
Re: cryptsetup 2.1.0-1 in sid: new default LUKS version, and more changes


On Mon, 15 Apr 2019 at 22:46:16 +0200, Cyril Brulebois wrote:
> And sorry for the lag. While I understand why one might want to use
> LUKS2, this switch seems to be happening very late in the release cycle…

The discussion started in summer 2018 though.  When I objected to
‘partman-crypto/merge_requests/1’ the plan was to default to LUKS2 ready
in late 2018, so in time for Buster.  Sorry for rushing this now.  In
retrospect a better path would have been to leave ‘--type=luks2’ in d-i,
at least for early tests.

> but I haven't spotted anything like that when testing the guided
> encrypted LVM recipe (that's one of the usual tests I run before
> deciding a release can be prepared).

cryptsetup doesn't directly use getrandom() at the moment; instead it
open()s /dev/urandom (resp. /dev/random if `--use-random` is set) and
read()s from it.  Reading from /dev/urandom isn't blocking; unless
`--use-random` is set, the change won't affect entropy starvation.

However, getrandom(,16, GRND_NONBLOCK) is used indirectly by libuuid's
uuid_generate().  However, changing the LUKS version (or downgrading
cryptsetup) has no impact here; and FWIW `mkfs` generates UUIDs as well.
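
The non-blocking behaviour described in the message above, as an added example that is not part of the original e-mail and is neither cryptsetup's nor libuuid's code: request 16 bytes with getrandom() and GRND_NONBLOCK, and fall back to open() and read() on /dev/urandom if that call fails. The names `nonblocking_random`, `read_urandom` and `enum rng_source` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/random.h>
#include <unistd.h>

/* Hypothetical names, chosen for this example only. */
enum rng_source { RNG_FAIL = -1, RNG_GETRANDOM = 0, RNG_URANDOM = 1 };

/* open() + read() on /dev/urandom: never blocks, even before the kernel
 * pool is initialised. Loops because read() may return short or EINTR. */
static int read_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t off = 0;

    if (fd < 0)
        return -1;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) {
            close(fd);
            return -1;
        }
        off += (size_t)n;
    }
    close(fd);
    return 0;
}

/* GRND_NONBLOCK makes getrandom() fail with EAGAIN instead of sleeping
 * when the pool is not yet initialised (early boot, an installer).
 * On any failure (EAGAIN, ENOSYS on old kernels, ...) fall back. */
enum rng_source nonblocking_random(unsigned char *buf, size_t len)
{
    if (getrandom(buf, len, GRND_NONBLOCK) == (ssize_t)len)
        return RNG_GETRANDOM;
    return read_urandom(buf, len) == 0 ? RNG_URANDOM : RNG_FAIL;
}

int main(void)
{
    unsigned char id[16]; /* 16 bytes, the request size quoted above */
    enum rng_source src = nonblocking_random(id, sizeof id);

    printf("source=%s\n", src == RNG_GETRANDOM ? "getrandom"
                        : src == RNG_URANDOM ? "/dev/urandom" : "none");
    return src == RNG_FAIL;
}
```

Neither path can stall waiting for entropy; only a blocking read of /dev/random can.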

