v2.1.0-ReleaseNotes 8.68 KB
Newer Older
Milan Broz's avatar
Milan Broz committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210
Cryptsetup 2.1.0 Release Notes
Stable release with new features and bug fixes.

Cryptsetup 2.1 version uses a new on-disk LUKS2 format as the default
LUKS format and increases default LUKS2 header size.

The legacy LUKS (referenced as LUKS1) will be fully supported forever
as well as a traditional and fully backward compatible format.

When upgrading a stable distribution, please use configure option
--with-default-luks-format=LUKS1 to maintain backward compatibility.

This release also switches to OpenSSL as a default cryptographic
backend for LUKS header processing. Use --with-crypto_backend=gcrypt
configure option if you need to preserve legacy libgcrypt backend.

Please do not use LUKS2 without properly configured backup or
in production systems that need to be compatible with older systems.

Changes since version 2.0.6

* The default for cryptsetup LUKS format action is now LUKS2.
  You can use LUKS1 with cryptsetup option --type luks1.

* The default size of the LUKS2 header is increased to 16 MB.
  It includes metadata and the area used for binary keyslots;
  it means that LUKS header backup is now 16MB in size.

  Note, that used keyslot area is much smaller, but this increase
  of reserved space allows implementation of later extensions
  (like online reencryption).
  It is fully compatible with older cryptsetup 2.0.x versions.
  If you require to create LUKS2 header with the same size as
  in the 2.0.x version, use --offset 8192 option for luksFormat
  (units are in 512-bytes sectors; see notes below).

* Cryptsetup now doubles LUKS default key size if XTS mode is used
  (XTS mode uses two internal keys). This does not apply if key size
  is explicitly specified on the command line and it does not apply
  for the plain mode.
  This fixes a confusion with AES and 256bit key in XTS mode where
  code used AES128 and not AES256 as often expected.

  Also, the default keyslot encryption algorithm (if cannot be derived
  from data encryption algorithm) is now available as configure
  options --with-luks2-keyslot-cipher and --with-luks2-keyslot-keybits.
  The default is aes-xts-plain64 with 2 * 256-bits key.

* Default cryptographic backend used for LUKS header processing is now
  OpenSSL. For years, OpenSSL provided better performance for PBKDF.

  NOTE: Cryptsetup/libcryptsetup supports several cryptographic
  library backends. The fully supported are libgcrypt, OpenSSL and
  kernel crypto API. FIPS mode extensions are maintained only for
  libgcrypt and OpenSSL. Nettle and NSS are usable only for some
  subset of algorithms and cannot provide full backward compatibility.
  You can always switch to other backends by using a configure switch,
  for libgcrypt (compatibility for older distributions) use:

* The Python bindings are no longer supported and the code was removed
  from cryptsetup distribution. Please use the libblockdev project
  that already covers most of the libcryptsetup functionality
  including LUKS2.

* Cryptsetup now allows using --offset option also for luksFormat.
  It means that the specified offset value is used for data offset.
  LUKS2 header areas are automatically adjusted according to this value.
  (Note units are in 512-byte sectors due to the previous definition
  of this option in plain mode.)
  This option can replace --align-payload with absolute alignment value.

* Cryptsetup now supports new refresh action (that is the alias for
  "open --refresh").
  It allows changes of parameters for an active device (like root
  device mapping), for example, it can enable or disable TRIM support
  It is supported for LUKS1, LUKS2, plain and loop-AES devices.

* Integritysetup now supports mode with detached data device through
  new --data-device option.
  Since kernel 4.18 there is a possibility to specify external data
  device for dm-integrity that stores all integrity tags.

* Integritysetup now supports automatic integrity recalculation
  through new --integrity-recalculate option.
  Linux kernel since version 4.18 supports automatic background
  recalculation of integrity tags for dm-integrity.

Other changes and fixes

* Fix for crypt_wipe call to allocate space if the header is backed
  by a file. This means that if you use detached header file, it will
  now have always the full size after luksFormat, even if only
  a few keyslots are used.

* Fixes to offline cryptsetup-reencrypt to preserve LUKS2 keyslots
  area sizes after reencryption and fixes for some other issues when
  creating temporary reencryption headers.

* Added some FIPS mode workarounds. We cannot (yet) use Argon2 in
  FIPS mode, libcryptsetup now fallbacks to use PBKDF2 in FIPS mode.

* Rejects conversion to LUKS1 if PBKDF2 hash algorithms
  in keyslots differ.

* The hash setting on command line now applies also to LUKS2 PBKDF2
  digest. In previous versions, the LUKS2 key digest used PBKDF2-SHA256
  (except for converted headers).

* Allow LUKS2 keyslots area to increase if data offset allows it.
  Cryptsetup can fine-tune LUKS2 metadata area sizes through
  --luks2-metadata-size=BYTES and --luks2-keyslots-size=BYTES.
  Please DO NOT use these low-level options until you need it for
  some very specific additional feature.
  Also, the code now prints these LUKS2 header area sizes in dump

* For LUKS2, keyslot can use different encryption that data with
  new options --keyslot-key-size=BITS and --keyslot-cipher=STRING
  in all commands that create new LUKS keyslot.
  Please DO NOT use these low-level options until you need it for
  some very specific additional feature.

* Code now avoids data flush when reading device status through

* The Nettle crypto backend and the userspace kernel crypto API
  backend were enhanced to allow more available hash functions
  (like SHA3 variants).

* Upstream code now does not require libgcrypt-devel
  for autoconfigure, because OpenSSL is the default.
  The libgcrypt does not use standard pkgconfig detection and
  requires specific macro (part of libgcrypt development files)
  to be always present during autoconfigure.
  With other crypto backends, like OpenSSL, this makes no sense,
  so this part of autoconfigure is now optional.

* Cryptsetup now understands new --debug-json option that allows
  an additional dump of some JSON information. These are no longer
  present in standard debug output because it could contain some
  specific LUKS header parameters.

* The luksDump contains the hash algorithm used in Anti-Forensic

* All debug messages are now sent through configured log callback
  functions, so an application can easily use own debug messages
  handling. In previous versions debug messages were printed directly
  to standard output.)

Libcryptsetup API additions

These new calls are now exported, for details see libcryptsetup.h:

 * crypt_init_data_device
 * crypt_get_metadata_device_name
     functions to init devices with separate metadata and data device
     before a format function is called.

 * crypt_set_data_offset
     sets the data offset for LUKS to the specified value
     in 512-byte sectors.
     It should replace alignment calculation in LUKS param structures.

 * crypt_get_metadata_size
 * crypt_set_metadata_size
     allows to set/get area sizes in LUKS header
     (according to specification).

 * crypt_get_default_type
     get default compiled-in LUKS type (version).

 * crypt_get_pbkdf_type_params
     allows to get compiled-in PBKDF parameters.

 * crypt_keyslot_set_encryption
 * crypt_keyslot_get_encryption
     allows to set/get per-keyslot encryption algorithm for LUKS2.

 * crypt_keyslot_get_pbkdf
     allows to get PBKDF parameters per-keyslot.

 and these new defines:
 * CRYPT_LOG_DEBUG_JSON (message type for JSON debug)
 * CRYPT_DEBUG_JSON (log level for JSON debug)
 * CRYPT_ACTIVATE_RECALCULATE (dm-integrity recalculate flag)
 * CRYPT_ACTIVATE_REFRESH (new open with refresh flag)

All existing API calls should remain backward compatible.

Unfinished things & TODO for next releases
* Optional authenticated encryption is still an experimental feature
  and can have performance problems for high-speed devices and device
  with larger IO blocks (like RAID).

* Authenticated encryption does not use encryption for a dm-integrity
  journal. While it does not influence data confidentiality or
  integrity protection, an attacker can get some more information
  from data journal or cause that system will corrupt sectors after
  journal replay. (That corruption will be detected though.)

* The LUKS2 metadata area increase is mainly needed for the new online
  reencryption as the major feature for the next release.