On Thu, 11 Sep 2014 23:15:00 +0200 Jonas Meurer <jo...@freesources.org> wrote:
> On 11.09.2014 at 16:43, Osamu Aoki wrote:
> > Hi,
> >
> > [...]
>
> Agreed. Though I'm not sure whether the change should be mentioned in
> release notes at all. My impression is that few people use whirlpool
> with cryptsetup. And for users skilled enough to choose a different hash
> function the warning in NEWS.Debian might be enough, no?
>
> I have to admit that I don't know much about the scope of Debian release
> notes, so I don't want to argue over whether the cryptsetup whirlpool
> issues should be mentioned there ;)
>
> Kind regards,
> jonas
>

Hi,

Thanks for filing this bug; I am in the process of writing a section for
it. Please see attached patch for the actual wording - comments and
feedback welcome.

@Jonas: Is it correctly asserted of me that it is possible to check if
your disk is affected by running:

  /sbin/cryptsetup luksDump <disk-device> | grep -i whirlpool

If so, we can add this as a simple test to the release notes.

Thanks,
~Niels

diff --git a/en/issues.dbk b/en/issues.dbk index dd74a5c..67da7d4 100644 --- a/en/issues.dbk +++ b/en/issues.dbk @@ -184,4 +184,38 @@ the current ESR releases for stable. "nofail" option. </para> </section> + +<section id="cryptsetup-luks-whirlpool"> + <!-- Wheezy to Jessie --> + <title>Manual migration of disks encrypted with LUKS whirlpool + (non-standard setup)</title> + <note> + <para> + This section is only for people have set up such disks + themselves. The debian-installer <emphasis>never</emphasis> + supported creating such disks. + </para> + </note> + <para> + If you have <emphasis>manually</emphasis> setup an encrypted disk + with LUKS whirlpool, you will need to migrate it manually to a + stronger hash. + </para> + <para> + For more information on migrating, please see item "8.3 Gcrypt + 1.6.x and later break Whirlpool" of the <ulink + url="https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions">cryptsetup + FAQ</ulink>. + </para> + <caution> + <para> + If you have such a disk, <systemitem + role="package">cryptsetup</systemitem> will refuse to decrypt by + default. If your rootdisk or other system disks (e.g. /usr) are + encrypted with whirlpool, you should migrate them prior to the + first reboot after upgrading <systemitem + role="package">cryptsetup</systemitem>. + </para> + </caution> +</section> </chapter>
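
Review bot: The second <para> tells readers to migrate "to a stronger hash", but the FAQ item cited two paragraphs later is titled "Gcrypt 1.6.x and later break Whirlpool", which describes a compatibility break rather than a weak hash; "a different hash" would match that title and avoid implying a weakness the section never explains. In the <note>, "only for people have set up such disks" is missing "who", and "manually setup" in the following <para> should be "manually set up". The <caution> says cryptsetup "will refuse to decrypt by default" but gives readers no way to tell whether they have such a disk; if the luksDump check asked about in the cover message is confirmed, it belongs in this section ahead of the advice to migrate before the first reboot. The wording "by default" also implies an override exists without naming it or pointing to where it is documented. Finally, the FAQ reference relies on the item number "8.3" staying stable on an external wiki page, so citing the item by title alone would age better.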