Cryptsetup 2.7.x plain type default cipher and hash will change

[Milan Broz <gmazyland@gmail.com>]

Hi,

As RIPEMD160 hash will be phased out soon, we must change
default hashing algorithm for plain type in cryptsetup.

(There is nothing related to LUKS; plain type is the old simple
wrapper around dm-crypt mapping.)

While at it, we also change the default cipher from AES-CBC with ESSIV
to AES-XTS with plain64 initial vector (the same default as in LUKS,
just with 256-bit key size, thus AES128, as XTS uses two keys).

As this is a backward incompatible change, we will also add a warning
if an open command is used without explicit --cipher, --key-size,
and --hash options. (These should be already mandatory for /etc/crypttab
plain type use).

You can still use whatever mode and hash you want, but it must be explicitly
specified on the command line (and must be supported by used cryptographic
library or kernel).

Plain mode with passphrase is actually not a good practice as it directly
derives key from passphrase and no standard password-based key derivation
algorithm is used. You should prefer LUKS anyway :-)

Also note that if keyfile is specified for plain mode, there is no password
hashing at all (keyfile is used directly as the encryption key).

For more info, please read issue 758
https://gitlab.com/cryptsetup/cryptsetup/-/issues/758

The draft merge request for planned change is here
https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/543

For downstream maintainers:

To update stable distros, you can still configure old defaults with configure options
  --with-plain-hash=ripemd160 --with-plain-cipher=aes --with-plain-mode=cbc-essiv:sha256

If you see problems with this change, reply to this mail or comment on the issue
mentioned above. We postponed this change already for several years, though.

Milan

p.s.
Cryptsetup 2.7.0 release candidate/testing is planned in the next few weeks.