Get rid of RIPEMD160 hash and CBC mode in plain crypt
The plain crypt mode is the basic interface to dm-crypt; it stores no metadata on disk, so the user must specify all parameters. We have a default (aes-cbc-essiv:sha256 and ripemd160 hash), but changing it always causes problems, as "cryptsetup open --type plain" will use different encryption than the previous version.
Also, plain crypt mode uses trivial hashing of the passphrase (with ripemd160 hash as default). The hash does not apply if --key-file is used (IOW, if you encrypt swap with keyfile set to /dev/urandom, it does not use hashing).
Some known problems with plain crypt:
- ripemd160 hash is obsolete (OpenSSL3 has it in the legacy provider), and FIPS mode disallows it,
- CBC mode should be deprecated; we should switch to AES-XTS, similar to LUKS,
- we should allow using PBKDF (password-based key derivation function) instead of hashalot-like hashing
There are two possibilities:
- change crypto defaults, and add support for --pbkdf options => risking user data corruption if they rely on defaults,
- keep plain as legacy mode and introduce a new ("raw"?) mode => this will need massive changes in systemd, GRUB, and other wrappers, as the new mode is not supported.
Please add comments to this issue if you know about possible problems. Ideally, this change should happen in cryptsetup 2.6 (next major release).
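
An added sketch (not cryptsetup code and not part of the original issue) contrasting the hashalot-like passphrase hashing described above with a PBKDF, and checking whether the local crypto backend still offers ripemd160. The round scheme in `plain_style_key`, the salt, the iteration count and all function names are assumptions for illustration; because plain mode stores no metadata, a salt would have to be supplied by the user like every other parameter.

```python
import hashlib


def hash_available(name: str) -> bool:
    """True if this Python/OpenSSL build can instantiate the digest."""
    try:
        hashlib.new(name)
        return True
    except ValueError:
        return False


def plain_style_key(passphrase: bytes, key_size: int, hash_name: str) -> bytes:
    """Hashalot-like derivation (assumed scheme): no salt, one digest pass.

    Round i hashes i bytes of 'A' followed by the passphrase; the round
    outputs are concatenated and truncated to key_size bytes.
    """
    key = b""
    rnd = 0
    while len(key) < key_size:
        h = hashlib.new(hash_name)
        h.update(b"A" * rnd + passphrase)
        key += h.digest()
        rnd += 1
    return key[:key_size]


def pbkdf_style_key(passphrase: bytes, salt: bytes, key_size: int,
                    iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256: salted and iterated, so each guess is costly."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations,
                               dklen=key_size)


if __name__ == "__main__":
    pw = b"correct horse"          # constructed sample passphrase
    salt = b"constructed-salt-01"  # constructed sample salt
    print("ripemd160 available:", hash_available("ripemd160"))
    # 64 bytes = 512-bit key, the size AES-XTS uses for AES-256.
    print("plain-style:", plain_style_key(pw, 64, "sha256").hex())
    print("pbkdf-style:", pbkdf_style_key(pw, salt, 64).hex())
```

The plain-style key is a pure function of the passphrase and hash name, so switching the default hash silently yields a different key for the same passphrase, which is the compatibility risk the issue describes.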