Cryptsetup 1.4.0 Release Notes ============================== Changes since version 1.3.1 Important changes ~~~~~~~~~~~~~~~~~ WARNING: This release removes old deprecated API from libcryptsetup (all functions using struct crypt_options). This require libcrypsetup version change and rebuild of applications using cryptsetup library. All new API symbols are backward compatible. * If device is not rotational disk, cryptsetup no longer tries to wipe keyslot with Gutmann algorithm for magnetic media erase but simply rewrites area once by random data. * The on-disk LUKS header can now be detached (e.g. placed on separate device or in file) using new --header option. This option is only relevant for LUKS devices and can be used in luksFormat, luksOpen, luksSuspend, luksResume and resize commands. If used with luksFormat the --align-payload option is taken as absolute sector alignment on ciphertext device and can be zero. Example: Create LUKS device with ciphertext device on /dev/sdb and header on device /dev/sdc. Use all space on /dev/sdb (no reserved area for header). cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0 Activate such device: cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk You can use file for LUKS header (loop device will be used while manipulating with such detached header), just you have to create large enough file in advance. dd if=/dev/zero of=/mnt/luks_header bs=1M count=4 cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0 Activation is the same as above. cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk All keyslot operations need to be run on _header_ not on ciphertext device, an example: cryptsetup luksAddKey /mnt/luks_header If you do not use --align-payload 0, you can later restore LUKS header on device itself (and use it as normal LUKS device without detached header). WARNING: There is no possible check that specified ciphertext device matches detached on-disk header. Use with care, it can destroy your data in case of a mistake. WARNING: Storing LUKS header in a file means that anti-forensic splitter cannot properly work (there is filesystem allocation layer between header and disk). * Support --allow-discards option to allow discards/TRIM requests. Since kernel 3.1, dm-crypt devices optionally (not by default) support block discards (TRIM) commands. If you want to enable this operation, you have to enable it manually on every activation using --allow-discards cryptsetup luksOpen --allow-discards /dev/sdb test_disk WARNING: There are several security consequences, please read at least http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html before you enable it. * Add --shared option for creating non-overlapping crypt segments. The --shared options checks that mapped segments are not overlapping and allows non-exclusive access to underlying device. Only plain crypt devices can be used in this mode. Example - map 64M of device disk and following 32 M area as another disk. cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536 cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared (It can be used to simulate trivial hidden disk concepts.) libcryptsetup API changes: * Added options to suport detached metadata device crypt_init_by_name_and_header() crypt_set_data_device() * Add crypt_last_error() API call. * Fix plain crypt format parameters to include size option. * Add crypt_get_iv_offset() function. * Remove old API functions (all functions using crypt_options). * Support key-slot option for luksOpen (use only explicit keyslot). You can now specify key slot in luksOpen and limit checking only to specified slot. * Support retries and timeout parameters for luksSuspend. (The same way as in luksOpen.) * Add doxygen-like documentation (it will be available on project page later). (To generate it manually run doxygen in docs directory.) Other changes ~~~~~~~~~~~~~ * Fix crypt_load to properly check device size. * Do not allow context format of already formatted device. * Do not allow key retrieval while suspended (key could be wiped). * Do not allow suspend for non-LUKS devices. * Fix luksKillSLot exit code if slot is inactive or invalid. * Fix exit code if passphrases do not match in luksAddKey. * Fix return code for status command when device doesn't exists. * Fix verbose messages in isLuks command. * Support Nettle 2.4 crypto backend (supports ripemd160). * Add LUKS on-disk format description into package. * Enhance check of device size before writing LUKS header. * Add more paranoid checks for LUKS header and keyslot attributes. * Use new /dev/loop-control (kernel 3.1) if possible. * Remove hash/hmac restart from crypto backend and make it part of hash/hmac final. * Improve check for invalid offset and size values. * Revert default initialisation of volume key in crypt_init_by_name(). * Add more regression tests. * Add some libcryptsetup example files (see docs/examples).