On Fri, 11 Jul 2025 23:39:24 +0200 Guilhem Moulin <guil...@debian.org> wrote:
> On Sun, 5 May 2024 at 17:29:03 +0100, Justin B Rye wrote:
> > L wrote (https://lists.debian.org/debian-doc/2024/05/msg00003.html):
> >> Guilhem Moulin <guil...@debian.org> writes:
> >>> cryptsetup 2:2.7.0~rc0-1 has a backward incompatible change for plain
> >>> mode when relying on default cipher and password hashing algorithm.
>
> plain mode is the default when the crypttab(5) option field doesn't
> specify any other type (luks, tcrypt, etc.). However I suspect most
> users don't edit crypttab(5) manually, but instead do it automatically
> at installation time (via d-i) which always sets the type explicitly.
> d-i's default “LVM-over-crypt” setup sets up LUKS devices, but users can
> choose (explicit) plain in the menu too if they choose to do so.

I think what I understand from this (which may be very wrong) is:

The default settings for LUKS filesystems (see crypttab(5)) have changed to improve security, which may cause issues if you did not explicitly include the settings in [/etc/crypttab].

To access encrypted filesystems, [/etc/crypttab] should specify the ``cipher`` and ``hash`` that were used to create the filesystem: these are usually set to the correct values automatically (for example the debian installer usually writes them to the file), but if they are not present, LUKS falls back to default values. Because the default values have changed in trixie, filesystems created in bookworm will not be accessible, which may prevent you from booting the system.

To access such filesystems, assuming they were created with the previous defaults, you should add ``cipher=aes-cbc-essiv:sha256,hash=ripemd160`` to [/etc/crypttab]. If you use [LUKS on the command line] you can use ``--cipher aes-cbc-essiv:sha256 --hash ripemd160``.

Debian recommends you always explicitly set the exact values used to create a filesystem in [/etc/crypttab]. The new defaults are ``cipher=aes-xts-plain64,hash=sha256``: you can change LUKS filesystems to use the new defaults by [???].
please check!
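An added example, not part of this thread or of the cryptsetup package: a small POSIX sh audit that reads a crypttab(5) file and flags entries that would silently pick up the new plain-mode defaults because they name neither a non-plain type (luks, tcrypt) nor explicit ``cipher=`` and ``hash=`` options. The sample crypttab it writes is constructed for the demo; device names and the ``check_crypttab``/``sample_crypttab`` function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit crypttab(5) for entries that
# rely on cryptsetup's plain-mode defaults for cipher and hash.

# check_crypttab FILE: print one WARN line per affected entry; return 1 if any.
check_crypttab() {
    rc=0
    # Fields: <target> <source> <keyfile> <options>; the last var gets the rest.
    while read -r target source keyfile options; do
        # Skip blank lines and comments.
        case "$target" in ''|\#*) continue ;; esac
        # luks/tcrypt devices carry their parameters in an on-disk header.
        case ",$options," in *,luks,*|*,tcrypt,*) continue ;; esac
        # A device re-keyed from /dev/urandom at every boot (typically swap)
        # holds no persistent data, so a default change cannot lock it out.
        case "$keyfile" in /dev/urandom|/dev/random) continue ;; esac
        missing=""
        case ",$options," in *,cipher=*) ;; *) missing="$missing cipher=" ;; esac
        case ",$options," in *,hash=*)   ;; *) missing="$missing hash=" ;; esac
        if [ -n "$missing" ]; then
            printf 'WARN: %s (%s) relies on plain-mode defaults; missing:%s\n' \
                "$target" "$source" "$missing"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# sample_crypttab FILE: write a constructed crypttab covering each case.
sample_crypttab() {
    cat > "$1" <<'EOF'
# <target>  <source>   <keyfile>     <options>
sda2_crypt  /dev/sda2  none          luks,discard
cswap       /dev/sda3  /dev/urandom  swap,cipher=aes-xts-plain64,size=256
data        /dev/sdb1  none          plain
legacy      /dev/sdb2  none          cipher=aes-cbc-essiv:sha256,hash=ripemd160
EOF
}

# Demo run: only "data" should be reported.
demo_file="${TMPDIR:-/tmp}/crypttab.sample.$$"
sample_crypttab "$demo_file"
check_crypttab "$demo_file" || echo "add explicit cipher=/hash= to the entries above"
rm -f "$demo_file"
```

Run it against the real file with ``check_crypttab /etc/crypttab`` before upgrading; an entry that is reported but was created with the old defaults needs ``cipher=aes-cbc-essiv:sha256,hash=ripemd160`` added, as the draft text above says.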