"Fossies" - the Fresh Open Source Software Archive

Member "cryptsetup-2.4.3/docs/v1.7.0-ReleaseNotes" (20 Aug 2019, 3101 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 Cryptsetup 1.7.0 Release Notes
    2 ==============================
    3 
    4 The cryptsetup 1.7 release changes defaults for LUKS,
    5 there are no API changes.
    6 
    7 Changes since version 1.6.8
    8 
    9 * Default hash function is now SHA256 (used in key derivation function
   10   and anti-forensic splitter).
   11 
   12   Note that replacing SHA1 with SHA256 is not for security reasons.
   13   (LUKS does not have problems even if collisions are found for SHA1,
   14   for details see FAQ item 5.20).
   15 
   16   Using SHA256 as default is mainly to prevent compatibility problems
   17   on hardened systems where SHA1 is already be phased out.
   18 
   19   Note that all checks (kernel crypto API availability check) now uses
   20   SHA256 as well.
   21 
   22 * Default iteration time for PBKDF2 is now 2 seconds.
   23 
   24   Increasing iteration time is in combination with PBKDF2 benchmark
   25   fixes a try to keep PBKDF2 iteration count still high enough and
   26   also still acceptable for users.
   27 
   28   N.B. Long term is to replace PBKDF2 algorithm with Password Hashing
   29   Competition winner - Argon2.
   30 
   31   Distributions can still change these defaults in compilation time.
   32 
   33   You can change iteration time and used hash function in existing LUKS
   34   header with cryptsetup-reencrypt utility even without full reencryption
   35   of device (see --keep-key option).
   36 
   37 * Fix PBKDF2 iteration benchmark for longer key sizes.
   38 
   39   The previous PBKDF2 benchmark code did not take into account
   40   output key length properly.
   41 
   42   For SHA1 (with 160-bits output) and 256-bit keys (and longer)
   43   it means that the final iteration value was higher than it should be.
   44 
   45   For other hash algorithms (like SHA256 or SHA512) it caused
   46   that iteration count was lower (in comparison to SHA1) than
   47   expected for the requested time period.
   48 
   49   The PBKDF2 benchmark code is now fixed to use the key size for
   50   the formatted device (or default LUKS key size if running in informational
   51   benchmark mode).
   52 
   53   Thanks to A.Visconti, S.Bossi, A.Calo and H.Ragab
   54   (http://www.club.di.unimi.it/) for point this out.
   55   (Based on "What users should know about Full Disk Encryption
   56   based on LUKS" paper to be presented on CANS2015).
   57 
   58 * Remove experimental warning for reencrypt tool.
   59   The strong request for full backup before using reencryption utility
   60   still applies :)
   61 
   62 * Add optional libpasswdqc support for new LUKS passwords.
   63 
   64   If password is entered through terminal (no keyfile specified) and
   65   cryptsetup is compiled with --enable-passwdqc[=/etc/passwdqc.conf],
   66   configured system passwdqc settings are used to check password quality.
   67 
   68 * Update FAQ document.
   69 
   70 Cryptsetup API NOTE:
   71 
   72 Direct terminal handling and password calling callback for passphrase
   73 entry will be removed from libcryptsetup in next major (2.x) version
   74 (application should handle it itself).
   75 It means that application have to always provide password in API calls.
   76 
   77 Functions returning last error will be removed in next major version (2.x).
   78 These functions did not work properly for early initialization errors
   79 and application can implement better function easily using own error callback.
   80 
   81 See comments in libcryptsetup.h for more info about deprecated functions.