Commit 3e6935b7 authored by Milan Broz

Add ReleaseNotes texts into distribution.

git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@433 36d66b0a-2a48-0410-832c-cd162a569da5
parent cf902b0e
EXTRA_DIST = FAQ
EXTRA_DIST = FAQ docs
SUBDIRS = \
lib \
src \
......
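Review bot: `EXTRA_DIST = FAQ docs` names `docs` without listing its files. If `docs` is a directory, automake copies it recursively into the tarball, so anything else sitting there at `make dist` time (editor backups, `.svn` metadata from the svn checkout this commit comes from) ships too. Listing the ReleaseNotes files explicitly keeps the distribution contents reviewable, and `make dist` then fails loudly if one of them goes missing.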
cryptsetup 1.0.7 Release Notes (2009-07-22)
===========================================
Changes since 1.0.7-rc1
------------------------
[committer name]
* Allow removal of last slot in luksRemoveKey
and luksKillSlot. [Milan Broz]
* Add --disable-selinux option and fix static build if selinux
is required. [Milan Broz]
* Reject unsupported --offset and --skip options for luksFormat
and update man page. [Milan Broz]
Changes since 1.0.6
--------------------
[committer name]
* Various man page fixes. Also merged some Debian/Ubuntu man page
fixes. (thanks to Martin Pitt) [Milan Broz]
* Set UUID in device-mapper for LUKS devices. [Milan Broz]
* Retain readahead of underlying device. [Milan Broz]
* Display device name when asking for password. (thanks to Till
Maas) [Milan Broz]
* Check device size when loading LUKS header. Remove misleading
error message later. [Milan Broz]
* Add error hint if dm-crypt mapping failed. (Key size and kernel
version check for XTS and LRW mode for now.) [Milan Broz]
* Use better error messages if device doesn't exist or is already
used by other mapping. [Milan Broz]
* Fix make distcheck. (thanks to Mike Kelly) [Milan Broz]
* Check if all slots are full during luksAddKey. [Clemens Fruhwirth]
* Fix segfault in set_error (thanks to Oliver Metz). [Clemens Fruhwirth]
* Remove precompiled pot files. Fix uninitialized return value
variable in setup.c. [Clemens Fruhwirth]
* Code cleanups. (thanks to Ivan Stankovic) [Clemens Fruhwirth]
* Remove unnecessary files from po directory. They will be
regenerated by autogen.sh. [Clemens Fruhwirth]
* Fix wrong output for remaining key at key deletion. Allow deletion
of key slot while other keys have the same key information. [Clemens
Fruhwirth]
* Add missing AM_PROG_CC_C_O to configure.in [Milan Broz]
* Remove duplicate sentence in man page (thanks to Till Maas).
[Milan Broz]
* Wipe start of device (possible fs signature) before
LUKS-formatting. [Milan Broz]
* Do not process configure.in in hidden directories. [Milan Broz]
* Return more descriptive error in case of IO or header format
error. [Milan Broz]
* Use remapping to error target instead of calling udevsettle
for temporary crypt device. [Milan Broz]
* Check device mapper communication and warn user in case the
communication fails. (thanks to Milan Broz) [Clemens Fruhwirth]
* Fix signal handler to proper close device. (thanks to Milan Broz)
[Clemens Fruhwirth]
* write_lseek_blockwise: declare innerCount outside the if block,
add -Wall to the default CFLAGS, * fix some signedness issues
(thanks to Ivan Stankovic) [Clemens Fruhwirth]
* Error handling improvement. (thanks to Erik Edin) [Clemens Fruhwirth]
* Add non-exclusive override to interface definition. [Clemens
Fruhwirth]
* Refactor key slot selection into keyslot_from_option. Either
autoselect next free keyslot or honor user choice (after checking).
[Clemens Fruhwirth]
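Review bot: In the 1.0.7 notes, the `write_lseek_blockwise` entry has a stray list marker in the middle of the item (`add -Wall to the default CFLAGS, * fix some signedness issues`), so separate changes read as one entry. Split it into separate `*` items. The bare `[committer name]` lines under both "Changes since" headings look like a leftover template placeholder; drop them or turn them into an explicit legend for the bracketed names that follow each entry.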
Cryptsetup 1.1.0 Release Notes
==============================
Changes since version 1.0.7
----------------------------
Important changes:
~~~~~~~~~~~~~~~~~~
* IMPORTANT: the default compiled-in cipher parameters changed
plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!).
LUKS mode: aes-cbc-essiv:sha256 (only key size increased)
In both modes is now default key size 256bits.
* Default compiled-in parameters are now configurable through configure options:
--with-plain-* / --with-luks1-* (see configure --help)
* If you need backward compatible defaults for distribution use
configure --with-plain-mode=cbc-plain --with-luks1-keybits=128
Default compiled-in modes are printed in "cryptsetup --help" output.
* Change in iterations count (LUKS):
The slot and key digest iteration minimum count is now 1000.
The key digest iteration count is calculated from iteration time (approx 1/8 of req. time).
For more info about above items see discussion here: http://tinyurl.com/yaug97y
* New libcryptsetup API (documented in libcryptsetup.h).
The old API (using crypt_options struct) is still available but will remain
frozen and not used for new functions.
Soname of library changed to libcryptsetup.so.1.0.0.
(But only recompilation should be needed for old programs.)
The new API provides much more flexible operation over LUKS device for
applications, it is preferred that new applications will use libcryptsetup
and not wrapper around cryptsetup binary.
* New luksHeaderBackup and luksHeaderRestore commands.
These commands allows binary backup of LUKS header.
Please read man page about possible security issues with backup files.
* New luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase).
luksSuspend wipe encryption key in kernel memory and set device to suspend
(blocking all IO) state. This option can be used for situations when you need
temporary wipe encryption key (like suspend to RAM etc.)
Please read man page for more information.
* New --master-key-file option for luksFormat and luksAddKey.
User can now specify pre-generated master key in file, which allows regenerating
LUKS header or add key with only master key knowledge.
* Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option.
Please note that using different hash for LUKS header make device incompatible with
old cryptsetup releases.
* Introduces --debug parameter.
Use when reporting bugs (just run cryptsetup with --debug and attach output
to issue report.) Sensitive data are never printed to this log.
* Moves command successful messages to verbose level.
* Requires device-mapper library and libgcrypt to build.
* Uses dm-uuid for all crypt devices, contains device type and name now.
* Removes support for dangerous non-exclusive option
(it is ignored now, LUKS device must be always opened exclusive)
Other changes:
~~~~~~~~~~~~~~
* Fixed localization to work again. Also cryptsetup is now translated by translationproject.org.
* Fix some libcryptsetup problems, including
* exported symbols and versions in libcryptsetup (properly use versioned symbols)
* Add crypt_log library function.
* Add CRYPT_ prefix to enum defined in libcryptsetup.h.
* Move duplicate Command failed message to verbose level (error is printed always).
* Fix several problems in build system
* use autopoint and clean gettext processing.
* Check in configure if selinux libraries are required in static version.
* Fix build for non-standard location of gcrypt library.
* Add temporary debug code to find processes locking internal device.
* Fix error handling during reading passphrase.
* Fail passphrase read if piped input no longer exists.
* Fix man page to not require --size which expands to device size by default.
* Clean up Makefiles and configure script.
* Try to read first sector from device to properly check that device is ready.
* Move memory locking and dm initialization to command layer.
* Increase priority of process if memory is locked.
* Add log macros and make logging more consistent.
* Keyfile now must be provided by path, only stdin file descriptor is used (api only).
* Do not call isatty() on closed keyfile descriptor.
* Move key slot manipulation function into LUKS specific code.
* Replace global options struct with separate parameters in helper functions.
* Implement old API calls using new functions.
* Allow using passphrase provided in options struct for LuksOpen.
* Allow restrict keys size in LuksOpen.
* Fix errors when compiled with LUKS_DEBUG.
* Print error when getline fails.
* Completely remove internal SHA1 implementation code, not needed anymore.
* Pad luks header to 512 sector size.
* Rework read/write blockwise to not split operation to many pieces.
* Use posix_memalign if available.
* Fix segfault if provided slot in luksKillslot is invalid.
* Remove unneeded timeout when remove of temporary device succeeded.
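Review bot: The only reference given for the changed defaults and the new iteration-count minimum is the shortened link in `For more info about above items see discussion here: http://tinyurl.com/yaug97y`; a reader of the tarball cannot see where it leads, and it breaks if the shortener goes away. Use the full URL of the discussion instead. Since the plain-mode default is flagged as backward incompatible, it would also help to state the previous default next to the new `aes-cbc-essiv:sha256` rather than leaving it implied by `--with-plain-mode=cbc-plain --with-luks1-keybits=128`. Minor wording: "These commands allows", "In both modes is now default key size 256bits".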
Cryptsetup 1.1.1 Release Notes
==============================
Changes since version 1.1.1-rc2
* Fix luksClose error if underlying device is LVM logical volume.
Changes since version 1.1.1-rc1
* Fix automatic dm-crypt module loading.
Changes since version 1.1.0
Important changes:
~~~~~~~~~~~~~~~~~~
* Detects and use device-mapper udev support if available.
This should allow synchronisation with udev rules and avoid races with udev.
If package maintainer want to use old, direct libdevmapper device node creation,
use configure option --disable-udev.
* Supports device topology detection for data alignment.
If kernel provides device topology ioctl calls, the LUKS data area
alignment is automatically set to optimal value.
This means that stacked devices (like LUKS over MD/LVM)
should use the most optimal data alignment.
(You can still overwrite this calculation using --align-payload option.)
* Prefers some device paths in status display.
(So status command will try to find top level device name, like /dev/sdb.)
* Fix package config file to use proper package version.
Other changes:
~~~~~~~~~~~~~~
* Fix luksOpen reading of passphrase on stdin (if "-" keyfile specified).
* Fix isLuks to initialise crypto backend (blkid instead is suggested anyway).
* Properly initialise crypto backend in header backup/restore commands.
* Do not verify unlocking passphrase in luksAddKey command.
* Allow no hash specification in plain device constructor - user can provide volume key directly.
* Try to use pkgconfig for device mapper library in configuration script.
* Add some compatibility checks and disable LUKS suspend/resume if not supported.
* Rearrange tests, "make check" now run all available test for package.
* Avoid class C++ keyword in library header.
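Review bot: `Do not verify unlocking passphrase in luksAddKey command.` can be read as luksAddKey no longer checking the existing passphrase at all. If the change only concerns a confirmation prompt, say that explicitly so nobody takes it as a weakened check. Also, the three "Changes since version" headings here have no underline, while the 1.1.0 notes underline the same heading with dashes; pick one style.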
== Cryptsetup 1.1.2 Release Notes ==
This release fixes a regression (introduced in 1.1.1 version) in handling
key files containing new line characters (affects only files read from
standard input).
Cryptsetup can accept passphrase on stdin (standard input).
Handling of new line (\n) character is defined by input specification:
* if keyfile is specified as "-" (using --key-file=- of by "-" positional argument
in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action>),
input is processed as normal binary file and no new line is interpreted.
* if there is no key file specification (with default input from stdin pipe
like echo passphrase | cryptsetup <action>) input is processed as input from terminal,
reading will stop after new line is detected.
Moreover, luksFormat now understands --key-file (in addition to positional key
file argument).
N.B. Using of standard input and pipes for passphrases should be avoided if possible,
cryptsetup have no control of used pipe buffers between commands in scripts and cannot
guarantee that all passphrase/key-file buffers are properly wiped after use.
=== changes since version 1.1.1 ===
* Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
* Support --key-file/-d option for luksFormat.
* Fix description of --key-file and add --verbose and --debug options to man page.
* Add verbose log level and move unlocking message there.
* Remove device even if underlying device disappeared (remove, luksClose).
* Fix (deprecated) reload device command to accept new device argument.
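Review bot: Typo in the first stdin case: `--key-file=- of by "-" positional argument` should read "or by". These two bullets decide whether a new line ends the passphrase, so it is worth putting each command example (`cat file | cryptsetup --key-file=- <action>` and `echo passphrase | cryptsetup <action>`) on its own line so the cases are easy to tell apart. The `== ... ==` headings also differ from the underline style used in the other ReleaseNotes files.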
== Cryptsetup 1.1.3 Release Notes ==
=== changes since version 1.1.2 ===
* Fix device alignment ioctl calls parameters.
(Device alignment code was not working properly on some architectures like ppc64.)
* Fix activate_by_* API calls to handle NULL device name as documented.
(To enable check of passphrase/keyfile using libcryptsetup without activating the device.)
* Fix udev support for old libdevmapper with not compatible definition.
* Added Polish translation file.
Cryptsetup 1.2.0 Release Notes
==============================
Changes since version 1.2.0-rc1
* Fix crypt_activate_by_keyfile() to work with PLAIN devices.
* Fix plain create command to properly handle keyfile size.
* Update translations.
Changes since version 1.1.3
Important changes
~~~~~~~~~~~~~~~~~
* Add text version of *FAQ* (Frequently Asked Questions) to distribution.
* Add selection of random/urandom number generator for luksFormat
(option --use-random and --use-urandom).
(This affects only long term volume key in *luksFormat*,
not RNG used for salt and AF splitter).
You can also set the default to /dev/random during compilation with
--enable-dev-random. Compiled-in default is printed in --help output.
Be very careful before changing default to blocking /dev/random use here.
* Fix *luksRemoveKey* to not ask for remaining keyslot passphrase,
only for removed one.
* No longer support *luksDelKey* (replaced with luksKillSlot).
* if you want to remove particular passphrase, use *luksKeyRemove*
* if you want to remove particular keyslot, use *luksKillSlot*
Note that in batch mode *luksKillSlot* allows removing of any keyslot
without question, in normal mode requires passphrase or keyfile from
other keyslot.
* *Default alignment* for device (if not overridden by topology info)
is now (multiple of) *1MiB*.
This reflects trends in storage technologies and aligns to the same
defaults for partitions and volume management.
* Allow explicit UUID setting in *luksFormat* and allow change it later
in *luksUUID* (--uuid parameter).
* All commands using key file now allows limited read from keyfile using
--keyfile-size and --new-keyfile-size parameters (in bytes).
This change also disallows overloading of --key-size parameter which
is now exclusively used for key size specification (in bits.)
* *luksFormat* using pre-generated master key now properly allows
using key file (only passphrase was allowed prior to this update).
* Add --dump-master-key option for *luksDump* to perform volume (master)
key dump. Note that printed information allows accessing device without
passphrase so it must be stored encrypted.
This operation is useful for simple Key Escrow function (volume key and
encryption parameters printed on paper on safe place).
This operation requires passphrase or key file.
* The reload command is no longer supported.
(Use dmsetup reload instead if needed. There is no real use for this
function except explicit data corruption:-)
* Cryptsetup now properly checks if underlying device is in use and
disallows *luksFormat*, *luksOpen* and *create* commands on open
(e.g. already mapped or mounted) device.
* Option --non-exclusive (already deprecated) is removed.
Libcryptsetup API additions:
* new functions
* crypt_get_type() - explicit query to crypt device context type
* crypt_resize() - new resize command using context
* crypt_keyslot_max() - helper to get number of supported keyslots
* crypt_get_active_device() - get active device info
* crypt_set/get_rng_type() - random/urandom RNG setting
* crypt_set_uuid() - explicit UUID change of existing device
* crypt_get_device_name() - get underlying device name
* Fix optional password callback handling.
* Allow to activate by internally cached volume key immediately after
crypt_format() without active slot (for temporary devices with
on-disk metadata)
* libcryptsetup is binary compatible with 1.1.x release and still
supports legacy API calls
* cryptsetup binary now uses only new API calls.
* Static compilation of both library (--enable-static) and cryptsetup
binary (--enable-static-cryptsetup) is now properly implemented by common
libtool logic.
Prior to this it produced miscompiled dynamic cryptsetup binary with
statically linked libcryptsetup.
The static binary is compiled as src/cryptsetup.static in parallel
with dynamic build if requested.
Other changes
~~~~~~~~~~~~~
* Fix default plain password entry from terminal in activate_by_passphrase.
* Initialize volume key from active device in crypt_init_by_name()
* Fix cryptsetup binary exit codes.
0 - success, otherwise fail
1 - wrong parameters
2 - no permission
3 - out of memory
4 - wrong device specified
5 - device already exists or device is busy
* Remove some obsolete info from man page.
* Add more regression tests for commands.
* Fix possible double free when handling master key file.
* Fix pkg-config use in automake scripts.
* Wipe iteration and salt after luksKillSlot in LUKS header.
* Rewrite file differ test to C (and fix it to really work).
* Do not query non-existent device twice (cryptsetup status /dev/nonexistent).
* Check if requested hash is supported before writing LUKS header.
* Fix problems reported by clang scan-build.
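Review bot: Under the luksDelKey removal, `if you want to remove particular passphrase, use *luksKeyRemove*` uses a command name that appears nowhere else in these notes; the entry just above it and the 1.0.7 notes both call it luksRemoveKey. Fix the name so users migrating away from luksDelKey are pointed at the right command. Separately, the `--dump-master-key` entry says the output "must be stored encrypted" and then suggests keeping it "printed on paper on safe place"; reword so the two statements do not contradict each other.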