The Cryptsetup 2.7 utility set has been released. It is designed to configure encryption of disk partitions on Linux using the dm-crypt module. It supports dm-crypt, LUKS, LUKS2, BITLK, loop-AES and TrueCrypt/VeraCrypt partitions. It also includes the veritysetup and integritysetup utilities for configuring data integrity controls based on the dm-verity and dm-integrity modules.
Key improvements:
- It is now possible to use the OPAL hardware disk encryption mechanism, supported on SED (Self-Encrypting Drives) SATA and NVMe drives with the OPAL2 TCG interface, where the hardware encryption device is built directly into the controller. On the one hand, OPAL encryption is tied to proprietary hardware and is not available for public audit; on the other hand, it can be used as an additional layer of protection on top of software encryption, which does not reduce performance and puts no load on the CPU.
Using OPAL in LUKS2 requires building the Linux kernel with the CONFIG_BLK_SED_OPAL option and enabling it in Cryptsetup (OPAL support is disabled by default). LUKS2 OPAL is set up in the same way as software encryption: the metadata is stored in the LUKS2 header. The key is split into a partition key for software encryption (dm-crypt) and an unlock key for OPAL. OPAL can be used together with software encryption (cryptsetup luksFormat --hw-opal), or on its own (cryptsetup luksFormat --hw-opal-only). OPAL is activated and deactivated in the same way (open, close, luksSuspend, luksResume) as LUKS2 devices.
- In plain mode, where the master key and header are not stored on disk, the default cipher is aes-xts-plain64 and the default hashing algorithm is sha256 (XTS is used instead of CBC mode, which has performance problems, and sha256 is used instead of the outdated ripemd160 hash).
- The open and luksResume commands allow the partition key to be stored in a user-selected kernel keyring. To access the keyring, the "--volume-key-keyring" option has been added to many cryptsetup commands (for example, 'cryptsetup open --link-vk-to-keyring "@s::%user:testkey" tst').
- On systems without a swap partition, formatting or creating a key slot for the Argon2 PBKDF now uses half of the free memory, which solves the problem of running out of available memory on systems with a small amount of RAM.
- Added the "--external-tokens-path" option to specify the directory for external LUKS2 token handlers (plugins).
- tcrypt has added support for the Blake2 hashing algorithm for VeraCrypt.
- Added support for the Aria block cipher.
- Added support for Argon2 in the OpenSSL 3.2 and libgcrypt implementations, which eliminates the need for libargon.
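
The swapless Argon2 memory rule from the list above, worked through as an added example (not cryptsetup's own code). It assumes that "free memory" means the MemFree field and "no swap" means SwapTotal of 0 in a /proc/meminfo-style file; the function names and sample values are constructed, and cryptsetup's other limits are not modelled.

```shell
#!/bin/sh
# Added illustration, not cryptsetup code.
# Rule modelled: with no swap, Argon2 memory cost is capped at half of free memory.
# Assumptions: free memory = MemFree, no swap = SwapTotal of 0 (both in kB).

# meminfo_kb FIELD FILE -> prints the kB value of FIELD, fails if it is absent
meminfo_kb() {
    awk -v f="$1:" '$1 == f { print $2; found = 1 }
                    END { if (!found) exit 1 }' "$2"
}

# argon2_memory_cap REQUESTED_KB [MEMINFO_FILE] -> prints effective cost in kB
argon2_memory_cap() {
    requested=$1
    file=${2:-/proc/meminfo}
    swap=$(meminfo_kb SwapTotal "$file") || return 1
    free=$(meminfo_kb MemFree "$file") || return 1
    if [ "$swap" -eq 0 ]; then
        half=$((free / 2))
        # Only lower the cost; never raise it above what was requested.
        if [ "$half" -lt "$requested" ]; then
            echo "$half"
            return 0
        fi
    fi
    echo "$requested"
}

# Constructed sample inputs: a small swapless host and a host with swap.
sample_dir=$(mktemp -d)
printf 'MemTotal: 1000000 kB\nMemFree: 600000 kB\nSwapTotal: 0 kB\n' \
    > "$sample_dir/noswap"
printf 'MemTotal: 1000000 kB\nMemFree: 600000 kB\nSwapTotal: 2097148 kB\n' \
    > "$sample_dir/swap"

echo "swapless host: $(argon2_memory_cap 1048576 "$sample_dir/noswap") kB"
echo "host with swap: $(argon2_memory_cap 1048576 "$sample_dir/swap") kB"
rm -rf "$sample_dir"
```

A key slot created with a lower memory cost is cheaper to attack offline, so on low-RAM hosts it is worth comparing the value reported by `cryptsetup luksDump` with what was intended.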
Source: opennet.ru