008b86e60a
- Update to 2.8.3:
  * Stable bug-fix release with minor extensions.
- Update to 2.8.2:
  * BITLK: Fix for BitLocker metadata validation on big-endian systems.
Pedro Monreal Gonzalez 2026-01-09 09:49:50 +00:00
5b8eeb3710
Accepting request 1301272 from security
Ana Guerrero 2025-08-26 12:56:15 +00:00
6549a15ee1
- Update to 2.8.1:
  * Fix status and deactivation of TCRYPT (VeraCrypt compatible) devices that use chained ciphers.
  * Fix unlocking BITLK (BitLocker compatible) devices with multibyte UTF8 characters in the passphrase.
  * Do not allow activation of the LUKS2 device if the used keyslot is not encrypted (it uses a null cipher).
    - Such a configuration cannot be created by cryptsetup, but can be crafted outside of it.
    - Null cipher is sometimes used to create an empty container for later reencryption.
    - Only an empty passphrase can activate such a container (the same as in LUKS1).
  * Do not silently decrease PBKDF parallel cost (threads) if set by an option.
    - The maximum parallel cost is limited to 4 threads.
  * Fixes to configuration and installation scripts.
    - Meson and autoconf tools now properly support --prefix option for temporary directory installation.
    - Multiple fixes and cleanups to config.h for compatibility between Meson and autoconf.
    - Fix the luks2-external-tokens-path Meson option to work the same as in autoconf.
    - Fix Meson install for tool binaries, install fvault2Open man page and include test/fuzz/meson.build in release.
  * Major update to manual pages.
    - Try to explain the PBKDF hardcoded limits.
    - Add a better explanation for automatic integrity tag recalculation.
    - Mention crypt/verity/integritytab.
    - Remove or reformulate some misleading warnings present only with old and no longer supported kernels.
    - Clarify that some commands do not wipe data and unify OPAL reset wording.
    - Clarify the --label option.
    - There are also many other grammar and stylistic fixes to unify the man-page style.
  * Fixes for false-positive and annoying (optional) warnings added in recent compilers.
Lucas Mulling 2025-08-25 13:08:27 +00:00
68e7cdffe1
Accepting request 1288922 from security
Ana Guerrero 2025-06-30 11:03:54 +00:00
766e121282
- Update to 2.8.0:
  * Full release notes in:
    - https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/v2.8.0-ReleaseNotes
  * Introduce support for inline mode (use HW sectors with additional hardware metadata space).
  * Finalize use of keyslot context API.
  * Make all keyslot context types fully self-contained.
  * Add --key-description and --new-key-description cryptsetup options.
  * Support more precise keyslot selection in reencryption initialization.
  * Allow reencryption to resume using token and volume keys.
  * Cryptsetup repair command now tries to check LUKS keyslot areas for corruption.
  * Opal2 SED: PSID keyfile is now expected to be 32 alphanumeric characters.
  * Opal2: Avoid the Erase method and use Secure Erase for locking range.
  * Opal2: Fix some error description (in debug only).
  * Opal2: Do not allow deferred deactivation.
  * Allow --reduce-device-size and --device-size combination for reencryption (encrypt) action.
  * Fix the userspace storage backend to support kernel "capi:" cipher specification format.
  * Disallow conversion from LUKS2 to LUKS1 if kernel "capi:" cipher specification is used.
  * Explicitly disallow kernel "capi:" cipher specification format for LUKS2 keyslot encryption.
  * Do not allow conversion of LUKS2 to LUKS1 if an unbound keyslot is present.
  * cryptsetup: Adjust the XTS key size for kernel "capi:" cipher specification.
  * Remove keyslot warning about possible failure due to low memory.
  * Do not limit Argon2 KDF memory cost on systems with more than 4GB of available memory.
  * Properly report out of memory error for cryptographic backends implementing Argon2.
  * Avoid KDF2 memory cost overflow on 32-bit platforms.
  * Do not use page size as a fallback for device block size.
  * veritysetup: Check hash device size in advance.
  * Print a better error message for unsupported LUKS2 AEAD device resize.
Pedro Monreal Gonzalez 2025-06-28 06:12:06 +00:00
25df3d8020
- Add a dependency on device-mapper to libcryptsetup12 to install the required device-mapper udev rules. [bsc#1241612]
Pedro Monreal Gonzalez 2025-05-29 10:27:47 +00:00
50eda542af
- Set pbkdf2 as the default PBKDF algorithm in LUKS2 format. [bsc#1236375, bsc#1236164]
  * The default PBKDF algorithm in the LUKS2 format is now Argon2id, but it's not FIPS compliant. A system would be unbootable if using Argon2id or Argon2i for disk encryption and then switching to kernel FIPS mode. This can be avoided by setting pbkdf2 as default.
  * Build using the configure option --with-luks2-pbkdf=pbkdf2.
Pedro Monreal Gonzalez 2025-03-14 14:18:28 +00:00
44ca5f7379
Accepting request 1229756 from security
Ana Guerrero 2024-12-11 20:00:52 +00:00
885a1330e4
- cryptsetup-fips140-3.patch: extend the password for PBKDF2 benchmarking to be more than 20 chars to meet FIPS 140-3 requirements (bsc#1229975)
Pedro Monreal Gonzalez 2024-12-03 09:35:06 +00:00
0c48009205
Accepting request 1200765 from security
Ana Guerrero 2024-09-15 10:32:53 +00:00
e7976f0568
- Update to 2.7.5:
  * Fix possible online reencryption data corruption (only in 2.7.x).
    In some situations (initializing a suspended device-mapper device), cryptsetup disabled direct-io device access. This caused unsafe online reencryption operations that could lead to data corruption. The code now adds strict checks (and aborts the operation) and changes direct-io detection code to prevent data corruption.
  * Fix a clang compilation error in SSH token plugin.
    As clang linker treats missing symbols as errors, the linker phase for the SSH token failed as the optional cryptsetup_token_buffer_free was not defined.
  * Fix crypto backend initialization in crypt_format_luks2_opal API call.
Pedro Monreal Gonzalez 2024-09-13 07:39:51 +00:00
1e4cc6eca2
- cryptsetup 2.4.1
  * Fix compilation for libc implementations without dlvsym().
  * Fix compilation and tests on systems with non-standard libraries.
  * Try to work around some issues on systems without udev support.
  * Fixes for OpenSSL3 crypto backend (including FIPS mode).
  * Print error message when assigning a token to an inactive keyslot.
  * Fix offset bug in LUKS2 encryption code if --offset option was used.
  * Do not allow LUKS2 decryption for devices with data offset.
  * Fix LUKS1 cryptsetup repair command for some specific problems.
- cryptsetup 2.4.0 (jsc#SLE-20275)
Ludwig Nussel 2021-09-16 15:25:13 +00:00
cddcbab746
- As YaST passes necessary parameters to cryptsetup anyway, we do not necessarily need to take grub into consideration. So back to Argon2 to see how it goes.
Ludwig Nussel 2021-08-25 13:47:31 +00:00
8d2c1398f0
- cryptsetup 2.4.0~rc1
  * External LUKS token plugins
  * Experimental SSH token
  * Default LUKS2 PBKDF is now Argon2id
  * Increase minimal memory cost for Argon2 benchmark to 64MiB.
  * Autodetect optimal encryption sector size on LUKS2 format.
  * Use VeraCrypt option by default and add --disable-veracrypt option.
  * Support --hash and --cipher to limit opening time for TCRYPT type
  * Fixed default OpenSSL crypt backend support for OpenSSL3.
  * integritysetup: add integrity-recalculate-reset flag.
  * cryptsetup: retains keyslot number in luksChangeKey for LUKS2.
  * Fix cryptsetup resize using LUKS2 tokens.
  * Add close --deferred and --cancel-deferred options.
  * Rewritten command-line option parsing to avoid libpopt arguments memory leaks.
  * Add --test-args option.
- switch to LUKS2 default format
Ludwig Nussel 2021-08-02 15:10:27 +00:00
8873d8f729
- New version to 2.3.1
  * Support VeraCrypt 128-byte passwords.
    VeraCrypt now allows passwords of maximal length 128 bytes (compared to legacy TrueCrypt where it was limited to 64 bytes).
  * Strip extra newline from BitLocker recovery keys.
    There might be a trailing newline added by the text editor when the recovery passphrase was passed using the --key-file option.
  * Detect separate libiconv library.
    It should fix compilation issues on distributions with iconv implemented in a separate library.
  * Various fixes and workarounds to build on old Linux distributions.
  * Split lines with hexadecimal digest printing for large key-sizes.
  * Do not wipe the device with no integrity profile.
    With --integrity none we performed useless full device wipe.
  * Workaround for dm-integrity kernel table bug.
    Some kernels show an invalid dm-integrity mapping table if superblock contains the "recalculate" bit. This causes integritysetup to not recognize the dm-integrity device. Integritysetup now specifies kernel options in such a way that even on unpatched kernels the mapping table is correct.
  * Print error message if LUKS1 keyslot cannot be processed.
    If the crypto backend is missing support for hash algorithms used in PBKDF2, the error message was not visible.
  * Properly align LUKS2 keyslots area on conversion.
    If the LUKS1 payload offset (data offset) is not aligned to 4 KiB boundary, the new LUKS2 keyslots area is now aligned properly.
  * Validate LUKS2 earlier on conversion to not corrupt the device if binary keyslots areas metadata are not correct.
Ludwig Nussel 2020-04-02 14:27:54 +00:00
277dfb964c
Accepting request 677121 from security
Yuchen Lin 2019-02-20 13:08:36 +00:00
b860f84edd
Accepting request 676570 from home:jengelh:branches:security
Ludwig Nussel 2019-02-18 12:27:45 +00:00
901c97104c
- New version 2.1.0
  * The default size of the LUKS2 header is increased to 16 MB. It includes metadata and the area used for binary keyslots; it means that LUKS header backup is now 16MB in size.
  * Cryptsetup now doubles LUKS default key size if XTS mode is used (XTS mode uses two internal keys). This does not apply if key size is explicitly specified on the command line and it does not apply for the plain mode. This fixes a confusion with AES and 256bit key in XTS mode where code used AES128 and not AES256 as often expected.
  * Default cryptographic backend used for LUKS header processing is now OpenSSL. For years, OpenSSL provided better performance for PBKDF.
  * The Python bindings are no longer supported and the code was removed from cryptsetup distribution. Please use the libblockdev project that already covers most of the libcryptsetup functionality including LUKS2.
  * Cryptsetup now allows using --offset option also for luksFormat.
  * Cryptsetup now supports new refresh action (that is the alias for "open --refresh").
  * Integritysetup now supports mode with detached data device through new --data-device option.
- 2.1.0 would use LUKS2 as default, we stay with LUKS1 for now until someone has time to evaluate the fallout from switching to LUKS2.
Ludwig Nussel 2019-02-15 14:36:10 +00:00
b9976bf5b8
- New version 2.0.4
  Changes since version 2.0.3
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  * Use the libblkid (blockid) library to detect foreign signatures on a device before LUKS format and LUKS2 auto-recovery.
    This change fixes an unexpected recovery using the secondary LUKS2 header after a device was already overwritten with another format (filesystem or LVM physical volume). LUKS2 will not recreate a primary header if it detects a valid foreign signature. In this situation, a user must always use cryptsetup repair command for the recovery.
    Note that libcryptsetup and utilities are now linked to libblkid as a new dependency. To compile code without blockid support (strongly discouraged), use --disable-blkid configure switch.
  * Add prompt for format and repair actions in cryptsetup and integritysetup if foreign signatures are detected on the device through the blockid library. After the confirmation, all known signatures are then wiped as part of the format or repair procedure.
  * Print consistent verbose message about keyslot and token numbers.
    For keyslot actions: Key slot <number> unlocked/created/removed.
    For token actions: Token <number> created/removed.
  * Print an error if removal of a non-existent token is attempted.
  * Add support for LUKS2 token definition export and import. The token command now can export/import customized token JSON file directly from command line. See the man page for more details.
  * Add support for new dm-integrity superblock version 2.
  * Add an error message when nothing was read from a key file.
  * Update cryptsetup man pages, including --type option usage.
Ludwig Nussel 2018-08-21 07:44:40 +00:00