Commit a0b795be authored by Milan Broz

Enable LUKS hash setting and document it.



git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@83 36d66b0a-2a48-0410-832c-cd162a569da5
parent 1a10c59b
......@@ -7,6 +7,7 @@
* Add required parameters for changing hash used in LUKS key setup scheme.
* Do not export simple XOR helper now used only inside AF functions.
* Completely remove internal SHA1 implementanion code, not needed anymore.
* Enable hash algorithm selection for LUKS through -h luksFormat option.
2009-07-28 Milan Broz <mbroz@redhat.com>
* Pad luks header to 512 sector size.
......
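Review bot: The new ChangeLog entry "Enable hash algorithm selection for LUKS through -h luksFormat option." reads as if "-h luksFormat" were a single option; "through the -h option of luksFormat" would be clearer. The entry directly above it also carries a typo, "implementanion", which could be corrected while this block is being touched.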
......@@ -78,6 +78,12 @@ test:
@sync
testing/fileDiffer.py $(IMG) $(ORIG_IMG) $(LUKS_HEADER) $(KEY_SLOT0) $(KEY_MATERIAL0)
@echo Case: format using hash sha512
@cp $(IMG) $(ORIG_IMG)
echo "key0" | ../src/cryptsetup -v -i 1000 -h sha512 -c aes-cbc-essiv:sha256 luksFormat $(LOOPDEV)
@sync
testing/fileDiffer.py $(IMG) $(ORIG_IMG) $(LUKS_HEADER) $(KEY_SLOT0) $(KEY_MATERIAL0)
@echo Case: open
# Image must not change
@cp $(IMG) $(ORIG_IMG)
......
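Review bot: In the new "format using hash sha512" case the only check is the same testing/fileDiffer.py comparison over $(LUKS_HEADER), $(KEY_SLOT0) and $(KEY_MATERIAL0) that the preceding case uses, so as far as these lines show the case would also pass if -h were silently ignored and the header still recorded sha1. Consider following the luksFormat with a luksDump of $(LOOPDEV) and checking that the reported hash is sha512, so the test fails when the option has no effect.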
......@@ -84,7 +84,14 @@ For more information about LUKS, see \fBhttp://code.google.com/p/cryptsetup/wiki
.SH OPTIONS
.TP
.B "\-\-hash, \-h"
specifies hash to use for password hashing. This option is only relevant for \fIcreate\fR action. The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported. Default is "ripemd160".
For \fIcreate\fR action specifies hash to use for password hashing.
For \fIluksFormat\fR action specifies hash used in LUKS key setup scheme and volume key digest.
\fBWARNING:\fR setting hash other than \fBsha1\fR causes LUKS device incompatible with older version of cryptsetup.
The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported.
Default is \fB"ripemd160"\fR for \fIcreate\fR action and \fB"sha1"\fR for \fIluksFormat\fR.
.TP
.B "\-\-cipher, \-c"
set cipher specification string. For plain dm-crypt mappings, the default is "aes-cbc-plain", for LUKS mappings it's "aes-cbc-essiv:sha256". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256".
......
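Review bot: The WARNING sentence in the new \-\-hash text is ungrammatical and does not say which releases are affected: "setting hash other than \fBsha1\fR causes LUKS device incompatible with older version of cryptsetup". Suggest "setting a hash other than \fBsha1\fR makes the LUKS device incompatible with older versions of cryptsetup", and name the first version that can open such a device so that an administrator can judge whether recovery tooling and other hosts will still be able to unlock the volume.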
......@@ -258,9 +258,7 @@ static int action_luksFormat(int arg)
.key_slot = opt_key_slot,
.device = action_argv[0],
.cipher = opt_cipher?opt_cipher:DEFAULT_LUKS_CIPHER,
.hash = DEFAULT_LUKS_HASH,
// FIXME: enable other hash use here
//.hash = opt_hash ?: DEFAULT_LUKS_HASH,
.hash = opt_hash ?: DEFAULT_LUKS_HASH,
.new_key_file = action_argc > 1 ? action_argv[1] : NULL,
.flags = opt_verify_passphrase ? CRYPT_FLAG_VERIFY : (!opt_batch_mode?CRYPT_FLAG_VERIFY_IF_POSSIBLE : 0),
.iteration_time = opt_iteration_time,
......
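Review bot: The new initializer `.hash = opt_hash ?: DEFAULT_LUKS_HASH,` relies on the GNU C conditional with an omitted middle operand, while the `.cipher` line two lines above spells out the full ternary; `opt_hash ? opt_hash : DEFAULT_LUKS_HASH` would be portable and consistent with it. Nothing in this hunk checks the user-supplied name before it goes into the format parameters, so it is worth confirming that an unknown hash is rejected before any header data is written to the device.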