Changelog for
cryptsetup-1.7.1-5.74.x86_64.rpm :
* Sat Jan 09 2016 benoit.moninAATTgmx.fr
- update to 1.7.0:
* The cryptsetup 1.7 release changes defaults for LUKS, there are no API changes.
* Default hash function is now SHA256 (used in key derivation function and anti-forensic splitter).
* Default iteration time for PBKDF2 is now 2 seconds.
* Fix PBKDF2 iteration benchmark for longer key sizes.
* Remove experimental warning for reencrypt tool.
* Add optional libpasswdqc support for new LUKS passwords.
* Update FAQ document.
* Thu Dec 10 2015 tiwaiAATTsuse.de
- Fix missing dependency on coreutils for initrd macros (boo#958562)
- Call missing initrd macro at postun (boo#958562)
* Tue Sep 08 2015 asterios.dramisAATTgmail.com
- Update to 1.6.8
* If the null cipher (no encryption) is used, allow only an empty password for LUKS. (Previously cryptsetup accepted any password in this case.) The null cipher can be used only for testing, and it is used temporarily during offline encryption of a not yet encrypted device (cryptsetup-reencrypt tool). Accepting only an empty password prevents the situation where someone adds another LUKS device using the same UUID (the UUID of an existing LUKS device) with a faked header containing the null cipher. This could force the user to use a different LUKS device (with no encryption) without noticing. (IOW it prevents the situation where an attacker intentionally forces the user to boot into a different system just by LUKS header manipulation.) Properly configured systems should have additional integrity protection in place here (LUKS here provides only confidentiality), but it is better not to allow this situation in the first place. (For more info see QubesOS Security Bulletin QSB-019-2015.)
* Properly support stdin "-" handling for luksAddKey for both new and old keyfile parameters.
* If the encrypted device is file-backed (it uses an underlying loop device), cryptsetup resize will try to resize the underlying loop device as well. (It can be used to grow a file-backed device in one step.)
* Cryptsetup now allows using an empty password through a stdin pipe. (Intended only for testing in scripts.)
* Sun Apr 12 2015 crrodriguezAATTopensuse.org
- Enable verbose build log.
* Sun Apr 12 2015 crrodriguezAATTopensuse.org
- regenerate the initrd if cryptsetup tool changes (wanted by 90crypt dracut module)
* Thu Apr 02 2015 mpluskalAATTsuse.com
- Update to 1.6.7
* Cryptsetup TCRYPT mode now supports VeraCrypt devices (TrueCrypt extension)
* Support keyfile-offset and keyfile-size options even for plain volumes.
* Support keyfile option for luksAddKey if the master key is specified.
* For historic reasons, hashing in the plain mode is not used if keyfile is specified (with exception of --key-file=-). Print a warning if these parameters are ignored.
* Support permanent device decryption for cryptsetup-reencrypt. To remove LUKS encryption from a device, you can now use the --decrypt option.
* Allow use of the --header option in all LUKS commands. The --header option always takes precedence over the positional device argument.
* Allow luksSuspend without need to specify a detached header.
* Detect if O_DIRECT is usable on a device allocation. There are some strange storage stack configurations which wrongly allow opening devices with direct-io but fail on all IO operations later.
* Add low-level performance options tuning for dmcrypt (for Linux 4.0 and later).
* Get rid of libfipscheck library. (Note that this option was used only for Red Hat and derived distributions.) With recent FIPS changes we do not need to link to this FIPS monster anymore. Also drop some no longer needed FIPS mode checks.
* Many fixes and clarifications to man pages.
* Prevent the compiler from optimizing out the zeroing of buffers for on-stack variables.
* Fix a crash if non-GNU strerror_r is used.
* Sun Sep 14 2014 asterios.dramisAATTgmail.com
- version 1.6.6
* LUKS: Fix keyslot device access for devices which do not support direct IO operations. (Regression in 1.6.5.)
* LUKS: Fallback to old temporary keyslot device mapping method if hash (for ESSIV) is not supported by userspace crypto library. (Regression in 1.6.5.)
* Properly activate device with discard (TRIM for SSDs) if requested even if dm_crypt module is not yet loaded. Only if discard is not supported by the old kernel then the discard option is ignored.
* Fix some static analysis build warnings (scan-build).
* Report crypto lib version only once (and always add kernel version) in debug output.
* Fri Aug 22 2014 meissnerAATTsuse.com
- Use --enable-gcrypt-pbkdf2 to use the PBKDFv2 method from libgcrypt.
* Tue Aug 12 2014 asterios.dramisAATTgmail.com
- version 1.6.5
* Allow LUKS header operation handling without requiring root privilege. It means that you can manipulate keyslots as a regular user; only write access to the device (or image) is required.
* Fix internal PBKDF2 key derivation function implementation for alternative crypto backends (kernel, NSS) which do not support PBKDF2 directly and have issues with longer HMAC keys.
* Support for Python3 for simple Python binding. Python >= 2.6 is now required. You can set Python compiled version by setting --with-python_version configure option (together with --enable-python).
* Use internal PBKDF2 in Nettle library for Nettle crypto backend. Cryptsetup compilation requires Nettle >= 2.6 (if using Nettle crypto backend).
* Allow simple status of crypt device without providing metadata header. The command "cryptsetup status" will print basic info, even if you do not provide a detached header argument.
* Allow specifying ECB mode in cryptsetup benchmark.
* Add some LUKS images for regression testing. Note that if the image with Whirlpool fails, the most probable cause is that you have an old gcrypt library with a flawed whirlpool hash. Read FAQ section 8.3 for more info.
- Removed e2fsprogs-devel and libtool build requirements (not needed).
- Added libpwquality-devel and libuuid-devel build requirements.
* Mon Aug 11 2014 meissnerAATTsuse.com
- libcryptsetup4-hmac split off to contain the hmac for FIPS certification
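
The 1.6.8 entry above describes a faked LUKS header that reuses an existing UUID but names the null cipher. As an added example (not part of this changelog or of the cryptsetup project), the Python code below reads the LUKS1 on-disk header fields and reports a null cipher or any drift from a recorded baseline; the function names, the baseline dictionary and the sample header are assumptions made for illustration.

```python
import struct

# LUKS1 on-disk header prefix (big-endian): magic, version, cipher name,
# cipher mode, hash spec, payload offset, key bytes, MK digest, MK salt,
# MK iterations, UUID. The eight key slots follow and are not parsed here.
LUKS1_PREFIX = struct.Struct(">6sH32s32s32sII20s32sI40s")
LUKS_MAGIC = b"LUKS\xba\xbe"

def cstr(raw):
    """Decode a NUL-padded fixed-width header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")

def parse_luks1_header(blob):
    """Return the identifying fields of a LUKS1 header, or raise ValueError."""
    if len(blob) < LUKS1_PREFIX.size:
        raise ValueError("short read: not enough bytes for a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_offset,
     key_bytes, _digest, _salt, _iters, uuid) = LUKS1_PREFIX.unpack_from(blob)
    if magic != LUKS_MAGIC:
        raise ValueError("LUKS magic not found")
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    return {"cipher": cstr(cipher), "mode": cstr(mode),
            "hash": cstr(hash_spec), "payload_offset": payload_offset,
            "key_bytes": key_bytes, "uuid": cstr(uuid)}

def audit_header(blob, baseline=None):
    """List findings worth reviewing before the device is unlocked.

    baseline (hypothetical): header fields recorded when the device was
    provisioned, e.g. {"uuid": ..., "cipher": "aes", "mode": "xts-plain64"}.
    """
    hdr = parse_luks1_header(blob)
    findings = []
    if hdr["cipher"] == "cipher_null":
        findings.append("null cipher: payload is not encrypted")
    for field, recorded in (baseline or {}).items():
        if hdr.get(field) != recorded:
            findings.append("%s changed: recorded %r, found %r"
                            % (field, recorded, hdr.get(field)))
    return findings

def make_sample_header(cipher, mode, uuid):
    """Constructed sample input: header fields only, zeroed digest and salt."""
    return LUKS1_PREFIX.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(),
                             b"sha256", 4096, 32, b"", b"", 1000,
                             uuid.encode())
```

On a real system the first 208 bytes of the device or detached header file would be passed to `audit_header`; a matching UUID with a changed cipher is exactly the case the changelog entry warns about.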