Hmm. Fails to build because it does not find linux/if_alg.h.

This is on Debian with a self-compiled 3.4.19. I suspect some
link to the kernel-headers is missing. Can anybody tell me what
I should link where? Kernel dir is linked to /usr/src/linux
as traditional.

Arno

On Sat, Dec 29, 2012 at 10:40:44PM +0100, Milan Broz wrote:
>
> The testing release candidate cryptsetup 1.6.0-rc1 is available at
>
>   http://code.google.com/p/cryptsetup/
>
> Feedback and bug reports are welcomed.
>
> Cryptsetup 1.6.0 Release Notes (RC1)
> ====================================
>
> Changes since version 1.5.1
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Important changes
> ~~~~~~~~~~~~~~~~~
>
> * Cryptsetup and libcryptsetup are now released under GPLv2+
>   (GPL version 2 or any later).
>   Some internal code handling files (loopaes, verity, tcrypt
>   and crypto backend wrapper) are LGPLv2+.
>
>   Previously code was GPL version 2 only.
>
>
> * Introducing new unified command open and close.
>
>   Example:
>     cryptsetup open --type plain|luks|loopaes|tcrypt <device> <name>
>     (type defaults to luks)
>
>   with backward-compatible aliases plainOpen, luksOpen, loopaesOpen,
>   tcryptOpen. Basically "open --type xyz" has alias "xyzOpen".
>
>   The "create" command (plain device create) is DEPRECATED but will
>   be still supported.
>   (This command is confusing because of switched arguments order.)
>
>   The close command is generic command to remove mapping and has
>   backward compatible aliases (remove, luksClose, ...) which behave
>   exactly the same.
>
>   While all old syntax is still supported, I strongly suggest to use
>   new command syntax which is common for all device types (and possible
>   new formats added in future).
>
>
> * cryptsetup now supports directly TCRYPT (TrueCrypt and compatible tc-play)
>   on-disk format
>   (Code is independent implementation not related to original project).
>
>   Only dump (tcryptDump command) and activation (open --type tcrypt or tcryptOpen)
>   of TCRYPT device are supported. No header changes are supported.
>
>   It is intended to easily access containers shared with other operating systems
>   without need to install 3rd party software. For native Linux installations LUKS
>   is the preferred format.
>
>   WARNING: TCRYPT extension requires kernel userspace crypto API to be available
>   (kernel af_alg and algif_skcipher modules, introduced in Linux kernel 2.6.38).
>
>   Because TCRYPT header is encrypted, you have to always provide valid
>   passphrase and keyfiles. Keyfiles are handled exactly the same as in original
>   format (basically, first 1MB of every keyfile is mixed using CRC32 into pool).
>
>   Cryptsetup should recognize all TCRYPT header variants ever released, except
>   legacy cipher chains using LRW encryption mode with 64 bits encryption block
>   (namely Blowfish in LRW mode is not recognized, this is limitation of kernel
>   crypto API).
>
>   Device activation is supported only for LRW/XTS modes (again, limitation
>   of kernel dmcrypt which does not implement TCRYPT extensions to CBC mode).
>   (So old containers cannot be activated, but you can use libcryptsetup
>   for lost password search, example of such code is included in misc directory.)
>
>   Hidden headers are supported using --tcrypt-hidden option, system encryption
>   using --tcrypt-system option.
>
>   For detailed description see man page.
>
>   EXAMPLE:
>   * Dump device parameters of container in file:
>
>     # cryptsetup tcryptDump tst
>     Enter passphrase:
>
>     TCRYPT header information for tst
>     Version:        5
>     Driver req.:    7
>     Sector size:    512
>     MK offset:      131072
>     PBKDF2 hash:    sha512
>     Cipher chain:   serpent-twofish-aes
>     Cipher mode:    xts-plain64
>     MK bits:        1536
>
>     You can also dump master key using --dump-master-key.
>     Dump does not require superuser privilege.
>
>   * Activation of this container
>
>     # cryptsetup tcryptOpen tst tcrypt_dev
>     Enter passphrase:
>     (Chain of dmcrypt devices is activated as /dev/mapper/tcrypt_dev.)
>
>   * See status of active TCRYPT device
>
>     # cryptsetup status tcrypt_dev
>
>     /dev/mapper/tcrypt_dev is active.
>     type:    TCRYPT
>     cipher:  serpent-twofish-aes-xts-plain64
>     keysize: 1536 bits
>     device:  /dev/loop0
>     loop:    /tmp/tst
>     offset:  256 sectors
>     size:    65024 sectors
>     skipped: 256 sectors
>     mode:    read/write
>
>   * And plaintext filesystem now ready to mount
>
>     # blkid /dev/mapper/tcrypt_dev
>     /dev/mapper/tcrypt_dev: SEC_TYPE="msdos" UUID="9F33-2954" TYPE="vfat"
>
>
> * Add (optional) support for libpwquality for new LUKS passwords.
>
>   If password is entered through terminal (no keyfile specified)
>   and cryptsetup is compiled with --enable-pwquality, default
>   system pwquality settings are used to check password quality.
>
>   You can always override this check by using new --force-password option.
>
>   For more info about pwquality project see http://libpwquality.fedorahosted.org/
>
>
> * Properly handle interrupt signals (ctrl+c and TERM signal) in tools
>
>   Code should now handle interrupt properly, release and explicitly wipe
>   in-memory key materials on interrupt.
>   (Direct users of libcryptsetup should always call crypt_free() when
>   code is interrupted to wipe all resources. There is no signal handling
>   in library, it is up to the tool using it.)
>
>
> * Add new benchmark command
>
>   The "benchmark" command now tries to benchmark PBKDF2 and some block
>   cipher variants. You can specify your own parameters (--cipher/--key-size
>   for block ciphers, --hash for PBKDF2).
>
>   See man page for detailed description.
>
>   WARNING: benchmark requires kernel userspace crypto API to be available
>   (kernel af_alg and algif_skcipher modules, introduced in Linux kernel 2.6.38).
>
>   EXAMPLE:
>     # cryptsetup benchmark
>     # Tests are approximate using memory only (no storage IO).
>     PBKDF2-sha1       111077 iterations per second
>     PBKDF2-sha256      53718 iterations per second
>     PBKDF2-sha512      18832 iterations per second
>     PBKDF2-ripemd160   89775 iterations per second
>     PBKDF2-whirlpool   23918 iterations per second
>     #  Algorithm | Key | Encryption | Decryption
>          aes-cbc   128b   212.0 MiB/s   428.0 MiB/s
>      serpent-cbc   128b    23.1 MiB/s    66.0 MiB/s
>      twofish-cbc   128b    46.1 MiB/s    50.5 MiB/s
>          aes-cbc   256b   163.0 MiB/s   350.0 MiB/s
>      serpent-cbc   256b    23.1 MiB/s    66.0 MiB/s
>      twofish-cbc   256b    47.0 MiB/s    50.0 MiB/s
>          aes-xts   256b   190.0 MiB/s   190.0 MiB/s
>      serpent-xts   256b    58.4 MiB/s    58.0 MiB/s
>      twofish-xts   256b    49.0 MiB/s    49.5 MiB/s
>          aes-xts   512b   175.0 MiB/s   175.0 MiB/s
>      serpent-xts   512b    59.0 MiB/s    58.0 MiB/s
>      twofish-xts   512b    48.5 MiB/s    49.5 MiB/s
>
>   Or you can specify cipher yourself:
>     # cryptsetup benchmark --cipher cast5-cbc-essiv:sha256 -s 128
>     # Tests are approximate using memory only (no storage IO).
>     #  Algorithm | Key | Encryption | Decryption
>        cast5-cbc   128b    32.4 MiB/s    35.0 MiB/s
>
>   WARNING: these tests do not use dmcrypt, only crypto API.
>   You have to benchmark the whole device stack and you can get completely
>   different results. But it is usable for basic comparison.
>   (Note for example AES-NI decryption optimization effect in example above.)
>
> Features
> ~~~~~~~~
>
> * Do not maintain ChangeLog file anymore, see git log for detailed changes,
>   e.g. here http://code.google.com/p/cryptsetup/source/list
>
> * Move change key into library, add crypt_keyslot_change_by_passphrase().
>   This change is useful mainly in FIPS mode, where we cannot
>   extract volume key directly from libcryptsetup.
>
> * Add verbose messages during reencryption.
>
> * Default LUKS PBKDF2 iteration time is now configurable.
>
> * Add simple cipher benchmarking API.
>
> * Add kernel skcipher backend.
>
> * Add CRC32 implementation (for TCRYPT).
>
> * Move PBKDF2 into crypto backend wrapper.
>   This allows use of it in other formats, use of library implementations and
>   also possible use of different KDF function in future.
>
> * New PBKDF2 benchmark using getrusage().
>
> Fixes
> ~~~~~
>
> * Avoid O_DIRECT open if underlying storage doesn't support it.
>
> * Fix some non-translated messages.
>
> * Fix regression in header backup (1.5.1) with container in file.
>
> * Fix blockwise read/write for end writes near end of device.
>   (was not used in previous versions)
>
> * Ignore setpriority failure.
>
> * Code changes to fix/ignore problems found by Coverity static analysis, including
>   - Get page size should never fail.
>   - Fix time of check/use (TOCTOU test) in tools
>   - Fix time of check/use in loop/wipe utils.
>   - Fix time of check/use in device utils.
>
> * Disallow header restore if context is non-LUKS device.
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
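
The two WARNING paragraphs in the quoted notes make the kernel userspace crypto API (af_alg and algif_skcipher) a hard requirement for TCRYPT and for the benchmark command. The following is an added example, not code from cryptsetup or from this thread, that checks at run time whether AF_ALG and a given skcipher are usable; `probe_skcipher` is a hypothetical name and the algorithm strings are kernel crypto API names chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>   /* userspace header of the kernel crypto API */

#ifndef AF_ALG
#define AF_ALG 38           /* older libc headers may lack the constant */
#endif

/* Returns  1 if the kernel offers skcipher `name`,
 *          0 if AF_ALG works but the algorithm cannot be bound,
 *         -1 if AF_ALG sockets are unavailable (af_alg missing, old kernel),
 *         -2 if `name` does not fit into salg_name. */
int probe_skcipher(const char *name)
{
    struct sockaddr_alg sa;
    int fd, rc;

    memset(&sa, 0, sizeof(sa));
    if (strlen(name) >= sizeof(sa.salg_name))
        return -2;
    sa.salg_family = AF_ALG;
    strcpy((char *)sa.salg_type, "skcipher");
    strcpy((char *)sa.salg_name, name);

    fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd < 0)
        return -1;
    /* bind() makes the kernel look up (and if needed load) the algorithm. */
    rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    close(fd);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed list: modes named in the release notes, in kernel syntax. */
    static const char *names[] = { "xts(aes)", "xts(serpent)", "xts(twofish)",
                                   "lrw(aes)", "cbc(aes)" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-14s %d\n", names[i], probe_skcipher(names[i]));
    return 0;
}
```

If the compile step itself stops at `linux/if_alg.h`, the userspace kernel headers under /usr/include predate 2.6.38; on Debian those come from the linux-libc-dev package, not from the tree under /usr/src/linux.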
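
The keyfile handling summarised in the quoted notes ("first 1MB of every keyfile is mixed using CRC32 into pool"), as an added sketch that is not code from cryptsetup or from the message. The 64-byte pool, the 0xFFFFFFFF starting value, the byte order and the way the passphrase is added follow the TrueCrypt keyfile scheme and are assumptions beyond what the notes state; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_LEN    64             /* assumed pool size, not stated in the notes */
#define KEYFILE_MAX (1024 * 1024)  /* "first 1MB of every keyfile" */

/* One byte of reflected CRC-32 (poly 0xEDB88320); no final XOR is applied. */
static uint32_t crc32_step(uint32_t crc, uint8_t byte)
{
    crc ^= byte;
    for (int k = 0; k < 8; k++)
        crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    return crc;
}

/* Mix one keyfile into a pool zeroed before the first keyfile (mod-256 adds). */
void pool_add_keyfile(uint8_t pool[POOL_LEN], const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    size_t pos = 0;
    if (len > KEYFILE_MAX) len = KEYFILE_MAX;   /* bytes past 1 MiB are ignored */
    for (size_t i = 0; i < len; i++) {
        crc = crc32_step(crc, data[i]);
        pool[pos++] += (uint8_t)(crc >> 24);    /* running CRC, high byte first */
        pool[pos++] += (uint8_t)(crc >> 16);
        pool[pos++] += (uint8_t)(crc >> 8);
        pool[pos++] += (uint8_t)crc;
        pos %= POOL_LEN;
    }
}

/* Add passphrase bytes onto the pool; the result is the PBKDF2 input. */
void pool_apply(const uint8_t pool[POOL_LEN], const char *pass, uint8_t out[POOL_LEN])
{
    size_t n = strlen(pass);
    for (size_t i = 0; i < POOL_LEN; i++)
        out[i] = (uint8_t)(pool[i] + (i < n ? (uint8_t)pass[i] : 0));
}

int main(void)
{
    uint8_t pool[POOL_LEN] = {0}, out[POOL_LEN];
    pool_add_keyfile(pool, (const uint8_t *)"constructed keyfile A", 21);
    pool_add_keyfile(pool, (const uint8_t *)"constructed keyfile B", 21);
    pool_apply(pool, "constructed passphrase", out);
    for (size_t i = 0; i < POOL_LEN; i++)
        printf("%02x", out[i]);
    putchar('\n');
    return 0;
}
```

Because every keyfile is added into the same pool, the order in which keyfiles are supplied does not change the result, and anything after the first 1 MiB of a keyfile contributes nothing.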