Cryptsetup 1.6.7 Release Notes
==============================

Changes since version 1.6.6

* Cryptsetup git and wiki are now hosted on GitLab.
  https://gitlab.com/cryptsetup/cryptsetup

  Repository of stable releases remains on the kernel.org site
  https://www.kernel.org/pub/linux/utils/cryptsetup/

  For more info please see the README file.

* Cryptsetup TCRYPT mode now supports VeraCrypt devices (TrueCrypt extension).

  The VeraCrypt extension only increases iteration count for the key
  derivation function (on-disk format is the same as TrueCrypt format).

  Note that unlocking of a VeraCrypt device can take a very long time if used
  on slow machines.

  To use this extension, add the --veracrypt option, for example
    cryptsetup open --type tcrypt --veracrypt <container> <name>

  For use through libcryptsetup, just add the CRYPT_TCRYPT_VERA_MODES flag.

* Support keyfile-offset and keyfile-size options even for plain volumes.

* Support keyfile option for luksAddKey if the master key is specified.

* For historic reasons, hashing in the plain mode is not used
  if a keyfile is specified (with the exception of --key-file=-).
  Print a warning if these parameters are ignored.

* Support permanent device decryption for cryptsetup-reencrypt.
  To remove LUKS encryption from a device, you can now use the --decrypt option.

* Allow use of the --header option in all LUKS commands.
  The --header option always takes precedence over the positional device argument.

* Allow luksSuspend without the need to specify a detached header.

* Detect if O_DIRECT is usable on a device allocation.
  There are some strange storage stack configurations that wrongly allow
  devices to be opened with direct-io but then fail on all later I/O operations.

  Cryptsetup now tries to read the first sector of the device to ensure it can use
  direct-io.
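
An added example (not cryptsetup's own code) of the probe described above: open with O_DIRECT, then confirm it with one aligned read of the first block before trusting it. The helper names, the 4096-byte probe size and the fallback to buffered I/O are assumptions of this example.

```c
#define _GNU_SOURCE             /* exposes O_DIRECT in <fcntl.h> on glibc */
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

#ifndef O_DIRECT                /* glibc: another header came before _GNU_SOURCE */
#define O_DIRECT __O_DIRECT
#endif
#define PROBE_SIZE 4096         /* assumed: covers 512-byte and 4K sectors */

/* Hypothetical helper: open path read-only, keeping O_DIRECT only if an
 * aligned read of the first block really works. Sets *direct to 1 or 0.
 * Returns an open fd, or -1 on failure. */
int open_probe_dio(const char *path, int *direct)
{
    void *buf = NULL;
    int fd = open(path, O_RDONLY | O_DIRECT);

    *direct = 0;
    if (fd >= 0 && posix_memalign(&buf, PROBE_SIZE, PROBE_SIZE) == 0) {
        /* A successful open() proves nothing; issue one real read. */
        ssize_t r = pread(fd, buf, PROBE_SIZE, 0);
        free(buf);
        if (r == PROBE_SIZE) {
            *direct = 1;
            return fd;
        }
    }
    if (fd >= 0)
        close(fd);
    return open(path, O_RDONLY);    /* assumed fallback: buffered I/O */
}

/* Constructed sample: a 4 KiB temp file stands in for a block device.
 * Returns 1 (direct-io usable), 0 (fell back to buffered) or -1 (error). */
int demo_probe(void)
{
    char path[] = "/tmp/dio-probe-XXXXXX", block[PROBE_SIZE] = {0};
    int direct = 0, fd = -1, tmp = mkstemp(path);

    if (tmp < 0)
        return -1;
    if (write(tmp, block, sizeof(block)) == PROBE_SIZE)
        fd = open_probe_dio(path, &direct);
    close(tmp);
    unlink(path);
    if (fd < 0)
        return -1;
    close(fd);
    return direct;
}
```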

* Add low-level performance options tuning for dmcrypt (for Linux 4.0 and later).

  Linux kernel 4.0 contains rewritten dmcrypt code which tries to better utilize
  encryption on parallel CPU cores.

  While tests show that this change increases performance on most configurations,
  dmcrypt now provides some switches to change its new behavior.

  You can use them (per-device) with these cryptsetup switches:
    --perf-same_cpu_crypt
    --perf-submit_from_crypt_cpus

  Please use these only in the case of serious performance problems.
  Refer to the cryptsetup man page and dm-crypt documentation
  (for same_cpu_crypt and submit_from_crypt_cpus options).
    https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt

* Get rid of libfipscheck library.
  (Note that this option was used only for Red Hat and derived distributions.)
  With recent FIPS changes we do not need to link to this FIPS monster anymore.
  Also drop some no longer needed FIPS mode checks.

* Many fixes and clarifications to man pages.

* Prevent the compiler from optimizing out the zeroing of buffers for on-stack variables.
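
An added example (not taken from the cryptsetup source) of the problem this fix addresses: a memset() on a local buffer that is never read again is a dead store the optimizer may delete, while stores through a volatile pointer must be kept. wipe(), toy_derive() and the two use_key_*() functions are hypothetical names, and toy_derive() is a constructed stand-in, not a real KDF.

```c
#include <stddef.h>
#include <string.h>

/* Zero n bytes through a volatile pointer: every store is an observable
 * side effect, so the optimizer is not allowed to remove it. */
void wipe(void *s, size_t n)
{
    volatile unsigned char *p = (volatile unsigned char *)s;

    while (n--)
        *p++ = 0;
}

/* Constructed stand-in for a KDF; it only puts "key" bytes on the stack. */
static void toy_derive(unsigned char *key, size_t klen, const char *pass)
{
    size_t i;

    for (i = 0; i < klen; i++)
        key[i] = (unsigned char)(i * 31 + 7);
    for (i = 0; pass[i]; i++)
        key[i % klen] ^= (unsigned char)pass[i];
}

/* BEFORE: key[] is never read after the memset, so the call is a dead store
 * that an optimizing compiler may drop, leaving the key in the stack frame. */
unsigned char use_key_memset(const char *pass)
{
    unsigned char key[32], tag;

    toy_derive(key, sizeof(key), pass);
    tag = key[0] ^ key[31];
    memset(key, 0, sizeof(key));
    return tag;
}

/* AFTER: same logic, but the wipe survives optimization. */
unsigned char use_key_wiped(const char *pass)
{
    unsigned char key[32], tag;

    toy_derive(key, sizeof(key), pass);
    tag = key[0] ^ key[31];
    wipe(key, sizeof(key));
    return tag;
}
```

Comparing the disassembly of the two functions at -O2 shows whether the memset() call survived in the first one.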

* Fix a crash if non-GNU strerror_r is used.

Cryptsetup API NOTE:
The direct terminal handling for passphrase entry will be removed from
libcryptsetup in the next major version (the application should handle it itself).

It means that you always have to either provide the password in a buffer or set
your own password callback function through crypt_set_password_callback().
See API documentation (or libcryptsetup.h) for more info.