[Bug 1814769] Comment bridged from LTC Bugzilla

bugproxy bugproxy at us.ibm.com
Tue Feb 12 11:50:04 UTC 2019


------- Comment From heinz-werner_seeck at de.ibm.com 2019-02-12 06:43 EDT-------
IBM bugzilla status -> closed, Fix Released for disco

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1814769

Title:
  [19.04 FEAT] Upgrade cryptsetup  2.0.6

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in cryptsetup package in Ubuntu:
  Fix Released

Bug description:
  Cryptsetup is a utility used to conveniently set up disk encryption based
  on the DMCrypt kernel module.

  These include plain dm-crypt volumes, LUKS volumes, loop-AES
  and TrueCrypt (including VeraCrypt extension) formats.

  The project also includes the veritysetup utility, used to conveniently
  set up the DMVerity block integrity checking kernel module,
  and, since version 2.0, integritysetup to set up
  the DMIntegrity block integrity kernel module.

  Version 2.0.3 includes all z code for dm-crypt with protected keys
  Version 2.0.4
  * Fix on-disk header size calculation for LUKS2 format if a specific
    data alignment is requested. Until now, the code used default size
    that could be wrong for converted devices.

  Cryptsetup 2.0.6 Release Notes
  ==============================
  Stable bug-fix release.
  All users of cryptsetup 2.0.x should upgrade to this version.

  Cryptsetup 2.x version introduces a new on-disk LUKS2 format.

  The legacy LUKS (referenced as LUKS1) will be fully supported
  forever as well as a traditional and fully backward compatible format.

  Please note that authenticated disk encryption, non-cryptographic
  data integrity protection (dm-integrity), use of Argon2 Password-Based
  Key Derivation Function and the LUKS2 on-disk format itself are new
  features and can contain some bugs.

  Please do not use LUKS2 without properly configured backup or in
  production systems that need to be compatible with older systems.

  Changes since version 2.0.5
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~

  * Fix support of larger metadata areas in LUKS2 header.

    This release properly supports all specified metadata areas, as documented
    in LUKS2 format description (see docs/on-disk-format-luks2.pdf in archive).

    Currently, only default metadata area size is used (in format or convert).
    Later cryptsetup versions will allow increasing this metadata area size.

  * If AEAD (authenticated encryption) is used, cryptsetup now tries to check
    if the requested AEAD algorithm with specified key size is available
    in kernel crypto API.
    This change avoids formatting a device that cannot be later activated.

    For this function, the kernel must be compiled with the
    CONFIG_CRYPTO_USER_API_AEAD option enabled.
    Note that kernel user crypto API options (CONFIG_CRYPTO_USER_API and
    CONFIG_CRYPTO_USER_API_SKCIPHER) are already mandatory for LUKS2.

  * Fix setting of integrity no-journal flag.
    Now you can store this flag to metadata using --persistent option.

  * Fix cryptsetup-reencrypt to not keep temporary reencryption headers
    if interrupted during initial password prompt.

  * Adds early check to plain and LUKS2 formats to disallow device format
    if device size is not aligned to requested sector size.
    Previously it was possible, and the device was rejected to activate by
    kernel later.

  * Fix checking of hash algorithms availability for PBKDF early.
    Previously LUKS2 format allowed non-existent hash algorithm with
    invalid keyslot preventing the device from activation.

  * Allow Adiantum cipher construction (a non-authenticated length-preserving
    fast encryption scheme), so it can be used both for data encryption and
    keyslot encryption in LUKS1/2 devices.

    For benchmark, use:
      # cryptsetup benchmark -c xchacha12,aes-adiantum
      # cryptsetup benchmark -c xchacha20,aes-adiantum

    For LUKS format:
      # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 <device>

    The support for Adiantum will be merged in Linux kernel 4.21.
    For more info see the paper https://eprint.iacr.org/2018/720.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1814769/+subscriptions
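
A pre-flight check along the lines of two of the 2.0.6 changes above, as an added example that is not part of the original bug report or of cryptsetup: it looks for the kernel user crypto API options named in the release notes and tests that a device size is a multiple of the requested sector size. The function names, the sample config and the sizes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not cryptsetup code: pre-flight checks before luksFormat.

# Print each kernel option named in the release notes that is not =y or =m
# in config file $1. Pass "aead" as $2 to also require the AEAD user API.
missing_crypto_api_opts() {
    opts="CONFIG_CRYPTO_USER_API CONFIG_CRYPTO_USER_API_SKCIPHER"
    [ "${2:-}" = "aead" ] && opts="$opts CONFIG_CRYPTO_USER_API_AEAD"
    for opt in $opts; do
        grep -Eq "^${opt}=[ym]\$" "$1" || printf '%s\n' "$opt"
    done
}

# Succeed when size $1 (bytes) is a multiple of sector size $2 (bytes).
size_is_sector_aligned() {
    [ $(( $1 % $2 )) -eq 0 ]
}

# Report every problem found; return non-zero if any.
# Args: <kernel-config> <device-bytes> <sector-bytes> [aead]
preflight() {
    rc=0
    miss=$(missing_crypto_api_opts "$1" "${4:-}")
    [ -z "$miss" ] || { echo "kernel config lacks:" $miss; rc=1; }
    size_is_sector_aligned "$2" "$3" ||
        { echo "size $2 is not a multiple of sector size $3"; rc=1; }
    return $rc
}

# Constructed sample config: user crypto API present, AEAD part disabled.
# On a real host the file is typically /boot/config-$(uname -r), and the
# device size comes from: blockdev --getsize64 <device>
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_CRYPTO_USER_API_SKCIPHER=m
# CONFIG_CRYPTO_USER_API_AEAD is not set
EOF

# Constructed sizes: 1 MiB plus one 512-byte sector, 4096-byte sectors.
preflight "$SAMPLE_CFG" 1049088 4096 aead || echo "do not format yet"
```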


