"Fossies" - the Fresh Open Source Software Archive

Member "cryptsetup-2.4.3/docs/v1.6.0-ReleaseNotes" (9 Jan 2013, 9529 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 Cryptsetup 1.6.0 Release Notes
    2 ==============================
    3 
    4 Changes since version 1.6.0-rc1
    5 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    6 
    7  * Change LUKS default cipher to to use XTS encryption mode,
    8    aes-xts-plain64 (i.e. using AES128-XTS).
    9 
   10    XTS mode becomes standard in hard disk encryption.
   11 
   12    You can still use any old mode:
   13     - compile cryptsetup with old default:
   14       configure --with-luks1-cipher=aes --with-luks1-mode=cbc-essiv:sha256 --with-luks1-keybits=256
   15     - format LUKS device with old default:
   16       cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 <device>
   17 
   18 
   19  * Skip tests and fix error messages if running on old systems (or with old kernel).
   20 
   21  * Rename configure.in to configure.ac and fix issues with new automake and pkgconfig
   22    and --disable-kernel_crypto option to allow compilation with old kernel headers.
   23 
   24  * Allow repair of 512 bits key header.
   25 
   26  * Fix status of device if path argument is used and fix double path prefix
   27    for non-existent device path.
   28 
   29 
   30 Changes since version 1.5.1
   31 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
   32 
   33 Important changes
   34 ~~~~~~~~~~~~~~~~~
   35 
   36  * Cryptsetup and libcryptsetup is now released under GPLv2+
   37    (GPL version 2 or any later).
   38    Some internal code handling files (loopaes, verity, tcrypt
   39    and crypto backend wrapper) are LGPLv2+.
   40 
   41    Previously code was GPL version 2 only.
   42 
   43 
   44  * Introducing new unified command open and close.
   45 
   46    Example:
   47       cryptsetup open --type plain|luks|loopaes|tcrypt <device> <name>
   48       (type defaults to luks)
   49 
   50    with backward-compatible aliases plainOpen, luksOpen, loopaesOpen,
   51    tcryptOpen. Basically "open --type xyz" has alias "xyzOpen".
   52 
   53    The "create" command (plain device create) is DEPRECATED but will
   54    be still supported.
   55    (This command is confusing because of switched arguments order.)
   56 
   57    The close command is generic command to remove mapping and have
   58    backward compatible aliases (remove, luksClose, ...) which behaves
   59    exactly the same.
   60 
   61    While all old syntax is still supported, I strongly suggest to use
   62    new command syntax which is common for all device types (and possible
   63    new formats added in future).
   64 
   65 
   66  * cryptsetup now support directly TCRYPT (TrueCrypt and compatible tc-play)
   67    on-disk format
   68    (Code is independent implementation not related to original project).
   69 
   70    Only dump (tcryptDump command) and activation (open --type tcrypt or tcryptOpen)
   71    of TCRYPT device are supported. No header changes are supported.
   72 
   73    It is intended to easily access containers shared with other operating systems
   74    without need to install 3rd party software. For native Linux installations LUKS
   75    is the preferred format.
   76 
   77    WARNING: TCRYPT extension requires kernel userspace crypto API to be
   78    available (introduced in Linux kernel 2.6.38).
   79    If you are configuring kernel yourself, enable "User-space interface
   80    for symmetric key cipher algorithms" in "Cryptographic API" section
   81    (CRYPTO_USER_API_SKCIPHER .config option).
   82 
   83    Because  TCRYPT  header  is encrypted, you have to always provide valid
   84    passphrase and keyfiles. Keyfiles are handled exactly the same as in original
   85    format (basically, first 1MB of every keyfile is mixed using CRC32 into pool).
   86 
   87    Cryptsetup should recognize all TCRYPT header variants ever released, except
   88    legacy  cipher chains  using LRW encryption mode with 64 bits encryption block
   89    (namely Blowfish in LRW mode is not recognized, this is limitation of kernel
   90    crypto API).
   91 
   92    Device activation is supported only for LRW/XTS modes (again, limitation
   93    of kernel dmcrypt which do not implements TCRYPT extensions to CBC mode).
   94    (So old containers cannot be activated, but you can use libcryptsetup
   95    for lost password search, example of such code is included in misc directory.)
   96 
   97    Hidden header are supported using --tcrypt-hidden option, system encryption
   98    using --tcrypt-system option.
   99 
  100    For detailed description see man page.
  101 
  102    EXAMPLE:
  103      * Dump device parameters of container in file:
  104 
  105      # cryptsetup tcryptDump tst
  106        Enter passphrase: 
  107 
  108      TCRYPT header information for tst
  109      Version:        5
  110      Driver req.:    7
  111      Sector size:    512
  112      MK offset:      131072
  113      PBKDF2 hash:    sha512
  114      Cipher chain:   serpent-twofish-aes
  115      Cipher mode:    xts-plain64
  116      MK bits:        1536
  117 
  118      You can also dump master key using --dump-master-key.
  119      Dump does not require superuser privilege.
  120 
  121      * Activation of this container
  122 
  123      # cryptsetup tcryptOpen tst tcrypt_dev
  124        Enter passphrase: 
  125       (Chain of dmcrypt devices is activated as /dev/mapper/tcrypt_dev.)
  126 
  127      * See status of active TCRYPT device
  128 
  129      # cryptsetup status tcrypt_dev
  130 
  131      /dev/mapper/tcrypt_dev is active.
  132      type:    TCRYPT
  133      cipher:  serpent-twofish-aes-xts-plain64
  134      keysize: 1536 bits
  135      device:  /dev/loop0
  136      loop:    /tmp/tst
  137      offset:  256 sectors
  138      size:    65024 sectors
  139      skipped: 256 sectors
  140      mode:    read/write
  141 
  142     * And plaintext filesystem now ready to mount
  143 
  144     # blkid /dev/mapper/tcrypt_dev
  145     /dev/mapper/tcrypt_dev: SEC_TYPE="msdos" UUID="9F33-2954" TYPE="vfat"
  146 
  147 
  148  * Add (optional) support for lipwquality for new LUKS passwords.
  149 
  150    If password is entered through terminal (no keyfile specified)
  151    and cryptsetup is compiled with --enable-pwquality, default
  152    system pwquality settings are used to check password quality.
  153 
  154    You can always override this check by using new --force-password option.
  155 
  156    For more info about pwquality project see http://libpwquality.fedorahosted.org/
  157 
  158 
  159  * Proper handle interrupt signals (ctrl+c and TERM signal) in tools
  160 
  161    Code should now handle interrupt properly, release and explicitly wipe
  162    in-memory key materials on interrupt.
  163    (Direct users of libcryptsetup should always call crypt_free() when
  164    code is interrupted to wipe all resources. There is no signal handling
  165    in library, it is up to the tool using it.)
  166 
  167  
  168  * Add new benchmark command
  169 
  170    The "benchmark" command now tries to benchmark PBKDF2 and some block
  171    cipher variants. You can specify you own parameters (--cipher/--key-size
  172    for block ciphers, --hash for PBKDF2).
  173 
  174    See man page for detailed description.
  175 
  176    WARNING: benchmark command requires kernel userspace crypto API to be
  177    available (introduced in Linux kernel 2.6.38).
  178    If you are configuring kernel yourself, enable "User-space interface
  179    for symmetric key cipher algorithms" in "Cryptographic API" section
  180    (CRYPTO_USER_API_SKCIPHER .config option).
  181 
  182    EXAMPLE:
  183      # cryptsetup benchmark
  184      # Tests are approximate using memory only (no storage IO).
  185      PBKDF2-sha1       111077 iterations per second
  186      PBKDF2-sha256      53718 iterations per second
  187      PBKDF2-sha512      18832 iterations per second
  188      PBKDF2-ripemd160   89775 iterations per second
  189      PBKDF2-whirlpool   23918 iterations per second
  190             #  Algorithm | Key | Encryption | Decryption
  191           aes-cbc   128b  212.0 MiB/s  428.0 MiB/s
  192       serpent-cbc   128b   23.1 MiB/s   66.0 MiB/s
  193       twofish-cbc   128b   46.1 MiB/s   50.5 MiB/s
  194           aes-cbc   256b  163.0 MiB/s  350.0 MiB/s
  195       serpent-cbc   256b   23.1 MiB/s   66.0 MiB/s
  196       twofish-cbc   256b   47.0 MiB/s   50.0 MiB/s
  197           aes-xts   256b  190.0 MiB/s  190.0 MiB/s
  198       serpent-xts   256b   58.4 MiB/s   58.0 MiB/s
  199       twofish-xts   256b   49.0 MiB/s   49.5 MiB/s
  200           aes-xts   512b  175.0 MiB/s  175.0 MiB/s
  201       serpent-xts   512b   59.0 MiB/s   58.0 MiB/s
  202       twofish-xts   512b   48.5 MiB/s   49.5 MiB/s
  203 
  204      Or you can specify cipher yourself:
  205      # cryptsetup benchmark --cipher cast5-cbc-essiv:sha256 -s 128
  206      # Tests are approximate using memory only (no storage IO).
  207      #  Algorithm | Key | Encryption | Decryption
  208         cast5-cbc   128b   32.4 MiB/s   35.0 MiB/s
  209 
  210      WARNING: these tests do not use dmcrypt, only crypto API.
  211      You have to benchmark the whole device stack and you can get completely
  212      different results. But is is usable for basic comparison.
  213      (Note for example AES-NI decryption optimization effect in example above.)
  214 
  215 Features
  216 ~~~~~~~~
  217 
  218  * Do not maintain ChangeLog file anymore, see git log for detailed changes,
  219    e.g. here http://code.google.com/p/cryptsetup/source/list
  220 
  221  * Move change key into library, add crypt_keyslot_change_by_passphrase().
  222    This change is useful mainly in FIPS mode, where we cannot
  223    extract volume key directly from libcryptsetup.
  224 
  225  * Add verbose messages during reencryption.
  226 
  227  * Default LUKS PBKDF2 iteration time is now configurable.
  228 
  229  * Add simple cipher benchmarking API.
  230 
  231  * Add kernel skcipher backend.
  232 
  233  * Add CRC32 implementation (for TCRYPT).
  234 
  235  * Move PBKDF2 into crypto backend wrapper.
  236    This allows use it in other formats, use library implementations and
  237    also possible use of different KDF function in future.
  238 
  239  * New PBKDF2 benchmark using getrusage().
  240 
  241 Fixes
  242 ~~~~~
  243 
  244  * Avoid O_DIRECT open if underlying storage doesn't support it.
  245 
  246  * Fix some non-translated messages.
  247 
  248  * Fix regression in header backup (1.5.1) with container in file.
  249 
  250  * Fix blockwise read/write for end writes near end of device.
  251    (was not used in previous versions)
  252 
  253  * Ignore setpriority failure.
  254 
  255  * Code changes to fix/ignore problems found by Coverity static analysis, including
  256    - Get page size should never fail.
  257    - Fix time of check/use (TOCTOU test) in tools
  258    - Fix time of check/use in loop/wipe utils.
  259    - Fix time of check/use in device utils.
  260 
  261  * Disallow header restore if context is non-LUKS device.