* Merge from Debian unstable. LP: #1815484
* Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Invert the "busybox | busybox-static" Recommends, as the latter
is the one we ship in main as part of the ubuntu-standard task.
- Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
compatibility. LP: #1651818
cryptsetup (2:2.1.0-1) unstable; urgency=medium
* New upstream release. Highlights include:
- The on-disk LUKS format version now defaults to LUKS2 (use `luksFormat
--type luks1` to use LUKS1 format). Closes: #919725.
- The cryptographic backend used for LUKS header processing is now libssl
instead of libgcrypt.
- LUKS' default key size is now 512 in XTS mode, half of which is used for
block encryption. XTS mode uses two internal keys, hence the previous
default key size (256) caused AES-128 to be used for block encryption,
while users were expecting AES-256.
[ Guilhem Moulin ]
* Add docs/Keyring.txt and docs/LUKS2-locking.txt to
/usr/share/doc/cryptsetup-run.
* debian/README.Debian: Mention that for non-persistent encrypted swap one
should also disable the resume device.
* debian/README.initramfs: Mention that keyscript=decrypt_derived normally
won't work with LUKS2 sources. (The volume key of LUKS2 devices is by
default offloaded to the kernel keyring service, hence not readable by
userspace.) Since 2:2.0.3-5 the keyscript loudly fails on such sources.
* decrypt_keyctl keyscript: Always use our askpass binary for password
prompt (fail instead of falling back to using stty or `read -s` if askpass
is not available). askpass and decrypt_keyctl are both shipped in our
'cryptsetup-run' and 'cryptsetup-udeb' binary packages, and the cryptsetup
and askpass binaries are added together to the initramfs image.
* decrypt_keyctl: Document the identifier used in the user keyring:
"cryptsetup:$CRYPTTAB_KEY", or merely "cryptsetup" if "$CRYPTTAB_KEY" is
empty or "none". The latter improves compatibility with gdm and
systemd-ask-password(1).
* debian/*: run wrap-and-sort(1).
* debian/doc/crypttab.xml: mention `cryptsetup refresh` and the `--persistent`
option flag.
* debian/control: Bump Standards-Version to 4.3.0 (no changes necessary).
[ Jonas Meurer ]
* Update docs about 'discard' option: Mention in manpage, that it's enabled
per default by Debian Installer. Give advice to add it to new devices in
/etc/crypttab and add it to crypttab example entries in the docs.
-- Dimitri John Ledkov <email address hidden> Wed, 13 Feb 2019 21:28:23 +0000
This bug was fixed in the package cryptsetup - 2:2.1.0-1ubuntu1
---------------
cryptsetup (2:2.1.0-1ubuntu1) disco; urgency=medium
* Merge from Debian unstable. LP: #1815484 lity. LP: #1651818
* Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Invert the "busybox | busybox-static" Recommends, as the latter
is the one we ship in main as part of the ubuntu-standard task.
- Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
compatibi
cryptsetup (2:2.1.0-1) unstable; urgency=medium
* New upstream release. Highlights include:
- The on-disk LUKS format version now defaults to LUKS2 (use `luksFormat
--type luks1` to use LUKS1 format). Closes: #919725.
- The cryptographic backend used for LUKS header processing is now libssl
instead of libgcrypt.
- LUKS' default key size is now 512 in XTS mode, half of which is used for
block encryption. XTS mode uses two internal keys, hence the previous
default key size (256) caused AES-128 to be used for block encryption,
while users were expecting AES-256.
[ Guilhem Moulin ] locking. txt to share/doc/ cryptsetup- run. README. Debian: Mention that for non-persistent encrypted swap one README. initramfs: Mention that keyscript= decrypt_ derived normally -run' and 'cryptsetup-udeb' binary packages, and the cryptsetup :$CRYPTTAB_ KEY", or merely "cryptsetup" if "$CRYPTTAB_KEY" is ask-password( 1). doc/crypttab. xml: mention `cryptsetup refresh` and the `--persistent`
* Add docs/Keyring.txt and docs/LUKS2-
/usr/
* debian/
should also disable the resume device.
* debian/
won't work with LUKS2 sources. (The volume key of LUKS2 devices is by
default offloaded to the kernel keyring service, hence not readable by
userspace.) Since 2:2.0.3-5 the keyscript loudly fails on such sources.
* decrypt_keyctl keyscript: Always use our askpass binary for password
prompt (fail instead of falling back to using stty or `read -s` if askpass
is not available). askpass and decrypt_keyctl are both shipped in our
'cryptsetup
and askpass binaries are added together to the initramfs image.
* decrypt_keyctl: Document the identifier used in the user keyring:
"cryptsetup
empty or "none". The latter improves compatibility with gdm and
systemd-
* debian/*: run wrap-and-sort(1).
* debian/
option flag.
* debian/control: Bump Standards-Version to 4.3.0 (no changes necessary).
[ Jonas Meurer ]
* Update docs about 'discard' option: Mention in manpage, that it's enabled
per default by Debian Installer. Give advice to add it to new devices in
/etc/crypttab and add it to crypttab example entries in the docs.
-- Dimitri John Ledkov <email address hidden> Wed, 13 Feb 2019 21:28:23 +0000