mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-05 16:00:05 +01:00
man: Remove mentions about archeologic kernel 2.6 and kernel 4.x
@@ -349,7 +349,7 @@ ifdef::ACTION_LUKSFORMAT[]
|
||||
*--integrity* _<integrity algorithm>_::
|
||||
Specify the integrity algorithm to be used for authenticated disk encryption in LUKS2.
|
||||
+
|
||||
*WARNING: This extension is EXPERIMENTAL* and requires dm-integrity kernel target (available since kernel version 4.12).
|
||||
*WARNING: This extension is EXPERIMENTAL* and requires dm-integrity kernel target.
|
||||
For native AEAD modes, also enable "User-space interface for AEAD cipher algorithms" in the "Cryptographic API" section (CONFIG_CRYPTO_USER_API_AEAD .config option).
|
||||
+
|
||||
For more info, see the _AUTHENTICATED DISK ENCRYPTION_ section in *cryptsetup*(8).
|
||||
@@ -790,7 +790,6 @@ Perform encryption using the same CPU on which that IO was submitted.
|
||||
The default is to use an unbound workqueue so that encryption work is automatically balanced between available CPUs.
|
||||
+
|
||||
*NOTE:* This option is available only for low-level dm-crypt performance tuning, use only if you need a change to the default dm-crypt behaviour.
|
||||
Needs kernel 4.0 or later.
|
||||
endif::[]
|
||||
|
||||
ifdef::ACTION_REFRESH,ACTION_OPEN[]
|
||||
@@ -800,7 +799,6 @@ There are some situations where offloading write bios from the encryption thread
|
||||
The default is to offload write bios to the same thread.
|
||||
+
|
||||
*NOTE:* This option is available only for low-level dm-crypt performance tuning, use only if you need a change to the default dm-crypt behaviour.
|
||||
Needs kernel 4.0 or later.
|
||||
endif::[]
|
||||
|
||||
ifdef::ACTION_OPEN,ACTION_REFRESH[]
|
||||
|
||||
@@ -26,7 +26,7 @@ To benchmark PBKDF you need to specify --pbkdf or --hash with optional cost para
|
||||
This benchmark uses memory only and is only informative.
|
||||
You cannot directly predict real storage encryption speed from it.
|
||||
|
||||
For testing block ciphers, this benchmark requires the kernel userspace crypto API to be available (introduced in Linux kernel 2.6.38).
|
||||
For testing block ciphers, this benchmark requires the kernel userspace crypto API to be available.
|
||||
If you are configuring the kernel yourself, enable "User-space interface for symmetric key cipher algorithms" in "Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
|
||||
|
||||
*<options>* can be [--cipher, --key-size, --hash, --pbkdf, --iter-time, --pbkdf-memory, --pbkdf-parallel].
|
||||
|
||||
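Review bot: The unchanged line directly after the reworded sentence spells the option "CRYPTO_USER_API_SKCIPHER .config option" and says 'in "Cryptographic API" section', while the --integrity hunk at the top of this patch writes "CONFIG_CRYPTO_USER_API_AEAD .config option" and 'in the "Cryptographic API" section'. Since these paragraphs are being touched anyway, pick one spelling for the option names (with or without the CONFIG_ prefix) and add the missing article. The same sentence appears again in the TCRYPT hunk.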
@@ -17,7 +17,6 @@ cryptsetup-luksSuspend - suspends an active device and wipes the key
|
||||
== DESCRIPTION
|
||||
|
||||
Suspends an active device (all IO operations will block and accesses to the device will wait indefinitely) and wipes the encryption key from kernel memory.
|
||||
Needs kernel 2.6.19 or later.
|
||||
|
||||
While the _luksSuspend_ operation wipes encryption keys from memory, it does not remove possible plaintext data in various caches or in-kernel metadata for mounted filesystems.
|
||||
|
||||
|
||||
@@ -241,7 +241,7 @@ See also section 7 of the FAQ and http://loop-aes.sourceforge.net[loop-AES] for
|
||||
Cryptsetup supports mapping of TrueCrypt, tcplay, or VeraCrypt encrypted partitions using a native Linux kernel API.
|
||||
Header formatting and TCRYPT header change are not supported; cryptsetup never changes the TCRYPT header on-device.
|
||||
|
||||
TCRYPT extension requires the kernel userspace crypto API to be available (introduced in Linux kernel 2.6.38).
|
||||
TCRYPT extension requires the kernel userspace crypto API to be available.
|
||||
If you are configuring the kernel yourself, enable "User-space interface for symmetric key cipher algorithms" in "Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
|
||||
|
||||
Because the TCRYPT header is encrypted, you must always provide a valid passphrase and keyfiles.
|
||||
@@ -547,8 +547,6 @@ See *urandom*(4) for more information.
|
||||
|
||||
=== Authenticated disk encryption (EXPERIMENTAL)
|
||||
|
||||
Since Linux kernel version 4.12 dm-crypt supports authenticated disk encryption.
|
||||
|
||||
Normal disk encryption modes are length-preserving (the plaintext sector is the same size as a ciphertext sector) and can provide only confidentiality protection, not cryptographically sound data integrity protection.
|
||||
|
||||
Authenticated modes require additional space per-sector for the authentication tag and use Authenticated Encryption with Additional Data (AEAD) algorithms.
|
||||
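Review bot: Dropping the whole opening sentence under "=== Authenticated disk encryption (EXPERIMENTAL)" removes the only statement in the visible section text that dm-crypt is what provides the feature. The --integrity, benchmark and TCRYPT hunks trim only the version and keep the requirement. Consider keeping the sentence without the version, for example "dm-crypt supports authenticated disk encryption.", so the section still names the kernel component before it contrasts length-preserving and authenticated modes.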
@@ -574,7 +572,6 @@ If, for some reason, you want to have integrity control without using authentica
|
||||
|
||||
Cryptsetup is usually used directly on a block device (disk partition or LVM volume).
|
||||
However, if the device argument is a file, cryptsetup tries to allocate a loopback device and map it into this file.
|
||||
This mode requires a Linux kernel 2.6.25 or more recent, which supports the loop autoclear flag (loop device is cleared on the last close automatically).
|
||||
Of course, you can always map a file to a loop device manually.
|
||||
See the cryptsetup FAQ for an example.
|
||||
|
||||
|
||||
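Review bot: The removed line in the loopback paragraph carried two things, the 2.6.25 requirement and the explanation of the autoclear flag ("loop device is cleared on the last close automatically"). Only the first is obsolete. The second tells the reader that the loop device cryptsetup allocates is released automatically, which differs from the manual mapping mentioned in the next line. Suggest keeping that part, for example "The loop device is allocated with the autoclear flag (it is cleared on the last close automatically)."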
@@ -151,7 +151,6 @@ Disable the journal for the integrity device.
|
||||
*--integrity-recalculate*::
|
||||
Automatically recalculate integrity tags in the kernel on activation.
|
||||
The device can be used during automatic integrity recalculation, but becomes fully integrity protected only after the background operation is finished.
|
||||
This option is available since the Linux kernel version 4.19.
|
||||
|
||||
*--integrity-recalculate-reset*::
|
||||
Restart recalculation from the beginning of the device.
|
||||
@@ -268,7 +267,6 @@ Integritysetup returns *0* on success and a non-zero value on error.
|
||||
Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory, *4* wrong device specified, *5* device already exists or device is busy.
|
||||
|
||||
== NOTES
|
||||
The dm-integrity target is available since Linux kernel version 4.12.
|
||||
|
||||
Format and activation of an integrity device always require superuser privilege because the superblock is calculated and handled in the dm-integrity kernel target.
|
||||
|
||||
|
||||
@@ -106,7 +106,6 @@ Cancels a previously configured deferred device removal in the *close* command.
|
||||
Instruct the kernel to verify blocks only once they are read from the data device, rather than every time.
|
||||
+
|
||||
*WARNING:* It provides a reduced level of security because only offline tampering of the data device's content will be detected, not online tampering.
|
||||
This option is available since Linux kernel version 4.17.
|
||||
|
||||
*--data-blocks* _blocks_::
|
||||
Size of the data device used in verification.
|
||||
@@ -182,13 +181,11 @@ With --restart-on-corruption or --panic-on-corruption, the kernel is restarted (
|
||||
(You have to provide a way to avoid restart loops.)
|
||||
+
|
||||
*WARNING:* Use these options only for very specific cases.
|
||||
These options are available since Linux kernel version 4.1.
|
||||
|
||||
*--ignore-zero-blocks*::
|
||||
Instruct the kernel not to verify blocks expected to contain zeroes and always directly return zeroes instead.
|
||||
+
|
||||
*WARNING:* Use this option only in very specific cases.
|
||||
This option is available since Linux kernel version 4.5.
|
||||
|
||||
*--no-superblock*::
|
||||
Create or use dm-verity without a permanent on-disk superblock.
|
||||
|
||||