Re: Debian installer formatting LUKS2 devices by default?

On 31/07/2018 09:53, Guilhem Moulin wrote:
> On Tue, 31 Jul 2018 at 06:00:30 +0000, Michael Kjörling wrote:
>> Obviously, there's nothing stopping whoever is installing the system
>> from dropping to a shell and setting up a container themselves, _even
>> if_ the installer _only_ does one version of on-disk format for LUKS.
>> So even if the installer _only_ does LUKS1, and the tools are built
>> with LUKS1 as default, it's not like that will _prevent_ people from
>> using the LUKS2 format if they really want to.
> 
> Sure, but now we can tell people wanting the installer to default to
> LUKS2 that it'll be the new upstream default in the future, and also
> give a rough ETA.  It's more efficient at appeasing them than replying
> they need to drop to a shell and manually format & unlock the volume :-)

Hi,

just an update to LUKS2 as a default:

I had to postpone a plan to release 2.1 with LUKS2 as the default format
(to January/February 2019), and we will very soon release 2.0.6 with some fixes
to LUKS2 format validation that need to be in place before we switch the default.

And the reason (long story):

The LUKS2 format supports variable sizes of metadata and keyslot areas,
and the documentation clearly defines the supported sizes.

Cryptsetup uses validation functions that should stop reading/writing an invalid header
from disk (to catch not only coding mistakes but also intentional header corruption).

Unfortunately, we kept too strict a validation in the code by mistake, so only the default
LUKS2 header size is recognized as a valid header now.

Currently only these default headers are present (both conversion and format
create only the default size), but in 2.1 we will provide an interface to
use different LUKS2 header sizes.
And these headers will not be usable with cryptsetup older than 2.0.6.

(Larger metadata areas are requested by some other projects that plan to use
the LUKS2 header for storing their own metadata used for unlocking LUKS2 devices.)

IOW the format is ok. We just messed up tests and validation code. Sorry about that.

Milan
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
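Added example, not part of the mail above and not cryptsetup's code: a small Python
parser for the LUKS2 binary header that checks the fields a reader has to validate
before trusting anything the header points at (magic, version, hdr_size, hdr_offset,
checksum). The set of accepted metadata-area sizes is a parameter, so the same function
can model the too-strict behaviour described in the mail (only the default 16 KiB
accepted) and the documented behaviour (16 KiB to 4 MiB, powers of two). The field
layout follows the LUKS2 on-disk format specification; the header built here is
synthetic, its UUID/salt values are made up, and its JSON area holds a placeholder
object rather than a complete LUKS2 JSON metadata object.

```python
"""Parse and validate a LUKS2 binary header and its checksum.

Illustrative code written for this page (not cryptsetup's implementation).
Field layout per the LUKS2 on-disk format specification; all header data
constructed here is synthetic.
"""
import hashlib
import json
import struct
from typing import Tuple

# Binary header, big-endian, 4096 bytes total:
#   magic[6] version:u16 hdr_size:u64 seqid:u64 label[48] csum_alg[32]
#   salt[64] uuid[40] subsystem[48] hdr_offset:u64 _pad[184] csum[64] _pad[3584]
HDR_STRUCT = struct.Struct(">6sHQQ48s32s64s40s48sQ184s64s3584s")
assert HDR_STRUCT.size == 4096
CSUM_OFFSET = 6 + 2 + 8 + 8 + 48 + 32 + 64 + 40 + 48 + 8 + 184  # = 448
CSUM_LEN = 64

MAGIC_1ST = b"LUKS\xba\xbe"  # primary header
MAGIC_2ND = b"SKUL\xba\xbe"  # secondary header

# Metadata-area sizes (binary header + JSON area) the LUKS2 docs allow:
# 16 KiB, 32 KiB, ..., 4 MiB.  hdr_size must be one of these.
DOCUMENTED_SIZES = frozenset(16384 << i for i in range(9))
# Model of the over-strict check the mail describes: only the default size.
STRICT_SIZES = frozenset({16384})


def header_checksum(area: bytes, alg: str = "sha256") -> bytes:
    """Digest over the whole metadata area with the csum field zeroed,
    padded to the 64-byte on-disk field (the spec's definition)."""
    zeroed = area[:CSUM_OFFSET] + b"\x00" * CSUM_LEN + area[CSUM_OFFSET + CSUM_LEN:]
    return hashlib.new(alg, zeroed).digest().ljust(CSUM_LEN, b"\x00")


def build_header(hdr_size: int, json_obj: dict, hdr_offset: int = 0,
                 seqid: int = 1, secondary: bool = False) -> bytes:
    """Construct a synthetic metadata area of hdr_size bytes.
    json_obj is only a placeholder, not a full LUKS2 JSON object."""
    json_bytes = json.dumps(json_obj).encode()
    if len(json_bytes) > hdr_size - 4096:
        raise ValueError("placeholder JSON does not fit in the JSON area")
    json_area = json_bytes.ljust(hdr_size - 4096, b"\x00")
    fields = (MAGIC_2ND if secondary else MAGIC_1ST, 2, hdr_size, seqid,
              b"", b"sha256", b"\x11" * 64,          # label, csum_alg, made-up salt
              b"0f9f6b2c-example-uuid", b"",          # made-up uuid, subsystem
              hdr_offset, b"", b"\x00" * CSUM_LEN, b"")
    area = HDR_STRUCT.pack(*fields) + json_area
    csum = header_checksum(area)
    return area[:CSUM_OFFSET] + csum + area[CSUM_OFFSET + CSUM_LEN:]


def parse_header(buf: bytes) -> dict:
    """Unpack the 4096-byte binary header into named fields (no validation)."""
    f = HDR_STRUCT.unpack_from(buf, 0)
    text = lambda b: b.rstrip(b"\x00").decode("ascii", "replace")
    return {"magic": f[0], "version": f[1], "hdr_size": f[2], "seqid": f[3],
            "label": text(f[4]), "csum_alg": text(f[5]), "salt": f[6],
            "uuid": text(f[7]), "subsystem": text(f[8]), "hdr_offset": f[9],
            "csum": f[11]}


def validate_header(buf: bytes, offset: int = 0,
                    allowed_sizes=DOCUMENTED_SIZES) -> Tuple[bool, str]:
    """Validate the binary header at `offset` in `buf` (a device image).
    Every check runs before the header's sizes are used to read anything."""
    if len(buf) < offset + 4096:
        return False, "device too small for a binary header"
    h = parse_header(buf[offset:offset + 4096])
    if h["magic"] not in (MAGIC_1ST, MAGIC_2ND):
        return False, "bad magic"
    if h["version"] != 2:
        return False, f"unsupported version {h['version']}"
    if h["hdr_size"] not in allowed_sizes:
        return False, f"hdr_size {h['hdr_size']} not an allowed metadata size"
    if h["hdr_offset"] != offset:
        return False, "hdr_offset does not match where the header was read"
    if offset + h["hdr_size"] > len(buf):
        return False, "hdr_size runs past the end of the device"
    try:
        expected = header_checksum(buf[offset:offset + h["hdr_size"]], h["csum_alg"])
    except ValueError:
        return False, f"unknown checksum algorithm {h['csum_alg']!r}"
    if expected != h["csum"]:
        return False, "checksum mismatch"
    return True, "ok"


if __name__ == "__main__":
    placeholder = {"config": {"json_size": "28672", "keyslots_size": "16777216"}}
    hdr32k = build_header(32768, placeholder)          # non-default 32 KiB header
    print("strict:    ", validate_header(hdr32k, allowed_sizes=STRICT_SIZES))
    print("documented:", validate_header(hdr32k))
```

With the default-only set a perfectly well-formed 32 KiB header is rejected with
"hdr_size 32768 not an allowed metadata size", while the documented set accepts it;
a flipped byte anywhere in the metadata area still fails the checksum check under
both, which is the part of the validation that actually guards against corruption.
The secondary header is validated the same way by passing offset=hdr_size of the
primary header.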