[Pkg-cryptsetup-devel] Significance of default hash change in cryptsetup

Jonas Meurer jonas at freesources.org
Sat Feb 16 16:26:49 UTC 2008


On 15/02/2008 Ross Boylan wrote:
> This is a request for clarification about whether upgrading to the new
> cryptsetup will render my system unbootable unless I change something.
> 
> The news item
> cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low
> 
>   The default hash used by the initramfs cryptroot scripts has been changed
>   from sha256 to ripemd160 for consistency with the cryptsetup default. It is
>   recommended to configure the hash in use in /etc/crypttab anyway, thus this
>   change should not have any impact on your system.
> 
> confused me.  My system, set up with the Debian etch beta installer, has
> all my partitions built on top of an encrypted physical partition.  To
> clarify: one partition of my hard disk is encrypted; I use the encrypted
> partition as a physical volume for LVM; and I carve all the partitions
> my system runs on out of logical volumes taken from that physical
> volume.

Sorry for the confusion. Another sentence has been appended to the note in
the meantime, but it didn't make it into Debian yet:

The default hash used by the initramfs cryptroot scripts has been changed
from sha256 to ripemd160 for consistency with the cryptsetup default. It is
recommended to configure the hash in use in /etc/crypttab anyway, thus this
change should not have any impact on your system.
Note that LUKS doesn't need a hash option, so this applies only to plain
dm-crypt devices.

> The references to a changing hash suggest that perhaps my existing
> system, made with the old defaults, will stop working if the defaults
> change.   Is it safe for me to upgrade without taking further action?

Indeed it is safe. Only plain dm-crypt devices use the hash option, so
LUKS devices are safe to upgrade.

> /etc/crypttab currently holds
> sda6_crypt /dev/sda6 none luks
> 
> It does not have an explicit hash option.  man partman suggests
> (ambiguously) that such options are not relevant with LUKS.

The partman manpage indeed is correct ,-)

> Part of my problem is that, since the installer did most of the work, I
> don't know what's going on under the hood.  Presumably others are in the
> same boat.  It might be good to clarify this issue in the NEWS too.

Do you think that the appended sentence (see above) clarifies this
enough?

greetings,
 jonas
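
The check discussed in this thread, as an added example that is not part of the original message or of the cryptsetup package: it lists the `/etc/crypttab` entries that are plain dm-crypt (no `luks` option) and name no `hash=` option, which are the entries that depend on the scripts' default hash. Assumptions: the four-column crypttab layout with comma-separated options, the function names, and the constructed sample entries other than `sda6_crypt`.

```python
"""List crypttab entries that depend on the default hash (added example)."""
import sys

# Sample input: the first entry is the one quoted in the thread; the other
# two are constructed for illustration.
SAMPLE = """\
# <target> <source> <keyfile> <options>
sda6_crypt /dev/sda6 none luks
cold /dev/sdb1 none cipher=aes-cbc-essiv:sha256,size=256
cnew /dev/sdc1 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
"""


def parse_crypttab(text):
    """Yield (target, options) per entry; options maps option name to value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed entry: no source device
        raw = fields[3] if len(fields) > 3 else ""  # options column may be absent
        opts = {}
        for item in raw.split(","):
            if item:
                key, _, value = item.partition("=")
                opts[key] = value
        yield fields[0], opts


def relies_on_default_hash(text):
    """Return targets of plain dm-crypt entries with no explicit hash= option.

    Assumption: an entry is LUKS exactly when its options include 'luks'.
    Matching is on the option name, so 'sha256' inside a cipher spec
    (cipher=aes-cbc-essiv:sha256) is not mistaken for a hash setting.
    """
    return [t for t, o in parse_crypttab(text)
            if "luks" not in o and "hash" not in o]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for target in relies_on_default_hash(data):
        print(f"{target}: plain dm-crypt without hash=, set it explicitly")
```

Run it with the path to a crypttab file as its only argument; with no argument it checks the embedded sample.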


