Cryptsetup 1.6.7 Release Notes

==============================

Changes since version 1.6.6

* Cryptsetup git and wiki are now hosted on GitLab.

  https://gitlab.com/cryptsetup/cryptsetup

  Repository of stable releases remains on kernel.org site

  https://www.kernel.org/pub/linux/utils/cryptsetup/

  For more info please see README file.

* Cryptsetup TCRYPT mode now supports VeraCrypt devices (TrueCrypt extension).

  The VeraCrypt extension only increases iteration count for the key

  derivation function (on-disk format is the same as TrueCrypt format).

  Note that unlocking of a VeraCrypt device can take very long time if used

  on slow machines.

  To use this extension, add --veracrypt option, for example

    cryptsetup open --type tcrypt --veracrypt <container> <name>

  For use through libcryptsetup, just add CRYPT_TCRYPT_VERA_MODES flag.

* Support keyfile-offset and keyfile-size options even for plain volumes.

* Support keyfile option for luksAddKey if the master key is specified.

* For historic reasons, hashing in the plain mode is not used

  if keyfile is specified (with exception of --key-file=-).

  Print a warning if these parameters are ignored.

* Support permanent device decryption for cryptsetup-reencrypt.

  To remove LUKS encryption from a device, you can now use --decrypt option.

* Allow to use --header option in all LUKS commands.

  The --header always takes precedence over positional device argument.

* Allow luksSuspend without need to specify a detached header.

* Detect if O_DIRECT is usable on a device allocation.

  There are some strange storage stack configurations which wrongly allows

  to open devices with direct-io but fails on all IO operations later.

  Cryptsetup now tries to read the device first sector to ensure it can use

  direct-io.

*  Add low-level performance options tuning for dmcrypt (for Linux 4.0 and later).

   Linux kernel 4.0 contains rewritten dmcrypt code which tries to better utilize

   encryption on parallel CPU cores.

   While tests show that this change increases performance on most configurations,

   dmcrypt now provides some switches to change its new behavior.

   You can use them (per-device) with these cryptsetup switches:

      --perf-same_cpu_crypt

      --perf-submit_from_crypt_cpus

  Please use these only in the case of serious performance problems.

  Refer to the cryptsetup man page and dm-crypt documentation

  (for same_cpu_crypt and submit_from_crypt_cpus options).

  https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt

* Get rid of libfipscheck library.

  (Note that this option was used only for Red Hat and derived distributions.)

  With recent FIPS changes we do not need to link to this FIPS monster anymore.

  Also drop some no longer needed FIPS mode checks.

* Many fixes and clarifications to man pages.

* Prevent compiler to optimize-out zeroing of buffers for on-stack variables.

* Fix a crash if non-GNU strerror_r is used.

Cryptsetup API NOTE:

The direct terminal handling for passphrase entry will be removed from

libcryptsetup in next major version (application should handle it itself).

It means that you have to always either provide password in buffer or set

your own password callback function through crypt_set_password_callback().

See API documentation (or libcryptsetup.h) for more info.