1 files changed, 279 insertions, 0 deletions

diff --git a/docs/v2.2.0-ReleaseNotes b/docs/v2.2.0-ReleaseNotes
new file mode 100644
index 0000000..b1fd363
--- /dev/null
+++ b/docs/v2.2.0-ReleaseNotes
@@ -0,0 +1,279 @@
+Cryptsetup 2.2.0 Release Notes
+==============================
+Stable release with new experimental features and bug fixes.
+
+Cryptsetup 2.2 version introduces a new LUKS2 online reencryption
+extension that allows reencryption of mounted LUKS2 devices
+(device in use) in the background.
+
+Online reencryption is a complex feature. Please be sure you
+have a full data backup before using this feature.
+
+Changes since version 2.1.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+LUKS2 online reencryption
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The reencryption is intended to provide a reliable way to change
+volume key or an algorithm change while the encrypted device is still
+in use.
+
+It is based on userspace-only approach (no kernel changes needed)
+that uses the device-mapper subsystem to remap active devices on-the-fly
+dynamically. The device is split into several segments (encrypted by old
+key, new key and so-called hotzone, where reencryption is actively running).
+
+The flexible LUKS2 metadata format is used to store intermediate states
+(segment mappings) and both version of keyslots (old and new keys).
+Also, it provides a binary area (in the unused keyslot area space)
+to provide recovery metadata in the case of unexpected failure during
+reencryption. LUKS2 header is during the reencryption marked with
+"online-reencryption" keyword. After the reencryption is finished,
+this keyword is removed, and the device is backward compatible with all
+older cryptsetup tools (that support LUKS2).
+
+The recovery supports three resilience modes:
+
+  - checksum: default mode, where individual checksums of ciphertext hotzone
+    sectors are stored, so the recovery process can detect which sectors were
+    already reencrypted. It requires that the device sector write is atomic.
+
+  - journal: the hotzone is journaled in the binary area
+    (so the data are written twice)
+
+  - none: performance mode; there is no protection
+    (similar to old offline reencryption)
+
+These resilience modes are not available if reencryption uses data shift.
+
+Note: until we have full documentation (both of the process and metadata),
+please refer to Ondrej's slides (some slight details are no longer relevant)
+https://okozina.fedorapeople.org/online-disk-reencryption-with-luks2-compact.pdf
+
+The offline reencryption tool (cryptsetup-reencrypt) is still supported
+for both LUKS1 and LUKS2 format.
+
+Cryptsetup examples for reencryption
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The reencryption feature is integrated directly into cryptsetup utility
+as the new "reencrypt" action (command).
+
+There are three basic modes - to perform reencryption (change of already
+existing LUKS2 device), to add encryption to plaintext device and to remove
+encryption from a device (decryption).
+
+In all cases, if existing LUKS2 metadata contains information about
+the ongoing reencryption process, following reencrypt command continues
+with the ongoing reencryption process until it is finished.
+
+You can activate a device with ongoing reencryption as the standard LUKS2
+device, but the reencryption process will not continue until the cryptsetup
+reencrypt command is issued.
+
+
+1) Reencryption
+~~~~~~~~~~~~~~~
+This mode is intended to change any attribute of the data encryption
+(change of the volume key, algorithm or sector size).
+Note that authenticated encryption is not yet supported.
+
+You can start the reencryption process by specifying a LUKS2 device or with
+a detached LUKS2 header.
+The code should automatically recognize if the device is in use (and if it
+should use online mode of reencryption).
+
+If you do not specify parameters, only volume key is changed
+(a new random key is generated).
+
+# cryptsetup reencrypt <device> [--header <hdr>]
+
+You can also start reencryption using active mapped device name:
+  # cryptsetup reencrypt --active-name <name>
+
+You can also specify the resilience mode (none, checksum, journal) with
+--resilience=<mode> option, for checksum mode also the hash algorithm with
+--resilience-hash=<alg> (only hash algorithms supported by cryptographic
+backend are available).
+
+The maximal size of reencryption hotzone can be limited by
+--hotzone-size=<size> option and applies to all reencryption modes.
+Note that for checksum and journal mode hotzone size is also limited
+by available space in binary keyslot area.
+
+2) Encryption
+~~~~~~~~~~~~~
+This mode provides a way to encrypt a plaintext device to LUKS2 format.
+This option requires reduction of device size (for LUKS2 header) or new
+detached header.
+
+  # cryptsetup reencrypt <device> --encrypt --reduce-device-size <size>
+
+Or with detached header:
+  # cryptsetup reencrypt <device> --encrypt --header <hdr>
+
+3) Decryption
+~~~~~~~~~~~~~
+This mode provides the removal of existing LUKS2 encryption and replacing
+a device with plaintext content only.
+For now, we support only decryption with a detached header.
+
+  # cryptsetup reencrypt <device> --decrypt --header <hdr>
+
+For all three modes, you can split the process to metadata initialization
+(prepare keyslots and segments but do not run reencryption yet) and the data
+reencryption step by using --init-only option.
+
+Prepares metadata:
+  # cryptsetup reencrypt --init-only <parameters>
+
+Starts the data processing:
+  # cryptsetup reencrypt <device>
+
+Please note, that due to the Linux kernel limitation, the encryption or
+decryption process cannot be run entirely online - there must be at least
+short offline window where operation adds/removes device-mapper crypt (LUKS2) layer.
+This step should also include modification of /etc/crypttab and fstab UUIDs,
+but it is out of the scope of cryptsetup tools.
+
+Limitations
+~~~~~~~~~~~
+Most of these limitations will be (hopefully) fixed in next versions.
+
+* Only one active keyslot is supported (all old keyslots will be removed
+  after reencryption).
+
+* Only block devices are now supported as parameters. As a workaround
+  for images in a file, please explicitly map a loop device over the image
+  and use the loop device as the parameter.
+
+* Devices with authenticated encryption are not supported. (Later it will
+  be limited by the fixed per-sector metadata, per-sector metadata size
+  cannot be changed without a new device format operation.)
+
+* The reencryption uses userspace crypto library, with fallback to
+  the kernel (if available). There can be some specific configurations
+  where the fallback does not provide optimal performance.
+
+* There are no translations of error messages until the final release
+  (some messages can be rephrased as well).
+
+* The repair command is not finished; the recovery of interrupted
+  reencryption is made automatically on the first device activation.
+
+* Reencryption triggers too many udev scans on metadata updates (on closing
+  write enabled file descriptors). This has a negative performance impact on the whole
+  reencryption and generates excessive I/O load on the system.
+
+New libcryptsetup reencryption API
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The libcryptsetup contains new API calls that are used to setup and
+run the reencryption.
+
+Note that there can be some changes in API implementation of these functions
+and/or some new function can be introduced in final cryptsetup 2.2 release.
+
+New API symbols (see documentation in libcryptsetup.h)
+* struct crypt_params_reencrypt - reencryption parameters
+
+* crypt_reencrypt_init_by_passphrase
+* crypt_reencrypt_init_by_keyring
+  - function to configure LUKS2 metadata for reencryption;
+    if metadata already exists, it configures the context from this metadata
+
+* crypt_reencrypt
+  - run the reencryption process (processing the data)
+  - the optional callback function can be used to interrupt the reencryption
+    or report the progress.
+
+* crypt_reencrypt_status
+  - function to query LUKS2 metadata about the reencryption state
+
+Other changes and fixes
+~~~~~~~~~~~~~~~~~~~~~~~
+* Add optional global serialization lock for memory hard PBKDF.
+  (The --serialize-memory-hard-pbkdf option in cryptsetup and
+  CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF in activation flag.)
+
+  This is an "ugly" optional workaround for a situation when multiple devices
+  are being activated in parallel (like systemd crypttab activation).
+  The system instead of returning ENOMEM (no memory available) starts
+  out-of-memory (OOM) killer to kill processes randomly.
+
+  Until we find a reliable way how to work with memory-hard function
+  in these situations, cryptsetup provide a way how to serialize memory-hard
+  unlocking among parallel cryptsetup instances to workaround this problem.
+  This flag is intended to be used only in very specific situations,
+  never use it directly :-)
+
+* Abort conversion to LUKS1 with incompatible sector size that is
+  not supported in LUKS1.
+
+* Report error (-ENOENT) if no LUKS keyslots are available. User can now
+  distinguish between a wrong passphrase and no keyslot available.
+
+* Fix a possible segfault in detached header handling (double free).
+
+* Add integritysetup support for bitmap mode introduced in Linux kernel 5.2.
+  Integritysetup now supports --integrity-bitmap-mode option and
+  --bitmap-sector-per-bit and --bitmap-flush-time commandline options.
+
+  In the bitmap operation mode, if a bit in the bitmap is 1, the corresponding
+  region's data and integrity tags are not synchronized - if the machine
+  crashes, the unsynchronized regions will be recalculated.
+  The bitmap mode is faster than the journal mode because we don't have
+  to write the data twice, but it is also less reliable, because if data
+  corruption happens when the machine crashes, it may not be detected.
+  This can be used only for standalone devices, not with dm-crypt.
+
+* The libcryptsetup now keeps all file descriptors to underlying device
+  open during the whole lifetime of crypt device context to avoid excessive
+  scanning in udev (udev run scan on every descriptor close).
+
+* The luksDump command now prints more info for reencryption keyslot
+  (when a device is in-reencryption).
+
+* New --device-size parameter is supported for LUKS2 reencryption.
+  It may be used to encrypt/reencrypt only the initial part of the data
+  device if the user is aware that the rest of the device is empty.
+
+  Note: This change causes API break since the last rc0 release
+  (crypt_params_reencrypt structure contains additional field).
+
+* New --resume-only parameter is supported for LUKS2 reencryption.
+  This flag resumes reencryption process if it exists (not starting
+  new reencryption).
+
+* The repair command now tries LUKS2 reencryption recovery if needed.
+
+* If reencryption device is a file image, an interactive dialog now
+  asks if reencryption should be run safely in offline mode
+  (if autodetection of active devices failed).
+
+* Fix activation through a token where dm-crypt volume key was not
+  set through keyring (but using old device-mapper table parameter mode).
+
+* Online reencryption can now retain all keyslots (if all passphrases
+  are provided). Note that keyslot numbers will change in this case.
+
+* Allow volume key file to be used if no LUKS2 keyslots are present.
+  If all keyslots are removed, LUKS2 has no longer information about
+  the volume key size (there is only key digest present).
+  Please use --key-size option to open the device or add a new keyslot
+  in these cases.
+
+* Print a warning if online reencrypt is called over LUKS1 (not supported).
+
+* Fix TCRYPT KDF failure in FIPS mode.
+  Some crypto backends support plain hash in FIPS mode but not for PBKDF2.
+
+* Remove FIPS mode restriction for crypt_volume_key_get.
+  It is an application responsibility to use this API in the proper context.
+
+* Reduce keyslots area size in luksFormat when the header device is too small.
+  Unless user explicitly asks for keyslots areas size  (either via
+  --luks2-keyslots-size or --offset) reduce keyslots size so that it fits
+  in metadata device.
+
+* Make resize action accept --device-size parameter (supports units suffix).