + + LUKS2 keyslot can have a new priority attribute. + The default is "normal". The "prefer" priority tell the keyslot to be tried + before other keyslots. Priority "ignore" means that keyslot will never be + used if not specified explicitly (it can be used for backup administrator + passwords that are used only situations when a user forgets own passphrase). + + The priority of keyslot can be set with new config command, for example + $ cryptsetup config <device> --key-slot 1 --priority prefer + + Setting priority to normal will reset slot to normal state. + +* LUKS2 label and subsystem + + The header now contains additional fields for label and subsystem (additional + label). These fields can be used similar to filesystem label and will be + visible in udev rules to possible filtering. (Note that blkid do not yet + contain the LUKS scanning code). + + By default both labels are empty. Label and subsystem are always set together + (no option means clear the label) with the config command: + + $ cryptsetup config <device> --label my_device --subsystem "" + +* In-place conversion form LUKS1 + + To allow easy testing and transition to the new LUKS2 format, there is a new + convert command that allows in-place conversion from the LUKS1 format and, + if there are no incompatible options, also conversion back from LUKS2 + to LUKS1 format. + + Note this command can be used only on some LUKS1 devices (some device header + sizes are not supported). + This command is dangerous, never run it without header backup! + If something fails in the middle of conversion (IO error), the header + is destroyed. (Note that conversion requires move of keyslot data area to + a different offset.) + + To convert header in-place to LUKS2 format, use + $ cryptsetup convert <device> --type luks2 + + To convert it back to LUKS1 format, use + $ cryptsetup convert <device> --type luks1 + + You can verify LUKS version with luksDump command. + $ cryptsetup luksDump <device> + + Note that some LUKS2 features will make header incompatible with LUKS1 and + conversion will be rejected (for example using new Argon2 PBKDF or integrity + extensions). Some minor attributes can be lost in conversion. + +Other changes +~~~~~~~~~~~~~ + +* Explicit KDF iterations count setting + + With new PBKDF interface, there is also the possibility to setup PBKDF costs + directly, avoiding benchmarks. This can be useful if device is formatted to be + primarily used on a different system. + + The option --pbkdf-force-iterations is available for both LUKS1 and LUKS2 + format. Using this option can cause device to have either very low or very + high PBKDF costs. + In the first case it means bad protection to dictionary attacks, in the second + case, it can mean extremely high unlocking time or memory requirements. + Use only if you are sure what you are doing! + + Not that this setting also affects iteration count for the key digest. + For LUKS1 iteration count for digest will be approximately 1/8 of requested + value, for LUKS2 and "pbkdf2" digest minimal PBKDF2 iteration count (1000) + will be used. You cannot set lower iteration count than the internal minimum + (1000 for PBKDF2). + + To format LUKS1 device with forced iteration count (and no benchmarking), use + $ cryptsetup luksFormat <device> --pbkdf-force-iterations 22222 + + For LUKS2 it is always better to specify full settings (do not rely on default + cost values). + For example, we can set to use Argon2id with iteration cost 5, memory 128000 + and parallel set 1: + $ cryptsetup luksFormat --type luks2 <device> \ + --pbkdf argon2id --pbkdf-force-iterations 5 --pbkdf-memory 128000 --pbkdf-parallel 1 + +* VeraCrypt PIM + + Cryptsetup can now also open VeraCrypt device that uses Personal Iteration + Multiplier (PIM). PIM is an integer value that user must remember additionally + to passphrase and influences PBKDF2 iteration count (without it VeraCrypt uses + a fixed number of iterations). + + To open VeraCrypt device with PIM settings, use --veracrypt-pim (to specify + PIM on the command line) or --veracrypt-query-pim to query PIM interactively. + +* Support for plain64be IV + + The plain64be is big-endian variant of plain64 Initialization Vector. It is + used in some images of hardware-based disk encryption systems. Supporting this + variant allows using dm-crypt to map such images through cryptsetup. + +* Deferral removal + + Cryptsetup now can mark device for deferred removal by using a new option + --deferred. This means that close command will not fail if the device is still + in use, but will instruct the kernel to remove the device automatically after + use count drops to zero (for example, once the filesystem is unmounted). + +* A lot of updates to man pages and many minor changes that would make this + release notes too long ;-) + +Libcryptsetup API changes +~~~~~~~~~~~~~~~~~~~~~~~~~ + +These API functions were removed, libcryptsetup no longer handles password +retries from terminal (application should handle terminal operations itself): + crypt_set_password_callback; + crypt_set_timeout; + crypt_set_password_retry; + crypt_set_password_verify; + +This call is removed (no need to keep typo backward compatibility, +the proper function is crypt_set_iteration_time :-) + crypt_set_iterarion_time; + +These calls were removed because are not safe, use per-context +error callbacks instead: + crypt_last_error; + crypt_get_error; + +The PBKDF benchmark was replaced by a new function that uses new KDF structure + crypt_benchmark_kdf; (removed) + crypt_benchmark_pbkdf; (new API call) + +These new calls are now exported, for details see libcryptsetup.h: + crypt_keyslot_add_by_key; + crypt_keyslot_set_priority; + crypt_keyslot_get_priority; + + crypt_token_json_get; + crypt_token_json_set; + crypt_token_status; + crypt_token_luks2_keyring_get; + crypt_token_luks2_keyring_set; + crypt_token_assign_keyslot; + crypt_token_unassign_keyslot; + crypt_token_register; + + crypt_activate_by_token; + crypt_activate_by_keyring; + crypt_deactivate_by_name; + + crypt_metadata_locking; + crypt_volume_key_keyring; + crypt_get_integrity_info; + crypt_get_sector_size; + crypt_persistent_flags_set; + crypt_persistent_flags_get; + crypt_set_pbkdf_type; + crypt_get_pbkdf_type; + + crypt_convert; + crypt_keyfile_read; + crypt_wipe; + +Unfinished things & TODO for next releases +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* There will be better documentation and examples. + +* There will be some more formal definition of the threat model for integrity + protection. (And a link to some papers discussing integrity protection, + once it is, hopefully, accepted and published.) + +* Offline re-encrypt tool LUKS2 support is currently limited. + There will be online LUKS2 re-encryption tool in future. + +* Authenticated encryption will use new algorithms from CAESAR competition + (https://competitions.cr.yp.to/caesar.html) once these algorithms are available + in kernel (more on this later). + NOTE: Currently available authenticated modes (GCM, Chacha20-poly1305) + in kernel have too small 96-bit nonces that are problematic with + randomly generated IVs (the collison probability is not negligible). + For the GCM, nonce collision is a fatal problem. + +* Authenticated encryption do not set encryption for dm-integrity journal. + + While it does not influence data confidentiality or integrity protection, + an attacker can get some more information from data journal or cause that + system will corrupt sectors after journal replay. (That corruption will be + detected though.) + +* Some utilities (blkid, systemd-cryptsetup) have already support for LUKS + but not yet in released version (support in crypttab etc). + +* There are some examples of user-defined tokens inside misc/luks2_keyslot_example + directory (like a simple external program that uses libssh to unlock LUKS2 + using remote keyfile). + +* The python binding (pycryptsetup) contains only basic functionality for LUKS1 + (it is not updated for new features) and will be deprecated soon in favor + of python bindings to libblockdev library (that can already handle LUKS1 devices). diff --git a/docs/v2.0.1-ReleaseNotes b/docs/v2.0.1-ReleaseNotes new file mode 100644 index 0000000..0cc13b9 --- /dev/null +++ b/docs/v2.0.1-ReleaseNotes @@ -0,0 +1,109 @@ +Cryptsetup 2.0.1 Release Notes +============================== +Stable and bug-fix release with experimental features. + +This version introduces a new on-disk LUKS2 format. + +The legacy LUKS (referenced as LUKS1) will be fully supported +forever as well as a traditional and fully backward compatible format. + +Please note that authenticated disk encryption, non-cryptographic +data integrity protection (dm-integrity), use of Argon2 Password-Based +Key Derivation Function and the LUKS2 on-disk format itself are new +features and can contain some bugs. + +To provide all security features of authenticated encryption we need +a better nonce-reuse resistant algorithm in the kernel (see note below). +For now, please use authenticated encryption as an experimental feature. + +Please do not use LUKS2 without properly configured backup or in +production systems that need to be compatible with older systems. + +Changes since version 2.0.0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* To store volume key into kernel keyring, kernel 4.15 with dm-crypt 1.18.1 + is required. If a volume key is stored in keyring (LUKS2 only), + the dm-crypt v1.15.0 through v1.18.0 contains a serious bug that may cause + data corruption for ciphers with ESSIV. + (The key for ESSIV is zeroed because of code misplacement.) + This bug is not present for LUKS1 or any other IVs used in LUKS modes. + This change is not visible to the user (except dmsetup output). + +* Increase maximum allowed PBKDF memory-cost limit to 4 GiB. + The Argon2 PBKDF uses 1GiB by default; this is also limited by the amount + of physical memory available (maximum is half of the physical memory). + +* Use /run/cryptsetup as default for cryptsetup locking dir. + There were problems with sharing /run/lock with lockdev, and in the early + boot, the directory was missing. + The directory can be changed with --with-luks2-lock-path and + --with-luks2-lock-dir-perms configure switches. + +* Introduce new 64-bit byte-offset *keyfile_device_offset functions. + + The keyfile interface was designed, well, for keyfiles. Unfortunately, + there are user cases where a keyfile can be placed on a device, and + size_t offset can overflow on 32-bit systems. + + New set of functions that allow 64-bit offsets even on 32bit systems + are now available: + + - crypt_resume_by_keyfile_device_offset + - crypt_keyslot_add_by_keyfile_device_offset + - crypt_activate_by_keyfile_device_offset + - crypt_keyfile_device_read + + The new functions have added the _device_ in name. + Old functions are just internal wrappers around these. + + Also cryptsetup --keyfile-offset and --new-keyfile-offset now allows + 64-bit offsets as parameters. + +* Add error hint for wrongly formatted cipher strings in LUKS1 and + properly fail in luksFormat if cipher format is missing required IV. + For now, crypto API quietly used cipher without IV if a cipher + algorithm without IV specification was used (e.g., aes-xts). + This caused fail later during activation. + +* Configure check for a recent Argon2 lib to support mandatory Argon2id. + +* Fix for the cryptsetup-reencrypt static build if pwquality is enabled. + +* Update LUKS1 standard doc (https links in the bibliography). + + +Unfinished things & TODO for next releases +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* There will be better documentation and examples. + +* There will be some more formal definition of the threat model for integrity + protection. (And a link to some papers discussing integrity protection, + once it is, hopefully, accepted and published.) + +* Offline re-encrypt tool LUKS2 support is currently limited. + There will be online LUKS2 re-encryption tool in future. + +* Authenticated encryption will use new algorithms from CAESAR competition + (https://competitions.cr.yp.to/caesar.html) once these algorithms are + available in the kernel (more on this later). + NOTE: Currently available authenticated modes (GCM, Chacha20-poly1305) + in the kernel have too small 96-bit nonces that are problematic with + randomly generated IVs (the collision probability is not negligible). + For the GCM, nonce collision is a fatal problem. + +* Authenticated encryption do not set encryption for a dm-integrity journal. + + While it does not influence data confidentiality or integrity protection, + an attacker can get some more information from data journal or cause that + system will corrupt sectors after journal replay. (That corruption will be + detected though.) + +* There are examples of user-defined tokens inside misc/luks2_keyslot_example + directory (like a simple external program that uses libssh to unlock LUKS2 + using remote keyfile). + +* The python binding (pycryptsetup) contains only basic functionality for LUKS1 + (it is not updated for new features) and will be deprecated soon in favor + of python bindings to the libblockdev library (that can already handle LUKS1 + devices). diff --git a/docs/v2.0.2-ReleaseNotes b/docs/v2.0.2-ReleaseNotes new file mode 100644 index 0000000..a85a248 --- /dev/null +++ b/docs/v2.0.2-ReleaseNotes @@ -0,0 +1,93 @@ +Cryptsetup 2.0.2 Release Notes +============================== +Stable and bug-fix release with experimental features. + +Cryptsetup 2.x version introduces a new on-disk LUKS2 format. + +The legacy LUKS (referenced as LUKS1) will be fully supported +forever as well as a traditional and fully backward compatible format. + +Please note that authenticated disk encryption, non-cryptographic +data integrity protection (dm-integrity), use of Argon2 Password-Based +Key Derivation Function and the LUKS2 on-disk format itself are new +features and can contain some bugs. + +To provide all security features of authenticated encryption, we need +a better nonce-reuse resistant algorithm in the kernel (see note below). +For now, please use authenticated encryption as an experimental feature. + +Please do not use LUKS2 without properly configured backup or in +production systems that need to be compatible with older systems. + +Changes since version 2.0.1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Fix a regression in early detection of inactive keyslot for luksKillSlot. + It tried to ask for passphrase even for already erased keyslot. + +* Fix a regression in loopaesOpen processing for keyfile on standard input. + Use of "-" argument was not working properly. + +* Add LUKS2 specific options for cryptsetup-reencrypt. + Tokens and persistent flags are now transferred during reencryption; + change of PBKDF keyslot parameters is now supported and allows + to set precalculated values (no benchmarks). + +* Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags + combination. Persistent flags are now stored only if the device was + successfully activated with the specified flags. + +* Fix integritysetup format after recent Linux kernel changes that + requires to setup key for HMAC in all cases. + Previously integritysetup allowed HMAC with zero key that behaves + like a plain hash. + +* Fix VeraCrypt PIM handling that modified internal iteration counts + even for subsequent activations. The PIM count is no longer printed + in debug log as it is sensitive information. + Also, the code now skips legacy TrueCrypt algorithms if a PIM + is specified (they cannot be used with PIM anyway). + +* PBKDF values cannot be set (even with force parameters) below + hardcoded minimums. For PBKDF2 is it 1000 iterations, for Argon2 + it is 4 iterations and 32 KiB of memory cost. + +* Introduce new crypt_token_is_assigned() API function for reporting + the binding between token and keyslots. + +* Allow crypt_token_json_set() API function to create internal token types. + Do not allow unknown fields in internal token objects. + +* Print message in cryptsetup that about was aborted if a user did not + answer YES in a query. + +Unfinished things & TODO for next releases +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* There will be better documentation and examples. + +* There will be some more formal definition of the threat model for integrity + protection. (And a link to some papers discussing integrity protection, + once it is, hopefully, accepted and published.) + +* Authenticated encryption will use new algorithms from CAESAR competition + https://competitions.cr.yp.to/caesar-submissions.html. + We plan to use AEGIS and MORUS, as CAESAR finalists. + + NOTE: Currently available authenticated modes (GCM, Chacha20-poly1305) + in the kernel have too small 96-bit nonces that are problematic with + randomly generated IVs (the collision probability is not negligible). + +* Authenticated encryption do not set encryption for a dm-integrity journal. + + While it does not influence data confidentiality or integrity protection, + an attacker can get some more information from data journal or cause that + system will corrupt sectors after journal replay. (That corruption will be + detected though.) + +* There are examples of user-defined tokens inside misc/luks2_keyslot_example + directory (like a simple external program that uses libssh to unlock LUKS2 + using remote keyfile). + +* The python binding (pycryptsetup) contains only basic functionality for LUKS1 + (it is not updated for new features) and will be deprecated in version 2.1 + in favor of python bindings to the libblockdev library. diff --git a/docs/v2.0.3-ReleaseNotes b/docs/v2.0.3-ReleaseNotes new file mode 100644 index 0000000..030a1b4 --- /dev/null +++ b/docs/v2.0.3-ReleaseNotes @@ -0,0 +1,121 @@ +Cryptsetup 2.0.3 Release Notes +============================== +Stable bug-fix release with new features. + +Cryptsetup 2.x version introduces a new on-disk LUKS2 format. + +The legacy LUKS (referenced as LUKS1) will be fully supported +forever as well as a traditional and fully backward compatible format. + +Please note that authenticated disk encryption, non-cryptographic +data integrity protection (dm-integrity), use of Argon2 Password-Based +Key Derivation Function and the LUKS2 on-disk format itself are new +features and can contain some bugs. + +To provide all security features of authenticated encryption, we need +a better nonce-reuse resistant algorithm in the kernel (see note below). +For now, please use authenticated encryption as an experimental feature. + +Please do not use LUKS2 without properly configured backup or in +production systems that need to be compatible with older systems. + +Changes since version 2.0.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Expose interface to unbound LUKS2 keyslots. + Unbound LUKS2 keyslot allows storing a key material that is independent + of master volume key (it is not bound to encrypted data segment). + +* New API extensions for unbound keyslots (LUKS2 only) + crypt_keyslot_get_key_size() and crypt_volume_key_get() + These functions allow to get key and key size for unbound keyslots. + +* New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only). + +* Add --unbound keyslot option to the cryptsetup luksAddKey command. + +* Add crypt_get_active_integrity_failures() call to get integrity + failure count for dm-integrity devices. + +* Add crypt_get_pbkdf_default() function to get per-type PBKDF default + setting. + +* Add new flag to crypt_keyslot_add_by_key() to force update device + volume key. This call is mainly intended for a wrapped key change. + +* Allow volume key store in a file with cryptsetup. + The --dump-master-key together with --master-key-file allows cryptsetup + to store the binary volume key to a file instead of standard output. + +* Add support detached header for cryptsetup-reencrypt command. + +* Fix VeraCrypt PIM handling - use proper iterations count formula + for PBKDF2-SHA512 and PBKDF2-Whirlpool used in system volumes. + +* Fix cryptsetup tcryptDump for VeraCrypt PIM (support --veracrypt-pim). + +* Add --with-default-luks-format configure time option. + (Option to override default LUKS format version.) + +* Fix LUKS version conversion for detached (and trimmed) LUKS headers. + +* Add luksConvertKey cryptsetup command that converts specific keyslot + from one PBKDF to another. + +* Do not allow conversion to LUKS2 if LUKSMETA (external tool metadata) + header is detected. + +* More cleanup and hardening of LUKS2 keyslot specific validation options. + Add more checks for cipher validity before writing metadata on-disk. + +* Do not allow LUKS1 version downconversion if the header contains tokens. + +* Add "paes" family ciphers (AES wrapped key scheme for mainframes) + to allowed ciphers. + Specific wrapped ley configuration logic must be done by 3rd party tool, + LUKS2 stores only keyslot material and allow activation of the device. + +* Add support for --check-at-most-once option (kernel 4.17) to veritysetup. + This flag can be dangerous; if you can control underlying device + (you can change its content after it was verified) it will no longer + prevent reading tampered data and also it does not prevent silent + data corruptions that appear after the block was once read. + +* Fix return code (EPERM instead of EINVAL) and retry count for bad + passphrase on non-tty input. + +* Enable support for FEC decoding in veritysetup to check dm-verity devices + with additional Reed-Solomon code in userspace (verify command). + +Unfinished things & TODO for next releases +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* There will be better documentation and examples (planned for 2.0.4). + +* There will be some more formal definition of the threat model for integrity + protection. (And a link to some papers discussing integrity protection, + once it is, hopefully, accepted and published.) + +* Authenticated encryption will use new algorithms from CAESAR competition + https://competitions.cr.yp.to/caesar-submissions.html. + We plan to use AEGIS and MORUS, as CAESAR finalists. + + NOTE: Currently available authenticated modes (GCM, Chacha20-poly1305) + in the kernel have too small 96-bit nonces that are problematic with + randomly generated IVs (the collision probability is not negligible). + +* Authenticated encryption do not set encryption for a dm-integrity journal. + + While it does not influence data confidentiality or integrity protection, + an attacker can get some more information from data journal or cause that + system will corrupt sectors after journal replay. (That corruption will be + detected though.) + +* There are examples of user-defined tokens inside misc/luks2_keyslot_example + directory (like a simple external program that uses libssh to unlock LUKS2 + using remote keyfile). + +* The python binding (pycryptsetup) contains only basic functionality for LUKS1 + (it is not updated for new features) and will be REMOVED in version 2.1 + in favor of python bindings to the libblockdev library. + See https://github.com/storaged-project/libblockdev/releases/tag/2.17-1 that + already supports LUKS2 and VeraCrypt devices handling through libcryptsetup. diff --git a/docs/v2.0.4-ReleaseNotes b/docs/v2.0.4-ReleaseNotes new file mode 100644 index 0000000..9731f59 --- /dev/null +++ b/docs/v2.0.4-ReleaseNotes @@ -0,0 +1,119 @@ +Cryptsetup 2.0.4 Release Notes +============================== +Stable bug-fix release with new features. + +Cryptsetup 2.x version introduces a new on-disk LUKS2 format. + +The legacy LUKS (referenced as LUKS1) will be fully supported +forever as well as a traditional and fully backward compatible format. + +Please note that authenticated disk encryption, non-cryptographic +data integrity protection (dm-integrity), use of Argon2 Password-Based +Key Derivation Function and the LUKS2 on-disk format itself are new +features and can contain some bugs. + +To provide all security features of authenticated encryption, we need +a better nonce-reuse resistant algorithm in the kernel (see note below). +For now, please use authenticated encryption as an experimental feature. + +Please do not use LUKS2 without properly configured backup or in +production systems that need to be compatible with older systems. + +Changes since version 2.0.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Use the libblkid (blockid) library to detect foreign signatures + on a device before LUKS format and LUKS2 auto-recovery. + + This change fixes an unexpected recovery using the secondary + LUKS2 header after a device was already overwritten with + another format (filesystem or LVM physical volume). + + LUKS2 will not recreate a primary header if it detects a valid + foreign signature. In this situation, a user must always + use cryptsetup repair command for the recovery. + + Note that libcryptsetup and utilities are now linked to libblkid + as a new dependence. + + To compile code without blockid support (strongly discouraged), + use --disable-blkid configure switch. + +* Add prompt for format and repair actions in cryptsetup and + integritysetup if foreign signatures are detected on the device + through the blockid library. + + After the confirmation, all known signatures are then wiped as + part of the format or repair procedure. + +* Print consistent verbose message about keyslot and token numbers. + For keyslot actions: Key slot <number> unlocked/created/removed. + For token actions: Token <number> created/removed. + +* Print error, if a non-existent token is tried to be removed. + +* Add support for LUKS2 token definition export and import. + + The token command now can export/import customized token JSON file + directly from command line. See the man page for more details. + +* Add support for new dm-integrity superblock version 2. + +* Add an error message when nothing was read from a key file. + +* Update cryptsetup man pages, including --type option usage. + +* Add a snapshot of LUKS2 format specification to documentation + and accordingly fix supported secondary header offsets. + +* Add bundled optimized Argon2 SSE (X86_64 platform) code. + + If the bundled Argon2 code is used and the new configure switch + --enable-internal-sse-argon2 option is present, and compiler flags + support required optimization, the code will try to use optimized + and faster variant. + + Always use the shared library (--enable-libargon2) if possible. + + This option was added because an enterprise distribution + rejected to support the shared Argon2 library and native support + in generic cryptographic libraries is not ready yet. + +* Fix compilation with crypto backend for LibreSSL >= 2.7.0. + LibreSSL introduced OpenSSL 1.1.x API functions, so compatibility + wrapper must be commented out. + +* Fix on-disk header size calculation for LUKS2 format if a specific + data alignment is requested. Until now, the code used default size + that could be wrong for converted devices. + +Unfinished things & TODO for next releases +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* Authenticated encryption will use new algorithms from CAESAR competition + https://competitions.cr.yp.to/caesar-submissions.html. + We plan to use AEGIS and MORUS (in kernel 4.18), as CAESAR finalists. + + NOTE: Currently available authenticated modes (GCM, Chacha20-poly1305) + in the kernel have too small 96-bit nonces that are problematic with + randomly generated IVs (the collision probability is not negligible). + + For more info about LUKS2 authenticated encryption, please see our paper + https://arxiv.org/abs/1807.00309 + +* Authenticated encryption do not set encryption for a dm-integrity journal. + + While it does not influence data confidentiality or integrity protection, + an attacker can get some more information from data journal or cause that + system will corrupt sectors after journal replay. (That corruption will be + detected though.) + +* There are examples of user-defined tokens inside misc/luks2_keyslot_example + directory (like a simple external program that uses libssh to unlock LUKS2 + using remote keyfile). + +* The python binding (pycryptsetup) contains only basic functionality for LUKS1 + (it is not updated for new features) and will be REMOVED in version 2.1 + in favor of python bindings to the libblockdev library. + See https://github.com/storaged-project/libblockdev/releases that + already supports LUKS2 and VeraCrypt devices handling through libcryptsetup. + diff --git a/docs/v2.0.5-ReleaseNotes b/docs/v2.0.5-ReleaseNotes new file mode 100644 index 0000000..907d5aa --- /dev/null +++ b/docs/v2.0.5-ReleaseNotes @@ -0,0 +1,102 @@ +Cryptsetup 2.0.5 Release Notes +============================== +Stable bug-fix release with new features. + +Cryptsetup 2.x version introduces a new on-disk LUKS2 format. + +The legacy LUKS (referenced as LUKS1) will be fully supported +forever as well as a traditional and fully backward compatible format. + +Please note that authenticated disk encryption, non-cryptographic +data integrity protection (dm-integrity), use of Argon2 Password-Based +Key Derivation Function and the LUKS2 on-disk format itself are new +features and can contain some bugs. + +Please do not use LUKS2 without properly configured backup or in +production systems that need to be compatible with older systems. + +Changes since version 2.0.4 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Wipe full header areas (including unused) during LUKS format. + + Since this version, the whole area up to the data offset is zeroed, + and subsequently, all keyslots areas are wiped with random data. + This ensures that no remaining old data remains in the LUKS header + areas, but it could slow down format operation on some devices. + Previously only first 4k (or 32k for LUKS2) and the used keyslot + was overwritten in the format operation. + +* Several fixes to error messages that were unintentionally replaced + in previous versions with a silent exit code. + More descriptive error messages were added, including error + messages if + - a device is unusable (not a block device, no access, etc.), + - a LUKS device is not detected, + - LUKS header load code detects unsupported version, + - a keyslot decryption fails (also happens in the cipher check), + - converting an inactive keyslot. + +* Device activation fails if data area overlaps with LUKS header. + +* Code now uses explicit_bzero to wipe memory if available + (instead of own implementation). + +* Additional VeraCrypt modes are now supported, including Camellia + and Kuznyechik symmetric ciphers (and cipher chains) and Streebog + hash function. These were introduced in a recent VeraCrypt upstream. + + Note that Kuznyechik requires out-of-tree kernel module and + Streebog hash function is available only with the gcrypt cryptographic + backend for now. + +* Fixes static build for integritysetup if the pwquality library is used. + +* Allows passphrase change for unbound keyslots. + +* Fixes removed keyslot number in verbose message for luksKillSlot, + luksRemoveKey and erase command. + +* Adds blkid scan when attempting to open a plain device and warn the user + about existing device signatures in a ciphertext device. + +* Remove LUKS header signature if luksFormat fails to add the first keyslot. + +* Remove O_SYNC from device open and use fsync() to speed up + wipe operation considerably. + +* Create --master-key-file in luksDump and fail if the file already exists. + +* Fixes a bug when LUKS2 authenticated encryption with a detached header + wiped the header device instead of dm-integrity data device area (causing + unnecessary LUKS2 header auto recovery). + +Unfinished things & TODO for next releases +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* Authenticated encryption should use new algorithms from CAESAR competition + https://competitions.cr.yp.to/caesar-submissions.html. + AEGIS and MORUS are already available in kernel 4.18. + + For more info about LUKS2 authenticated encryption, please see our paper + https://arxiv.org/abs/1807.00309 + + Please note that authenticated encryption is still an experimental feature + and can have performance problems for hish-speed devices and device + with larger IO blocks (like RAID). + +* Authenticated encryption do not set encryption for a dm-integrity journal. + + While it does not influence data confidentiality or integrity protection, + an attacker can get some more information from data journal or cause that + system will corrupt sectors after journal replay. (That corruption will be + detected though.) + +* There are examples of user-defined tokens inside misc/luks2_keyslot_example + directory (like a simple external program that uses libssh to unlock LUKS2 + using remote keyfile). + +* The python binding (pycryptsetup) contains only basic functionality for LUKS1 + (it is not updated for new features) and will be REMOVED in version 2.1 + in favor of python bindings to the libblockdev library. + See https://github.com/storaged-project/libblockdev/releases that + already supports LUKS2 and VeraCrypt devices handling through libcryptsetup. diff --git a/docs/v2.0.6-ReleaseNotes b/docs/v2.0.6-ReleaseNotes new file mode 100644 index 0000000..7fe276a --- /dev/null +++ b/docs/v2.0.6-ReleaseNotes @@ -0,0 +1,97 @@ +Cryptsetup 2.0.6 Release Notes +============================== +Stable bug-fix release. +All users of cryptsetup 2.0.x should upgrade to this version. + +Cryptsetup 2.x version introduces a new on-disk LUKS2 format. + +The legacy LUKS (referenced as LUKS1) will be fully supported +forever as well as a traditional and fully backward compatible format. + +Please note that authenticated disk encryption, non-cryptographic +data integrity protection (dm-integrity), use of Argon2 Password-Based +Key Derivation Function and the LUKS2 on-disk format itself are new +features and can contain some bugs. + +Please do not use LUKS2 without properly configured backup or in +production systems that need to be compatible with older systems. + +Changes since version 2.0.5 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Fix support of larger metadata areas in LUKS2 header. + + This release properly supports all specified metadata areas, as documented + in LUKS2 format description (see docs/on-disk-format-luks2.pdf in archive). + + Currently, only default metadata area size is used (in format or convert). + Later cryptsetup versions will allow increasing this metadata area size. + +* If AEAD (authenticated encryption) is used, cryptsetup now tries to check + if the requested AEAD algorithm with specified key size is available + in kernel crypto API. + This change avoids formatting a device that cannot be later activated. + + For this function, the kernel must be compiled with the + CONFIG_CRYPTO_USER_API_AEAD option enabled. + Note that kernel user crypto API options (CONFIG_CRYPTO_USER_API and + CONFIG_CRYPTO_USER_API_SKCIPHER) are already mandatory for LUKS2. + +* Fix setting of integrity no-journal flag. + Now you can store this flag to metadata using --persistent option. + +* Fix cryptsetup-reencrypt to not keep temporary reencryption headers + if interrupted during initial password prompt. + +* Adds early check to plain and LUKS2 formats to disallow device format + if device size is not aligned to requested sector size. + Previously it was possible, and the device was rejected to activate by + kernel later. + +* Fix checking of hash algorithms availability for PBKDF early. + Previously LUKS2 format allowed non-existent hash algorithm with + invalid keyslot preventing the device from activation. + +* Allow Adiantum cipher construction (a non-authenticated length-preserving + fast encryption scheme), so it can be used both for data encryption and + keyslot encryption in LUKS1/2 devices. + + For benchmark, use: + # cryptsetup benchmark -c xchacha12,aes-adiantum + # cryptsetup benchmark -c xchacha20,aes-adiantum + + For LUKS format: + # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 <device> + + The support for Adiantum will be merged in Linux kernel 4.21. + For more info see the paper https://eprint.iacr.org/2018/720. + +Unfinished things & TODO for next releases +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* Authenticated encryption should use new algorithms from CAESAR competition + https://competitions.cr.yp.to/caesar-submissions.html. + AEGIS and MORUS are already available in kernel 4.18. + + For more info about LUKS2 authenticated encryption, please see our paper + https://arxiv.org/abs/1807.00309 + + Please note that authenticated encryption is still an experimental feature + and can have performance problems for high-speed devices and device + with larger IO blocks (like RAID). + +* Authenticated encryption do not set encryption for a dm-integrity journal. + + While it does not influence data confidentiality or integrity protection, + an attacker can get some more information from data journal or cause that + system will corrupt sectors after journal replay. (That corruption will be + detected though.) + +* There are examples of user-defined tokens inside misc/luks2_keyslot_example + directory (like a simple external program that uses libssh to unlock LUKS2 + using remote keyfile). + +* The python binding (pycryptsetup) contains only basic functionality for LUKS1 + (it is not updated for new features) and will be REMOVED in version 2.1 + in favor of python bindings to the libblockdev library. + See https://github.com/storaged-project/libblockdev/releases that + already supports LUKS2 and VeraCrypt devices handling through libcryptsetup. diff --git a/docs/v2.1.0-ReleaseNotes b/docs/v2.1.0-ReleaseNotes new file mode 100644 index 0000000..36d2247 --- /dev/null +++ b/docs/v2.1.0-ReleaseNotes @@ -0,0 +1,210 @@ +Cryptsetup 2.1.0 Release Notes +============================== +Stable release with new features and bug fixes. + +Cryptsetup 2.1 version uses a new on-disk LUKS2 format as the default +LUKS format and increases default LUKS2 header size. + +The legacy LUKS (referenced as LUKS1) will be fully supported forever +as well as a traditional and fully backward compatible format. + +When upgrading a stable distribution, please use configure option +--with-default-luks-format=LUKS1 to maintain backward compatibility. + +This release also switches to OpenSSL as a default cryptographic +backend for LUKS header processing. Use --with-crypto_backend=gcrypt +configure option if you need to preserve legacy libgcrypt backend. + +Please do not use LUKS2 without properly configured backup or +in production systems that need to be compatible with older systems. + +Changes since version 2.0.6 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* The default for cryptsetup LUKS format action is now LUKS2. + You can use LUKS1 with cryptsetup option --type luks1. + +* The default size of the LUKS2 header is increased to 16 MB. + It includes metadata and the area used for binary keyslots; + it means that LUKS header backup is now 16MB in size. + + Note, that used keyslot area is much smaller, but this increase + of reserved space allows implementation of later extensions + (like online reencryption). + It is fully compatible with older cryptsetup 2.0.x versions. + If you require to create LUKS2 header with the same size as + in the 2.0.x version, use --offset 8192 option for luksFormat + (units are in 512-bytes sectors; see notes below). + +* Cryptsetup now doubles LUKS default key size if XTS mode is used + (XTS mode uses two internal keys). This does not apply if key size + is explicitly specified on the command line and it does not apply + for the plain mode. + This fixes a confusion with AES and 256bit key in XTS mode where + code used AES128 and not AES256 as often expected. + + Also, the default keyslot encryption algorithm (if cannot be derived + from data encryption algorithm) is now available as configure + options --with-luks2-keyslot-cipher and --with-luks2-keyslot-keybits. + The default is aes-xts-plain64 with 2 * 256-bits key. + +* Default cryptographic backend used for LUKS header processing is now + OpenSSL. For years, OpenSSL provided better performance for PBKDF. + + NOTE: Cryptsetup/libcryptsetup supports several cryptographic + library backends. The fully supported are libgcrypt, OpenSSL and + kernel crypto API. FIPS mode extensions are maintained only for + libgcrypt and OpenSSL. Nettle and NSS are usable only for some + subset of algorithms and cannot provide full backward compatibility. + You can always switch to other backends by using a configure switch, + for libgcrypt (compatibility for older distributions) use: + --with-crypto_backend=gcrypt + +* The Python bindings are no longer supported and the code was removed + from cryptsetup distribution. Please use the libblockdev project + that already covers most of the libcryptsetup functionality + including LUKS2. + +* Cryptsetup now allows using --offset option also for luksFormat. + It means that the specified offset value is used for data offset. + LUKS2 header areas are automatically adjusted according to this value. + (Note units are in 512-byte sectors due to the previous definition + of this option in plain mode.) + This option can replace --align-payload with absolute alignment value. + +* Cryptsetup now supports new refresh action (that is the alias for + "open --refresh"). + It allows changes of parameters for an active device (like root + device mapping), for example, it can enable or disable TRIM support + on-the-fly. + It is supported for LUKS1, LUKS2, plain and loop-AES devices. + +* Integritysetup now supports mode with detached data device through + new --data-device option. + Since kernel 4.18 there is a possibility to specify external data + device for dm-integrity that stores all integrity tags. + +* Integritysetup now supports automatic integrity recalculation + through new --integrity-recalculate option. + Linux kernel since version 4.18 supports automatic background + recalculation of integrity tags for dm-integrity. + +Other changes and fixes +~~~~~~~~~~~~~~~~~~~~~~~ + +* Fix for crypt_wipe call to allocate space if the header is backed + by a file. This means that if you use detached header file, it will + now have always the full size after luksFormat, even if only + a few keyslots are used. + +* Fixes to offline cryptsetup-reencrypt to preserve LUKS2 keyslots + area sizes after reencryption and fixes for some other issues when + creating temporary reencryption headers. + +* Added some FIPS mode workarounds. We cannot (yet) use Argon2 in + FIPS mode, libcryptsetup now fallbacks to use PBKDF2 in FIPS mode. + +* Rejects conversion to LUKS1 if PBKDF2 hash algorithms + in keyslots differ. + +* The hash setting on command line now applies also to LUKS2 PBKDF2 + digest. In previous versions, the LUKS2 key digest used PBKDF2-SHA256 + (except for converted headers). + +* Allow LUKS2 keyslots area to increase if data offset allows it. + Cryptsetup can fine-tune LUKS2 metadata area sizes through + --luks2-metadata-size=BYTES and --luks2-keyslots-size=BYTES. + Please DO NOT use these low-level options until you need it for + some very specific additional feature. + Also, the code now prints these LUKS2 header area sizes in dump + command. + +* For LUKS2, keyslot can use different encryption that data with + new options --keyslot-key-size=BITS and --keyslot-cipher=STRING + in all commands that create new LUKS keyslot. + Please DO NOT use these low-level options until you need it for + some very specific additional feature. + +* Code now avoids data flush when reading device status through + device-mapper. + +* The Nettle crypto backend and the userspace kernel crypto API + backend were enhanced to allow more available hash functions + (like SHA3 variants). + +* Upstream code now does not require libgcrypt-devel + for autoconfigure, because OpenSSL is the default. + The libgcrypt does not use standard pkgconfig detection and + requires specific macro (part of libgcrypt development files) + to be always present during autoconfigure. + With other crypto backends, like OpenSSL, this makes no sense, + so this part of autoconfigure is now optional. + +* Cryptsetup now understands new --debug-json option that allows + an additional dump of some JSON information. These are no longer + present in standard debug output because it could contain some + specific LUKS header parameters. + +* The luksDump contains the hash algorithm used in Anti-Forensic + function. + +* All debug messages are now sent through configured log callback + functions, so an application can easily use own debug messages + handling. In previous versions debug messages were printed directly + to standard output.) + +Libcryptsetup API additions +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +These new calls are now exported, for details see libcryptsetup.h: + + * crypt_init_data_device + * crypt_get_metadata_device_name + functions to init devices with separate metadata and data device + before a format function is called. + + * crypt_set_data_offset + sets the data offset for LUKS to the specified value + in 512-byte sectors. + It should replace alignment calculation in LUKS param structures. + + * crypt_get_metadata_size + * crypt_set_metadata_size + allows to set/get area sizes in LUKS header + (according to specification). + + * crypt_get_default_type + get default compiled-in LUKS type (version). + + * crypt_get_pbkdf_type_params + allows to get compiled-in PBKDF parameters. + + * crypt_keyslot_set_encryption + * crypt_keyslot_get_encryption + allows to set/get per-keyslot encryption algorithm for LUKS2. + + * crypt_keyslot_get_pbkdf + allows to get PBKDF parameters per-keyslot. + + and these new defines: + * CRYPT_LOG_DEBUG_JSON (message type for JSON debug) + * CRYPT_DEBUG_JSON (log level for JSON debug) + * CRYPT_ACTIVATE_RECALCULATE (dm-integrity recalculate flag) + * CRYPT_ACTIVATE_REFRESH (new open with refresh flag) + +All existing API calls should remain backward compatible. + +Unfinished things & TODO for next releases +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* Optional authenticated encryption is still an experimental feature + and can have performance problems for high-speed devices and device + with larger IO blocks (like RAID). + +* Authenticated encryption does not use encryption for a dm-integrity + journal. While it does not influence data confidentiality or + integrity protection, an attacker can get some more information + from data journal or cause that system will corrupt sectors after + journal replay. (That corruption will be detected though.) + +* The LUKS2 metadata area increase is mainly needed for the new online + reencryption as the major feature for the next release. diff --git a/docs/v2.2.0-ReleaseNotes b/docs/v2.2.0-ReleaseNotes new file mode 100644 index 0000000..b1fd363 --- /dev/null +++ b/docs/v2.2.0-ReleaseNotes @@ -0,0 +1,279 @@ +Cryptsetup 2.2.0 Release Notes +============================== +Stable release with new experimental features and bug fixes. + +Cryptsetup 2.2 version introduces a new LUKS2 online reencryption +extension that allows reencryption of mounted LUKS2 devices +(device in use) in the background. + +Online reencryption is a complex feature. Please be sure you +have a full data backup before using this feature. + +Changes since version 2.1.0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +LUKS2 online reencryption +~~~~~~~~~~~~~~~~~~~~~~~~~ + +The reencryption is intended to provide a reliable way to change +volume key or an algorithm change while the encrypted device is still +in use. + +It is based on userspace-only approach (no kernel changes needed) +that uses the device-mapper subsystem to remap active devices on-the-fly +dynamically. The device is split into several segments (encrypted by old +key, new key and so-called hotzone, where reencryption is actively running). + +The flexible LUKS2 metadata format is used to store intermediate states +(segment mappings) and both version of keyslots (old and new keys). +Also, it provides a binary area (in the unused keyslot area space) +to provide recovery metadata in the case of unexpected failure during +reencryption. LUKS2 header is during the reencryption marked with +"online-reencryption" keyword. After the reencryption is finished, +this keyword is removed, and the device is backward compatible with all +older cryptsetup tools (that support LUKS2). + +The recovery supports three resilience modes: + + - checksum: default mode, where individual checksums of ciphertext hotzone + sectors are stored, so the recovery process can detect which sectors were + already reencrypted. It requires that the device sector write is atomic. + + - journal: the hotzone is journaled in the binary area + (so the data are written twice) + + - none: performance mode; there is no protection + (similar to old offline reencryption) + +These resilience modes are not available if reencryption uses data shift. + +Note: until we have full documentation (both of the process and metadata), +please refer to Ondrej's slides (some slight details are no longer relevant) +https://okozina.fedorapeople.org/online-disk-reencryption-with-luks2-compact.pdf + +The offline reencryption tool (cryptsetup-reencrypt) is still supported +for both LUKS1 and LUKS2 format. + +Cryptsetup examples for reencryption +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The reencryption feature is integrated directly into cryptsetup utility +as the new "reencrypt" action (command). + +There are three basic modes - to perform reencryption (change of already +existing LUKS2 device), to add encryption to plaintext device and to remove +encryption from a device (decryption). + +In all cases, if existing LUKS2 metadata contains information about +the ongoing reencryption process, following reencrypt command continues +with the ongoing reencryption process until it is finished. + +You can activate a device with ongoing reencryption as the standard LUKS2 +device, but the reencryption process will not continue until the cryptsetup +reencrypt command is issued. + + +1) Reencryption +~~~~~~~~~~~~~~~ +This mode is intended to change any attribute of the data encryption +(change of the volume key, algorithm or sector size). +Note that authenticated encryption is not yet supported. + +You can start the reencryption process by specifying a LUKS2 device or with +a detached LUKS2 header. +The code should automatically recognize if the device is in use (and if it +should use online mode of reencryption). + +If you do not specify parameters, only volume key is changed +(a new random key is generated). + +# cryptsetup reencrypt <device> [--header <hdr>] + +You can also start reencryption using active mapped device name: + # cryptsetup reencrypt --active-name <name> + +You can also specify the resilience mode (none, checksum, journal) with +--resilience=<mode> option, for checksum mode also the hash algorithm with +--resilience-hash=<alg> (only hash algorithms supported by cryptographic +backend are available). + +The maximal size of reencryption hotzone can be limited by +--hotzone-size=<size> option and applies to all reencryption modes. +Note that for checksum and journal mode hotzone size is also limited +by available space in binary keyslot area. + +2) Encryption +~~~~~~~~~~~~~ +This mode provides a way to encrypt a plaintext device to LUKS2 format. +This option requires reduction of device size (for LUKS2 header) or new +detached header. + + # cryptsetup reencrypt <device> --encrypt --reduce-device-size <size> + +Or with detached header: + # cryptsetup reencrypt <device> --encrypt --header <hdr> + +3) Decryption +~~~~~~~~~~~~~ +This mode provides the removal of existing LUKS2 encryption and replacing +a device with plaintext content only. +For now, we support only decryption with a detached header. + + # cryptsetup reencrypt <device> --decrypt --header <hdr> + +For all three modes, you can split the process to metadata initialization +(prepare keyslots and segments but do not run reencryption yet) and the data +reencryption step by using --init-only option. + +Prepares metadata: + # cryptsetup reencrypt --init-only <parameters> + +Starts the data processing: + # cryptsetup reencrypt <device> + +Please note, that due to the Linux kernel limitation, the encryption or +decryption process cannot be run entirely online - there must be at least +short offline window where operation adds/removes device-mapper crypt (LUKS2) layer. +This step should also include modification of /etc/crypttab and fstab UUIDs, +but it is out of the scope of cryptsetup tools. + +Limitations +~~~~~~~~~~~ +Most of these limitations will be (hopefully) fixed in next versions. + +* Only one active keyslot is supported (all old keyslots will be removed + after reencryption). + +* Only block devices are now supported as parameters. As a workaround + for images in a file, please explicitly map a loop device over the image + and use the loop device as the parameter. + +* Devices with authenticated encryption are not supported. (Later it will + be limited by the fixed per-sector metadata, per-sector metadata size + cannot be changed without a new device format operation.) + +* The reencryption uses userspace crypto library, with fallback to + the kernel (if available). There can be some specific configurations + where the fallback does not provide optimal performance. + +* There are no translations of error messages until the final release + (some messages can be rephrased as well). + +* The repair command is not finished; the recovery of interrupted + reencryption is made automatically on the first device activation. + +* Reencryption triggers too many udev scans on metadata updates (on closing + write enabled file descriptors). This has a negative performance impact on the whole + reencryption and generates excessive I/O load on the system. + +New libcryptsetup reencryption API +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +The libcryptsetup contains new API calls that are used to setup and +run the reencryption. + +Note that there can be some changes in API implementation of these functions +and/or some new function can be introduced in final cryptsetup 2.2 release. + +New API symbols (see documentation in libcryptsetup.h) +* struct crypt_params_reencrypt - reencryption parameters + +* crypt_reencrypt_init_by_passphrase +* crypt_reencrypt_init_by_keyring + - function to configure LUKS2 metadata for reencryption; + if metadata already exists, it configures the context from this metadata + +* crypt_reencrypt + - run the reencryption process (processing the data) + - the optional callback function can be used to interrupt the reencryption + or report the progress. + +* crypt_reencrypt_status + - function to query LUKS2 metadata about the reencryption state + +Other changes and fixes +~~~~~~~~~~~~~~~~~~~~~~~ +* Add optional global serialization lock for memory hard PBKDF. + (The --serialize-memory-hard-pbkdf option in cryptsetup and + CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF in activation flag.) + + This is an "ugly" optional workaround for a situation when multiple devices + are being activated in parallel (like systemd crypttab activation). + The system instead of returning ENOMEM (no memory available) starts + out-of-memory (OOM) killer to kill processes randomly. + + Until we find a reliable way how to work with memory-hard function + in these situations, cryptsetup provide a way how to serialize memory-hard + unlocking among parallel cryptsetup instances to workaround this problem. + This flag is intended to be used only in very specific situations, + never use it directly :-) + +* Abort conversion to LUKS1 with incompatible sector size that is + not supported in LUKS1. + +* Report error (-ENOENT) if no LUKS keyslots are available. User can now + distinguish between a wrong passphrase and no keyslot available. + +* Fix a possible segfault in detached header handling (double free). + +* Add integritysetup support for bitmap mode introduced in Linux kernel 5.2. + Integritysetup now supports --integrity-bitmap-mode option and + --bitmap-sector-per-bit and --bitmap-flush-time commandline options. + + In the bitmap operation mode, if a bit in the bitmap is 1, the corresponding + region's data and integrity tags are not synchronized - if the machine + crashes, the unsynchronized regions will be recalculated. + The bitmap mode is faster than the journal mode because we don't have + to write the data twice, but it is also less reliable, because if data + corruption happens when the machine crashes, it may not be detected. + This can be used only for standalone devices, not with dm-crypt. + +* The libcryptsetup now keeps all file descriptors to underlying device + open during the whole lifetime of crypt device context to avoid excessive + scanning in udev (udev run scan on every descriptor close). + +* The luksDump command now prints more info for reencryption keyslot + (when a device is in-reencryption). + +* New --device-size parameter is supported for LUKS2 reencryption. + It may be used to encrypt/reencrypt only the initial part of the data + device if the user is aware that the rest of the device is empty. + + Note: This change causes API break since the last rc0 release + (crypt_params_reencrypt structure contains additional field). + +* New --resume-only parameter is supported for LUKS2 reencryption. + This flag resumes reencryption process if it exists (not starting + new reencryption). + +* The repair command now tries LUKS2 reencryption recovery if needed. + +* If reencryption device is a file image, an interactive dialog now + asks if reencryption should be run safely in offline mode + (if autodetection of active devices failed). + +* Fix activation through a token where dm-crypt volume key was not + set through keyring (but using old device-mapper table parameter mode). + +* Online reencryption can now retain all keyslots (if all passphrases + are provided). Note that keyslot numbers will change in this case. + +* Allow volume key file to be used if no LUKS2 keyslots are present. + If all keyslots are removed, LUKS2 has no longer information about + the volume key size (there is only key digest present). + Please use --key-size option to open the device or add a new keyslot + in these cases. + +* Print a warning if online reencrypt is called over LUKS1 (not supported). + +* Fix TCRYPT KDF failure in FIPS mode. + Some crypto backends support plain hash in FIPS mode but not for PBKDF2. + +* Remove FIPS mode restriction for crypt_volume_key_get. + It is an application responsibility to use this API in the proper context. + +* Reduce keyslots area size in luksFormat when the header device is too small. + Unless user explicitly asks for keyslots areas size (either via + --luks2-keyslots-size or --offset) reduce keyslots size so that it fits + in metadata device. + +* Make resize action accept --device-size parameter (supports units suffix). diff --git a/docs/v2.2.1-ReleaseNotes b/docs/v2.2.1-ReleaseNotes new file mode 100644 index 0000000..34bacc1 --- /dev/null +++ b/docs/v2.2.1-ReleaseNotes @@ -0,0 +1,36 @@ +Cryptsetup 2.2.1 Release Notes +============================== +Stable bug-fix release. + +This version contains a fix for a possible data corruption bug +on 32-bit platforms. +All users of cryptsetup 2.1 and 2.2 should upgrade to this version. + +Changes since version 2.2.0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Fix possible data length and IV offset overflow on 32bit architectures. + Other 64-bit architectures are not affected. + + The flawed helper function prototypes (introduced in version 2.1.0) used + size_t type, that is 32-bit integer on 32-bit systems. + This patch fixes the problem to properly use 64-bit types. + + If the offset parameter addresses devices larger than 2TB, the value + overflows and stores incorrect information in the metadata. + For example, integrity device is smaller than expected size if used + over large disk on 32-bit architecture. + + This issue is not present with the standard LUKS1/LUKS2 devices without + integrity extensions. + +* Fix a regression in TrueCrypt/VeraCrypt system partition activation. + +* Reinstate missing backing file hint for loop device. + + If the encrypted device is backed by a file (loopback), cryptsetup now + shows the path to the backing file in passphrase query (as in 1.x version). + +* LUKS2 reencryption block size is now aligned to reported optimal IO size. + This change eliminates possible non-aligned device warnings in kernel log + during reencryption. diff --git a/docs/v2.2.2-ReleaseNotes b/docs/v2.2.2-ReleaseNotes new file mode 100644 index 0000000..9e68641 --- /dev/null +++ b/docs/v2.2.2-ReleaseNotes @@ -0,0 +1,56 @@ +Cryptsetup 2.2.2 Release Notes +============================== +Stable bug-fix release. + +All users of cryptsetup 2.1 and 2.2 should upgrade to this version. + +Changes since version 2.2.1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Print error message if a keyslot open failed for a different reason + than wrong passwords (for example there is not enough memory). + Only an exit code was present in this case. + +* The progress function switches unit sizes (B/s to GiB/s) according + to the actual speed. Also, it properly calculates speed in the case + of a resumed reencryption operation. + +* The --version now supports short -V short option and better handles + common option priorities. + +* If cryptsetup wipes signatures during format actions through blkid, + it also prints signature device offsets. + +* Compilation now properly uses LTLIBINTL gettext setting in Makefiles. + +* Device-mapper backend now supports new DM_GET_TARGET_VERSION ioctl + (available since Linux kernel 5.4). + This should help to detect some kernel/userspace incompatibilities + earlier later after a failed device activation. + +* Fixes LUKS2 reencryption on systems without kernel keyring. + +* Fixes unlocking prompt for partitions mapped through loop devices + (to properly show the backing device). + +* For LUKS2 decryption, a device is now marked for deferred removal + to be automatically deactivated. + +* Reencryption now limits hotzone size to be maximal 1 GiB or 1/4 + system memory (if lower). + +* Reencryption now retains activation flags during online reencryption. + +* Reencryption now allows LUKS2 device to activate device right after + LUKS2 encryption is initialized through optional active device name + for cryptsetup reencrypt --encrypt command. + This could help with automated encryption during boot. + + NOTE: It means that part of the device is still not encrypted during + activation. Use with care! + +* Fixes failure in resize and plain format activation if activated device + size was not aligned to underlying logical device size. + +* Fixes conversion to LUKS2 format with detached header if a detached + header size was smaller than the expected aligned LUKS1 header size. diff --git a/docs/v2.3.0-ReleaseNotes b/docs/v2.3.0-ReleaseNotes new file mode 100644 index 0000000..2b582c3 --- /dev/null +++ b/docs/v2.3.0-ReleaseNotes @@ -0,0 +1,209 @@ +Cryptsetup 2.3.0 Release Notes +============================== +Stable release with new experimental features and bug fixes. + +Cryptsetup 2.3 version introduces support for BitLocker-compatible +devices (BITLK format). This format is used in Windows systems, +and in combination with a filesystem driver, cryptsetup now provides +native read-write access to BitLocker Full Disk Encryption devices. + +The BITLK implementation is based on publicly available information +and it is an independent and opensource implementation that allows +to access this proprietary disk encryption. + +Changes since version 2.2.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* BITLK (Windows BitLocker compatible) device access + + BITLK userspace implementation is based on the master thesis and code + provided by Vojtech Trefny. Also, thanks to other opensource projects + like libbde (that provide alternative approach to decode this format) + we were able to verify cryptsetup implementation. + + NOTE: Support for the BITLK device is EXPERIMENTAL and will require + a lot of testing. If you get some error message (mainly unsupported + metadata in the on-disk header), please help us by submitting an issue + to cryptsetup project, so we can fix it. Thank you! + + Cryptsetup supports BITLK activation through passphrase or recovery + passphrase for existing devices (BitLocker and Bitlocker to Go). + + Activation through TPM, SmartCard, or any other key protector + is not supported. And in some situations, mainly for TPM bind to some + PCR registers, it could be even impossible on Linux in the future. + + All metadata (key protectors) are handled read-only, cryptsetup cannot + create or modify them. Except for old devices (created in old Vista + systems), all format variants should be recognized. + + Data devices can be activated read-write (followed by mounting through + the proper filesystem driver). To access filesystem on the decrypted device + you need properly installed driver (vfat, NTFS or exFAT). + + Foe AES-XTS, activation is supported on all recent Linux kernels. + + For older AES-CBC encryption, Linux Kernel version 5.3 is required + (support for special IV variant); for AES-CBC with Elephant diffuser, + Linux Kernel 5.6 is required. + + Please note that CBC variants are legacy, and we provide it only + for backward compatibility (to be able to access old drives). + + Cryptsetup command now supports the new "bitlk" format and implement dump, + open, status, and close actions. + + To activate a BITLK device, use + + # cryptsetup open --type bitlk <device> <name> + or with alias + # cryptsetup bitlkOpen <device> <name> + + Then with properly installed fs driver (usually NTFS, vfat or exFAT), + you can mount the plaintext device /dev/mapper<name> device as a common + filesystem. + + To print metadata information about BITLK device, use + # crypotsetup bitlkDump <device> + + To print information about the active device, use + # cryptsetup status <name> + + Example (activation of disk image): + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + # Recent blkid recognizes BitLocker device,just to verity + # blkid bitlocker_xts_ntfs.img + bitlocker_xts_ntfs.img: TYPE="BitLocker" + + # Print visible metadata information (on-disk, form the image) + # cryptsetup bitlkDump bitlocker_xts_ntfs.img + Info for BITLK device bitlocker_xts_ntfs.img. + Version: 2 + GUID: ... + Created: Wed Oct 23 17:38:15 2019 + Description: DESKTOP-xxxxxxx E: 23.10.2019 + Cipher name: aes + Cipher mode: xts-plain64 + Cipher key: 128 bits + + Keyslots: + 0: VMK + GUID: ... + Protection: VMK protected with passphrase + Salt: ... + Key data size: 44 [bytes] + 1: VMK + GUID: ... + Protection: VMK protected with recovery passphrase + Salt: ... + Key data size: 44 [bytes] + 2: FVEK + Key data size: 44 [bytes] + + # Activation (recovery passphrase works the same as password) + # cryptsetup bitlkOpen bitlocker_xts_ntfs.img test -v + Enter passphrase for bitlocker_xts_ntfs.img: + Command successful. + + # Information about the active device + # cryptsetup status test + /dev/mapper/test is active. + type: BITLK + cipher: aes-xts-plain64 + keysize: 128 bits + ... + + # Plaintext device should now contain decrypted NTFS filesystem + # blkid /dev/mapper/test + /dev/mapper/test: UUID="..." TYPE="ntfs" + + # And can be mounted + # mount /dev/mapper/test /mnt/tst + + # Deactivation + # umount /mnt/tst + # cryptsetup close test + +* Veritysetup now supports activation with additional PKCS7 signature + of root hash through --root-hash-signature option. + The signature uses an in-kernel trusted key to validate the signature + of the root hash during activation. This option requires Linux kernel + 5.4 with DM_VERITY_VERIFY_ROOTHASH_SIG option. + + Verity devices activated with signature now has a special flag + (with signature) active in device status (veritysetup status <name>). + + Usage: + # veritysetup open <data_device> name <hash_device> <root_hash> \ + --root-hash-signature=<roothash_p7_sig_file> + +* Integritysetup now calculates hash integrity size according to algorithm + instead of requiring an explicit tag size. + + Previously, when integritysetup formats a device with hash or + HMAC integrity checksums, it required explicitly tag size entry from + a user (or used default value). + This led to confusion and unexpected shortened tag sizes. + + Now, libcryptsetup calculates tag size according to real hash output. + Tag size can also be specified, then it warns if these values differ. + +* Integritysetup now supports fixed padding for dm-integrity devices. + + There was an in-kernel bug that wasted a lot of space when using metadata + areas for integrity-protected devices if a larger sector size than + 512 bytes was used. + This problem affects both stand-alone dm-integrity and also LUKS2 with + authenticated encryption and larger sector size. + + The new extension to dm-integrity superblock is needed, so devices + with the new optimal padding cannot be activated on older systems. + + Integritysetup/Cryptsetup will use new padding automatically if it + detects the proper kernel. To create a compatible device with + the old padding, use --integrity-legacy-padding option. + +* A lot of fixes to online LUKS2 reecryption. + +* Add crypt_resume_by_volume_key() function to libcryptsetup. + If a user has a volume key available, the LUKS device can be resumed + directly using the provided volume key. + No keyslot derivation is needed, only the key digest is checked. + +* Implement active device suspend info. + Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags + that informs the caller that device is suspended (luksSuspend). + +* Allow --test-passphrase for a detached header. + Before this fix, we required a data device specified on the command + line even though it was not necessary for the passphrase check. + +* Allow --key-file option in legacy offline encryption. + The option was ignored for LUKS1 encryption initialization. + +* Export memory safe functions. + To make developing of some extensions simpler, we now export + functions to handle memory with proper wipe on deallocation. + +* Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot. + +Libcryptsetup API extensions +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +The libcryptsetup API is backward compatible for existing symbols. + +New symbols + crypt_set_compatibility + crypt_get_compatibility; + crypt_resume_by_volume_key; + crypt_activate_by_signed_key; + crypt_safe_alloc; + crypt_safe_realloc; + crypt_safe_free; + crypt_safe_memzero; + +New defines introduced : + CRYPT_BITLK "BITLK" - BITLK (BitLocker-compatible mode + CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING - dm-integrity legacy padding + CRYPT_VERITY_ROOT_HASH_SIGNATURE - dm-verity root hash signature + CRYPT_ACTIVATE_SUSPENDED - device suspended info flag diff --git a/docs/v2.3.1-ReleaseNotes b/docs/v2.3.1-ReleaseNotes new file mode 100644 index 0000000..1c1d365 --- /dev/null +++ b/docs/v2.3.1-ReleaseNotes @@ -0,0 +1,45 @@ +Cryptsetup 2.3.1 Release Notes +============================== +Stable bug-fix release. + +All users of cryptsetup 2.x should upgrade to this version. + +Changes since version 2.3.0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Support VeraCrypt 128 bytes passwords. + VeraCrypt now allows passwords of maximal length 128 bytes + (compared to legacy TrueCrypt where it was limited by 64 bytes). + +* Strip extra newline from BitLocker recovery keys + There might be a trailing newline added by the text editor when + the recovery passphrase was passed using the --key-file option. + +* Detect separate libiconv library. + It should fix compilation issues on distributions with iconv + implemented in a separate library. + +* Various fixes and workarounds to build on old Linux distributions. + +* Split lines with hexadecimal digest printing for large key-sizes. + +* Do not wipe the device with no integrity profile. + With --integrity none we performed useless full device wipe. + +* Workaround for dm-integrity kernel table bug. + Some kernels show an invalid dm-integrity mapping table + if superblock contains the "recalculate" bit. This causes + integritysetup to not recognize the dm-integrity device. + Integritysetup now specifies kernel options such a way that + even on unpatched kernels mapping table is correct. + +* Print error message if LUKS1 keyslot cannot be processed. + If the crypto backend is missing support for hash algorithms + used in PBKDF2, the error message was not visible. + +* Properly align LUKS2 keyslots area on conversion. + If the LUKS1 payload offset (data offset) is not aligned + to 4 KiB boundary, new LUKS2 keyslots area in now aligned properly. + +* Validate LUKS2 earlier on conversion to not corrupt the device + if binary keyslots areas metadata are not correct. diff --git a/docs/v2.3.2-ReleaseNotes b/docs/v2.3.2-ReleaseNotes new file mode 100644 index 0000000..eb0d447 --- /dev/null +++ b/docs/v2.3.2-ReleaseNotes @@ -0,0 +1,42 @@ +Cryptsetup 2.3.2 Release Notes +============================== +Stable bug-fix release. + +All users of cryptsetup 2.x should upgrade to this version. + +Changes since version 2.3.1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Support compilation with json-c library version 0.14. + +* Update FAQ document for some LUKS2 specific information. + +* Add option to dump content of LUKS2 unbound keyslot: + cryptsetup luksDump --unbound -S <slot> <device> + or optionally with --master-key-file option. + + The slot number --key-slot (-S) option is mandatory here. + + An unbound keyslot store a key is that is not assigned to data + area on disk (LUKS2 allows to store arbitrary keys). + +* Rephrase some error messages and remove redundant end-of-lines. + +* Add support for discards (TRIM) for standalone dm-integrity devices. + Linux kernel 5.7 adds support for optional discard/TRIM operation + over dm-integrity devices. + + It is now supported through --allow-discards integritysetup option. + Note you need to add this flag in all activation calls. + + Note that this option cannot be used for LUKS2 authenticated encryption + (that uses dm-integrity for storing additional per-sector metadata). + +* Fix cryptsetup-reencrypt to work on devices that do not allow + direct-io device access. + +* Fix a crash in the BitLocker-compatible code error path. + +* Fix Veracrypt compatible support for longer (>64 bytes) passphrases. + It allows some older images to be correctly opened again. + The issue was introduced in version 2.3.1. diff --git a/docs/v2.3.3-ReleaseNotes b/docs/v2.3.3-ReleaseNotes new file mode 100644 index 0000000..75471ac --- /dev/null +++ b/docs/v2.3.3-ReleaseNotes @@ -0,0 +1,42 @@ +Cryptsetup 2.3.3 Release Notes +============================== +Stable bug-fix release. + +All users of cryptsetup 2.x should upgrade to this version. + +Changes since version 2.3.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Fix BitLocker compatible device access that uses native 4kB sectors. + + Devices formatted with storage that natively support 4096-bytes + sectors can also use this sector size for encryption units. + +* Support large IV count (--iv-large-sectors) cryptsetup option + for plain device mapping. + + The large IV count is supported in dm-crypt together with larger + sector encryption. It counts the Initialization Vector (IV) in + a larger sector size instead of 512-bytes sectors. + + This option does not have any performance or security impact, + but it can be used for accessing incompatible existing disk images + from other systems. + + Only open action with plain device type and sector size > 512 bytes + are supported. + +* Fix a memory leak in BitLocker compatible handling. + +* Allow EBOIV (Initialization Vector algorithm) use. + + The EBOIV initialization vector is intended to be used internally + with BitLocker devices (for CBC mode). It can now be used also + outside of the BitLocker compatible code. + +* Require both keyslot cipher and key size options. + + If these LUKS2 keyslot parameters were not specified together, + cryptsetup silently failed. + +* Update to man pages and FAQ. diff --git a/docs/v2.3.4-ReleaseNotes b/docs/v2.3.4-ReleaseNotes new file mode 100644 index 0000000..fb5a411 --- /dev/null +++ b/docs/v2.3.4-ReleaseNotes @@ -0,0 +1,112 @@ +Cryptsetup 2.3.4 Release Notes +============================== +Stable bug-fix release with a security fix (32-bit only). + +All users of cryptsetup 2.2.x and later should upgrade to this version. + +Changes since version 2.3.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Fix a possible out-of-bounds memory write while validating LUKS2 data + segments metadata (CVE-2020-14382). + + This problem can be triggered only on 32-bit builds (64-bit systems + are not affected). + + LUKS2 format validation code contains a bug in segments validation code + where the code does not check for possible overflow on memory allocation. + + Due to the bug, the libcryptsetup can be tricked to expect such allocation + was successful. Later it may read data from image crafted by an attacker and + actually write such data beyond allocated memory. + + The bug was introduced in cryptsetup 2.2.0. All later releases until 2.3.4 + are affected. + + If you only backport the fix for this CVE, these master branch git commits + should be backported: + 52f5cb8cedf22fb3e14c744814ec8af7614146c7 + 46ee71edcd13e1dad50815ad65c28779aa6f7503 + 752c9a52798f11d3b765b673ebaa3058eb25316e + + Thanks to Tobias Stoeckmann for discovering this issue. + +* Ignore reported optimal IO size if not aligned to minimal page size. + + Some USB enclosures report bogus block device topology (see lsblk -t) that + prevents LUKS2 format with 4k sector size (reported values are not correctly + aligned). The code now ignores such values and uses the default alignment. + +* Added support for new no_read/write_wrokqueue dm-crypt options (kernel 5.9). + + These performance options, introduced in kernel 5.9, configure dm-crypt + to bypass read or write workqueues and run encryption synchronously. + + Use --perf-no_read_workqueue or --perf-no_write_workqueue cryptsetup arguments + to use these dm-crypt flags. + + These options are available only for low-level dm-crypt performance tuning, + use only if you need a change to default dm-crypt behavior. + + For LUKS2, these flags can be persistently stored in metadata with + the --persistent option. + +* Added support panic_on_corruption option for dm-verity devices (kernel 5.9). + + Veritysetup now supports --panic-on-corruption argument that configures + the dm-verity device to panics kernel if a corruption is detected. + + This option is intended for specific configurations, do not use it in + standard configurations. + +* Support --master-key-file option for online LUKS2 reencryption + + This can be used for reencryption of devices that uses protected key AES cipher + on some mainframes crypto accelerators. + +* Always return EEXIST error code if a device already exists. + + Some libcryptsetup functions (activate_by*) now return EEXIST error code, + so the caller can distinguish that call fails because some parallel process + already activated the device. + Previously all fails returned EINVAL (invalid value). + +* Fix a problem in integritysetup if a hash algorithm has dash in the name. + + If users want to use blake2b/blake2s, the kernel algorithm name includes + a dash (like "blake2s-256"). + Theses algorithms can now be used for integritysetup devices. + +* Fix crypto backend to properly handle ECB mode. + + Even though it should never be used, it should still work for testing :) + This fixes a bug introduced in cryptsetup version 2.3.2. + +* TrueCrypt/VeraCrypt compatible mode now supports the activation of devices + with a larger sector. + + TrueCrypt/VeraCrypt always uses 512-byte sector for encryption, but for devices + with a larger native sector, it stores this value in the header. + + This patch allows activation of such devices, basically ignoring + the mentioned sector size. + +* LUKS2: Do not create excessively large headers. + + When creating a LUKS2 header with a specified --offset larger than + the LUKS2 header size, do not create a larger file than needed. + +* Fix unspecified sector size for BitLocker compatible mode. + + Some BitLocker devices can contain zeroed sector size in the header. + In this case, the 512-byte sector should be used. + The bug was introduced in version 2.3.3. + +* Fix reading key data size in metadata for BitLocker compatible mode. + + Such devices with an unexpected entry in metadata can now be activated. + + Thanks to all users reporting these problems, BitLocker metadata documentation + is not publicly available, and we depend only on these reports. + +* Fix typos in documentation. diff --git a/docs/v2.3.5-ReleaseNotes b/docs/v2.3.5-ReleaseNotes new file mode 100644 index 0000000..bad4fdf --- /dev/null +++ b/docs/v2.3.5-ReleaseNotes @@ -0,0 +1,181 @@ +Cryptsetup 2.3.5 Release Notes +============================== +Stable bug-fix release with minor extensions. + +All users of cryptsetup 2.x and later should upgrade to this version. + +Changes since version 2.3.4 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Fix partial reads of passphrase from an interactive terminal. + Some stable kernels (5.3.11) started to return buffer from a terminal + in parts of maximal size 64 bytes. + This breaks the reading of passphrases longer than 64 characters + entered through an interactive terminal. The change is already fixed + in later kernel releases, but tools now support such partial read from + terminal properly. + +* Fix maximal length of password entered through a terminal. + Now the maximal interactive passphrase length is exactly + 512 characters (not 511). + +* integritysetup: support new dm-integrity HMAC recalculation options. + + In older kernels (since version 4.19), an attacker can force + an automatic recalculation of integrity tags by modifying + the dm-integrity superblock. + This is a problem with a keyed algorithms (HMAC), where it expects + nobody can trigger such recalculation without the key. + (Automatic recalculation will start after the next activation.) + + Note that dm-integrity in standalone mode was *not* supposed + to provide cryptographic data integrity protection. + Despite that, we try to keep the system secure if keyed algorithms + are used. + Thank Daniel Glöckner for the original report of this problem. + + Authenticated encryption that provides data integrity protection (in + combination with dm-crypt and LUKS2) is not affected by this problem. + + The fix in the kernel for this problem contains two parts. + + Firstly, the dm-integrity kernel module disables integrity + recalculation if keyed algorithms (HMAC) are used. + This change is included in long-term stable kernels. + + Secondly, since the kernel version 5.11, dm-integrity introduces + modified protection where a journal-integrity algorithm guards + superblock; also, journal sections are protected. An attacker cannot + copy sectors from one journal section to another, and the superblock + also contains salt to prevent header replacement from another device. + + If you want to protect data with HMAC, you should always also use HMAC + for --journal-integrity. Keys can be independent. + If HMAC is used for data but not for the journal, the recalculation + option is disabled. + + If you need to use (insecure) backward compatibility implementation, + two new integritysetup options are introduced: + - Use --integrity-legacy-recalc (instead of --integrity-recalc) + to allow recalculation on legacy devices. + - Use --integrity-legacy-hmac in format action to force old insecure + HMAC format. + + Libcryptsetup API also introduces flags + CRYPT_COMPAT_LEGACY_INTEGRITY_HMAC and + CRYPT_COMPAT_LEGACY_INTEGRITY_RECALC + to set these through crypt_set_compatibility() call. + +* integritysetup: display of recalculating sector in dump command. + +* veritysetup: fix verity FEC if stored in the same image with hashes. + + Optional FEC (Forward Error Correction) data should cover the whole + data area, hashes (Merkle tree), and optionally additional metadata + (located after hash area). + + Unfortunately, if FEC data is stored in the same file as hash, + the calculation wrongly used the whole file size, thus overlaps with + the FEC area itself. This produced unusable and too large FEC data. + There is no problem if the FEC image is a separate image. + + The problem is now fixed, introducing FEC blocks calculation as: + - If the hash device is in a separate image, metadata covers the + whole rest of the image after the hash area. (Unchanged behavior.) + - If hash and FEC device is in the image, metadata ends on the FEC + area offset. + + Note: there is also a fix for FEC in the dm-verity kernel (on the way + to stable kernels) that fixes error correction with larger RS roots. + +* veritysetup: run FEC repair check even if root hash fails. + + Note: The userspace FEC verify command reports are only informational + for now. Code does not check verity hash after FEC recovery in + userspace. The Reed-Solomon decoder can then report the possibility + that it fixed data even if parity is too damaged. + This will be fixed in the next major release. + +* veritysetup: do not process hash image if hash area is empty. + + Sometimes the device is so small that there is only a root hash + needed, and the hash area is not used. + Also, the size of the hash image is not increased for hash block + alignment in this case. + +* veritysetup: store verity hash algorithm in superblock in lowercase. + + Otherwise, the kernel could refuse the activation of the device. + +* bitlk: fix a crash if the device disappears during BitLocker scan. + +* bitlk: show a better error when trying to open an NTFS device. + + Both BitLocker version 1 and NTFS have the same signature. + If a user opens an NTFS device without BitLocker, it now correctly + informs that it is not a BITLK device. + +* bitlk: add support for startup key protected VMKs. + + The startup key can be provided in --key-file option for open command. + +* Fix LUKS1 repair code (regression since version 1.7.x). + + We cannot trust possibly broken keyslots metadata in repair, so the + code recalculates them instead. + This makes the repair code working again when the master boot record + signature overwrites the LUKS header. + +* Fix luksKeyChange for LUKS2 with assigned tokens. + + The token references are now correctly assigned to the new keyslot + number. + +* Fix cryptsetup resize using LUKS2 tokens. + + Code needlessly asked for passphrase even though volume key was + already unlocked via LUKS2 token. + +* Print a visible error if device resize is not supported. + +* Add error message when suspending wrong non-LUKS device. + +* Fix default XTS mode key size in reencryption. + + The same luksFormat logic (double key size because XTS uses two keys) + is applied in the reencryption code. + +* Rephrase missing locking directory warning and move it to debug level. + + The system should later provide a safe transition to tempdir + configuration, so creating locking directory inside libcryptsetup + call is safe. + +* Many fixes for the use of cipher_null (empty debug cipher). + + Support for this empty cipher was intended as a debug feature and for + measuring performance overhead. Unfortunately, many systems started to + use it as an "empty shell" for LUKS (to enable encryption later). + + This use is very dangerous and it creates a false sense of security. + + Anyway, to not break such systems, we try to support these + configurations. + Using cipher_null in any production system is strongly discouraged! + + Fixes include: + - allow LUKS resume for a device with cipher_null. + - do not upload key in keyring when data cipher is null. + - switch to default cipher when reencrypting cipher_null device. + - replace possible bogus cipher_null keyslots before reencryption. + - fix broken detection of null cipher in LUKS2. + cipher_null is no longer possible to be used in keyslot encryption + in LUKS2, it can be used only for data for debugging purposes. + +* Fixes for libpasswdqc 2.0.x (optional passphrase quality check). + +* Fixes for problems discovered by various tools for code analysis. + + Fixes include a rework of libpopt command line option string leaks. + +* Various fixes to man pages. diff --git a/docs/v2.3.6-ReleaseNotes b/docs/v2.3.6-ReleaseNotes new file mode 100644 index 0000000..deb975e --- /dev/null +++ b/docs/v2.3.6-ReleaseNotes @@ -0,0 +1,56 @@ +Cryptsetup 2.3.6 Release Notes +============================== +Stable bug-fix release with minor extensions. + +All users of cryptsetup 2.x and later should upgrade to this version. + +Changes since version 2.3.5 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* integritysetup: Fix possible dm-integrity mapping table truncation. + + While integritysetup in standalone mode (no encryption) was not + designed to provide keyed (and cryptographically strong) data + integrity protection, some options can use such algorithms (HMAC). + + If a key is used, it is directly sent to the kernel dm-integrity as + a mapping table option (no key derivation is performed). + For HMAC, such a key could be quite long (up to 4096 bytes in + integritysetup CLI). + + Unfortunately, due to fixed buffers and not correctly checking string + truncation, some parameter combinations could cause truncation + of the dm-integrity mapping table. + In most cases, the table was rejected by the kernel. + The worst possible case was key truncation for HMAC options + (internal_hash and journal_mac dm-integrity table options). + + This release fixes possible truncation and also adds more sanity + checks to reject truncated options. + Also, integritysetup now mentions maximal allowed key size + in --help output. + + For old standalone dm-integrity devices where the key length was + truncated, you have to modify (shorten) --integrity-key-size + resp. --journal-integrity-key-size option now. + + This bug is _not_ present for dm-crypt/LUKS, LUKS2 (including + integrity protection), or dm-verity devices; it affects only + standalone dm-integrity with HMAC integrity protection. + +* cryptsetup: Backup header can be used to activate TCRYPT device. + Use --header option to specify the header. + +* cryptsetup: Avoid LUKS2 decryption without detached header. + This feature will be added later and is currently not supported. + +* Additional fixes and workarounds for common warnings produced + by some static analysis tools (like gcc-11 analyzer) and additional + code hardening. + +* Fix standalone libintl detection for compiled tests. + +* Add Blake2b and Blake2s hash support for crypto backends. + Kernel and gcrypt crypto backend support all variants. + OpenSSL supports only Blake2b-512 and Blake2s-256. + Crypto backend supports kernel notation e.g. "blake2b-512". diff --git a/docs/v2.3.7-ReleaseNotes b/docs/v2.3.7-ReleaseNotes new file mode 100644 index 0000000..5305d6f --- /dev/null +++ b/docs/v2.3.7-ReleaseNotes @@ -0,0 +1,95 @@ +Cryptsetup 2.3.7 Release Notes +============================== +Stable security bug-fix release that fixes CVE-2021-4122. + +All users of cryptsetup 2.3.x must upgrade to this version. + +Changes since version 2.3.6 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Fix possible attacks against data confidentiality through LUKS2 online + reencryption extension crash recovery (CVE-2021-4122). + + An attacker can modify on-disk metadata to simulate decryption in + progress with crashed (unfinished) reencryption step and persistently + decrypt part of the LUKS device. + + This attack requires repeated physical access to the LUKS device but + no knowledge of user passphrases. + + The decryption step is performed after a valid user activates + the device with a correct passphrase and modified metadata. + There are no visible warnings for the user that such recovery happened + (except using the luksDump command). The attack can also be reversed + afterward (simulating crashed encryption from a plaintext) with + possible modification of revealed plaintext. + + The size of possible decrypted data depends on configured LUKS2 header + size (metadata size is configurable for LUKS2). + With the default parameters (16 MiB LUKS2 header) and only one + allocated keyslot (512 bit key for AES-XTS), simulated decryption with + checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks), + the maximal decrypted size can be over 3GiB. + + The attack is not applicable to LUKS1 format, but the attacker can + update metadata in place to LUKS2 format as an additional step. + For such a converted LUKS2 header, the keyslot area is limited to + decrypted size (with SHA1 checksums) over 300 MiB. + + The issue is present in all cryptsetup releases since 2.2.0. + Versions 1.x, 2.0.x, and 2.1.x are not affected, as these do not + contain LUKS2 reencryption extension. + + The problem was caused by reusing a mechanism designed for actual + reencryption operation without reassessing the security impact for new + encryption and decryption operations. While the reencryption requires + calculating and verifying both key digests, no digest was needed to + initiate decryption recovery if the destination is plaintext (no + encryption key). Also, some metadata (like encryption cipher) is not + protected, and an attacker could change it. Note that LUKS2 protects + visible metadata only when a random change occurs. It does not protect + against intentional modification but such modification must not cause + a violation of data confidentiality. + + The fix introduces additional digest protection of reencryption + metadata. The digest is calculated from known keys and critical + reencryption metadata. Now an attacker cannot create correct metadata + digest without knowledge of a passphrase for used keyslots. + For more details, see LUKS2 On-Disk Format Specification version 1.1.0. + + The former reencryption operation (without the additional digest) is no + longer supported (reencryption with the digest is not backward + compatible). You need to finish in-progress reencryption before + updating to new packages. The alternative approach is to perform + a repair command from the updated package to recalculate reencryption + digest and fix metadata. + The reencryption repair operation always require a user passphrase. + + WARNING: Devices with older reencryption in progress can be no longer + activated without performing the action mentioned above. + + Encryption in progress can be detected by running the luksDump command + (output includes reencrypt keyslot with reencryption parameters). Also, + during the active reencryption, no keyslot operations are available + (change of passphrases, etc.). + + The issue was found by Milan Broz as cryptsetup maintainer. + +Other changes +~~~~~~~~~~~~~ +* Add configure option --disable-luks2-reencryption to completely disable + LUKS2 reencryption code. + + When used, the libcryptsetup library can read metadata with + reencryption code, but all reencryption API calls and cryptsetup + reencrypt commands are disabled. + + Devices with online reencryption in progress cannot be activated. + This option can cause some incompatibilities. Please use with care. + +* Improve internal metadata validation code for reencryption metadata. + +* Add updated documentation for LUKS2 On-Disk Format Specification + version 1.1.0 (with reencryption extension description and updated + metadata description). See docs/on-disk-format-luks2.pdf or online + version in https://gitlab.com/cryptsetup/LUKS2-docs repository. |