Provides example of loadable token handler for activation
json validation and metadata dump.
For creating new ssh example token use special cryptsetup-ssh
binary.

This reverts mostly these commits:
42692418c2a985c12659
The library was meant to export common functions shared by
all cryptsetup tools and planned LUKS2 tokens plugins.
It is no longer needed.

Introducing new library supposed to be used in
cryptsetup tools and future cryptsetup loadable plugins
TODO:
- distribution
- cleanup header files
- incorporate also plugin API?

Cryptsetup/libcryptsetup currently supports several cryptographic
library backends.
The fully supported are libgcrypt, OpenSSL and kernel crypto API.
FIPS mode extensions are maintained only for libgcrypt and OpenSSL.
(Nettle and NSS are usable only for some subset of algorithms and
cannot provide full backward compatibility.)
For years, OpenSSL provided better performance for PBKDF.
Since this commit, cryptsetup uses OpenSSL as the default backend.
You can always switch to another backend by using a configure switch,
for libgcrypt (compatibility for older distributions) use:
--with-crypto_backend=gcrypt

The gcrypt does not use standard pkgconfig detection and requires
specific macro (part of gcrypt development files) to be present
during autoconfigure.
With other crypto backend, like OpenSSL, this makes no sense,
so make this part of autoconfigure optional.

This patch makes available LUKS2 per-keyslot encryption settings to user.
In LUKS2, keyslot can use different encryption than data.
We can use new crypt_keyslot_get_encryption and crypt_keyslot_set_encryption
API calls to set/get this encryption.
For cryptsetup new --keyslot-cipher and --keyslot-key-size options are added.
The default keyslot encryption algorithm (if cannot be derived from data encryption)
is now available as configure options (default is aes-xts-plain64 with 512-bits key).
NOTE: default was increased from 256-bits.
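
As an added illustration (not part of the commit message above or of the cryptsetup sources): a shell helper that reads `cryptsetup luksDump` text and reports each LUKS2 keyslot's cipher and key size, listing slots still below the new 512-bit default. The sample dump is constructed, and the `Cipher:` / `Cipher key:` layout under `Keyslots:` is an assumption about the luksDump output format.

```sh
#!/bin/sh
# Added example, not cryptsetup code.
# Constructed sample shaped like LUKS2 `cryptsetup luksDump` output (assumed layout).
sample_dump() {
cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 256 bits
        PBKDF:      pbkdf2
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Read a dump on stdin; print "slot cipher key_bits" for every keyslot.
keyslot_encryption() {
    awk '
        /^[^ \t]/ { in_slots = ($1 == "Keyslots:"); next }  # top-level section header
        !in_slots { next }
        /^[ \t]+[0-9]+: / { slot = $1; sub(":", "", slot); next }
        $1 == "Cipher:" { cipher = $2; next }
        $1 == "Cipher" && $2 == "key:" { print slot, cipher, $3 }
    '
}

# Read a dump on stdin; print keyslots whose keyslot key is shorter than $1 bits.
weak_keyslots() {
    keyslot_encryption | awk -v min="${1:-512}" '$3 + 0 < min + 0 { print $1 }'
}

# Real use (device path is a placeholder): cryptsetup luksDump /dev/sdX | weak_keyslots
sample_dump | keyslot_encryption
```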

Currently, AC_ARG_[ENABLE|WITH] are used in multiple different ways.
This change makes all their uses the same by following the style of
the GNU manual:
- AC_ARG_ENABLE(foo) should only define $enable_foo
- Use the 2 argument form with a --enable_foo flag
- Use the 4 argument form with a --disable_foo flag
- Format all uses the same way
- Always compare using: test "x$enable_foo" = "xyes"
This makes them easier to debug, more readable, and shorter.
This formatting fix also revealed a bug (fix submitted separately).