Bug#1109117: release-notes: cryptsetup: Document cipher and password ha
From Guilhem Moulin@21:1/5 to All on Fri Jul 11 18:20:01 2025
XPost: linux.debian.doc
Package: release-notes
Severity: normal
Hi,
cryptsetup ≥2:2.7.0~ has new default cipher and password hashing
algorithms for plain mode, which might break some existing setups and
therefore should be mentioned in the release notes. The following text
from cryptsetup=2:2.7.0~rc0-1's NEWS entry can probably be copied
verbatim.

    Default cipher and password hashing for plain mode have respectively
    been changed to aes-xts-plain64 and sha256 (from aes-cbc-essiv:sha256
    resp. ripemd160).

    The new values match what is used for LUKS, but the change does NOT
    affect LUKS volumes.

    This is a backward incompatible change for plain mode when relying on
    the defaults, which (for plain mode only) is strongly advised against.
    For many releases the Debian wrappers found in the ‘cryptsetup’ binary
    package have spewed a loud warning for plain devices from crypttab(5)
    where ‘cipher=’ or ‘hash=’ are not explicitly specified. The
    cryptsetup(8) executable now issues such a warning as well.
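
An added example, not part of the original message or of cryptsetup: a Python check that lists crypttab(5) entries which would pick up the new plain-mode defaults because ‘cipher=’ or ‘hash=’ is not set. The function names, the sample entries and the list of header-based mode options are assumptions of this example.

```python
"""Audit crypttab(5) text for entries relying on plain-mode default cipher/hash."""

# Options selecting a header-based format, where cipher and hash come from the
# on-disk header. Assumption: adjust this list to your system's crypttab(5).
HEADER_MODES = {"luks", "tcrypt", "bitlk", "fvault2"}

# Constructed sample input, not taken from any real system.
SAMPLE = """\
# <target> <source device> <key file> <options>
root_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard
swap_crypt /dev/sda2 /dev/urandom plain,swap
data_crypt /dev/sdb1 /etc/keys/data.key plain,cipher=aes-cbc-essiv:sha256,size=256
scratch /dev/sdc1 /etc/keys/scratch.key plain,cipher=aes-xts-plain64,hash=sha256
old_disk /dev/sdd1 none
"""

def parse_options(field):
    """Split the comma-separated options field into {name: value or None}."""
    opts = {}
    for item in filter(None, (i.strip() for i in field.split(","))):
        name, sep, value = item.partition("=")
        opts[name] = value if sep else None
    return opts

def audit_crypttab(text):
    """Return (line number, target, mode, missing options) per risky entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed entry, nothing to audit
        opts = parse_options(fields[3]) if len(fields) > 3 else {}
        if HEADER_MODES.intersection(opts):
            continue                      # header supplies cipher and hash
        missing = [k for k in ("cipher", "hash") if not opts.get(k)]
        if missing:
            # "unspecified": no mode option given, so the device itself has
            # to be inspected to learn whether it is plain or LUKS.
            mode = "plain" if "plain" in opts else "unspecified"
            findings.append((lineno, fields[0], mode, missing))
    return findings

if __name__ == "__main__":
    for lineno, target, mode, missing in audit_crypttab(SAMPLE):
        print(f"line {lineno}: {target} ({mode}) lacks {', '.join(missing)}")
```

For each reported entry, pin the values the volume was created with (for a volume created under the old defaults, the ones named in the NEWS text above) rather than the new defaults.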