Diffstat (limited to 'docs')
-rw-r--r-- docs/ChangeLog.old 16
-rw-r--r-- docs/doxygen_index 2
-rw-r--r-- docs/v1.6.3-ReleaseNotes 50
-rw-r--r-- docs/v1.6.4-ReleaseNotes 57
-rw-r--r-- docs/v1.6.5-ReleaseNotes 54
-rw-r--r-- docs/v1.6.6-ReleaseNotes 29
-rw-r--r-- docs/v1.6.7-ReleaseNotes 84
7 files changed, 283 insertions, 9 deletions
diff --git a/docs/ChangeLog.old b/docs/ChangeLog.old
index 970c25d..e51d362 100644
--- a/docs/ChangeLog.old
+++ b/docs/ChangeLog.old
@@ -834,16 +834,16 @@
* lib/utils.c: Add read|write_blockwise functions, to use in
O_DIRECT file accesses.
-2004-03-11 Thursday 15:52 Christophe Saout <christophe@saout.de>
+2004-03-11 Thursday 15:52 Jana Saout <jana@saout.de>
* lib/blockdev.h: BLKGETSIZE64 really uses size_t as third
argument, the rest is wrong.
-2004-03-10 Wednesday 17:50 Christophe Saout <christophe@saout.de>
+2004-03-10 Wednesday 17:50 Jana Saout <jana@saout.de>
* lib/: libcryptsetup.h, libdevmapper.c: Small fixes.
-2004-03-09 Tuesday 21:41 Christophe Saout <christophe@saout.de>
+2004-03-09 Tuesday 21:41 Jana Saout <jana@saout.de>
* lib/internal.h, lib/libcryptsetup.h, lib/libdevmapper.c,
lib/setup.c, po/de.po, src/cryptsetup.c: Added internal flags to
@@ -851,7 +851,7 @@
add a function to free the memory. Also add a readonly flag to
libcryptsetup.
-2004-03-09 Tuesday 16:03 Christophe Saout <christophe@saout.de>
+2004-03-09 Tuesday 16:03 Jana Saout <jana@saout.de>
* ChangeLog, configure.in, setup-gettext, lib/Makefile.am,
lib/backends.c, lib/blockdev.h, lib/gcrypt.c, lib/internal.h,
@@ -859,7 +859,7 @@
lib/utils.c, po/de.po, src/Makefile.am, src/cryptsetup.c: More
reorganization work.
-2004-03-08 Monday 01:38 Christophe Saout <christophe@saout.de>
+2004-03-08 Monday 01:38 Jana Saout <jana@saout.de>
* ChangeLog, Makefile.am, acinclude.m4, configure.in,
lib/Makefile.am, lib/backends.c, lib/blockdev.h, lib/gcrypt.c,
@@ -867,19 +867,19 @@
src/Makefile.am: BLKGETSIZE64 fixes and started modularity
enhancements
-2004-03-04 Thursday 21:06 Christophe Saout <christophe@saout.de>
+2004-03-04 Thursday 21:06 Jana Saout <jana@saout.de>
* Makefile.am, po/de.po, src/cryptsetup.c, src/cryptsetup.h: First
backward compatible working version.
-2004-03-04 Thursday 00:42 Christophe Saout <christophe@saout.de>
+2004-03-04 Thursday 00:42 Jana Saout <jana@saout.de>
* NEWS, AUTHORS, ChangeLog, Makefile.am, README, autogen.sh,
configure.in, setup-gettext, po/ChangeLog, po/LINGUAS,
po/POTFILES.in, po/de.po, src/cryptsetup.c, src/cryptsetup.h,
src/Makefile.am (utags: initial): Initial checkin.
-2004-03-04 Thursday 00:42 Christophe Saout <christophe@saout.de>
+2004-03-04 Thursday 00:42 Jana Saout <jana@saout.de>
* NEWS, AUTHORS, ChangeLog, Makefile.am, README, autogen.sh,
configure.in, setup-gettext, po/ChangeLog, po/LINGUAS,
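Review bot: the author-line replacements in the ChangeLog.old hunks change both the name and the address (<christophe@saout.de> to <jana@saout.de>) in historical 2004 entries, and the diffstat here is limited to docs, so it does not show whether AUTHORS and the other attribution files received the same update. Please confirm they match, and consider carrying this rename as its own commit rather than alongside the release notes additions, so the attribution change is easy to find in history.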
diff --git a/docs/doxygen_index b/docs/doxygen_index
index 3bca941..ec394ad 100644
--- a/docs/doxygen_index
+++ b/docs/doxygen_index
@@ -56,7 +56,7 @@
* in a persistent way on the device. Keyslot area is an array beyond LUKS header, where
* volume key is stored in the encrypted form using user input passphrase. For more info about
* LUKS keyslots and how it's actually protected, please look at
- * <A HREF="http://code.google.com/p/cryptsetup/wiki/Specification">LUKS specification</A>.
+ * <A HREF="https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification">LUKS specification</A>.
* There are two basic methods to create a new keyslot:
*
* @subsection ckeyslot_vol crypt_keyslot_add_by_volume_key()
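Review bot: the new HREF in the keyslot paragraph points at a wiki page (https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification), so the API documentation now depends on that wiki path staying in place. The move from http to https is good; please also search the remaining docs for other code.google.com links so they get the same update in this change.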
diff --git a/docs/v1.6.3-ReleaseNotes b/docs/v1.6.3-ReleaseNotes
new file mode 100644
index 0000000..24254b8
--- /dev/null
+++ b/docs/v1.6.3-ReleaseNotes
@@ -0,0 +1,50 @@
+Cryptsetup 1.6.3 Release Notes
+==============================
+
+Changes since version 1.6.2
+
+* Fix cryptsetup reencryption tool to work properly
+ with devices using 4kB sectors.
+
+* Always use page size if running through loop device,
+ this fixes failures for external LUKS header and
+ filesystem requiring 4kB block size.
+
+* Fix TCRYPT system encryption mapping for multiple partitions.
+ Since this commit, one can use partition directly as device parameter.
+ If you need to activate such partition from image in file,
+ please first use map partitioned loop device (losetup -P)
+ on image.
+ (Cryptsetup require partition offsets visible in kernel sysfs
+ in this mode.)
+
+* Support activation of old TrueCrypt containers using CBC mode
+ and whitening (created in TrueCrypt version < 4.1).
+ This requires Linux kernel 3.13 or later.
+ (Containers with cascade CBC ciphers are not supported.)
+
+* Properly display keys in dump --dump-master-key command
+ for TrueCrypt CBC containers.
+
+* Rewrite cipher benchmark loop which was unreliable
+ on very fast machines.
+
+* Add warning if LUKS device was activated using non-cryptsetup
+ library which did not set UUID properly (e.g. cryptmount).
+ (Some commands, like luksSuspend, are not available then.)
+
+* Support length limitation also for plain (no hash) length.
+ This can be used for mapping problematic cryptosystems which
+ wipes some key (losetup sometimes set last 32 byte to zero,
+ which can be now configured as --hash plain:31 parameter).
+
+* Fix hash limit if parameter is not a number.
+ (The whole key was set to zero instead of command failure.)
+
+* Unify --key-slot behavior in cryptsetup_reencrypt tool.
+
+* Update dracut example scripts for system reencryption on first boot.
+
+* Add command line option --tcrypt-backup to access TCRYPT backup header.
+
+* Fix static compilation with OpenSSL.
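Review bot: the "Fix hash limit if parameter is not a number" entry says the whole key was set to zero instead of the command failing, but it does not tell users what to do about mappings already created that way; an all-zero key gives no protection, so a sentence on how to recognise and re-create such a mapping would help. Separately, in the plain length entry "last 32 byte" next to "--hash plain:31" reads ambiguously (the 32nd byte, or 32 bytes?), and "Cryptsetup require" in the TCRYPT entry should be "Cryptsetup requires".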
diff --git a/docs/v1.6.4-ReleaseNotes b/docs/v1.6.4-ReleaseNotes
new file mode 100644
index 0000000..ebc71cb
--- /dev/null
+++ b/docs/v1.6.4-ReleaseNotes
@@ -0,0 +1,57 @@
+Cryptsetup 1.6.4 Release Notes
+==============================
+
+Changes since version 1.6.3
+
+* Implement new erase (with alias luksErase) command.
+
+ The erase cryptsetup command can be used to permanently erase
+ all keyslots and make the LUKS container inaccessible.
+ (The only way to unlock such device is to use LUKS header backup
+ created before erase command was used.)
+
+ You do not need to provide any password for this operation.
+
+ This operation is irreversible.
+
+* Add internal "whirlpool_gcryptbug hash" for accessing flawed
+ Whirlpool hash in gcrypt (requires gcrypt 1.6.1 or above).
+
+ The gcrypt version of Whirlpool hash algorithm was flawed in some
+ situations.
+
+ This means that if you used Whirlpool in LUKS header and upgraded
+ to new gcrypt library your LUKS container become inaccessible.
+
+ Please refer to cryptsetup FAQ for detail how to fix this situation.
+
+* Allow to use --disable-gcrypt-pbkdf2 during configuration
+ to force use internal PBKDF2 code.
+
+* Require gcrypt 1.6.1 for imported implementation of PBKDF2
+ (PBKDF2 in gcrypt 1.6.0 is too slow).
+
+* Add --keep-key to cryptsetup-reencrypt.
+
+ This allows change of LUKS header hash (and iteration count) without
+ the need to reencrypt the whole data area.
+ (Reencryption of LUKS header only without master key change.)
+
+* By default verify new passphrase in luksChangeKey and luksAddKey
+ commands (if input is from terminal).
+
+* Fix memory leak in Nettle crypto backend.
+
+* Support --tries option even for TCRYPT devices in cryptsetup.
+
+* Support --allow-discards option even for TCRYPT devices.
+ (Note that this could destroy hidden volume and it is not suggested
+ by original TrueCrypt security model.)
+
+* Link against -lrt for clock_gettime to fix undefined reference
+ to clock_gettime error (introduced in 1.6.2).
+
+* Fix misleading error message when some algorithms are not available.
+
+* Count system time in PBKDF2 benchmark if kernel returns no self usage info.
+ (Workaround to broken getrusage() syscall with some hypervisors.)
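Review bot: the erase entry states that no password is needed and that the operation is irreversible, but not what access to the device is required to run it; please state that, and recommend taking a LUKS header backup beforehand, since the entry itself names that backup as the only recovery path. In the Whirlpool entry the closing quote is misplaced ("whirlpool_gcryptbug hash" should be "whirlpool_gcryptbug" hash) and "your LUKS container become inaccessible" should be "becomes inaccessible".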
diff --git a/docs/v1.6.5-ReleaseNotes b/docs/v1.6.5-ReleaseNotes
new file mode 100644
index 0000000..dc9f525
--- /dev/null
+++ b/docs/v1.6.5-ReleaseNotes
@@ -0,0 +1,54 @@
+Cryptsetup 1.6.5 Release Notes
+==============================
+
+Changes since version 1.6.4
+
+* Allow LUKS header operation handling without requiring root privilege.
+ It means that you can manipulate with keyslots as a regular user, only
+ write access to device (or image) is required.
+
+ This requires kernel crypto wrapper (similar to TrueCrypt device handling)
+ to be available (CRYPTO_USER_API_SKCIPHER kernel option).
+ If this kernel interface is not available, code fallbacks to old temporary
+ keyslot device creation (where root privilege is required).
+
+ Note that activation, deactivation, resize and suspend operations still
+ need root privilege (limitation of kernel device-mapper backend).
+
+* Fix internal PBKDF2 key derivation function implementation for alternative
+ crypto backends (kernel, NSS) which do not support PBKDF2 directly and have
+ issues with longer HMAC keys.
+
+ This fixes the problem for long keyfiles where either calculation is too slow
+ (because of internal rehashing in every iteration) or there is a limit
+ (kernel backend seems to not support HMAC key longer than 20480 bytes).
+
+ (Note that for recent version of gcrypt, nettle or openssl the internal
+ PBKDF2 code is not compiled in and crypto library internal functions are
+ used instead.)
+
+* Support for Python3 for simple Python binding.
+ Python >= 2.6 is now required. You can set Python compiled version by setting
+ --with-python_version configure option (together with --enable-python).
+
+* Use internal PBKDF2 in Nettle library for Nettle crypto backend.
+ Cryptsetup compilation requires Nettle >= 2.6 (if using Nettle crypto backend).
+
+* Allow simple status of crypt device without providing metadata header.
+ The command "cryptsetup status" will print basic info, even if you
+ do not provide detached header argument.
+
+* Allow to specify ECB mode in cryptsetup benchmark.
+
+* Add some LUKS images for regression testing.
+ Note that if image with Whirlpool fails, the most probable cause is that
+ you have old gcrypt library with flawed whirlpool hash.
+ Read FAQ section 8.3 for more info.
+
+Cryptsetup API NOTE:
+The direct terminal handling for passphrase entry will be removed from
+libcryptsetup in next major version (application should handle it itself).
+
+It means that you have to always either provide password in buffer or set
+your own password callback function trhough crypt_set_password_callback().
+See API documentation (or libcryptsetup.h) for more info.
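Review bot: in the API NOTE at the end of this file, "trhough crypt_set_password_callback()" is a typo for "through"; the same paragraph in the 1.6.6 and 1.6.7 notes added by this change is spelled correctly. In the first entry, "code fallbacks to" should be "code falls back to" and "manipulate with keyslots" should be "manipulate keyslots".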
diff --git a/docs/v1.6.6-ReleaseNotes b/docs/v1.6.6-ReleaseNotes
new file mode 100644
index 0000000..9d1fbee
--- /dev/null
+++ b/docs/v1.6.6-ReleaseNotes
@@ -0,0 +1,29 @@
+Cryptsetup 1.6.6 Release Notes
+==============================
+
+Changes since version 1.6.5
+
+* LUKS: Fix keyslot device access for devices which
+ do not support direct IO operations. (Regression in 1.6.5.)
+
+* LUKS: Fallback to old temporary keyslot device mapping method
+ if hash (for ESSIV) is not supported by userspace crypto
+ library. (Regression in 1.6.5.)
+
+* Properly activate device with discard (TRIM for SSDs)
+ if requested even if dm_crypt module is not yet loaded.
+ Only if discard is not supported by the old kernel then
+ the discard option is ignored.
+
+* Fix some static analysis build warnings (scan-build).
+
+* Report crypto lib version only once (and always add kernel
+ version) in debug output.
+
+Cryptsetup API NOTE:
+The direct terminal handling for passphrase entry will be removed from
+libcryptsetup in next major version (application should handle it itself).
+
+It means that you have to always either provide password in buffer or set
+your own password callback function through crypt_set_password_callback().
+See API documentation (or libcryptsetup.h) for more info.
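Review bot: the discard entry ends with "Only if discard is not supported by the old kernel then the discard option is ignored", which does not say whether the user is told that the requested option was dropped; please state whether a warning is printed, and reword to something like "The discard option is ignored only if the kernel does not support it". The two LUKS entries marked "(Regression in 1.6.5.)" could also say directly that 1.6.5 users on the affected setups should upgrade.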
diff --git a/docs/v1.6.7-ReleaseNotes b/docs/v1.6.7-ReleaseNotes
new file mode 100644
index 0000000..edb73e5
--- /dev/null
+++ b/docs/v1.6.7-ReleaseNotes
@@ -0,0 +1,84 @@
+Cryptsetup 1.6.7 Release Notes
+==============================
+
+Changes since version 1.6.6
+
+* Cryptsetup git and wiki are now hosted on GitLab.
+ https://gitlab.com/cryptsetup/cryptsetup
+
+ Repository of stable releases remains on kernel.org site
+ https://www.kernel.org/pub/linux/utils/cryptsetup/
+
+ For more info please see README file.
+
+* Cryptsetup TCRYPT mode now supports VeraCrypt devices (TrueCrypt extension).
+
+ The VeraCrypt extension only increases iteration count for the key
+ derivation function (on-disk format is the same as TrueCrypt format).
+
+ Note that unlocking of a VeraCrypt device can take very long time if used
+ on slow machines.
+
+ To use this extension, add --veracrypt option, for example
+ cryptsetup open --type tcrypt --veracrypt <container> <name>
+
+ For use through libcryptsetup, just add CRYPT_TCRYPT_VERA_MODES flag.
+
+* Support keyfile-offset and keyfile-size options even for plain volumes.
+
+* Support keyfile option for luksAddKey if the master key is specified.
+
+* For historic reasons, hashing in the plain mode is not used
+ if keyfile is specified (with exception of --key-file=-).
+ Print a warning if these parameters are ignored.
+
+* Support permanent device decryption for cryptsetup-reencrypt.
+ To remove LUKS encryption from a device, you can now use --decrypt option.
+
+* Allow to use --header option in all LUKS commands.
+ The --header always takes precedence over positional device argument.
+
+* Allow luksSuspend without need to specify a detached header.
+
+* Detect if O_DIRECT is usable on a device allocation.
+ There are some strange storage stack configurations which wrongly allows
+ to open devices with direct-io but fails on all IO operations later.
+
+ Cryptsetup now tries to read the device first sector to ensure it can use
+ direct-io.
+
+* Add low-level performance options tuning for dmcrypt (for Linux 4.0 and later).
+
+ Linux kernel 4.0 contains rewritten dmcrypt code which tries to better utilize
+ encryption on parallel CPU cores.
+
+ While tests show that this change increases performance on most configurations,
+ dmcrypt now provides some switches to change its new behavior.
+
+ You can use them (per-device) with these cryptsetup switches:
+ --perf-same_cpu_crypt
+ --perf-submit_from_crypt_cpus
+
+ Please use these only in the case of serious performance problems.
+ Refer to the cryptsetup man page and dm-crypt documentation
+ (for same_cpu_crypt and submit_from_crypt_cpus options).
+ https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
+
+* Get rid of libfipscheck library.
+ (Note that this option was used only for Red Hat and derived distributions.)
+ With recent FIPS changes we do not need to link to this FIPS monster anymore.
+ Also drop some no longer needed FIPS mode checks.
+
+* Many fixes and clarifications to man pages.
+
+* Prevent compiler to optimize-out zeroing of buffers for on-stack variables.
+
+* Fix a crash if non-GNU strerror_r is used.
+
+Cryptsetup API NOTE:
+The direct terminal handling for passphrase entry will be removed from
+libcryptsetup in next major version (application should handle it itself).
+
+It means that you have to always either provide password in buffer or set
+your own password callback function through crypt_set_password_callback().
+See API documentation (or libcryptsetup.h) for more info.
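Review bot: the entry "Prevent compiler to optimize-out zeroing of buffers for on-stack variables" is security relevant but gives no indication of which buffers were affected or since which version; a short sentence on that would let users judge their exposure, and the wording should read "Prevent the compiler from optimizing out". The --decrypt entry would benefit from a sentence stating that the operation leaves the data unencrypted on the device, and "this FIPS monster" is out of register for release notes.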