Control: reassign -1 cryptsetup-bin Hi,
On Thu, 29 Feb 2024 at 11:57:52 +0000, Jurij Smakov wrote:
> While this change is mentioned in the upstream release notes, I could not
> find any mention of it in the Debian's changelog or NEWS file.
The (upstream) change is in the cryptsetup-bin binary package not cryptsetup.
Its NEWS file reads:
cryptsetup (2:2.7.0~rc0-1) experimental; urgency=medium
Default cipher and password hashing for plain mode have respectively
been changed to aes-xts-plain64 and sha256 (from aes-cbc-essiv:sha256
resp. ripemd160).
The new values matches what is used for LUKS, but the change does NOT
affect LUKS volumes.
This is a backward incompatible change for plain mode when relying on
the defaults, which (for plain mode only) is strongly advised against.
For many releases the Debian wrappers found in the ‘cryptsetup’ binary
package have spewed a loud warning for plain devices from crypttab(5)
where ‘cipher=’ or ‘hash=’ are not explicitly specified. The
cryptsetup(8) executable now issue such a warning as well.
-- Guilhem Moulin <guil...@debian.org> Wed, 29 Nov 2023 17:19:10 +0100
Also the source package has the following changelog entry:
cryptsetup (2:2.7.0~rc0-1) experimental; urgency=medium
* New upstream release candidate 2.7.0:
[…]
+ plain mode: Set default cipher to aes-xts-plain64 and password hashing
to sha256. This is a backward incompatible change for plain mode when
relying on the defaults. It doesn't affect LUKS volumes. Defaults
for
plain mode should not be relied upon anyway; for many releases the
Debian wrappers found in the ‘cryptsetup’ binary package spew a loud
warning when ‘cipher=’ or ‘hash=’ are not explicitly specified in the
crypttab(5) options of plain devices. The cryptsetup(8) executable
now
issue such a warning as well.
[…]
-- Guilhem Moulin <guil...@debian.org> Wed, 29 Nov 2023 17:19:10 +0100
--
Guilhem.
signature.asc
Description: PGP signature
