-Cryptsetup 1.6.0 Release Notes (RC1)
-====================================
+Cryptsetup 1.6.0 Release Notes
+==============================
+
+Changes since version 1.6.0-rc1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * Change LUKS default cipher to to use XTS encryption mode,
+ aes-xts-plain64 (i.e. using AES128-XTS).
+
+ XTS mode becomes standard in hard disk encryption.
+
+ You can still use any old mode:
+ - compile cryptsetup with old default:
+ configure --with-luks1-cipher=aes --with-luks1-mode=cbc-essiv:sha256 --with-luks1-keybits=256
+ - format LUKS device with old default:
+ cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 <device>
+
+
+ * Skip tests and fix error messages if running on old systems (or with old kernel).
+
+ * Rename configure.in to configure.ac and fix issues with new automake and pkgconfig
+ and --disable-kernel_crypto option to allow compilation with old kernel headers.
+
+ * Allow repair of 512 bits key header.
+
+ * Fix status of device if path argument is used and fix double path prefix
+ for non-existent device path.
+
Changes since version 1.5.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~
without need to install 3rd party software. For native Linux installations LUKS
is the preferred format.
- WARNING: TCRYPT extension requires kernel userspace crypto API to be available
- (kernel af_alg and algif_skcipher modules, introduced in Linux kernel 2.6.38).
+ WARNING: TCRYPT extension requires kernel userspace crypto API to be
+ available (introduced in Linux kernel 2.6.38).
+ If you are configuring kernel yourself, enable "User-space interface
+ for symmetric key cipher algorithms" in "Cryptographic API" section
+ (CRYPTO_USER_API_SKCIPHER .config option).
Because TCRYPT header is encrypted, you have to always provide valid
passphrase and keyfiles. Keyfiles are handled exactly the same as in original
format (basically, first 1MB of every keyfile is mixed using CRC32 into pool).
- Cryptsetup should recognize all TCRYPT header variants ever released, except
+ Cryptsetup should recognize all TCRYPT header variants ever released, except
legacy cipher chains using LRW encryption mode with 64 bits encryption block
(namely Blowfish in LRW mode is not recognized, this is limitation of kernel
crypto API).
* Activation of this container
- # cryptsetup tcryptOpen tst tcrypt_dev
+ # cryptsetup tcryptOpen tst tcrypt_dev
Enter passphrase:
(Chain of dmcrypt devices is activated as /dev/mapper/tcrypt_dev.)
-
+
* See status of active TCRYPT device
# cryptsetup status tcrypt_dev
* And plaintext filesystem now ready to mount
# blkid /dev/mapper/tcrypt_dev
- /dev/mapper/tcrypt_dev: SEC_TYPE="msdos" UUID="9F33-2954" TYPE="vfat"
+ /dev/mapper/tcrypt_dev: SEC_TYPE="msdos" UUID="9F33-2954" TYPE="vfat"
* Add (optional) support for lipwquality for new LUKS passwords.
See man page for detailed description.
- WARNING: benchmark requires kernel userspace crypto API to be available
- (kernel af_alg and algif_skcipher modules, introduced in Linux kernel 2.6.38).
+ WARNING: benchmark command requires kernel userspace crypto API to be
+ available (introduced in Linux kernel 2.6.38).
+ If you are configuring kernel yourself, enable "User-space interface
+ for symmetric key cipher algorithms" in "Cryptographic API" section
+ (CRYPTO_USER_API_SKCIPHER .config option).
EXAMPLE:
# cryptsetup benchmark
Header formatting and TCRYPT header change is not supported, cryptsetup
never changes TCRYPT header on-device.
-TCRYPT extension requires kernel userspace crypto API to be available
-(kernel af_alg and algif_skcipher modules, introduced in Linux kernel 2.6.38).
+TCRYPT extension requires kernel userspace
+crypto API to be available (introduced in Linux kernel 2.6.38).
+If you are configuring kernel yourself, enable
+"User-space interface for symmetric key cipher algorithms" in
+"Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
Because TCRYPT header is encrypted, you have to always provide valid
passphrase and keyfiles.
You cannot directly predict real storage encryption speed from it.
For testing block ciphers, this benchmark requires kernel userspace
-crypto API to be available (kernel af_alg and algif_skcipher modules,
-introduced in Linux kernel 2.6.38).
+crypto API to be available (introduced in Linux kernel 2.6.38).
+If you are configuring kernel yourself, enable
+"User-space interface for symmetric key cipher algorithms" in
+"Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
\fB<options>\fR can be [\-\-cipher, \-\-key-size, \-\-hash].
.SH OPTIONS