[dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

[dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

[Milan Broz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The stable cryptsetup 1.6.7 release is available at

    https://gitlab.com/cryptsetup/cryptsetup

Please note that release packages are located on kernel.org

    https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/

Feedback and bug reports are welcomed.

Cryptsetup 1.6.7 Release Notes
==============================

Changes since version 1.6.6

* Cryptsetup git and wiki are now hosted on GitLab.
  https://gitlab.com/cryptsetup/cryptsetup

  Repository of stable releases remains on kernel.org site
  https://www.kernel.org/pub/linux/utils/cryptsetup/

  For more info please see README file.

* Cryptsetup TCRYPT mode now supports VeraCrypt devices (TrueCrypt extension).

  The VeraCrypt extension only increases iteration count for the key
  derivation function (on-disk format is the same as TrueCrypt format).

  Note that unlocking of a VeraCrypt device can take very long time if used
  on slow machines.

  To use this extension, add --veracrypt option, for example
    cryptsetup open --type tcrypt --veracrypt <container> <name>

  For use through libcryptsetup, just add CRYPT_TCRYPT_VERA_MODES flag.

* Support keyfile-offset and keyfile-size options even for plain volumes.

* Support keyfile option for luksAddKey if the master key is specified.

* For historic reasons, hashing in the plain mode is not used
  if keyfile is specified (with exception of --key-file=-).
  Print a warning if these parameters are ignored.

* Support permanent device decryption for cryptsetup-reencrypt.
  To remove LUKS encryption from a device, you can now use --decrypt option.

* Allow to use --header option in all LUKS commands.
  The --header always takes precedence over positional device argument.

* Allow luksSuspend without need to specify a detached header.

* Detect if O_DIRECT is usable on a device allocation.
  There are some strange storage stack configurations which wrongly allows
  to open devices with direct-io but fails on all IO operations later.

  Cryptsetup now tries to read the device first sector to ensure it can use
  direct-io.

* Add low-level performance options tuning for dmcrypt (for Linux 4.0 and later).

  Linux kernel 4.0 contains rewritten dmcrypt code which tries to better utilize
  encryption on parallel CPU cores.

  While tests show that this change increases performance on most configurations,
  dmcrypt now provides some switches to change its new behavior.

  You can use them (per-device) with these cryptsetup switches:
     --perf-same_cpu_crypt
     --perf-submit_from_crypt_cpus

  Please use these only in the case of serious performance problems.
  Refer to the cryptsetup man page and dm-crypt documentation
  (for same_cpu_crypt and submit_from_crypt_cpus options).
  https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt

* Get rid of libfipscheck library.
  (Note that this option was used only for Red Hat and derived distributions.)
  With recent FIPS changes we do not need to link to this FIPS monster anymore.
  Also drop some no longer needed FIPS mode checks.

* Many fixes and clarifications to man pages.

* Prevent compiler to optimize-out zeroing of buffers for on-stack variables.

* Fix a crash if non-GNU strerror_r is used.

Cryptsetup API NOTE:
The direct terminal handling for passphrase entry will be removed from
libcryptsetup in next major version (application should handle it itself).

It means that you have to always either provide password in buffer or set
your own password callback function through crypt_set_password_callback().
See API documentation (or libcryptsetup.h) for more info.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVEFM/AAoJENmwV3vZPpj8LJQP/jAexv33vfIVKcpV6XRe+3nm
WloMa9KGgyGJ/b0I/TvEKa/RdWxExv5ZMOGACe+0KhwwudCo+NKfWs6uY8THqLuF
yiev2879MPNLUbQiU4yELOvJA+rt5rhhUqMk4zKcFJv+PO77CtuUTqd7AIJ8Pjb5
htHN6fJp83wZCVO0j0CuQ5LfPajK1nNbGYk2vTuAR4Z0tj6ci5bP2eefPLD3gnhc
DXMT9oS4RypLEtyzzxWUqBmYq+7UnOQqByyrwaPRrZp6fecOamR6Fr9QHVsXO1KM
5ws2OOcjnW+6lvSZZnsykc7TplyxZwMAv9XPkuc8ZtPD2tMMmSp3g0raL+8/YiTZ
nlf0CCPPtp7p5aIlINe0g7sZ1Gax9EnMyPulaifHRE7KprR3A8yYSxRl7gVUupId
EYKNMjrenq7dzIE8DQ2a6qFZukmzBcVAsTCsW//P/5YJXVJnPi0L2XuopGnXBms8
tUj04M25/yi/HU51XbbHY8GaYehFz4yDggAxy3u0041hx66XCGx2tMYc/Y6JJ4jc
HolrCi2ijjx37QePWNftJZ9LyDscPI0VFsGEH+ywA+kN5wueOBXthC4r8g30exDd
TIibtIbg3Yb0YsVnz9Zb/MUhc+8MFEFOnMvS21ib/a1lDSOQNL74idBOKcvghVp3
wdpC6Zx8RlhI6s7tmwep
=OA+S
-----END PGP SIGNATURE-----

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

[wintonian]

I hope you won't mind me mentioning, but the following sections in the 
FAQ (on Gitlab) still link back to Google Code; 1.1, 1.6 and 9.

In the case of section 1.1 this informs the reader where the latest 
version can be found - I assume Gitlab will now be the up-to-date version?

My apologies if you have already planned to make the amendments.

p.s. Many thanks for all your hard work in providing this important utility.

Regards

Robert Gilmour

On 23/03/15 17:54, Milan Broz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> The stable cryptsetup 1.6.7 release is available at
>
>      https://gitlab.com/cryptsetup/cryptsetup
>
> Please note that release packages are located on kernel.org
>
>      https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/
>
> Feedback and bug reports are welcomed.
>
> Cryptsetup 1.6.7 Release Notes
> ==============================
>
> Changes since version 1.6.6
>
> * Cryptsetup git and wiki are now hosted on GitLab.
>    https://gitlab.com/cryptsetup/cryptsetup
>
>    Repository of stable releases remains on kernel.org site
>    https://www.kernel.org/pub/linux/utils/cryptsetup/
>
>    For more info please see README file.
>
> * Cryptsetup TCRYPT mode now supports VeraCrypt devices (TrueCrypt extension).
>
>    The VeraCrypt extension only increases iteration count for the key
>    derivation function (on-disk format is the same as TrueCrypt format).
>
>    Note that unlocking of a VeraCrypt device can take very long time if used
>    on slow machines.
>
>    To use this extension, add --veracrypt option, for example
>      cryptsetup open --type tcrypt --veracrypt <container> <name>
>
>    For use through libcryptsetup, just add CRYPT_TCRYPT_VERA_MODES flag.
>
> * Support keyfile-offset and keyfile-size options even for plain volumes.
>
> * Support keyfile option for luksAddKey if the master key is specified.
>
> * For historic reasons, hashing in the plain mode is not used
>    if keyfile is specified (with exception of --key-file=-).
>    Print a warning if these parameters are ignored.
>
> * Support permanent device decryption for cryptsetup-reencrypt.
>    To remove LUKS encryption from a device, you can now use --decrypt option.
>
> * Allow to use --header option in all LUKS commands.
>    The --header always takes precedence over positional device argument.
>
> * Allow luksSuspend without need to specify a detached header.
>
> * Detect if O_DIRECT is usable on a device allocation.
>    There are some strange storage stack configurations which wrongly allows
>    to open devices with direct-io but fails on all IO operations later.
>
>    Cryptsetup now tries to read the device first sector to ensure it can use
>    direct-io.
>
> * Add low-level performance options tuning for dmcrypt (for Linux 4.0 and later).
>
>    Linux kernel 4.0 contains rewritten dmcrypt code which tries to better utilize
>    encryption on parallel CPU cores.
>
>    While tests show that this change increases performance on most configurations,
>    dmcrypt now provides some switches to change its new behavior.
>
>    You can use them (per-device) with these cryptsetup switches:
>       --perf-same_cpu_crypt
>       --perf-submit_from_crypt_cpus
>
>    Please use these only in the case of serious performance problems.
>    Refer to the cryptsetup man page and dm-crypt documentation
>    (for same_cpu_crypt and submit_from_crypt_cpus options).
>    https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
>
> * Get rid of libfipscheck library.
>    (Note that this option was used only for Red Hat and derived distributions.)
>    With recent FIPS changes we do not need to link to this FIPS monster anymore.
>    Also drop some no longer needed FIPS mode checks.
>
> * Many fixes and clarifications to man pages.
>
> * Prevent compiler to optimize-out zeroing of buffers for on-stack variables.
>
> * Fix a crash if non-GNU strerror_r is used.
>
> Cryptsetup API NOTE:
> The direct terminal handling for passphrase entry will be removed from
> libcryptsetup in next major version (application should handle it itself).
>
> It means that you have to always either provide password in buffer or set
> your own password callback function through crypt_set_password_callback().
> See API documentation (or libcryptsetup.h) for more info.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJVEFM/AAoJENmwV3vZPpj8LJQP/jAexv33vfIVKcpV6XRe+3nm
> WloMa9KGgyGJ/b0I/TvEKa/RdWxExv5ZMOGACe+0KhwwudCo+NKfWs6uY8THqLuF
> yiev2879MPNLUbQiU4yELOvJA+rt5rhhUqMk4zKcFJv+PO77CtuUTqd7AIJ8Pjb5
> htHN6fJp83wZCVO0j0CuQ5LfPajK1nNbGYk2vTuAR4Z0tj6ci5bP2eefPLD3gnhc
> DXMT9oS4RypLEtyzzxWUqBmYq+7UnOQqByyrwaPRrZp6fecOamR6Fr9QHVsXO1KM
> 5ws2OOcjnW+6lvSZZnsykc7TplyxZwMAv9XPkuc8ZtPD2tMMmSp3g0raL+8/YiTZ
> nlf0CCPPtp7p5aIlINe0g7sZ1Gax9EnMyPulaifHRE7KprR3A8yYSxRl7gVUupId
> EYKNMjrenq7dzIE8DQ2a6qFZukmzBcVAsTCsW//P/5YJXVJnPi0L2XuopGnXBms8
> tUj04M25/yi/HU51XbbHY8GaYehFz4yDggAxy3u0041hx66XCGx2tMYc/Y6JJ4jc
> HolrCi2ijjx37QePWNftJZ9LyDscPI0VFsGEH+ywA+kN5wueOBXthC4r8g30exDd
> TIibtIbg3Yb0YsVnz9Zb/MUhc+8MFEFOnMvS21ib/a1lDSOQNL74idBOKcvghVp3
> wdpC6Zx8RlhI6s7tmwep
> =OA+S
> -----END PGP SIGNATURE-----
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

[.. ink ..]

On Mon, Mar 23, 2015 at 8:54 PM, Milan Broz <gmazyland@gmail.com> wrote:

> Feedback and bug reports are welcomed.
>

It build fine but there is a warning when building with gcc 4.9.2

 CC       libcryptsetup_la-utils_fips.lo
  CC       libcryptsetup_la-utils_device.lo
  CC       libcryptsetup_la-libdevmapper.lo
libdevmapper.c: In function 'dm_status_device':
libdevmapper.c:765:2: warning: implicit declaration of function 'stat'
[-Wimplicit-function-declaration]
  if (strchr(name, '/') && stat(name, &st) < 0)
  ^
  CC       libcryptsetup_la-volumekey.lo
  CC       libcryptsetup_la-random.lo
  CC       libcryptsetup_la-crypt_plain.lo
  CCLD     libcryptsetup.la
make[3]: Leaving directory

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

[Milan Broz]

On 03/23/2015 07:15 PM, wintonian wrote:
> I hope you won't mind me mentioning, but the following sections in the 
> FAQ (on Gitlab) still link back to Google Code; 1.1, 1.6 and 9.
> 
> In the case of section 1.1 this informs the reader where the latest 
> version can be found - I assume Gitlab will now be the up-to-date version?

Ah, thanks, should be fixed now.

(Arno will need to update FAQ workflow later anyway...)

I sm sure there will be more such issues, please let me know.

Thanks,
Milan

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

[Milan Broz]

On 03/23/2015 07:38 PM, .. ink .. wrote:
> On Mon, Mar 23, 2015 at 8:54 PM, Milan Broz <gmazyland@gmail.com> wrote:
> 
>> Feedback and bug reports are welcomed.
>>
> 
> It build fine but there is a warning when building with gcc 4.9.2
> 
>  CC       libcryptsetup_la-utils_fips.lo
>   CC       libcryptsetup_la-utils_device.lo
>   CC       libcryptsetup_la-libdevmapper.lo
> libdevmapper.c: In function 'dm_status_device':
> libdevmapper.c:765:2: warning: implicit declaration of function 'stat'
> [-Wimplicit-function-declaration]
>   if (strchr(name, '/') && stat(name, &st) < 0)
>   ^

Strange. (btw it builds without warning on gcc5, at least in Fedora).

Anyway, if you see some missing include there, please send me a patch.
I do not see this error here...

Thanks,
Milan

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

[Arno Wagner]

On Mon, Mar 23, 2015 at 19:49:25 CET, Milan Broz wrote:
> On 03/23/2015 07:15 PM, wintonian wrote:
> > I hope you won't mind me mentioning, but the following sections in the 
> > FAQ (on Gitlab) still link back to Google Code; 1.1, 1.6 and 9.
> > 
> > In the case of section 1.1 this informs the reader where the latest 
> > version can be found - I assume Gitlab will now be the up-to-date version?
> 
> Ah, thanks, should be fixed now.
> 
> (Arno will need to update FAQ workflow later anyway...)

It will take a few days at least until I find the time. 
At this time both copies of the FAQ are still the same, 
hence no harm done.

Arno

 
> I sm sure there will be more such issues, please let me know.
> 
> Thanks,
> Milan
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

[.. ink ..]

On Mon, Mar 23, 2015 at 9:54 PM, Milan Broz <gmazyland@gmail.com> wrote:
> On 03/23/2015 07:38 PM, .. ink .. wrote:
>> On Mon, Mar 23, 2015 at 8:54 PM, Milan Broz <gmazyland@gmail.com> wrote:
>>
>>> Feedback and bug reports are welcomed.
>>>
>>
>> It build fine but there is a warning when building with gcc 4.9.2
>>
>>  CC       libcryptsetup_la-utils_fips.lo
>>   CC       libcryptsetup_la-utils_device.lo
>>   CC       libcryptsetup_la-libdevmapper.lo
>> libdevmapper.c: In function 'dm_status_device':
>> libdevmapper.c:765:2: warning: implicit declaration of function 'stat'
>> [-Wimplicit-function-declaration]
>>   if (strchr(name, '/') && stat(name, &st) < 0)
>>   ^
>
> Strange. (btw it builds without warning on gcc5, at least in Fedora).
>
> Anyway, if you see some missing include there, please send me a patch.
> I do not see this error here...
>
> Thanks,
> Milan

this link[1] says stat() is defined in <sys/stat.h>.This header is not
included in libdevmapper.c and i think thats the source of the
warning.Adding the missing include here silenced the warning.

is sending a patch still necessary?
i have prepared or send one :-) and doing so will probably take much
more time that you just adding the missing header file(IMHO)

[1] http://pubs.opengroup.org/onlinepubs/7908799/xsh/sysstat.h.html

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

[.. ink ..]

> i have prepared or send one :-) and doing so will probably take much
> more time that you just adding the missing header file(IMHO)
>

correction, i have never prepared or send on ..

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

[Milan Broz]

On 03/23/2015 08:18 PM, .. ink .. wrote:
> this link[1] says stat() is defined in <sys/stat.h>.This header is not
> included in libdevmapper.c and i think thats the source of the
> warning.Adding the missing include here silenced the warning.

Fixed in git.

Thanks,
Milan