* [dm-crypt] [ANNOUNCE] cryptsetup 1.1.0-rc4 (test release candidate)
From: Milan Broz @ 2009-12-30 21:09 UTC (permalink / raw)
To: dm-crypt
Hi all,

because of some important changes I want to include in cryptsetup 1.1
I released yet another testing release of cryptsetup.

Thanks,
Milan
--
mbroz@redhat.com

Cryptsetup 1.1.0-rc4 Release Notes
==================================

The cryptsetup 1.1.0-rc4 release candidate is available at

  http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

The rc should be the last release before the 1.1 stable version; the reason for another
testing compilation is an important change in default parameters.

Changes since version 1.1.0-rc1
-------------------------------

IMPORTANT: the default compiled-in cipher parameters changed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!).
* LUKS mode: aes-cbc-essiv:sha256 (only key size increased)
In both modes the default key size is now 256 bits.

* Default compiled-in parameters are now configurable through configure options:
  --with-plain-* / --with-luks1-* (see configure --help)

* If you need backward compatible defaults for a distribution, use
  configure --with-plain-mode=cbc-plain --with-luks1-keybits=128

(This is mainly important for plain mode when the mode is stored in /etc/crypttab file.)

Default compiled-in modes are printed in "cryptsetup --help" output.

IMPORTANT: change in iterations count:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The slot and key digest iteration minimum is now 1000.
* The key digest iteration # is calculated from iteration time (approx 1/8 of req. time).

For more info about above items see discussion here: http://tinyurl.com/yaug97y

Other changes:
~~~~~~~~~~~~~~
* Fixed localisation to work again. Also cryptsetup is now translated by translationproject.org.
* Added French, Indonesian and updated Swedish translation for now.
* Fix some libcryptsetup problems, including
* exported symbols and versions in libcryptsetup (properly use versioned symbols)
* Add crypt_log library function.
* Add CRYPT_ prefix to enum defined in libcryptsetup.h.
* Move duplicate Command failed message to verbose level (error is printed always).
* Fix several problems in build system
* use autopoint and clean gettext processing.
* Check in configure if selinux libraries are required in static version.
* Fix build for non-standard location of gcrypt library.
* Add temporary debug code to debug processes locking internal keyslot device.
* Fix error handling during reading passphrase.

Changes since version 1.0.7
---------------------------

Important changes:
~~~~~~~~~~~~~~~~~~

* Adds new libcryptsetup API (documented in libcryptsetup.h).

  The old API (using crypt_options struct) is still available but will remain
  frozen and not used for new functions.
  Soname of library changed to libcryptsetup.so.1.0.0.
  (But only recompilation should be needed for old programs.)

  The new API provides much more flexible operation over LUKS device for
  applications, it is preferred that new applications will use libcryptsetup
  and not wrapper around cryptsetup binary.

* Adds luksHeaderBackup and luksHeaderRestore commands.

  These commands allow binary backup of LUKS header.
  Please read man page about possible security issues with backup files.

* Adds luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase).

  luksSuspend wipes the encryption key in kernel memory and sets the device to suspend
  (blocking all IO) state. This option can be used for situations when you need
  to temporarily wipe the encryption key (like suspend to RAM etc.)
  Please read man page for more information.

* Adds --master-key-file option for luksFormat and luksAddKey.

  User can now specify pre-generated master key in file, which allows regenerating
  LUKS header or adding a key with only master key knowledge.

* Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option.

  Please note that using a different hash for the LUKS header makes the device incompatible with
  old cryptsetup releases.

* Introduce --debug parameter.

  Use when reporting bugs (just run cryptsetup with --debug and attach output
  to issue report.) Sensitive data are never printed to this log.

* Move command successful messages to verbose level.

* Require device-mapper library and libgcrypt to build.

* Use dm-uuid for all crypt devices, contains device type and name now.

* Remove support for dangerous non-exclusive option
  (it is ignored now, LUKS device must be always opened exclusive)

Other changes:
~~~~~~~~~~~~~~
* Fail passphrase read if piped input no longer exists.
* Fix manpage to not require --size which expands to device size by default.
* Clean up Makefiles and configure script.
* Try to read first sector from device to properly check that device is ready.
* Move memory locking and dm initialization to command layer.
* Increase priority of process if memory is locked.
* Add log macros and make logging more consistent.
* Keyfile now must be provided by path, only stdin file descriptor is used (api only).
* Do not call isatty() on closed keyfile descriptor.
* Move key slot manipulation function into LUKS specific code.
* Replace global options struct with separate parameters in helper functions.
* Implement old API calls using new functions.
* Allow using passphrase provided in options struct for LuksOpen.
* Allow restricting key size in LuksOpen.
* Fix errors when compiled with LUKS_DEBUG.
* Print error when getline fails.
* Completely remove internal SHA1 implementation code, not needed anymore.
* Pad luks header to 512 sector size.
* Rework read/write blockwise to not split operation to many pieces.
* Use posix_memalign if available.
* Fix segfault if provided slot in luksKillslot is invalid.
* Remove unneeded timeout when remove of temporary device succeeded.
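
Added example, not part of the announcement and not cryptsetup code: because the new plain-mode default is backward incompatible, a plain-mode /etc/crypttab entry that does not pin its own cipher and key size gets mapped with different parameters after an upgrade. The Python script below flags such entries. It assumes a Debian-style crypttab in which LUKS volumes carry the luks option, and the option names cipher=, size=, swap and tmp from crypttab(5); the sample table is constructed.

```python
# Added example: find plain-mode crypttab entries that depend on
# cryptsetup's compiled-in defaults (assumed Debian-style option names).

CHANGED_DEFAULTS = ("cipher", "size")  # defaults the release notes say changed
EPHEMERAL = {"swap", "tmp"}            # volume is re-created on every boot


def parse_crypttab(text):
    """Yield (target, options-dict) for each non-comment crypttab entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed: needs target, source device and key file
        opts = {}
        for item in (fields[3].split(",") if len(fields) > 3 else []):
            key, _, value = item.partition("=")
            if key:
                opts[key] = value
        yield fields[0], opts


def audit(text):
    """Return [(target, missing options, risk)] for plain-mode entries."""
    findings = []
    for target, opts in parse_crypttab(text):
        if "luks" in opts:
            continue  # cipher and key size are read from the LUKS header
        missing = [k for k in CHANGED_DEFAULTS if k not in opts]
        if missing:
            # Persistent plain volumes become unreadable if defaults change;
            # swap/tmp volumes are reformatted at boot, so no data is lost.
            risk = "ephemeral" if EPHEMERAL.intersection(opts) else "persistent-data"
            findings.append((target, missing, risk))
    return findings


# Constructed sample table, not taken from any real system.
SAMPLE = """\
# <target> <source device> <key file> <options>
home   /dev/sda5  none          luks
data   /dev/sdb1  /etc/keys/d   hash=sha256
cswap  /dev/sda2  /dev/urandom  swap
arch   /dev/sdc1  none          cipher=aes-cbc-plain,size=256,hash=ripemd160
"""

if __name__ == "__main__":
    for target, missing, risk in audit(SAMPLE):
        print(f"{target}: no explicit {', '.join(missing)} ({risk})")
```

Entries reported as persistent-data should have their current cipher and key size written into the options column before the package is upgraded.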
* Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.1.0-rc4 (test release candidate)
From: Arno Wagner @ 2010-01-01 9:59 UTC (permalink / raw)
To: dm-crypt
Compiles and works with Debian stable (lenny), after I cleaned
away some old libdevmapper libraries and include files in
/usr/local/. The configure script does not detect the old versions,
the build just fails.
Needs packages libdevmapper and libdevmapper-dev, version 1.02.27-4
is fine.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.1.0-rc4 (test release candidate)
From: Heinz Diehl @ 2010-01-01 14:52 UTC (permalink / raw)
To: dm-crypt
On 30.12.2009, Milan Broz wrote:
> because of some important changes I want to include in cryptsetup 1.1
> I released yet another testing release of cryptsetup.
No problems so far on an opensuse 11.1 and 11.2. Compiles and runs
flawlessly.