2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
37 #include "cryptsetup.h"
39 static int opt_verbose = 0;
40 static int opt_debug = 0;
41 static const char *opt_cipher = NULL;
42 static const char *opt_hash = NULL;
43 static int opt_verify_passphrase = 0;
44 static const char *opt_key_file = NULL;
45 static const char *opt_master_key_file = NULL;
46 static const char *opt_header_backup_file = NULL;
47 static const char *opt_uuid = NULL;
48 static const char *opt_header_device = NULL;
49 static int opt_key_size = 0;
50 static long opt_keyfile_size = 0;
51 static long opt_new_keyfile_size = 0;
52 static long opt_keyfile_offset = 0;
53 static long opt_new_keyfile_offset = 0;
54 static int opt_key_slot = CRYPT_ANY_SLOT;
55 static uint64_t opt_size = 0;
56 static uint64_t opt_offset = 0;
57 static uint64_t opt_skip = 0;
58 static int opt_skip_valid = 0;
59 static int opt_readonly = 0;
60 static int opt_iteration_time = 1000;
61 static int opt_batch_mode = 0;
62 static int opt_version_mode = 0;
63 static int opt_timeout = 0;
64 static int opt_tries = 3;
65 static int opt_align_payload = 0;
66 static int opt_random = 0;
67 static int opt_urandom = 0;
68 static int opt_dump_master_key = 0;
69 static int opt_shared = 0;
70 static int opt_allow_discards = 0;
71 static int opt_without_activation = 0;
73 static const char **action_argv;
74 static int action_argc;
76 static int action_create(int arg);
77 static int action_remove(int arg);
78 static int action_resize(int arg);
79 static int action_status(int arg);
80 static int action_luksFormat(int arg);
81 static int action_luksOpen(int arg);
82 static int action_luksAddKey(int arg);
83 static int action_luksKillSlot(int arg);
84 static int action_luksRemoveKey(int arg);
85 static int action_luksChangeKey(int arg);
86 static int action_isLuks(int arg);
87 static int action_luksUUID(int arg);
88 static int action_luksDump(int arg);
89 static int action_luksSuspend(int arg);
90 static int action_luksResume(int arg);
91 static int action_luksBackup(int arg);
92 static int action_luksRestore(int arg);
93 static int action_loopaesOpen(int arg);
94 static int action_luksRepair(int arg);
96 static struct action_type {
100 int required_action_argc;
101 int required_memlock;
102 const char *arg_desc;
105 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
106 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
107 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
108 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
109 { "repair", action_luksRepair, 0, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
110 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
111 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
112 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
113 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
114 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
115 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
116 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
117 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
118 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
119 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
120 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
121 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
122 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
123 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
124 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
125 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
126 { NULL, NULL, 0, 0, 0, NULL, NULL }
129 __attribute__((format(printf, 5, 6)))
130 static void clogger(struct crypt_device *cd, int level, const char *file,
131 int line, const char *format, ...)
136 va_start(argp, format);
138 if (vasprintf(&target, format, argp) > 0) {
140 crypt_log(cd, level, target);
142 } else if (opt_debug)
143 printf("# %s:%d %s\n", file ?: "?", line, target);
145 } else if (opt_debug)
146 printf("# %s\n", target);
154 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
160 if(isatty(STDIN_FILENO) && !opt_batch_mode) {
161 log_std("\nWARNING!\n========\n");
162 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
163 if(getline(&answer, &size, stdin) == -1) {
168 if(strcmp(answer, "YES\n"))
176 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
180 case CRYPT_LOG_NORMAL:
183 case CRYPT_LOG_VERBOSE:
187 case CRYPT_LOG_ERROR:
190 case CRYPT_LOG_DEBUG:
192 printf("# %s\n", msg);
195 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
200 static void _quiet_log(int level, const char *msg, void *usrptr)
202 if (!opt_verbose && (level == CRYPT_LOG_ERROR || level == CRYPT_LOG_NORMAL))
203 level = CRYPT_LOG_VERBOSE;
204 _log(level, msg, usrptr);
207 static int _verify_passphrase(int def)
209 /* Batch mode switch off verify - if not overrided by -y */
210 if (opt_verify_passphrase)
212 else if (opt_batch_mode)
215 /* Non-tty input doesn't allow verify */
216 if (def && !isatty(STDIN_FILENO)) {
217 if (opt_verify_passphrase)
218 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
225 static void show_status(int errcode)
227 char error[256], *error_;
233 log_std(_("Command successful.\n"));
237 crypt_get_error(error, sizeof(error));
240 error_ = strerror_r(-errcode, error, sizeof(error));
241 if (error_ != error) {
242 strncpy(error, error_, sizeof(error));
243 error[sizeof(error) - 1] = '\0';
247 log_err(_("Command failed with code %i"), -errcode);
249 log_err(": %s\n", error);
254 static const char *uuid_or_device(const char *spec)
256 static char device[PATH_MAX];
258 int i = 0, uuid_len = 5;
260 /* Check if it is correct UUID=<LUKS_UUID> format */
261 if (spec && !strncmp(spec, "UUID=", uuid_len)) {
262 strcpy(device, "/dev/disk/by-uuid/");
263 ptr = &device[strlen(device)];
265 while ((s = spec[i++]) && i < PATH_MAX) {
266 if (!isxdigit(s) && s != '-')
267 return spec; /* Bail it out */
279 static int action_create(int arg __attribute__((unused)))
281 struct crypt_device *cd = NULL;
282 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
283 struct crypt_params_plain params = {
284 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
286 .offset = opt_offset,
289 char *password = NULL;
291 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
292 uint32_t activate_flags = 0;
295 if (params.hash && !strcmp(params.hash, "plain"))
298 /* FIXME: temporary hack */
299 if (opt_key_file && strcmp(opt_key_file, "-"))
302 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
303 log_std(("Ignoring keyfile offset and size options, keyfile read "
304 "size is always the same as encryption key size.\n"));
306 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
307 cipher, NULL, cipher_mode);
309 log_err("No known cipher specification pattern detected.\n");
313 if ((r = crypt_init(&cd, action_argv[1])))
316 crypt_set_timeout(cd, opt_timeout);
317 crypt_set_password_retry(cd, opt_tries);
319 r = crypt_format(cd, CRYPT_PLAIN,
328 activate_flags |= CRYPT_ACTIVATE_READONLY;
331 activate_flags |= CRYPT_ACTIVATE_SHARED;
333 if (opt_allow_discards)
334 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
337 /* With hashing, read the whole keyfile */
338 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
339 CRYPT_ANY_SLOT, opt_key_file,
340 params.hash ? 0 : key_size, 0,
343 r = crypt_get_key(_("Enter passphrase: "),
344 &password, &passwordLen,
345 opt_keyfile_offset, opt_keyfile_size,
347 _verify_passphrase(0),
352 r = crypt_activate_by_passphrase(cd, action_argv[0],
353 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
357 crypt_safe_free(password);
362 static int action_loopaesOpen(int arg __attribute__((unused)))
364 struct crypt_device *cd = NULL;
365 struct crypt_params_loopaes params = {
366 .hash = opt_hash ?: NULL,
367 .offset = opt_offset,
368 .skip = opt_skip_valid ? opt_skip : opt_offset,
370 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
371 uint32_t activate_flags = 0;
375 log_err(_("Option --key-file is required.\n"));
380 activate_flags |= CRYPT_ACTIVATE_READONLY;
382 if (opt_allow_discards)
383 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
385 if ((r = crypt_init(&cd, action_argv[0])))
388 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
389 NULL, NULL, NULL, key_size, ¶ms);
393 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
394 opt_key_file, opt_keyfile_size,
395 opt_keyfile_size, activate_flags);
402 static int action_remove(int arg __attribute__((unused)))
404 struct crypt_device *cd = NULL;
407 r = crypt_init_by_name(&cd, action_argv[0]);
409 r = crypt_deactivate(cd, action_argv[0]);
415 static int action_resize(int arg __attribute__((unused)))
417 struct crypt_device *cd = NULL;
420 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
422 r = crypt_resize(cd, action_argv[0], opt_size);
428 static int action_status(int arg __attribute__((unused)))
430 crypt_status_info ci;
431 struct crypt_active_device cad;
432 struct crypt_device *cd = NULL;
438 /* perhaps a path, not a dm device name */
439 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
442 ci = crypt_status(NULL, action_argv[0]);
449 log_std("%s is inactive.\n", action_argv[0]);
451 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
457 log_std("%s is active%s.\n", action_argv[0],
458 ci == CRYPT_BUSY ? " and is in use" : "");
460 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
461 ci == CRYPT_BUSY ? " and is in use" : "");
463 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
464 if (r < 0 || !crypt_get_type(cd))
467 log_std(" type: %s\n", crypt_get_type(cd));
469 r = crypt_get_active_device(cd, action_argv[0], &cad);
473 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
474 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
475 device = crypt_get_device_name(cd);
476 log_std(" device: %s\n", device);
477 if (crypt_loop_device(device)) {
478 backing_file = crypt_loop_backing_file(device);
479 log_std(" loop: %s\n", backing_file);
482 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
483 log_std(" size: %" PRIu64 " sectors\n", cad.size);
485 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
486 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
487 "readonly" : "read/write");
488 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
489 log_std(" flags: discards\n");
498 static int _read_mk(const char *file, char **key, int keysize)
502 *key = crypt_safe_alloc(keysize);
506 fd = open(file, O_RDONLY);
508 log_err("Cannot read keyfile %s.\n", file);
511 if ((read(fd, *key, keysize) != keysize)) {
512 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
519 crypt_safe_free(*key);
524 static int action_luksRepair(int arg __attribute__((unused)))
526 struct crypt_device *cd = NULL;
529 if ((r = crypt_init(&cd, action_argv[0])))
532 /* Currently only LUKS1 allows repair */
533 crypt_set_log_callback(cd, _quiet_log, NULL);
534 r = crypt_load(cd, CRYPT_LUKS1, NULL);
535 crypt_set_log_callback(cd, _log, NULL);
537 log_verbose( _("No known problems detected for LUKS header.\n"));
541 r = _yesDialog(_("Really try to repair LUKS device header?"),
544 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
550 static int action_luksFormat(int arg __attribute__((unused)))
552 int r = -EINVAL, keysize;
553 const char *header_device;
554 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
555 char *password = NULL;
557 struct crypt_device *cd = NULL;
558 struct crypt_params_luks1 params = {
559 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
560 .data_alignment = opt_align_payload,
561 .data_device = opt_header_device ? action_argv[0] : NULL,
564 header_device = opt_header_device ?: action_argv[0];
566 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
567 header_device) == -1) {
568 log_err(_("memory allocation error in action_luksFormat"));
572 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
577 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
578 cipher, NULL, cipher_mode);
580 log_err(_("No known cipher specification pattern detected.\n"));
584 if ((r = crypt_init(&cd, header_device))) {
585 if (opt_header_device)
586 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
590 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
592 crypt_set_timeout(cd, opt_timeout);
593 if (opt_iteration_time)
594 crypt_set_iteration_time(cd, opt_iteration_time);
597 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
598 else if (opt_urandom)
599 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
601 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
602 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
603 opt_timeout, _verify_passphrase(1), cd);
607 if (opt_master_key_file) {
608 r = _read_mk(opt_master_key_file, &key, keysize);
613 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
614 opt_uuid, key, keysize, ¶ms);
618 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
620 password, passwordLen);
623 crypt_safe_free(key);
624 crypt_safe_free(password);
629 static int action_luksOpen(int arg __attribute__((unused)))
631 struct crypt_device *cd = NULL;
632 const char *data_device, *header_device, *activated_name;
637 if (opt_header_device) {
638 header_device = uuid_or_device(opt_header_device);
639 data_device = action_argv[0];
641 header_device = uuid_or_device(action_argv[0]);
645 activated_name = opt_without_activation ? NULL : action_argv[1];
647 if ((r = crypt_init(&cd, header_device)))
650 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
654 (r = crypt_set_data_device(cd, data_device)))
657 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
658 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
663 crypt_set_timeout(cd, opt_timeout);
664 crypt_set_password_retry(cd, opt_tries);
665 crypt_set_password_verify(cd, _verify_passphrase(0));
667 if (opt_iteration_time)
668 crypt_set_iteration_time(cd, opt_iteration_time);
671 flags |= CRYPT_ACTIVATE_READONLY;
673 if (opt_allow_discards)
674 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
676 if (opt_master_key_file) {
677 keysize = crypt_get_volume_key_size(cd);
678 r = _read_mk(opt_master_key_file, &key, keysize);
681 r = crypt_activate_by_volume_key(cd, activated_name,
682 key, keysize, flags);
683 } else if (opt_key_file) {
684 crypt_set_password_retry(cd, 1);
685 r = crypt_activate_by_keyfile_offset(cd, activated_name,
686 opt_key_slot, opt_key_file, opt_keyfile_size,
687 opt_keyfile_offset, flags);
689 r = crypt_activate_by_passphrase(cd, activated_name,
690 opt_key_slot, NULL, 0, flags);
692 crypt_safe_free(key);
697 static int verify_keyslot(struct crypt_device *cd, int key_slot,
698 char *msg_last, char *msg_pass,
699 const char *key_file, int keyfile_offset,
702 crypt_keyslot_info ki;
703 char *password = NULL;
707 ki = crypt_keyslot_status(cd, key_slot);
708 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
711 r = crypt_get_key(msg_pass, &password, &passwordLen,
712 keyfile_offset, keyfile_size, key_file, opt_timeout,
713 _verify_passphrase(0), cd);
717 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
718 /* check the last keyslot */
719 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
720 password, passwordLen, 0);
722 /* try all other keyslots */
723 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
726 ki = crypt_keyslot_status(cd, key_slot);
727 if (ki == CRYPT_SLOT_ACTIVE)
728 r = crypt_activate_by_passphrase(cd, NULL, i,
729 password, passwordLen, 0);
736 log_err(_("No key available with this passphrase.\n"));
738 crypt_safe_free(password);
742 static int action_luksKillSlot(int arg __attribute__((unused)))
744 struct crypt_device *cd = NULL;
747 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
750 crypt_set_confirm_callback(cd, _yesDialog, NULL);
751 crypt_set_timeout(cd, opt_timeout);
753 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
756 switch (crypt_keyslot_status(cd, opt_key_slot)) {
757 case CRYPT_SLOT_ACTIVE_LAST:
758 case CRYPT_SLOT_ACTIVE:
759 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
761 case CRYPT_SLOT_INACTIVE:
762 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
763 case CRYPT_SLOT_INVALID:
768 if (!opt_batch_mode) {
769 r = verify_keyslot(cd, opt_key_slot,
770 _("This is the last keyslot. Device will become unusable after purging this key."),
771 _("Enter any remaining LUKS passphrase: "),
772 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
777 r = crypt_keyslot_destroy(cd, opt_key_slot);
783 static int action_luksRemoveKey(int arg __attribute__((unused)))
785 struct crypt_device *cd = NULL;
786 char *password = NULL;
790 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
793 crypt_set_confirm_callback(cd, _yesDialog, NULL);
794 crypt_set_timeout(cd, opt_timeout);
796 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
799 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
800 &password, &passwordLen,
801 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
803 _verify_passphrase(0),
808 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
809 password, passwordLen, 0);
814 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
816 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
817 !_yesDialog(_("This is the last keyslot. "
818 "Device will become unusable after purging this key."),
824 r = crypt_keyslot_destroy(cd, opt_key_slot);
826 crypt_safe_free(password);
831 static int action_luksAddKey(int arg __attribute__((unused)))
833 int r = -EINVAL, keysize = 0;
835 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
836 struct crypt_device *cd = NULL;
838 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
841 crypt_set_confirm_callback(cd, _yesDialog, NULL);
843 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
846 keysize = crypt_get_volume_key_size(cd);
847 /* FIXME: lib cannot properly set verification for new/old passphrase */
848 crypt_set_password_verify(cd, _verify_passphrase(0));
849 crypt_set_timeout(cd, opt_timeout);
850 if (opt_iteration_time)
851 crypt_set_iteration_time(cd, opt_iteration_time);
853 if (opt_master_key_file) {
854 r = _read_mk(opt_master_key_file, &key, keysize);
857 //FIXME: process keyfile arg
858 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
859 key, keysize, NULL, 0);
860 } else if (opt_key_file || opt_new_key_file) {
861 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
862 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
863 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
865 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
870 crypt_safe_free(key);
874 static int _slots_full(struct crypt_device *cd)
878 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
879 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
884 static int action_luksChangeKey(int arg __attribute__((unused)))
886 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
887 struct crypt_device *cd = NULL;
888 char *vk = NULL, *password = NULL;
889 size_t passwordLen = 0;
891 int new_key_slot, old_key_slot, r;
893 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
896 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
899 if (opt_iteration_time)
900 crypt_set_iteration_time(cd, opt_iteration_time);
902 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
903 &password, &passwordLen,
904 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
905 opt_timeout, _verify_passphrase(0), cd);
909 vk_size = crypt_get_volume_key_size(cd);
910 vk = crypt_safe_alloc(vk_size);
916 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
917 password, passwordLen);
919 if (opt_key_slot != CRYPT_ANY_SLOT)
920 log_err(_("No key available with this passphrase.\n"));
924 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
925 log_dbg("Key slot %d is going to be overwritten (%s).",
926 r, opt_key_slot != CRYPT_ANY_SLOT ?
927 "explicit key slot specified" : "no free key slot");
931 log_dbg("Allocating new key slot.");
933 new_key_slot = CRYPT_ANY_SLOT;
936 crypt_safe_free(password);
939 r = crypt_get_key(_("Enter new LUKS passphrase: "),
940 &password, &passwordLen,
941 opt_new_keyfile_offset, opt_new_keyfile_size,
943 opt_timeout, _verify_passphrase(0), cd);
947 if (new_key_slot == old_key_slot) {
948 (void)crypt_keyslot_destroy(cd, old_key_slot);
949 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
951 password, passwordLen);
953 log_verbose(_("Key slot %d changed.\n"), r);
955 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
957 password, passwordLen);
959 log_verbose(_("Replaced with key slot %d.\n"), r);
960 r = crypt_keyslot_destroy(cd, old_key_slot);
964 log_err(_("Failed to swap new key slot.\n"));
967 crypt_safe_free(password);
972 static int action_isLuks(int arg __attribute__((unused)))
974 struct crypt_device *cd = NULL;
977 if ((r = crypt_init(&cd, action_argv[0])))
980 crypt_set_log_callback(cd, _quiet_log, NULL);
981 r = crypt_load(cd, CRYPT_LUKS1, NULL);
987 static int action_luksUUID(int arg __attribute__((unused)))
989 struct crypt_device *cd = NULL;
990 const char *existing_uuid = NULL;
993 if ((r = crypt_init(&cd, action_argv[0])))
996 crypt_set_confirm_callback(cd, _yesDialog, NULL);
998 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1002 r = crypt_set_uuid(cd, opt_uuid);
1004 existing_uuid = crypt_get_uuid(cd);
1005 log_std("%s\n", existing_uuid ?: "");
1006 r = existing_uuid ? 0 : 1;
1013 static int luksDump_with_volume_key(struct crypt_device *cd)
1015 char *vk = NULL, *password = NULL;
1016 size_t passwordLen = 0;
1021 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1023 _("LUKS header dump with volume key is sensitive information\n"
1024 "which allows access to encrypted partition without passphrase.\n"
1025 "This dump should be always stored encrypted on safe place."),
1029 vk_size = crypt_get_volume_key_size(cd);
1030 vk = crypt_safe_alloc(vk_size);
1034 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
1035 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1036 opt_timeout, 0, cd);
1040 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
1041 password, passwordLen);
1045 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
1046 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
1047 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
1048 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
1049 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
1050 log_std("MK bits: \t%d\n", (int)vk_size * 8);
1051 log_std("MK dump:\t");
1053 for(i = 0; i < vk_size; i++) {
1056 log_std("%02hhx ", (char)vk[i]);
1061 crypt_safe_free(password);
1062 crypt_safe_free(vk);
1066 static int action_luksDump(int arg __attribute__((unused)))
1068 struct crypt_device *cd = NULL;
1071 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1074 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1077 if (opt_dump_master_key)
1078 r = luksDump_with_volume_key(cd);
1086 static int action_luksSuspend(int arg __attribute__((unused)))
1088 struct crypt_device *cd = NULL;
1091 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
1093 r = crypt_suspend(cd, action_argv[0]);
1099 static int action_luksResume(int arg __attribute__((unused)))
1101 struct crypt_device *cd = NULL;
1104 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1107 crypt_set_timeout(cd, opt_timeout);
1108 crypt_set_password_retry(cd, opt_tries);
1109 crypt_set_password_verify(cd, _verify_passphrase(0));
1112 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1113 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1115 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1122 static int action_luksBackup(int arg __attribute__((unused)))
1124 struct crypt_device *cd = NULL;
1127 if (!opt_header_backup_file) {
1128 log_err(_("Option --header-backup-file is required.\n"));
1132 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1135 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1137 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1143 static int action_luksRestore(int arg __attribute__((unused)))
1145 struct crypt_device *cd = NULL;
1148 if (!opt_header_backup_file) {
1149 log_err(_("Option --header-backup-file is required.\n"));
1153 if ((r = crypt_init(&cd, action_argv[0])))
1156 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1157 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1163 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1164 int exitcode, const char *error,
1167 poptPrintUsage(popt_context, stderr, 0);
1169 log_err("%s: %s\n", more, error);
1170 poptFreeContext(popt_context);
1174 static void help(poptContext popt_context,
1175 enum poptCallbackReason reason __attribute__((unused)),
1176 struct poptOption *key,
1177 const char *arg __attribute__((unused)),
1178 void *data __attribute__((unused)))
1180 if (key->shortName == '?') {
1181 struct action_type *action;
1183 log_std("%s\n",PACKAGE_STRING);
1185 poptPrintHelp(popt_context, stdout, 0);
1188 "<action> is one of:\n"));
1190 for(action = action_types; action->type; action++)
1191 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1194 "<name> is the device to create under %s\n"
1195 "<device> is the encrypted device\n"
1196 "<key slot> is the LUKS key slot number to modify\n"
1197 "<key file> optional key file for the new key for luksAddKey action\n"),
1200 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1201 "\tMaximum keyfile size: %dkB, "
1202 "Maximum interactive passphrase length %d (characters)\n"),
1203 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1205 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1206 "\tloop-AES: %s, Key %d bits\n"
1207 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1208 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1209 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1210 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1211 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1215 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1218 static void _dbg_version_and_cmd(int argc, const char **argv)
1222 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1223 for (i = 0; i < argc; i++) {
1226 log_std("%s", argv[i]);
1231 static int run_action(struct action_type *action)
1235 log_dbg("Running command %s.", action->type);
1237 if (action->required_memlock)
1238 crypt_memory_lock(NULL, 1);
1240 r = action->handler(action->arg);
1242 if (action->required_memlock)
1243 crypt_memory_lock(NULL, 0);
1245 /* Some functions returns keyslot # */
1251 /* Translate exit code to simple codes */
1253 case 0: r = EXIT_SUCCESS; break;
1255 case -EBUSY: r = 5; break;
1257 case -ENODEV: r = 4; break;
1258 case -ENOMEM: r = 3; break;
1259 case -EPERM: r = 2; break;
1263 default: r = EXIT_FAILURE;
1268 int main(int argc, const char **argv)
1270 static char *popt_tmp;
1271 static struct poptOption popt_help_options[] = {
1272 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1273 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1274 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1277 static struct poptOption popt_options[] = {
1278 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1279 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1280 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1281 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1282 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1283 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1284 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1285 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1286 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1287 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1288 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1289 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1290 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1291 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1292 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1293 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1294 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1295 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1296 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1297 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1298 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1299 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1300 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1301 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1302 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1303 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1304 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1305 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1306 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1307 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1308 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1309 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1310 { "without-activation",'\0', POPT_ARG_NONE, &opt_without_activation, 0, N_("Do not activate device, just check passphrase."), NULL },
1313 poptContext popt_context;
1314 struct action_type *action;
1317 const char *null_action_argv[] = {NULL};
1319 crypt_set_log_callback(NULL, _log, NULL);
1321 setlocale(LC_ALL, "");
1322 bindtextdomain(PACKAGE, LOCALEDIR);
1323 textdomain(PACKAGE);
1325 crypt_fips_self_check(NULL);
1327 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1328 poptSetOtherOptionHelp(popt_context,
1329 N_("[OPTION...] <action> <action-specific>"));
1331 while((r = poptGetNextOpt(popt_context)) > 0) {
1332 unsigned long long ull_value;
1336 ull_value = strtoull(popt_tmp, &endp, 0);
1337 if (*endp || !*popt_tmp ||
1338 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1339 (errno != 0 && ull_value == 0))
1340 r = POPT_ERROR_BADNUMBER;
1344 opt_size = ull_value;
1347 opt_offset = ull_value;
1350 opt_skip = ull_value;
1360 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1361 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1362 if (opt_version_mode) {
1363 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1364 poptFreeContext(popt_context);
1368 if (!(aname = poptGetArg(popt_context)))
1369 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1370 poptGetInvocationName(popt_context));
1371 for(action = action_types; action->type; action++)
1372 if (strcmp(action->type, aname) == 0)
1375 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1376 poptGetInvocationName(popt_context));
1379 action_argv = poptGetArgs(popt_context);
1380 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1382 action_argv = null_action_argv;
1384 /* Count args, somewhat unnice, change? */
1385 while(action_argv[action_argc] != NULL)
1388 if(action_argc < action->required_action_argc) {
1390 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1391 usage(popt_context, EXIT_FAILURE, buf,
1392 poptGetInvocationName(popt_context));
1395 /* FIXME: rewrite this from scratch */
1397 if (opt_shared && strcmp(aname, "create"))
1398 usage(popt_context, EXIT_FAILURE,
1399 _("Option --shared is allowed only for create operation.\n"),
1400 poptGetInvocationName(popt_context));
1402 if (opt_allow_discards &&
1403 strcmp(aname, "luksOpen") &&
1404 strcmp(aname, "create") &&
1405 strcmp(aname, "loopaesOpen"))
1406 usage(popt_context, EXIT_FAILURE,
1407 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1408 poptGetInvocationName(popt_context));
1411 strcmp(aname, "luksFormat") &&
1412 strcmp(aname, "create") &&
1413 strcmp(aname, "loopaesOpen"))
1414 usage(popt_context, EXIT_FAILURE,
1415 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1416 "To limit read from keyfile use --keyfile-size=(bytes)."),
1417 poptGetInvocationName(popt_context));
1419 if (opt_without_activation &&
1420 strcmp(aname, "luksOpen"))
1421 usage(popt_context, EXIT_FAILURE,
1422 _("Option --without-activation is allowed only for luksOpen.\n"),
1423 poptGetInvocationName(popt_context));
1425 if (opt_key_size % 8)
1426 usage(popt_context, EXIT_FAILURE,
1427 _("Key size must be a multiple of 8 bits"),
1428 poptGetInvocationName(popt_context));
1430 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1431 opt_key_slot = atoi(action_argv[1]);
1432 if (opt_key_slot != CRYPT_ANY_SLOT &&
1433 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1434 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1435 poptGetInvocationName(popt_context));
1437 if ((!strcmp(aname, "luksRemoveKey") ||
1438 !strcmp(aname, "luksFormat")) &&
1441 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1443 opt_key_file = action_argv[1];
1446 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1447 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0)
1448 usage(popt_context, EXIT_FAILURE,
1449 _("Negative number for option not permitted."),
1450 poptGetInvocationName(popt_context));
1452 if (opt_random && opt_urandom)
1453 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1454 poptGetInvocationName(popt_context));
1456 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1457 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1458 poptGetInvocationName(popt_context));
1460 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1461 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1462 poptGetInvocationName(popt_context));
1464 if (opt_align_payload && strcmp(aname, "luksFormat"))
1465 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1466 poptGetInvocationName(popt_context));
1468 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1469 usage(popt_context, EXIT_FAILURE,
1470 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1471 poptGetInvocationName(popt_context));
1473 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1474 usage(popt_context, EXIT_FAILURE,
1475 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1476 poptGetInvocationName(popt_context));
1480 crypt_set_debug_level(-1);
1481 _dbg_version_and_cmd(argc, argv);
1484 r = run_action(action);
1485 poptFreeContext(popt_context);