Date: Tue, 7 May 2019 14:36:03 -0600 From: Warner Losh <imp@bsdimp.com> To: John Baldwin <jhb@freebsd.org> Cc: "freebsd-arch@freebsd.org" <arch@freebsd.org> Subject: Re: Deprecating crypto algorithms in the kernel Message-ID: <CANCZdfoYzE3b7ZPsxeFWyPyZeTbaMer=O7aHFGKoRGAEXzLcpQ@mail.gmail.com> In-Reply-To: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org> References: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[[ trimmed ]]
On Mon, May 6, 2019 at 7:14 PM John Baldwin <jhb@freebsd.org> wrote:
> commit 18e69bec6ee11ca2c7e89752ddab97bb8f776c7b
> Author: John Baldwin <jhb@FreeBSD.org>
> Date: Mon May 6 17:54:33 2019 -0700
>
> Add additional warnings to /dev/crypto for deprecated algorithms.
>
> If these algorithms are removed from geli(4) then there will no longer
> be
> any in-kernel consumers:
> - 3DES
> - Blowfish
> - MD5-HMAC
>
This freaked me out when I saw it, since I have GELI volumes going back a
about a decade. However, checking into it showed no cause for concern.
The default was changed in this commit:
pjd | Thu Sep 23 11:58:36 2010 +0000 | r213070
Add support for AES-XTS. This will be the default now.
All my GELI volumes are AES-XTS (though some pre-date this change, I may
have converted somehow along the way). Camilla support was added in 2007,
and that's not on the chopping block, but wasn't made the default.
So all GELI volumes created in the last 8 years aren't affected (plus or
minus for time to get into a release) and even older ones likely are still
supported. So I expect the practical impact of this to be minimal.
Warner
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANCZdfoYzE3b7ZPsxeFWyPyZeTbaMer=O7aHFGKoRGAEXzLcpQ>