This change will allocate space if underlying device is smaller file
and fail if it is block device.
Previously smaller device was quietly ignored, leading to keyslot
access failure with older dm-crypt mapped keyslot encryption
(disabled kernel user crypto API).
In most cases we do not need to create large files for new headers.
crypt_format already allocates enough space for all keyslots in files
during internal header wipe.
Fixes#410.
Cryptsetup/libcryptsetup currently supports several cryptographic
library backends.
The fully supported are libgcrypt, OpenSSL and kernel crypto API.
FIPS mode extensions are maintained only for libgcrypt and OpenSSL.
(Nettle and NSS are usable only for some subset of algorithms and
cannot provide full backward compatibility.)
For years, OpenSSL provided better performance for PBKDF.
Since this commit, cryptsetup uses OpenSSL as the default backend.
You can always switch to other backend by using a configure switch,
for libgcrypt (compatibility for older distributions) use:
--with-crypto_backend=gcrypt
For now, the hash was set to sha256 (except for converted LUKS1 header).
This patch adds the same logic as in LUKS1 - hash aglorithms is
loaded from PBKDF setting.
Fixes#396.
The gcrypt does not use standard pkgconfig detection and requires
specific macro (part of gcrypt development fileS) to be present
during autoconfigure.
With other crypto backend, like OpenSSL, this makes no sense,
so make this part of autoconfigure optional.
The JSON structures should not be printed by default to debug log.
This flag introduces new debug level that prints JSON structures
and keeps default debug output separate.
This patch makes available LUKS2 per-keyslot encryption settings to user.
In LUKS2, keyslot can use different encryption that data.
We can use new crypt_keyslot_get_encryption and crypt_keyslot_set_encryption
API calls to set/get this encryption.
For cryptsetup new --keyslot-cipher and --keyslot-key-size options are added.
The default keyslot encryption algorithm (if cannot be derived from data encryption)
is now available as configure options (default is aes-xts-plain64 with 512-bits key).
NOTE: default was increased from 256-bits.
