Brother
Professional
A set of Cryptsetup 2.7 utilities has been published.
Key improvements:
• It is possible to use the OPAL hardware disk encryption mechanism, supported on self-encrypting (SED - Self-Encrypting Drives) SATA and NVMe drives with the TCG OPAL2 interface, in which the encryption engine is built directly into the drive controller. On the one hand, OPAL encryption is tied to proprietary hardware and is not available for public audit; on the other hand, it can be used as an additional layer of protection on top of software encryption, and it neither reduces performance nor loads the CPU.
Using OPAL in LUKS2 requires building the Linux kernel with the CONFIG_BLK_SED_OPAL option and enabling it in Cryptsetup (OPAL support is disabled by default). Setting up LUKS2 OPAL is carried out in a similar way to software encryption - metadata is stored in the LUKS2 header. The key is split into a partition key for software encryption (dm-crypt) and an unlock key for OPAL. OPAL can be used either together with software encryption (cryptsetup luksFormat --hw-opal <device>) or separately (cryptsetup luksFormat --hw-opal-only <device>). OPAL is activated and deactivated in the same way (open, close, luksSuspend, luksResume) as for LUKS2 devices.
• In plain mode, in which the master key and header are not stored on disk, the aes-xts-plain64 cipher and the sha256 hash are now used by default (XTS replaces CBC mode, which has performance problems, and sha256 replaces the outdated ripemd160 hash).
• The open and luksResume commands allow the volume key to be linked into a user-selected kernel keyring. To access the keyring, the "--volume-key-keyring" option has been added to many cryptsetup commands (for example 'cryptsetup open <device> --link-vk-to-keyring "@s::%user:testkey" tst').
• On systems without a swap partition, formatting or creating a key slot with the Argon2 PBKDF now uses only half of the free memory, which solves the problem of running out of available memory on systems with a small amount of RAM.
• Added option "--external-tokens-path" to specify the directory for external LUKS2 token handlers (plugins).
• The tcrypt format (TrueCrypt/VeraCrypt) has added support for the Blake2 hash algorithm used by VeraCrypt.
• Added support for the Aria block cipher.
• Added support for the Argon2 implementations in OpenSSL 3.2 and libgcrypt, eliminating the need for libargon2.
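As an added example (not part of the post above or of the cryptsetup project), here is a small pre-flight shell helper for the LUKS2 OPAL and keyring features described in the list. It checks the kernel prerequisite (CONFIG_BLK_SED_OPAL=y), builds the luksFormat and open command lines from the post for the two OPAL modes, and verifies from `keyctl show @s` output that the linked volume key is present. The destructive cryptsetup calls are only printed, never executed, because they need root and a real self-encrypting drive; the device path, the keyring description "testkey", the mapping name "tst", and the assumed `keyctl show` tree format are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the cryptsetup project.
# Pre-flight helper for LUKS2 + OPAL (cryptsetup 2.7). Pure text checks
# are separated from the privileged commands so they can run anywhere.

# Succeeds only if the kernel config fed on stdin has OPAL support built
# in (CONFIG_BLK_SED_OPAL=y). "=m" or "# ... is not set" fails.
opal_kernel_enabled() {
    grep -q '^CONFIG_BLK_SED_OPAL=y$'
}

# Print the running kernel's config from /proc/config.gz when exposed,
# otherwise from /boot/config-<release>; return 1 if neither is readable.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Print the luksFormat command for the requested mode (from the post):
#   combined : OPAL plus dm-crypt  (--hw-opal)      -> defence in depth
#   hw-only  : OPAL alone          (--hw-opal-only) -> trusts drive firmware only
opal_format_cmd() {
    mode=$1; dev=$2
    case $mode in
        combined) echo "cryptsetup luksFormat --hw-opal $dev" ;;
        hw-only)  echo "cryptsetup luksFormat --hw-opal-only $dev" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Print the open command that links the volume key into the session
# keyring (@s) as a key of type "user" with the given description.
open_with_keyring_cmd() {
    dev=$1; name=$2; desc=$3
    echo "cryptsetup open $dev --link-vk-to-keyring \"@s::%user:$desc\" $name"
}

# Given "keyctl show @s" output on stdin, succeed if a "user" key with the
# given description is listed. Assumes keyctl's "\_ user: <desc>" layout.
vk_in_session_keyring() {
    grep -q "user: $1\$"
}

# Wiring for a real machine (root, OPAL-capable drive, cryptsetup 2.7 built
# with OPAL support): sh this_script.sh run /dev/nvme0n1p2   (device assumed)
if [ "${1:-}" = "run" ]; then
    dev=${2:?device required}
    running_kernel_config | opal_kernel_enabled \
        || { echo "kernel lacks CONFIG_BLK_SED_OPAL=y" >&2; exit 1; }
    echo "prerequisite ok; commands to run as root:"
    opal_format_cmd combined "$dev"
    open_with_keyring_cmd "$dev" tst testkey
    echo "then verify the link with: keyctl show @s | grep 'user: testkey'"
fi
```

The combined mode is the one to prefer when the drive's OPAL implementation cannot be audited: if the firmware is weak, dm-crypt still protects the data, and if the CPU is the bottleneck, OPAL costs nothing extra.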