- Suggest hmac package (boo#1090768)
- remove old upgrade hack for upgrades from 12.1
- New version 2.0.5
Changes since version 2.0.4
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Wipe full header areas (including unused) during LUKS format.
Since this version, the whole area up to the data offset is zeroed,
and subsequently, all keyslots areas are wiped with random data.
This ensures that no remaining old data remains in the LUKS header
areas, but it could slow down format operation on some devices.
Previously only first 4k (or 32k for LUKS2) and the used keyslot
was overwritten in the format operation.
* Several fixes to error messages that were unintentionally replaced
in previous versions with a silent exit code.
More descriptive error messages were added, including error
messages if
- a device is unusable (not a block device, no access, etc.),
- a LUKS device is not detected,
- LUKS header load code detects unsupported version,
- a keyslot decryption fails (also happens in the cipher check),
- converting an inactive keyslot.
* Device activation fails if data area overlaps with LUKS header.
* Code now uses explicit_bzero to wipe memory if available
(instead of own implementation).
* Additional VeraCrypt modes are now supported, including Camellia
and Kuznyechik symmetric ciphers (and cipher chains) and Streebog
hash function. These were introduced in a recent VeraCrypt upstream.
Note that Kuznyechik requires out-of-tree kernel module and
Streebog hash function is available only with the gcrypt cryptographic
backend for now.
OBS-URL: https://build.opensuse.org/request/show/645498
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=144
- New version 2.0.4
Changes since version 2.0.3
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Use the libblkid (blockid) library to detect foreign signatures
on a device before LUKS format and LUKS2 auto-recovery.
This change fixes an unexpected recovery using the secondary
LUKS2 header after a device was already overwritten with
another format (filesystem or LVM physical volume).
LUKS2 will not recreate a primary header if it detects a valid
foreign signature. In this situation, a user must always
use cryptsetup repair command for the recovery.
Note that libcryptsetup and utilities are now linked to libblkid
as a new dependence.
To compile code without blockid support (strongly discouraged),
use --disable-blkid configure switch.
* Add prompt for format and repair actions in cryptsetup and
integritysetup if foreign signatures are detected on the device
through the blockid library.
After the confirmation, all known signatures are then wiped as
part of the format or repair procedure.
* Print consistent verbose message about keyslot and token numbers.
For keyslot actions: Key slot <number> unlocked/created/removed.
For token actions: Token <number> created/removed.
* Print error, if a non-existent token is tried to be removed.
* Add support for LUKS2 token definition export and import.
The token command now can export/import customized token JSON file
directly from command line. See the man page for more details.
* Add support for new dm-integrity superblock version 2.
* Add an error message when nothing was read from a key file.
* Update cryptsetup man pages, including --type option usage.
OBS-URL: https://build.opensuse.org/request/show/630730
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=102
Changes since version 2.0.3
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Use the libblkid (blockid) library to detect foreign signatures
on a device before LUKS format and LUKS2 auto-recovery.
This change fixes an unexpected recovery using the secondary
LUKS2 header after a device was already overwritten with
another format (filesystem or LVM physical volume).
LUKS2 will not recreate a primary header if it detects a valid
foreign signature. In this situation, a user must always
use cryptsetup repair command for the recovery.
Note that libcryptsetup and utilities are now linked to libblkid
as a new dependence.
To compile code without blockid support (strongly discouraged),
use --disable-blkid configure switch.
* Add prompt for format and repair actions in cryptsetup and
integritysetup if foreign signatures are detected on the device
through the blockid library.
After the confirmation, all known signatures are then wiped as
part of the format or repair procedure.
* Print consistent verbose message about keyslot and token numbers.
For keyslot actions: Key slot <number> unlocked/created/removed.
For token actions: Token <number> created/removed.
* Print error, if a non-existent token is tried to be removed.
* Add support for LUKS2 token definition export and import.
The token command now can export/import customized token JSON file
directly from command line. See the man page for more details.
* Add support for new dm-integrity superblock version 2.
* Add an error message when nothing was read from a key file.
* Update cryptsetup man pages, including --type option usage.
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=141
- Update to version 2.0.0:
* Add support for new on-disk LUKS2 format
* Enable to use system libargon2 instead of bundled version
* Install tmpfiles.d configuration for LUKS2 locking directory
* New command integritysetup: support for the new dm-integrity kernel target
* Support for larger sector sizes for crypt devices
* Miscellaneous fixes and improvements
OBS-URL: https://build.opensuse.org/request/show/561151
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=136
- version 1.6.4
- new tarball / signature location
* Implement new erase (with alias luksErase) command.
* Add internal "whirlpool_gcryptbug hash" for accessing flawed
Whirlpool hash in gcrypt (requires gcrypt 1.6.1 or above).
* Allow to use --disable-gcrypt-pbkdf2 during configuration
to force use internal PBKDF2 code.
* Require gcrypt 1.6.1 for imported implementation of PBKDF2
(PBKDF2 in gcrypt 1.6.0 is too slow).
* Add --keep-key to cryptsetup-reencrypt.
* By default verify new passphrase in luksChangeKey and luksAddKey
commands (if input is from terminal).
* Fix memory leak in Nettle crypto backend.
* Support --tries option even for TCRYPT devices in cryptsetup.
* Support --allow-discards option even for TCRYPT devices.
(Note that this could destroy hidden volume and it is not suggested
by original TrueCrypt security model.)
* Link against -lrt for clock_gettime to fix undefined reference
to clock_gettime error (introduced in 1.6.2).
* Fix misleading error message when some algorithms are not available.
* Count system time in PBKDF2 benchmark if kernel returns no self
usage info.
OBS-URL: https://build.opensuse.org/request/show/235564
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=111
- cryptsetup 1.6.1
* Fix loop-AES keyfile parsing.
* Fix passphrase pool overflow for too long TCRYPT passphrase.
* Fix deactivation of device when failed underlying node disappeared.
- There is a bug in the released tarball, due to HAVE_BYTESWAP_H
and HAVE_ENDIAN_H not properly handled by the buildsystem. A
patch with permanent solution was sent and accepted upstream
and will appear in the next release, for now an spec file workaround
is in place, remove in the next update. (forwarded request 181807 from elvigia)
OBS-URL: https://build.opensuse.org/request/show/181818
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=82
- cryptsetup 1.6.1
* Fix loop-AES keyfile parsing.
* Fix passphrase pool overflow for too long TCRYPT passphrase.
* Fix deactivation of device when failed underlying node disappeared.
- There is a bug in the released tarball, due to HAVE_BYTESWAP_H
and HAVE_ENDIAN_H not properly handled by the buildsystem. A
patch with permanent solution was sent and accepted upstream
and will appear in the next release, for now an spec file workaround
is in place, remove in the next update.
OBS-URL: https://build.opensuse.org/request/show/181807
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=103
ATTENTION: wait for cryptsetup-mkinitrd before checkin, otherwise installation
with root on crypto no longer boot
- version 1.5.1:
* Added keyslot checker
* Add crypt_keyslot_area() API call.
* Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
* Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
* Allocate loop device late (only when real block device needed).
* Rework underlying device/file access functions.
* Create hash image if doesn't exist in veritysetup format.
* Provide better error message if running as non-root user (device-mapper, loop).
- split off hashalot and boot.crypto
- move to /usr (forwarded request 145274 from lnussel)
OBS-URL: https://build.opensuse.org/request/show/145279
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=78
ATTENTION: wait for cryptsetup-mkinitrd before checkin, otherwise installation
with root on crypto no longer boot
- version 1.5.1:
* Added keyslot checker
* Add crypt_keyslot_area() API call.
* Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
* Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
* Allocate loop device late (only when real block device needed).
* Rework underlying device/file access functions.
* Create hash image if doesn't exist in veritysetup format.
* Provide better error message if running as non-root user (device-mapper, loop).
- split off hashalot and boot.crypto
- move to /usr
OBS-URL: https://build.opensuse.org/request/show/145274
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=97
Verify GPG signature: Perform build-time offline GPG verification.
Please verify that included keyring matches your needs.
For manipulation with the offline keyring, please use gpg-offline tool from openSUSE:Factory, devel-tools-building or Base:System.
See the man page and/or /usr/share/doc/packages/gpg-offline/PACKAGING.HOWTO.
If you need to build your package for older products and don't want to mess spec file with ifs, please follow PACKAGING.HOWTO:
you can link or aggregate gpg-offline from
devel:tools:building or use following trick with "osc meta prjconf":
--- Cut here ----
%if 0%{?suse_version} <= 1220
Substitute: gpg-offline
%endif
Macros:
%gpg_verify(dnf) \
%if 0%{?suse_version} > 1220\
echo "WARNING: Using %%gpg_verify macro from prjconf, not from gpg-offline package."\
gpg-offline --directory="%{-d:%{-d*}}%{!-d:%{_sourcedir}}" --package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}" --verify %{**}\
%else\
echo "WARNING: Dummy prjconf macro. gpg-offline is not available, skipping %{**} GPG signature verification!"\
%endif\
%nil
-----------------
OBS-URL: https://build.opensuse.org/request/show/143882
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=96
