"Fossies" - the Fresh Open Source Software Archive

Member "cryptsetup-2.4.3/docs/v2.0.1-ReleaseNotes" (24 Jul 2021, 4864 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:



Cryptsetup 2.0.1 Release Notes
==============================
Stable and bug-fix release with experimental features.

This version introduces a new on-disk LUKS2 format.

The legacy LUKS format (referred to as LUKS1) will be fully supported
forever as a traditional and fully backward-compatible format.

Please note that authenticated disk encryption, non-cryptographic
data integrity protection (dm-integrity), use of Argon2 Password-Based
Key Derivation Function and the LUKS2 on-disk format itself are new
features and can contain some bugs.

To provide all security features of authenticated encryption we need
a better nonce-reuse resistant algorithm in the kernel (see note below).
For now, please use authenticated encryption as an experimental feature.

Please do not use LUKS2 without properly configured backup or in
production systems that need to be compatible with older systems.

Changes since version 2.0.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* To store the volume key in the kernel keyring, kernel 4.15 with
  dm-crypt 1.18.1 is required. If a volume key is stored in the keyring
  (LUKS2 only), dm-crypt v1.15.0 through v1.18.0 contains a serious bug
  that may cause data corruption for ciphers with ESSIV.
  (The key for ESSIV is zeroed because of code misplacement.)
  This bug is not present for LUKS1 or any other IVs used in LUKS modes.
  This change is not visible to the user (except dmsetup output).

* Increase maximum allowed PBKDF memory-cost limit to 4 GiB.
  The Argon2 PBKDF uses 1 GiB by default; this is also limited by the amount
  of physical memory available (maximum is half of the physical memory).

* Use /run/cryptsetup as default for cryptsetup locking dir.
  There were problems with sharing /run/lock with lockdev, and in the early
  boot, the directory was missing.
  The directory can be changed with --with-luks2-lock-path and
  --with-luks2-lock-dir-perms configure switches.

* Introduce new 64-bit byte-offset *keyfile_device_offset functions.

  The keyfile interface was designed, well, for keyfiles. Unfortunately,
  there are use cases where a keyfile can be placed on a device, and
  a size_t offset can overflow on 32-bit systems.

  A new set of functions that allow 64-bit offsets even on 32-bit systems
  is now available:

     - crypt_resume_by_keyfile_device_offset
     - crypt_keyslot_add_by_keyfile_device_offset
     - crypt_activate_by_keyfile_device_offset
     - crypt_keyfile_device_read

  The new functions have _device_ added to their names.
  The old functions are just internal wrappers around these.

  Also, cryptsetup --keyfile-offset and --new-keyfile-offset now allow
  64-bit offsets as parameters.

* Add error hint for wrongly formatted cipher strings in LUKS1 and
  properly fail in luksFormat if cipher format is missing required IV.
  Until now, the crypto API quietly used a cipher without IV if a cipher
  algorithm without IV specification was used (e.g., aes-xts).
  This caused a failure later during activation.

* Configure check for a recent Argon2 lib to support mandatory Argon2id.

* Fix for the cryptsetup-reencrypt static build if pwquality is enabled.

* Update LUKS1 standard doc (https links in the bibliography).
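
The size_t overflow behind the new *keyfile_device_offset functions above, shown as an added example (not code from cryptsetup). The size32_t type, the constructed device_byte pattern and all helper names are hypothetical; they stand in for a 32-bit build reading key material stored far into a large device.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t size32_t;   /* stand-in for size_t on a 32-bit build */
#define KEY_LEN 32

/* Constructed "device": each byte is derived from its offset, so distinct
 * positions hold distinguishable data without allocating gigabytes. */
static uint8_t device_byte(uint64_t off)
{
    return (uint8_t)((off * 0x9E3779B97F4A7C15ULL) >> 56);
}

static void read_key(uint64_t off, uint8_t key[KEY_LEN])
{
    for (unsigned i = 0; i < KEY_LEN; i++)
        key[i] = device_byte(off + i);
}

/* 1 if an offset passed through a 32-bit size_t still reads the wanted key. */
static int legacy_path_reads_same_key(uint64_t off)
{
    uint8_t want[KEY_LEN], got[KEY_LEN];
    read_key(off, want);
    read_key((size32_t)off, got);   /* the narrowing a size_t parameter does */
    return memcmp(want, got, KEY_LEN) == 0;
}

/* Hypothetical guard for callers stuck with a size_t offset: fail loudly. */
static int checked_legacy_offset(uint64_t off, size32_t *out)
{
    if (off > UINT32_MAX)
        return -ERANGE;
    *out = (size32_t)off;
    return 0;
}

int main(void)
{
    uint64_t off = 5ULL << 30;   /* constructed: key stored 5 GiB into a device */
    printf("wanted %llu, size_t path reads at %lu, same key: %d\n",
           (unsigned long long)off, (unsigned long)(size32_t)off,
           legacy_path_reads_same_key(off));
    return 0;
}
```

A 5 GiB offset silently becomes 1 GiB on the narrowed path, so different bytes are read as the key; a uint64_t offset parameter removes the narrowing altogether.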


Unfinished things & TODO for next releases
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* There will be better documentation and examples.

* There will be some more formal definition of the threat model for integrity
  protection. (And a link to some papers discussing integrity protection,
  once it is, hopefully, accepted and published.)

* Offline re-encrypt tool LUKS2 support is currently limited.
  There will be an online LUKS2 re-encryption tool in the future.

* Authenticated encryption will use new algorithms from the CAESAR competition
  (https://competitions.cr.yp.to/caesar.html) once these algorithms are
  available in the kernel (more on this later).
  NOTE: Currently available authenticated modes (GCM, ChaCha20-Poly1305)
  in the kernel have 96-bit nonces, which are too small and problematic with
  randomly generated IVs (the collision probability is not negligible).
  For GCM, a nonce collision is a fatal problem.

* Authenticated encryption does not set encryption for a dm-integrity journal.

  While it does not influence data confidentiality or integrity protection,
  an attacker can get some more information from the data journal or cause
  the system to corrupt sectors after journal replay. (That corruption will
  be detected though.)

* There are examples of user-defined tokens inside the misc/luks2_keyslot_example
  directory (like a simple external program that uses libssh to unlock LUKS2
  using a remote keyfile).

* The python binding (pycryptsetup) contains only basic functionality for LUKS1
  (it is not updated for new features) and will be deprecated soon in favor
  of python bindings to the libblockdev library (that can already handle LUKS1
  devices).
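
The 96-bit nonce note above, worked through as an added example (not code from cryptsetup or the kernel): it bounds the collision probability for randomly generated nonces and finds how many sector writes stay under a chosen threshold. It assumes one fresh random nonce per sector write under a single key; the 2^-32 threshold and the sector sizes are assumptions, not values from these notes.

```c
#include <stdint.h>
#include <stdio.h>

#define NONCE_BITS 96   /* nonce size of the modes named in the note */

/* Union (birthday) bound: the probability that any two of `writes` uniformly
 * random nonces collide is at most writes*(writes-1) / 2^(NONCE_BITS+1). */
static long double collision_bound(uint64_t writes)
{
    if (writes < 2)
        return 0.0L;
    long double p = (long double)writes * (long double)(writes - 1);
    for (int i = 0; i < NONCE_BITS + 1; i++)
        p /= 2.0L;
    return p > 1.0L ? 1.0L : p;
}

/* Largest write count whose bound stays <= 2^-k (binary search works
 * because the bound only grows with the number of writes). */
static uint64_t max_writes_for(unsigned k)
{
    long double target = 1.0L;
    for (unsigned i = 0; i < k; i++)
        target /= 2.0L;
    uint64_t lo = 1, hi = UINT64_MAX;
    while (lo < hi) {
        uint64_t mid = lo + (hi - lo) / 2 + 1;
        if (collision_bound(mid) <= target)
            lo = mid;
        else
            hi = mid - 1;
    }
    return lo;
}

int main(void)
{
    /* Assumed threshold 2^-32 and sector sizes; one nonce per sector write. */
    uint64_t n = max_writes_for(32);
    printf("bound after 2^32 writes: %Lg\n", collision_bound(1ULL << 32));
    printf("writes allowed at 2^-32: %llu\n", (unsigned long long)n);
    printf("data written, 512 B sectors : %.2Lf TiB\n", n * 512.0L / (1ULL << 40));
    printf("data written, 4096 B sectors: %.2Lf TiB\n", n * 4096.0L / (1ULL << 40));
    return 0;
}
```

The write budget is counted over the whole lifetime of the key, including rewrites of the same sector, so a busy volume reaches it well before the device size suggests.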