[prev in list] [next in list] [prev in thread] [next in thread]
List: dm-crypt
Subject: [dm-crypt] [ANNOUNCE] cryptsetup 1.1.0-rc4 (test release candidate)
From: mbroz () redhat ! com (Milan Broz)
Date: 2009-12-30 21:09:55
Message-ID: 4B3BC1A3.4040906 () redhat ! com
[Download RAW message or body]
Hi all,
because of some important changes I want include in cryptsetup 1.1
I released yet another testing release of cryptsetup.
Thanks,
Milan
--
mbroz at redhat.com
Cryptsetup 1.1.0-rc4 Release Notes
==================================
The cryptsetup 1.1.0-rc4 release candidate is available at
http://code.google.com/p/cryptsetup/
Feedback and bug reports are welcomed.
The rc should be last release before 1.1 stable version, the reason for another
testing compilation is important change in default parameters.
Changes since version 1.1.0-rc1
-------------------------------
IMPORTANT: the default compiled-in cipher parameters changed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!).
* LUKS mode: aes-cbc-essiv:sha256 (only key size increased)
In both modes is now default key size 256bits.
* Default compiled-in parameters are now cofigurable through configure options:
--with-plain-* / --with-luks1-* (see configure --help)
* If you need backward compatible defaults for distribution use
configure --with-plain-mode=cbc-plain --with-luks1-keybits=128
(This is mainly important for plain mode when the mode is stored in /etc/crypttab file.)
Default compiled-in modes are printed in "cryptsetup --help" output.
IMPORTANT: change in iterations count:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The slot and key digest iteration minimum is now 1000.
* The key digest iteration # is calculated from iteration time (approx 1/8 of req. time).
For more info about above items see discussion here: http://tinyurl.com/yaug97y
Other changes:
~~~~~~~~~~~~~~
* Fixed localisation to work again. Also cryptsetup is now translated by transaltionproject.org.
* Added French, Indonesian and updated Swedish translation for now.
* Fix some libcryptsetup probles, including
* exported symbols and versions in libcryptsetup (properly use versioned symbols)
* Add crypt_log library function.
* Add CRYPT_ prefix to enum defined in libcryptsetup.h.
* Move duplicate Command failed message to verbose level (error is printed always).
* Fix several problems in build system
* use autopoint and clean gettext processing.
* Check in configure if selinux libraries are required in static version.
* Fix build for non-standard location of gcrypt library.
* Add temporary debug code to debug processes locking internal keyslot device.
* Fix error handling during reading passhrase.
Changes since version 1.0.7
---------------------------
Important changes:
~~~~~~~~~~~~~~~~~~
* Adds new libcryptsetup API (documented in libcryptsetup.h).
The old API (using crypt_options struct) is still available but will remain
frozen and not used for new functions.
Soname of library changed to libcryptsetup.so.1.0.0.
(But only recompilation should be needed for old programs.)
The new API provides much more flexible operation over LUKS device for
applications, it is preffered that new applications will use libcryptsetup
and not wrapper around cryptsetup binary.
* Adds luksHeaderBackup and luksHeaderRestore commands.
These commands allows binary backup of LUKS header.
Please read man page about possible security issues with backup files.
* Adds luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase).
luksSuspend wipe encryption key in kernel memory and set device to suspend
(blocking all IO) state. This option can be used for situations when you need
temporary wipe encryption key (like suspend to RAM etc.)
Please read man page for more information.
* Adds --master-key-file option for luksFormat and luksAddKey.
User can now specify pre-generated master key in file, which allows regenerating
LUKS header or add key with only master key knowledge.
* Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option.
Please note that using different hash for LUKS header make device incompatible with
old cryptsetup releases.
* Introduce --debug parameter.
Use when reporting bugs (just run cryptsetup with --debug and attach output
to issue report.) Sensitive data are never printed to this log.
* Move command successful messages to verbose level.
* Require device-mapper library and libgcrypt to build.
* Use dm-uuid for all crypt devices, contains device type and name now.
* Remove support for dangerous non-exclusive option
(it is ignored now, LUKS device must be always opened exclusive)
Other changes:
~~~~~~~~~~~~~~
* Fail passphrase read if piped input no longer exists.
* Fix manpage to not require --size which expands to device size by default.
* Clean up Makefiles and configure script.
* Try to read first sector from device to properly check that device is ready.
* Move memory locking and dm initialization to command layer.
* Increase priority of process if memory is locked.
* Add log macros and make logging more consitent.
* Keyfile now must be provided by path, only stdin file descriptor is used (api only).
* Do not call isatty() on closed keyfile descriptor.
* Move key slot manuipulation function into LUKS specific code.
* Replace global options struct with separate parameters in helper functions.
* Implement old API calls using new functions.
* Allow using passphrase provided in options struct for LuksOpen.
* Allow restrict keys size in LuksOpen.
* Fix errors when compiled with LUKS_DEBUG.
* Print error when getline fails.
* Completely remove internal SHA1 implementanion code, not needed anymore.
* Pad luks header to 512 sector size.
* Rework read/write blockwise to not split operation to many pieces.
* Use posix_memalign if available.
* Fix segfault if provided slot in luksKillslot is invalid.
* Remove unneeded timeout when remove of temporary device succeeded.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic