I changed “otherwise `cryptsetup` will use default values” to “otherwise default values will be used” because it's the wrappers, not the cryptsetup(8) binary, which use crypttab(5) directly. LGTM otherwise, thanks!

change to default encryption settings for plain-mode dm-crypt devices
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The default settings for ``dm-crypt`` devices created using ``plain``-mode encryption (see :url-man-stable:`crypttab(5)`) have changed to improve security. This will cause problems if you did not record the settings used in ``/etc/crypttab``. The recommended way to configure plain-mode devices is to record the options ``cipher``, ``size``, and ``hash`` in ``/etc/crypttab``; otherwise `cryptsetup` will use default values, and the defaults for cipher and hash algorithm have changed in trixie, which will cause such devices to appear as random data until they are properly configured. This does not apply to LUKS devices because LUKS records the settings in the device itself.

To properly configure your plain-mode devices, assuming they were created with the bookworm defaults, you should add ``cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160`` to ``/etc/crypttab``.

To access such devices with ``cryptsetup`` on the command line you can use ``--cipher aes-cbc-essiv:sha256 --key-size 256 --hash ripemd160``.

Debian recommends that you configure permanent devices with LUKS, or if you do use plain mode, that you explicitly record all the required encryption settings in ``/etc/crypttab``. The new defaults are ``cipher=aes-xts-plain64`` and ``hash=sha256``.

--
Guilhem.
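An added example, not part of the message above and not code from Debian's cryptsetup packaging: a POSIX shell function that lists crypttab(5) entries carrying the ``plain`` option that do not record all of ``cipher``, ``size`` and ``hash``, which are the entries affected by the changed defaults. The function names and the sample entries are constructed for illustration, and checking only entries with an explicit ``plain`` keyword is an assumption of this sketch.

```shell
#!/bin/sh
# audit_crypttab [FILE]
# Reads crypttab(5) lines from FILE (or stdin) and prints
# "<target>: missing <opt>[,<opt>...]" for every entry whose options field
# contains "plain" but lacks an explicit cipher=, size= or hash= setting.
# Assumption: entries without an explicit "plain" keyword are not examined.
audit_crypttab() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        {
            split("cipher size hash", want, " ")
            n = split($4, opts, ",")         # 4th field: comma-separated options
            split("", seen)                  # portable way to clear the array
            plain = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "plain") plain = 1
                eq = index(opts[i], "=")
                # record key only when it has a non-empty value
                if (eq > 1 && eq < length(opts[i]))
                    seen[substr(opts[i], 1, eq - 1)] = 1
            }
            if (!plain) next
            missing = ""
            for (k = 1; k <= 3; k++)
                if (!(want[k] in seen))
                    missing = missing (missing == "" ? "" : ",") want[k]
            if (missing != "")
                print $1 ": missing " missing
        }
    ' "$@"
}

# Constructed sample entries (not taken from any real system).
sample_crypttab() {
    cat <<'EOF'
# <target> <source> <key file> <options>
swap     /dev/sda2  /dev/urandom          plain,swap
scratch  /dev/sdb1  /dev/urandom          plain,cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160,tmp
data     /dev/sdd1  none                  luks
legacy   /dev/sdc1  /etc/keys/legacy.key  plain,cipher=aes-cbc-essiv:sha256
EOF
}

sample_crypttab | audit_crypttab
```

On a real system the function would be called as ``audit_crypttab /etc/crypttab``; each reported target needs the missing options recorded before it is opened with the new defaults.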