Cryptsetup 1.2.0 Release Notes

==============================

Changes since version 1.2.0-rc1

 * Fix crypt_activate_by_keyfile() to work with PLAIN devices.

 * Fix plain create command to properly handle keyfile size.

 * Update translations.

Changes since version 1.1.3

Important changes

~~~~~~~~~~~~~~~~~

 * Add text version of *FAQ* (Frequently Asked Questions) to distribution.

 * Add selection of random/urandom number generator for luksFormat

 (option --use-random and --use-urandom).

 (This affects only long term volume key in *luksFormat*,

 not RNG used for salt and AF splitter).

  You can also set the default to /dev/random during compilation with

  --enable-dev-random. Compiled-in default is printed in --help output.

  Be very careful before changing default to blocking /dev/random use here.

 * Fix *luksRemoveKey* to not ask for remaining keyslot passphrase,

 only for removed one.

 * No longer support *luksDelKey* (replaced with luksKillSlot).

  * if you want to remove particular passphrase, use *luksKeyRemove*

  * if you want to remove particular keyslot, use *luksKillSlot*

 Note that in batch mode *luksKillSlot* allows removing of any keyslot

 without question, in normal mode requires passphrase or keyfile from

 other keyslot.

 * *Default alignment* for device (if not overridden by topology info)

 is now (multiple of) *1MiB*.

 This reflects trends in storage technologies and aligns to the same

 defaults for partitions and volume management.

 * Allow explicit UUID setting in *luksFormat* and allow change it later

 in *luksUUID* (--uuid parameter).

 * All commands using key file now allows limited read from keyfile using

 --keyfile-size and --new-keyfile-size parameters (in bytes).

 This change also disallows overloading of --key-size parameter which

 is now exclusively used for key size specification (in bits.)

 * *luksFormat* using pre-generated master key now properly allows

 using key file (only passphrase was allowed prior to this update).

 * Add --dump-master-key option for *luksDump* to perform volume (master)

 key dump. Note that printed information allows accessing device without

 passphrase so it must be stored encrypted.

 This operation is useful for simple Key Escrow function (volume key and

 encryption parameters printed on paper on safe place).

 This operation requires passphrase or key file.

 * The reload command is no longer supported.

 (Use dmsetup reload instead if needed. There is no real use for this

 function except explicit data corruption:-)

 * Cryptsetup now properly checks if underlying device is in use and

 disallows *luksFormat*, *luksOpen* and *create* commands on open

 (e.g. already mapped or mounted) device.

 * Option --non-exclusive (already deprecated) is removed.

Libcryptsetup API additions:

 * new functions

  * crypt_get_type() - explicit query to crypt device context type

  * crypt_resize() - new resize command using context

  * crypt_keyslot_max() - helper to get number of supported keyslots

  * crypt_get_active_device() - get active device info

  * crypt_set/get_rng_type() - random/urandom RNG setting

  * crypt_set_uuid() - explicit UUID change of existing device

  * crypt_get_device_name() - get underlying device name

 * Fix optional password callback handling.

 * Allow to activate by internally cached volume key immediately after

 crypt_format() without active slot (for temporary devices with

 on-disk metadata)

 * libcryptsetup is binary compatible with 1.1.x release and still

 supports legacy API calls

 * cryptsetup binary now uses only new API calls.

 * Static compilation of both library (--enable-static) and cryptsetup

 binary (--enable-static-cryptsetup) is now properly implemented by common

 libtool logic.

 Prior to this it produced miscompiled dynamic cryptsetup binary with

 statically linked libcryptsetup.

 The static binary is compiled as src/cryptsetup.static in parallel

 with dynamic build if requested.

Other changes

~~~~~~~~~~~~~

 * Fix default plain password entry from terminal in activate_by_passphrase.

 * Initialize volume key from active device in crypt_init_by_name()

 * Fix cryptsetup binary exit codes.

   0 - success, otherwise fail

   1 - wrong parameters

   2 - no permission

   3 - out of memory

   4 - wrong device specified

   5 - device already exists or device is busy

 * Remove some obsolete info from man page.

 * Add more regression tests for commands.

 * Fix possible double free when handling master key file.

 * Fix pkg-config use in automake scripts.

 * Wipe iteration and salt after luksKillSlot in LUKS header.

 * Rewrite file differ test to C (and fix it to really work).

 * Do not query non-existent device twice (cryptsetup status /dev/nonexistent).

 * Check if requested hash is supported before writing LUKS header.

 * Fix problems reported by clang scan-build.