2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
32 #include <libcryptsetup.h>
35 #include "cryptsetup.h"
37 static int opt_verbose = 0;
38 static int opt_debug = 0;
39 static const char *opt_cipher = NULL;
40 static const char *opt_hash = NULL;
41 static int opt_verify_passphrase = 0;
42 static const char *opt_key_file = NULL;
43 static const char *opt_master_key_file = NULL;
44 static const char *opt_header_backup_file = NULL;
45 static const char *opt_uuid = NULL;
46 static int opt_key_size = 0;
47 static long opt_keyfile_size = 0;
48 static long opt_new_keyfile_size = 0;
49 static int opt_key_slot = CRYPT_ANY_SLOT;
50 static uint64_t opt_size = 0;
51 static uint64_t opt_offset = 0;
52 static uint64_t opt_skip = 0;
53 static int opt_skip_valid = 0;
54 static int opt_readonly = 0;
55 static int opt_iteration_time = 1000;
56 static int opt_batch_mode = 0;
57 static int opt_version_mode = 0;
58 static int opt_timeout = 0;
59 static int opt_tries = 3;
60 static int opt_align_payload = 0;
61 static int opt_random = 0;
62 static int opt_urandom = 0;
63 static int opt_dump_master_key = 0;
65 static const char **action_argv;
66 static int action_argc;
68 static int action_create(int arg);
69 static int action_remove(int arg);
70 static int action_resize(int arg);
71 static int action_status(int arg);
72 static int action_luksFormat(int arg);
73 static int action_luksOpen(int arg);
74 static int action_luksAddKey(int arg);
75 static int action_luksKillSlot(int arg);
76 static int action_luksRemoveKey(int arg);
77 static int action_luksChangeKey(int arg);
78 static int action_isLuks(int arg);
79 static int action_luksUUID(int arg);
80 static int action_luksDump(int arg);
81 static int action_luksSuspend(int arg);
82 static int action_luksResume(int arg);
83 static int action_luksBackup(int arg);
84 static int action_luksRestore(int arg);
85 static int action_loopaesOpen(int arg);
87 static struct action_type {
91 int required_action_argc;
96 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
97 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
98 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
99 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
100 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
101 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
102 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
103 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
104 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
105 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
106 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
107 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
108 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
109 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
110 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
111 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
112 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
113 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
114 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
115 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
116 { NULL, NULL, 0, 0, 0, NULL, NULL }
119 __attribute__((format(printf, 5, 6)))
120 static void clogger(struct crypt_device *cd, int level, const char *file,
121 int line, const char *format, ...)
126 va_start(argp, format);
128 if (vasprintf(&target, format, argp) > 0) {
130 crypt_log(cd, level, target);
132 } else if (opt_debug)
133 printf("# %s:%d %s\n", file ?: "?", line, target);
135 } else if (opt_debug)
136 printf("# %s\n", target);
144 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
150 if(isatty(0) && !opt_batch_mode) {
151 log_std("\nWARNING!\n========\n");
152 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
153 if(getline(&answer, &size, stdin) == -1) {
158 if(strcmp(answer, "YES\n"))
166 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
170 case CRYPT_LOG_NORMAL:
173 case CRYPT_LOG_VERBOSE:
177 case CRYPT_LOG_ERROR:
180 case CRYPT_LOG_DEBUG:
182 printf("# %s\n", msg);
185 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
190 static void show_status(int errcode)
192 char error[256], *error_;
198 log_std(_("Command successful.\n"));
202 crypt_get_error(error, sizeof(error));
205 error_ = strerror_r(-errcode, error, sizeof(error));
206 if (error_ != error) {
207 strncpy(error, error_, sizeof(error));
208 error[sizeof(error) - 1] = '\0';
212 log_err(_("Command failed with code %i"), -errcode);
214 log_err(": %s\n", error);
219 static int action_create(int arg __attribute__((unused)))
221 struct crypt_device *cd = NULL;
222 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
223 struct crypt_params_plain params = {
224 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
226 .offset = opt_offset,
228 char *password = NULL;
230 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
233 if (params.hash && !strcmp(params.hash, "plain"))
236 /* FIXME: temporary hack */
237 if (opt_key_file && strcmp(opt_key_file, "-"))
240 if (opt_keyfile_size && opt_key_file)
241 log_std(("Ignoring keyfile size option, keyfile read size "
242 "is always the same as encryption key size.\n"));
244 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
245 cipher, NULL, cipher_mode);
247 log_err("No known cipher specification pattern detected.\n");
251 if ((r = crypt_init(&cd, action_argv[1])))
254 crypt_set_timeout(cd, opt_timeout);
255 crypt_set_password_retry(cd, opt_tries);
257 r = crypt_format(cd, CRYPT_PLAIN,
266 /* With hashing, read the whole keyfile */
267 r = crypt_activate_by_keyfile(cd, action_argv[0],
268 CRYPT_ANY_SLOT, opt_key_file, params.hash ? 0 : key_size,
269 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
271 r = crypt_get_key(_("Enter passphrase: "),
272 &password, &passwordLen, opt_keyfile_size,
274 opt_batch_mode ? 0 : opt_verify_passphrase,
279 r = crypt_activate_by_passphrase(cd, action_argv[0],
280 CRYPT_ANY_SLOT, password, passwordLen,
281 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
284 /* FIXME: workaround, new api missing format parameter for size.
285 * Properly fix it after bumping library version,
286 * add start_offset and size into "PLAIN" format specifiers.
288 if (r >= 0 && opt_size)
289 r = crypt_resize(cd, action_argv[0], opt_size);
293 crypt_safe_free(password);
298 static int action_loopaesOpen(int arg __attribute__((unused)))
300 struct crypt_device *cd = NULL;
301 struct crypt_params_loopaes params = {
302 .hash = opt_hash ?: NULL,
303 .offset = opt_offset,
304 .skip = opt_skip_valid ? opt_skip : opt_offset,
306 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
310 log_err(_("Option --key-file is required.\n"));
314 if ((r = crypt_init(&cd, action_argv[0])))
317 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
318 NULL, NULL, NULL, key_size, ¶ms);
322 r = crypt_activate_by_keyfile(cd, action_argv[1],
323 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
324 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
331 static int action_remove(int arg __attribute__((unused)))
333 struct crypt_device *cd = NULL;
336 r = crypt_init_by_name(&cd, action_argv[0]);
338 r = crypt_deactivate(cd, action_argv[0]);
344 static int action_resize(int arg __attribute__((unused)))
346 struct crypt_device *cd = NULL;
349 r = crypt_init_by_name(&cd, action_argv[0]);
351 r = crypt_resize(cd, action_argv[0], opt_size);
357 static int action_status(int arg __attribute__((unused)))
359 crypt_status_info ci;
360 struct crypt_active_device cad;
361 struct crypt_device *cd = NULL;
366 ci = crypt_status(NULL, action_argv[0]);
372 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
376 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
377 ci == CRYPT_BUSY ? " and is in use" : "");
378 r = crypt_init_by_name(&cd, action_argv[0]);
379 if (r < 0 || !crypt_get_type(cd))
382 log_std(" type: %s\n", crypt_get_type(cd));
384 r = crypt_get_active_device(cd, action_argv[0], &cad);
388 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
389 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
390 device = crypt_get_device_name(cd);
391 log_std(" device: %s\n", device);
392 if (crypt_loop_device(device)) {
393 backing_file = crypt_loop_backing_file(device);
394 log_std(" loop: %s\n", backing_file);
397 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
398 log_std(" size: %" PRIu64 " sectors\n", cad.size);
400 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
401 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
402 "readonly" : "read/write");
409 static int _read_mk(const char *file, char **key, int keysize)
413 *key = crypt_safe_alloc(keysize);
417 fd = open(file, O_RDONLY);
419 log_err("Cannot read keyfile %s.\n", file);
422 if ((read(fd, *key, keysize) != keysize)) {
423 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
430 crypt_safe_free(*key);
435 static int action_luksFormat(int arg __attribute__((unused)))
437 int r = -EINVAL, keysize;
438 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
439 char *password = NULL;
441 struct crypt_device *cd = NULL;
442 struct crypt_params_luks1 params = {
443 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
444 .data_alignment = opt_align_payload,
447 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
448 log_err(_("memory allocation error in action_luksFormat"));
452 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
457 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
458 cipher, NULL, cipher_mode);
460 log_err("No known cipher specification pattern detected.\n");
464 if ((r = crypt_init(&cd, action_argv[0])))
467 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
469 crypt_set_password_verify(cd, 1);
470 crypt_set_timeout(cd, opt_timeout);
471 if (opt_iteration_time)
472 crypt_set_iterarion_time(cd, opt_iteration_time);
475 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
476 else if (opt_urandom)
477 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
479 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
480 opt_keyfile_size, opt_key_file, opt_timeout,
481 opt_batch_mode ? 0 : 1 /* always verify */, cd);
485 if (opt_master_key_file) {
486 r = _read_mk(opt_master_key_file, &key, keysize);
491 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
492 opt_uuid, key, keysize, ¶ms);
496 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
498 password, passwordLen);
501 crypt_safe_free(key);
502 crypt_safe_free(password);
507 static int action_luksOpen(int arg __attribute__((unused)))
509 struct crypt_device *cd = NULL;
513 if ((r = crypt_init(&cd, action_argv[0])))
516 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
519 crypt_set_timeout(cd, opt_timeout);
520 crypt_set_password_retry(cd, opt_tries);
522 if (opt_iteration_time)
523 crypt_set_iterarion_time(cd, opt_iteration_time);
525 flags |= CRYPT_ACTIVATE_READONLY;
528 crypt_set_password_retry(cd, 1);
529 r = crypt_activate_by_keyfile(cd, action_argv[1],
530 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
533 r = crypt_activate_by_passphrase(cd, action_argv[1],
534 CRYPT_ANY_SLOT, NULL, 0, flags);
540 static int verify_keyslot(struct crypt_device *cd, int key_slot,
541 char *msg_last, char *msg_pass,
542 const char *key_file, int keyfile_size)
544 crypt_keyslot_info ki;
545 char *password = NULL;
549 ki = crypt_keyslot_status(cd, key_slot);
550 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
553 r = crypt_get_key(msg_pass, &password, &passwordLen,
554 keyfile_size, key_file, opt_timeout,
555 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
559 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
560 /* check the last keyslot */
561 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
562 password, passwordLen, 0);
564 /* try all other keyslots */
565 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
568 ki = crypt_keyslot_status(cd, key_slot);
569 if (ki == CRYPT_SLOT_ACTIVE)
570 r = crypt_activate_by_passphrase(cd, NULL, i,
571 password, passwordLen, 0);
578 log_err(_("No key available with this passphrase.\n"));
580 crypt_safe_free(password);
584 static int action_luksKillSlot(int arg __attribute__((unused)))
586 struct crypt_device *cd = NULL;
589 if ((r = crypt_init(&cd, action_argv[0])))
592 crypt_set_confirm_callback(cd, _yesDialog, NULL);
593 crypt_set_timeout(cd, opt_timeout);
595 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
598 switch (crypt_keyslot_status(cd, opt_key_slot)) {
599 case CRYPT_SLOT_ACTIVE_LAST:
600 case CRYPT_SLOT_ACTIVE:
601 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
603 case CRYPT_SLOT_INACTIVE:
604 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
605 case CRYPT_SLOT_INVALID:
609 if (!opt_batch_mode) {
610 r = verify_keyslot(cd, opt_key_slot,
611 _("This is the last keyslot. Device will become unusable after purging this key."),
612 _("Enter any remaining LUKS passphrase: "),
613 opt_key_file, opt_keyfile_size);
618 r = crypt_keyslot_destroy(cd, opt_key_slot);
624 static int action_luksRemoveKey(int arg __attribute__((unused)))
626 struct crypt_device *cd = NULL;
627 char *password = NULL;
631 if ((r = crypt_init(&cd, action_argv[0])))
634 crypt_set_confirm_callback(cd, _yesDialog, NULL);
635 crypt_set_timeout(cd, opt_timeout);
637 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
640 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
641 &password, &passwordLen,
642 opt_keyfile_size, opt_key_file,
644 opt_batch_mode ? 0 : opt_verify_passphrase,
649 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
650 password, passwordLen, 0);
655 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
657 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
658 !_yesDialog(_("This is the last keyslot. "
659 "Device will become unusable after purging this key."),
665 r = crypt_keyslot_destroy(cd, opt_key_slot);
667 crypt_safe_free(password);
672 static int action_luksAddKey(int arg __attribute__((unused)))
674 int r = -EINVAL, keysize = 0;
676 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
677 struct crypt_device *cd = NULL;
679 if ((r = crypt_init(&cd, action_argv[0])))
682 crypt_set_confirm_callback(cd, _yesDialog, NULL);
684 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
687 keysize = crypt_get_volume_key_size(cd);
688 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
689 crypt_set_timeout(cd, opt_timeout);
690 if (opt_iteration_time)
691 crypt_set_iterarion_time(cd, opt_iteration_time);
693 if (opt_master_key_file) {
694 r = _read_mk(opt_master_key_file, &key, keysize);
697 //FIXME: process keyfile arg
698 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
699 key, keysize, NULL, 0);
700 } else if (opt_key_file || opt_new_key_file) {
701 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
702 opt_key_file, opt_keyfile_size,
703 opt_new_key_file, opt_new_keyfile_size);
705 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
710 crypt_safe_free(key);
714 static int _slots_full(struct crypt_device *cd)
718 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
719 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
724 static int action_luksChangeKey(int arg __attribute__((unused)))
726 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
727 struct crypt_device *cd = NULL;
728 char *vk = NULL, *password = NULL;
729 size_t passwordLen = 0;
731 int new_key_slot, old_key_slot, r;
733 if ((r = crypt_init(&cd, action_argv[0])))
736 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
739 if (opt_iteration_time)
740 crypt_set_iterarion_time(cd, opt_iteration_time);
742 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
743 &password, &passwordLen,
744 opt_keyfile_size, opt_key_file, opt_timeout,
745 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
749 vk_size = crypt_get_volume_key_size(cd);
750 vk = crypt_safe_alloc(vk_size);
756 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
757 password, passwordLen);
759 if (opt_key_slot != CRYPT_ANY_SLOT)
760 log_err(_("No key available with this passphrase.\n"));
764 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
765 log_dbg("Key slot %d is going to be overwritten (%s).",
766 r, opt_key_slot != CRYPT_ANY_SLOT ?
767 "explicit key slot specified" : "no free key slot");
771 log_dbg("Allocating new key slot.");
773 new_key_slot = CRYPT_ANY_SLOT;
776 crypt_safe_free(password);
779 r = crypt_get_key(_("Enter new LUKS passphrase: "),
780 &password, &passwordLen,
781 opt_new_keyfile_size, opt_new_key_file,
782 opt_timeout, opt_batch_mode ? 0 : 1, cd);
786 if (new_key_slot == old_key_slot) {
787 (void)crypt_keyslot_destroy(cd, old_key_slot);
788 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
790 password, passwordLen);
792 log_verbose(_("Key slot %d changed.\n"), r);
794 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
796 password, passwordLen);
798 log_verbose(_("Replaced with key slot %d.\n"), r);
799 r = crypt_keyslot_destroy(cd, old_key_slot);
803 log_err(_("Failed to swap new key slot.\n"));
806 crypt_safe_free(password);
811 static int action_isLuks(int arg __attribute__((unused)))
813 struct crypt_device *cd = NULL;
816 if ((r = crypt_init(&cd, action_argv[0])))
819 r = crypt_load(cd, CRYPT_LUKS1, NULL);
825 static int action_luksUUID(int arg __attribute__((unused)))
827 struct crypt_device *cd = NULL;
828 const char *existing_uuid = NULL;
831 if ((r = crypt_init(&cd, action_argv[0])))
834 crypt_set_confirm_callback(cd, _yesDialog, NULL);
836 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
840 r = crypt_set_uuid(cd, opt_uuid);
842 existing_uuid = crypt_get_uuid(cd);
843 log_std("%s\n", existing_uuid ?: "");
844 r = existing_uuid ? 0 : 1;
851 static int luksDump_with_volume_key(struct crypt_device *cd)
853 char *vk = NULL, *password = NULL;
854 size_t passwordLen = 0;
859 crypt_set_confirm_callback(cd, _yesDialog, NULL);
861 _("LUKS header dump with volume key is sensitive information\n"
862 "which allows access to encrypted partition without passphrase.\n"
863 "This dump should be always stored encrypted on safe place."),
867 vk_size = crypt_get_volume_key_size(cd);
868 vk = crypt_safe_alloc(vk_size);
872 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
873 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
877 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
878 password, passwordLen);
882 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
883 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
884 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
885 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
886 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
887 log_std("MK bits: \t%d\n", (int)vk_size * 8);
888 log_std("MK dump:\t");
890 for(i = 0; i < vk_size; i++) {
893 log_std("%02hhx ", (char)vk[i]);
898 crypt_safe_free(password);
903 static int action_luksDump(int arg __attribute__((unused)))
905 struct crypt_device *cd = NULL;
908 if ((r = crypt_init(&cd, action_argv[0])))
911 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
914 if (opt_dump_master_key)
915 r = luksDump_with_volume_key(cd);
923 static int action_luksSuspend(int arg __attribute__((unused)))
925 struct crypt_device *cd = NULL;
928 r = crypt_init_by_name(&cd, action_argv[0]);
930 r = crypt_suspend(cd, action_argv[0]);
936 static int action_luksResume(int arg __attribute__((unused)))
938 struct crypt_device *cd = NULL;
941 if ((r = crypt_init_by_name(&cd, action_argv[0])))
944 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
948 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
949 opt_key_file, opt_keyfile_size);
951 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
958 static int action_luksBackup(int arg __attribute__((unused)))
960 struct crypt_device *cd = NULL;
963 if (!opt_header_backup_file) {
964 log_err(_("Option --header-backup-file is required.\n"));
968 if ((r = crypt_init(&cd, action_argv[0])))
971 crypt_set_confirm_callback(cd, _yesDialog, NULL);
973 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
979 static int action_luksRestore(int arg __attribute__((unused)))
981 struct crypt_device *cd = NULL;
984 if (!opt_header_backup_file) {
985 log_err(_("Option --header-backup-file is required.\n"));
989 if ((r = crypt_init(&cd, action_argv[0])))
992 crypt_set_confirm_callback(cd, _yesDialog, NULL);
993 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
999 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1000 int exitcode, const char *error,
1003 poptPrintUsage(popt_context, stderr, 0);
1005 log_err("%s: %s\n", more, error);
1009 static void help(poptContext popt_context,
1010 enum poptCallbackReason reason __attribute__((unused)),
1011 struct poptOption *key,
1012 const char *arg __attribute__((unused)),
1013 void *data __attribute__((unused)))
1015 if (key->shortName == '?') {
1016 struct action_type *action;
1018 log_std("%s\n",PACKAGE_STRING);
1020 poptPrintHelp(popt_context, stdout, 0);
1023 "<action> is one of:\n"));
1025 for(action = action_types; action->type; action++)
1026 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1029 "<name> is the device to create under %s\n"
1030 "<device> is the encrypted device\n"
1031 "<key slot> is the LUKS key slot number to modify\n"
1032 "<key file> optional key file for the new key for luksAddKey action\n"),
1035 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1036 "\tMaximum keyfile size: %dkB, "
1037 "Maximum interactive passphrase length %d (characters)\n"),
1038 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1040 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1041 "\tloop-AES: %s, Key %d bits\n"
1042 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1043 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1044 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1045 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1046 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1050 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1053 static void _dbg_version_and_cmd(int argc, const char **argv)
1057 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1058 for (i = 0; i < argc; i++) {
1061 log_std("%s", argv[i]);
1066 static int run_action(struct action_type *action)
1070 log_dbg("Running command %s.", action->type);
1072 if (action->required_memlock)
1073 crypt_memory_lock(NULL, 1);
1075 r = action->handler(action->arg);
1077 if (action->required_memlock)
1078 crypt_memory_lock(NULL, 0);
1080 /* Some functions returns keyslot # */
1086 /* Translate exit code to simple codes */
1088 case 0: r = EXIT_SUCCESS; break;
1090 case -EBUSY: r = 5; break;
1092 case -ENODEV: r = 4; break;
1093 case -ENOMEM: r = 3; break;
1094 case -EPERM: r = 2; break;
1098 default: r = EXIT_FAILURE;
1103 int main(int argc, const char **argv)
1105 static char *popt_tmp;
1106 static struct poptOption popt_help_options[] = {
1107 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1108 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1109 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1112 static struct poptOption popt_options[] = {
1113 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1114 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1115 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1116 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1117 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1118 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1119 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1120 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1121 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1122 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1123 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1124 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1125 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1126 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1127 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1128 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1129 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1130 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1131 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1132 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1133 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1134 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1135 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1136 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1137 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1138 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1139 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1142 poptContext popt_context;
1143 struct action_type *action;
1146 const char *null_action_argv[] = {NULL};
1148 crypt_set_log_callback(NULL, _log, NULL);
1150 setlocale(LC_ALL, "");
1151 bindtextdomain(PACKAGE, LOCALEDIR);
1152 textdomain(PACKAGE);
1154 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1155 poptSetOtherOptionHelp(popt_context,
1156 N_("[OPTION...] <action> <action-specific>]"));
1158 while((r = poptGetNextOpt(popt_context)) > 0) {
1159 unsigned long long ull_value;
1162 ull_value = strtoull(popt_tmp, &endp, 0);
1163 if (*endp || !*popt_tmp)
1164 r = POPT_ERROR_BADNUMBER;
1168 opt_size = ull_value;
1171 opt_offset = ull_value;
1174 opt_skip = ull_value;
1184 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1185 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1186 if (opt_version_mode) {
1187 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1191 if (!(aname = poptGetArg(popt_context)))
1192 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1193 poptGetInvocationName(popt_context));
1194 for(action = action_types; action->type; action++)
1195 if (strcmp(action->type, aname) == 0)
1198 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1199 poptGetInvocationName(popt_context));
1202 action_argv = poptGetArgs(popt_context);
1203 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1205 action_argv = null_action_argv;
1207 /* Count args, somewhat unnice, change? */
1208 while(action_argv[action_argc] != NULL)
1211 if(action_argc < action->required_action_argc) {
1213 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1214 usage(popt_context, EXIT_FAILURE, buf,
1215 poptGetInvocationName(popt_context));
1218 /* FIXME: rewrite this from scratch */
1221 strcmp(aname, "luksFormat") &&
1222 strcmp(aname, "create") &&
1223 strcmp(aname, "loopaesOpen")) {
1224 usage(popt_context, EXIT_FAILURE,
1225 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1226 "To limit read from keyfile use --keyfile-size=(bytes)."),
1227 poptGetInvocationName(popt_context));
1230 if (opt_key_size % 8)
1231 usage(popt_context, EXIT_FAILURE,
1232 _("Key size must be a multiple of 8 bits"),
1233 poptGetInvocationName(popt_context));
1235 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1236 opt_key_slot = atoi(action_argv[1]);
1237 if (opt_key_slot != CRYPT_ANY_SLOT &&
1238 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1239 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1240 poptGetInvocationName(popt_context));
1242 if ((!strcmp(aname, "luksRemoveKey") ||
1243 !strcmp(aname, "luksFormat")) &&
1246 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1248 opt_key_file = action_argv[1];
1251 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1252 usage(popt_context, EXIT_FAILURE,
1253 _("Negative number for option not permitted."),
1254 poptGetInvocationName(popt_context));
1257 if (opt_random && opt_urandom)
1258 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1259 poptGetInvocationName(popt_context));
1260 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1261 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1262 poptGetInvocationName(popt_context));
1264 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1265 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1266 poptGetInvocationName(popt_context));
1268 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1269 usage(popt_context, EXIT_FAILURE,
1270 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1271 poptGetInvocationName(popt_context));
1273 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1274 usage(popt_context, EXIT_FAILURE,
1275 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1276 poptGetInvocationName(popt_context));
1280 crypt_set_debug_level(-1);
1281 _dbg_version_and_cmd(argc, argv);
1284 return run_action(action);