summaryrefslogtreecommitdiffstats
path: root/debian/cryptsetup-bin.NEWS
blob: 48612431c9913545165b5fd703ebdaceb08af331 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
cryptsetup (2:2.3.7-1+deb11u1) bullseye-security; urgency=high

  This release fixes a key truncation issue for standalone dm-integrity
  devices using HMAC integrity protection.  For existing such devices
  with extra long HMAC keys (typically >106 bytes of length, see
  https://bugs.debian.org/949336#78 for the various corner cases), one
  might need to manually truncate the key using integritysetup(8)'s
  `--integrity-key-size` option in order to properly map the device
  under 2:2.3.7-1+deb11u1.

  Only standalone dm-integrity devices are affected.  dm-crypt devices,
  including those using authenticated disk encryption, are unaffected.

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 01 Feb 2022 15:36:35 +0100

cryptsetup (2:1.6.6-1) unstable; urgency=medium

  The whirlpool hash implementation has been broken in gcrypt until version
  1.5.3. This has been fixed in subsequent gcrypt releases. In particular,
  the gcrypt version that is used by cryptsetup starting with this release,
  has the bug fixed. Consequently, LUKS containers created with broken
  whirlpool will fail to open from now on.

  In the case that you're affected by the whirlpool bug, please read section
  '8.3 Gcrypt after 1.5.3 breaks Whirlpool' of the cryptsetup FAQ at
  https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
  carefully. It explains how to open your LUKS container and reencrypt it
  afterwards.

 -- Jonas Meurer <mejo@debian.org>  Tue, 04 Mar 2014 23:17:37 +0100

cryptsetup (2:1.1.3-1) unstable; urgency=low

  Cryptdisks init scripts changed their behaviour for failures at starting and
  stopping encrypted devices. Cryptdisks init script now raises a warning for
  failures at starting encrypted devices, and cryptdisks-early warns about
  failures at stopping encrypted devices.

 -- Jonas Meurer <mejo@debian.org>  Sat, 10 Jul 2010 14:36:33 +0200

cryptsetup (2:1.1.0-1) unstable; urgency=low

  The default key size for LUKS was changed from 128 to 256 bits, and default
  plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256.
  In case that you use plain mode encryption and don't have set cipher and hash
  in /etc/crypttab, you should do so now. The new defaults are not backwards
  compatible. See the manpage for crypttab(5) for further information. If your
  dm-crypt setup was done by debian-installer, you can ignore that warning.

  Additionally, the keyscript decrypt_gpg, which was disabled by default up to
  now, has been rewritten and renamed to decrypt_gnupg. If you use a customized
  version of the decrypt_gpg keyscript, please backup it before upgrading the
  package.

 -- Jonas Meurer <mejo@debian.org>  Thu, 04 Mar 2010 17:31:40 +0100

cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low

  The cryptroot initramfs hook script has been changed to include all
  available crypto kernel modules in case that initramfs-tools is configured
  with MODULES=most (default). See /etc/initramfs-tools/initramfs.conf for
  more information.
  If initramfs-tools is configured with MODULES=dep, the cryptroot hook script
  still tries to detect required modules, as it did by default in the past.

 -- Jonas Meurer <mejo@debian.org>  Sun, 27 Sep 2009 16:49:20 +0200

cryptsetup (2:1.0.7-2) unstable; urgency=low

  Checkscripts vol_id and un_vol_id have been replaced by blkid and un_blkid.
  In case that you explicitly set keyscript=vol_id or keyscript=un_vol_id in
  /etc/crypttab, you will need to update your /etc/crypttab manually.
  Replacing 'vol_id' with 'blkid' and 'un_vol_id' with 'un_blkid' should work.
  The new *blkid keyscripts are fully compatible to the old *vol_id scripts.

 -- Jonas Meurer <mejo@debian.org>  Sun, 23 Aug 2009 23:32:49 +0200

cryptsetup (2:1.0.6-8) unstable; urgency=low

  Keyscripts inside the initramfs have been moved from /keyscripts to
  /lib/cryptsetup/scripts. This way they're now available at the same location
  as on the normal system.
  In most cases no manual action is required. Only if you reference a keyscript
  by path in some script that is included in the initramfs, then you need to
  update that reference by updating the path.

 -- Jonas Meurer <mejo@debian.org>  Tue, 23 Dec 2008 00:43:10 +0100

cryptsetup (2:1.0.6-7) unstable; urgency=medium

  Support for the timeout option has been removed from cryptdisks initscripts
  in order to support splash screens and remote shells in boot process.
  The implementation had been unclean and problematic anyway.
  If you used the timeout option on headless systems without physical access,
  then it's a much cleaner solution anyway, to use the 'noauto' option in
  /etc/crypttab, and start the encrypted devices manually with
  '/etc/init.d/cryptdisks force-start'.
  Another approach is to start a minimal ssh-server in the initramfs and unlock
  the encrypted devices after connecting to it. This even supports encrypted
  root filesystems for headless server systems.
  For more information, please see /usr/share/docs/cryptsetup/README.Debian.gz

 -- Jonas Meurer <mejo@debian.org>  Tue, 16 Dec 2008 18:37:16 +0100

cryptsetup (2:1.0.6-4) unstable; urgency=medium

  The obsolete keyscript decrypt_old_ssl and the corresponding example script
  gen-old-ssl-key have been removed from the package. If you're still using
  them, either save a local backup of /lib/cryptsetup/scripts/decrypt_old_ssl
  and put it back after the upgrade finished, or migrate your setup to use
  keyscripts that are still supported.

 -- Jonas Meurer <mejo@debian.org>  Sun, 27 Jul 2008 16:22:57 +0200

cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low

  The default hash used by the initramfs cryptroot scripts has been changed
  from sha256 to ripemd160 for consistency with the cryptsetup default. If you
  have followed the recommendation to configure the hash in /etc/crypttab this
  change will have no effect on you.

  If you set up disk encryption on your system using the Debian installer
  and/or if you use LUKS encryption, everything is already set up correctly
  and you don't need to do anything.
  If you did *not* use the Debian installer and if you have encrypted devices
  which do *not* use LUKS, you must make sure that the relevant entries in
  /etc/crypttab contain a hash=<hash> setting.

 -- Jonas Meurer <mejo@debian.org>  Tue, 29 Jan 2008 11:46:57 +0100

cryptsetup (2:1.0.5-2) unstable; urgency=low

  The vol_id and un_vol_id check scripts no longer regard minix as a valid
  filesystem, since random data can be mistakenly identified as a minix
  filesystem due to an inadequate signature length.

  If you use minix filesystems, you should not rely on prechecks anymore.

 -- Jonas Meurer <mejo@debian.org>  Mon, 10 Sep 2007 14:39:44 +0200

cryptsetup (2:1.0.4+svn16-1) unstable; urgency=high

  The --key-file=- argument has changed. If a --hash parameter is passed, it
  will now be honoured. This means that the decrypt_derived keyscript will in
  some situations create a different key than previously meaning that any swap
  partitions that rely on the script will have to be recreated. To emulate the
  old behaviour, make sure that you pass "--hash=plain" to cryptsetup.

 -- David Härdeman <david@hardeman.nu>  Tue, 21 Nov 2006 21:29:50 +0100

cryptsetup (2:1.0.4-7) unstable; urgency=low

  The cryptsetup initramfs scripts now also tries to detect swap
  partitions used for software suspend (swsusp/suspend2/uswsusp) and
  to set them up during the initramfs stage. See README.initramfs for
  more details.

 -- David Härdeman <david@hardeman.nu>  Mon, 13 Nov 2006 19:27:02 +0100

cryptsetup (2:1.0.4-1) unstable; urgency=low

   The ssl and gpg options in /etc/crypttab have been deprecated in
   favour of the keyscripts option. The options will still work, but
   generate warnings. You should change any lines containing these
   options to use keyscript=/lib/cryptsetup/scripts/decrypt_old_ssl or
   keyscript=/lib/cryptsetup/scripts/decrypt_gpg instead as support
   will be completely removed in the future.

 -- David Härdeman <david@hardeman.nu>  Mon, 16 Oct 2006 00:00:12 +0200

cryptsetup (2:1.0.3-4) unstable; urgency=low

   Up to now, the us keymap was loaded at the passphrase prompt in the boot
   process and ASCII characters were always used. With this upload this is
   fixed, meaning that the correct keymap is loaded and the keyboard is
   (optionally) set to UTF8 mode before the passphrase prompt.

   This may result in your password not working any more in the boot process.
   In this case, you should add a new key with cryptsetup luksAddKey with your
   correct keymap loaded.

   Additionally, all four fields are now mandatory in /etc/crypttab. An entry
   which does not contain all fields will be ignored. It is recommended to
   set cipher, size and hash anyway, as defaults may change in the future.

   If you didn't set any of these settings yet, then you should add
       cipher=aes-cbc-plain,size=128,hash=ripemd160
   to the the options in /etc/crypttab. See man crypttab(5) for more details.

 -- David Härdeman <david@2gen.com>  Sat, 19 Aug 2006 18:08:40 +0200

cryptsetup (2:1.0.2+1.0.3-rc2-2) unstable; urgency=low

   The crypttab 'retry' has been renamed to 'tries' to reflect upstream's
   functionality. Default is 3 tries now, even if the option is not given.
   See the crypttab.5 manpage for more information.

 -- Jonas Meurer <mejo@debian.org>  Fri, 28 Apr 2006 17:42:15 +0200

cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low

    Since release 2:1.0.1-9, the cryptsetup package uses cryptsetup-luks as
    upstream source. This is a enhanced version of plain cryptsetup which
    includes support for the LUKS extension, a standard on-disk format for
    hard disk encryption. Plain dm-crypt (as provided by the old cryptsetup
    package) is still available, thus backwards compatibility is given.
    Nevertheless it is recommended to update your encrypted partitions to
    LUKS, as this implementation is more secure than the plain dm-crypt.

    Another major change is the check option for crypttab. It allows to
    configure checks that are run after cryptsetup has been invoked, and
    prechecks to be run against the source device before cryptsetup has been
    invoked. See man crypttab(5) or README.Debian for more information.

 -- Jonas Meurer <mejo@debian.org>  Fri,  3 Feb 2006 13:41:35 +0100