Provision: updating cryptsetup parameters
authorSilvio Rhatto <rhatto@riseup.net>
Sat, 9 Aug 2014 17:06:42 +0000 (14:06 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Sat, 9 Aug 2014 17:06:42 +0000 (14:06 -0300)
share/hydractl/provision

index b3638099e474c713bbad4c3dbd56ee8616fe6f4e..5fac217522ca412d6d91f867329b1f9d19eb1e6f 100755 (executable)
@@ -58,7 +58,7 @@ function hydra_provision_create_volume {
 
   if [ "$encrypt" == "y" ]; then
     echo "Creating encrypted $volume device..."
-    hydra_safe_run cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/mapper/$vg-$volume
+    hydra_safe_run cryptsetup --cipher aes-xts-plain64:sha256 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/mapper/$vg-$volume
     hydra_safe_run cryptsetup luksOpen /dev/mapper/$vg-$volume provision-$volume
     hydra_safe_run mkfs.ext4 /dev/mapper/provision-$volume
 
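Review bot: The `:sha256` suffix in `--cipher aes-xts-plain64:sha256` on the new luksFormat line looks like a leftover from the old `essiv:sha256` spec. The plain64 IV generator takes no hash parameter, so the suffix configures nothing and can mislead a reader into thinking a hash takes part in IV generation. I would write `--cipher aes-xts-plain64` and leave the hash choice to `--hash sha512`; the same suffix appears on the `cswap` crypttab line in the second hunk. Since `--iter-time 5000` is benchmarked on the machine that runs luksFormat, a comment such as `# iteration count is measured on the provisioning host; unlock takes longer on a slower target` would help if the volume is later opened on different hardware. hydra_provision_create_volume starts and ends outside the hunk.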
@@ -284,25 +284,25 @@ echo "# <target name> <source device>   <key file>  <options>" > /tmp/debootstra
 
 if [ "$encrypt" == "y" ]; then
   cat > /tmp/debootstrap/etc/crypttab <<-EOF
-root            /dev/mapper/$vg-root      none            luks,cipher=aes-cbc-essiv:sha256
+root            /dev/mapper/$vg-root      none            luks
 EOF
 fi
 
 if [ "$home_size" != "0" ] && [ "$encrypt" == "y" ]; then
   cat >> /tmp/debootstrap/etc/crypttab <<-EOF
-home            /dev/mapper/$vg-home      none            luks,cipher=aes-cbc-essiv:sha256
+home            /dev/mapper/$vg-home      none            luks
 EOF
 fi
 
 if [ "$var_size" != "0" ] && [ "$encrypt" == "y" ]; then
   cat >> /tmp/debootstrap/etc/crypttab <<-EOF
-var             /dev/mapper/$vg-var       none            luks,cipher=aes-cbc-essiv:sha256
+var             /dev/mapper/$vg-var       none            luks
 EOF
 fi
 
 if [ "$swap" != "0" ]; then
   cat >> /tmp/debootstrap/etc/crypttab <<-EOF
-cswap           $swap_device                  /dev/random     swap,cipher=aes-cbc-essiv:sha256
+cswap           $swap_device                  /dev/random     swap,cipher=aes-xts-plain64:sha256
 EOF
 fi
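Review bot: The new `cswap` entry switches the cipher to XTS but sets no `size=`, so the swap mapping falls back to the plain-mode default key size rather than the 512 bits that luksFormat now uses. If that default is 256 bits, XTS splits it into two 128-bit halves and swap ends up on AES-128 while the LUKS volumes use AES-256. To match the other volumes I would write the options as `swap,cipher=aes-xts-plain64,size=512`. The three LUKS entries are fine with plain `luks`, since the cipher is read from the LUKS header.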