The option --disable-luks2-reencryption completely disable
LUKS2 reencryption code.
When used, the libcryptsetup library can read metadata with
reencryption code, but all reencryption API calls and cryptsetup
reencrypt commands are disabled.
Devices with online reencryption in progress cannot be activated.
This option can cause some incompatibilities. Please use with care.
Starting with version 2.0.0, libpasswdqc can use memory allocation
when loading configuration that contains new optional parameters.
It's therefore recommended to free all memory allocated by
passwdqc_params_load using new passwdqc_params_free function
introduced in the same version of libpasswdqc.
[slightly modified by mbroz]
Cryptsetup/libcryptsetup currently supports several cryptographic
library backends.
The fully supported are libgcrypt, OpenSSL and kernel crypto API.
FIPS mode extensions are maintained only for libgcrypt and OpenSSL.
(Nettle and NSS are usable only for some subset of algorithms and
cannot provide full backward compatibility.)
For years, OpenSSL provided better performance for PBKDF.
Since this commit, cryptsetup uses OpenSSL as the default backend.
You can always switch to other backend by using a configure switch,
for libgcrypt (compatibility for older distributions) use:
--with-crypto_backend=gcrypt
The gcrypt does not use standard pkgconfig detection and requires
specific macro (part of gcrypt development fileS) to be present
during autoconfigure.
With other crypto backend, like OpenSSL, this makes no sense,
so make this part of autoconfigure optional.
This patch makes available LUKS2 per-keyslot encryption settings to user.
In LUKS2, keyslot can use different encryption that data.
We can use new crypt_keyslot_get_encryption and crypt_keyslot_set_encryption
API calls to set/get this encryption.
For cryptsetup new --keyslot-cipher and --keyslot-key-size options are added.
The default keyslot encryption algorithm (if cannot be derived from data encryption)
is now available as configure options (default is aes-xts-plain64 with 512-bits key).
NOTE: default was increased from 256-bits.
