The patch adds the two options
--perf-same_cpu_crypt
--perf-submit_from_crypt_cpus
that set the same named options inside dmcrypt
(available in Linux kernel 3.20 and later).
For historic reasons, in the plain mode the hashing is not used
if a keyfile is used (with the exception of --key-file=-).
Print a warning if the parameters are ignored.
For other cases, uses keyfile offset, keyfile size and hash
as specified on commandline.
Partially fixes issue#243
If AddKey was called with master key argument, the code always asked
for a passphrase ignoring the keyfile argument.
Now it is processed properly, the same as if no master key is specified.
The --header always takes precedence over positional device argument.
Also allow specifying UUID= for luksSuspend and luksResume if used with
a detached header.
Apparently there are some people using ECB.
This mode by design does not use any IV; unfortunately,
kernel dmcrypt allows specifying them (but the userspace crypto API doesn't).
Let's support activation as it was in the previous version.
Should fix issue#238.
If a LUKS device was configured to use a detached header, the suspend operation
required the --header option. For now it is enough that the active device in-kernel
UUID type is set properly.
Fixes issue#229.
- cryptsetup library is not required to be FIPS certified anymore
due to the fact that the gcrypt PBKDF2 algorithm can be used instead of
the cryptsetup internal one.
- check in library constructor is no longer needed and therefore
removed.
- all other checks regarding MK extraction or random generator
restrictions remain the same
The strerror_r call exists in POSIX and GNU variants;
if the POSIX variant is used (like in the musl libc replacement)
we cannot rely on the char* pointer.
Fixes issue#237.
The partial read usually happens only on IO error,
so reencrypt at least the part that is read properly.
For EINTR, the code must restart the read completely.
Fixes issue#226.
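The read handling described in the commit message above, sketched as an added example (not cryptsetup's own code): `read_block` and `demo_short_read` are hypothetical names, and the pipe is constructed input standing in for a device that returns fewer bytes than requested. The caller must process only the returned byte count, never the full requested block.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: read up to count bytes from fd into buf.
 * Returns the number of bytes read (short on EOF or on an I/O error
 * after some data arrived), or -1 if the error hit before any data. */
static ssize_t read_block(int fd, void *buf, size_t count)
{
	size_t done = 0;

	while (done < count) {
		ssize_t s = read(fd, (char *)buf + done, count - done);

		if (s < 0 && errno == EINTR)
			continue;       /* interrupted: reissue the read */
		if (s < 0)              /* real error: keep what was read */
			return done ? (ssize_t)done : -1;
		if (s == 0)
			break;          /* EOF: report the short count */
		done += (size_t)s;
	}
	return (ssize_t)done;
}

/* Constructed input: a pipe holding 5 bytes, read with a larger
 * request so that read_block() has to report a partial block. */
static ssize_t demo_short_read(char *out, size_t outlen)
{
	int fds[2];
	ssize_t w, n = -1;

	if (pipe(fds) < 0)
		return -1;
	w = write(fds[1], "abcde", 5);
	close(fds[1]);          /* writer gone: EOF follows the 5 bytes */
	if (w == 5)
		n = read_block(fds[0], out, outlen);
	close(fds[0]);
	return n;
}

int main(void)
{
	char buf[16];
	ssize_t n = demo_short_read(buf, sizeof(buf));

	printf("requested %zu, got %zd\n", sizeof(buf), n);
	return (n == 5 && memcmp(buf, "abcde", 5) == 0) ? 0 : 1;
}
```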
O_DIRECT operations directed towards a filesystem are problematic:
There's no sane way to detect specific filesystem requirements
for such operations.
This patch is replacing O_DIRECT flag with O_SYNC flag for all
open() calls related to reencrypt log. The O_SYNC flag is used
when --use-fsync option is detected.
Man page is modified accordingly.