Cryptsetup 2.2.0 Release Notes ============================== Stable release with new experimental features and bug fixes. Cryptsetup 2.2 version introduces a new LUKS2 online reencryption extension that allows reencryption of mounted LUKS2 devices (device in use) in the background. Online reencryption is a complex feature. Please be sure you have a full data backup before using this feature. Changes since version 2.1.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ LUKS2 online reencryption ~~~~~~~~~~~~~~~~~~~~~~~~~ The reencryption is intended to provide a reliable way to change volume key or an algorithm change while the encrypted device is still in use. It is based on userspace-only approach (no kernel changes needed) that uses the device-mapper subsystem to remap active devices on-the-fly dynamically. The device is split into several segments (encrypted by old key, new key and so-called hotzone, where reencryption is actively running). The flexible LUKS2 metadata format is used to store intermediate states (segment mappings) and both version of keyslots (old and new keys). Also, it provides a binary area (in the unused keyslot area space) to provide recovery metadata in the case of unexpected failure during reencryption. LUKS2 header is during the reencryption marked with "online-reencryption" keyword. After the reencryption is finished, this keyword is removed, and the device is backward compatible with all older cryptsetup tools (that support LUKS2). The recovery supports three resilience modes: - checksum: default mode, where individual checksums of ciphertext hotzone sectors are stored, so the recovery process can detect which sectors were already reencrypted. It requires that the device sector write is atomic. - journal: the hotzone is journaled in the binary area (so the data are written twice) - none: performance mode; there is no protection (similar to old offline reencryption) These resilience modes are not available if reencryption uses data shift. Note: until we have full documentation (both of the process and metadata), please refer to Ondrej's slides (some slight details are no longer relevant) https://okozina.fedorapeople.org/online-disk-reencryption-with-luks2-compact.pdf The offline reencryption tool (cryptsetup-reencrypt) is still supported for both LUKS1 and LUKS2 format. Cryptsetup examples for reencryption ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The reencryption feature is integrated directly into cryptsetup utility as the new "reencrypt" action (command). There are three basic modes - to perform reencryption (change of already existing LUKS2 device), to add encryption to plaintext device and to remove encryption from a device (decryption). In all cases, if existing LUKS2 metadata contains information about the ongoing reencryption process, following reencrypt command continues with the ongoing reencryption process until it is finished. You can activate a device with ongoing reencryption as the standard LUKS2 device, but the reencryption process will not continue until the cryptsetup reencrypt command is issued. 1) Reencryption ~~~~~~~~~~~~~~~ This mode is intended to change any attribute of the data encryption (change of the volume key, algorithm or sector size). Note that authenticated encryption is not yet supported. You can start the reencryption process by specifying a LUKS2 device or with a detached LUKS2 header. The code should automatically recognize if the device is in use (and if it should use online mode of reencryption). If you do not specify parameters, only volume key is changed (a new random key is generated). # cryptsetup reencrypt [--header ] You can also start reencryption using active mapped device name: # cryptsetup reencrypt --active-name You can also specify the resilience mode (none, checksum, journal) with --resilience= option, for checksum mode also the hash algorithm with --resilience-hash= (only hash algorithms supported by cryptographic backend are available). The maximal size of reencryption hotzone can be limited by --hotzone-size= option and applies to all reencryption modes. Note that for checksum and journal mode hotzone size is also limited by available space in binary keyslot area. 2) Encryption ~~~~~~~~~~~~~ This mode provides a way to encrypt a plaintext device to LUKS2 format. This option requires reduction of device size (for LUKS2 header) or new detached header. # cryptsetup reencrypt --encrypt --reduce-device-size Or with detached header: # cryptsetup reencrypt --encrypt --header 3) Decryption ~~~~~~~~~~~~~ This mode provides the removal of existing LUKS2 encryption and replacing a device with plaintext content only. For now, we support only decryption with a detached header. # cryptsetup reencrypt --decrypt --header For all three modes, you can split the process to metadata initialization (prepare keyslots and segments but do not run reencryption yet) and the data reencryption step by using --init-only option. Prepares metadata: # cryptsetup reencrypt --init-only Starts the data processing: # cryptsetup reencrypt Please note, that due to the Linux kernel limitation, the encryption or decryption process cannot be run entirely online - there must be at least short offline window where operation adds/removes device-mapper crypt (LUKS2) layer. This step should also include modification of /etc/crypttab and fstab UUIDs, but it is out of the scope of cryptsetup tools. Limitations ~~~~~~~~~~~ Most of these limitations will be (hopefully) fixed in next versions. * Only one active keyslot is supported (all old keyslots will be removed after reencryption). * Only block devices are now supported as parameters. As a workaround for images in a file, please explicitly map a loop device over the image and use the loop device as the parameter. * Devices with authenticated encryption are not supported. (Later it will be limited by the fixed per-sector metadata, per-sector metadata size cannot be changed without a new device format operation.) * The reencryption uses userspace crypto library, with fallback to the kernel (if available). There can be some specific configurations where the fallback does not provide optimal performance. * There are no translations of error messages until the final release (some messages can be rephrased as well). * The repair command is not finished; the recovery of interrupted reencryption is made automatically on the first device activation. * Reencryption triggers too many udev scans on metadata updates (on closing write enabled file descriptors). This has a negative performance impact on the whole reencryption and generates excessive I/O load on the system. New libcryptsetup reencryption API ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The libcryptsetup contains new API calls that are used to setup and run the reencryption. Note that there can be some changes in API implementation of these functions and/or some new function can be introduced in final cryptsetup 2.2 release. New API symbols (see documentation in libcryptsetup.h) * struct crypt_params_reencrypt - reencryption parameters * crypt_reencrypt_init_by_passphrase * crypt_reencrypt_init_by_keyring - function to configure LUKS2 metadata for reencryption; if metadata already exists, it configures the context from this metadata * crypt_reencrypt - run the reencryption process (processing the data) - the optional callback function can be used to interrupt the reencryption or report the progress. * crypt_reencrypt_status - function to query LUKS2 metadata about the reencryption state Other changes and fixes ~~~~~~~~~~~~~~~~~~~~~~~ * Add optional global serialization lock for memory hard PBKDF. (The --serialize-memory-hard-pbkdf option in cryptsetup and CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF in activation flag.) This is an "ugly" optional workaround for a situation when multiple devices are being activated in parallel (like systemd crypttab activation). The system instead of returning ENOMEM (no memory available) starts out-of-memory (OOM) killer to kill processes randomly. Until we find a reliable way how to work with memory-hard function in these situations, cryptsetup provide a way how to serialize memory-hard unlocking among parallel cryptsetup instances to workaround this problem. This flag is intended to be used only in very specific situations, never use it directly :-) * Abort conversion to LUKS1 with incompatible sector size that is not supported in LUKS1. * Report error (-ENOENT) if no LUKS keyslots are available. User can now distinguish between a wrong passphrase and no keyslot available. * Fix a possible segfault in detached header handling (double free). * Add integritysetup support for bitmap mode introduced in Linux kernel 5.2. Integritysetup now supports --integrity-bitmap-mode option and --bitmap-sector-per-bit and --bitmap-flush-time commandline options. In the bitmap operation mode, if a bit in the bitmap is 1, the corresponding region's data and integrity tags are not synchronized - if the machine crashes, the unsynchronized regions will be recalculated. The bitmap mode is faster than the journal mode because we don't have to write the data twice, but it is also less reliable, because if data corruption happens when the machine crashes, it may not be detected. This can be used only for standalone devices, not with dm-crypt. * The libcryptsetup now keeps all file descriptors to underlying device open during the whole lifetime of crypt device context to avoid excessive scanning in udev (udev run scan on every descriptor close). * The luksDump command now prints more info for reencryption keyslot (when a device is in-reencryption). * New --device-size parameter is supported for LUKS2 reencryption. It may be used to encrypt/reencrypt only the initial part of the data device if the user is aware that the rest of the device is empty. Note: This change causes API break since the last rc0 release (crypt_params_reencrypt structure contains additional field). * New --resume-only parameter is supported for LUKS2 reencryption. This flag resumes reencryption process if it exists (not starting new reencryption). * The repair command now tries LUKS2 reencryption recovery if needed. * If reencryption device is a file image, an interactive dialog now asks if reencryption should be run safely in offline mode (if autodetection of active devices failed). * Fix activation through a token where dm-crypt volume key was not set through keyring (but using old device-mapper table parameter mode). * Online reencryption can now retain all keyslots (if all passphrases are provided). Note that keyslot numbers will change in this case. * Allow volume key file to be used if no LUKS2 keyslots are present. If all keyslots are removed, LUKS2 has no longer information about the volume key size (there is only key digest present). Please use --key-size option to open the device or add a new keyslot in these cases. * Print a warning if online reencrypt is called over LUKS1 (not supported). * Fix TCRYPT KDF failure in FIPS mode. Some crypto backends support plain hash in FIPS mode but not for PBKDF2. * Remove FIPS mode restriction for crypt_volume_key_get. It is an application responsibility to use this API in the proper context. * Reduce keyslots area size in luksFormat when the header device is too small. Unless user explicitly asks for keyslots areas size (either via --luks2-keyslots-size or --offset) reduce keyslots size so that it fits in metadata device. * Make resize action accept --device-size parameter (supports units suffix).