1.7.528 Apr 2017 18:25
to luksFormat to properly support recent kernel running in FIPS mode.
Cryptsetup must never use a weak key even if it is just used for testing
of algorithm availability. In FIPS mode, weak keys are always rejected.
A weak key is for example detected if the XTS encryption mode use.
The same key for the tweak and the encryption part.
Accesses to unaligned hidden legacy TrueCrypt header.
On a native 4k-sector device the old hidden TrueCrypt header is not.
Aligned with the hw sector size (this problem was in later TrueCrypt
on-disk format versions).
Cryptsetup now properly aligns the read so it does not fail.
to optional dracut ramdisk scripts for offline re-encryption on initial boot.
1.7.417 Mar 2017 06:25
Allow to specify LUKS1 hash algorithm in Python luksFormat wrapper.
Use LUKS1 compiled-in defaults also in Python wrapper.
OpenSSL backend: OpenSSL 1.1.0 support without backward compatible API.
OpenSSL backend: LibreSSL compatibility.
Check for data device and hash device area overlap in veritysetup.
a possible race while allocating a free loop device.
possible file descriptor leaks if libcryptsetup is run from a forked process.
missing same_cpu_crypt flag in status command.
Various updates to FAQ and man pages.
1.7.331 Oct 2016 22:45
Device access to hash offsets located beyond the 2GB device boundary in veritysetup.
Set configured (compile-time) default iteration time for devices created directly through.
Libcryptsetup (default was hardcoded 1 second, the configured value applied only
For cryptsetup application).
PBKDF2 benchmark to not double iteration count for specific corner case.
If the measurement function returns exactly 500 ms, the iteration calculation loop.
Doubled iteration count but instead of repeating measurement it used this value directly.
OpenSSL backend: memory leak if hash context was repeatedly reused.
OpenSSL backend: add support for OpenSSL 1.1.0.
Several minor spelling errors.
1.7.206 Jun 2016 00:25
Update LUKS documentation format.
Clarify sector size and keyslots alignment.
Support activation options for error handling modes in Linux kernel
ignore-corruption - dm-verity just logs detected corruption.
restart-on-corruption - dm-verity restarts the kernel if corruption is detected.
If the options above are not specified, default behavior for dm-verity remains.
Default is that I/O operation fails with I/O error if corrupted block is detected.
ignore-zero-blocks - Instructs dm-verity to not verify blocks that are expected
to contain zeroes and always return zeroes directly instead.
NOTE that these options could have security or functional impacts,
do not use them without assessing the risks!.
help text for cipher benchmark specification (mention --cipher option).
off-by-one error in maximum keyfile size.
Allow keyfiles up to compiled-in default and not that value minus one.
Support resume of interrupted decryption in cryptsetup-reencrypt utility.
To resume decryption, LUKS device UUID (--uuid option) option must be used.
Do not use direct-io for LUKS header with unaligned keyslots.
Such headers were used only by the first cryptsetup-luks-1.0.0 release (2005).
device block size detection to properly work on particular file-based
containers over underlying devices with 4k sectors.
1.7.129 Feb 2016 21:45
Code now uses kernel crypto API backend according to new
changes introduced in mainline kernel.
While mainline kernel should contain backward compatible
changes, some stable series kernels do not contain fully
backported compatibility patches.
Without these patches most of cryptsetup operations.
like unlocking device) fail.
This change in cryptsetup ensures that all operations using
kernel crypto API works even on these kernels.
The cryptsetup-reencrypt utility now properly detects removal
of underlying link to block device and does not remove
ongoing re-encryption log.
This allows proper recovery (resume) of reencrypt operation later.
NOTE: Never use /dev/disk/by-uuid/ path for reencryption utility,
this link disappears once the device metadata is temporarily
removed from device.
Cryptsetup now allows special "-" (standard input) keyfile handling
even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices.
Cryptsetup now fails if there are more keyfiles specified
for non-TCRYPT device.
The luksKillSlot command now does not suppress provided password
in batch mode (if password is wrong slot is not destroyed).
Note that not providing password in batch mode means that keyslot
is destroyed unconditionally.
1.7.005 Nov 2015 01:25
Default hash function is now SHA256 (used in key derivation function
and anti-forensic splitter).
Note that replacing SHA1 with SHA256 is not for security reasons.
LUKS does not have problems even if collisions are found for SHA1,
for details see FAQ item 5.20).
Using SHA256 as default is mainly to prevent compatibility problems
on hardened systems where SHA1 is already be phased out.
Note that all checks (kernel crypto API availability check) now uses
SHA256 as well.
Default iteration time for PBKDF2 is now 2 seconds.
Increasing iteration time is in combination with PBKDF2 benchmark
a try to keep PBKDF2 iteration count still high enough and
also still acceptable for users.
N.B. Long term is to replace PBKDF2 algorithm with Password Hashing
Competition winner - Argon2.
Distributions can still change these defaults in compilation time.
You can change iteration time and used hash function in existing LUKS
header with cryptsetup-reencrypt utility even without full reencryption
of device (see --keep-key option).
PBKDF2 iteration benchmark for longer key sizes.
The previous PBKDF2 benchmark code did not take into account
output key length properly.
For SHA1 (with 160-bits output) and 256-bit keys (and longer)
it means that the final iteration value was higher than it should be.
For other hash algorithms (like SHA256 or SHA512) it caused
that iteration count was lower (in comparison to SHA1) than
expected for the requested time period.
The PBKDF2 benchmark code is now to use the key size for
the formatted device (or default LUKS key size if running in informational
Thanks to A.Visconti, S.Bossi, A.Calo and H.Ragab.
http://www.club.di.unimi.it/) for point this out.
Based on "What users should know about Full Disk Encryption
based on LUKS" paper to be presented on CANS2015).
Remove experimental warning for reencrypt tool.
The strong request for full backup before using reencryption utility
still applies :).
Add optional libpasswdqc support for new LUKS pass
1.6.810 Sep 2015 09:25
If the null cipher (no encryption) is used, allow only empty password for LUKS.
Previously cryptsetup accepted any password in this case.).
The null cipher can be used only for testing and it is used temporarily during
offline encrypting not yet encrypted device (cryptsetup-reencrypt tool).
Accepting only empty password prevents situation when someone adds another
LUKS device using the same UUID (UUID of existing LUKS device) with faked
header containing null cipher.
This could force user to use different LUKS device (with no encryption)
IOW it prevents situation when attacker intentionally forces
user to boot into different system just by LUKS header manipulation.).
Properly configured systems should have an additional integrity protection
in place here (LUKS here provides only confidentiality) but it is better
to not allow this situation in the first place.
For more info see QubesOS Security Bulletin QSB-019-2015.).
Properly support stdin "-" handling for luksAddKey for both new and old
If encrypted device is file-backed (it uses underlying loop device),
cryptsetup resize will try to resize underlying loop device as well.
It can be used to grow up file-backed device in one step.).
Cryptsetup now allows to use empty password through stdin pipe.
Intended only for testing in scripts.).
Cryptsetup API NOTE:
Direct terminal handling and password calling callback for passphrase.
entry will be removed from libcryptsetup in next major (2.x) version
application should handle it itself).
It means that application have to always provide password in API calls.
Functions returning last error will be removed in next major version (2.x).
These functions did not work properly for early initialization errors
and application can implement better function easily using own error callback.
See comments in libcryptsetup.h for more info about deprecated functions.
1.6.725 Mar 2015 14:25
Cryptsetup git and wiki are now hosted on GitLab.
Repository of stable releases remains on kernel.org site
For more info please see README file.
Cryptsetup TCRYPT mode now supports VeraCrypt devices (TrueCrypt extension).
The VeraCrypt extension only increases iteration count for the key
derivation function (on-disk format is the same as TrueCrypt format).
Note that unlocking of a VeraCrypt device can take very long time if used
on slow machines.
To use this extension, add --veracrypt option, for example
cryptsetup open --type tcrypt --veracrypt. .
For use through libcryptsetup, just add CRYPT_TCRYPT_VERA_MODES flag.
Support keyfile-offset and keyfile-size options even for plain volumes.
Support keyfile option for luksAddKey if the master key is specified.
For historic reasons, hashing in the plain mode is not used
if keyfile is specified (with exception of --key-file=-).
Print a warning if these parameters are ignored.
Support permanent device decryption for cryptsetup-reencrypt.
To remove LUKS encryption from a device, you can now use --decrypt option.
Allow to use --header option in all LUKS commands.
The --header always takes precedence over positional device argument.
Allow luksSuspend without need to specify a detached header.
Detect if O_DIRECT is usable on a device allocation.
There are some strange storage stack configurations which wrongly allows
to open devices with direct-io but fails on all IO operations later.
Cryptsetup now tries to read the device first sector to ensure it can use
Add low-level performance options tuning for dmcrypt (for Linux 4.0 and later).
Linux kernel 4.0 contains rewritten dmcrypt code which tries to better utilize
encryption on parallel CPU cores.
While tests show that this change increases performance on most configurations,
dmcrypt now provides some switches to change its new behavior.
You can use them (per-device) with th
1.6.618 Aug 2014 14:34
LUKS: Fix keyslot device access for devices which do not support direct IO operations.
(Regression in 1.6.5.)
LUKS: Fallback to old temporary keyslot device mapping method if hash (for ESSIV)
is not supported by userspace crypto library.
(Regression in 1.6.5.)
Properly activate device with discard (TRIM for SSDs) if requested even if dm_crypt module is not yet loaded.
Only if discard is not supported by the old kernel then the discard option is ignored.
Fix some static analysis build warnings (scan-build).
Report crypto lib version only once (and always add kernel version) in debug output.