[Bug 1781912] Comment bridged from LTC Bugzilla

bugproxy bugproxy at us.ibm.com
Mon Aug 20 09:49:23 UTC 2018 

------- Comment From heinz-werner_seeck at de.ibm.com 2018-08-20 05:46 EDT-------
================================
==         Request for Ubuntu 18.04      ===
================================

Prerequisites:
- pkey kernel module              -> kernel 4.11
- paes cipher kernel module   -> kernel 4.12

s390-tools
- zkey tool (first version)                               -> s390-tools-1.39.0
- zkey enhancements for secure key store  -> s390-tools-2.4.0

- zkey-cryptsetup support for HSM master key change with LUKS2
this need to be backported due to             -> s390-tools-2.6.0

- dm-crypt with protected keys (LUKS2 part in cryptsetup ) -> cryptsetup
2.0.3

/ect/crypttab Sector Size Support
Ubuntu: support f?r sector size parameter in Debian/Ubuntu crypttab parser shipped in distro specific cryptsetup package

-> not available yet , need to be done by Distro or crypttab parser
maintainers

Installer support
The Ubuntu installer when suggesting to use encrypted disks on IBM Z the installer should support the option to use the PAES cipher using the paes-xts-plain64 cipher mode (with key sizes 512 bits or 1024 bits).

Before offering the  the usage of the PAES cipher the installer should
check whether a CCA adapter (CEX4C, CEX5C, CEX6X, ...) is available on
the system.

For Ubuntu 18.04.x the following upgrades/backports are required
cryptsetup: upgrade version 2.0.2 to version >= 2.0.3
s390tools: backport
zkey as of version >= 2.4.0
zkey-cryptsetup as of version 2.6.0 (requires cryptsetup >= 2.0.3)
upgrade /etc/crypttab support

The Ubuntu 18.10 outlook is good wrt to protected key dm-crypt (PE for
data at-rest).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1781912

Title:
  Upgrade cryptsetup >= 2.0.3

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in cryptsetup package in Ubuntu:
  Fix Released

Bug description:
  Cryptsetup is utility used to conveniently setup disk encryption based
  on DMCrypt kernel module.

  These include plain dm-crypt volumes, LUKS volumes, loop-AES
  and TrueCrypt (including VeraCrypt extension) format.

  Project also includes veritysetup utility used to conveniently setup
  DMVerity block integrity checking kernel module
  and, since version 2.0,  integritysetup to setup
  DMIntegrity block integrity kernel module.

  Version 2.0.3 include all z code for dm-crypt with protected keys

  Without cryptsetup 2.0.3 (the 3 is important) we won't be able to use
  secure key encryption with LUKS2 and the paes cipher. Only plain mode
  will be usable with cryptsetup version 2.0.1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1781912/+subscriptions

More information about the foundations-bugs mailing list