From: Lennart Poettering Date: Wed, 8 Nov 2023 10:21:53 +0000 (+0100) Subject: man: explicitly document compat guarantees of cryptenroll vs. cryptsetup X-Git-Tag: v255-rc2~80^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=244101876ccd8dc28e8527d02e3a8ac822dc19ac;p=thirdparty%2Fsystemd.git man: explicitly document compat guarantees of cryptenroll vs. cryptsetup Fixes: #29743 --- diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index ad32bf68f2a..b40d2022339 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -235,6 +235,30 @@ limitation does not apply to PKCS#11 tokens. + + Compatibility + + Security technology both in systemd and in the general industry constantly evolves. In order to + provide best security guarantees, the way TPM2, FIDO2, PKCS#11 devices are enrolled is regularly updated + in newer versions of systemd. Whenever this happens the following compatibility guarantees are given: + + + Old enrollments continue to be supported and may be unlocked with newer versions of + systemd-cryptsetup@.service8. + + The opposite is not guaranteed however: it might not be possible to unlock volumes with + enrollments done with a newer version of systemd-cryptenroll with an older version + of systemd-cryptsetup. + + + That said, it is generally recommended to use matching versions of + systemd-cryptenroll and systemd-cryptsetup, since this is best + tested and supported. + + It might be advisable to re-enroll existing enrollments to take benefit of newer security features, + as they are added to systemd. + + Options
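Review bot: The "matching versions" recommendation in the new Compatibility section should say which systemd-cryptsetup counts, since the paragraph just above it states that "it might not be possible to unlock volumes with enrollments done with a newer version of systemd-cryptenroll with an older version of systemd-cryptsetup": the relevant copy is the one that actually performs the unlock at boot, typically inside the initrd, which can lag behind the systemd-cryptenroll on the running host after an upgrade. For the same reason the closing sentence ("It might be advisable to re-enroll existing enrollments to take benefit of newer security features") would be safer if it suggested verifying that the deployed systemd-cryptsetup can unlock the new enrollment before any older enrollment or recovery key is removed. Minor wording in the same hunk: "In order to provide best security guarantees" reads better as "the best security guarantees", "the way TPM2, FIDO2, PKCS#11 devices are enrolled" should be "TPM2, FIDO2 and PKCS#11 devices", and "to take benefit of" should be "to benefit from".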