Cryptsetup 1.6.5 Release Notes
==============================

Changes since version 1.6.4

* Allow LUKS header operation handling without requiring root privilege.
  This means that you can manipulate keyslots as a regular user; only
  write access to the device (or image) is required.

  This requires the kernel crypto wrapper (similar to TrueCrypt device handling)
  to be available (CRYPTO_USER_API_SKCIPHER kernel option).
  If this kernel interface is not available, the code falls back to the old
  temporary keyslot device creation (where root privilege is required).

  Note that activation, deactivation, resize and suspend operations still
  need root privilege (limitation of the kernel device-mapper backend).

* Fix internal PBKDF2 key derivation function implementation for alternative
  crypto backends (kernel, NSS) which do not support PBKDF2 directly and have
  issues with longer HMAC keys.

  This fixes the problem for long keyfiles where either the calculation is too
  slow (because of internal rehashing in every iteration) or there is a limit
  (the kernel backend seems not to support HMAC keys longer than 20480 bytes).

  (Note that for recent versions of gcrypt, nettle or openssl the internal
  PBKDF2 code is not compiled in and the crypto library's internal functions
  are used instead.)
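
The long-keyfile problem above follows from how HMAC treats its key: a key longer than the hash block size is first replaced by its hash. The sketch below is an added example, not cryptsetup's code; it assumes SHA-1 and a constructed 32 KiB keyfile, and shows that doing this reduction once before the PBKDF2 loop yields the same derived key as passing the long key to every HMAC call.

```python
import hashlib
import hmac

HASH = "sha1"                          # hash assumed for this example
BLOCK = hashlib.new(HASH).block_size   # 64 bytes for SHA-1


def reduce_key(key: bytes) -> bytes:
    """HMAC rule (RFC 2104): a key longer than the block size is hashed once."""
    return hashlib.new(HASH, key).digest() if len(key) > BLOCK else key


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           prehash: bool) -> bytes:
    """PBKDF2 (RFC 8018) built only from an HMAC primitive.

    prehash=False hands the full password to HMAC in every iteration, so a
    long keyfile is rehashed each time (and a backend that limits the HMAC
    key length cannot take it). prehash=True reduces it once, up front.
    """
    key = reduce_key(password) if prehash else password
    hlen = hashlib.new(HASH).digest_size
    out = b""
    for block in range(1, -(-dklen // hlen) + 1):
        u = hmac.new(key, salt + block.to_bytes(4, "big"), HASH).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(key, u, HASH).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


def demo():
    keyfile = bytes(range(256)) * 128   # constructed 32 KiB keyfile (> 20480 bytes)
    salt = b"constructed-salt"
    naive = pbkdf2(keyfile, salt, 200, 32, prehash=False)
    fixed = pbkdf2(keyfile, salt, 200, 32, prehash=True)
    reference = hashlib.pbkdf2_hmac(HASH, keyfile, salt, 200, 32)
    return naive == fixed == reference, len(reduce_key(keyfile))


if __name__ == "__main__":
    same, hmac_key_len = demo()
    print("derived keys identical:", same)
    print("HMAC key length after one-time reduction:", hmac_key_len)
```

After the one-time reduction the HMAC key is only one digest long, so each iteration is independent of the keyfile size and stays far below any backend key-length limit.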

* Support for Python3 for simple Python binding.
  Python >= 2.6 is now required. You can set the Python version to compile
  for with the --with-python_version configure option (together with
  --enable-python).

* Use internal PBKDF2 in Nettle library for Nettle crypto backend.
  Cryptsetup compilation requires Nettle >= 2.6 (if using Nettle crypto backend).

* Allow simple status of crypt device without providing metadata header.
  The command "cryptsetup status" will print basic info, even if you
  do not provide the detached header argument.

* Allow specifying ECB mode in cryptsetup benchmark.

* Add some LUKS images for regression testing.
  Note that if the image with Whirlpool fails, the most probable cause is that
  you have an old gcrypt library with a flawed Whirlpool hash.
  Read FAQ section 8.3 for more info.

Cryptsetup API NOTE:
The direct terminal handling for passphrase entry will be removed from
libcryptsetup in the next major version (the application should handle it itself).

This means that you must always either provide the password in a buffer or set
your own password callback function through crypt_set_password_callback().
See the API documentation (or libcryptsetup.h) for more info.