Recommended update for cryptsetup

SUSE Recommended Update: Recommended update for cryptsetup
Announcement ID: SUSE-RU-2020:0952-1
Rating: moderate
References: #1165580
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 12-SP5
  • SUSE Linux Enterprise Server 12-SP5

An update that has one recommended fix can now be installed.

Description:

This update for cryptsetup fixes the following issues:

  • Update from version 2.0.5 to version 2.0.6 (jsc#SLE-5911, bsc#1165580): * Fix support of larger metadata areas in LUKS2 header. This release properly supports all specified metadata areas, as documented in LUKS2 format description (see docs/on-disk-format-luks2.pdf in archive). Currently, only default metadata area size is used (in format or convert). Later cryptsetup versions will allow increasing this metadata area size. * If AEAD (authenticated encryption) is used, cryptsetup now tries to check if the requested AEAD algorithm with specified key size is available in kernel crypto API. This change avoids formatting a device that cannot be later activated. For this function, the kernel must be compiled with the CONFIG_CRYPTO_USER_API_AEAD option enabled. Note that kernel user crypto API options (CONFIG_CRYPTO_USER_API and CONFIG_CRYPTO_USER_API_SKCIPHER) are already mandatory for LUKS2. * Fix setting of integrity no-journal flag. Now you can store this flag to metadata using --persistent option. * Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt. * Adds early check to plain and LUKS2 formats to disallow device format if device size is not aligned to requested sector size. Previously it was possible, and the device was rejected to activate by kernel later. * Fix checking of hash algorithms availability for PBKDF early. Previously LUKS2 format allowed non-existent hash algorithm with invalid keyslot preventing the device from activation. * Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used both for data encryption and keyslot encryption in LUKS1/2 devices. For benchmark, use: # cryptsetup benchmark -c xchacha12,aes-adiantum # cryptsetup benchmark -c xchacha20,aes-adiantum For LUKS format: # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 The support for Adiantum will be merged in Linux kernel 4.21. For more info see the paper https://eprint.iacr.org/2018/720.

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Software Development Kit 12-SP5:
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-952=1
  • SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-952=1

Package List:

  • SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
    • cryptsetup-debuginfo-2.0.6-3.3.1
    • cryptsetup-debugsource-2.0.6-3.3.1
    • libcryptsetup-devel-2.0.6-3.3.1
  • SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    • cryptsetup-2.0.6-3.3.1
    • cryptsetup-debuginfo-2.0.6-3.3.1
    • cryptsetup-debugsource-2.0.6-3.3.1
    • libcryptsetup12-2.0.6-3.3.1
    • libcryptsetup12-debuginfo-2.0.6-3.3.1
    • libcryptsetup12-hmac-2.0.6-3.3.1
  • SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
    • libcryptsetup12-32bit-2.0.6-3.3.1
    • libcryptsetup12-debuginfo-32bit-2.0.6-3.3.1
    • libcryptsetup12-hmac-32bit-2.0.6-3.3.1

References: