[dm-crypt] [ANNOUNCE] cryptsetup 1.6.7

Milan Broz gmazyland at gmail.com
Mon Mar 23 18:54:08 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The stable cryptsetup 1.6.7 release is available at

    https://gitlab.com/cryptsetup/cryptsetup

Please note that release packages are located on kernel.org

    https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/

Feedback and bug reports are welcomed.

Cryptsetup 1.6.7 Release Notes
==============================

Changes since version 1.6.6

* Cryptsetup git and wiki are now hosted on GitLab.
  https://gitlab.com/cryptsetup/cryptsetup

  Repository of stable releases remains on kernel.org site
  https://www.kernel.org/pub/linux/utils/cryptsetup/

  For more info please see README file.

* Cryptsetup TCRYPT mode now supports VeraCrypt devices (TrueCrypt extension).

  The VeraCrypt extension only increases iteration count for the key
  derivation function (on-disk format is the same as TrueCrypt format).

  Note that unlocking of a VeraCrypt device can take very long time if used
  on slow machines.

  To use this extension, add --veracrypt option, for example
    cryptsetup open --type tcrypt --veracrypt <container> <name>

  For use through libcryptsetup, just add CRYPT_TCRYPT_VERA_MODES flag.

* Support keyfile-offset and keyfile-size options even for plain volumes.

* Support keyfile option for luksAddKey if the master key is specified.

* For historic reasons, hashing in the plain mode is not used
  if keyfile is specified (with exception of --key-file=-).
  Print a warning if these parameters are ignored.

* Support permanent device decryption for cryptsetup-reencrypt.
  To remove LUKS encryption from a device, you can now use --decrypt option.

* Allow to use --header option in all LUKS commands.
  The --header always takes precedence over positional device argument.

* Allow luksSuspend without need to specify a detached header.

* Detect if O_DIRECT is usable on a device allocation.
  There are some strange storage stack configurations which wrongly allows
  to open devices with direct-io but fails on all IO operations later.

  Cryptsetup now tries to read the device first sector to ensure it can use
  direct-io.

* Add low-level performance options tuning for dmcrypt (for Linux 4.0 and later).

  Linux kernel 4.0 contains rewritten dmcrypt code which tries to better utilize
  encryption on parallel CPU cores.

  While tests show that this change increases performance on most configurations,
  dmcrypt now provides some switches to change its new behavior.

  You can use them (per-device) with these cryptsetup switches:
     --perf-same_cpu_crypt
     --perf-submit_from_crypt_cpus

  Please use these only in the case of serious performance problems.
  Refer to the cryptsetup man page and dm-crypt documentation
  (for same_cpu_crypt and submit_from_crypt_cpus options).
  https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt

* Get rid of libfipscheck library.
  (Note that this option was used only for Red Hat and derived distributions.)
  With recent FIPS changes we do not need to link to this FIPS monster anymore.
  Also drop some no longer needed FIPS mode checks.

* Many fixes and clarifications to man pages.

* Prevent compiler to optimize-out zeroing of buffers for on-stack variables.

* Fix a crash if non-GNU strerror_r is used.

Cryptsetup API NOTE:
The direct terminal handling for passphrase entry will be removed from
libcryptsetup in next major version (application should handle it itself).

It means that you have to always either provide password in buffer or set
your own password callback function through crypt_set_password_callback().
See API documentation (or libcryptsetup.h) for more info.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVEFM/AAoJENmwV3vZPpj8LJQP/jAexv33vfIVKcpV6XRe+3nm
WloMa9KGgyGJ/b0I/TvEKa/RdWxExv5ZMOGACe+0KhwwudCo+NKfWs6uY8THqLuF
yiev2879MPNLUbQiU4yELOvJA+rt5rhhUqMk4zKcFJv+PO77CtuUTqd7AIJ8Pjb5
htHN6fJp83wZCVO0j0CuQ5LfPajK1nNbGYk2vTuAR4Z0tj6ci5bP2eefPLD3gnhc
DXMT9oS4RypLEtyzzxWUqBmYq+7UnOQqByyrwaPRrZp6fecOamR6Fr9QHVsXO1KM
5ws2OOcjnW+6lvSZZnsykc7TplyxZwMAv9XPkuc8ZtPD2tMMmSp3g0raL+8/YiTZ
nlf0CCPPtp7p5aIlINe0g7sZ1Gax9EnMyPulaifHRE7KprR3A8yYSxRl7gVUupId
EYKNMjrenq7dzIE8DQ2a6qFZukmzBcVAsTCsW//P/5YJXVJnPi0L2XuopGnXBms8
tUj04M25/yi/HU51XbbHY8GaYehFz4yDggAxy3u0041hx66XCGx2tMYc/Y6JJ4jc
HolrCi2ijjx37QePWNftJZ9LyDscPI0VFsGEH+ywA+kN5wueOBXthC4r8g30exDd
TIibtIbg3Yb0YsVnz9Zb/MUhc+8MFEFOnMvS21ib/a1lDSOQNL74idBOKcvghVp3
wdpC6Zx8RlhI6s7tmwep
=OA+S
-----END PGP SIGNATURE-----


More information about the dm-crypt mailing list