SUSE-RU-2020:2638-1: moderate: Recommended update for cryptsetup

sle-updates at lists.suse.com sle-updates at lists.suse.com
Tue Sep 15 13:15:55 MDT 2020 

   SUSE Recommended Update: Recommended update for cryptsetup
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:2638-1
Rating:             moderate
References:         #1165580 SLE-5911 
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has one recommended fix and contains one
   feature can now be installed.

Description:

   This update for cryptsetup fixes the following issues:

   Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)

   - Fix support of larger metadata areas in *LUKS2* header.

     This release properly supports all specified metadata areas, as
   documented in *LUKS2* format description. Currently, only default metadata
   area size is used (in format or convert). Later cryptsetup versions will
   allow increasing this metadata area size.

   - If *AEAD* (authenticated encryption) is used, cryptsetup now tries to
     check if the requested *AEAD* algorithm with specified key size is
     available in kernel crypto API. This change avoids formatting a device
     that cannot be later activated.

     For this function, the kernel must be compiled with the
   *CONFIG_CRYPTO_USER_API_AEAD* option enabled. Note that kernel user crypto
   API options (*CONFIG_CRYPTO_USER_API* and
   *CONFIG_CRYPTO_USER_API_SKCIPHER*) are already mandatory for LUKS2.

   - Fix setting of integrity no-journal flag. Now you can store this flag to
     metadata using *\--persistent* option.

   - Fix cryptsetup-reencrypt to not keep temporary reencryption headers if
     interrupted during initial password prompt.

   - Adds early check to plain and LUKS2 formats to disallow device format if
     device size is not aligned to requested sector size. Previously it was
     possible, and the device was rejected to activate by kernel later.

   - Fix checking of hash algorithms availability for *PBKDF* early.
     Previously *LUKS2* format allowed non-existent hash algorithm with
     invalid keyslot preventing the device from activation.

   - Allow Adiantum cipher construction (a non-authenticated
     length-preserving fast encryption scheme), so it can be used both for
     data encryption and keyslot encryption in *LUKS1/2* devices.

     For benchmark, use:

         # cryptsetup benchmark -c xchacha12,aes-adiantum # cryptsetup
   benchmark -c xchacha20,aes-adiantum

     For LUKS format:

         # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256
   <device>


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-2638=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-2638=1



Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      cryptsetup-2.0.6-4.3.1
      cryptsetup-debuginfo-2.0.6-4.3.1
      cryptsetup-debugsource-2.0.6-4.3.1
      libcryptsetup-devel-2.0.6-4.3.1
      libcryptsetup12-2.0.6-4.3.1
      libcryptsetup12-debuginfo-2.0.6-4.3.1
      libcryptsetup12-hmac-2.0.6-4.3.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libcryptsetup12-32bit-2.0.6-4.3.1
      libcryptsetup12-32bit-debuginfo-2.0.6-4.3.1
      libcryptsetup12-hmac-32bit-2.0.6-4.3.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      cryptsetup-2.0.6-4.3.1
      cryptsetup-debuginfo-2.0.6-4.3.1
      cryptsetup-debugsource-2.0.6-4.3.1
      libcryptsetup-devel-2.0.6-4.3.1
      libcryptsetup12-2.0.6-4.3.1
      libcryptsetup12-debuginfo-2.0.6-4.3.1
      libcryptsetup12-hmac-2.0.6-4.3.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      libcryptsetup12-32bit-2.0.6-4.3.1
      libcryptsetup12-32bit-debuginfo-2.0.6-4.3.1
      libcryptsetup12-hmac-32bit-2.0.6-4.3.1


References:

   https://bugzilla.suse.com/1165580

More information about the sle-updates mailing list