Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

cryptsetup-2.7.5-1.2 RPM for i586

From OpenSuSE Ports Tumbleweed for i586

Name: cryptsetup Distribution: openSUSE Tumbleweed
Version: 2.7.5 Vendor: openSUSE
Release: 1.2 Build date: Fri Sep 13 09:36:26 2024
Group: System/Base Build host: reproducible
Size: 391920 Source RPM: cryptsetup-2.7.5-1.2.src.rpm
Packager: http://bugs.opensuse.org
Url: https://gitlab.com/cryptsetup/cryptsetup/
Summary: Setup program for dm-crypt Based Encrypted Block Devices
cryptsetup is used to conveniently set up dm-crypt based device-mapper
targets. It allows to set up targets to read cryptoloop compatible
volumes as well as LUKS formatted ones. The package additionally
includes support for automatically setting up encrypted volumes at boot
time via the config file /etc/crypttab.

Provides

Requires

License

CC-BY-SA-4.0 AND LGPL-2.0-or-later WITH cryptsetup-OpenSSL-exception

Changelog

* Fri Sep 13 2024 Pedro Monreal <[email protected]>
  - Update to 2.7.5:
    * Fix possible online reencryption data corruption (only in 2.7.x).
      In some situations (initializing a suspended device-mapper device),
      cryptsetup disabled direct-io device access. This caused unsafe
      online reencryption operations that could lead to data corruption.
      The code now adds strict checks (and aborts the operation) and
      changes direct-io detection code to prevent data corruption.
    * Fix a clang compilation error in SSH token plugin.
      As clang linker treats missing symbols as errors, the linker phase
      for the SSH token failed as the optional cryptsetup_token_buffer_free
      was not defined.
    * Fix crypto backend initialization in crypt_format_luks2_opal API call.
* Wed Jul 31 2024 Martin Schreiner <[email protected]>
  - Update to 2.7.4:
    * Detect device busy failure for device-mapper table-referenced
      devices.
    * Fix shared activation for dm-verity devices.
    * Add --shared option for veritysetup open action.
    * Do not use exclusive flag for the allocated backing loop files.
    * Fixes for problems found by static analyzers and Valgrind.
    * Fixes to tests and CI scripts.
  - Use fdupes to link identical man pages.
* Tue Jul 30 2024 Pedro Monreal <[email protected]>
  - Update to 2.7.3:
    * Do not allow formatting LUKS2 with Opal SED (hardware encryption)
      if the reported logical sector size for the block device and Opal
      encryption logical block differs.
    * Fixes to wiping LUKS2 headers after Opal locking area erase.
    * Mention the need for possible PSID revert before Opal format for some
      drives (man page).
    * Fix Bitlocker-compatible code to ignore newly seen metadata entries.
    * Fix interactive query retry if LUKS2 unbound keyslot is present.
    * Detect unsupported zoned devices for LUKS header devices.
    * Allow "capi" cipher format for benchmark command and fix parsing
      of plain IV in "capi" format.
    * Add support for HCTR2 encryption mode.
    * Source code now uses SPDX license identifiers instead of full
      license preambles.
    * Fix missing includes for cryptographic backend that could cause
      compilation errors for some systems.
    * Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
    * Fix various (mostly false positive) issues detected by Coverity.
* Fri Jul 12 2024 Petr Vorel <[email protected]>
  - License: Replace legacy 'AND SUSE-GPL-2.0-with-openssl-exception' with
    'WITH cryptsetup-OpenSSL-exception' (the official SPDX exception).
* Tue Apr 09 2024 Andreas Stieger <[email protected]>
  - update to 2.7.2:
    * Fix activation of OPAL-only encrypted LUKS device with tokens
    * Fix formatting of OPAL devices with 4096-byte sector size
    * Fix incorrect OPAL locking range alignment calculation if
      used over an unaligned device partition.
    * Do not check the passphrase quality for OPAL Admin PIN,
      as this passphrase already exists.
    * Update license for FAQ document to CC BY-SA 4.0.
    NOTE: Please note that with OPAL-only (--hw-opal-only)
    encryption, the configured OPAL administrator PIN (passphrase)
    allows unlocking all configured locking ranges without LUKS
    keyslot decryption (without knowledge of LUKS passphrase).
    Because of many observed problems with compatibility, cryptsetup
    currently DOES NOT use OPAL single-user mode, which would allow
    such decoupling of OPAL admin PIN access.
* Wed Mar 13 2024 Pedro Monreal <[email protected]>
  - Update to 2.7.1:
    * Fix interrupted LUKS1 decryption resume.
    With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
    reencrypt command, resuming the interrupted LUKS1 decryption operation
    could fail. LUKS2 was not affected.
    * Allow --link-vk-to-keyring with --test-passphrase option.
    This option allows uploading the volume key in a user-specified kernel
    keyring without activating the device.
    * Fix crash when --active-name was used in decryption initialization.
    * Updates and changes to man pages, including indentation, sorting options
    alphabetically, fixing mistakes in crypt_set_keyring_to_link, and fixing
    some typos.
    * Fix compilation with libargon2 when --disable-internal-argon2 was used.
    * Do not require installed argon2.h header and never compile internal
    libargon2 code if the crypto library directly supports Argon2.
    * Fixes to regression tests to support older Linux distributions.
* Mon Jan 29 2024 Pedro Monreal <[email protected]>
  - Update to 2.7.0:
    * Full changelog in:
      mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes
    * Introduce support for hardware OPAL disk encryption.
    * plain mode: Set default cipher to aes-xts-plain64 and password hashing
      to sha256.
    * Allow activation (open), luksResume, and luksAddKey to use the volume
      key stored in a keyring.
    * Allow to store volume key to a user-specified keyring in open and
      luksResume commands.
    * Do not flush IO operations if resize grows the device.
      This can help performance in specific cases where the encrypted device
      is extended automatically while running many IO operations.
    * Use only half of detected free memory for Argon2 PBKDF on systems
      without swap (for LUKS2 new keyslot or format operations).
    * Add the possibility to specify a directory for external LUKS2 token
      handlers (plugins).
    * Do not allow reencryption/decryption on LUKS2 devices with
      authenticated encryption or hardware (OPAL) encryption.
    * Do not fail LUKS format if the operation was interrupted on subsequent
      device wipe.
    * Fix the LUKS2 keyslot option to be used while activating the device
      by a token.
    * Properly report if the dm-verity device cannot be activated due to
      the inability to verify the signed root hash (ENOKEY).
    * Fix to check passphrase for selected keyslot only when adding
      new keyslot.
    * Fix to not wipe the keyslot area before in-place overwrite.
    * bitlk: Fix segfaults when attempting to verify the volume key.
    * Add --disable-blkid command line option to avoid blkid device check.
    * Add support for the meson build system.
    * Fix wipe operation that overwrites the whole device if used for LUKS2
      header with no keyslot area.
    * Fix luksErase to work with detached LUKS header.
    * Disallow the use of internal kernel crypto driver names in "capi"
      specification.
    * Fix reencryption to fail early for unknown cipher.
    * tcrypt: Support new Blake2 hash for VeraCrypt.
    * tcrypt: use hash values as substring for limiting KDF check.
    * Add Aria cipher support and block size info.
    * Do not decrease PBKDF parameters if the user forces them.
    * Support OpenSSL 3.2 Argon2 implementation.
    * Add support for Argon2 from libgcrypt
      (requires yet unreleased gcrypt 1.11).
    * Used Argon2 PBKDF implementation is now reported in debug mode
      in the cryptographic backend version. For native support in
      OpenSSL 3.2 or libgcrypt 1.11, "argon2" is displayed.
      If libargon2 is used, "cryptsetup libargon2" (for embedded
      library) or "external libargon2" is displayed.
    * Link only libcrypto from OpenSSL.
    * Disable reencryption for Direct-Access (DAX) devices.
    * Print a warning message if the device is not aligned to sector size.
    * Fix sector size and integrity fields display for non-LUKS2 crypt
      devices for the status command.
    * Fix suspend for LUKS2 with authenticated encryption (also suspend
      dm-integrity device underneath).
    * Update keyring and locking documentation and LUKS2 specification
      for OPAL2 support.
    * Remove patches fixed upstream:
    - cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
    - cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
    - cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
* Thu Jul 13 2023 Pedro Monreal <[email protected]>
  - luksFormat: Handle system with low memory and no swap space [bsc#1211079]
    * Check for physical memory available also in PBKDF benchmark.
    * Try to avoid OOM killer on low-memory systems without swap.
    * Use only half of detected free memory on systems without swap.
    * Add patches:
    - cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
    - cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
    - cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
* Wed Jun 14 2023 Pedro Monreal <[email protected]>
  - Enable running the regression test suite.
  - Force a regeneration of the man pages from AsciiDoc.
  - Add LUKS1 and LUKS2 On-Disk Format Specification pdfs to doc.
* Wed Jun 14 2023 Pedro Monreal <[email protected]>
  - FIPS: Remove not needed libcryptsetup12-hmac package that contains
    the HMAC checksums for integrity checking for FIPS. [bsc#1185116]
    * Remove the cryptsetup-rpmlintrc file.
    * Remove not needed fipscheck dependency.
* Sun Feb 12 2023 Andreas Stieger <[email protected]>
  - cryptsetup 2.6.1
    * bitlk: Fixes for BitLocker-compatible on-disk metadata parser
    * Fix possible iteration overflow in OpenSSL2 PBKDF2 crypto
      backend
    * portability and compilation fixes
    * verity: Fix possible hash offset setting overflow.
    * bitlk: Fix use of startup BEK key on big-endian platforms.
    * Do not initiate encryption (reencryption command) when the
      header and data devices are the same. If data device reduction
      is not requsted, this leads to data corruption since LUKS
      metadata was written over the data device.
    * Fix possible memory leak if crypt_load() fails.
    * Always use passphrases with a minimal 8 chars length for
      benchmarking, as used in some implementation of FIPS mode
* Tue Dec 27 2022 Ludwig Nussel <[email protected]>
  - Replace transitional %usrmerged macro with regular version check (boo#1206798)
* Mon Nov 28 2022 Paolo Stivanin <[email protected]>
  - cryptsetup 2.6.0:
    * Introduce support for handling macOS FileVault2 devices (FVAULT2).
    * libcryptsetup: no longer use global memory locking through mlockall()
    * libcryptsetup: process priority is increased only for key derivation
      (PBKDF) calls.
    * Add new LUKS keyslot context handling functions and API.
    * The volume key may now be extracted using a passphrase, keyfile, or
      token. For LUKS devices, it also returns the volume key after
      a successful crypt_format call.
    * Fix --disable-luks2-reencryption configuration option.
    * cryptsetup: Print a better error message and warning if the format
      produces an image without space available for data.
    * Print error if anti-forensic LUKS2 hash setting is not available.
      If the specified hash was not available, activation quietly failed.
    * Fix internal crypt segment compare routine if the user
      specified cipher in kernel format (capi: prefix).
    * cryptsetup: Add token unassign action.
      This action allows removing token binding on specific keyslot.
    * veritysetup: add support for --use-tasklets option.
      This option sets try_verify_in_tasklet kernel dm-verity option
      (available since Linux kernel 6.0) to allow some performance
      improvement on specific systems.
    * Provide pkgconfig Require.private settings.
      While we do not completely provide static build on udev systems,
      it helps produce statically linked binaries in certain situations.
    * Always update automake library files if autogen.sh is run.
      For several releases, we distributed older automake scripts by mistake.
    * reencryption: Fix user defined moved segment size in LUKS2 decryption.
      The --hotzone-size argument was ignored in cases where the actual data
      size was less than the original LUKS2 data offset.
    * Delegate FIPS mode detection to configured crypto backend.
      System FIPS mode check no longer depends on /etc/system-fips file.
    * Update documentation, including FAQ and man pages.
* Tue Sep 13 2022 Luca Boccassi <[email protected]>
  - Add virtual provides for 'integritysetup' and 'veritysetup' to match
    package names provided by Fedora/RHEL, to allow the same set of
    dependencies to be used across all RPM distributions.
* Mon Aug 22 2022 Ludwig Nussel <[email protected]>
  - cryptsetup 2.5.0:
    * Split manual pages into per-action pages and use AsciiDoc format.
    * Remove cryptsetup-reencrypt tool from the project and move reencryption
      to already existing "cryptsetup reencrypt" command.
      If you need to emulate the old cryptsetup-reencrypt binary, use simple
      wrappers script running "exec cryptsetup reencrypt $@".
    * LUKS2: implement --decryption option that allows LUKS removal.
    * Fix decryption operation with --active-name option and restrict
      it to be used only with LUKS2.
    * Do not refresh reencryption digest when not needed.
      This should speed up the reencryption resume process.
    * Store proper resilience data in LUKS2 reencrypt initialization.
      Resuming reencryption now does not require specification of resilience
      type parameters if these are the same as during initialization.
    * Properly wipe the unused area after reencryption with datashift in
      the forward direction.
    * Check datashift value against larger sector size.
      For example, it could cause an issue if misaligned 4K sector appears
      during decryption.
    * Do not allow sector size increase reencryption in offline mode.
    * Do not allow dangerous sector size change during reencryption.
    * Ask the user for confirmation before resuming reencryption.
    * Do not resume reencryption with conflicting parameters.
    * Add --force-offline-reencrypt option.
    * Do not allow nested encryption in LUKS reencrypt.
    * Support all options allowed with luksFormat with encrypt action.
    * Add resize action to integritysetup.
    * Remove obsolete dracut plugin reencryption example.
    * Fix possible keyslot area size overflow during conversion to LUKS2.
    * Allow use of --header option for cryptsetup close.
    * Fix activation of LUKS2 device with integrity and detached header.
    * Add ZEROOUT IOCTL support for crypt_wipe API call.
    * VERITY: set loopback sector size according to dm-verity block sizes.
    * veritysetup: dump device sizes.
    * LUKS2 token: prefer token PIN query before passphrase in some cases.
      When a user provides --token-type or specific --token-id, a token PIN
      query is preferred to a passphrase query.
    * LUKS2 token: allow tokens to be replaced with --token-replace option
      for cryptsetup token command.
    * LUKS2 token: do not continue operation when interrupted in PIN prompt.
    * Add --progress-json parameter to utilities.
    * Add support for --key-slot option in luksResume action.
  - move man pages to separate subpackage
  - drop backports handling
* Fri Jan 14 2022 Andreas Stieger <[email protected]>
  - cryptsetup 2.4.3:
    * Fix possible attacks against data confidentiality through
      LUKS2 online reencryption extension crash recovery
      CVE-2021-4122, boo#1194469
    * Add configure option --disable-luks2-reencryption to completely
      disable LUKS2 reencryption code.
    * Improve internal metadata validation code for reencryption
      metadata
    * Add updated documentation for LUKS2 On-Disk Format
      Specification version 1.1.0
    * Fix support for bitlk (BitLocker compatible) startup key with
      new  metadata entry introduced in Windows 11
    * Fix space restriction for LUKS2 reencryption with data shift
* Thu Nov 18 2021 Andreas Stieger <[email protected]>
  - cryptsetup 2.4.2:
    * Fix possible large memory allocation if LUKS2 header size is
      invalid.
    * Fix memory corruption in debug message printing LUKS2
      checksum.
    * veritysetup: remove link to the UUID library for the static
      build.
    * Remove link to pwquality library for integritysetup and
      veritysetup. These tools do not read passphrases.
    * OpenSSL3 backend: avoid remaining deprecated calls in API.
      Crypto backend no longer use API deprecated in OpenSSL 3.0
    * Check if kernel device-mapper create device failed in an early
      phase. This happens when a concurrent creation of device-mapper
      devices meets in the very early state.
    * Do not set compiler optimization flag for Argon2 KDF if the
      memory wipe is implemented in libc.
    * Do not attempt to unload LUKS2 tokens if external tokens are
      disabled. This allows building a static binary with
    - -disable-external-tokens.
    * LUKS convert: also check sysfs for device activity.
      If udev symlink is missing, code fallbacks to sysfs scan to
      prevent data corruption for the active device.
* Thu Sep 16 2021 Ludwig Nussel <[email protected]>
  - cryptsetup 2.4.1
    * Fix compilation for libc implementations without dlvsym().
    * Fix compilation and tests on systems with non-standard libraries
    * Try to workaround some issues on systems without udev support.
    * Fixes for OpenSSL3 crypto backend (including FIPS mode).
    * Print error message when assigning a token to an inactive keyslot.
    * Fix offset bug in LUKS2 encryption code if --offset option was used.
    * Do not allow LUKS2 decryption for devices with data offset.
    * Fix LUKS1 cryptsetup repair command for some specific problems.
* Wed Aug 25 2021 Ludwig Nussel <[email protected]>
  - As YaST passes necessary parameters to cryptsetup anyway, we do
    not necessarily need to take grub into consideration. So back to
    Argon2 to see how it goes.
* Tue Aug 03 2021 Ludwig Nussel <[email protected]>
  - need to use PBKDF2 by default for LUKS2 as grub can't decrypt when
    using Argon.
* Mon Aug 02 2021 Ludwig Nussel <[email protected]>
  - cryptsetup 2.4.0 (jsc#SLE-20275)
    * External LUKS token plugins
    * Experimental SSH token
    * Default LUKS2 PBKDF is now Argon2id
    * Increase minimal memory cost for Argon2 benchmark to 64MiB.
    * Autodetect optimal encryption sector size on LUKS2 format.
    * Use VeraCrypt option by default and add --disable-veracrypt option.
    * Support --hash and --cipher to limit opening time for TCRYPT type
    * Fixed default OpenSSL crypt backend support for OpenSSL3.
    * integritysetup: add integrity-recalculate-reset flag.
    * cryptsetup: retains keyslot number in luksChangeKey for LUKS2.
    * Fix cryptsetup resize using LUKS2 tokens.
    * Add close --deferred and --cancel-deferred options.
    * Rewritten command-line option parsing to avoid libpopt arguments
      memory leaks.
    * Add --test-args option.
* Mon Aug 02 2021 Fabian Vogt <[email protected]>
  - Use LUKS2 as default format on Tumbleweed.
    It provides some additional features which other tools
    (e.g. systemd-cryptenroll) rely on. GRUB 2.06 supports unlocking
    LUKS2 volumes meanwhile.
* Thu Jul 01 2021 Ludwig Nussel <[email protected]>
  - cryptsetup 2.3.6:
    * integritysetup: Fix possible dm-integrity mapping table truncation.
    * cryptsetup: Backup header can be used to activate TCRYPT device.
      Use --header option to specify the header.
    * cryptsetup: Avoid LUKS2 decryption without detached header.
      This feature will be added later and is currently not supported.
    * Additional fixes and workarounds for common warnings produced
      by some static analysis tools (like gcc-11 analyzer) and additional
      code hardening.
    * Fix standalone libintl detection for compiled tests.
    * Add Blake2b and Blake2s hash support for crypto backends.
      Kernel and gcrypt crypto backend support all variants.
      OpenSSL supports only Blake2b-512 and Blake2s-256.
      Crypto backend supports kernel notation e.g. "blake2b-512".
* Sat Mar 13 2021 Andreas Stieger <[email protected]>
  - cryptsetup 2.3.5:
    * Fix partial reads of passphrase from an interactive terminal
    * Fix maximum length of password entered through a terminal
    * integritysetup: support new dm-integrity HMAC recalculation
      options
    * integritysetup: display of recalculating sector in dump command
    * veritysetup: fix verity FEC if stored in the same image with
      hashes
    * veritysetup: run FEC repair check even if root hash fails
    * veritysetup: do not process hash image if hash area is empty
    * veritysetup: store verity hash algorithm in superblock in
      lowercase
    * bitlk: fix a crash if the device disappears during BitLocker
      scan
    * bitlk: show a better error when trying to open an NTFS device
    * bitlk: add support for startup key protected VMKs
    * Fix LUKS1 repair code (regression since version 1.7.x)
    * Fix luksKeyChange for LUKS2 with assigned tokens
    * Fix cryptsetup resize using LUKS2 tokens
    * Print a visible error if device resize is not supported
    * Add error message when suspending wrong non-LUKS device
    * Fix default XTS mode key size in reencryption
    * Rephrase missing locking directory warning and move it to
      debug level
    * Many fixes for the use of cipher_null (empty debug cipher)
    * Fixes for libpasswdqc 2.0.x (optional passphrase quality check)
    * Fixes for problems discovered by various tools for code
      analysis
    * Various fixes to man pages
  - silence hmac packaging warnings
* Fri Mar 12 2021 Dirk Müller <[email protected]>
  - move licenses to licensedir

Files

/run/cryptsetup
/usr/lib/tmpfiles.d/cryptsetup.conf
/usr/sbin/cryptsetup
/usr/sbin/integritysetup
/usr/sbin/veritysetup
/usr/share/licenses/cryptsetup
/usr/share/licenses/cryptsetup/COPYING
/usr/share/licenses/cryptsetup/COPYING.LGPL


Generated by rpm2html 1.8.1

Fabrice Bellet, Sun Dec 1 01:07:54 2024