Cryptsetup 2.0.1 Release Notes
==============================
Stable and bug-fix release with experimental features.

This version introduces a new on-disk LUKS2 format.

The legacy LUKS (referenced as LUKS1) will be fully supported
forever as well as a traditional and fully backward compatible format.

Please note that authenticated disk encryption, non-cryptographic
data integrity protection (dm-integrity), use of Argon2 Password-Based
Key Derivation Function and the LUKS2 on-disk format itself are new
features and can contain some bugs.

To provide all security features of authenticated encryption we need
a better nonce-reuse resistant algorithm in the kernel (see note below).
For now, please use authenticated encryption as an experimental feature.

Please do not use LUKS2 without properly configured backup or in
production systems that need to be compatible with older systems.

Changes since version 2.0.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* To store the volume key in the kernel keyring, kernel 4.15 with dm-crypt 1.18.1
  is required. If a volume key is stored in the keyring (LUKS2 only),
  dm-crypt v1.15.0 through v1.18.0 contain a serious bug that may cause
  data corruption for ciphers with ESSIV.
  (The key for ESSIV is zeroed because of code misplacement.)
  This bug is not present for LUKS1 or any other IVs used in LUKS modes.
  This change is not visible to the user (except dmsetup output).

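A host-side check for the conditions this item lists, as an added example that is not part of the cryptsetup project: it parses `dmsetup targets` and `dmsetup table` text and names the mappings that combine a keyring-held key with an ESSIV cipher while dm-crypt v1.15.0 through v1.18.0 is loaded. The sample output is constructed, and treating a key field that starts with `:` as a keyring reference is an assumption about the dm-crypt table format.

```python
import re

# Affected dm-crypt target versions, as stated in the release note above.
AFFECTED_MIN, AFFECTED_MAX = (1, 15, 0), (1, 18, 0)

# Constructed sample output (not captured from a real host).
SAMPLE_TARGETS = "crypt            v1.18.0\nlinear           v1.4.0\n"
SAMPLE_TABLE = "\n".join([
    "luks2_essiv: 0 4190208 crypt aes-cbc-essiv:sha256 "
    ":32:logon:cryptsetup:EXAMPLE-UUID-d0 0 8:3 8192",
    "luks2_xts: 0 4190208 crypt aes-xts-plain64 "
    ":64:logon:cryptsetup:EXAMPLE-UUID-d0 0 8:4 8192",
    "luks1_essiv: 0 4190208 crypt aes-cbc-essiv:sha256 " + "0" * 64 + " 0 8:5 4096",
    "vg-root: 0 4190208 linear 8:2 2048",
])


def crypt_target_version(targets_text):
    """Return the dm-crypt version tuple from `dmsetup targets` text, or None."""
    m = re.search(r"^crypt\s+v(\d+)\.(\d+)\.(\d+)\s*$", targets_text, re.MULTILINE)
    return tuple(int(part) for part in m.groups()) if m else None


def at_risk_mappings(targets_text, table_text):
    """Names of crypt mappings that pair a keyring-held key with an ESSIV
    cipher while the loaded dm-crypt target is in the affected range."""
    version = crypt_target_version(targets_text)
    if version is None or not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return []
    risky = []
    for line in table_text.splitlines():
        # Layout: "<name>: <start> <length> crypt <cipher> <key> <iv_offset> ..."
        name, _, rest = line.partition(": ")
        fields = rest.split()
        if len(fields) < 5 or fields[2] != "crypt":
            continue
        cipher, key = fields[3], fields[4]
        # Assumption: a key field starting with ':' is a keyring reference
        # (":<size>:<type>:<description>"); a key held by dm-crypt itself is hex.
        if key.startswith(":") and "essiv" in cipher:
            risky.append(name)
    return risky


if __name__ == "__main__":
    print(at_risk_mappings(SAMPLE_TARGETS, SAMPLE_TABLE))
```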
* Increase maximum allowed PBKDF memory-cost limit to 4 GiB.
  The Argon2 PBKDF uses 1 GiB by default; this is also limited by the amount
  of physical memory available (maximum is half of the physical memory).

* Use /run/cryptsetup as default for cryptsetup locking dir.
  There were problems with sharing /run/lock with lockdev, and in the early
  boot, the directory was missing.
  The directory can be changed with --with-luks2-lock-path and
  --with-luks2-lock-dir-perms configure switches.

* Introduce new 64-bit byte-offset *keyfile_device_offset functions.

  The keyfile interface was designed, well, for keyfiles. Unfortunately,
  there are use cases where a keyfile can be placed on a device, and
  a size_t offset can overflow on 32-bit systems.

  A new set of functions that allow 64-bit offsets even on 32-bit systems
  is now available:

     - crypt_resume_by_keyfile_device_offset
     - crypt_keyslot_add_by_keyfile_device_offset
     - crypt_activate_by_keyfile_device_offset
     - crypt_keyfile_device_read

  The new functions have _device_ added to their names.
  Old functions are just internal wrappers around these.

  Also cryptsetup --keyfile-offset and --new-keyfile-offset now allow
  64-bit offsets as parameters.

* Add error hint for wrongly formatted cipher strings in LUKS1 and
  properly fail in luksFormat if cipher format is missing required IV.
  Until now, the crypto API quietly used a cipher without IV if a cipher
  algorithm without IV specification was used (e.g., aes-xts).
  This caused a failure later during activation.

* Configure check for a recent Argon2 lib to support mandatory Argon2id.

* Fix for the cryptsetup-reencrypt static build if pwquality is enabled.

* Update LUKS1 standard doc (https links in the bibliography).


Unfinished things & TODO for next releases
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* There will be better documentation and examples.

* There will be some more formal definition of the threat model for integrity
  protection. (And a link to some papers discussing integrity protection,
  once it is, hopefully, accepted and published.)

* Offline re-encrypt tool LUKS2 support is currently limited.
  There will be an online LUKS2 re-encryption tool in the future.

* Authenticated encryption will use new algorithms from the CAESAR competition
  (https://competitions.cr.yp.to/caesar.html) once these algorithms are
  available in the kernel (more on this later).
  NOTE: Currently available authenticated modes (GCM, ChaCha20-Poly1305)
  in the kernel have too small 96-bit nonces that are problematic with
  randomly generated IVs (the collision probability is not negligible).
  For the GCM, nonce collision is a fatal problem.

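The size of the problem in the NOTE above, as an added example that is not from the cryptsetup project: the birthday bound for random 96-bit nonces, converted into the amount of data that can be written before the chance of a repeated nonce passes a chosen limit. It assumes one fresh random nonce per sector write; the 2^-32 limit is borrowed from NIST SP 800-38D's requirement for GCM and is not a figure from these notes.

```python
import math
from fractions import Fraction

NONCE_BITS = 96   # nonce size of GCM and ChaCha20-Poly1305, as cited in the NOTE
TIB = 2 ** 40


def collision_bound(writes, nonce_bits=NONCE_BITS):
    """Birthday upper bound on P(any nonce repeats) after `writes`
    independent, uniformly random nonces: n(n-1)/2 divided by 2^bits."""
    return Fraction(writes * (writes - 1), 2 ** (nonce_bits + 1))


def max_writes(log2_risk, nonce_bits=NONCE_BITS):
    """Largest number of writes whose bound stays <= 2^log2_risk."""
    limit = 2 ** (nonce_bits + 1 + log2_risk)   # need n(n-1) <= limit
    n = math.isqrt(limit)                       # n*n <= limit, so n(n-1) <= limit
    while (n + 1) * n <= limit:                 # step up to the exact maximum
        n += 1
    return n


def tib_written(writes, sector_size):
    """Data volume in TiB after `writes` sector writes.
    Assumption: every sector write consumes exactly one random nonce."""
    return writes * sector_size / TIB


def report(log2_risk=-32, sector_sizes=(512, 4096)):
    """TiB that can be written per sector size before the bound exceeds
    2^log2_risk (assumed limit, taken from NIST SP 800-38D for GCM)."""
    n = max_writes(log2_risk)
    return {size: round(tib_written(n, size), 2) for size in sector_sizes}


if __name__ == "__main__":
    for size, tib in report().items():
        print(f"{size}-byte sectors: about {tib} TiB of writes")
```

Under these assumptions the limit is reached after roughly 2.83 TiB of writes with 512-byte sectors and 22.63 TiB with 4096-byte sectors.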
* Authenticated encryption does not set encryption for a dm-integrity journal.

  While it does not influence data confidentiality or integrity protection,
  an attacker can get some more information from the data journal or cause the
  system to corrupt sectors after journal replay. (That corruption will be
  detected though.)

* There are examples of user-defined tokens inside misc/luks2_keyslot_example
  directory (like a simple external program that uses libssh to unlock LUKS2
  using remote keyfile).

* The python binding (pycryptsetup) contains only basic functionality for LUKS1
  (it is not updated for new features) and will be deprecated soon in favor
  of python bindings to the libblockdev library (that can already handle LUKS1
  devices).