* [ANNOUNCE] cryptsetup 1.4.0
From: Milan Broz @ 2011-10-26 18:46 UTC
To: dm-crypt; +Cc: device-mapper development

The stable cryptsetup 1.4.0 release is available at
  http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

Cryptsetup 1.4.0 Release Notes
==============================

Changes since version 1.4.0 RC1

* Fix verbose messages in isLuks command.

* Update on-disk format specification document.

Changes since version 1.3.1

Important changes
~~~~~~~~~~~~~~~~~

WARNING: This release removes old deprecated API from libcryptsetup
         (all functions using struct crypt_options).

         This requires libcryptsetup version change and
         rebuild of applications using cryptsetup library.
         All new API symbols are backward compatible.

* If device is not rotational disk, cryptsetup no longer tries
  to wipe keyslot with Gutmann algorithm for magnetic media erase
  but simply rewrites area once by random data.

* The on-disk LUKS header can now be detached (e.g. placed on separate
  device or in file) using new --header option.

  This option is only relevant for LUKS devices and can be used in
  luksFormat, luksOpen, luksSuspend, luksResume and resize commands.

  If used with luksFormat the --align-payload option is taken
  as absolute sector alignment on ciphertext device and can be zero.

  Example:
    Create LUKS device with ciphertext device on /dev/sdb and header
    on device /dev/sdc. Use all space on /dev/sdb (no reserved area
    for header).

      cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0

    Activate such device:

      cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk

    You can use file for LUKS header (loop device will be used while
    manipulating with such detached header), just you have to create
    large enough file in advance.

      dd if=/dev/zero of=/mnt/luks_header bs=1M count=4
      cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0

    Activation is the same as above.

      cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk

  All keyslot operations need to be run on _header_ not on ciphertext
  device, an example:

    cryptsetup luksAddKey /mnt/luks_header

  If you do not use --align-payload 0, you can later restore LUKS header
  on device itself (and use it as normal LUKS device without detached
  header).

  WARNING: There is no possible check that specified ciphertext device
           matches detached on-disk header. Use with care, it can
           destroy your data in case of a mistake.

  WARNING: Storing LUKS header in a file means that anti-forensic
           splitter cannot properly work (there is filesystem
           allocation layer between header and disk).

* Support --enable-discards option to allow discards/TRIM requests.

  Since kernel 3.1, dm-crypt devices optionally (not by default) support
  block discards (TRIM) commands.
  If you want to enable this operation, you have to enable it manually
  on every activation using --enable-discards

    cryptsetup luksOpen --enable-discards /dev/sdb test_disk

  WARNING: There are several security consequences, please read at least
           http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
           before you enable it.

* Add --shared option for creating non-overlapping crypt segments.

  The --shared option checks that mapped segments are not overlapping
  and allows non-exclusive access to underlying device.
  Only plain crypt devices can be used in this mode.

  Example - map 64M of device disk and following 32 M area as another disk.

    cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536
    cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared

  (It can be used to simulate trivial hidden disk concepts.)

libcryptsetup API changes:
  * Added options to support detached metadata device
      crypt_init_by_name_and_header()
      crypt_set_data_device()
  * Add crypt_last_error() API call.
  * Fix plain crypt format parameters to include size option.
  * Add crypt_get_iv_offset() function.

  * Remove old API functions (all functions using crypt_options).

* Support key-slot option for luksOpen (use only explicit keyslot).

  You can now specify key slot in luksOpen and limit checking
  only to specified slot.

* Support retries and timeout parameters for luksSuspend.
  (The same way as in luksOpen.)

* Add doxygen-like documentation (it will be available on project page later).
  (To generate it manually run doxygen in docs directory.)

Other changes
~~~~~~~~~~~~~
* Fix crypt_load to properly check device size.
* Do not allow context format of already formatted device.
* Do not allow key retrieval while suspended (key could be wiped).
* Do not allow suspend for non-LUKS devices.
* Fix luksKillSlot exit code if slot is inactive or invalid.
* Fix exit code if passphrases do not match in luksAddKey.
* Fix return code for status command when device doesn't exist.
* Support Nettle 2.4 crypto backend (supports ripemd160).
* Add LUKS on-disk format description into package.
* Enhance check of device size before writing LUKS header.
* Add more paranoid checks for LUKS header and keyslot attributes.
* Use new /dev/loop-control (kernel 3.1) if possible.
* Remove hash/hmac restart from crypto backend and make it part of
  hash/hmac final.
* Improve check for invalid offset and size values.
* Revert default initialisation of volume key in crypt_init_by_name().
* Add more regression tests.
* Add some libcryptsetup example files (see docs/examples).

_______________________________________________
dm-crypt mailing list
dm-crypt-4q3lyFh4P1g@public.gmane.org
http://www.saout.de/mailman/listinfo/dm-crypt

* [ANNOUNCE] cryptsetup 1.4.1
From: Milan Broz @ 2011-11-09 12:46 UTC
To: dm-crypt; +Cc: device-mapper development

The stable cryptsetup 1.4.1 release is available at
  http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

Cryptsetup 1.4.1 Release Notes
==============================

Changes since version 1.4.0

* Merge experimental Python cryptsetup (pycryptsetup) binding.

  This option is disabled by default, you can enable build of Python
  binding with --enable-python configure switch.

  Note that binding currently covers only partial libcryptsetup
  functions, mainly LUKS device handling needed for Anaconda installer.
  Until now provided separately as python-cryptsetup.
  Thanks to Martin Sivak for the code.

  See python subdirectory for more info.

  Python binding code is experimental for now, no stable API guarantee.

* Fix crypt_get_volume_key_size() for plain device.
  (cryptsetup status reported zero key size for plain crypt devices).

* Fix typo in set_iteration_time API call (old name remains for
  compatibility reasons).

* Fix FSF address in license and add LGPL license text.

* [ANNOUNCE] cryptsetup 1.4.2
From: Milan Broz @ 2012-04-12 8:38 UTC
To: dm-crypt; +Cc: device-mapper development

The stable cryptsetup 1.4.2 release is available at
  http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

Cryptsetup 1.4.2 Release Notes
==============================

Changes since version 1.4.1

* Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI.
  These options can be used to skip start of keyfile or device used as
  keyfile.

* Add repair command and crypt_repair() for known LUKS metadata problems
  repair.

  Some well-known LUKS metadata corruptions are easy to repair, this
  command should provide a way to fix these problems.

  Always create binary backup of header device before running repair,
  (only 4kB - visible header) for example by using dd:

    dd if=/dev/<LUKS header device> of=repair_bck.img bs=1k count=4

  Then you can try to run repair:

    cryptsetup repair <device>

  Note, not all problems are possible to repair and if keyslot or some
  header parameters are overwritten, device is lost permanently.

* Fix header check to support old (cryptsetup 1.0.0) header alignment.
  (Regression in 1.4.0)

* Allow to specify --align-payload only for luksFormat.

* Add --master-key-file option to luksOpen (open using volume key).

* Support UUID=<LUKS_UUID> format for device specification.
  You can open device by UUID (only shortcut to /dev/disk/by-uuid/ symlinks).

* Support password verification with quiet flag if possible. (1.2.0)
  Password verification can be still possible if input is terminal.

* Fix retry if entered passphrases (with verify option) do not match.
  (It should retry if requested, not fail.)

* Fix use of empty keyfile.

* Fix error message for luksClose and detached LUKS header.

* Allow --header for status command to get full info with detached header.
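
Added example (not part of the original announcements and not cryptsetup's own code): a sanity check for the 4 kB header backup taken with dd before `cryptsetup repair`, in the spirit of the "paranoid checks for LUKS header and keyslot attributes" mentioned for 1.4.0. The field layout follows the LUKS1 on-disk format specification; the names `check_luks1_header` and `build_header`, the particular checks, the constructed sample image, and the reading of payload offset 0 as a detached header are assumptions made for illustration.

```python
import struct

# LUKS1 header layout (big-endian) as given in the LUKS1 on-disk format specification.
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # fixed part, 208 bytes
SLOT = struct.Struct(">II32sII")                   # one keyslot, 48 bytes, 8 slots
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HDR_LEN, SECTOR = PHDR.size + 8 * SLOT.size, 512   # 592-byte visible header

def check_luks1_header(img):
    """Return a list of problems found in a header image (empty list: looks sane)."""
    if len(img) < HDR_LEN or img[:6] != LUKS_MAGIC:
        return ["not a LUKS header (too short or bad magic)"]
    (_magic, version, cipher, _mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _iters, _uuid) = PHDR.unpack_from(img)
    problems = []
    if version != 1:
        problems.append(f"unsupported version {version}")
    for name, raw in (("cipher", cipher), ("hash", hash_spec)):
        if not raw.rstrip(b"\0") or raw[-1:] != b"\0":
            problems.append(f"{name} name empty or not NUL-terminated")
    areas = []  # (first_sector, end_sector, slot) for every active keyslot
    for i in range(8):
        state, _it, _s, km_off, stripes = SLOT.unpack_from(img, PHDR.size + i * SLOT.size)
        if state == SLOT_DISABLED:
            continue
        if state != SLOT_ACTIVE:
            problems.append(f"keyslot {i}: invalid state {state:#010x}")
            continue
        end = km_off + -(-key_bytes * stripes // SECTOR)  # AF-split size, rounded up
        if km_off * SECTOR < HDR_LEN or stripes == 0:
            problems.append(f"keyslot {i}: key material offset/stripes invalid")
        # Assumption: payload_off == 0 means a detached header (--align-payload 0).
        elif payload_off and end > payload_off:
            problems.append(f"keyslot {i}: key material runs into payload")
        areas.append((km_off, end, i))
    areas.sort()
    for (_a, end, i), (start, _b, j) in zip(areas, areas[1:]):
        if start < end:
            problems.append(f"keyslots {i} and {j}: key material overlaps")
    return problems

def build_header(payload_off=4096, slots=((SLOT_ACTIVE, 8),)):
    """Constructed 4 KiB sample image (fake digest and salts), like the dd backup."""
    img = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", payload_off,
                    32, b"\1" * 20, b"\2" * 32, 1000,
                    b"00000000-0000-0000-0000-000000000000")
    for n in range(8):
        state, off = slots[n] if n < len(slots) else (SLOT_DISABLED, 8 + 256 * n)
        img += SLOT.pack(state, 1000, b"\3" * 32, off, 4000)
    return img.ljust(4096, b"\0")

if __name__ == "__main__":
    print(check_luks1_header(build_header(slots=((0xFFFFFFFF, 8),))))
```

To check a real backup, pass the bytes of repair_bck.img to check_luks1_header(); the image covers only the visible header, so the keyslot key material itself is not examined.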

* [ANNOUNCE] cryptsetup 1.4.3
From: Milan Broz @ 2012-05-31 8:38 UTC
To: dm-crypt; +Cc: device-mapper development

The stable cryptsetup 1.4.3 release is available at
  http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

Cryptsetup 1.4.3 Release Notes
==============================

Changes since version 1.4.2

* Fix readonly activation if underlying device is readonly (1.4.0).

* Fix loop mapping on readonly file.

* Include stddef.h in libdevmapper.h (size_t definition).

* Fix keyslot removal for device with 4k hw block (1.4.0).
  (Wipe keyslot failed in this case.)

* Relax --shared flag to allow mapping even for overlapping segments.

  The --shared flag (and API CRYPT_ACTIVATE_SHARED flag) is now able
  to map arbitrary overlapping area. From API it is even usable
  for LUKS devices.
  It is user responsibility to not cause data corruption though.

  This allows e.g. scubed to work again and also allows some
  tricky extensions later.

* Allow empty cipher (cipher_null) for testing.

  You can now use "null" (or directly cipher_null-ecb) in cryptsetup.
  This means no encryption, useful for performance tests
  (measure dm-crypt layer overhead).

* Switch on retry on device remove for libdevmapper.
  Device-mapper now retries removal if device is busy.

* Allow "private" activation (skip some udev global rules) flag.
  Cryptsetup library API now allows to specify CRYPT_ACTIVATE_PRIVATE,
  which means that some udev rules are not processed.
  (Used for temporary devices, like internal keyslot mappings where
  it is not desirable to run any device scans.)

* This release also includes some Red Hat/Fedora specific extensions
  related to FIPS140-2 compliance.

  In fact, all these patches are more formal changes and are just subset
  of building blocks for FIPS certification. See FAQ for more details
  about FIPS.

  FIPS extensions are enabled by using --enable-fips configure switch.

  In FIPS mode (kernel booted with fips=1 and gcrypt in FIPS mode)

  - it provides library and binary integrity verification using
    libfipscheck (requires pre-generated checksums)

  - it uses FIPS approved RNG for encryption key and salt generation
    (note that using /dev/random is not formally FIPS compliant RNG).

  - only gcrypt crypto backend is currently supported in FIPS mode.

  The FIPS RNG requirement for salt comes from NIST SP 800-132
  recommendation.
  (Recommendation for Password-Based Key Derivation. Part 1: Storage
  Applications.
  http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf)
  LUKS should be aligned to this recommendation otherwise.

* Re: [ANNOUNCE] cryptsetup 1.4.3
From: Milan Broz @ 2012-05-31 9:26 UTC
To: dm-crypt; +Cc: device-mapper development

On 05/31/2012 10:38 AM, Milan Broz wrote:
> Cryptsetup 1.4.3 Release Notes
> ==============================
>
> Changes since version 1.4.2

Obviously I forgot the most important thing in these release notes...

* Man page rewrite and fixes by Arno Wagner.

Thanks!

Milan
(apparently still in need of more sleep:-)