Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

cryptsetup-2.7.0-150600.1.4 RPM for s390x

From OpenSuSE Leap 15.6 for s390x

Name: cryptsetup Distribution: SUSE Linux Enterprise 15
Version: 2.7.0 Vendor: SUSE LLC <https://www.suse.com/>
Release: 150600.1.4 Build date: Thu May 9 16:53:09 2024
Group: System/Base Build host: s390zl3a
Size: 434948 Source RPM: cryptsetup-2.7.0-150600.1.4.src.rpm
Packager: https://www.suse.com/
Url: https://gitlab.com/cryptsetup/cryptsetup/
Summary: Setup program for dm-crypt Based Encrypted Block Devices
cryptsetup is used to conveniently set up dm-crypt based device-mapper
targets. It allows to set up targets to read cryptoloop compatible
volumes as well as LUKS formatted ones. The package additionally
includes support for automatically setting up encrypted volumes at boot
time via the config file /etc/crypttab.

Provides

Requires

License

LGPL-2.0-or-later AND SUSE-GPL-2.0-with-openssl-exception

Changelog

* Mon Jan 29 2024 [email protected]
  - Update to 2.7.0:
    * Full changelog in:
      mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes
    * Introduce support for hardware OPAL disk encryption.
    * plain mode: Set default cipher to aes-xts-plain64 and password hashing
      to sha256.
    * Allow activation (open), luksResume, and luksAddKey to use the volume
      key stored in a keyring.
    * Allow to store volume key to a user-specified keyring in open and
      luksResume commands.
    * Do not flush IO operations if resize grows the device.
      This can help performance in specific cases where the encrypted device
      is extended automatically while running many IO operations.
    * Use only half of detected free memory for Argon2 PBKDF on systems
      without swap (for LUKS2 new keyslot or format operations).
    * Add the possibility to specify a directory for external LUKS2 token
      handlers (plugins).
    * Do not allow reencryption/decryption on LUKS2 devices with
      authenticated encryption or hardware (OPAL) encryption.
    * Do not fail LUKS format if the operation was interrupted on subsequent
      device wipe.
    * Fix the LUKS2 keyslot option to be used while activating the device
      by a token.
    * Properly report if the dm-verity device cannot be activated due to
      the inability to verify the signed root hash (ENOKEY).
    * Fix to check passphrase for selected keyslot only when adding
      new keyslot.
    * Fix to not wipe the keyslot area before in-place overwrite.
    * bitlk: Fix segfaults when attempting to verify the volume key.
    * Add --disable-blkid command line option to avoid blkid device check.
    * Add support for the meson build system.
    * Fix wipe operation that overwrites the whole device if used for LUKS2
      header with no keyslot area.
    * Fix luksErase to work with detached LUKS header.
    * Disallow the use of internal kernel crypto driver names in "capi"
      specification.
    * Fix reencryption to fail early for unknown cipher.
    * tcrypt: Support new Blake2 hash for VeraCrypt.
    * tcrypt: use hash values as substring for limiting KDF check.
    * Add Aria cipher support and block size info.
    * Do not decrease PBKDF parameters if the user forces them.
    * Support OpenSSL 3.2 Argon2 implementation.
    * Add support for Argon2 from libgcrypt
      (requires yet unreleased gcrypt 1.11).
    * Used Argon2 PBKDF implementation is now reported in debug mode
      in the cryptographic backend version. For native support in
      OpenSSL 3.2 or libgcrypt 1.11, "argon2" is displayed.
      If libargon2 is used, "cryptsetup libargon2" (for embedded
      library) or "external libargon2" is displayed.
    * Link only libcrypto from OpenSSL.
    * Disable reencryption for Direct-Access (DAX) devices.
    * Print a warning message if the device is not aligned to sector size.
    * Fix sector size and integrity fields display for non-LUKS2 crypt
      devices for the status command.
    * Fix suspend for LUKS2 with authenticated encryption (also suspend
      dm-integrity device underneath).
    * Update keyring and locking documentation and LUKS2 specification
      for OPAL2 support.
    * Remove patches fixed upstream:
    - cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
    - cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
    - cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
* Thu Jul 13 2023 [email protected]
  - luksFormat: Handle system with low memory and no swap space [bsc#1211079]
    * Check for physical memory available also in PBKDF benchmark.
    * Try to avoid OOM killer on low-memory systems without swap.
    * Use only half of detected free memory on systems without swap.
    * Add patches:
    - cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
    - cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
    - cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
* Wed Jun 14 2023 [email protected]
  - Enable running the regression test suite.
  - Force a regeneration of the man pages from AsciiDoc.
  - Add LUKS1 and LUKS2 On-Disk Format Specification pdfs to doc.
* Wed Jun 14 2023 [email protected]
  - FIPS: Remove not needed libcryptsetup12-hmac package that contains
    the HMAC checksums for integrity checking for FIPS. [bsc#1185116]
    * Remove the cryptsetup-rpmlintrc file.
    * Remove not needed fipscheck dependency.
* Sun Feb 12 2023 [email protected]
  - cryptsetup 2.6.1
    * bitlk: Fixes for BitLocker-compatible on-disk metadata parser
    * Fix possible iteration overflow in OpenSSL2 PBKDF2 crypto
      backend
    * portability and compilation fixes
    * verity: Fix possible hash offset setting overflow.
    * bitlk: Fix use of startup BEK key on big-endian platforms.
    * Do not initiate encryption (reencryption command) when the
      header and data devices are the same. If data device reduction
      is not requsted, this leads to data corruption since LUKS
      metadata was written over the data device.
    * Fix possible memory leak if crypt_load() fails.
    * Always use passphrases with a minimal 8 chars length for
      benchmarking, as used in some implementation of FIPS mode
* Tue Dec 27 2022 [email protected]
  - Replace transitional %usrmerged macro with regular version check (boo#1206798)
* Mon Nov 28 2022 [email protected]
  - cryptsetup 2.6.0:
    * Introduce support for handling macOS FileVault2 devices (FVAULT2).
    * libcryptsetup: no longer use global memory locking through mlockall()
    * libcryptsetup: process priority is increased only for key derivation
      (PBKDF) calls.
    * Add new LUKS keyslot context handling functions and API.
    * The volume key may now be extracted using a passphrase, keyfile, or
      token. For LUKS devices, it also returns the volume key after
      a successful crypt_format call.
    * Fix --disable-luks2-reencryption configuration option.
    * cryptsetup: Print a better error message and warning if the format
      produces an image without space available for data.
    * Print error if anti-forensic LUKS2 hash setting is not available.
      If the specified hash was not available, activation quietly failed.
    * Fix internal crypt segment compare routine if the user
      specified cipher in kernel format (capi: prefix).
    * cryptsetup: Add token unassign action.
      This action allows removing token binding on specific keyslot.
    * veritysetup: add support for --use-tasklets option.
      This option sets try_verify_in_tasklet kernel dm-verity option
      (available since Linux kernel 6.0) to allow some performance
      improvement on specific systems.
    * Provide pkgconfig Require.private settings.
      While we do not completely provide static build on udev systems,
      it helps produce statically linked binaries in certain situations.
    * Always update automake library files if autogen.sh is run.
      For several releases, we distributed older automake scripts by mistake.
    * reencryption: Fix user defined moved segment size in LUKS2 decryption.
      The --hotzone-size argument was ignored in cases where the actual data
      size was less than the original LUKS2 data offset.
    * Delegate FIPS mode detection to configured crypto backend.
      System FIPS mode check no longer depends on /etc/system-fips file.
    * Update documentation, including FAQ and man pages.
* Tue Sep 13 2022 [email protected]
  - Add virtual provides for 'integritysetup' and 'veritysetup' to match
    package names provided by Fedora/RHEL, to allow the same set of
    dependencies to be used across all RPM distributions.
* Mon Aug 22 2022 [email protected]
  - cryptsetup 2.5.0:
    * Split manual pages into per-action pages and use AsciiDoc format.
    * Remove cryptsetup-reencrypt tool from the project and move reencryption
      to already existing "cryptsetup reencrypt" command.
      If you need to emulate the old cryptsetup-reencrypt binary, use simple
      wrappers script running "exec cryptsetup reencrypt $@".
    * LUKS2: implement --decryption option that allows LUKS removal.
    * Fix decryption operation with --active-name option and restrict
      it to be used only with LUKS2.
    * Do not refresh reencryption digest when not needed.
      This should speed up the reencryption resume process.
    * Store proper resilience data in LUKS2 reencrypt initialization.
      Resuming reencryption now does not require specification of resilience
      type parameters if these are the same as during initialization.
    * Properly wipe the unused area after reencryption with datashift in
      the forward direction.
    * Check datashift value against larger sector size.
      For example, it could cause an issue if misaligned 4K sector appears
      during decryption.
    * Do not allow sector size increase reencryption in offline mode.
    * Do not allow dangerous sector size change during reencryption.
    * Ask the user for confirmation before resuming reencryption.
    * Do not resume reencryption with conflicting parameters.
    * Add --force-offline-reencrypt option.
    * Do not allow nested encryption in LUKS reencrypt.
    * Support all options allowed with luksFormat with encrypt action.
    * Add resize action to integritysetup.
    * Remove obsolete dracut plugin reencryption example.
    * Fix possible keyslot area size overflow during conversion to LUKS2.
    * Allow use of --header option for cryptsetup close.
    * Fix activation of LUKS2 device with integrity and detached header.
    * Add ZEROOUT IOCTL support for crypt_wipe API call.
    * VERITY: set loopback sector size according to dm-verity block sizes.
    * veritysetup: dump device sizes.
    * LUKS2 token: prefer token PIN query before passphrase in some cases.
      When a user provides --token-type or specific --token-id, a token PIN
      query is preferred to a passphrase query.
    * LUKS2 token: allow tokens to be replaced with --token-replace option
      for cryptsetup token command.
    * LUKS2 token: do not continue operation when interrupted in PIN prompt.
    * Add --progress-json parameter to utilities.
    * Add support for --key-slot option in luksResume action.
  - move man pages to separate subpackage
  - drop backports handling
* Fri Jan 14 2022 [email protected]
  - cryptsetup 2.4.3:
    * Fix possible attacks against data confidentiality through
      LUKS2 online reencryption extension crash recovery
      CVE-2021-4122, boo#1194469
    * Add configure option --disable-luks2-reencryption to completely
      disable LUKS2 reencryption code.
    * Improve internal metadata validation code for reencryption
      metadata
    * Add updated documentation for LUKS2 On-Disk Format
      Specification version 1.1.0
    * Fix support for bitlk (BitLocker compatible) startup key with
      new  metadata entry introduced in Windows 11
    * Fix space restriction for LUKS2 reencryption with data shift
* Thu Nov 18 2021 [email protected]
  - cryptsetup 2.4.2:
    * Fix possible large memory allocation if LUKS2 header size is
      invalid.
    * Fix memory corruption in debug message printing LUKS2
      checksum.
    * veritysetup: remove link to the UUID library for the static
      build.
    * Remove link to pwquality library for integritysetup and
      veritysetup. These tools do not read passphrases.
    * OpenSSL3 backend: avoid remaining deprecated calls in API.
      Crypto backend no longer use API deprecated in OpenSSL 3.0
    * Check if kernel device-mapper create device failed in an early
      phase. This happens when a concurrent creation of device-mapper
      devices meets in the very early state.
    * Do not set compiler optimization flag for Argon2 KDF if the
      memory wipe is implemented in libc.
    * Do not attempt to unload LUKS2 tokens if external tokens are
      disabled. This allows building a static binary with
    - -disable-external-tokens.
    * LUKS convert: also check sysfs for device activity.
      If udev symlink is missing, code fallbacks to sysfs scan to
      prevent data corruption for the active device.
* Thu Sep 16 2021 [email protected]
  - cryptsetup 2.4.1
    * Fix compilation for libc implementations without dlvsym().
    * Fix compilation and tests on systems with non-standard libraries
    * Try to workaround some issues on systems without udev support.
    * Fixes for OpenSSL3 crypto backend (including FIPS mode).
    * Print error message when assigning a token to an inactive keyslot.
    * Fix offset bug in LUKS2 encryption code if --offset option was used.
    * Do not allow LUKS2 decryption for devices with data offset.
    * Fix LUKS1 cryptsetup repair command for some specific problems.
* Wed Aug 25 2021 [email protected]
  - As YaST passes necessary parameters to cryptsetup anyway, we do
    not necessarily need to take grub into consideration. So back to
    Argon2 to see how it goes.
* Tue Aug 03 2021 [email protected]
  - need to use PBKDF2 by default for LUKS2 as grub can't decrypt when
    using Argon.
* Mon Aug 02 2021 [email protected]
  - cryptsetup 2.4.0 (jsc#SLE-20275)
    * External LUKS token plugins
    * Experimental SSH token
    * Default LUKS2 PBKDF is now Argon2id
    * Increase minimal memory cost for Argon2 benchmark to 64MiB.
    * Autodetect optimal encryption sector size on LUKS2 format.
    * Use VeraCrypt option by default and add --disable-veracrypt option.
    * Support --hash and --cipher to limit opening time for TCRYPT type
    * Fixed default OpenSSL crypt backend support for OpenSSL3.
    * integritysetup: add integrity-recalculate-reset flag.
    * cryptsetup: retains keyslot number in luksChangeKey for LUKS2.
    * Fix cryptsetup resize using LUKS2 tokens.
    * Add close --deferred and --cancel-deferred options.
    * Rewritten command-line option parsing to avoid libpopt arguments
      memory leaks.
    * Add --test-args option.
* Mon Aug 02 2021 [email protected]
  - Use LUKS2 as default format on Tumbleweed.
    It provides some additional features which other tools
    (e.g. systemd-cryptenroll) rely on. GRUB 2.06 supports unlocking
    LUKS2 volumes meanwhile.
* Thu Jul 01 2021 [email protected]
  - cryptsetup 2.3.6:
    * integritysetup: Fix possible dm-integrity mapping table truncation.
    * cryptsetup: Backup header can be used to activate TCRYPT device.
      Use --header option to specify the header.
    * cryptsetup: Avoid LUKS2 decryption without detached header.
      This feature will be added later and is currently not supported.
    * Additional fixes and workarounds for common warnings produced
      by some static analysis tools (like gcc-11 analyzer) and additional
      code hardening.
    * Fix standalone libintl detection for compiled tests.
    * Add Blake2b and Blake2s hash support for crypto backends.
      Kernel and gcrypt crypto backend support all variants.
      OpenSSL supports only Blake2b-512 and Blake2s-256.
      Crypto backend supports kernel notation e.g. "blake2b-512".
* Sat Mar 13 2021 [email protected]
  - cryptsetup 2.3.5:
    * Fix partial reads of passphrase from an interactive terminal
    * Fix maximum length of password entered through a terminal
    * integritysetup: support new dm-integrity HMAC recalculation
      options
    * integritysetup: display of recalculating sector in dump command
    * veritysetup: fix verity FEC if stored in the same image with
      hashes
    * veritysetup: run FEC repair check even if root hash fails
    * veritysetup: do not process hash image if hash area is empty
    * veritysetup: store verity hash algorithm in superblock in
      lowercase
    * bitlk: fix a crash if the device disappears during BitLocker
      scan
    * bitlk: show a better error when trying to open an NTFS device
    * bitlk: add support for startup key protected VMKs
    * Fix LUKS1 repair code (regression since version 1.7.x)
    * Fix luksKeyChange for LUKS2 with assigned tokens
    * Fix cryptsetup resize using LUKS2 tokens
    * Print a visible error if device resize is not supported
    * Add error message when suspending wrong non-LUKS device
    * Fix default XTS mode key size in reencryption
    * Rephrase missing locking directory warning and move it to
      debug level
    * Many fixes for the use of cipher_null (empty debug cipher)
    * Fixes for libpasswdqc 2.0.x (optional passphrase quality check)
    * Fixes for problems discovered by various tools for code
      analysis
    * Various fixes to man pages
  - silence hmac packaging warnings
* Fri Mar 12 2021 [email protected]
  - move licenses to licensedir
* Tue Dec 08 2020 [email protected]
  - SLE marker: implements jsc#SLE-5911, bsc#1165580, jsc#SLE-145149
* Wed Nov 04 2020 [email protected]
  - prepare usrmerge (boo#1029961)
* Fri Sep 04 2020 [email protected]
  - Update to 2.3.4:
    * Fix a possible out-of-bounds memory write while validating LUKS2 data
      segments metadata (CVE-2020-14382, boo#1176128).
    * Ignore reported optimal IO size if not aligned to minimal page size.
    * Added support for new no_read/write_wrokqueue dm-crypt options (kernel 5.9).
    * Added support panic_on_corruption option for dm-verity devices (kernel 5.9).
    * Support --master-key-file option for online LUKS2 reencryption
    * Always return EEXIST error code if a device already exists.
    * Fix a problem in integritysetup if a hash algorithm has dash in the name.
    * Fix crypto backend to properly handle ECB mode.
    * TrueCrypt/VeraCrypt compatible mode now supports the activation of devices
      with a larger sector.
    * LUKS2: Do not create excessively large headers.
    * Fix unspecified sector size for BitLocker compatible mode.
    * Fix reading key data size in metadata for BitLocker compatible mode.
* Thu May 28 2020 [email protected]
  - Update to 2.3.3:
    * Fix BitLocker compatible device access that uses native 4kB
      sectors
    * Support large IV count (--iv-large-sectors) cryptsetup option
      for plain device mapping
    * Fix a memory leak in BitLocker compatible handling
    * Allow EBOIV (Initialization Vector algorithm) use
    * LUKS2: Require both keyslot cipher and key size option, do
      not fail silently
  - includes changes from 2.3.2:
    * Add option to dump content of LUKS2 unbound keyslot
    * Add support for discards (TRIM) for standalone dm-integrity
      devices (Kernel 5.7) via --allow-discards, not for LUKS2
    * Fix cryptsetup-reencrypt to work on devices that do not allow
      direct-io device access.
    * Fix a crash in the BitLocker-compatible code error path
    * Fix Veracrypt compatible support for longer (>64 bytes)
      passphrases
* Thu Apr 02 2020 [email protected]
  - Split translations to -lang package
  - New version to 2.3.1
    * Support VeraCrypt 128 bytes passwords.
      VeraCrypt now allows passwords of maximal length 128 bytes
      (compared to legacy TrueCrypt where it was limited by 64 bytes).
    * Strip extra newline from BitLocker recovery keys
      There might be a trailing newline added by the text editor when
      the recovery passphrase was passed using the --key-file option.
    * Detect separate libiconv library.
      It should fix compilation issues on distributions with iconv
      implemented in a separate library.
    * Various fixes and workarounds to build on old Linux distributions.
    * Split lines with hexadecimal digest printing for large key-sizes.
    * Do not wipe the device with no integrity profile.
      With --integrity none we performed useless full device wipe.
    * Workaround for dm-integrity kernel table bug.
      Some kernels show an invalid dm-integrity mapping table
      if superblock contains the "recalculate" bit. This causes
      integritysetup to not recognize the dm-integrity device.
      Integritysetup now specifies kernel options such a way that
      even on unpatched kernels mapping table is correct.
    * Print error message if LUKS1 keyslot cannot be processed.
      If the crypto backend is missing support for hash algorithms
      used in PBKDF2, the error message was not visible.
    * Properly align LUKS2 keyslots area on conversion.
      If the LUKS1 payload offset (data offset) is not aligned
      to 4 KiB boundary, new LUKS2 keyslots area in now aligned properly.
    * Validate LUKS2 earlier on conversion to not corrupt the device
      if binary keyslots areas metadata are not correct.
* Tue Feb 04 2020 [email protected]
  - Update to 2.3.0 (include release notes for 2.2.0)
    * BITLK (Windows BitLocker compatible) device access
    * Veritysetup now supports activation with additional PKCS7 signature
      of root hash through --root-hash-signature option.
    * Integritysetup now calculates hash integrity size according to algorithm
      instead of requiring an explicit tag size.
    * Integritysetup now supports fixed padding for dm-integrity devices.
    * A lot of fixes to online LUKS2 reecryption.
    * Add crypt_resume_by_volume_key() function to libcryptsetup.
      If a user has a volume key available, the LUKS device can be resumed
      directly using the provided volume key.
      No keyslot derivation is needed, only the key digest is checked.
    * Implement active device suspend info.
      Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags
      that informs the caller that device is suspended (luksSuspend).
    * Allow --test-passphrase for a detached header.
      Before this fix, we required a data device specified on the command
      line even though it was not necessary for the passphrase check.
    * Allow --key-file option in legacy offline encryption.
      The option was ignored for LUKS1 encryption initialization.
    * Export memory safe functions.
      To make developing of some extensions simpler, we now export
      functions to handle memory with proper wipe on deallocation.
    * Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot.
    * Add optional global serialization lock for memory hard PBKDF.
    * Abort conversion to LUKS1 with incompatible sector size that is
      not supported in LUKS1.
    * Report error (-ENOENT) if no LUKS keyslots are available. User can now
      distinguish between a wrong passphrase and no keyslot available.
    * Fix a possible segfault in detached header handling (double free).
    * Add integritysetup support for bitmap mode introduced in Linux kernel 5.2.
    * The libcryptsetup now keeps all file descriptors to underlying device
      open during the whole lifetime of crypt device context to avoid excessive
      scanning in udev (udev run scan on every descriptor close).
    * The luksDump command now prints more info for reencryption keyslot
      (when a device is in-reencryption).
    * New --device-size parameter is supported for LUKS2 reencryption.
    * New --resume-only parameter is supported for LUKS2 reencryption.
    * The repair command now tries LUKS2 reencryption recovery if needed.
    * If reencryption device is a file image, an interactive dialog now
      asks if reencryption should be run safely in offline mode
      (if autodetection of active devices failed).
    * Fix activation through a token where dm-crypt volume key was not
      set through keyring (but using old device-mapper table parameter mode).
    * Online reencryption can now retain all keyslots (if all passphrases
      are provided). Note that keyslot numbers will change in this case.
    * Allow volume key file to be used if no LUKS2 keyslots are present.
    * Print a warning if online reencrypt is called over LUKS1 (not supported).
    * Fix TCRYPT KDF failure in FIPS mode.
    * Remove FIPS mode restriction for crypt_volume_key_get.
    * Reduce keyslots area size in luksFormat when the header device is too small.
    * Make resize action accept --device-size parameter (supports units suffix).
* Thu Oct 17 2019 [email protected]
  - Create a weak dependency cycle between libcryptsetup and
    libcryptsetup-hmac to make sure they are installed together
    (bsc#1090768)
* Fri Feb 15 2019 [email protected]
  - Use noun phrase in summary.
* Fri Feb 15 2019 [email protected]
  - New version 2.1.0
    * The default size of the LUKS2 header is increased to 16 MB.
      It includes metadata and the area used for binary keyslots;
      it means that LUKS header backup is now 16MB in size.
    * Cryptsetup now doubles LUKS default key size if XTS mode is used
      (XTS mode uses two internal keys). This does not apply if key size
      is explicitly specified on the command line and it does not apply
      for the plain mode.
      This fixes a confusion with AES and 256bit key in XTS mode where
      code used AES128 and not AES256 as often expected.
    * Default cryptographic backend used for LUKS header processing is now
      OpenSSL. For years, OpenSSL provided better performance for PBKDF.
    * The Python bindings are no longer supported and the code was removed
      from cryptsetup distribution. Please use the libblockdev project
      that already covers most of the libcryptsetup functionality
      including LUKS2.
    * Cryptsetup now allows using --offset option also for luksFormat.
    * Cryptsetup now supports new refresh action (that is the alias for
      "open --refresh").
    * Integritysetup now supports mode with detached data device through
      new --data-device option.
  - 2.1.0 would use LUKS2 as default, we stay with LUKS1 for now until
    someone has time to evaluate the fallout from switching to LUKS2.
* Tue Oct 30 2018 [email protected]
  - Suggest hmac package (boo#1090768)
  - remove old upgrade hack for upgrades from 12.1
  - New version 2.0.5
    Changes since version 2.0.4
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    * Wipe full header areas (including unused) during LUKS format.
      Since this version, the whole area up to the data offset is zeroed,
      and subsequently, all keyslots areas are wiped with random data.
      This ensures that no remaining old data remains in the LUKS header
      areas, but it could slow down format operation on some devices.
      Previously only first 4k (or 32k for LUKS2) and the used keyslot
      was overwritten in the format operation.
    * Several fixes to error messages that were unintentionally replaced
      in previous versions with a silent exit code.
      More descriptive error messages were added, including error
      messages if
    - a device is unusable (not a block device, no access, etc.),
    - a LUKS device is not detected,
    - LUKS header load code detects unsupported version,
    - a keyslot decryption fails (also happens in the cipher check),
    - converting an inactive keyslot.
    * Device activation fails if data area overlaps with LUKS header.
    * Code now uses explicit_bzero to wipe memory if available
      (instead of own implementation).
    * Additional VeraCrypt modes are now supported, including Camellia
      and Kuznyechik symmetric ciphers (and cipher chains) and Streebog
      hash function. These were introduced in a recent VeraCrypt upstream.
      Note that Kuznyechik requires out-of-tree kernel module and
      Streebog hash function is available only with the gcrypt cryptographic
      backend for now.
    * Fixes static build for integritysetup if the pwquality library is used.
    * Allows passphrase change for unbound keyslots.
    * Fixes removed keyslot number in verbose message for luksKillSlot,
      luksRemoveKey and erase command.
    * Adds blkid scan when attempting to open a plain device and warn the user
      about existing device signatures in a ciphertext device.
    * Remove LUKS header signature if luksFormat fails to add the first keyslot.
    * Remove O_SYNC from device open and use fsync() to speed up
      wipe operation considerably.
    * Create --master-key-file in luksDump and fail if the file already exists.
    * Fixes a bug when LUKS2 authenticated encryption with a detached header
      wiped the header device instead of dm-integrity data device area (causing
      unnecessary LUKS2 header auto recovery).
* Tue Oct 30 2018 [email protected]
  - make parallell installable version for SLE12
* Tue Aug 21 2018 [email protected]
  - New version 2.0.4
    Changes since version 2.0.3
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    * Use the libblkid (blockid) library to detect foreign signatures
      on a device before LUKS format and LUKS2 auto-recovery.
      This change fixes an unexpected recovery using the secondary
      LUKS2 header after a device was already overwritten with
      another format (filesystem or LVM physical volume).
      LUKS2 will not recreate a primary header if it detects a valid
      foreign signature. In this situation, a user must always
      use cryptsetup repair command for the recovery.
      Note that libcryptsetup and utilities are now linked to libblkid
      as a new dependence.
      To compile code without blockid support (strongly discouraged),
      use --disable-blkid configure switch.
    * Add prompt for format and repair actions in cryptsetup and
      integritysetup if foreign signatures are detected on the device
      through the blockid library.
      After the confirmation, all known signatures are then wiped as
      part of the format or repair procedure.
    * Print consistent verbose message about keyslot and token numbers.
      For keyslot actions: Key slot <number> unlocked/created/removed.
      For token actions: Token <number> created/removed.
    * Print error, if a non-existent token is tried to be removed.
    * Add support for LUKS2 token definition export and import.
      The token command now can export/import customized token JSON file
      directly from command line. See the man page for more details.
    * Add support for new dm-integrity superblock version 2.
    * Add an error message when nothing was read from a key file.
    * Update cryptsetup man pages, including --type option usage.
    * Add a snapshot of LUKS2 format specification to documentation
      and accordingly fix supported secondary header offsets.
    * Add bundled optimized Argon2 SSE (X86_64 platform) code.
      If the bundled Argon2 code is used and the new configure switch
    - -enable-internal-sse-argon2 option is present, and compiler flags
      support required optimization, the code will try to use optimized
      and faster variant.
      Always use the shared library (--enable-libargon2) if possible.
      This option was added because an enterprise distribution
      rejected to support the shared Argon2 library and native support
      in generic cryptographic libraries is not ready yet.
    * Fix compilation with crypto backend for LibreSSL >= 2.7.0.
      LibreSSL introduced OpenSSL 1.1.x API functions, so compatibility
      wrapper must be commented out.
    * Fix on-disk header size calculation for LUKS2 format if a specific
      data alignment is requested. Until now, the code used default size
      that could be wrong for converted devices.
    Changes since version 2.0.2
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    * Expose interface to unbound LUKS2 keyslots.
      Unbound LUKS2 keyslot allows storing a key material that is independent
      of master volume key (it is not bound to encrypted data segment).
    * New API extensions for unbound keyslots (LUKS2 only)
      crypt_keyslot_get_key_size() and crypt_volume_key_get()
      These functions allow to get key and key size for unbound keyslots.
    * New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only).
    * Add --unbound keyslot option to the cryptsetup luksAddKey command.
    * Add crypt_get_active_integrity_failures() call to get integrity
      failure count for dm-integrity devices.
    * Add crypt_get_pbkdf_default() function to get per-type PBKDF default
      setting.
    * Add new flag to crypt_keyslot_add_by_key() to force update device
      volume key. This call is mainly intended for a wrapped key change.
    * Allow volume key store in a file with cryptsetup.
      The --dump-master-key together with --master-key-file allows cryptsetup
      to store the binary volume key to a file instead of standard output.
    * Add support detached header for cryptsetup-reencrypt command.
    * Fix VeraCrypt PIM handling - use proper iterations count formula
      for PBKDF2-SHA512 and PBKDF2-Whirlpool used in system volumes.
    * Fix cryptsetup tcryptDump for VeraCrypt PIM (support --veracrypt-pim).
    * Add --with-default-luks-format configure time option.
      (Option to override default LUKS format version.)
    * Fix LUKS version conversion for detached (and trimmed) LUKS headers.
    * Add luksConvertKey cryptsetup command that converts specific keyslot
      from one PBKDF to another.
    * Do not allow conversion to LUKS2 if LUKSMETA (external tool metadata)
      header is detected.
    * More cleanup and hardening of LUKS2 keyslot specific validation options.
      Add more checks for cipher validity before writing metadata on-disk.
    * Do not allow LUKS1 version downconversion if the header contains tokens.
    * Add "paes" family ciphers (AES wrapped key scheme for mainframes)
      to allowed ciphers.
      Specific wrapped ley configuration logic must be done by 3rd party tool,
      LUKS2 stores only keyslot material and allow activation of the device.
    * Add support for --check-at-most-once option (kernel 4.17) to veritysetup.
      This flag can be dangerous; if you can control underlying device
      (you can change its content after it was verified) it will no longer
      prevent reading tampered data and also it does not prevent silent
      data corruptions that appear after the block was once read.
    * Fix return code (EPERM instead of EINVAL) and retry count for bad
      passphrase on non-tty input.
    * Enable support for FEC decoding in veritysetup to check dm-verity devices
      with additional Reed-Solomon code in userspace (verify command).
    Changes since version 2.0.1
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    * Fix a regression in early detection of inactive keyslot for luksKillSlot.
      It tried to ask for passphrase even for already erased keyslot.
    * Fix a regression in loopaesOpen processing for keyfile on standard input.
      Use of "-" argument was not working properly.
    * Add LUKS2 specific options for cryptsetup-reencrypt.
      Tokens and persistent flags are now transferred during reencryption;
      change of PBKDF keyslot parameters is now supported and allows
      to set precalculated values (no benchmarks).
    * Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags
      combination. Persistent flags are now stored only if the device was
      successfully activated with the specified flags.
    * Fix integritysetup format after recent Linux kernel changes that
      requires to setup key for HMAC in all cases.
      Previously integritysetup allowed HMAC with zero key that behaves
      like a plain hash.
    * Fix VeraCrypt PIM handling that modified internal iteration counts
      even for subsequent activations. The PIM count is no longer printed
      in debug log as it is sensitive information.
      Also, the code now skips legacy TrueCrypt algorithms if a PIM
      is specified (they cannot be used with PIM anyway).
    * PBKDF values cannot be set (even with force parameters) below
      hardcoded minimums. For PBKDF2 is it 1000 iterations, for Argon2
      it is 4 iterations and 32 KiB of memory cost.
    * Introduce new crypt_token_is_assigned() API function for reporting
      the binding between token and keyslots.
    * Allow crypt_token_json_set() API function to create internal token types.
      Do not allow unknown fields in internal token objects.
    * Print message in cryptsetup that about was aborted if a user did not
      answer YES in a query.
* Tue Jan 30 2018 [email protected]
  - update to 2.0.1:
    * To store volume key into kernel keyring, kernel 4.15 with
      dm-crypt 1.18.1 is required
    * Increase maximum allowed PBKDF memory-cost limit to 4 GiB
    * Use /run/cryptsetup as default for cryptsetup locking dir
    * Introduce new 64-bit byte-offset *keyfile_device_offset functions.
    * New set of fucntions that allows 64-bit offsets even on 32bit systems
      are now availeble:
    - crypt_resume_by_keyfile_device_offset
    - crypt_keyslot_add_by_keyfile_device_offset
    - crypt_activate_by_keyfile_device_offset
    - crypt_keyfile_device_read
      The new functions have added the _device_ in name.
      Old functions are just internal wrappers around these.
    * Also cryptsetup --keyfile-offset and --new-keyfile-offset now
      allows 64-bit offsets as parameters.
    * Add error hint for wrongly formatted cipher strings in LUKS1 and
      properly fail in luksFormat if cipher format is missing required IV.
* Fri Dec 22 2017 [email protected]
  - Update to version 2.0.0:
    * Add support for new on-disk LUKS2 format
    * Enable to use system libargon2 instead of bundled version
    * Install tmpfiles.d configuration for LUKS2 locking directory
    * New command integritysetup: support for the new dm-integrity kernel target
    * Support for larger sector sizes for crypt devices
    * Miscellaneous fixes and improvements
* Sat Apr 29 2017 [email protected]
  - Update to version 1.7.5:
    * Fixes to luksFormat to properly support recent kernel running
      in FIPS mode (bsc#1031998).
    * Fixes accesses to unaligned hidden legacy TrueCrypt header.
    * Fixes to optional dracut ramdisk scripts for offline
      re-encryption on initial boot.
* Fri Mar 17 2017 [email protected]
  - Update to version 1.7.4:
    * Allow to specify LUKS1 hash algorithm in Python luksFormat
      wrapper.
    * Use LUKS1 compiled-in defaults also in Python wrapper.
    * OpenSSL backend: Fix OpenSSL 1.1.0 support without backward
      compatible API.
    * OpenSSL backend: Fix LibreSSL compatibility.
    * Check for data device and hash device area overlap in
      veritysetup.
    * Fix a possible race while allocating a free loop device.
    * Fix possible file descriptor leaks if libcryptsetup is run from
      a forked process.
    * Fix missing same_cpu_crypt flag in status command.
    * Various updates to FAQ and man pages.
  - Changes for version 1.7.3:
    * Fix device access to hash offsets located beyond the 2GB device
      boundary in veritysetup.
    * Set configured (compile-time) default iteration time for
      devices created directly through libcryptsetup
    * Fix PBKDF2 benchmark to not double iteration count for specific
      corner case.
    * Verify passphrase in cryptsetup-reencrypt when encrypting a new
      drive.
    * OpenSSL backend: fix memory leak if hash context was repeatedly
      reused.
    * OpenSSL backend: add support for OpenSSL 1.1.0.
    * Fix several minor spelling errors.
    * Properly check maximal buffer size when parsing UUID from
      /dev/disk/.
* Thu Aug 25 2016 [email protected]
  - Update to version 1.7.2:
    * Update LUKS documentation format.
      Clarify fixed sector size and keyslots alignment.
    * Support activation options for error handling modes in
      Linux kernel dm-verity module:
    - -ignore-corruption - dm-verity just logs detected corruption
    - -restart-on-corruption - dm-verity restarts the kernel if
      corruption is detected
      If the options above are not specified, default behavior for
      dm-verity remains. Default is that I/O operation fails with
      I/O error if corrupted block is detected.
    - -ignore-zero-blocks - Instructs dm-verity to not verify
      blocks that are expected to contain zeroes and always
      return zeroes directly instead.
      NOTE that these options could have security or functional
      impacts, do not use them without assessing the risks!
    * Fix help text for cipher benchmark specification
      (mention --cipher option).
    * Fix off-by-one error in maximum keyfile size.
      Allow keyfiles up to compiled-in default and not that value
      minus one.
    * Support resume of interrupted decryption in cryptsetup-reencrypt
      utility. To resume decryption, LUKS device UUID (--uuid option)
      option must be used.
    * Do not use direct-io for LUKS header with unaligned keyslots.
      Such headers were used only by the first cryptsetup-luks-1.0.0
      release (2005).
    * Fix device block size detection to properly work on particular
      file-based containers over underlying devices with 4k sectors.
  - Update to version 1.7.1:
    * Code now uses kernel crypto API backend according to new
      changes introduced in mainline kernel
      While mainline kernel should contain backward compatible
      changes, some stable series kernels do not contain fully
      backported compatibility patches.
      Without these patches  most of cryptsetup operations
      (like unlocking device) fail.
      This change in cryptsetup ensures that all operations using
      kernel crypto API works even on these kernels.
    * The cryptsetup-reencrypt utility now properly detects removal
      of underlying link to block device and does not remove
      ongoing re-encryption log.
      This allows proper recovery (resume) of reencrypt operation later.
      NOTE: Never use /dev/disk/by-uuid/ path for reencryption utility,
      this link disappears once the device metadata is temporarily
      removed from device.
    * Cryptsetup now allows special "-" (standard input) keyfile handling
      even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices.
    * Cryptsetup now fails if there are more keyfiles specified
      for non-TCRYPT device.
    * The luksKillSlot command now does not suppress provided password
      in batch mode (if password is wrong slot is not destroyed).
      Note that not providing password in batch mode means that keyslot
      is destroyed unconditionally.
* Sat Jan 09 2016 [email protected]
  - update to 1.7.0:
    * The cryptsetup 1.7 release changes defaults for LUKS,
      there are no API changes.
    * Default hash function is now SHA256 (used in key derivation
      function and anti-forensic splitter).
    * Default iteration time for PBKDF2 is now 2 seconds.
    * Fix PBKDF2 iteration benchmark for longer key sizes.
    * Remove experimental warning for reencrypt tool.
    * Add optional libpasswdqc support for new LUKS passwords.
    * Update FAQ document.
* Thu Dec 10 2015 [email protected]
  - Fix missing dependency on coreutils for initrd macros (boo#958562)
  - Call missing initrd macro at postun (boo#958562)
* Tue Sep 08 2015 [email protected]
  - Update to 1.6.8
    * If the null cipher (no encryption) is used, allow only empty
      password for LUKS. (Previously cryptsetup accepted any password
      in this case.)
      The null cipher can be used only for testing and it is used
      temporarily during offline encrypting not yet encrypted device
      (cryptsetup-reencrypt tool).
      Accepting only empty password prevents situation when someone
      adds another LUKS device using the same UUID (UUID of existing
      LUKS device) with faked header containing null cipher.
      This could force user to use different LUKS device (with no
      encryption) without noticing.
      (IOW it prevents situation when attacker intentionally forces
      user to boot into different system just by LUKS header
      manipulation.)
      Properly configured systems should have an additional integrity
      protection in place here (LUKS here provides only
      confidentiality) but it is better to not allow this situation
      in the first place.
      (For more info see QubesOS Security Bulletin QSB-019-2015.)
    * Properly support stdin "-" handling for luksAddKey for both new
      and old keyfile parameters.
    * If encrypted device is file-backed (it uses underlying loop
      device), cryptsetup resize will try to resize underlying loop
      device as well. (It can be used to grow up file-backed device
      in one step.)
    * Cryptsetup now allows to use empty password through stdin pipe.
      (Intended only for testing in scripts.)
* Sun Apr 12 2015 [email protected]
  - Enable verbose build log.
* Sun Apr 12 2015 [email protected]
  - regenerate the initrd if cryptsetup tool changes
    (wanted by 90crypt dracut module)
* Thu Apr 02 2015 [email protected]
  - Update to 1.6.7
    * Cryptsetup TCRYPT mode now supports VeraCrypt devices
      (TrueCrypt extension)
    * Support keyfile-offset and keyfile-size options even for plain
      volumes.
    * Support keyfile option for luksAddKey if the master key is
      specified.
    * For historic reasons, hashing in the plain mode is not used if
      keyfile is specified (with exception of --key-file=-). Print
      a warning if these parameters are ignored.
    * Support permanent device decryption for cryptsetup-reencrypt.
      To remove LUKS encryption from a device, you can now use
    - -decrypt option.
    * Allow to use --header option in all LUKS commands. The
    - -header always takes precedence over positional device argument.
    * Allow luksSuspend without need to specify a detached header.
    * Detect if O_DIRECT is usable on a device allocation. There are
      some strange storage stack configurations which wrongly allows
      to open devices with direct-io but fails on all IO operations later.
    * Add low-level performance options tuning for dmcrypt (for
      Linux 4.0 and later).
    * Get rid of libfipscheck library.
      (Note that this option was used only for Red Hat and derived
      distributions.) With recent FIPS changes we do not need to
      link to this FIPS monster anymore. Also drop some no longer
      needed FIPS mode checks.
    * Many fixes and clarifications to man pages.
    * Prevent compiler to optimize-out zeroing of buffers for on-stack
      variables.
    * Fix a crash if non-GNU strerror_r is used.

Files

/run/cryptsetup
/sbin/cryptsetup
/usr/lib/tmpfiles.d/cryptsetup.conf
/usr/sbin/cryptsetup
/usr/sbin/integritysetup
/usr/sbin/veritysetup
/usr/share/licenses/cryptsetup
/usr/share/licenses/cryptsetup/COPYING
/usr/share/licenses/cryptsetup/COPYING.LGPL


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 20:22:04 2024