* [dm-crypt] [ANNOUNCE] cryptsetup 1.4.0-rc1 (test release candidate)
From: Milan Broz @ 2011-10-10 19:25 UTC
To: dm-crypt

The first cryptsetup 1.4.0-rc1 release candidate is available at

  http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

Cryptsetup 1.4.0 Release Notes
==============================

Changes since version 1.3.1

Important changes
~~~~~~~~~~~~~~~~~

WARNING: This release removes old deprecated API from libcryptsetup
(all functions using struct crypt_options).

This requires libcryptsetup version change and
rebuild of applications using cryptsetup library.
All new API symbols are backward compatible.

* If device is not rotational disk, cryptsetup no longer tries
  to wipe keyslot with Gutmann algorithm for magnetic media erase
  but simply rewrites area once by random data.

* The on-disk LUKS header can now be detached (e.g. placed on separate
  device or in file) using new --header option.

  This option is only relevant for LUKS devices and can be used in
  luksFormat, luksOpen, luksSuspend, luksResume and resize commands.

  If used with luksFormat the --align-payload option is taken
  as absolute sector alignment on ciphertext device and can be zero.

  Example:
    Create LUKS device with ciphertext device on /dev/sdb and header
    on device /dev/sdc. Use all space on /dev/sdb (no reserved area for header).

      cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0

    Activate such device:

      cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk

    You can use file for LUKS header (loop device will be used while
    manipulating with such detached header), just you have to create
    large enough file in advance.

      dd if=/dev/zero of=/mnt/luks_header bs=1M count=4
      cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0

    Activation is the same as above.

      cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk

    All keyslot operations need to be run on _header_ not on ciphertext device,
    an example:

      cryptsetup luksAddKey /mnt/luks_header

    If you do not use --align-payload 0, you can later restore LUKS header
    on device itself (and use it as normal LUKS device without detached header).

  WARNING: There is no possible check that specified ciphertext device
           matches detached on-disk header. Use with care, it can destroy
           your data in case of a mistake.

  WARNING: Storing LUKS header in a file means that anti-forensic splitter
           cannot properly work (there is filesystem allocation layer between
           header and disk).

* Support --enable-discards option to allow discards/TRIM requests.

  Since kernel 3.1, dm-crypt devices optionally (not by default) support
  block discards (TRIM) commands.
  If you want to enable this operation, you have to enable it manually
  on every activation using --enable-discards

    cryptsetup luksOpen --enable-discards /dev/sdb test_disk

  WARNING: There are several security consequences, please read at least
           http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
           before you enable it.

* Add --shared option for creating non-overlapping crypt segments.

  The --shared option checks that mapped segments are not overlapping
  and allows non-exclusive access to underlying device.
  Only plain crypt devices can be used in this mode.

  Example - map 64M of device disk and following 32 M area as another disk.

    cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536
    cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared

  (It can be used to simulate trivial hidden disk concepts.)

libcryptsetup API changes:
  * Added options to support detached metadata device
      crypt_init_by_name_and_header()
      crypt_set_data_device()
  * Add crypt_last_error() API call.
  * Fix plain crypt format parameters to include size option.
  * Add crypt_get_iv_offset() function.

  * Remove old API functions (all functions using crypt_options).

* Support key-slot option for luksOpen (use only explicit keyslot).

  You can now specify key slot in luksOpen and limit checking
  only to specified slot.

* Support retries and timeout parameters for luksSuspend.
  (The same way as in luksOpen.)

* Add doxygen-like documentation (it will be available on project page later).
  (To generate it manually run doxygen in docs directory.)

Other changes
~~~~~~~~~~~~~
* Fix crypt_load to properly check device size.
* Do not allow context format of already formatted device.
* Do not allow key retrieval while suspended (key could be wiped).
* Do not allow suspend for non-LUKS devices.
* Fix luksKillSlot exit code if slot is inactive or invalid.
* Fix exit code if passphrases do not match in luksAddKey.
* Fix return code for status command when device doesn't exist.
* Support Nettle 2.4 crypto backend (supports ripemd160).
* Add LUKS on-disk format description into package.
* Enhance check of device size before writing LUKS header.
* Add more paranoid checks for LUKS header and keyslot attributes.
* Use new /dev/loop-control (kernel 3.1) if possible.
* Remove hash/hmac restart from crypto backend and make it part of hash/hmac final.
* Improve check for invalid offset and size values.
* Revert default initialisation of volume key in crypt_init_by_name().
* Add more regression tests.
* Add some libcryptsetup example files (see docs/examples).

* Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.4.0-rc1 (test release candidate)
From: Arno Wagner @ 2011-10-10 20:03 UTC
To: dm-crypt
On Mon, Oct 10, 2011 at 09:25:07PM +0200, Milan Broz wrote:
>
> The first cryptsetup 1.4.0-rc1 release candidate is available at
>
> http://code.google.com/p/cryptsetup/
>
> Feedback and bug reports are welcomed.
>
>
> Cryptsetup 1.4.0 Release Notes
> ==============================
>
> Changes since version 1.3.1
>
> Important changes
> ~~~~~~~~~~~~~~~~~
>
> WARNING: This release removes old deprecated API from libcryptsetup
> (all functions using struct crypt_options).
>
> This requires libcryptsetup version change and
> rebuild of applications using cryptsetup library.
> All new API symbols are backward compatible.
>
> * If device is not rotational disk, cryptsetup no longer tries
> to wipe keyslot with Gutmann algorithm for magnetic media erase
> but simply rewrites area once by random data.
Hmm. How do you determine that? Not that I see any fundamental
problem,
> * The on-disk LUKS header can now be detached (e.g. placed on separate
> device or in file) using new --header option.
Nice!
> This option is only relevant for LUKS devices and can be used in
> luksFormat, luksOpen, luksSuspend, luksResume and resize commands.
>
> If used with luksFormat the --align-payload option is taken
> as absolute sector alignment on ciphertext device and can be zero.
>
> Example:
> Create LUKS device with ciphertext device on /dev/sdb and header
> on device /dev/sdc. Use all space on /dev/sdb (no reserved area for header).
>
> cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0
>
> Activate such device:
> cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk
>
> You can use file for LUKS header (loop device will be used while
> manipulating with such detached header), just you have to create
> large enough file in advance.
>
> dd if=/dev/zero of=/mnt/luks_header bs=1M count=4
> cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0
>
> Activation is the same as above.
>
> cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk
>
> All keyslot operations need to be run on _header_ not on ciphertext device,
> an example:
>
> cryptsetup luksAddKey /mnt/luks_header
>
> If you do not use --align-payload 0, you can later restore LUKS header
> on device itself (and use it as normal LUKS device without detached header).
>
> WARNING: There is no possible check that specified ciphertext device
> matches detached on-disk header. Use with care, it can destroy
> your data in case of a mistake.
It should refuse to mount though, just like a plain dm-crypt
device if you enter the wrong passphrase.
> WARNING: Storing LUKS header in a file means that anti-forensic splitter
> cannot properly work (there is filesystem allocation layer between
> header and disk).
You mean the split data may end up all over the disk making
wiping problematic, especially if the filesystem does "overwrites"
to different places?
> * Support --enable-discards option to allow discards/TRIM requests.
>
> Since kernel 3.1, dm-crypt devices optionally (not by default) support
> block discards (TRIM) commands.
> If you want to enable this operation, you have to enable it manually
> on every activation using --enable-discards
>
> cryptsetup luksOpen --enable-discards /dev/sdb test_disk
>
> WARNING: There are several security consequences, please read at least
> http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
> before you enable it.
>
> * Add --shared option for creating non-overlapping crypt segments.
>
> The --shared option checks that mapped segments are not overlapping
> and allows non-exclusive access to underlying device.
> Only plain crypt devices can be used in this mode.
>
> Example - map 64M of device disk and following 32 M area as another disk.
>
> cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536
> cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared
>
> (It can be used to simulate trivial hidden disk concepts.)
>
> libcryptsetup API changes:
> * Added options to support detached metadata device
> crypt_init_by_name_and_header()
> crypt_set_data_device()
> * Add crypt_last_error() API call.
> * Fix plain crypt format parameters to include size option.
> * Add crypt_get_iv_offset() function.
>
> * Remove old API functions (all functions using crypt_options).
>
> * Support key-slot option for luksOpen (use only explicit keyslot).
>
> You can now specify key slot in luksOpen and limit checking
> only to specified slot.
>
> * Support retries and timeout parameters for luksSuspend.
> (The same way as in luksOpen.)
>
> * Add doxygen-like documentation (it will be available on project page later).
> (To generate it manually run doxygen in docs directory.)
>
> Other changes
> ~~~~~~~~~~~~~
> * Fix crypt_load to properly check device size.
> * Do not allow context format of already formatted device.
> * Do not allow key retrieval while suspended (key could be wiped).
> * Do not allow suspend for non-LUKS devices.
> * Fix luksKillSlot exit code if slot is inactive or invalid.
> * Fix exit code if passphrases do not match in luksAddKey.
> * Fix return code for status command when device doesn't exist.
> * Support Nettle 2.4 crypto backend (supports ripemd160).
> * Add LUKS on-disk format description into package.
Good.
> * Enhance check of device size before writing LUKS header.
To prevent problems if the device is smaller than the header?
> * Add more paranoid checks for LUKS header and keyslot attributes.
> * Use new /dev/loop-control (kernel 3.1) if possible.
> * Remove hash/hmac restart from crypto backend and make it part of hash/hmac final.
> * Improve check for invalid offset and size values.
> * Revert default initialisation of volume key in crypt_init_by_name().
> * Add more regression tests.
> * Add some libcryptsetup example files (see docs/examples).
Good.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

* Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.4.0-rc1 (test release candidate)
From: Milan Broz @ 2011-10-10 20:22 UTC
To: dm-crypt
On 10/10/2011 10:03 PM, Arno Wagner wrote:
>> * If device is not rotational disk, cryptsetup no longer tries
>> to wipe keyslot with Gutmann algorithm for magnetic media erase
>> but simply rewrites area once by random data.
>
> Hmm. How do you determine that? Not that I see any fundamental
> problem,
Through kernel sysfs, rotational flag:
/sys/dev/block/<major>:<minor>/queue/rotational
If not available, then it is expected that device is rotational.
(This flag should be authoritative, e.g. filesystems like btrfs use it
as well to determine allocation strategies.)
>> WARNING: There is no possible check that specified ciphertext device
>> matches detached on-disk header. Use with care, it can destroy
>> your data in case of a mistake.
>
> It should refuse to mount though, just like a plain dm-crypt
> device if you enter the wrong passphrase.
Yes. I just want to say that by separating the header, the user is
responsible for properly pairing header and ciphertext device.
>> WARNING: Storing LUKS header in a file means that anti-forensic splitter
>> cannot properly work (there is filesystem allocation layer between
>> header and disk).
>
> You mean the split data may end up all over the disk making
> wiping problematic, especially if the filesystem does "overwrites"
> to different places?
You cannot be sure how the file is represented on disk, it can be fragmented
etc. (AF has perhaps problems with SSD wear-leveling so it is nothing new.
We should analyse AF with new storage types anyway...)
Anyway, header in file is exactly the same situation as header backup to file.
In fact, I forgot to mention that header backup can be directly used
in --header parameter.
>> * Enhance check of device size before writing LUKS header.
>
> To prevent problems if the device is smaller than the header?
Old code did not check if header + all keyslots fit on device
(but device activation was not possible because payload offset
exceeded device size then).
But now with separate header it is needed - header write is refused
if device is too small.
Milan
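
Added example (not part of the thread and not cryptsetup's own code): a shell version of the rotational-flag lookup described in the reply above, including the stated fallback to "rotational" when the sysfs attribute is unavailable. The optional sysfs-root argument, the function names and the strategy labels `gutmann` / `single-random-pass` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not cryptsetup source. The sysfs-root argument and
# the strategy labels printed below are assumptions made for this example.

# rotational_flag MAJOR MINOR [SYSFS_ROOT]
# Prints 0 only when the kernel explicitly reports a non-rotational device.
# A missing, unreadable or unexpected flag counts as rotational (1),
# matching the fallback described in the message.
rotational_flag() {
    _attr="${3:-/sys}/dev/block/$1:$2/queue/rotational"
    _val=$(cat "$_attr" 2>/dev/null) || _val=1
    case "$_val" in
        0) echo 0 ;;
        *) echo 1 ;;
    esac
}

# wipe_strategy MAJOR MINOR [SYSFS_ROOT]
# Maps the flag to the keyslot wipe behaviour named in the release notes:
# Gutmann passes for rotational media, one random overwrite otherwise.
wipe_strategy() {
    if [ "$(rotational_flag "$1" "$2" "${3:-/sys}")" = 0 ]; then
        echo "single-random-pass"
    else
        echo "gutmann"
    fi
}

# device_numbers PATH
# Prints "MAJOR MINOR" in decimal for a block device node. GNU stat
# reports them in hex through %t and %T, so convert with printf.
device_numbers() {
    [ -b "$1" ] || return 1
    set -- $(stat -c '%t %T' "$1")
    printf '%d %d\n' "0x$1" "0x$2"
}
```

On a real system, `wipe_strategy $(device_numbers /dev/sdb)` prints the label for that disk. For a partition node the `queue` directory sits under the parent disk, so this example takes the rotational fallback there.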