"Fossies" - the Fresh Open Source Software Archive

Member "cryptsetup-2.4.3/docs/v1.4.0-ReleaseNotes" (24 Jul 2021, 5317 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers.

    1 Cryptsetup 1.4.0 Release Notes
    2 ==============================
    3 
    4 Changes since version 1.3.1
    5 
    6 Important changes
    7 ~~~~~~~~~~~~~~~~~
    8 
    9 WARNING: This release removes the old deprecated API from libcryptsetup
   10          (all functions using struct crypt_options).
   11 
   12          This requires a libcryptsetup version change and
   13          a rebuild of applications using the cryptsetup library.
   14          All new API symbols are backward compatible.
   15 
   16 * If the device is not a rotational disk, cryptsetup no longer tries
   17   to wipe the keyslot with the Gutmann algorithm for magnetic media erase
   18   but simply overwrites the area once with random data.
   19 
   20 * The on-disk LUKS header can now be detached (e.g. placed on separate
   21   device or in file) using new --header option.
   22 
   23   This option is only relevant for LUKS devices and can be used in
   24   luksFormat, luksOpen, luksSuspend, luksResume and resize commands.
   25 
   26   If used with luksFormat the --align-payload option is taken
   27   as absolute sector alignment on ciphertext device and can be zero.
   28 
   29   Example:
   30     Create LUKS device with ciphertext device on /dev/sdb and header
   31     on device /dev/sdc. Use all space on /dev/sdb (no reserved area for header).
   32 
   33           cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0
   34 
   35    Activate such device:
   36           cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk
   37 
   38    You can use a file for the LUKS header (a loop device will be used while
   39    manipulating such a detached header); you just have to create
   40    a large enough file in advance.
   41 
   42           dd if=/dev/zero of=/mnt/luks_header bs=1M count=4
   43           cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0
   44 
   45    Activation is the same as above.
   46 
   47           cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk
   48 
   49    All keyslot operations need to be run on the _header_, not on the
   50    ciphertext device, for example:
   51 
   52           cryptsetup luksAddKey /mnt/luks_header
   53 
   54    If you do not use --align-payload 0, you can later restore LUKS header
   55    on device itself (and use it as normal LUKS device without detached header).
   56 
   57    WARNING: There is no possible check that specified ciphertext device
   58             matches detached on-disk header. Use with care, it can destroy
   59             your data in case of a mistake.
   60 
   61    WARNING: Storing LUKS header in a file means that anti-forensic splitter
   62             cannot properly work (there is filesystem allocation layer between
   63             header and disk).
   64 
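The mismatch described in the first warning above is something only the operator can guard against. As an added example (not part of the cryptsetup release notes or code), this script reads the UUID field from a LUKS1 header and accepts a header/device pair only if it was recorded at format time; the manifest file and its format, the function names, and the sample UUID and device paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Print the UUID stored in a LUKS1 header (40-byte field at byte offset 168).
luks1_uuid() {
    magic=$(od -An -tx1 -N6 "$1" | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1      # "LUKS" 0xBA 0xBE
    dd if="$1" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000'
}

# pairing_ok HEADER DEVICE MANIFEST
# MANIFEST (hypothetical format) holds one "<header UUID> <stable device path>"
# line per volume, written by the operator when the volume was formatted.
# Returns 0 only for a recorded pair; 2 if HEADER has no LUKS magic.
pairing_ok() {
    uuid=$(luks1_uuid "$1") || return 2
    grep -qxF -- "$uuid $2" "$3"
}

# Constructed sample data: a minimal fake header and a one-line manifest.
SAMPLE_UUID=01234567-89ab-cdef-0123-456789abcdef
demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
hdr=$demo_dir/luks_header
manifest=$demo_dir/pairings
{
    printf 'LUKS\272\276\000\001'                  # magic + version 1
    dd if=/dev/zero bs=1 count=160 2>/dev/null     # fields before the UUID
    printf '%s' "$SAMPLE_UUID"
    dd if=/dev/zero bs=1 count=4 2>/dev/null       # NUL padding to 40 bytes
} > "$hdr"
printf '%s\n' "$SAMPLE_UUID /dev/disk/by-id/example-disk-A" > "$manifest"

# Only a recorded pair would go on to: cryptsetup luksOpen <device> --header <header> <name>
if pairing_ok "$hdr" /dev/disk/by-id/example-disk-A "$manifest"; then
    echo "pair recorded for example-disk-A"
fi
pairing_ok "$hdr" /dev/disk/by-id/example-disk-B "$manifest" ||
    echo "refusing: example-disk-B is not the device recorded for this header"
```

On a real system `cryptsetup luksUUID <header>` prints the same UUID field.
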
   65 * Support --allow-discards option to allow discards/TRIM requests.
   66 
   67    Since kernel 3.1, dm-crypt devices optionally (not by default) support
   68    block discard (TRIM) commands.
   69    If you want to enable this operation, you have to enable it manually
   70    on every activation using --allow-discards:
   71 
   72           cryptsetup luksOpen --allow-discards /dev/sdb test_disk
   73 
   74    WARNING: There are several security consequences, please read at least
   75             http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
   76             before you enable it.
   77 
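Because discards are opt-in per activation, an audit can list which active mappings were opened with them. The following is an added example, not part of the cryptsetup release notes or code: it filters `dmsetup table` output for crypt targets carrying the allow_discards optional parameter. The function name and the sample table lines are constructed for illustration.

```shell
#!/bin/sh
# List dm-crypt mappings that pass discards through to the backing device.
# Input is `dmsetup table` output; a crypt line has the form
#   <name>: <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
#           [<#opt_params> <opt_param>...]
# and allow_discards, when set, appears among the optional parameters.
# Output: "<mapping name> <backing device>" per affected mapping.
discard_enabled_mappings() {
    awk '$4 == "crypt" {
        name = $1
        sub(/:$/, "", name)
        for (i = 11; i <= NF; i++)          # field 10 is the option count
            if ($i == "allow_discards") { print name, $8; break }
    }'
}

# Constructed sample output (keys shown as zeros, as dmsetup prints them
# without --showkeys); not captured from a real system.
SAMPLE_TABLE='test_disk: 0 2093056 crypt aes-cbc-essiv:sha256 00000000000000000000000000000000 0 8:16 4096 1 allow_discards
backup: 0 4190208 crypt aes-cbc-essiv:sha256 00000000000000000000000000000000 0 8:32 4096
vg0-root: 0 41943040 linear 8:2 2048'

printf '%s\n' "$SAMPLE_TABLE" | discard_enabled_mappings
```

On a live system, run `dmsetup table | discard_enabled_mappings` as root.
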
   78 * Add --shared option for creating non-overlapping crypt segments.
   79 
   80    The --shared option checks that mapped segments are not overlapping
   81    and allows non-exclusive access to the underlying device.
   82    Only plain crypt devices can be used in this mode.
   83 
   84    Example - map 64M of device disk and following 32 M area as another disk.
   85 
   86      cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536
   87      cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared
   88 
   89  (It can be used to simulate trivial hidden disk concepts.)
   90 
   91 libcryptsetup API changes:
   92   * Added options to support detached metadata device
   93      crypt_init_by_name_and_header()
   94      crypt_set_data_device()
   95   * Add crypt_last_error() API call.
   96   * Fix plain crypt format parameters to include size option.
   97   * Add crypt_get_iv_offset() function.
   98 
   99   * Remove old API functions (all functions using crypt_options).
  100 
  101 * Support key-slot option for luksOpen (use only explicit keyslot).
  102 
  103    You can now specify key slot in luksOpen and limit checking
  104    only to specified slot.
  105 
  106 * Support retries and timeout parameters for luksSuspend.
  107   (The same way as in luksOpen.)
  108 
  109 * Add doxygen-like documentation (it will be available on project page later).
  110   (To generate it manually run doxygen in docs directory.)
  111 
  112 Other changes
  113 ~~~~~~~~~~~~~
  114 * Fix crypt_load to properly check device size.
  115 * Do not allow context format of already formatted device.
  116 * Do not allow key retrieval while suspended (key could be wiped).
  117 * Do not allow suspend for non-LUKS devices.
  118 * Fix luksKillSlot exit code if slot is inactive or invalid.
  119 * Fix exit code if passphrases do not match in luksAddKey.
  120 * Fix return code for status command when device doesn't exist.
  121 * Fix verbose messages in isLuks command.
  122 * Support Nettle 2.4 crypto backend (supports ripemd160).
  123 * Add LUKS on-disk format description into package.
  124 * Enhance check of device size before writing LUKS header.
  125 * Add more paranoid checks for LUKS header and keyslot attributes.
  126 * Use new /dev/loop-control (kernel 3.1) if possible.
  127 * Remove hash/hmac restart from crypto backend and make it part of hash/hmac final.
  128 * Improve check for invalid offset and size values.
  129 * Revert default initialisation of volume key in crypt_init_by_name().
  130 * Add more regression tests.
  131 * Add some libcryptsetup example files (see docs/examples).