SUSE-RU-2020:0952-1: moderate: Recommended update for cryptsetup

sle-updates at sle-updates at
Wed Apr 8 07:15:16 MDT 2020

   SUSE Recommended Update: Recommended update for cryptsetup

Announcement ID:    SUSE-RU-2020:0952-1
Rating:             moderate
References:         #1165580 
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5

   An update that has one recommended fix can now be installed.


   This update for cryptsetup fixes the following issues:

   - Update from version 2.0.5 to version 2.0.6 (jsc#SLE-5911, bsc#1165580):
     * Fix support of larger metadata areas in LUKS2 header. This release
       properly supports all specified metadata areas, as documented in LUKS2
       format description (see docs/on-disk-format-luks2.pdf in archive).
       Currently, only default metadata area size is used (in format or
       convert). Later cryptsetup versions will allow increasing this
       metadata area size.
     * If AEAD (authenticated encryption) is used, cryptsetup now tries to
       check if the requested AEAD algorithm with specified key size is
       available in kernel crypto API. This change avoids formatting a device
       that cannot be later activated. For this function, the kernel must be
       compiled with the CONFIG_CRYPTO_USER_API_AEAD option enabled. Note
       that kernel user crypto API options (CONFIG_CRYPTO_USER_API and
       CONFIG_CRYPTO_USER_API_SKCIPHER) are already mandatory for LUKS2.
     * Fix setting of the integrity no-journal flag. You can now store this
       flag in metadata using the --persistent option.
     * Fix cryptsetup-reencrypt to not keep temporary reencryption headers if
       interrupted during initial password prompt.
     * Add an early check to plain and LUKS2 formats that disallows
       formatting a device whose size is not aligned to the requested sector
       size. Previously this was possible, and the kernel later refused to
       activate the device.
     * Fix early checking of hash algorithm availability for PBKDF.
       Previously, LUKS2 format accepted a non-existent hash algorithm,
       producing an invalid keyslot that prevented the device from being
       activated.
     * Allow Adiantum cipher construction (a non-authenticated
       length-preserving fast encryption scheme), so it can be used both for
       data encryption and keyslot encryption in LUKS1/2 devices.

       For benchmark, use:

         # cryptsetup benchmark -c xchacha12,aes-adiantum
         # cryptsetup benchmark -c xchacha20,aes-adiantum

       For LUKS format:

         # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 <device>

       The support for Adiantum will be merged in Linux kernel 4.21.
       For more info see the paper
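
The kernel option requirement and the sector-size alignment rule described in the list above can be mirrored as a pre-flight check before formatting. This is an added example, not part of the SUSE announcement or of cryptsetup; the function names and the sample kernel config fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before a LUKS2 format (optionally with AEAD).
# All function names and the sample data are hypothetical.

# Kernel options the announcement names as mandatory for LUKS2 and for AEAD.
LUKS2_OPTS="CONFIG_CRYPTO_USER_API CONFIG_CRYPTO_USER_API_SKCIPHER"
AEAD_OPTS="CONFIG_CRYPTO_USER_API_AEAD"

# kconfig_enabled FILE OPTION: succeed if OPTION is built in (=y) or a module (=m).
# The "=" anchor keeps CONFIG_CRYPTO_USER_API from matching ..._AEAD lines.
kconfig_enabled() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# missing_opts FILE yes|no: print required options that are not enabled,
# space-separated. Empty output means nothing is missing.
missing_opts() {
    file=$1; missing=""; opts=$LUKS2_OPTS
    if [ "$2" = yes ]; then opts="$opts $AEAD_OPTS"; fi
    for o in $opts; do
        kconfig_enabled "$file" "$o" || missing="$missing $o"
    done
    echo "${missing# }"
}

# size_aligned BYTES SECTOR: succeed if the device size is a multiple of the
# requested sector size (the condition the new early check enforces).
size_aligned() {
    [ $(( $1 % $2 )) -eq 0 ]
}

# Constructed sample: kernel config fragment without the AEAD option.
sample_config() {
    cat <<'EOF'
CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_CRYPTO_USER_API_SKCIPHER=m
# CONFIG_CRYPTO_USER_API_AEAD is not set
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
echo "missing for LUKS2:        '$(missing_opts "$cfg" no)'"
echo "missing for LUKS2 + AEAD: '$(missing_opts "$cfg" yes)'"
# Constructed size: 1 GiB + 512 bytes is not a multiple of 4096.
size_aligned 1073742336 4096 || echo "size not aligned to 4096-byte sectors"
rm -f "$cfg"
```

On a real host, point `missing_opts` at the running kernel's config (typically `/boot/config-$(uname -r)`) instead of the sample file.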

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-952=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-952=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):


   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):


   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):


