[19.04 FEAT] Upgrade cryptsetup 2.1.0

Bug #1815484 reported by bugproxy on 2019-02-11
This bug affects 1 person
Affects: Ubuntu on IBM z Systems | Importance: High | Assigned to: Canonical Foundations Team
Affects: cryptsetup (Ubuntu) | Importance: Undecided | Assigned to: Skipper Bug Screeners

Bug Description

Cryptsetup is a utility used to conveniently set up disk encryption based
on the DMCrypt kernel module.

These include plain dm-crypt volumes, LUKS volumes, loop-AES
and TrueCrypt (including VeraCrypt extension) format.
The project also includes the veritysetup utility, used to conveniently set up
the DMVerity block integrity checking kernel module,
and, since version 2.0, integritysetup to set up
the DMIntegrity block integrity kernel module.

Cryptsetup 2.1.0 Release Notes
==============================
Stable release with new features and bug fixes.

Cryptsetup 2.1 version uses a new on-disk LUKS2 format as the default
LUKS format and increases default LUKS2 header size.

The legacy LUKS (referenced as LUKS1) will be fully supported forever
as well as a traditional and fully backward compatible format.

When upgrading a stable distribution, please use configure option
--with-default-luks-format=LUKS1 to maintain backward compatibility.

This release also switches to OpenSSL as a default cryptographic
backend for LUKS header processing. Use --with-crypto_backend=gcrypt
configure option if you need to preserve legacy libgcrypt backend.

Please do not use LUKS2 without properly configured backup or
in production systems that need to be compatible with older systems.

bugproxy (bugproxy) on 2019-02-11
tags: added: architecture-s39064 bugnameltc-175405 severity-high targetmilestone-inin1904
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → cryptsetup (Ubuntu)
Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Canonical Foundations Team (canonical-foundations)
information type: Private → Public
tags: added: id-5c61cb1e0c59e30c7bfaa331
Changed in cryptsetup (Ubuntu):
status: New → Fix Committed
Changed in ubuntu-z-systems:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cryptsetup - 2:2.1.0-1ubuntu1

---------------
cryptsetup (2:2.1.0-1ubuntu1) disco; urgency=medium

  * Merge from Debian unstable. LP: #1815484
  * Remaining changes:
    - debian/control:
      + Recommend plymouth.
      + Invert the "busybox | busybox-static" Recommends, as the latter
        is the one we ship in main as part of the ubuntu-standard task.
    - Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
      compatibility. LP: #1651818

cryptsetup (2:2.1.0-1) unstable; urgency=medium

  * New upstream release. Highlights include:
    - The on-disk LUKS format version now defaults to LUKS2 (use `luksFormat
      --type luks1` to use LUKS1 format). Closes: #919725.
    - The cryptographic backend used for LUKS header processing is now libssl
      instead of libgcrypt.
    - LUKS' default key size is now 512 in XTS mode, half of which is used for
      block encryption. XTS mode uses two internal keys, hence the previous
      default key size (256) caused AES-128 to be used for block encryption,
      while users were expecting AES-256.

  [ Guilhem Moulin ]
  * Add docs/Keyring.txt and docs/LUKS2-locking.txt to
    /usr/share/doc/cryptsetup-run.
  * debian/README.Debian: Mention that for non-persistent encrypted swap one
    should also disable the resume device.
  * debian/README.initramfs: Mention that keyscript=decrypt_derived normally
    won't work with LUKS2 sources. (The volume key of LUKS2 devices is by
    default offloaded to the kernel keyring service, hence not readable by
    userspace.) Since 2:2.0.3-5 the keyscript loudly fails on such sources.
  * decrypt_keyctl keyscript: Always use our askpass binary for password
    prompt (fail instead of falling back to using stty or `read -s` if askpass
    is not available). askpass and decrypt_keyctl are both shipped in our
    'cryptsetup-run' and 'cryptsetup-udeb' binary packages, and the cryptsetup
    and askpass binaries are added together to the initramfs image.
  * decrypt_keyctl: Document the identifier used in the user keyring:
    "cryptsetup:$CRYPTTAB_KEY", or merely "cryptsetup" if "$CRYPTTAB_KEY" is
    empty or "none". The latter improves compatibility with gdm and
    systemd-ask-password(1).
  * debian/*: run wrap-and-sort(1).
  * debian/doc/crypttab.xml: mention `cryptsetup refresh` and the `--persistent`
    option flag.
  * debian/control: Bump Standards-Version to 4.3.0 (no changes necessary).

  [ Jonas Meurer ]
  * Update docs about 'discard' option: Mention in manpage, that it's enabled
    per default by Debian Installer. Give advice to add it to new devices in
    /etc/crypttab and add it to crypttab example entries in the docs.

 -- Dimitri John Ledkov <email address hidden> Wed, 13 Feb 2019 21:28:23 +0000
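
The key-size arithmetic from the changelog above, as an added example (not code from cryptsetup, Debian or Ubuntu): it reads `cryptsetup luksDump` text and reports the LUKS version and how many key bits actually reach the block cipher. Both dumps are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: LUKS1 header as printed by `cryptsetup luksDump` for a
# volume formatted with the old 256-bit default (device name is made up).
SAMPLE_LUKS1 = """\
LUKS header information for /dev/sdX2
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        256
"""

# Constructed sample: abridged LUKS2 dump with the 2.1.0 default key size.
SAMPLE_LUKS2 = """\
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
"""

def _field(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None

def effective_key_bits(dump):
    """Return (luks_version, cipher_spec, volume_key_bits, block_cipher_key_bits)."""
    version = int(_field(r"^Version:\s*(\d+)", dump))
    if version == 1:
        spec = "{}-{}".format(_field(r"^Cipher name:\s*(\S+)", dump),
                              _field(r"^Cipher mode:\s*(\S+)", dump))
        bits = int(_field(r"^MK bits:\s*(\d+)", dump))
    else:
        spec = _field(r"^\s*cipher:\s*(\S+)", dump)
        bits = int(_field(r"^\s*Key:\s*(\d+) bits", dump))
    # XTS splits the volume key into two equal keys (data + tweak), so the
    # block cipher only sees half of it; other modes use the whole key.
    mode = spec.split("-")[1] if "-" in spec else ""
    cipher_bits = bits // 2 if mode == "xts" else bits
    return version, spec, bits, cipher_bits

if __name__ == "__main__":
    for dump in (SAMPLE_LUKS1, SAMPLE_LUKS2):
        print(effective_key_bits(dump))
```

A volume that reports 128 in the last field was created with the pre-2.1.0 default and is using AES-128 for block encryption.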

Changed in cryptsetup (Ubuntu):
status: Fix Committed → Fix Released
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released

------- Comment From <email address hidden> 2019-02-22 03:35 EDT-------
IBM bugzilla status -> closed, Fix Released with disco
