From: Milan Broz Date: Mon, 14 Mar 2011 16:45:05 +0000 (+0000) Subject: Add 1.3.0 Release Notes. X-Git-Tag: upstream/1.6~488 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e937feb1a7fe753f0e7556559fa6ff65c484faf0;p=platform%2Fupstream%2Fcryptsetup.git Add 1.3.0 Release Notes. git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@464 36d66b0a-2a48-0410-832c-cd162a569da5 --- diff --git a/docs/v1.3.0-ReleaseNotes b/docs/v1.3.0-ReleaseNotes new file mode 100644 index 0000000..cd48c9d --- /dev/null +++ b/docs/v1.3.0-ReleaseNotes @@ -0,0 +1,91 @@ +Cryptsetup 1.3.0 Release Notes +============================== + +Changes since version 1.2.0 + +Important changes +~~~~~~~~~~~~~~~~~ + * Several userspace crypto backends support + + cryptsetup now supports generic crypto backend interface which allows + compile package with various crypto library, these are already implemented: + + * gcrypt (default, used in previous versions) + * OpenSSL + * NSS (because of missing ripemd160 it cannot provide full backward compatibility) + * kernel userspace API (provided by kernel 2.6.38 and above) + (Note that kernel userspace backend is very slow for this type of operation. + But it can be usefull for embedded systems, because you can avoid userspace + crypto library completely.) + + Backend is selected during configure time, using --with-crypto_backend option. + + configure --with-crypto_backend=BACKEND (gcrypt/openssl/nss/kernel) [gcrypt] + + Note that performance checked (iterations) in LUKS header will cause that + real iteration time will differ with different backends. + (There are huge differences in speed between libraries.) + + * Cryptsetup now automatically allocates loopback device (/dev/loop) if device + argument is file and not plain device. + + This require Linux kernel 2.6.25 and above (which implements loop autoclear flag). + + You can see backing file in cryptsetup status output if underlying device is loopback. + + * Adds luksChangeKey command + + cryptestup luksChangeKey --key-file [--key-slot X] + cryptestup luksChangeKey [--key-slot X] (for passphrase change) + + This command allows passphrase/keyfile change in one step. If no key slot is + specified (and there is still free key slot on device) new slot is allocated before + the old is purged. + + If --key-slot option is specified (or there is no free slot) command will overwrite + existing slot. + WARNING: Be sure you have another slot active or header backup when using explicit + key slot (so you can unlock the device even after possible media failure). + + * Adds compatible support for loop-AES encryption type in loopaesOpen command. + + Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping + (including multi-key and special CBC mode, all three modes are supported). + + If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can + access loop-AES volume using + cryptsetup loopaesOpen [--key-size 128] --key-file + + If you are using GPG encrypted keyfile + gpg --decrypt | cryptsetup loopaesOpen --key-file=- + + Do not forget to specify key size. Other ciphers than AES should work but were + not tested. Version and hash is automatically detected according to number + of lines in key file. + + Please note that loopAES dm-crypt mode is provided for compatibility reasons + (so you do not need to patch kernel and util-linux to map existing volumes) + but is is not, and never will be, optimized for speed. + It is experimental feature for now. + + * WARNING: This is the last cryptsetup release which supports library with + old API (using struct crypt_options). + These calls are deprecated since 1.1.0 and AFAIK no application + is using it in recent distros. Removing compatible code will allow + new features to be implemented easily. + +Other changes +~~~~~~~~~~~~~ + * Increase libcryptsetup version (loopAES change), still fully backward compatible. + * Fixes static build (--disable-static-cryptsetup now works properly). + * Supports secure data flag for device-mapper iotcl (will be in 2.6.39, + forcing kernel to wipe all ioctl buffers with possible key data). + To enable this flag you need new device-mapper library, in LVM2 2.02.84. + * Add copyright texts into some files and adds GPL exception allowing + to distribute resulting binaries linked with OpenSSL. + * Update FAQ. + * Fix message when locking memory fails. + * Fix luksAddKey return code if master key is used. + * Update some text files in distributions. + * Add docs directory with Release Notes archive. + * Do not hardcode loopback device name in tests, use internal loopback library.