Release of Cryptsetup 2.6 with support for the FileVault2 encryption mechanism

The Cryptsetup 2.6 set of utilities has been published for configuring encryption of disk partitions in Linux using the dm-crypt module. dm-crypt, LUKS, LUKS2, BITLK, loop-AES and TrueCrypt/VeraCrypt partitions are supported. The package also includes the veritysetup and integritysetup utilities for configuring data integrity controls based on the dm-verity and dm-integrity modules.

Key improvements:

  • Added support for storage devices encrypted using the FileVault2 mechanism used for full disk encryption in macOS. Cryptsetup, in combination with the hfsplus driver, can now open FileVault2-encrypted USB drives in read-write mode on systems with a regular Linux kernel. Access to drives with the HFS+ file system and with Core Storage partitions is supported (APFS partitions are not supported yet).
  • The libcryptsetup library no longer locks all process memory globally via the mlockall() call, which was used to prevent sensitive data from leaking to the swap partition. Because that approach exceeded the limit on the maximum size of locked memory when running without root privileges, the new version selectively locks only the memory areas that store encryption keys.
  • Increased the priority of processes performing key generation (PBKDF).
  • Functions have been added for adding LUKS2 tokens and binary keys to a LUKS key slot (keyslot), in addition to the previously supported passphrases and key files.
  • The ability to extract a partition key using a passphrase, a key file, or a token has been provided.
  • Added the "--use-tasklets" option to veritysetup to improve performance on some systems with Linux 6.x kernels.
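
The difference between global and selective memory locking described in the libcryptsetup item above can be seen with the following added example, which is not code from cryptsetup. The names key_buf, round_up_pages, key_buf_alloc and key_buf_free are hypothetical; only the POSIX/Linux calls (mlockall, mlock, munlock, mmap, getrlimit) are real.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Hypothetical holder for key material (not a libcryptsetup type). */
struct key_buf { void *p; size_t len; int locked; };

/* mlock() operates on whole pages, so round the request up. */
static size_t round_up_pages(size_t len) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    return (len + pg - 1) / pg * pg;
}

/* Map private pages for the key and lock only those pages in RAM. */
static int key_buf_alloc(struct key_buf *kb, size_t len) {
    kb->len = round_up_pages(len);
    kb->p = mmap(NULL, kb->len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (kb->p == MAP_FAILED) { kb->p = NULL; kb->locked = 0; return -1; }
    kb->locked = (mlock(kb->p, kb->len) == 0); /* may fail if the limit is 0 */
    return 0;
}

/* Wipe the key, then unlock and unmap its pages. */
static void key_buf_free(struct key_buf *kb) {
    if (!kb->p) return;
    volatile unsigned char *v = kb->p;
    for (size_t i = 0; i < kb->len; i++) v[i] = 0;
    if (kb->locked) munlock(kb->p, kb->len);
    munmap(kb->p, kb->len);
    kb->p = NULL; kb->locked = 0;
}

int main(void) {
    struct rlimit rl; struct key_buf kb;
    getrlimit(RLIMIT_MEMLOCK, &rl);
    printf("RLIMIT_MEMLOCK soft limit: %llu\n", (unsigned long long)rl.rlim_cur);
    /* Global lock: typically fails without root once the process exceeds the limit. */
    if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0) printf("mlockall: %s\n", strerror(errno));
    else munlockall();
    if (key_buf_alloc(&kb, 64) != 0) return 1;
    printf("selective mlock of %zu bytes: %s\n", kb.len, kb.locked ? "ok" : "failed");
    key_buf_free(&kb);
    return 0;
}
```

Run as an unprivileged user with the default RLIMIT_MEMLOCK, the mlockall() call usually reports an error while the single-page mlock() succeeds.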

Source: opennet.ru
