diff --git a/ChangeLog b/ChangeLog
index 86a2df0c..0590fd8b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2010-01-17 Milan Broz
+ * If gcrypt compiled with capabilities, document workaround for cryptsetup (see lib/gcrypt.c).
+
 2010-01-10 Milan Broz
 * Fix initialisation of gcrypt duting luksFormat.
 * Convert hash name to lower case in header (fix sha1 backward comatible header)
diff --git a/lib/gcrypt.c b/lib/gcrypt.c
index 630f18f7..269dc523 100644
--- a/lib/gcrypt.c
+++ b/lib/gcrypt.c
@@ -15,9 +15,20 @@ int init_crypto(void)
 if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
 if (!gcry_check_version (GCRYPT_REQ_VERSION))
 return -ENOSYS;
+
+/* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
+ * it drops all privileges during secure memory initialisation.
+ * For now, the only workaround is to disable secure memory in gcrypt.
+ * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
+ * and it locks its memory space anyway.
+ */
+#if 0
+ gcry_control (GCRYCTL_DISABLE_SECMEM);
+#else
 gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
 gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
 gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
+#endif
 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
 }
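Review bot: The workaround is gated by `#if 0`, so enabling it means editing lib/gcrypt.c, and the default `#else` branch still calls `GCRYCTL_INIT_SECMEM`, which per the FIXME drops privileges on capability-enabled gcrypt builds with nothing here detecting it. A build-time switch set from configure would make the choice explicit and auditable, for example `#ifdef CRYPTSETUP_DISABLE_GCRYPT_SECMEM` (placeholder name) in place of `#if 0`. The comment should also state the cost of `GCRYCTL_DISABLE_SECMEM`: allocations gcrypt would place in its secure pool presumably come from the ordinary heap instead, so protection of key material then rests entirely on the process-wide memory lock the comment mentions, which is not visible in this hunk. The return values of the `gcry_control` calls are not checked in either branch. init_crypto's body starts and ends outside the hunk.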