[arch-dev-public] [signoff] cryptsetup 1.2.0-1
guillaume at archlinux.org
Sun Dec 26 16:57:10 EST 2010
On Thu, 2010-12-23 at 23:28 +0100, Thomas Bächler wrote:
> Upstream update, please sign off.
> From the announcement:
> Changes since version 1.1.3
> Important changes
> * Add text version of *FAQ* (Frequently Asked Questions) to distribution.
> * Add selection of random/urandom number generator for luksFormat
> (option --use-random and --use-urandom).
> (This affects only long term volume key in *luksFormat*,
> not RNG used for salt and AF splitter).
> You can also set the default to /dev/random during compilation with
> --enable-dev-random. Compiled-in default is printed in --help output.
> Be very careful before changing default to blocking /dev/random use here.
> * Fix *luksRemoveKey* to not ask for remaining keyslot passphrase,
> only for removed one.
> * No longer support *luksDelKey* (replaced with luksKillSlot).
> * if you want to remove particular passphrase, use *luksKeyRemove*
> * if you want to remove particular keyslot, use *luksKillSlot*
> Note that in batch mode *luksKillSlot* allows removing of any keyslot
> without question, in normal mode requires passphrase or keyfile from
> other keyslot.
> * *Default alignment* for device (if not overridden by topology info)
> is now (multiple of) *1MiB*.
> This reflects trends in storage technologies and aligns to the same
> defaults for partitions and volume management.
> * Allow explicit UUID setting in *luksFormat* and allow change it later
> in *luksUUID* (--uuid parameter).
> * All commands using key file now allows limited read from keyfile using
> --keyfile-size and --new-keyfile-size parameters (in bytes).
> This change also disallows overloading of --key-size parameter which
> is now exclusively used for key size specification (in bits.)
> * *luksFormat* using pre-generated master key now properly allows
> using key file (only passphrase was allowed prior to this update).
> * Add --dump-master-key option for *luksDump* to perform volume (master)
> key dump. Note that printed information allows accessing device without
> passphrase so it must be stored encrypted.
> This operation is useful for simple Key Escrow function (volume key and
> encryption parameters printed on paper on safe place).
> This operation requires passphrase or key file.
> * The reload command is no longer supported.
> (Use dmsetup reload instead if needed. There is no real use for this
> function except explicit data corruption:-)
> * Cryptsetup now properly checks if underlying device is in use and
> disallows *luksFormat*, *luksOpen* and *create* commands on open
> (e.g. already mapped or mounted) device.
> * Option --non-exclusive (already deprecated) is removed.
> Libcryptsetup API additions:
> * new functions
> * crypt_get_type() - explicit query to crypt device context type
> * crypt_resize() - new resize command using context
> * crypt_keyslot_max() - helper to get number of supported keyslots
> * crypt_get_active_device() - get active device info
> * crypt_set/get_rng_type() - random/urandom RNG setting
> * crypt_set_uuid() - explicit UUID change of existing device
> * crypt_get_device_name() - get underlying device name
> * Fix optional password callback handling.
> * Allow to activate by internally cached volume key immediately after
> crypt_format() without active slot (for temporary devices with
> on-disk metadata)
> * libcryptsetup is binary compatible with 1.1.x release and still
> supports legacy API calls
> * cryptsetup binary now uses only new API calls.
> * Static compilation of both library (--enable-static) and cryptsetup
> binary (--enable-static-cryptsetup) is now properly implemented by common
> libtool logic.
> Prior to this it produced miscompiled dynamic cryptsetup binary with
> statically linked libcryptsetup.
> The static binary is compiled as src/cryptsetup.static in parallel
> with dynamic build if requested.
> Other changes
> * Fix default plain password entry from terminal in activate_by_passphrase.
> * Initialize volume key from active device in crypt_init_by_name()
> * Fix cryptsetup binary exit codes.
> 0 - success, otherwise fail
> 1 - wrong parameters
> 2 - no permission
> 3 - out of memory
> 4 - wrong device specified
> 5 - device already exists or device is busy
> * Remove some obsolete info from man page.
> * Add more regression tests for commands.
> * Fix possible double free when handling master key file.
> * Fix pkg-config use in automake scripts.
> * Wipe iteration and salt after luksKillSlot in LUKS header.
> * Rewrite file differ test to C (and fix it to really work).
> * Do not query non-existent device twice (cryptsetup status
> * Check if requested hash is supported before writing LUKS header.
> * Fix problems reported by clang scan-build.
Works like a charm.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 230 bytes
Desc: This is a digitally signed message part
More information about the arch-dev-public