ATTENTION: wait for cryptsetup-mkinitrd before checkin, otherwise installation
with root on crypto no longer boot
- version 1.5.1:
* Added keyslot checker
* Add crypt_keyslot_area() API call.
* Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
* Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
* Allocate loop device late (only when real block device needed).
* Rework underlying device/file access functions.
* Create hash image if doesn't exist in veritysetup format.
* Provide better error message if running as non-root user (device-mapper, loop).
- split off hashalot and boot.crypto
- move to /usr
OBS-URL: https://build.opensuse.org/request/show/145274
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=97
Verify GPG signature: Perform build-time offline GPG verification.
Please verify that included keyring matches your needs.
For manipulation with the offline keyring, please use gpg-offline tool from openSUSE:Factory, devel-tools-building or Base:System.
See the man page and/or /usr/share/doc/packages/gpg-offline/PACKAGING.HOWTO.
If you need to build your package for older products and don't want to mess spec file with ifs, please follow PACKAGING.HOWTO:
you can link or aggregate gpg-offline from
devel:tools:building or use following trick with "osc meta prjconf":
--- Cut here ----
%if 0%{?suse_version} <= 1220
Substitute: gpg-offline
%endif
Macros:
%gpg_verify(dnf) \
%if 0%{?suse_version} > 1220\
echo "WARNING: Using %%gpg_verify macro from prjconf, not from gpg-offline package."\
gpg-offline --directory="%{-d:%{-d*}}%{!-d:%{_sourcedir}}" --package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}" --verify %{**}\
%else\
echo "WARNING: Dummy prjconf macro. gpg-offline is not available, skipping %{**} GPG signature verification!"\
%endif\
%nil
-----------------
OBS-URL: https://build.opensuse.org/request/show/143882
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=96
* Add --device-size option for reencryption tool.
* Switch to use unit suffix for --reduce-device-size option.
* Remove open device debugging feature (no longer needed).
* Introduce cryptsetup-reencrypt - experimental offline LUKS reencryption tool.
* Fix luks-header-from-active script (do not use LUKS header on-disk, add UUID).
* Add --test-passphrase option for luksOpen (check passphrase only).
* Introduce veritysetup for dm-verity target management.
* Both data and header device can now be a file.
* Loop is automatically allocated in crypt_set_data_device().
* Require only up to last keyslot area for header device (ignore data offset).
* Fix header backup and restore to work on files with large data offset.
* Fix readonly activation if underlying device is readonly (1.4.0).
* Fix keyslot removal (wipe keyslot) for device with 4k hw block (1.4.0).
* Allow empty cipher (cipher_null) for testing.
* Fix loop mapping on readonly file.
* Relax --shared test, allow mapping even for overlapping segments.
* Support shared flag for LUKS devices (dangerous).
* Switch on retry on device remove for libdevmapper.
* Allow "private" activation (skip some udev global rules) flag.
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=91
* Fix header check to support old (cryptsetup 1.0.0) header alignment. (1.4.0)
* Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI.
* Add repair command and crypt_repair() for known LUKS metadata problems repair.
* Allow to specify --align-payload only for luksFormat.
* Unify password verification option.
* Support password verification with quiet flag if possible. (1.2.0)
* Fix retry if entered passphrases (with verify option) do not match.
* Support UUID=<LUKS_UUID> format for device specification.
* Add --master-key-file option to luksOpen (open using volume key).
* Fix use of empty keyfile.
* Fix error message for luksClose and detached LUKS header.
* Allow --header for status command to get full info with detached header.
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=83
* Add selection of random/urandom number generator for luksFormat
(option --use-random and --use-urandom).
* Fix luksRemoveKey to not ask for remaining keyslot passphrase,
only for removed one.
* No longer support luksDelKey (replaced with luksKillSlot).
* if you want to remove particular passphrase, use luksKeyRemove
* if you want to remove particular keyslot, use luksKillSlot
Note that in batch mode luksKillSlot allows removing of any keyslot
without question, in normal mode requires passphrase or keyfile from
other keyslot.
* Default alignment for device (if not overridden by topology info)
is now (multiple of) *1MiB*.
This reflects trends in storage technologies and aligns to the same
defaults for partitions and volume management.
* Allow explicit UUID setting in luksFormat and allow change it later
in luksUUID (--uuid parameter).
* All commands using key file now allows limited read from keyfile using
--keyfile-size and --new-keyfile-size parameters (in bytes).
This change also disallows overloading of --key-size parameter which
is now exclusively used for key size specification (in bits.)
* luksFormat using pre-generated master key now properly allows
using key file (only passphrase was allowed prior to this update).
* Add --dump-master-key option for luksDump to perform volume (master)
key dump. Note that printed information allows accessing device without
passphrase so it must be stored encrypted.
This operation is useful for simple Key Escrow function (volume key and
encryption parameters printed on paper on safe place).
This operation requires passphrase or key file.
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=58
* Fix device alignment ioctl calls parameters. (Device alignment
code was not working properly on some architectures like ppc64.)
* Fix activate_by_* API calls to handle NULL device name as
documented. (To enable check of passphrase/keyfile using
libcryptsetup without activating the device.)
* Fix udev support for old libdevmapper with not compatible definition.
* Added Polish translation file.
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=50
* Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
* Support --key-file/-d option for luksFormat.
* Fix description of --key-file and add --verbose and --debug options to man page.
* Add verbose log level and move unlocking message there.
* Remove device even if underlying device disappeared (remove, luksClose).
* Fix (deprecated) reload device command to accept new device argument.
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=45
* Detects and use device-mapper udev support if available.
* Supports device topology detection for data alignment.
* Fix luksOpen reading of passphrase on stdin (if "-" keyfile specified).
* Fix isLuks to initialise crypto backend (blkid instead is suggested anyway).
* Properly initialise crypto backend in header backup/restore commands.
* Do not verify unlocking passphrase in luksAddKey command.
* Allow no hash specification in plain device constructor - user can provide volume key directly.
* Try to use pkgconfig for device mapper library in configuration script.
* Add some compatibility checks and disable LUKS suspend/resume if not supported.
* Rearrange tests, "make check" now run all available test for package.
* Avoid class C++ keyword in library header.
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=43
