
main/cryptsetup: specify explicit key size for swap encryption

Sören Tempel requested to merge nmeum/aports:cryptsetup-dmcrypt-key-size into master

cryptsetup 2.7.0 contains some changes to the plain mode. Among other things, the default cipher and hashing algorithm have been changed. Additionally, since changes to the defaults in this regard are likely to occur in the future, cryptsetup now also prints a warning if key size, hash, or cipher are not specified when using the plain mode.

From the cryptsetup 2.7.0 release notes:

Always specify cipher, hash, and key size for plain mode […]. As we need to upgrade algorithms from time to time because of security reasons, cryptsetup now warns users to specify these options explicitly in the open cryptsetup command if plain mode is used.

In Alpine, we use the plain mode in the dmcrypt.initd service for swap partition encryption. The dmcrypt service does not presently specify a key size in the default options for swap encryption. This causes a warning to be emitted on boot. This commit fixes this warning by specifying a key size (256-bit, the current default).

We could also consider using more sophisticated algorithms for swap partition encryption here in the future. Gentoo (where this service originated) also still uses these options. While at it, also remove the hash parameter, as this is ignored in plain mode when a keyfile is specified (and also causes a warning).

Edited by Sören Tempel
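The following is an added example, not code from the aports dmcrypt.initd service or from cryptsetup. It parses an `options=` string of the kind used in a Gentoo/Alpine style dmcrypt configuration (short cryptsetup options: `-c` cipher, `-s` key size, `-h` hash, `-d` keyfile) and shows the two points the merge request makes: the cipher and key size must be explicit so that a future change of cryptsetup's plain-mode defaults cannot silently change how swap is encrypted, and `-h` is dropped when a keyfile is used because plain mode ignores it then. The default cipher name `aes-xts-plain64` and the 256-bit key size used as fallbacks are assumptions for this example, as are the function names.

```sh
#!/bin/sh
# Added example, not part of the aports dmcrypt service.
# Fallbacks used when an options string omits cipher or key size. The 256-bit
# key size matches what the merge request calls the current default; the cipher
# name is an assumption for this example.
PLAIN_DEFAULT_CIPHER="aes-xts-plain64"
PLAIN_DEFAULT_KEY_SIZE=256

# Parse a whitespace-separated cryptsetup options string into P_* variables.
# Handles both "-c aes" and "--cipher=aes" spellings; unknown options are kept
# verbatim in P_REST so nothing the administrator set is lost.
parse_plain_opts() {
    P_CIPHER=""; P_SIZE=""; P_HASH=""; P_KEYFILE=""; P_REST=""
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -c|--cipher)    P_CIPHER="$2";  shift ;;
            --cipher=*)     P_CIPHER="${1#--cipher=}" ;;
            -s|--key-size)  P_SIZE="$2";    shift ;;
            --key-size=*)   P_SIZE="${1#--key-size=}" ;;
            -h|--hash)      P_HASH="$2";    shift ;;
            --hash=*)       P_HASH="${1#--hash=}" ;;
            -d|--key-file)  P_KEYFILE="$2"; shift ;;
            --key-file=*)   P_KEYFILE="${1#--key-file=}" ;;
            *)              P_REST="${P_REST:+$P_REST }$1" ;;
        esac
        shift
    done
}

# Exit status 0 when the options are already explicit enough that cryptsetup
# 2.7.0 has nothing to warn about: cipher and key size set, and no hash given
# alongside a keyfile (plain mode ignores the hash in that case).
plain_opts_ok() {
    parse_plain_opts "$1"
    [ -n "$P_CIPHER" ] || return 1
    [ -n "$P_SIZE" ] || return 1
    if [ -n "$P_KEYFILE" ] && [ -n "$P_HASH" ]; then
        return 1
    fi
    return 0
}

# Print a corrected options string: explicit cipher and key size, hash only
# when no keyfile is in use, remaining options appended unchanged.
normalize_plain_opts() {
    parse_plain_opts "$1"
    out="-c ${P_CIPHER:-$PLAIN_DEFAULT_CIPHER} -s ${P_SIZE:-$PLAIN_DEFAULT_KEY_SIZE}"
    if [ -n "$P_KEYFILE" ]; then
        out="$out -d $P_KEYFILE"
    elif [ -n "$P_HASH" ]; then
        out="$out -h $P_HASH"
    fi
    printf '%s\n' "$out${P_REST:+ $P_REST}"
}

# Print the full plain-mode open command for a swap device.
# Usage: plain_open_cmd <mapping name> <block device> <options string>
plain_open_cmd() {
    printf 'cryptsetup open --type plain %s %s %s\n' \
        "$(normalize_plain_opts "$3")" "$2" "$1"
}

# Demonstration: an options string of the pre-2.7.0 style (hash given, key
# size omitted) next to its corrected form.
OLD_SWAP_OPTS='-c aes-xts-plain64 -h sha256 -d /dev/urandom'
if plain_opts_ok "$OLD_SWAP_OPTS"; then
    echo "options already explicit: $OLD_SWAP_OPTS"
else
    echo "options would trigger a warning: $OLD_SWAP_OPTS"
    echo "corrected:                       $(normalize_plain_opts "$OLD_SWAP_OPTS")"
fi
plain_open_cmd crypt-swap /dev/sda2 "$OLD_SWAP_OPTS"
```

`plain_opts_ok` is the check to run over an existing `/etc/conf.d/dmcrypt` before upgrading: anything it rejects is a swap entry whose effective cipher or key size currently depends on cryptsetup's default and would change silently if that default moved again.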
