-Cryptsetup 1.6.0 Release Notes (RC1)
-====================================
+Cryptsetup 1.6.0 Release Notes
+==============================
+
+Changes since version 1.6.0-rc1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * Change LUKS default cipher to to use XTS encryption mode,
+ aes-xts-plain64 (i.e. using AES128-XTS).
+
+ XTS mode becomes standard in hard disk encryption.
+
+ You can still use any old mode:
+ - compile cryptsetup with old default:
+ configure --with-luks1-cipher=aes --with-luks1-mode=cbc-essiv:sha256 --with-luks1-keybits=256
+ - format LUKS device with old default:
+ cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 <device>
+
+
+ * Skip tests and fix error messages if running on old systems (or with old kernel).
+
+ * Rename configure.in to configure.ac and fix issues with new automake and pkgconfig
+ and --disable-kernel_crypto option to allow compilation with old kernel headers.
+
+ * Allow repair of 512 bits key header.
+
+ * Fix status of device if path argument is used and fix double path prefix
+ for non-existent device path.
+
Changes since version 1.5.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Some internal code handling files (loopaes, verity, tcrypt
and crypto backend wrapper) are LGPLv2+.
- Previously code was version 2 only.
+ Previously code was GPL version 2 only.
* Introducing new unified command open and close.
Example:
- cryptseup open --type plain|luks|loopaes|tcrypt <device> <name>
+ cryptsetup open --type plain|luks|loopaes|tcrypt <device> <name>
(type defaults to luks)
with backward-compatible aliases plainOpen, luksOpen, loopaesOpen,
* cryptsetup now support directly TCRYPT (TrueCrypt and compatible tc-play)
on-disk format
- (Code is complete and independent implementation not related to original project).
+ (Code is independent implementation not related to original project).
Only dump (tcryptDump command) and activation (open --type tcrypt or tcryptOpen)
- of TCRYPT device is supported. No header changes are supported.
+ of TCRYPT device are supported. No header changes are supported.
It is intended to easily access containers shared with other operating systems
without need to install 3rd party software. For native Linux installations LUKS
is the preferred format.
- WARNING: TCRYPT extension requires kernel userspace crypto API to be available
- (kernel af_alg and algif_skcipher modules, introduced in Linux kernel 2.6.38).
+ WARNING: TCRYPT extension requires kernel userspace crypto API to be
+ available (introduced in Linux kernel 2.6.38).
+ If you are configuring kernel yourself, enable "User-space interface
+ for symmetric key cipher algorithms" in "Cryptographic API" section
+ (CRYPTO_USER_API_SKCIPHER .config option).
Because TCRYPT header is encrypted, you have to always provide valid
- passphrase and keyfiles. Keyfiles ara handled exactly the same as in original
+ passphrase and keyfiles. Keyfiles are handled exactly the same as in original
format (basically, first 1MB of every keyfile is mixed using CRC32 into pool).
- Cryptsetup should recognize all TCRYPT header variants ever released, except
+ Cryptsetup should recognize all TCRYPT header variants ever released, except
legacy cipher chains using LRW encryption mode with 64 bits encryption block
- (namely Blowfish in LRW mode is not recognized, this is limitation of kernel
+ (namely Blowfish in LRW mode is not recognized, this is limitation of kernel
crypto API).
Device activation is supported only for LRW/XTS modes (again, limitation
* Activation of this container
- # cryptsetup tcryptOpen tst tcrypt_dev
+ # cryptsetup tcryptOpen tst tcrypt_dev
Enter passphrase:
(Chain of dmcrypt devices is activated as /dev/mapper/tcrypt_dev.)
-
+
* See status of active TCRYPT device
# cryptsetup status tcrypt_dev
* And plaintext filesystem now ready to mount
# blkid /dev/mapper/tcrypt_dev
- /dev/mapper/tcrypt_dev: SEC_TYPE="msdos" UUID="9F33-2954" TYPE="vfat"
+ /dev/mapper/tcrypt_dev: SEC_TYPE="msdos" UUID="9F33-2954" TYPE="vfat"
* Add (optional) support for lipwquality for new LUKS passwords.
cipher variants. You can specify you own parameters (--cipher/--key-size
for block ciphers, --hash for PBKDF2).
- See man page for detailed descrition.
+ See man page for detailed description.
- WARNING: benchmark requires kernel userspace crypto API to be available
- (kernel af_alg and algif_skcipher modules, introduced in Linux kernel 2.6.38).
+ WARNING: benchmark command requires kernel userspace crypto API to be
+ available (introduced in Linux kernel 2.6.38).
+ If you are configuring kernel yourself, enable "User-space interface
+ for symmetric key cipher algorithms" in "Cryptographic API" section
+ (CRYPTO_USER_API_SKCIPHER .config option).
EXAMPLE:
# cryptsetup benchmark
Features
~~~~~~~~
- * Do not maintain ChangeLog file anymore, see git log for detailed changes, e.g. here
- http://code.google.com/p/cryptsetup/source/list
+ * Do not maintain ChangeLog file anymore, see git log for detailed changes,
+ e.g. here http://code.google.com/p/cryptsetup/source/list
* Move change key into library, add crypt_keyslot_change_by_passphrase().
This change is useful mainly in FIPS mode, where we cannot
This allows use it in other formats, use library implementations and
also possible use of different KDF function in future.
- * New PBKDF2 bechmark using getrusage().
+ * New PBKDF2 benchmark using getrusage().
Fixes
~~~~~
projects / platform / upstream / cryptsetup.git / blobdiff