path: root/docs/v2.6.0-ReleaseNotes

Cryptsetup 2.6.0 Release Notes
==============================
Stable release with new features and bug fixes.

Changes since version 2.5.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Introduce support for handling macOS FileVault2 devices (FVAULT2).

  Cryptsetup now supports the mapping of FileVault2 full-disk encryption
  by Apple for the macOS operating system using a native Linux kernel.
  You can open an existing USB FileVault portable device and (with
  the hfsplus filesystem driver) access the native data read/write.

  Cryptsetup supports only (legacy) FileVault2 based on Core Storage
  and HFS+ filesystem (introduced in MacOS X 10.7 Lion).
  It does NOT support the new version of FileVault based on the APFS
  filesystem used in recent macOS versions.

  Header formatting and changes are not supported; cryptsetup never
  changes the metadata on the device.

  FVAULT2 extension requires kernel userspace crypto API and kernel
  driver for HFS+ (hfsplus) filesystem (available on most systems today).

  Example of using FileVault2 formatted USB device:

  A typical encrypted device contains three partitions; the FileVault
  encrypted partition is here sda2:

  $ lsblk -o NAME,FSTYPE,LABEL /dev/sda
    NAME   FSTYPE  LABEL
    sda
    |-sda1 vfat    EFI
    |-sda2
    `-sda3 hfsplus Boot OS X

  Note: blkid does not recognize FileVault2 format yet.

  To dump metadata information about the device, you can use
  the fvault2Dump command:

  $ cryptsetup fvault2Dump /dev/sda2
    Header information for FVAULT2 device /dev/sda2.
    Physical volume UUID:   6f353c05-daae-4e76-a0ee-6a9569a22d81
    Family UUID:            f82cceb0-a788-4815-945a-53d57fcd55a8
    Logical volume offset:  67108864 [bytes]
    Logical volume size:    3288334336 [bytes]
    Cipher:                 aes
    Cipher mode:            xts-plain64
    PBKDF2 iterations:      97962
    PBKDF2 salt:            173a4ec7447662ec79ca7a47df6c2a01

 To activate the device, use open --type fvault2 option:

 $ cryptsetup open --type fvault2 /dev/sda2 test
   Enter passphrase for /dev/sda2: ...

 And check the status of the active device:

 $ cryptsetup status test
   /dev/mapper/test is active.
   type:    FVAULT2
   cipher:  aes-xts-plain64
   keysize: 256 bits
   key location: dm-crypt
   device:  /dev/sda2
   sector size:  512
   offset:  131072 sectors
   size:    6422528 sectors
   mode:    read/write

 Now, if the kernel contains hfsplus filesystem driver, you can mount
 decrypted content:

 $ mount /dev/mapper/test /mnt/test

 For more info about implementation, please refer to the master thesis
 by Pavel Tobias, which was the source for this extension.
 https://is.muni.cz/th/p0aok/?lang=en

* libcryptsetup: no longer use global memory locking through mlockall()

  For many years, libcryptsetup locked all memory (including dependent
  library address space) to prevent swapping sensitive content outside
  of RAM.

  This strategy no longer works as the locking of basic libraries exceeds
  the memory locking limit if running as a non-root user.

  Libcryptsetup now locks only memory ranges containing sensitive
  material (keys) through crypt_safe_alloc() calls.

  This change solves many reported mysterious problems of unexpected
  failures. If the initial lock was still under the limit and succeeded,
  some following memory allocation could fail later as it exceeded
  the locking limit. If the initial locking fails,  memory locking
  was quietly ignored completely.

  The whole crypt_memory_lock() API call is deprecated; it no longer
  calls memlockall().

* libcryptsetup: process priority is increased only for key derivation
  (PBKDF) calls.

  Increasing priority was tight to memory locking and works only if
  running under superuser.
  Only PBKDF calls and benchmarking now increase the process priority.

* Add new LUKS keyslot context handling functions and API.

  In practice, the luksAddKey action does two operations.
  It unlocks the existing device volume key and stores the unlocked
  volume key in a new keyslot.
  Previously the options were limited to key files and passphrases.

  Newly available methods (keyslot contexts) are passphrase, keyfile,
  key (binary representation), and LUKS2 token.

  To unlock a keyslot user may:
    - provide existing passphrase via interactive prompt (default method)
    - use --key-file option to provide a file with a valid passphrase
    - provide volume key directly via --volume-key-file
    - unlock keyslot via all available LUKS2 tokens by --token-only
    - unlock keyslot via specific token with --token-id
    - unlock keyslot via specific token type by --token-type

  To provide the passphrase for a new keyslot, a user may:
    - provide existing passphrase via interactive prompt (default method)
    - use --new-keyfile to read the passphrase from the file
    - use --new-token-id to select LUKS2 token to get passphrase
      for new keyslot. The new keyslot is assigned to the selected token
      id if the operation is successful.

* The volume key may now be extracted using a passphrase, keyfile, or
  token. For LUKS devices, it also returns the volume key after
  a successful crypt_format call.

* Fix --disable-luks2-reencryption configuration option.

* cryptsetup: Print a better error message and warning if the format
  produces an image without space available for data.

  Activation now fails early with a more descriptive message.

* Print error if anti-forensic LUKS2 hash setting is not available.
  If the specified hash was not available, activation quietly failed.

* Fix internal crypt segment compare routine if the user
  specified cipher in kernel format (capi: prefix).

* cryptsetup: Add token unassign action.

  This action allows removing token binding on specific keyslot.

* veritysetup: add support for --use-tasklets option.

  This option sets try_verify_in_tasklet kernel dm-verity option
  (available since Linux kernel 6.0) to allow some performance
  improvement on specific systems.

* Provide pkgconfig Require.private settings.

  While we do not completely provide static build on udev systems,
  it helps produce statically linked binaries in certain situations.

* Always update automake library files if autogen.sh is run.

  For several releases, we distributed older automake scripts by mistake.

* reencryption: Fix user defined moved segment size in LUKS2 decryption.

  The --hotzone-size argument was ignored in cases where the actual data
  size was less than the original LUKS2 data offset.

* Delegate FIPS mode detection to configured crypto backend.
  System FIPS mode check no longer depends on /etc/system-fips file.

* tests: externally provided systemd plugin is now optionally compiled
  from systemd git and tested with cryptsetup

* tests: initial integration to OSS-fuzz project with basic crypt_load()
  test for LUKS2 and JSON mutated fuzzing.

  For more info, see README in tests/fuzz directory.

* Update documentation, including FAQ and man pages.

Libcryptsetup API extensions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The libcryptsetup API is backward compatible with existing symbols.

New symbols:
  crypt_keyslot_context_init_by_passphrase
  crypt_keyslot_context_init_by_keyfile
  crypt_keyslot_context_init_by_token
  crypt_keyslot_context_init_by_volume_key
  crypt_keyslot_context_get_error
  crypt_keyslot_context_set_pin
  crypt_keyslot_context_get_type
  crypt_keyslot_context_free
  crypt_keyslot_add_by_keyslot_context
  crypt_volume_key_get_by_keyslot_context

New defines:
  CRYPT_FVAULT2 "FVAULT2" (FileVault2 compatible mode)

Keyslot context types:
  CRYPT_KC_TYPE_PASSPHRASE
  CRYPT_KC_TYPE_KEYFILE
  CRYPT_KC_TYPE_TOKEN
  CRYPT_KC_TYPE_KEY

  CRYPT_ACTIVATE_TASKLETS (dm-verity: use tasklets activation flag)

WARNING!
~~~~~~~~
The next version of cryptsetup will change the encryption mode and key
derivation option for the PLAIN format.

This change will cause backward incompatibility.
For this reason, the user will have to specify the exact parameters
for cipher, key size, and key derivation parameters for plain format.

The default encryption mode will be AES-XTS with 512bit key (AES-256).
The CBC mode is no longer considered the best default, as it allows easy
bit-flipped ciphertext modification attacks and performance problems.

For the passphrase hashing in plain mode, the encryption key is directly
derived through iterative hashing from a user-provided passphrase
(except a keyfile that is not hashed).

The default hash is RIPEMD160, which is no longer the best default
option. The exact change will be yet discussed but should include
the possibility of using a password-based key derivation function
instead of iterative hashing.