2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
33 #include <libcryptsetup.h>
36 #include "cryptsetup.h"
38 static int opt_verbose = 0;
39 static int opt_debug = 0;
40 static const char *opt_cipher = NULL;
41 static const char *opt_hash = NULL;
42 static int opt_verify_passphrase = 0;
43 static const char *opt_key_file = NULL;
44 static const char *opt_master_key_file = NULL;
45 static const char *opt_header_backup_file = NULL;
46 static const char *opt_uuid = NULL;
47 static const char *opt_header_device = NULL;
48 static int opt_key_size = 0;
49 static long opt_keyfile_size = 0;
50 static long opt_new_keyfile_size = 0;
51 static int opt_key_slot = CRYPT_ANY_SLOT;
52 static uint64_t opt_size = 0;
53 static uint64_t opt_offset = 0;
54 static uint64_t opt_skip = 0;
55 static int opt_skip_valid = 0;
56 static int opt_readonly = 0;
57 static int opt_iteration_time = 1000;
58 static int opt_batch_mode = 0;
59 static int opt_version_mode = 0;
60 static int opt_timeout = 0;
61 static int opt_tries = 3;
62 static int opt_align_payload = 0;
63 static int opt_random = 0;
64 static int opt_urandom = 0;
65 static int opt_dump_master_key = 0;
66 static int opt_shared = 0;
67 static int opt_allow_discards = 0;
69 static const char **action_argv;
70 static int action_argc;
72 static int action_create(int arg);
73 static int action_remove(int arg);
74 static int action_resize(int arg);
75 static int action_status(int arg);
76 static int action_luksFormat(int arg);
77 static int action_luksOpen(int arg);
78 static int action_luksAddKey(int arg);
79 static int action_luksKillSlot(int arg);
80 static int action_luksRemoveKey(int arg);
81 static int action_luksChangeKey(int arg);
82 static int action_isLuks(int arg);
83 static int action_luksUUID(int arg);
84 static int action_luksDump(int arg);
85 static int action_luksSuspend(int arg);
86 static int action_luksResume(int arg);
87 static int action_luksBackup(int arg);
88 static int action_luksRestore(int arg);
89 static int action_loopaesOpen(int arg);
91 static struct action_type {
95 int required_action_argc;
100 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
101 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
102 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
103 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
104 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
105 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
106 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
107 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
108 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
109 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
110 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
111 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
112 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
113 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
114 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
115 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
116 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
117 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
118 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
119 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
120 { NULL, NULL, 0, 0, 0, NULL, NULL }
123 __attribute__((format(printf, 5, 6)))
124 static void clogger(struct crypt_device *cd, int level, const char *file,
125 int line, const char *format, ...)
130 va_start(argp, format);
132 if (vasprintf(&target, format, argp) > 0) {
134 crypt_log(cd, level, target);
136 } else if (opt_debug)
137 printf("# %s:%d %s\n", file ?: "?", line, target);
139 } else if (opt_debug)
140 printf("# %s\n", target);
148 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
154 if(isatty(0) && !opt_batch_mode) {
155 log_std("\nWARNING!\n========\n");
156 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
157 if(getline(&answer, &size, stdin) == -1) {
162 if(strcmp(answer, "YES\n"))
170 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
174 case CRYPT_LOG_NORMAL:
177 case CRYPT_LOG_VERBOSE:
181 case CRYPT_LOG_ERROR:
184 case CRYPT_LOG_DEBUG:
186 printf("# %s\n", msg);
189 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
194 static void show_status(int errcode)
196 char error[256], *error_;
202 log_std(_("Command successful.\n"));
206 crypt_get_error(error, sizeof(error));
209 error_ = strerror_r(-errcode, error, sizeof(error));
210 if (error_ != error) {
211 strncpy(error, error_, sizeof(error));
212 error[sizeof(error) - 1] = '\0';
216 log_err(_("Command failed with code %i"), -errcode);
218 log_err(": %s\n", error);
223 static int action_create(int arg __attribute__((unused)))
225 struct crypt_device *cd = NULL;
226 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
227 struct crypt_params_plain params = {
228 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
230 .offset = opt_offset,
233 char *password = NULL;
235 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
236 uint32_t activate_flags = 0;
239 if (params.hash && !strcmp(params.hash, "plain"))
242 /* FIXME: temporary hack */
243 if (opt_key_file && strcmp(opt_key_file, "-"))
246 if (opt_keyfile_size && opt_key_file)
247 log_std(("Ignoring keyfile size option, keyfile read size "
248 "is always the same as encryption key size.\n"));
250 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
251 cipher, NULL, cipher_mode);
253 log_err("No known cipher specification pattern detected.\n");
257 if ((r = crypt_init(&cd, action_argv[1])))
260 crypt_set_timeout(cd, opt_timeout);
261 crypt_set_password_retry(cd, opt_tries);
263 r = crypt_format(cd, CRYPT_PLAIN,
272 activate_flags |= CRYPT_ACTIVATE_READONLY;
275 activate_flags |= CRYPT_ACTIVATE_SHARED;
277 if (opt_allow_discards)
278 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
281 /* With hashing, read the whole keyfile */
282 r = crypt_activate_by_keyfile(cd, action_argv[0],
283 CRYPT_ANY_SLOT, opt_key_file, params.hash ? 0 : key_size,
286 r = crypt_get_key(_("Enter passphrase: "),
287 &password, &passwordLen, opt_keyfile_size,
289 opt_batch_mode ? 0 : opt_verify_passphrase,
294 r = crypt_activate_by_passphrase(cd, action_argv[0],
295 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
299 crypt_safe_free(password);
304 static int action_loopaesOpen(int arg __attribute__((unused)))
306 struct crypt_device *cd = NULL;
307 struct crypt_params_loopaes params = {
308 .hash = opt_hash ?: NULL,
309 .offset = opt_offset,
310 .skip = opt_skip_valid ? opt_skip : opt_offset,
312 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
313 uint32_t activate_flags = 0;
317 log_err(_("Option --key-file is required.\n"));
322 activate_flags |= CRYPT_ACTIVATE_READONLY;
324 if (opt_allow_discards)
325 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
327 if ((r = crypt_init(&cd, action_argv[0])))
330 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
331 NULL, NULL, NULL, key_size, ¶ms);
335 r = crypt_activate_by_keyfile(cd, action_argv[1], CRYPT_ANY_SLOT,
336 opt_key_file, opt_keyfile_size, activate_flags);
343 static int action_remove(int arg __attribute__((unused)))
345 struct crypt_device *cd = NULL;
348 r = crypt_init_by_name(&cd, action_argv[0]);
350 r = crypt_deactivate(cd, action_argv[0]);
356 static int action_resize(int arg __attribute__((unused)))
358 struct crypt_device *cd = NULL;
361 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
363 r = crypt_resize(cd, action_argv[0], opt_size);
369 static int action_status(int arg __attribute__((unused)))
371 crypt_status_info ci;
372 struct crypt_active_device cad;
373 struct crypt_device *cd = NULL;
378 ci = crypt_status(NULL, action_argv[0]);
384 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
389 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
390 ci == CRYPT_BUSY ? " and is in use" : "");
391 r = crypt_init_by_name(&cd, action_argv[0]);
392 if (r < 0 || !crypt_get_type(cd))
395 log_std(" type: %s\n", crypt_get_type(cd));
397 r = crypt_get_active_device(cd, action_argv[0], &cad);
401 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
402 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
403 device = crypt_get_device_name(cd);
404 log_std(" device: %s\n", device);
405 if (crypt_loop_device(device)) {
406 backing_file = crypt_loop_backing_file(device);
407 log_std(" loop: %s\n", backing_file);
410 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
411 log_std(" size: %" PRIu64 " sectors\n", cad.size);
413 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
414 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
415 "readonly" : "read/write");
416 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
417 log_std(" flags: discards\n");
424 static int _read_mk(const char *file, char **key, int keysize)
428 *key = crypt_safe_alloc(keysize);
432 fd = open(file, O_RDONLY);
434 log_err("Cannot read keyfile %s.\n", file);
437 if ((read(fd, *key, keysize) != keysize)) {
438 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
445 crypt_safe_free(*key);
450 static int action_luksFormat(int arg __attribute__((unused)))
452 int r = -EINVAL, keysize;
453 const char *header_device;
454 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
455 char *password = NULL;
457 struct crypt_device *cd = NULL;
458 struct crypt_params_luks1 params = {
459 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
460 .data_alignment = opt_align_payload,
461 .data_device = opt_header_device ? action_argv[0] : NULL,
464 header_device = opt_header_device ?: action_argv[0];
466 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
467 header_device) == -1) {
468 log_err(_("memory allocation error in action_luksFormat"));
472 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
477 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
478 cipher, NULL, cipher_mode);
480 log_err("No known cipher specification pattern detected.\n");
484 if ((r = crypt_init(&cd, header_device)))
487 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
489 crypt_set_password_verify(cd, 1);
490 crypt_set_timeout(cd, opt_timeout);
491 if (opt_iteration_time)
492 crypt_set_iterarion_time(cd, opt_iteration_time);
495 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
496 else if (opt_urandom)
497 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
499 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
500 opt_keyfile_size, opt_key_file, opt_timeout,
501 opt_batch_mode ? 0 : 1 /* always verify */, cd);
505 if (opt_master_key_file) {
506 r = _read_mk(opt_master_key_file, &key, keysize);
511 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
512 opt_uuid, key, keysize, ¶ms);
516 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
518 password, passwordLen);
521 crypt_safe_free(key);
522 crypt_safe_free(password);
527 static int action_luksOpen(int arg __attribute__((unused)))
529 struct crypt_device *cd = NULL;
530 const char *data_device, *header_device;
534 if (opt_header_device) {
535 header_device = opt_header_device;
536 data_device = action_argv[0];
538 header_device = action_argv[0];
542 if ((r = crypt_init(&cd, header_device)))
545 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
549 (r = crypt_set_data_device(cd, data_device)))
552 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
553 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
558 crypt_set_timeout(cd, opt_timeout);
559 crypt_set_password_retry(cd, opt_tries);
561 if (opt_iteration_time)
562 crypt_set_iterarion_time(cd, opt_iteration_time);
565 flags |= CRYPT_ACTIVATE_READONLY;
567 if (opt_allow_discards)
568 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
571 crypt_set_password_retry(cd, 1);
572 r = crypt_activate_by_keyfile(cd, action_argv[1],
573 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
576 r = crypt_activate_by_passphrase(cd, action_argv[1],
577 CRYPT_ANY_SLOT, NULL, 0, flags);
583 static int verify_keyslot(struct crypt_device *cd, int key_slot,
584 char *msg_last, char *msg_pass,
585 const char *key_file, int keyfile_size)
587 crypt_keyslot_info ki;
588 char *password = NULL;
592 ki = crypt_keyslot_status(cd, key_slot);
593 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
596 r = crypt_get_key(msg_pass, &password, &passwordLen,
597 keyfile_size, key_file, opt_timeout,
598 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
602 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
603 /* check the last keyslot */
604 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
605 password, passwordLen, 0);
607 /* try all other keyslots */
608 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
611 ki = crypt_keyslot_status(cd, key_slot);
612 if (ki == CRYPT_SLOT_ACTIVE)
613 r = crypt_activate_by_passphrase(cd, NULL, i,
614 password, passwordLen, 0);
621 log_err(_("No key available with this passphrase.\n"));
623 crypt_safe_free(password);
627 static int action_luksKillSlot(int arg __attribute__((unused)))
629 struct crypt_device *cd = NULL;
632 if ((r = crypt_init(&cd, action_argv[0])))
635 crypt_set_confirm_callback(cd, _yesDialog, NULL);
636 crypt_set_timeout(cd, opt_timeout);
638 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
641 switch (crypt_keyslot_status(cd, opt_key_slot)) {
642 case CRYPT_SLOT_ACTIVE_LAST:
643 case CRYPT_SLOT_ACTIVE:
644 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
646 case CRYPT_SLOT_INACTIVE:
647 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
648 case CRYPT_SLOT_INVALID:
652 if (!opt_batch_mode) {
653 r = verify_keyslot(cd, opt_key_slot,
654 _("This is the last keyslot. Device will become unusable after purging this key."),
655 _("Enter any remaining LUKS passphrase: "),
656 opt_key_file, opt_keyfile_size);
661 r = crypt_keyslot_destroy(cd, opt_key_slot);
667 static int action_luksRemoveKey(int arg __attribute__((unused)))
669 struct crypt_device *cd = NULL;
670 char *password = NULL;
674 if ((r = crypt_init(&cd, action_argv[0])))
677 crypt_set_confirm_callback(cd, _yesDialog, NULL);
678 crypt_set_timeout(cd, opt_timeout);
680 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
683 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
684 &password, &passwordLen,
685 opt_keyfile_size, opt_key_file,
687 opt_batch_mode ? 0 : opt_verify_passphrase,
692 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
693 password, passwordLen, 0);
698 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
700 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
701 !_yesDialog(_("This is the last keyslot. "
702 "Device will become unusable after purging this key."),
708 r = crypt_keyslot_destroy(cd, opt_key_slot);
710 crypt_safe_free(password);
715 static int action_luksAddKey(int arg __attribute__((unused)))
717 int r = -EINVAL, keysize = 0;
719 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
720 struct crypt_device *cd = NULL;
722 if ((r = crypt_init(&cd, action_argv[0])))
725 crypt_set_confirm_callback(cd, _yesDialog, NULL);
727 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
730 keysize = crypt_get_volume_key_size(cd);
731 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
732 crypt_set_timeout(cd, opt_timeout);
733 if (opt_iteration_time)
734 crypt_set_iterarion_time(cd, opt_iteration_time);
736 if (opt_master_key_file) {
737 r = _read_mk(opt_master_key_file, &key, keysize);
740 //FIXME: process keyfile arg
741 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
742 key, keysize, NULL, 0);
743 } else if (opt_key_file || opt_new_key_file) {
744 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
745 opt_key_file, opt_keyfile_size,
746 opt_new_key_file, opt_new_keyfile_size);
748 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
753 crypt_safe_free(key);
757 static int _slots_full(struct crypt_device *cd)
761 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
762 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
767 static int action_luksChangeKey(int arg __attribute__((unused)))
769 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
770 struct crypt_device *cd = NULL;
771 char *vk = NULL, *password = NULL;
772 size_t passwordLen = 0;
774 int new_key_slot, old_key_slot, r;
776 if ((r = crypt_init(&cd, action_argv[0])))
779 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
782 if (opt_iteration_time)
783 crypt_set_iterarion_time(cd, opt_iteration_time);
785 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
786 &password, &passwordLen,
787 opt_keyfile_size, opt_key_file, opt_timeout,
788 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
792 vk_size = crypt_get_volume_key_size(cd);
793 vk = crypt_safe_alloc(vk_size);
799 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
800 password, passwordLen);
802 if (opt_key_slot != CRYPT_ANY_SLOT)
803 log_err(_("No key available with this passphrase.\n"));
807 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
808 log_dbg("Key slot %d is going to be overwritten (%s).",
809 r, opt_key_slot != CRYPT_ANY_SLOT ?
810 "explicit key slot specified" : "no free key slot");
814 log_dbg("Allocating new key slot.");
816 new_key_slot = CRYPT_ANY_SLOT;
819 crypt_safe_free(password);
822 r = crypt_get_key(_("Enter new LUKS passphrase: "),
823 &password, &passwordLen,
824 opt_new_keyfile_size, opt_new_key_file,
825 opt_timeout, opt_batch_mode ? 0 : 1, cd);
829 if (new_key_slot == old_key_slot) {
830 (void)crypt_keyslot_destroy(cd, old_key_slot);
831 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
833 password, passwordLen);
835 log_verbose(_("Key slot %d changed.\n"), r);
837 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
839 password, passwordLen);
841 log_verbose(_("Replaced with key slot %d.\n"), r);
842 r = crypt_keyslot_destroy(cd, old_key_slot);
846 log_err(_("Failed to swap new key slot.\n"));
849 crypt_safe_free(password);
854 static int action_isLuks(int arg __attribute__((unused)))
856 struct crypt_device *cd = NULL;
859 if ((r = crypt_init(&cd, action_argv[0])))
862 r = crypt_load(cd, CRYPT_LUKS1, NULL);
868 static int action_luksUUID(int arg __attribute__((unused)))
870 struct crypt_device *cd = NULL;
871 const char *existing_uuid = NULL;
874 if ((r = crypt_init(&cd, action_argv[0])))
877 crypt_set_confirm_callback(cd, _yesDialog, NULL);
879 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
883 r = crypt_set_uuid(cd, opt_uuid);
885 existing_uuid = crypt_get_uuid(cd);
886 log_std("%s\n", existing_uuid ?: "");
887 r = existing_uuid ? 0 : 1;
894 static int luksDump_with_volume_key(struct crypt_device *cd)
896 char *vk = NULL, *password = NULL;
897 size_t passwordLen = 0;
902 crypt_set_confirm_callback(cd, _yesDialog, NULL);
904 _("LUKS header dump with volume key is sensitive information\n"
905 "which allows access to encrypted partition without passphrase.\n"
906 "This dump should be always stored encrypted on safe place."),
910 vk_size = crypt_get_volume_key_size(cd);
911 vk = crypt_safe_alloc(vk_size);
915 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
916 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
920 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
921 password, passwordLen);
925 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
926 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
927 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
928 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
929 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
930 log_std("MK bits: \t%d\n", (int)vk_size * 8);
931 log_std("MK dump:\t");
933 for(i = 0; i < vk_size; i++) {
936 log_std("%02hhx ", (char)vk[i]);
941 crypt_safe_free(password);
946 static int action_luksDump(int arg __attribute__((unused)))
948 struct crypt_device *cd = NULL;
951 if ((r = crypt_init(&cd, action_argv[0])))
954 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
957 if (opt_dump_master_key)
958 r = luksDump_with_volume_key(cd);
966 static int action_luksSuspend(int arg __attribute__((unused)))
968 struct crypt_device *cd = NULL;
971 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
973 r = crypt_suspend(cd, action_argv[0]);
979 static int action_luksResume(int arg __attribute__((unused)))
981 struct crypt_device *cd = NULL;
984 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
987 crypt_set_timeout(cd, opt_timeout);
988 crypt_set_password_retry(cd, opt_tries);
991 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
992 opt_key_file, opt_keyfile_size);
994 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1001 static int action_luksBackup(int arg __attribute__((unused)))
1003 struct crypt_device *cd = NULL;
1006 if (!opt_header_backup_file) {
1007 log_err(_("Option --header-backup-file is required.\n"));
1011 if ((r = crypt_init(&cd, action_argv[0])))
1014 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1016 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1022 static int action_luksRestore(int arg __attribute__((unused)))
1024 struct crypt_device *cd = NULL;
1027 if (!opt_header_backup_file) {
1028 log_err(_("Option --header-backup-file is required.\n"));
1032 if ((r = crypt_init(&cd, action_argv[0])))
1035 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1036 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1042 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1043 int exitcode, const char *error,
1046 poptPrintUsage(popt_context, stderr, 0);
1048 log_err("%s: %s\n", more, error);
1052 static void help(poptContext popt_context,
1053 enum poptCallbackReason reason __attribute__((unused)),
1054 struct poptOption *key,
1055 const char *arg __attribute__((unused)),
1056 void *data __attribute__((unused)))
1058 if (key->shortName == '?') {
1059 struct action_type *action;
1061 log_std("%s\n",PACKAGE_STRING);
1063 poptPrintHelp(popt_context, stdout, 0);
1066 "<action> is one of:\n"));
1068 for(action = action_types; action->type; action++)
1069 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1072 "<name> is the device to create under %s\n"
1073 "<device> is the encrypted device\n"
1074 "<key slot> is the LUKS key slot number to modify\n"
1075 "<key file> optional key file for the new key for luksAddKey action\n"),
1078 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1079 "\tMaximum keyfile size: %dkB, "
1080 "Maximum interactive passphrase length %d (characters)\n"),
1081 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1083 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1084 "\tloop-AES: %s, Key %d bits\n"
1085 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1086 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1087 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1088 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1089 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1093 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1096 static void _dbg_version_and_cmd(int argc, const char **argv)
1100 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1101 for (i = 0; i < argc; i++) {
1104 log_std("%s", argv[i]);
1109 static int run_action(struct action_type *action)
1113 log_dbg("Running command %s.", action->type);
1115 if (action->required_memlock)
1116 crypt_memory_lock(NULL, 1);
1118 r = action->handler(action->arg);
1120 if (action->required_memlock)
1121 crypt_memory_lock(NULL, 0);
1123 /* Some functions returns keyslot # */
1129 /* Translate exit code to simple codes */
1131 case 0: r = EXIT_SUCCESS; break;
1133 case -EBUSY: r = 5; break;
1135 case -ENODEV: r = 4; break;
1136 case -ENOMEM: r = 3; break;
1137 case -EPERM: r = 2; break;
1141 default: r = EXIT_FAILURE;
1146 int main(int argc, const char **argv)
1148 static char *popt_tmp;
1149 static struct poptOption popt_help_options[] = {
1150 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1151 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1152 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1155 static struct poptOption popt_options[] = {
1156 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1157 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1158 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1159 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1160 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1161 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1162 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1163 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1164 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1165 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1166 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1167 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1168 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1169 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1170 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1171 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1172 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1173 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1174 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1175 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1176 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1177 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1178 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1179 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1180 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1181 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1182 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1183 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1184 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1185 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1188 poptContext popt_context;
1189 struct action_type *action;
1192 const char *null_action_argv[] = {NULL};
1194 crypt_set_log_callback(NULL, _log, NULL);
1196 setlocale(LC_ALL, "");
1197 bindtextdomain(PACKAGE, LOCALEDIR);
1198 textdomain(PACKAGE);
1200 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1201 poptSetOtherOptionHelp(popt_context,
1202 N_("[OPTION...] <action> <action-specific>]"));
1204 while((r = poptGetNextOpt(popt_context)) > 0) {
1205 unsigned long long ull_value;
1209 ull_value = strtoull(popt_tmp, &endp, 0);
1210 if (*endp || !*popt_tmp ||
1211 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1212 (errno != 0 && ull_value == 0))
1213 r = POPT_ERROR_BADNUMBER;
1217 opt_size = ull_value;
1220 opt_offset = ull_value;
1223 opt_skip = ull_value;
1233 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1234 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1235 if (opt_version_mode) {
1236 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1240 if (!(aname = poptGetArg(popt_context)))
1241 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1242 poptGetInvocationName(popt_context));
1243 for(action = action_types; action->type; action++)
1244 if (strcmp(action->type, aname) == 0)
1247 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1248 poptGetInvocationName(popt_context));
1251 action_argv = poptGetArgs(popt_context);
1252 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1254 action_argv = null_action_argv;
1256 /* Count args, somewhat unnice, change? */
1257 while(action_argv[action_argc] != NULL)
1260 if(action_argc < action->required_action_argc) {
1262 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1263 usage(popt_context, EXIT_FAILURE, buf,
1264 poptGetInvocationName(popt_context));
1267 /* FIXME: rewrite this from scratch */
1269 if (opt_shared && strcmp(aname, "create")) {
1270 usage(popt_context, EXIT_FAILURE,
1271 _("Option --shared is allowed only for create operation.\n"),
1272 poptGetInvocationName(popt_context));
1275 if (opt_allow_discards &&
1276 strcmp(aname, "luksOpen") &&
1277 strcmp(aname, "create") &&
1278 strcmp(aname, "loopaesOpen")) {
1279 usage(popt_context, EXIT_FAILURE,
1280 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1281 poptGetInvocationName(popt_context));
1285 strcmp(aname, "luksFormat") &&
1286 strcmp(aname, "create") &&
1287 strcmp(aname, "loopaesOpen")) {
1288 usage(popt_context, EXIT_FAILURE,
1289 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1290 "To limit read from keyfile use --keyfile-size=(bytes)."),
1291 poptGetInvocationName(popt_context));
1294 if (opt_key_size % 8)
1295 usage(popt_context, EXIT_FAILURE,
1296 _("Key size must be a multiple of 8 bits"),
1297 poptGetInvocationName(popt_context));
1299 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1300 opt_key_slot = atoi(action_argv[1]);
1301 if (opt_key_slot != CRYPT_ANY_SLOT &&
1302 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1303 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1304 poptGetInvocationName(popt_context));
1306 if ((!strcmp(aname, "luksRemoveKey") ||
1307 !strcmp(aname, "luksFormat")) &&
1310 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1312 opt_key_file = action_argv[1];
1315 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1316 usage(popt_context, EXIT_FAILURE,
1317 _("Negative number for option not permitted."),
1318 poptGetInvocationName(popt_context));
1321 if (opt_random && opt_urandom)
1322 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1323 poptGetInvocationName(popt_context));
1324 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1325 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1326 poptGetInvocationName(popt_context));
1328 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1329 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1330 poptGetInvocationName(popt_context));
1332 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1333 usage(popt_context, EXIT_FAILURE,
1334 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1335 poptGetInvocationName(popt_context));
1337 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1338 usage(popt_context, EXIT_FAILURE,
1339 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1340 poptGetInvocationName(popt_context));
1344 crypt_set_debug_level(-1);
1345 _dbg_version_and_cmd(argc, argv);
1348 return run_action(action);