- Update to 2.8.4:
* Fix integritysetup resize (grow) of the device if integrity bitmap
mode is used. Increasing the integrity device in bitmap mode did
not work as integritysetup incorrectly used journal settings that
were not applicable.
* Fix device size status reports in cryptsetup and integritysetup.
If the device uses a sector size larger than 512 bytes, the newly
reported byte sizes (introduced in 2.8.0) in the status report
were incorrectly displayed.
* BITLK: Fix unlocking BitLocker device with recovery passphrase.
If the recovery passphrase was present in the first keyslot, the
device failed to unlock. This bug was introduced in 2.8.2 with
Clear Key support.
OBS-URL: https://build.opensuse.org/request/show/1330392
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=219
- Update to 2.8.1:
* Fix status and deactivation of TCRYPT (VeraCrypt compatible) devices that use chained ciphers.
* Fix unlocking BITLK (BitLocker compatible) devices with multibyte UTF8 characters in the passphrase.
* Do not allow activation of the LUKS2 device if the used keyslot is not encrypted (it uses a null cipher).
- Such a configuration cannot be created by cryptsetup, but can be crafted outside of it.
- Null cipher is sometimes used to create an empty container for later reencryption.
- Only an empty passphrase can activate such a container (the same as in LUKS1).
* Do not silently decrease PBKDF parallel cost (threads) if set by an option.
- The maximum parallel cost is limited to 4 threads.
* Fixes to configuration and installation scripts.
- Meson and autoconf tools now properly support --prefix option for temporary directory installation.
- Multiple fixes and cleanups to config.h for compatibility between Meson and autoconf.
- Fix the luks2-external-tokens-path Meson option to work the same as in autoconf.
- Fix Meson install for tool binaries, install fvault2Open man page and include test/fuzz/meson.build in release.
* Major update to manual pages.
- Try to explain the PBKDF hardcoded limits.
- Add a better explanation for automatic integrity tag recalculation.
- Mention crypt/verity/integritytab.
- Remove or reformulate some misleading warnings present only with old and no longer supported kernels.
- Clarify that some commands do not wipe data and unify OPAL reset wording.
- Clarify the --label option.
- There are also many other grammar and stylistic fixes to unify the man-page style.
* Fixes for false-positive and annoying (optional) warnings added in recent compilers. (forwarded request 1300733 from pmonrealgonzalez)
OBS-URL: https://build.opensuse.org/request/show/1301272
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=134
OBS-URL: https://build.opensuse.org/request/show/1300733
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=215
- Update to 2.8.0:
* Full release notes in:
- https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/v2.8.0-ReleaseNotes
* Introduce support for inline mode (use HW sectors with additional hardware
metadata space).
* Finalize use of keyslot context API.
* Make all keyslot context types fully self-contained.
* Add --key-description and --new-key-description cryptsetup options.
* Support more precise keyslot selection in reencryption initialization.
* Allow reencryption to resume using token and volume keys.
* Cryptsetup repair command now tries to check LUKS keyslot areas for corruption.
* Opal2 SED: PSID keyfile is now expected to be 32 alphanumeric characters.
* Opal2: Avoid the Erase method and use Secure Erase for locking range.
* Opal2: Fix some error description (in debug only).
* Opal2: Do not allow deferred deactivation.
* Allow --reduce-device-size and --device-size combination for reencryption
(encrypt) action.
* Fix the userspace storage backend to support kernel "capi:" cipher specification format.
* Disallow conversion from LUKS2 to LUKS1 if kernel "capi:" cipher specification is used.
* Explicitly disallow kernel "capi:" cipher specification format for LUKS2
keyslot encryption.
* Do not allow conversion of LUKS2 to LUKS1 if an unbound keyslot is present.
* cryptsetup: Adjust the XTS key size for kernel "capi:" cipher specification.
* Remove keyslot warning about possible failure due to low memory.
* Do not limit Argon2 KDF memory cost on systems with more than 4GB of available memory.
* Properly report out of memory error for cryptographic backends implementing Argon2.
* Avoid KDF2 memory cost overflow on 32-bit platforms.
* Do not use page size as a fallback for device block size.
* veritysetup: Check hash device size in advance.
* Print a better error message for unsupported LUKS2 AEAD device resize.
OBS-URL: https://build.opensuse.org/request/show/1288645
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=213
- Set pbkdf2 as the default PBKDF algorithm in LUKS2 format.
[bsc#1236375, bsc#1236164]
* The default PBKDF algorithm in the LUKS2 format is now Argon2id,
but it's not FIPS compliant. A system would be unbootable if using
Argon2id or Argon2i for disk encryption and then switching to
kernel FIPS mode. This can be avoided by setting pbkdf2 as the default.
* Build using the configure option --with-luks2-pbkdf=pbkdf2.
OBS-URL: https://build.opensuse.org/request/show/1253039
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=208
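The FIPS/PBKDF note above, the 2.8.1 rule that a LUKS2 keyslot protected by a null cipher must not activate, and the 2.8.0 rule that a header with an unbound keyslot must not be converted to LUKS1 are all conditions an operator can check from the LUKS2 JSON metadata before a FIPS switch or a conversion. The script below is an added example, not cryptsetup or openSUSE package code. It assumes the JSON object printed by `cryptsetup luksDump --dump-json-metadata <device>`; the embedded sample metadata is constructed for illustration (placeholder salts, digests and offsets), and the remediation commands it suggests are the ones an operator would usually reach for, not anything cryptsetup emits itself.

```python
"""Audit LUKS2 JSON metadata for keyslot states called out in the changelog.

Added example, not cryptsetup or openSUSE package code. It expects the JSON
object that `cryptsetup luksDump --dump-json-metadata <device>` prints and
flags, per keyslot: a PBKDF other than pbkdf2 (not usable in FIPS mode), a
keyslot area protected by a kernel null cipher (2.8.1 refuses to activate
with it), and an unbound keyslot (not linked through any digest to a data
segment, which blocks conversion to LUKS1 since 2.8.0).
"""
import json
import sys

FIPS_PBKDFS = {"pbkdf2"}  # Argon2i/Argon2id are not FIPS approved


def _bound_keyslots(meta):
    """Ids of keyslots linked through some digest to at least one data segment."""
    bound = set()
    for digest in meta.get("digests", {}).values():
        if digest.get("segments"):
            bound.update(digest.get("keyslots", []))
    return bound


def audit_luks2(meta):
    """Return (keyslot_id, finding) pairs sorted by keyslot; [] means nothing flagged."""
    findings = []
    bound = _bound_keyslots(meta)
    for ks_id, ks in meta.get("keyslots", {}).items():
        kdf = ks.get("kdf", {}).get("type", "")
        if kdf not in FIPS_PBKDFS:
            findings.append((ks_id, "non-fips-kdf"))
        enc = ks.get("area", {}).get("encryption", "")
        # "cipher_null-<mode>" is the kernel spelling of "no encryption":
        # the keyslot material is stored in clear and an empty passphrase opens it.
        if enc.startswith("cipher_null"):
            findings.append((ks_id, "null-cipher"))
        if ks_id not in bound:
            findings.append((ks_id, "unbound"))
    return sorted(findings, key=lambda f: int(f[0]))


def fips_ready(meta):
    """True when every keyslot uses a FIPS-acceptable PBKDF."""
    return not any(kind == "non-fips-kdf" for _, kind in audit_luks2(meta))


def suggest(device, finding):
    """Map a finding to the cryptsetup action an operator would usually take."""
    ks_id, kind = finding
    if kind == "non-fips-kdf":
        return f"cryptsetup luksConvertKey --key-slot {ks_id} --pbkdf pbkdf2 {device}"
    if kind == "null-cipher":
        return f"cryptsetup luksKillSlot {device} {ks_id}  # remove the unencrypted keyslot"
    return f"# keyslot {ks_id} is unbound: bind it via reencrypt or remove it with luksKillSlot"


# Constructed sample in the shape of `luksDump --dump-json-metadata`; salts,
# digests and offsets are placeholders, not taken from a real device.
def _slot(offset, enc, kdf):
    return {"type": "luks2", "key_size": 64,
            "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
            "area": {"type": "raw", "offset": str(offset), "size": "258048",
                     "encryption": enc, "key_size": 64},
            "kdf": kdf}


ARGON = {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4, "salt": "c2FsdA=="}
PBKDF2 = {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000, "salt": "c2FsdA=="}

SAMPLE_METADATA = {
    "keyslots": {
        "0": _slot(32768, "aes-xts-plain64", ARGON),    # default Argon2id keyslot
        "1": _slot(290816, "aes-xts-plain64", PBKDF2),  # FIPS-acceptable keyslot
        "2": _slot(548864, "cipher_null-ecb", PBKDF2),  # crafted outside cryptsetup
        "3": _slot(806912, "aes-xts-plain64", PBKDF2),  # unbound: digest 1 has no segment
    },
    "tokens": {},
    "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                       "iv_tweak": "0", "encryption": "aes-xts-plain64",
                       "sector_size": 512}},
    "digests": {
        "0": {"type": "pbkdf2", "keyslots": ["0", "1", "2"], "segments": ["0"],
              "hash": "sha256", "iterations": 100000, "salt": "c2FsdA==",
              "digest": "ZGlnZXN0"},
        "1": {"type": "pbkdf2", "keyslots": ["3"], "segments": [],
              "hash": "sha256", "iterations": 100000, "salt": "c2FsdA==",
              "digest": "ZGlnZXN0"},
    },
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            meta = json.load(fh)
    else:
        meta = SAMPLE_METADATA
    for finding in audit_luks2(meta):
        print(f"keyslot {finding[0]}: {finding[1]:<12} -> {suggest('/dev/DEVICE', finding)}")
    print("FIPS ready:", fips_ready(meta))
```

Run it against a saved dump (`cryptsetup luksDump --dump-json-metadata /dev/sdX > hdr.json; python3 audit.py hdr.json`) before enabling kernel FIPS mode; luksConvertKey needs the keyslot's passphrase, so plan it while the system is still bootable.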
- Update to 2.7.5:
* Fix possible online reencryption data corruption (only in 2.7.x).
In some situations (initializing a suspended device-mapper device),
cryptsetup disabled direct-io device access. This caused unsafe
online reencryption operations that could lead to data corruption.
The code now adds strict checks (and aborts the operation) and
changes direct-io detection code to prevent data corruption.
* Fix a clang compilation error in SSH token plugin.
As the clang linker treats missing symbols as errors, the linker phase
for the SSH token failed as the optional cryptsetup_token_buffer_free
was not defined.
* Fix crypto backend initialization in crypt_format_luks2_opal API call.
OBS-URL: https://build.opensuse.org/request/show/1200764
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=204
- Update to 2.7.4:
* Detect device busy failure for device-mapper table-referenced
devices.
* Fix shared activation for dm-verity devices.
* Add --shared option for veritysetup open action.
* Do not use exclusive flag for the allocated backing loop files.
* Fixes for problems found by static analyzers and Valgrind.
* Fixes to tests and CI scripts.
- Use fdupes to link identical man pages.
OBS-URL: https://build.opensuse.org/request/show/1190586
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=200
- Update to 2.7.3:
* Do not allow formatting LUKS2 with Opal SED (hardware encryption)
if the reported logical sector size for the block device and Opal
encryption logical block differs.
* Fixes to wiping LUKS2 headers after Opal locking area erase.
* Mention the need for possible PSID revert before Opal format for some
drives (man page).
* Fix Bitlocker-compatible code to ignore newly seen metadata entries.
* Fix interactive query retry if LUKS2 unbound keyslot is present.
* Detect unsupported zoned devices for LUKS header devices.
* Allow "capi" cipher format for benchmark command and fix parsing
of plain IV in "capi" format.
* Add support for HCTR2 encryption mode.
* Source code now uses SPDX license identifiers instead of full
license preambles.
* Fix missing includes for cryptographic backend that could cause
compilation errors for some systems.
* Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
* Fix various (mostly false positive) issues detected by Coverity.
OBS-URL: https://build.opensuse.org/request/show/1190462
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=199
- Update to 2.7.1:
* Fix interrupted LUKS1 decryption resume.
With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
reencrypt command, resuming the interrupted LUKS1 decryption operation
could fail. LUKS2 was not affected.
* Allow --link-vk-to-keyring with --test-passphrase option.
This option allows uploading the volume key in a user-specified kernel
keyring without activating the device.
* Fix crash when --active-name was used in decryption initialization.
* Updates and changes to man pages, including indentation, sorting options
alphabetically, fixing mistakes in crypt_set_keyring_to_link, and fixing
some typos.
* Fix compilation with libargon2 when --disable-internal-argon2 was used.
* Do not require installed argon2.h header and never compile internal
libargon2 code if the crypto library directly supports Argon2.
* Fixes to regression tests to support older Linux distributions.
OBS-URL: https://build.opensuse.org/request/show/1157608
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=194
- Update to 2.7.0:
* Full changelog in:
https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes
* Introduce support for hardware OPAL disk encryption.
* plain mode: Set default cipher to aes-xts-plain64 and password hashing
to sha256.
* Allow activation (open), luksResume, and luksAddKey to use the volume
key stored in a keyring.
* Allow to store volume key to a user-specified keyring in open and
luksResume commands.
* Do not flush IO operations if resize grows the device.
This can help performance in specific cases where the encrypted device
is extended automatically while running many IO operations.
* Use only half of detected free memory for Argon2 PBKDF on systems
without swap (for LUKS2 new keyslot or format operations).
* Add the possibility to specify a directory for external LUKS2 token
handlers (plugins).
* Do not allow reencryption/decryption on LUKS2 devices with
authenticated encryption or hardware (OPAL) encryption.
* Do not fail LUKS format if the operation was interrupted on subsequent
device wipe.
* Fix the LUKS2 keyslot option to be used while activating the device
by a token.
* Properly report if the dm-verity device cannot be activated due to
the inability to verify the signed root hash (ENOKEY).
* Fix to check passphrase for selected keyslot only when adding
new keyslot.
* Fix to not wipe the keyslot area before in-place overwrite.
* bitlk: Fix segfaults when attempting to verify the volume key.
* Add --disable-blkid command line option to avoid blkid device check.
OBS-URL: https://build.opensuse.org/request/show/1142596
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=192
- luksFormat: Handle system with low memory and no swap space [bsc#1211079]
* Check for physical memory available also in PBKDF benchmark.
* Try to avoid OOM killer on low-memory systems without swap.
* Use only half of detected free memory on systems without swap.
* Add patches:
- cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
- cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
- cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
OBS-URL: https://build.opensuse.org/request/show/1098511
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=190
- Enable running the regression test suite.
- Force a regeneration of the man pages from AsciiDoc.
- Add LUKS1 and LUKS2 On-Disk Format Specification pdfs to doc.
- FIPS: Remove not needed libcryptsetup12-hmac package that contains
the HMAC checksums for integrity checking for FIPS. [bsc#1185116]
* Remove the cryptsetup-rpmlintrc file.
* Remove not needed fipscheck dependency.
OBS-URL: https://build.opensuse.org/request/show/1093121
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=188
- cryptsetup 2.6.0:
* Introduce support for handling macOS FileVault2 devices (FVAULT2).
* libcryptsetup: no longer use global memory locking through mlockall()
* libcryptsetup: process priority is increased only for key derivation
(PBKDF) calls.
* Add new LUKS keyslot context handling functions and API.
* The volume key may now be extracted using a passphrase, keyfile, or
token. For LUKS devices, it also returns the volume key after
a successful crypt_format call.
* Fix --disable-luks2-reencryption configuration option.
* cryptsetup: Print a better error message and warning if the format
produces an image without space available for data.
* Print error if anti-forensic LUKS2 hash setting is not available.
If the specified hash was not available, activation quietly failed.
* Fix internal crypt segment compare routine if the user
specified cipher in kernel format (capi: prefix).
* cryptsetup: Add token unassign action.
This action allows removing the token binding on a specific keyslot.
* veritysetup: add support for --use-tasklets option.
This option sets try_verify_in_tasklet kernel dm-verity option
(available since Linux kernel 6.0) to allow some performance
improvement on specific systems.
* Provide pkgconfig Require.private settings.
While we do not completely provide a static build on udev systems,
it helps produce statically linked binaries in certain situations.
* Always update automake library files if autogen.sh is run.
For several releases, we distributed older automake scripts by mistake.
* reencryption: Fix user defined moved segment size in LUKS2 decryption.
The --hotzone-size argument was ignored in cases where the actual data
size was less than the original LUKS2 data offset.
* Delegate FIPS mode detection to configured crypto backend.
System FIPS mode check no longer depends on /etc/system-fips file.
* Update documentation, including FAQ and man pages.
OBS-URL: https://build.opensuse.org/request/show/1038690
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=182
- cryptsetup 2.5.0:
* Split manual pages into per-action pages and use AsciiDoc format.
* Remove cryptsetup-reencrypt tool from the project and move reencryption
to already existing "cryptsetup reencrypt" command.
If you need to emulate the old cryptsetup-reencrypt binary, use a simple
wrapper script running "exec cryptsetup reencrypt $@".
* LUKS2: implement --decryption option that allows LUKS removal.
* Fix decryption operation with --active-name option and restrict
it to be used only with LUKS2.
* Do not refresh reencryption digest when not needed.
This should speed up the reencryption resume process.
* Store proper resilience data in LUKS2 reencrypt initialization.
Resuming reencryption now does not require specification of resilience
type parameters if these are the same as during initialization.
* Properly wipe the unused area after reencryption with datashift in
the forward direction.
* Check datashift value against larger sector size.
For example, it could cause an issue if a misaligned 4K sector appears
during decryption.
* Do not allow sector size increase reencryption in offline mode.
* Do not allow dangerous sector size change during reencryption.
* Ask the user for confirmation before resuming reencryption.
* Do not resume reencryption with conflicting parameters.
* Add --force-offline-reencrypt option.
* Do not allow nested encryption in LUKS reencrypt.
* Support all options allowed with luksFormat with encrypt action.
* Add resize action to integritysetup.
* Remove obsolete dracut plugin reencryption example.
* Fix possible keyslot area size overflow during conversion to LUKS2.
* Allow use of --header option for cryptsetup close. (forwarded request 999046 from lnussel)
OBS-URL: https://build.opensuse.org/request/show/999047
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=118
OBS-URL: https://build.opensuse.org/request/show/999046
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=178
- cryptsetup 2.4.1
* Fix compilation for libc implementations without dlvsym().
* Fix compilation and tests on systems with non-standard libraries.
* Try to workaround some issues on systems without udev support.
* Fixes for OpenSSL3 crypto backend (including FIPS mode).
* Print error message when assigning a token to an inactive keyslot.
* Fix offset bug in LUKS2 encryption code if --offset option was used.
* Do not allow LUKS2 decryption for devices with data offset.
* Fix LUKS1 cryptsetup repair command for some specific problems.
- cryptsetup 2.4.0 (jsc#SLE-20275)
OBS-URL: https://build.opensuse.org/request/show/919547
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=116
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=176