On Mon, Oct 10, 2011 at 09:25:07PM +0200, Milan Broz wrote: > > The first cryptsetup 1.4.0-rc1 release candidate is available at > > http://code.google.com/p/cryptsetup/ > > Feedback and bug reports are welcomed. > > > Cryptsetup 1.4.0 Release Notes > ============================== > > Changes since version 1.3.1 > > Important changes > ~~~~~~~~~~~~~~~~~ > > WARNING: This release removes old deprecated API from libcryptsetup > (all functions using struct crypt_options). > > This require libcrypsetup version change and > rebuild of applications using cryptsetup library. > All new API symbols are backward compatible. > > * If device is not rotational disk, cryptsetup no longer tries > to wipe keyslot with Gutmann algorithm for magnetic media erase > but simply rewrites area once by random data. Hmm. How do you determine that? Not that I see any fundamental problem, > * The on-disk LUKS header can now be detached (e.g. placed on separate > device or in file) using new --header option. Nice! > This option is only relevant for LUKS devices and can be used in > luksFormat, luksOpen, luksSuspend, luksResume and resize commands. > > If used with luksFormat the --align-payload option is taken > as absolute sector alignment on ciphertext device and can be zero. > > Example: > Create LUKS device with ciphertext device on /dev/sdb and header > on device /dev/sdc. Use all space on /dev/sdb (no reserved area for header). > > cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0 > > Activate such device: > cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk > > You can use file for LUKS header (loop device will be used while > manipulating with such detached header), just you have to create > large enough file in advance. > > dd if=/dev/zero of=/mnt/luks_header bs=1M count=4 > cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0 > > Activation is the same as above. > > cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk > > All keyslot operations need to be run on _header_ not on ciphertext device, > an example: > > cryptsetup luksAddKey /mnt/luks_header > > If you do not use --align-payload 0, you can later restore LUKS header > on device itself (and use it as normal LUKS device without detached header). > > WARNING: There is no possible check that specified ciphertext device > matches detached on-disk header. Use with care, it can destroy > your data in case of a mistake. It should refuse to mount though, just like a plain dm-crypt device if you enter the wrong passphrase. > WARNING: Storing LUKS header in a file means that anti-forensic splitter > cannot properly work (there is filesystem allocation layer between > header and disk). You mean the splitted data may end up all over the disk making wiping problematic, especially if the filesystem does "overwrites" to different places? > * Support --enable-discards option to allow discards/TRIM requests. > > Since kernel 3.1, dm-crypt devices optionally (not by default) support > block discards (TRIM) comands. > If you want to enable this operation, you have to enable it manually > on every activation using --enable-discards > > cryptsetup luksOpen --enable-discards /dev/sdb test_disk > > WARNING: There are several security consequences, please read at least > http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html > before you enable it. > > * Add --shared option for creating non-overlapping crypt segments. > > The --shared options checks that mapped segments are not overlapping > and allows non-exclusive access to underlying device. > Only plain crypt devices can be used in this mode. > > Example - map 64M of device disk and following 32 M area as another disk. > > cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536 > cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared > > (It can be used to simulate trivial hidden disk concepts.) > > libcryptsetup API changes: > * Added options to suport detached metadata device > crypt_init_by_name_and_header() > crypt_set_data_device() > * Add crypt_last_error() API call. > * Fix plain crypt format parameters to include size option. > * Add crypt_get_iv_offset() function. > > * Remove old API functions (all functions using crypt_options). > > * Support key-slot option for luksOpen (use only explicit keyslot). > > You can now specify key slot in luksOpen and limit checking > only to specified slot. > > * Support retries and timeout parameters for luksSuspend. > (The same way as in luksOpen.) > > * Add doxygen-like documentation (it will be available on project page later). > (To generate it manually run doxygen in docs directory.) > > Other changes > ~~~~~~~~~~~~~ > * Fix crypt_load to properly check device size. > * Do not allow context format of already formatted device. > * Do not allow key retrieval while suspended (key could be wiped). > * Do not allow suspend for non-LUKS devices. > * Fix luksKillSLot exit code if slot is inactive or invalid. > * Fix exit code if passphrases do not match in luksAddKey. > * Fix return code for status command when device doesn't exists. > * Support Nettle 2.4 crypto backend (supports ripemd160). > * Add LUKS on-disk format description into package. Good. > * Enhance check of device size before writing LUKS header. To prevent problems if the device is smaller than the header? > * Add more paranoid checks for LUKS header and keyslot attributes. > * Use new /dev/loop-control (kernel 3.1) if possible. > * Remove hash/hmac restart from crypto backend and make it part of hash/hmac final. > * Improve check for invalid offset and size values. > * Revert default initialisation of volume key in crypt_init_by_name(). > * Add more regression tests. > * Add some libcryptsetup example files (see docs/examples). Good. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
