diff --git a/FAQ.md b/FAQ.md index ecbcb160..efa26bde 100644 --- a/FAQ.md +++ b/FAQ.md @@ -1192,7 +1192,7 @@ More references can be found at the end of this document. Note that these are estimates from the defender side, so assuming something is - easier than it actually is is fine. An attacker may still have + easier than it actually is fine. An attacker may still have significantly higher cost than estimated here. LUKS1 used SHA1 (since version 1.7.0 it uses SHA256) for hashing per @@ -1864,11 +1864,11 @@ This basically means that if you already have a slot-key, and you have set the PBKDF2 iteration count to 1 (it is > 10'000 normally), you could - (maybe) derive a different passphrase that gives you the the same - slot-key. But if you have the slot-key, you can already unlock the - key-slot and get the volume key, breaking everything. So basically, - this SHA-1 vulnerability allows you to open a LUKS1 container with high - effort when you already have it open. + (maybe) derive a different passphrase that gives you the same slot-key. + But if you have the slot-key, you can already unlock the key-slot and + get the volume key, breaking everything. So basically, this SHA-1 + vulnerability allows you to open a LUKS1 container with high effort when + you already have it open. The real problem here is people that do not understand crypto and claim things are broken just because some mechanism is used that has been 
@@ -3014,9 +3014,9 @@ offset length name data type description currently associated with any data/crypt segment (encrypted area) in the LUKS2 'Segments' section (displayed by luksDump). - This is a bit of a more general idea. It basically allows to use a keyslot - as a container for a key to be used in other things than decrypting a - data segment. + This is a bit of a more general idea. It basically allows one to use a + keyslot as a container for a key to be used in other things than decrypting + a data segment. As of April 2020, the following uses are defined: diff --git a/docs/ChangeLog.old b/docs/ChangeLog.old index 7a4027c4..516ea176 100644 --- a/docs/ChangeLog.old +++ b/docs/ChangeLog.old @@ -74,7 +74,7 @@ 2012-03-16 Milan Broz * Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI. * Add repair command and crypt_repair() for known LUKS metadata problems repair. - * Allow to specify --align-payload only for luksFormat. + * Allow one to specify --align-payload only for luksFormat. 2012-03-16 Milan Broz * Unify password verification option. @@ -228,7 +228,7 @@ * Fix password callback call. * Fix default plain password entry from terminal in activate_by_passphrase. * Add --dump-master-key option for luksDump to allow volume key dump. - * Allow to activate by internally cached volume key + * Allow one to activate by internally cached volume key (format/activate without keyslots active - used for temporary devices). * Initialize volume key from active device in crypt_init_by_name() * Fix cryptsetup binary exitcodes. diff --git a/docs/v1.2.0-ReleaseNotes b/docs/v1.2.0-ReleaseNotes index f3061d98..77fbedf1 100644 --- a/docs/v1.2.0-ReleaseNotes +++ b/docs/v1.2.0-ReleaseNotes 
@@ -85,7 +85,7 @@ Libcryptsetup API additions: * Fix optional password callback handling. - * Allow to activate by internally cached volume key immediately after + * Allow one to activate by internally cached volume key immediately after crypt_format() without active slot (for temporary devices with on-disk metadata) diff --git a/docs/v1.4.2-ReleaseNotes b/docs/v1.4.2-ReleaseNotes index 9dbeb46a..a3c29122 100644 --- a/docs/v1.4.2-ReleaseNotes +++ b/docs/v1.4.2-ReleaseNotes @@ -24,7 +24,7 @@ Changes since version 1.4.1 * Fix header check to support old (cryptsetup 1.0.0) header alignment. (Regression in 1.4.0) -* Allow to specify --align-payload only for luksFormat. +* Allow one to specify --align-payload only for luksFormat. * Add --master-key-file option to luksOpen (open using volume key). diff --git a/docs/v1.4.3-ReleaseNotes b/docs/v1.4.3-ReleaseNotes index f084e061..16792a57 100644 --- a/docs/v1.4.3-ReleaseNotes +++ b/docs/v1.4.3-ReleaseNotes @@ -32,7 +32,7 @@ Changes since version 1.4.2 Device-mapper now retry removal if device is busy. * Allow "private" activation (skip some udev global rules) flag. - Cryptsetup library API now allows to specify CRYPT_ACTIVATE_PRIVATE, + Cryptsetup library API now allows one to specify CRYPT_ACTIVATE_PRIVATE, which means that some udev rules are not processed. (Used for temporary devices, like internal keyslot mappings where it is not desirable to run any device scans.) diff --git a/docs/v1.6.0-ReleaseNotes b/docs/v1.6.0-ReleaseNotes index fe8770d1..8ee64a06 100644 --- a/docs/v1.6.0-ReleaseNotes +++ b/docs/v1.6.0-ReleaseNotes @@ -4,7 +4,7 @@ Cryptsetup 1.6.0 Release Notes Changes since version 1.6.0-rc1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Change LUKS default cipher to to use XTS encryption mode, + * Change LUKS default cipher to use XTS encryption mode, aes-xts-plain64 (i.e. using AES128-XTS). XTS mode becomes standard in hard disk encryption. 
@@ -209,7 +209,7 @@ Important changes WARNING: these tests do not use dmcrypt, only crypto API. You have to benchmark the whole device stack and you can get completely - different results. But is is usable for basic comparison. + different results. But it is usable for basic comparison. (Note for example AES-NI decryption optimization effect in example above.) Features diff --git a/docs/v1.6.2-ReleaseNotes b/docs/v1.6.2-ReleaseNotes index 192f4a65..fba39909 100644 --- a/docs/v1.6.2-ReleaseNotes +++ b/docs/v1.6.2-ReleaseNotes @@ -8,7 +8,7 @@ Changes since version 1.6.1 * Fix cipher specification string parsing (found by gcc -fsanitize=address option). * Try to map TCRYPT system encryption through partition - (allows to activate mapping when other partition on the same device is mounted). + (allows one to activate mapping when other partition on the same device is mounted). * Print a warning if system encryption is used and device is a partition. (TCRYPT system encryption uses whole device argument.) diff --git a/docs/v1.6.4-ReleaseNotes b/docs/v1.6.4-ReleaseNotes index ebc71cb6..010ba5fa 100644 --- a/docs/v1.6.4-ReleaseNotes +++ b/docs/v1.6.4-ReleaseNotes @@ -25,7 +25,7 @@ Changes since version 1.6.3 Please refer to cryptsetup FAQ for detail how to fix this situation. -* Allow to use --disable-gcrypt-pbkdf2 during configuration +* Allow one to use --disable-gcrypt-pbkdf2 during configuration to force use internal PBKDF2 code. * Require gcrypt 1.6.1 for imported implementation of PBKDF2 diff --git a/docs/v1.6.5-ReleaseNotes b/docs/v1.6.5-ReleaseNotes index dc9f525e..0f469647 100644 --- a/docs/v1.6.5-ReleaseNotes +++ b/docs/v1.6.5-ReleaseNotes 
@@ -38,7 +38,7 @@ Changes since version 1.6.4 The command "cryptsetup status" will print basic info, even if you do not provide detached header argument. -* Allow to specify ECB mode in cryptsetup benchmark. +* Allow one to specify ECB mode in cryptsetup benchmark. * Add some LUKS images for regression testing. Note that if image with Whirlpool fails, the most probable cause is that diff --git a/docs/v1.6.7-ReleaseNotes b/docs/v1.6.7-ReleaseNotes index edb73e55..bb7c6712 100644 --- a/docs/v1.6.7-ReleaseNotes +++ b/docs/v1.6.7-ReleaseNotes @@ -35,14 +35,14 @@ Changes since version 1.6.6 * Support permanent device decryption for cryptsetup-reencrypt. To remove LUKS encryption from a device, you can now use --decrypt option. -* Allow to use --header option in all LUKS commands. +* Allow one to use --header option in all LUKS commands. The --header always takes precedence over positional device argument. * Allow luksSuspend without need to specify a detached header. * Detect if O_DIRECT is usable on a device allocation. There are some strange storage stack configurations which wrongly allows - to open devices with direct-io but fails on all IO operations later. + one to open devices with direct-io but fails on all IO operations later. Cryptsetup now tries to read the device first sector to ensure it can use direct-io. diff --git a/docs/v1.6.8-ReleaseNotes b/docs/v1.6.8-ReleaseNotes index 43b4f2c4..8ae0da9f 100644 --- a/docs/v1.6.8-ReleaseNotes +++ b/docs/v1.6.8-ReleaseNotes @@ -30,7 +30,7 @@ Changes since version 1.6.7 cryptsetup resize will try to resize underlying loop device as well. (It can be used to grow up file-backed device in one step.) -* Cryptsetup now allows to use empty password through stdin pipe. +* Cryptsetup now allows one to use empty password through stdin pipe. (Intended only for testing in scripts.) Cryptsetup API NOTE: diff --git a/docs/v1.7.4-ReleaseNotes b/docs/v1.7.4-ReleaseNotes index 73dbaa72..2b24754b 100644 --- a/docs/v1.7.4-ReleaseNotes 
+++ b/docs/v1.7.4-ReleaseNotes @@ -3,7 +3,7 @@ Cryptsetup 1.7.4 Release Notes Changes since version 1.7.3 -* Allow to specify LUKS1 hash algorithm in Python luksFormat wrapper. +* Allow one to specify LUKS1 hash algorithm in Python luksFormat wrapper. * Use LUKS1 compiled-in defaults also in Python wrapper. diff --git a/docs/v2.0.2-ReleaseNotes b/docs/v2.0.2-ReleaseNotes index a85a2489..bda57fd3 100644 --- a/docs/v2.0.2-ReleaseNotes +++ b/docs/v2.0.2-ReleaseNotes @@ -30,7 +30,7 @@ Changes since version 2.0.1 * Add LUKS2 specific options for cryptsetup-reencrypt. Tokens and persistent flags are now transferred during reencryption; - change of PBKDF keyslot parameters is now supported and allows + change of PBKDF keyslot parameters is now supported and allows one to set precalculated values (no benchmarks). * Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags diff --git a/docs/v2.0.3-ReleaseNotes b/docs/v2.0.3-ReleaseNotes index 030a1b4a..d2b209b1 100644 --- a/docs/v2.0.3-ReleaseNotes +++ b/docs/v2.0.3-ReleaseNotes @@ -28,7 +28,7 @@ Changes since version 2.0.2 * New API extensions for unbound keyslots (LUKS2 only) crypt_keyslot_get_key_size() and crypt_volume_key_get() - These functions allow to get key and key size for unbound keyslots. + These functions allow one to get key and key size for unbound keyslots. * New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only). diff --git a/docs/v2.1.0-ReleaseNotes b/docs/v2.1.0-ReleaseNotes index 36d22472..87222cbd 100644 --- a/docs/v2.1.0-ReleaseNotes +++ b/docs/v2.1.0-ReleaseNotes 
@@ -170,21 +170,21 @@ These new calls are now exported, for details see libcryptsetup.h: * crypt_get_metadata_size * crypt_set_metadata_size - allows to set/get area sizes in LUKS header + allows one to set/get area sizes in LUKS header (according to specification). * crypt_get_default_type get default compiled-in LUKS type (version). * crypt_get_pbkdf_type_params - allows to get compiled-in PBKDF parameters. + allows one to get compiled-in PBKDF parameters. * crypt_keyslot_set_encryption * crypt_keyslot_get_encryption - allows to set/get per-keyslot encryption algorithm for LUKS2. + allows one to set/get per-keyslot encryption algorithm for LUKS2. * crypt_keyslot_get_pbkdf - allows to get PBKDF parameters per-keyslot. + allows one to get PBKDF parameters per-keyslot. and these new defines: * CRYPT_LOG_DEBUG_JSON (message type for JSON debug) diff --git a/docs/v2.3.0-ReleaseNotes b/docs/v2.3.0-ReleaseNotes index 2b582c34..a3eb3ece 100644 --- a/docs/v2.3.0-ReleaseNotes +++ b/docs/v2.3.0-ReleaseNotes @@ -9,7 +9,7 @@ native read-write access to BitLocker Full Disk Encryption devices. The BITLK implementation is based on publicly available information and it is an independent and opensource implementation that allows -to access this proprietary disk encryption. +one to access this proprietary disk encryption. Changes since version 2.2.2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/v2.3.2-ReleaseNotes b/docs/v2.3.2-ReleaseNotes index eb0d4477..b8b82506 100644 --- a/docs/v2.3.2-ReleaseNotes +++ b/docs/v2.3.2-ReleaseNotes @@ -18,7 +18,7 @@ Changes since version 2.3.1 The slot number --key-slot (-S) option is mandatory here. An unbound keyslot store a key is that is not assigned to data - area on disk (LUKS2 allows to store arbitrary keys). + area on disk (LUKS2 allows one to store arbitrary keys). * Rephrase some error messages and remove redundant end-of-lines. diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c index d00010ef..0b78ed7d 100644 --- a/lib/libdevmapper.c 
+++ b/lib/libdevmapper.c @@ -2736,7 +2736,7 @@ static int _dm_query_device(struct crypt_device *cd, const char *name, goto out; } - /* Never allow to return empty key */ + /* Never allow one to return empty key */ if ((get_flags & DM_ACTIVE_CRYPT_KEY) && dmi.suspended) { log_dbg(cd, "Cannot read volume key while suspended."); r = -EINVAL; diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c index 61be376e..26467253 100644 --- a/lib/luks2/luks2_token.c +++ b/lib/luks2/luks2_token.c @@ -726,7 +726,7 @@ int LUKS2_token_unlock_volume_key(struct crypt_device *cd, /* * return priorities (ordered form least to most significant): * ENOENT - unusable for activation (no token handler, invalid token metadata, not assigned to volume segment, etc) - * EPERM - usable but token provided passphrase did not not unlock any assigned keyslot + * EPERM - usable but token provided passphrase did not unlock any assigned keyslot * EAGAIN - usable but not ready (token HW is missing) * ENOANO - ready, but token pin is wrong or missing * diff --git a/man/common_options.adoc b/man/common_options.adoc index 507df29c..e2d0c147 100644 --- a/man/common_options.adoc +++ b/man/common_options.adoc @@ -350,7 +350,7 @@ endif::[] + ifndef::ACTION_OPEN[] The --offset option sets the data offset (payload) of data -device and must be be aligned to 4096-byte sectors (must be multiple of +device and must be aligned to 4096-byte sectors (must be multiple of 8). This option cannot be combined with --align-payload option. endif::[] endif::[] 
@@ -935,10 +935,9 @@ Creates new or dumps existing LUKS2 unbound keyslot. + endif::[] ifdef::ACTION_OPEN[] -Allowed only only together with --test-passphrase parameter, it allows -to test passphrase for unbound LUKS2 keyslot. Otherwise, unbound keyslot -passphrase can be tested only when specific keyslot is selected via ---key-slot parameter. +Allowed only together with --test-passphrase parameter, it allows one to test +passphrase for unbound LUKS2 keyslot. Otherwise, unbound keyslot passphrase +can be tested only when specific keyslot is selected via --key-slot parameter. endif::[] endif::[] diff --git a/misc/keyslot_checker/chk_luks_keyslots.c b/misc/keyslot_checker/chk_luks_keyslots.c index d05aad80..308b0024 100644 --- a/misc/keyslot_checker/chk_luks_keyslots.c +++ b/misc/keyslot_checker/chk_luks_keyslots.c @@ -45,7 +45,7 @@ const char *help = "\n" "This tool checks all keyslots of a LUKS device for \n" "low entropy sections. If any are found, they are reported. \n" -"This allows to find areas damaged by things like filesystem \n" +"This allows one to find areas damaged by things like filesystem \n" "creation or RAID superblocks. \n" "\n" "Options: \n" diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c index 71dba20f..51c9619f 100644 --- a/src/utils_reencrypt.c +++ b/src/utils_reencrypt.c @@ -138,7 +138,7 @@ static int get_active_device_name(struct crypt_device *cd, r = noDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL; free(msg); } else { - /* FIXME: This is temporary message to be replaced in before final relase. */ + /* FIXME: This is temporary message to be replaced in before final release. */ log_err("Unable to decide if device %s is activated or not.\n" "Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!).", data_device); } diff --git a/tests/api-test-2.c b/tests/api-test-2.c index b2cc69f5..5513c08c 100644 --- a/tests/api-test-2.c +++ b/tests/api-test-2.c 
@@ -4606,7 +4606,7 @@ static void Luks2Reencryption(void) OK_(crypt_init_data_device(&cd, DMDIR H_DEVICE, DMDIR L_DEVICE_OK)); OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Illegal data offset"); - /* reencryption must not initalize */ + /* reencryption must not initialize */ EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); CRYPT_FREE(cd); /* original data device must stay untouched */ diff --git a/tests/compat-test2 b/tests/compat-test2 index e9aa7db5..750c1e33 100755 --- a/tests/compat-test2 +++ b/tests/compat-test2 @@ -991,7 +991,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" || fail # unbound key size is required echo $PWD1 | $CRYPTSETUP -q luksAddKey --unbound $LOOPDEV 2>/dev/null && fail echo $PWD3 | $CRYPTSETUP -q luksAddKey --unbound --volume-key-file /dev/urandom $LOOPDEV 2> /dev/null && fail -# do not allow to replace keyslot by unbound slot +# do not allow one to replace keyslot by unbound slot echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test index 26dc1380..4311ded9 100755 --- a/tests/luks2-reencryption-test +++ b/tests/luks2-reencryption-test 
@@ -1590,14 +1590,14 @@ echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S2 $DEV -q $FAST_PBKDF_ARGON || # there is not enough space in binary area for keyslot id 4 (replacement for id 2) echo -e "$PWD1\n$PWD2\n$PWD2" | $CRYPTSETUP reencrypt $DEV --init-only -q 2>/dev/null && fail $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail -# check cli removed all unbound keyslots created in-before reencryption intialization +# check cli removed all unbound keyslots created in-before reencryption initialization $CRYPTSETUP luksDump $DEV | grep -q "unbound" && fail echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 2 || fail # there is not enough space in binary area for reencryption keyslot echo -e "$PWD1\n$PWD2" | $CRYPTSETUP reencrypt $DEV --init-only -q 2>/dev/null && fail $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail -# check cli removed all unbound keyslots created in-before reencryption intialization +# check cli removed all unbound keyslots created in-before reencryption initialization $CRYPTSETUP luksDump $DEV | grep -q "unbound" && fail echo "[23] Reencryption with specified new volume key" diff --git a/tests/unit-wipe-test b/tests/unit-wipe-test index 208e05fa..7d28da25 100755 --- a/tests/unit-wipe-test +++ b/tests/unit-wipe-test @@ -70,7 +70,7 @@ function init_hash_dd() # $1 dev, $dev orig function add_file() { - dd if=/dev/zero of=$FILE bs=1M count=$DEVSIZEMB 2> /dev/null || fial + dd if=/dev/zero of=$FILE bs=1M count=$DEVSIZEMB 2> /dev/null || fail dd if=/dev/zero of=$FILE_RAND bs=1M count=$DEVSIZEMB 2> /dev/null || fail check_hash $FILE $HASH_EMPTY || fail check_hash $FILE_RAND $HASH_EMPTY || fail
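Review bot: In the first FAQ.md hunk (@@ -1192,7), dropping the second "is" breaks the sentence instead of removing a duplicate word. The original "assuming something is easier than it actually is is fine" parses as "(assuming something is easier than it actually is) is fine"; the new "easier than it actually is fine" loses the main verb. Suggest reverting this line, or rewording to "it is fine to assume something is easier than it actually is" if the doubled word is the concern.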
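Review bot: In lib/luks2/luks2_token.c (@@ -726,7), the comment header two lines above the corrected EPERM line still reads "ordered form least to most significant"; "form" should be "from". The hunk already edits this comment block, so fix it in the same change.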
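Review bot: In src/utils_reencrypt.c (@@ -138,7), the FIXME line fixes "relase" but keeps the stray "in" in "to be replaced in before final release". Suggest "This is a temporary message to be replaced before final release." so the comment does not need a second typo pass.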
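Review bot: In docs/v2.3.2-ReleaseNotes (@@ -18,7), the context line directly above the changed one is still garbled: "An unbound keyslot store a key is that is not assigned to data". Since the sentence is being touched anyway, suggest rewriting it as "An unbound keyslot stores a key that is not assigned to data area on disk (LUKS2 allows one to store arbitrary keys)."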
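Review bot: In lib/libdevmapper.c (@@ -2736,7), the mechanical "allow to" -> "allow one to" substitution makes the comment read worse: "Never allow one to return empty key" has no sensible referent for "one". The code below it rejects a DM_ACTIVE_CRYPT_KEY query while the device is suspended, so "Never return an empty key" states the intent directly.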
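Review bot: In tests/unit-wipe-test add_file() (@@ -70,7), changing "|| fial" to "|| fail" is a behaviour change rather than a spelling fix, and the commit message should call it out separately from the documentation typos. Unless a "fial" command is defined elsewhere in the script, a failing first dd previously did not reach the fail handler that the next line uses, so this test can now fail at a point where it used to continue.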