| Cryptsetup 1.1.0 Release Notes |
| ============================== |
| |
| Changes since version 1.0.7 |
| ---------------------------- |
| |
| Important changes: |
| ~~~~~~~~~~~~~~~~~~ |
| |
| * IMPORTANT: the default compiled-in cipher parameters changed |
| plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!). |
| LUKS mode: aes-cbc-essiv:sha256 (only key size increased) |
| In both modes is now default key size 256bits. |
| |
| * Default compiled-in parameters are now configurable through configure options: |
| --with-plain-* / --with-luks1-* (see configure --help) |
| |
| * If you need backward compatible defaults for distribution use |
| configure --with-plain-mode=cbc-plain --with-luks1-keybits=128 |
| |
| Default compiled-in modes are printed in "cryptsetup --help" output. |
| |
| * Change in iterations count (LUKS): |
| The slot and key digest iteration minimum count is now 1000. |
| The key digest iteration count is calculated from iteration time (approx 1/8 of req. time). |
| For more info about above items see discussion here: http://tinyurl.com/yaug97y |
| |
| * New libcryptsetup API (documented in libcryptsetup.h). |
| |
| The old API (using crypt_options struct) is still available but will remain |
| frozen and not used for new functions. |
| Soname of library changed to libcryptsetup.so.1.0.0. |
| (But only recompilation should be needed for old programs.) |
| |
| The new API provides much more flexible operation over LUKS device for |
| applications, it is preferred that new applications will use libcryptsetup |
| and not wrapper around cryptsetup binary. |
| |
| * New luksHeaderBackup and luksHeaderRestore commands. |
| |
| These commands allows binary backup of LUKS header. |
| Please read man page about possible security issues with backup files. |
| |
| * New luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase). |
| |
| luksSuspend wipe encryption key in kernel memory and set device to suspend |
| (blocking all IO) state. This option can be used for situations when you need |
| temporary wipe encryption key (like suspend to RAM etc.) |
| Please read man page for more information. |
| |
| * New --master-key-file option for luksFormat and luksAddKey. |
| |
| User can now specify pre-generated master key in file, which allows regenerating |
| LUKS header or add key with only master key knowledge. |
| |
| * Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option. |
| |
| Please note that using different hash for LUKS header make device incompatible with |
| old cryptsetup releases. |
| |
| * Introduces --debug parameter. |
| |
| Use when reporting bugs (just run cryptsetup with --debug and attach output |
| to issue report.) Sensitive data are never printed to this log. |
| |
| * Moves command successful messages to verbose level. |
| |
| * Requires device-mapper library and libgcrypt to build. |
| |
| * Uses dm-uuid for all crypt devices, contains device type and name now. |
| |
| * Removes support for dangerous non-exclusive option |
| (it is ignored now, LUKS device must be always opened exclusive) |
| |
| Other changes: |
| ~~~~~~~~~~~~~~ |
| * Fixed localization to work again. Also cryptsetup is now translated by translationproject.org. |
| * Fix some libcryptsetup problems, including |
| * exported symbols and versions in libcryptsetup (properly use versioned symbols) |
| * Add crypt_log library function. |
| * Add CRYPT_ prefix to enum defined in libcryptsetup.h. |
| * Move duplicate Command failed message to verbose level (error is printed always). |
| * Fix several problems in build system |
| * use autopoint and clean gettext processing. |
| * Check in configure if selinux libraries are required in static version. |
| * Fix build for non-standard location of gcrypt library. |
| * Add temporary debug code to find processes locking internal device. |
| * Fix error handling during reading passphrase. |
| * Fail passphrase read if piped input no longer exists. |
| * Fix man page to not require --size which expands to device size by default. |
| * Clean up Makefiles and configure script. |
| * Try to read first sector from device to properly check that device is ready. |
| * Move memory locking and dm initialization to command layer. |
| * Increase priority of process if memory is locked. |
| * Add log macros and make logging more consistent. |
| * Keyfile now must be provided by path, only stdin file descriptor is used (api only). |
| * Do not call isatty() on closed keyfile descriptor. |
| * Move key slot manipulation function into LUKS specific code. |
| * Replace global options struct with separate parameters in helper functions. |
| * Implement old API calls using new functions. |
| * Allow using passphrase provided in options struct for LuksOpen. |
| * Allow restrict keys size in LuksOpen. |
| * Fix errors when compiled with LUKS_DEBUG. |
| * Print error when getline fails. |
| * Completely remove internal SHA1 implementation code, not needed anymore. |
| * Pad luks header to 512 sector size. |
| * Rework read/write blockwise to not split operation to many pieces. |
| * Use posix_memalign if available. |
| * Fix segfault if provided slot in luksKillslot is invalid. |
| * Remove unneeded timeout when remove of temporary device succeeded. |