   openSUSE Recommended Update: Recommended update for cryptsetup
______________________________________________________________________________

Announcement ID:    openSUSE-RU-2020:1451-1
Rating:             moderate
References:         #1165580
Affected Products:
                    openSUSE Leap 15.1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for cryptsetup fixes the following issues:

   Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)

   - Fix support of larger metadata areas in *LUKS2* header.
     This release properly supports all specified metadata areas, as
     documented in the *LUKS2* format description. Currently, only the
     default metadata area size is used (in format or convert). Later
     cryptsetup versions will allow increasing this metadata area size.

   - If *AEAD* (authenticated encryption) is used, cryptsetup now tries to
     check if the requested *AEAD* algorithm with the specified key size is
     available in the kernel crypto API. This change avoids formatting a
     device that cannot be activated later.
     For this function, the kernel must be compiled with the
     *CONFIG_CRYPTO_USER_API_AEAD* option enabled. Note that the kernel user
     crypto API options (*CONFIG_CRYPTO_USER_API* and
     *CONFIG_CRYPTO_USER_API_SKCIPHER*) are already mandatory for LUKS2.

   - Fix setting of the integrity no-journal flag. Now you can store this
     flag in metadata using the *--persistent* option.

   - Fix cryptsetup-reencrypt to not keep temporary reencryption headers if
     interrupted during the initial password prompt.

   - Add an early check to plain and LUKS2 formats to disallow device format
     if the device size is not aligned to the requested sector size.
     Previously this was possible, and the kernel later refused to activate
     the device.

   - Fix checking of hash algorithm availability for *PBKDF* early.
     Previously, *LUKS2* format allowed a non-existent hash algorithm,
     producing an invalid keyslot that prevented the device from being
     activated.

   - Allow Adiantum cipher construction (a non-authenticated
     length-preserving fast encryption scheme), so it can be used both for
     data encryption and keyslot encryption in *LUKS1/2* devices.

     For benchmark, use:

       # cryptsetup benchmark -c xchacha12,aes-adiantum
       # cryptsetup benchmark -c xchacha20,aes-adiantum

     For LUKS format:

       # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 <device>

   This update was imported from the SUSE:SLE-15-SP1:Update update project.


Patch Instructions:

   To install this openSUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.1:

      zypper in -t patch openSUSE-2020-1451=1


Package List:

   - openSUSE Leap 15.1 (i586 x86_64):

      cryptsetup-2.0.6-lp151.2.3.1
      cryptsetup-debuginfo-2.0.6-lp151.2.3.1
      cryptsetup-debugsource-2.0.6-lp151.2.3.1
      libcryptsetup-devel-2.0.6-lp151.2.3.1
      libcryptsetup12-2.0.6-lp151.2.3.1
      libcryptsetup12-debuginfo-2.0.6-lp151.2.3.1
      libcryptsetup12-hmac-2.0.6-lp151.2.3.1

   - openSUSE Leap 15.1 (x86_64):

      libcryptsetup12-32bit-2.0.6-lp151.2.3.1
      libcryptsetup12-32bit-debuginfo-2.0.6-lp151.2.3.1
      libcryptsetup12-hmac-32bit-2.0.6-lp151.2.3.1


References:

   https://bugzilla.suse.com/1165580