2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
32 #include <libcryptsetup.h>
35 #include "cryptsetup.h"
37 static int opt_verbose = 0;
38 static int opt_debug = 0;
39 static const char *opt_cipher = NULL;
40 static const char *opt_hash = NULL;
41 static int opt_verify_passphrase = 0;
42 static const char *opt_key_file = NULL;
43 static const char *opt_master_key_file = NULL;
44 static const char *opt_header_backup_file = NULL;
45 static const char *opt_uuid = NULL;
46 static const char *opt_header_device = NULL;
47 static int opt_key_size = 0;
48 static long opt_keyfile_size = 0;
49 static long opt_new_keyfile_size = 0;
50 static int opt_key_slot = CRYPT_ANY_SLOT;
51 static uint64_t opt_size = 0;
52 static uint64_t opt_offset = 0;
53 static uint64_t opt_skip = 0;
54 static int opt_skip_valid = 0;
55 static int opt_readonly = 0;
56 static int opt_iteration_time = 1000;
57 static int opt_batch_mode = 0;
58 static int opt_version_mode = 0;
59 static int opt_timeout = 0;
60 static int opt_tries = 3;
61 static int opt_align_payload = 0;
62 static int opt_random = 0;
63 static int opt_urandom = 0;
64 static int opt_dump_master_key = 0;
65 static int opt_shared = 0;
66 static int opt_allow_discards = 0;
68 static const char **action_argv;
69 static int action_argc;
71 static int action_create(int arg);
72 static int action_remove(int arg);
73 static int action_resize(int arg);
74 static int action_status(int arg);
75 static int action_luksFormat(int arg);
76 static int action_luksOpen(int arg);
77 static int action_luksAddKey(int arg);
78 static int action_luksKillSlot(int arg);
79 static int action_luksRemoveKey(int arg);
80 static int action_luksChangeKey(int arg);
81 static int action_isLuks(int arg);
82 static int action_luksUUID(int arg);
83 static int action_luksDump(int arg);
84 static int action_luksSuspend(int arg);
85 static int action_luksResume(int arg);
86 static int action_luksBackup(int arg);
87 static int action_luksRestore(int arg);
88 static int action_loopaesOpen(int arg);
90 static struct action_type {
94 int required_action_argc;
99 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
100 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
101 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
102 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
103 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
104 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
105 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
106 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
107 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
108 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
109 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
110 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
111 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
112 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
113 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
114 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
115 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
116 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
117 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
118 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
119 { NULL, NULL, 0, 0, 0, NULL, NULL }
122 __attribute__((format(printf, 5, 6)))
123 static void clogger(struct crypt_device *cd, int level, const char *file,
124 int line, const char *format, ...)
129 va_start(argp, format);
131 if (vasprintf(&target, format, argp) > 0) {
133 crypt_log(cd, level, target);
135 } else if (opt_debug)
136 printf("# %s:%d %s\n", file ?: "?", line, target);
138 } else if (opt_debug)
139 printf("# %s\n", target);
147 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
153 if(isatty(0) && !opt_batch_mode) {
154 log_std("\nWARNING!\n========\n");
155 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
156 if(getline(&answer, &size, stdin) == -1) {
161 if(strcmp(answer, "YES\n"))
169 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
173 case CRYPT_LOG_NORMAL:
176 case CRYPT_LOG_VERBOSE:
180 case CRYPT_LOG_ERROR:
183 case CRYPT_LOG_DEBUG:
185 printf("# %s\n", msg);
188 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
193 static void show_status(int errcode)
195 char error[256], *error_;
201 log_std(_("Command successful.\n"));
205 crypt_get_error(error, sizeof(error));
208 error_ = strerror_r(-errcode, error, sizeof(error));
209 if (error_ != error) {
210 strncpy(error, error_, sizeof(error));
211 error[sizeof(error) - 1] = '\0';
215 log_err(_("Command failed with code %i"), -errcode);
217 log_err(": %s\n", error);
222 static int action_create(int arg __attribute__((unused)))
224 struct crypt_device *cd = NULL;
225 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
226 struct crypt_params_plain params = {
227 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
229 .offset = opt_offset,
232 char *password = NULL;
234 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
235 uint32_t activate_flags = 0;
238 if (params.hash && !strcmp(params.hash, "plain"))
241 /* FIXME: temporary hack */
242 if (opt_key_file && strcmp(opt_key_file, "-"))
245 if (opt_keyfile_size && opt_key_file)
246 log_std(("Ignoring keyfile size option, keyfile read size "
247 "is always the same as encryption key size.\n"));
249 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
250 cipher, NULL, cipher_mode);
252 log_err("No known cipher specification pattern detected.\n");
256 if ((r = crypt_init(&cd, action_argv[1])))
259 crypt_set_timeout(cd, opt_timeout);
260 crypt_set_password_retry(cd, opt_tries);
262 r = crypt_format(cd, CRYPT_PLAIN,
271 activate_flags |= CRYPT_ACTIVATE_READONLY;
274 activate_flags |= CRYPT_ACTIVATE_SHARED;
276 if (opt_allow_discards)
277 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
280 /* With hashing, read the whole keyfile */
281 r = crypt_activate_by_keyfile(cd, action_argv[0],
282 CRYPT_ANY_SLOT, opt_key_file, params.hash ? 0 : key_size,
285 r = crypt_get_key(_("Enter passphrase: "),
286 &password, &passwordLen, opt_keyfile_size,
288 opt_batch_mode ? 0 : opt_verify_passphrase,
293 r = crypt_activate_by_passphrase(cd, action_argv[0],
294 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
298 crypt_safe_free(password);
303 static int action_loopaesOpen(int arg __attribute__((unused)))
305 struct crypt_device *cd = NULL;
306 struct crypt_params_loopaes params = {
307 .hash = opt_hash ?: NULL,
308 .offset = opt_offset,
309 .skip = opt_skip_valid ? opt_skip : opt_offset,
311 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
312 uint32_t activate_flags = 0;
316 log_err(_("Option --key-file is required.\n"));
321 activate_flags |= CRYPT_ACTIVATE_READONLY;
323 if (opt_allow_discards)
324 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
326 if ((r = crypt_init(&cd, action_argv[0])))
329 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
330 NULL, NULL, NULL, key_size, ¶ms);
334 r = crypt_activate_by_keyfile(cd, action_argv[1], CRYPT_ANY_SLOT,
335 opt_key_file, opt_keyfile_size, activate_flags);
342 static int action_remove(int arg __attribute__((unused)))
344 struct crypt_device *cd = NULL;
347 r = crypt_init_by_name(&cd, action_argv[0]);
349 r = crypt_deactivate(cd, action_argv[0]);
355 static int action_resize(int arg __attribute__((unused)))
357 struct crypt_device *cd = NULL;
360 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
362 r = crypt_resize(cd, action_argv[0], opt_size);
368 static int action_status(int arg __attribute__((unused)))
370 crypt_status_info ci;
371 struct crypt_active_device cad;
372 struct crypt_device *cd = NULL;
377 ci = crypt_status(NULL, action_argv[0]);
383 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
388 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
389 ci == CRYPT_BUSY ? " and is in use" : "");
390 r = crypt_init_by_name(&cd, action_argv[0]);
391 if (r < 0 || !crypt_get_type(cd))
394 log_std(" type: %s\n", crypt_get_type(cd));
396 r = crypt_get_active_device(cd, action_argv[0], &cad);
400 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
401 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
402 device = crypt_get_device_name(cd);
403 log_std(" device: %s\n", device);
404 if (crypt_loop_device(device)) {
405 backing_file = crypt_loop_backing_file(device);
406 log_std(" loop: %s\n", backing_file);
409 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
410 log_std(" size: %" PRIu64 " sectors\n", cad.size);
412 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
413 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
414 "readonly" : "read/write");
415 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
416 log_std(" flags: discards\n");
423 static int _read_mk(const char *file, char **key, int keysize)
427 *key = crypt_safe_alloc(keysize);
431 fd = open(file, O_RDONLY);
433 log_err("Cannot read keyfile %s.\n", file);
436 if ((read(fd, *key, keysize) != keysize)) {
437 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
444 crypt_safe_free(*key);
449 static int action_luksFormat(int arg __attribute__((unused)))
451 int r = -EINVAL, keysize;
452 const char *header_device;
453 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
454 char *password = NULL;
456 struct crypt_device *cd = NULL;
457 struct crypt_params_luks1 params = {
458 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
459 .data_alignment = opt_align_payload,
460 .data_device = opt_header_device ? action_argv[0] : NULL,
463 header_device = opt_header_device ?: action_argv[0];
465 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
466 header_device) == -1) {
467 log_err(_("memory allocation error in action_luksFormat"));
471 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
476 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
477 cipher, NULL, cipher_mode);
479 log_err("No known cipher specification pattern detected.\n");
483 if ((r = crypt_init(&cd, header_device)))
486 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
488 crypt_set_password_verify(cd, 1);
489 crypt_set_timeout(cd, opt_timeout);
490 if (opt_iteration_time)
491 crypt_set_iterarion_time(cd, opt_iteration_time);
494 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
495 else if (opt_urandom)
496 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
498 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
499 opt_keyfile_size, opt_key_file, opt_timeout,
500 opt_batch_mode ? 0 : 1 /* always verify */, cd);
504 if (opt_master_key_file) {
505 r = _read_mk(opt_master_key_file, &key, keysize);
510 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
511 opt_uuid, key, keysize, ¶ms);
515 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
517 password, passwordLen);
520 crypt_safe_free(key);
521 crypt_safe_free(password);
526 static int action_luksOpen(int arg __attribute__((unused)))
528 struct crypt_device *cd = NULL;
529 const char *data_device, *header_device;
533 if (opt_header_device) {
534 header_device = opt_header_device;
535 data_device = action_argv[0];
537 header_device = action_argv[0];
541 if ((r = crypt_init(&cd, header_device)))
544 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
548 (r = crypt_set_data_device(cd, data_device)))
551 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
552 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
557 crypt_set_timeout(cd, opt_timeout);
558 crypt_set_password_retry(cd, opt_tries);
560 if (opt_iteration_time)
561 crypt_set_iterarion_time(cd, opt_iteration_time);
564 flags |= CRYPT_ACTIVATE_READONLY;
566 if (opt_allow_discards)
567 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
570 crypt_set_password_retry(cd, 1);
571 r = crypt_activate_by_keyfile(cd, action_argv[1],
572 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
575 r = crypt_activate_by_passphrase(cd, action_argv[1],
576 CRYPT_ANY_SLOT, NULL, 0, flags);
582 static int verify_keyslot(struct crypt_device *cd, int key_slot,
583 char *msg_last, char *msg_pass,
584 const char *key_file, int keyfile_size)
586 crypt_keyslot_info ki;
587 char *password = NULL;
591 ki = crypt_keyslot_status(cd, key_slot);
592 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
595 r = crypt_get_key(msg_pass, &password, &passwordLen,
596 keyfile_size, key_file, opt_timeout,
597 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
601 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
602 /* check the last keyslot */
603 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
604 password, passwordLen, 0);
606 /* try all other keyslots */
607 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
610 ki = crypt_keyslot_status(cd, key_slot);
611 if (ki == CRYPT_SLOT_ACTIVE)
612 r = crypt_activate_by_passphrase(cd, NULL, i,
613 password, passwordLen, 0);
620 log_err(_("No key available with this passphrase.\n"));
622 crypt_safe_free(password);
626 static int action_luksKillSlot(int arg __attribute__((unused)))
628 struct crypt_device *cd = NULL;
631 if ((r = crypt_init(&cd, action_argv[0])))
634 crypt_set_confirm_callback(cd, _yesDialog, NULL);
635 crypt_set_timeout(cd, opt_timeout);
637 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
640 switch (crypt_keyslot_status(cd, opt_key_slot)) {
641 case CRYPT_SLOT_ACTIVE_LAST:
642 case CRYPT_SLOT_ACTIVE:
643 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
645 case CRYPT_SLOT_INACTIVE:
646 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
647 case CRYPT_SLOT_INVALID:
651 if (!opt_batch_mode) {
652 r = verify_keyslot(cd, opt_key_slot,
653 _("This is the last keyslot. Device will become unusable after purging this key."),
654 _("Enter any remaining LUKS passphrase: "),
655 opt_key_file, opt_keyfile_size);
660 r = crypt_keyslot_destroy(cd, opt_key_slot);
666 static int action_luksRemoveKey(int arg __attribute__((unused)))
668 struct crypt_device *cd = NULL;
669 char *password = NULL;
673 if ((r = crypt_init(&cd, action_argv[0])))
676 crypt_set_confirm_callback(cd, _yesDialog, NULL);
677 crypt_set_timeout(cd, opt_timeout);
679 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
682 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
683 &password, &passwordLen,
684 opt_keyfile_size, opt_key_file,
686 opt_batch_mode ? 0 : opt_verify_passphrase,
691 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
692 password, passwordLen, 0);
697 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
699 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
700 !_yesDialog(_("This is the last keyslot. "
701 "Device will become unusable after purging this key."),
707 r = crypt_keyslot_destroy(cd, opt_key_slot);
709 crypt_safe_free(password);
714 static int action_luksAddKey(int arg __attribute__((unused)))
716 int r = -EINVAL, keysize = 0;
718 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
719 struct crypt_device *cd = NULL;
721 if ((r = crypt_init(&cd, action_argv[0])))
724 crypt_set_confirm_callback(cd, _yesDialog, NULL);
726 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
729 keysize = crypt_get_volume_key_size(cd);
730 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
731 crypt_set_timeout(cd, opt_timeout);
732 if (opt_iteration_time)
733 crypt_set_iterarion_time(cd, opt_iteration_time);
735 if (opt_master_key_file) {
736 r = _read_mk(opt_master_key_file, &key, keysize);
739 //FIXME: process keyfile arg
740 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
741 key, keysize, NULL, 0);
742 } else if (opt_key_file || opt_new_key_file) {
743 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
744 opt_key_file, opt_keyfile_size,
745 opt_new_key_file, opt_new_keyfile_size);
747 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
752 crypt_safe_free(key);
756 static int _slots_full(struct crypt_device *cd)
760 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
761 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
766 static int action_luksChangeKey(int arg __attribute__((unused)))
768 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
769 struct crypt_device *cd = NULL;
770 char *vk = NULL, *password = NULL;
771 size_t passwordLen = 0;
773 int new_key_slot, old_key_slot, r;
775 if ((r = crypt_init(&cd, action_argv[0])))
778 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
781 if (opt_iteration_time)
782 crypt_set_iterarion_time(cd, opt_iteration_time);
784 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
785 &password, &passwordLen,
786 opt_keyfile_size, opt_key_file, opt_timeout,
787 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
791 vk_size = crypt_get_volume_key_size(cd);
792 vk = crypt_safe_alloc(vk_size);
798 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
799 password, passwordLen);
801 if (opt_key_slot != CRYPT_ANY_SLOT)
802 log_err(_("No key available with this passphrase.\n"));
806 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
807 log_dbg("Key slot %d is going to be overwritten (%s).",
808 r, opt_key_slot != CRYPT_ANY_SLOT ?
809 "explicit key slot specified" : "no free key slot");
813 log_dbg("Allocating new key slot.");
815 new_key_slot = CRYPT_ANY_SLOT;
818 crypt_safe_free(password);
821 r = crypt_get_key(_("Enter new LUKS passphrase: "),
822 &password, &passwordLen,
823 opt_new_keyfile_size, opt_new_key_file,
824 opt_timeout, opt_batch_mode ? 0 : 1, cd);
828 if (new_key_slot == old_key_slot) {
829 (void)crypt_keyslot_destroy(cd, old_key_slot);
830 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
832 password, passwordLen);
834 log_verbose(_("Key slot %d changed.\n"), r);
836 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
838 password, passwordLen);
840 log_verbose(_("Replaced with key slot %d.\n"), r);
841 r = crypt_keyslot_destroy(cd, old_key_slot);
845 log_err(_("Failed to swap new key slot.\n"));
848 crypt_safe_free(password);
853 static int action_isLuks(int arg __attribute__((unused)))
855 struct crypt_device *cd = NULL;
858 if ((r = crypt_init(&cd, action_argv[0])))
861 r = crypt_load(cd, CRYPT_LUKS1, NULL);
867 static int action_luksUUID(int arg __attribute__((unused)))
869 struct crypt_device *cd = NULL;
870 const char *existing_uuid = NULL;
873 if ((r = crypt_init(&cd, action_argv[0])))
876 crypt_set_confirm_callback(cd, _yesDialog, NULL);
878 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
882 r = crypt_set_uuid(cd, opt_uuid);
884 existing_uuid = crypt_get_uuid(cd);
885 log_std("%s\n", existing_uuid ?: "");
886 r = existing_uuid ? 0 : 1;
893 static int luksDump_with_volume_key(struct crypt_device *cd)
895 char *vk = NULL, *password = NULL;
896 size_t passwordLen = 0;
901 crypt_set_confirm_callback(cd, _yesDialog, NULL);
903 _("LUKS header dump with volume key is sensitive information\n"
904 "which allows access to encrypted partition without passphrase.\n"
905 "This dump should be always stored encrypted on safe place."),
909 vk_size = crypt_get_volume_key_size(cd);
910 vk = crypt_safe_alloc(vk_size);
914 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
915 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
919 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
920 password, passwordLen);
924 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
925 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
926 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
927 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
928 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
929 log_std("MK bits: \t%d\n", (int)vk_size * 8);
930 log_std("MK dump:\t");
932 for(i = 0; i < vk_size; i++) {
935 log_std("%02hhx ", (char)vk[i]);
940 crypt_safe_free(password);
945 static int action_luksDump(int arg __attribute__((unused)))
947 struct crypt_device *cd = NULL;
950 if ((r = crypt_init(&cd, action_argv[0])))
953 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
956 if (opt_dump_master_key)
957 r = luksDump_with_volume_key(cd);
965 static int action_luksSuspend(int arg __attribute__((unused)))
967 struct crypt_device *cd = NULL;
970 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
972 r = crypt_suspend(cd, action_argv[0]);
978 static int action_luksResume(int arg __attribute__((unused)))
980 struct crypt_device *cd = NULL;
983 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
986 crypt_set_timeout(cd, opt_timeout);
987 crypt_set_password_retry(cd, opt_tries);
990 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
991 opt_key_file, opt_keyfile_size);
993 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1000 static int action_luksBackup(int arg __attribute__((unused)))
1002 struct crypt_device *cd = NULL;
1005 if (!opt_header_backup_file) {
1006 log_err(_("Option --header-backup-file is required.\n"));
1010 if ((r = crypt_init(&cd, action_argv[0])))
1013 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1015 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1021 static int action_luksRestore(int arg __attribute__((unused)))
1023 struct crypt_device *cd = NULL;
1026 if (!opt_header_backup_file) {
1027 log_err(_("Option --header-backup-file is required.\n"));
1031 if ((r = crypt_init(&cd, action_argv[0])))
1034 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1035 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1041 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1042 int exitcode, const char *error,
1045 poptPrintUsage(popt_context, stderr, 0);
1047 log_err("%s: %s\n", more, error);
1051 static void help(poptContext popt_context,
1052 enum poptCallbackReason reason __attribute__((unused)),
1053 struct poptOption *key,
1054 const char *arg __attribute__((unused)),
1055 void *data __attribute__((unused)))
1057 if (key->shortName == '?') {
1058 struct action_type *action;
1060 log_std("%s\n",PACKAGE_STRING);
1062 poptPrintHelp(popt_context, stdout, 0);
1065 "<action> is one of:\n"));
1067 for(action = action_types; action->type; action++)
1068 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1071 "<name> is the device to create under %s\n"
1072 "<device> is the encrypted device\n"
1073 "<key slot> is the LUKS key slot number to modify\n"
1074 "<key file> optional key file for the new key for luksAddKey action\n"),
1077 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1078 "\tMaximum keyfile size: %dkB, "
1079 "Maximum interactive passphrase length %d (characters)\n"),
1080 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1082 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1083 "\tloop-AES: %s, Key %d bits\n"
1084 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1085 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1086 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1087 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1088 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1092 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1095 static void _dbg_version_and_cmd(int argc, const char **argv)
1099 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1100 for (i = 0; i < argc; i++) {
1103 log_std("%s", argv[i]);
1108 static int run_action(struct action_type *action)
1112 log_dbg("Running command %s.", action->type);
1114 if (action->required_memlock)
1115 crypt_memory_lock(NULL, 1);
1117 r = action->handler(action->arg);
1119 if (action->required_memlock)
1120 crypt_memory_lock(NULL, 0);
1122 /* Some functions returns keyslot # */
1128 /* Translate exit code to simple codes */
1130 case 0: r = EXIT_SUCCESS; break;
1132 case -EBUSY: r = 5; break;
1134 case -ENODEV: r = 4; break;
1135 case -ENOMEM: r = 3; break;
1136 case -EPERM: r = 2; break;
1140 default: r = EXIT_FAILURE;
1145 int main(int argc, const char **argv)
1147 static char *popt_tmp;
1148 static struct poptOption popt_help_options[] = {
1149 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1150 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1151 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1154 static struct poptOption popt_options[] = {
1155 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1156 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1157 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1158 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1159 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1160 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1161 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1162 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1163 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1164 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1165 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1166 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1167 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1168 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1169 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1170 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1171 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1172 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1173 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1174 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1175 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1176 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1177 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1178 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1179 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1180 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1181 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1182 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1183 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1184 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1187 poptContext popt_context;
1188 struct action_type *action;
1191 const char *null_action_argv[] = {NULL};
1193 crypt_set_log_callback(NULL, _log, NULL);
1195 setlocale(LC_ALL, "");
1196 bindtextdomain(PACKAGE, LOCALEDIR);
1197 textdomain(PACKAGE);
1199 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1200 poptSetOtherOptionHelp(popt_context,
1201 N_("[OPTION...] <action> <action-specific>]"));
1203 while((r = poptGetNextOpt(popt_context)) > 0) {
1204 unsigned long long ull_value;
1207 ull_value = strtoull(popt_tmp, &endp, 0);
1208 if (*endp || !*popt_tmp)
1209 r = POPT_ERROR_BADNUMBER;
1213 opt_size = ull_value;
1216 opt_offset = ull_value;
1219 opt_skip = ull_value;
1229 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1230 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1231 if (opt_version_mode) {
1232 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1236 if (!(aname = poptGetArg(popt_context)))
1237 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1238 poptGetInvocationName(popt_context));
1239 for(action = action_types; action->type; action++)
1240 if (strcmp(action->type, aname) == 0)
1243 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1244 poptGetInvocationName(popt_context));
1247 action_argv = poptGetArgs(popt_context);
1248 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1250 action_argv = null_action_argv;
1252 /* Count args, somewhat unnice, change? */
1253 while(action_argv[action_argc] != NULL)
1256 if(action_argc < action->required_action_argc) {
1258 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1259 usage(popt_context, EXIT_FAILURE, buf,
1260 poptGetInvocationName(popt_context));
1263 /* FIXME: rewrite this from scratch */
1265 if (opt_shared && strcmp(aname, "create")) {
1266 usage(popt_context, EXIT_FAILURE,
1267 _("Option --shared is allowed only for create operation.\n"),
1268 poptGetInvocationName(popt_context));
1271 if (opt_allow_discards &&
1272 strcmp(aname, "luksOpen") &&
1273 strcmp(aname, "create") &&
1274 strcmp(aname, "loopaesOpen")) {
1275 usage(popt_context, EXIT_FAILURE,
1276 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1277 poptGetInvocationName(popt_context));
1281 strcmp(aname, "luksFormat") &&
1282 strcmp(aname, "create") &&
1283 strcmp(aname, "loopaesOpen")) {
1284 usage(popt_context, EXIT_FAILURE,
1285 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1286 "To limit read from keyfile use --keyfile-size=(bytes)."),
1287 poptGetInvocationName(popt_context));
1290 if (opt_key_size % 8)
1291 usage(popt_context, EXIT_FAILURE,
1292 _("Key size must be a multiple of 8 bits"),
1293 poptGetInvocationName(popt_context));
1295 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1296 opt_key_slot = atoi(action_argv[1]);
1297 if (opt_key_slot != CRYPT_ANY_SLOT &&
1298 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1299 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1300 poptGetInvocationName(popt_context));
1302 if ((!strcmp(aname, "luksRemoveKey") ||
1303 !strcmp(aname, "luksFormat")) &&
1306 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1308 opt_key_file = action_argv[1];
1311 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1312 usage(popt_context, EXIT_FAILURE,
1313 _("Negative number for option not permitted."),
1314 poptGetInvocationName(popt_context));
1317 if (opt_random && opt_urandom)
1318 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1319 poptGetInvocationName(popt_context));
1320 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1321 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1322 poptGetInvocationName(popt_context));
1324 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1325 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1326 poptGetInvocationName(popt_context));
1328 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1329 usage(popt_context, EXIT_FAILURE,
1330 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1331 poptGetInvocationName(popt_context));
1333 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1334 usage(popt_context, EXIT_FAILURE,
1335 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1336 poptGetInvocationName(popt_context));
1340 crypt_set_debug_level(-1);
1341 _dbg_version_and_cmd(argc, argv);
1344 return run_action(action);