summaryrefslogtreecommitdiffstats
path: root/docs/v1.3.0-ReleaseNotes
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-17 08:06:26 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-17 08:06:26 +0000
commit1660d4b7a65d9ad2ce0deaa19d35579ca4084ac5 (patch)
tree6cf8220b628ebd2ccfc1375dd6516c6996e9abcc /docs/v1.3.0-ReleaseNotes
parentInitial commit. (diff)
downloadcryptsetup-upstream.tar.xz
cryptsetup-upstream.zip
Adding upstream version 2:2.6.1.upstream/2%2.6.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--docs/v1.3.0-ReleaseNotes101
1 files changed, 101 insertions, 0 deletions
diff --git a/docs/v1.3.0-ReleaseNotes b/docs/v1.3.0-ReleaseNotes
new file mode 100644
index 0000000..b7ae977
--- /dev/null
+++ b/docs/v1.3.0-ReleaseNotes
@@ -0,0 +1,101 @@
+Cryptsetup 1.3.0 Release Notes
+==============================
+
+Changes since version 1.2.0
+
+Important changes
+~~~~~~~~~~~~~~~~~
+ * Several userspace crypto backends support
+
+ cryptsetup now supports generic crypto backend interface which allows
+ compile package with various crypto libraries, these are already implemented:
+
+ * gcrypt (default, used in previous versions)
+ * OpenSSL
+ * NSS (because of missing ripemd160 it cannot provide full backward compatibility)
+ * kernel userspace API (provided by kernel 2.6.38 and above)
+ (Note that kernel userspace backend is very slow for this type of operation.
+ But it can be useful for embedded systems, because you can avoid userspace
+ crypto library completely.)
+
+ Backend is selected during configure time, using --with-crypto_backend option.
+
+ configure --with-crypto_backend=BACKEND (gcrypt/openssl/nss/kernel) [gcrypt]
+
+ Note that performance checked (iterations) in LUKS header will cause that
+ real iteration time will differ with different backends.
+ (There are huge differences in speed between libraries.)
+
+ * Cryptsetup now automatically allocates loopback device (/dev/loop) if device
+ argument is file and not plain device.
+
+ This require Linux kernel 2.6.25 and above (which implements loop autoclear flag).
+
+ You can see backing file in cryptsetup status output if underlying device is loopback.
+
+ * Introduce maximum default keyfile size, add configure option, visible in --help.
+
+ Cryptsetup now fails if read from keyfile exceeds internal limit.
+ You can always specify keyfile size (overrides limit) by using --keyfile-size option.
+
+ * Adds luksChangeKey command
+
+ cryptestup luksChangeKey --key-file <old keyfile> <new keyfile> [--key-slot X]
+ cryptestup luksChangeKey [--key-slot X] (for passphrase change)
+
+ This command allows passphrase/keyfile change in one step. If no key slot is
+ specified (and there is still free key slot on device) new slot is allocated before
+ the old is purged.
+
+ If --key-slot option is specified (or there is no free slot) command will overwrite
+ existing slot.
+ WARNING: Be sure you have another slot active or header backup when using explicit
+ key slot (so you can unlock the device even after possible media failure).
+
+ * Adds compatible support for loop-AES encryption type in loopaesOpen command.
+
+ Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping
+ (including multi-key and special CBC mode, all three modes are supported).
+
+ If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can
+ access loop-AES volume using
+ cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file>
+
+ If you are using GPG encrypted keyfile
+ gpg --decrypt <key-file> | cryptsetup loopaesOpen --key-file=- <device> <name>
+
+ Do not forget to specify key size. Version and hash is automatically detected
+ according to number of lines in key file. For special configuration you can
+ override IV sector offset using --skip option, device offset with --offset
+ and hash algorithm using --hash, see man page for details.
+
+ Please note that loopAES dm-crypt mode is provided for compatibility reasons
+ (so you do not need to patch kernel and util-linux to map existing volumes)
+ but it is not, and never will be, optimized for speed.
+ It is experimental feature for now.
+
+ * Require the whole key read from keyfile in create command (regression in 1.2.0).
+
+ * WARNING: This is the last cryptsetup release which supports library with
+ old API (using struct crypt_options).
+ These calls are deprecated since 1.1.0 and AFAIK no application
+ is using it in recent distros. Removing compatible code will allow
+ new features to be implemented easily.
+
+Other changes
+~~~~~~~~~~~~~
+ * Lock memory also in luksDump command.
+ * Fix return code when passphrase is read from pipe.
+ * Increase libcryptsetup version (loopAES change), still fully backward compatible.
+ * Fixes static build (--disable-static-cryptsetup now works properly).
+ * Supports secure data flag for device-mapper ioctl (will be in 2.6.39,
+ forcing kernel to wipe all ioctl buffers with possible key data).
+ To enable this flag you need new device-mapper library, in LVM2 2.02.84.
+ * Add copyright texts into some files and adds GPL exception allowing
+ to distribute resulting binaries linked with OpenSSL.
+ * Update FAQ.
+ * Fix message when locking memory fails.
+ * Fix luksAddKey return code if master key is used.
+ * Update some text files in distributions.
+ * Add docs directory with Release Notes archive.
+ * Do not hardcode loopback device name in tests, use internal loopback library.