Deprecating crypto algorithms in the kernel
Warner Losh
imp at bsdimp.com
Tue May 7 20:36:17 UTC 2019
[[ trimmed ]]
On Mon, May 6, 2019 at 7:14 PM John Baldwin <jhb at freebsd.org> wrote:
> commit 18e69bec6ee11ca2c7e89752ddab97bb8f776c7b
> Author: John Baldwin <jhb at FreeBSD.org>
> Date: Mon May 6 17:54:33 2019 -0700
>
> Add additional warnings to /dev/crypto for deprecated algorithms.
>
> If these algorithms are removed from geli(4) then there will no longer
> be
> any in-kernel consumers:
> - 3DES
> - Blowfish
> - MD5-HMAC
>
This freaked me out when I saw it, since I have GELI volumes going back a
about a decade. However, checking into it showed no cause for concern.
The default was changed in this commit:
pjd | Thu Sep 23 11:58:36 2010 +0000 | r213070
Add support for AES-XTS. This will be the default now.
All my GELI volumes are AES-XTS (though some pre-date this change, I may
have converted somehow along the way). Camilla support was added in 2007,
and that's not on the chopping block, but wasn't made the default.
So all GELI volumes created in the last 8 years aren't affected (plus or
minus for time to get into a release) and even older ones likely are still
supported. So I expect the practical impact of this to be minimal.
Warner
More information about the freebsd-arch
mailing list