Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 7 May 2019 14:14:37 -0700
From:      John Baldwin <jhb@FreeBSD.org>
To:        Warner Losh <imp@bsdimp.com>
Cc:        "freebsd-arch@freebsd.org" <arch@freebsd.org>
Subject:   Re: Deprecating crypto algorithms in the kernel
Message-ID:  <eda0a9c1-8d83-3b62-dbfe-ee01cc5bdcac@FreeBSD.org>
In-Reply-To: <CANCZdfoYzE3b7ZPsxeFWyPyZeTbaMer=O7aHFGKoRGAEXzLcpQ@mail.gmail.com>
References:  <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org> <CANCZdfoYzE3b7ZPsxeFWyPyZeTbaMer=O7aHFGKoRGAEXzLcpQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 5/7/19 1:36 PM, Warner Losh wrote:
> [[ trimmed ]]
> On Mon, May 6, 2019 at 7:14 PM John Baldwin <jhb@freebsd.org> wrote:
> 
>> commit 18e69bec6ee11ca2c7e89752ddab97bb8f776c7b
>> Author: John Baldwin <jhb@FreeBSD.org>
>> Date:   Mon May 6 17:54:33 2019 -0700
>>
>>     Add additional warnings to /dev/crypto for deprecated algorithms.
>>
>>     If these algorithms are removed from geli(4) then there will no longer
>> be
>>     any in-kernel consumers:
>>     - 3DES
>>     - Blowfish
>>     - MD5-HMAC
>>
> 
> This freaked me out when I saw it, since I have GELI volumes going back a
> about a decade. However, checking into it showed no cause for concern.
> 
> The default was changed in this commit:
> 
>     pjd | Thu Sep 23 11:58:36 2010 +0000 | r213070
>     Add support for AES-XTS. This will be the default now.
> 
> All my GELI volumes are AES-XTS (though some pre-date this change, I may
> have converted somehow along the way). Camilla support was added in 2007,
> and that's not on the chopping block, but wasn't made the default.
> 
> So all GELI volumes created in the last 8 years aren't affected (plus or
> minus for time to get into a release) and even older ones likely are still
> supported. So I expect the practical impact of this to be minimal.

To be clear, the default has never been 3DES or Blowfish, but today you can
still choose to create one via 'geli create -e', so they may still exist,
but only if you have explicitly chosen to use it.

-- 
John Baldwin

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?eda0a9c1-8d83-3b62-dbfe-ee01cc5bdcac>