2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "cryptsetup.h"
24 static const char *opt_cipher = NULL;
25 static const char *opt_hash = NULL;
26 static int opt_verify_passphrase = 0;
28 static const char *opt_key_file = NULL;
29 static int opt_keyfiles_count = 0;
30 static const char *opt_keyfiles[MAX_KEYFILES];
32 static const char *opt_master_key_file = NULL;
33 static const char *opt_header_backup_file = NULL;
34 static const char *opt_uuid = NULL;
35 static const char *opt_header_device = NULL;
36 static int opt_key_size = 0;
37 static long opt_keyfile_size = 0;
38 static long opt_new_keyfile_size = 0;
39 static long opt_keyfile_offset = 0;
40 static long opt_new_keyfile_offset = 0;
41 static int opt_key_slot = CRYPT_ANY_SLOT;
42 static uint64_t opt_size = 0;
43 static uint64_t opt_offset = 0;
44 static uint64_t opt_skip = 0;
45 static int opt_skip_valid = 0;
46 static int opt_readonly = 0;
47 static int opt_iteration_time = DEFAULT_LUKS1_ITER_TIME;
48 static int opt_version_mode = 0;
49 static int opt_timeout = 0;
50 static int opt_tries = 3;
51 static int opt_align_payload = 0;
52 static int opt_random = 0;
53 static int opt_urandom = 0;
54 static int opt_dump_master_key = 0;
55 static int opt_shared = 0;
56 static int opt_allow_discards = 0;
57 static int opt_test_passphrase = 0;
58 static int opt_hidden = 0;
60 static const char **action_argv;
61 static int action_argc;
62 static const char *null_action_argv[] = {NULL, NULL};
64 static int action_create(int arg);
65 static int action_remove(int arg);
66 static int action_resize(int arg);
67 static int action_status(int arg);
68 static int action_benchmark(int arg);
69 static int action_luksFormat(int arg);
70 static int action_luksOpen(int arg);
71 static int action_luksAddKey(int arg);
72 static int action_luksKillSlot(int arg);
73 static int action_luksRemoveKey(int arg);
74 static int action_luksChangeKey(int arg);
75 static int action_isLuks(int arg);
76 static int action_luksUUID(int arg);
77 static int action_luksDump(int arg);
78 static int action_luksSuspend(int arg);
79 static int action_luksResume(int arg);
80 static int action_luksBackup(int arg);
81 static int action_luksRestore(int arg);
82 static int action_loopaesOpen(int arg);
83 static int action_luksRepair(int arg);
84 static int action_tcryptOpen(int arg);
85 static int action_tcryptDump(int arg);
87 static struct action_type {
91 int required_action_argc;
96 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
97 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
98 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
99 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
100 { "benchmark", action_benchmark, 0, 0, 0, N_("<name>"), N_("benchmark cipher") },
101 { "repair", action_luksRepair, 0, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
102 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
103 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
104 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
105 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
106 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
107 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
108 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
109 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
110 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
111 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
112 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
113 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
114 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
115 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
116 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
117 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
118 { "tcryptOpen", action_tcryptOpen, 0, 2, 1, N_("<device> <name> "), N_("open TCRYPT device as mapping <name>") },
119 { "tcryptDump", action_tcryptDump, 0, 1, 1, N_("<device>"), N_("dump TCRYPT device information") },
120 { NULL, NULL, 0, 0, 0, NULL, NULL }
123 static int _verify_passphrase(int def)
125 /* Batch mode switch off verify - if not overrided by -y */
126 if (opt_verify_passphrase)
128 else if (opt_batch_mode)
131 /* Non-tty input doesn't allow verify */
132 if (def && !isatty(STDIN_FILENO)) {
133 if (opt_verify_passphrase)
134 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
141 static int action_create(int arg __attribute__((unused)))
143 struct crypt_device *cd = NULL;
144 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
145 struct crypt_params_plain params = {
146 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
148 .offset = opt_offset,
151 char *password = NULL;
153 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
154 uint32_t activate_flags = 0;
157 if (params.hash && !strcmp(params.hash, "plain"))
160 /* FIXME: temporary hack */
161 if (opt_key_file && strcmp(opt_key_file, "-"))
164 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
165 log_std(("Ignoring keyfile offset and size options, keyfile read "
166 "size is always the same as encryption key size.\n"));
168 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
169 cipher, NULL, cipher_mode);
171 log_err("No known cipher specification pattern detected.\n");
175 if ((r = crypt_init(&cd, action_argv[1])))
178 crypt_set_timeout(cd, opt_timeout);
179 crypt_set_password_retry(cd, opt_tries);
181 r = crypt_format(cd, CRYPT_PLAIN,
190 activate_flags |= CRYPT_ACTIVATE_READONLY;
193 activate_flags |= CRYPT_ACTIVATE_SHARED;
195 if (opt_allow_discards)
196 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
199 /* With hashing, read the whole keyfile */
200 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
201 CRYPT_ANY_SLOT, opt_key_file,
202 params.hash ? 0 : key_size, 0,
205 r = crypt_get_key(_("Enter passphrase: "),
206 &password, &passwordLen,
207 opt_keyfile_offset, opt_keyfile_size,
209 _verify_passphrase(0),
214 r = crypt_activate_by_passphrase(cd, action_argv[0],
215 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
219 crypt_safe_free(password);
224 static int action_loopaesOpen(int arg __attribute__((unused)))
226 struct crypt_device *cd = NULL;
227 struct crypt_params_loopaes params = {
228 .hash = opt_hash ?: NULL,
229 .offset = opt_offset,
230 .skip = opt_skip_valid ? opt_skip : opt_offset,
232 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
233 uint32_t activate_flags = 0;
237 log_err(_("Option --key-file is required.\n"));
242 activate_flags |= CRYPT_ACTIVATE_READONLY;
244 if (opt_allow_discards)
245 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
247 if ((r = crypt_init(&cd, action_argv[0])))
250 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
251 NULL, NULL, NULL, key_size, ¶ms);
255 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
256 opt_key_file, opt_keyfile_size,
257 opt_keyfile_size, activate_flags);
264 static int action_tcryptOpen(int arg __attribute__((unused)))
266 struct crypt_device *cd = NULL;
267 struct crypt_params_tcrypt params = {
268 .keyfiles = opt_keyfiles,
269 .keyfiles_count = opt_keyfiles_count,
270 .flags = CRYPT_TCRYPT_LEGACY_MODES,
272 const char *activated_name;
276 activated_name = opt_test_passphrase ? NULL : action_argv[1];
278 if ((r = crypt_init(&cd, action_argv[0])))
281 /* TCRYPT header is encrypted, get passphrase now */
282 r = crypt_get_key(_("Enter passphrase: "),
283 CONST_CAST(char**)¶ms.passphrase,
284 ¶ms.passphrase_size, 0, 0, NULL, opt_timeout,
285 _verify_passphrase(0), cd);
290 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
292 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
297 flags |= CRYPT_ACTIVATE_READONLY;
300 r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, flags);
303 crypt_safe_free(CONST_CAST(char*)params.passphrase);
307 static int action_tcryptDump(int arg __attribute__((unused)))
309 struct crypt_device *cd = NULL;
310 struct crypt_params_tcrypt params = {
311 .keyfiles = opt_keyfiles,
312 .keyfiles_count = opt_keyfiles_count,
313 .flags = CRYPT_TCRYPT_LEGACY_MODES,
317 if ((r = crypt_init(&cd, action_argv[0])))
320 /* TCRYPT header is encrypted, get passphrase now */
321 r = crypt_get_key(_("Enter passphrase: "),
322 CONST_CAST(char**)¶ms.passphrase,
323 ¶ms.passphrase_size, 0, 0, NULL, opt_timeout,
324 _verify_passphrase(0), cd);
329 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
331 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
338 crypt_safe_free(CONST_CAST(char*)params.passphrase);
342 static int action_remove(int arg __attribute__((unused)))
344 struct crypt_device *cd = NULL;
347 r = crypt_init_by_name(&cd, action_argv[0]);
349 r = crypt_deactivate(cd, action_argv[0]);
355 static int action_resize(int arg __attribute__((unused)))
357 struct crypt_device *cd = NULL;
360 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
362 r = crypt_resize(cd, action_argv[0], opt_size);
368 static int action_status(int arg __attribute__((unused)))
370 crypt_status_info ci;
371 struct crypt_active_device cad;
372 struct crypt_device *cd = NULL;
378 /* perhaps a path, not a dm device name */
379 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
382 ci = crypt_status(NULL, action_argv[0]);
389 log_std("%s is inactive.\n", action_argv[0]);
391 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
397 log_std("%s is active%s.\n", action_argv[0],
398 ci == CRYPT_BUSY ? " and is in use" : "");
400 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
401 ci == CRYPT_BUSY ? " and is in use" : "");
403 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
404 if (r < 0 || !crypt_get_type(cd))
407 log_std(" type: %s\n", crypt_get_type(cd));
409 r = crypt_get_active_device(cd, action_argv[0], &cad);
413 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
414 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
415 device = crypt_get_device_name(cd);
416 log_std(" device: %s\n", device);
417 if (crypt_loop_device(device)) {
418 backing_file = crypt_loop_backing_file(device);
419 log_std(" loop: %s\n", backing_file);
422 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
423 log_std(" size: %" PRIu64 " sectors\n", cad.size);
425 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
426 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
427 "readonly" : "read/write");
428 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
429 log_std(" flags: discards\n");
438 static int action_benchmark(int arg __attribute__((unused)))
446 { "aes", "cbc", 16, 16 },
447 { "serpent", "cbc", 16, 16 },
448 { "twofish", "cbc", 16, 16 },
449 { "aes", "cbc", 32, 16 },
450 { "serpent", "cbc", 32, 16 },
451 { "twofish", "cbc", 32, 16 },
452 { "aes", "xts", 32, 16 },
453 { "serpent", "xts", 32, 16 },
454 { "twofish", "xts", 32, 16 },
455 { "aes", "xts", 64, 16 },
456 { "serpent", "xts", 64, 16 },
457 { "twofish", "xts", 64, 16 },
460 char *header = "# Tests are approximate using memory only (no storage IO).\n"
461 "# Algorithm | Key | Encryption | Decryption\n";
462 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
463 double enc_mbr = 0, dec_mbr = 0;
464 int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS);
465 int iv_size = 16, skipped = 0;
466 int buffer_size = 1024 * 1024;
471 r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
473 log_err(_("No known cipher specification pattern detected.\n"));
476 if ((c = strchr(cipher_mode, '-')))
479 /* FIXME: not really clever :) */
480 if (strstr(cipher, "des") ||
481 strstr(cipher, "blowfish") ||
482 strstr(cipher, "cast5"))
485 r = crypt_benchmark(NULL, cipher, cipher_mode,
486 key_size / 8, iv_size, buffer_size,
489 log_std("%s", header);
490 strncat(cipher, "-", MAX_CIPHER_LEN);
491 strncat(cipher, cipher_mode, MAX_CIPHER_LEN);
492 log_std("%12s %4db %5.1f MiB/s %5.1f MiB/s\n",
493 cipher, key_size, enc_mbr, dec_mbr);
494 } else if (r == -ENOENT)
495 log_err(_("Cipher %s is not available.\n"), opt_cipher);
497 for (i = 0; bciphers[i].cipher; i++) {
498 r = crypt_benchmark(NULL, bciphers[i].cipher, bciphers[i].mode,
499 bciphers[i].key_size, bciphers[i].iv_size,
500 buffer_size, &enc_mbr, &dec_mbr);
506 log_std("%s", header);
508 snprintf(cipher, MAX_CIPHER_LEN, "%s-%s",
509 bciphers[i].cipher, bciphers[i].mode);
511 log_std("%12s %4db %5.1f MiB/s %5.1f MiB/s\n",
512 cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr);
514 log_std("%12s %4db %12s %12s\n", cipher,
515 bciphers[i].key_size*8, _("N/A"), _("N/A"));
517 if (skipped && skipped == i)
522 log_err( _("Required kernel crypto interface not available.\n"
523 "Ensure you have algif_skcipher kernel module loaded.\n"));
527 static int _read_mk(const char *file, char **key, int keysize)
531 *key = crypt_safe_alloc(keysize);
535 fd = open(file, O_RDONLY);
537 log_err("Cannot read keyfile %s.\n", file);
540 if ((read(fd, *key, keysize) != keysize)) {
541 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
548 crypt_safe_free(*key);
553 static int action_luksRepair(int arg __attribute__((unused)))
555 struct crypt_device *cd = NULL;
558 if ((r = crypt_init(&cd, action_argv[0])))
561 /* Currently only LUKS1 allows repair */
562 crypt_set_log_callback(cd, quiet_log, NULL);
563 r = crypt_load(cd, CRYPT_LUKS1, NULL);
564 crypt_set_log_callback(cd, tool_log, NULL);
566 log_verbose( _("No known problems detected for LUKS header.\n"));
570 r = yesDialog(_("Really try to repair LUKS device header?"),
573 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
579 static int action_luksFormat(int arg __attribute__((unused)))
581 int r = -EINVAL, keysize;
582 const char *header_device;
583 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
584 char *password = NULL;
586 struct crypt_device *cd = NULL;
587 struct crypt_params_luks1 params = {
588 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
589 .data_alignment = opt_align_payload,
590 .data_device = opt_header_device ? action_argv[0] : NULL,
593 header_device = opt_header_device ?: action_argv[0];
595 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
596 header_device) == -1) {
597 log_err(_("memory allocation error in action_luksFormat"));
601 r = yesDialog(msg, NULL) ? 0 : -EINVAL;
606 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
607 cipher, NULL, cipher_mode);
609 log_err(_("No known cipher specification pattern detected.\n"));
613 if ((r = crypt_init(&cd, header_device))) {
614 if (opt_header_device)
615 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
619 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
621 crypt_set_timeout(cd, opt_timeout);
622 if (opt_iteration_time)
623 crypt_set_iteration_time(cd, opt_iteration_time);
626 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
627 else if (opt_urandom)
628 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
630 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
631 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
632 opt_timeout, _verify_passphrase(1), cd);
636 if (opt_master_key_file) {
637 r = _read_mk(opt_master_key_file, &key, keysize);
642 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
643 opt_uuid, key, keysize, ¶ms);
647 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
649 password, passwordLen);
652 crypt_safe_free(key);
653 crypt_safe_free(password);
658 static int action_luksOpen(int arg __attribute__((unused)))
660 struct crypt_device *cd = NULL;
661 const char *data_device, *header_device, *activated_name;
666 if (opt_header_device) {
667 header_device = uuid_or_device(opt_header_device);
668 data_device = action_argv[0];
670 header_device = uuid_or_device(action_argv[0]);
674 activated_name = opt_test_passphrase ? NULL : action_argv[1];
676 if ((r = crypt_init(&cd, header_device)))
679 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
683 (r = crypt_set_data_device(cd, data_device)))
686 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
687 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
692 crypt_set_timeout(cd, opt_timeout);
693 crypt_set_password_retry(cd, opt_tries);
694 crypt_set_password_verify(cd, _verify_passphrase(0));
696 if (opt_iteration_time)
697 crypt_set_iteration_time(cd, opt_iteration_time);
700 flags |= CRYPT_ACTIVATE_READONLY;
702 if (opt_allow_discards)
703 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
705 if (opt_master_key_file) {
706 keysize = crypt_get_volume_key_size(cd);
707 r = _read_mk(opt_master_key_file, &key, keysize);
710 r = crypt_activate_by_volume_key(cd, activated_name,
711 key, keysize, flags);
712 } else if (opt_key_file) {
713 crypt_set_password_retry(cd, 1);
714 r = crypt_activate_by_keyfile_offset(cd, activated_name,
715 opt_key_slot, opt_key_file, opt_keyfile_size,
716 opt_keyfile_offset, flags);
718 r = crypt_activate_by_passphrase(cd, activated_name,
719 opt_key_slot, NULL, 0, flags);
721 crypt_safe_free(key);
726 static int verify_keyslot(struct crypt_device *cd, int key_slot,
727 char *msg_last, char *msg_pass,
728 const char *key_file, int keyfile_offset,
731 crypt_keyslot_info ki;
732 char *password = NULL;
736 ki = crypt_keyslot_status(cd, key_slot);
737 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !yesDialog(msg_last, NULL))
740 r = crypt_get_key(msg_pass, &password, &passwordLen,
741 keyfile_offset, keyfile_size, key_file, opt_timeout,
742 _verify_passphrase(0), cd);
746 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
747 /* check the last keyslot */
748 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
749 password, passwordLen, 0);
751 /* try all other keyslots */
752 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
755 ki = crypt_keyslot_status(cd, key_slot);
756 if (ki == CRYPT_SLOT_ACTIVE)
757 r = crypt_activate_by_passphrase(cd, NULL, i,
758 password, passwordLen, 0);
765 log_err(_("No key available with this passphrase.\n"));
767 crypt_safe_free(password);
771 static int action_luksKillSlot(int arg __attribute__((unused)))
773 struct crypt_device *cd = NULL;
776 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
779 crypt_set_confirm_callback(cd, yesDialog, NULL);
780 crypt_set_timeout(cd, opt_timeout);
782 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
785 switch (crypt_keyslot_status(cd, opt_key_slot)) {
786 case CRYPT_SLOT_ACTIVE_LAST:
787 case CRYPT_SLOT_ACTIVE:
788 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
790 case CRYPT_SLOT_INACTIVE:
791 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
792 case CRYPT_SLOT_INVALID:
797 if (!opt_batch_mode) {
798 r = verify_keyslot(cd, opt_key_slot,
799 _("This is the last keyslot. Device will become unusable after purging this key."),
800 _("Enter any remaining LUKS passphrase: "),
801 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
806 r = crypt_keyslot_destroy(cd, opt_key_slot);
812 static int action_luksRemoveKey(int arg __attribute__((unused)))
814 struct crypt_device *cd = NULL;
815 char *password = NULL;
819 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
822 crypt_set_confirm_callback(cd, yesDialog, NULL);
823 crypt_set_timeout(cd, opt_timeout);
825 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
828 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
829 &password, &passwordLen,
830 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
832 _verify_passphrase(0),
837 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
838 password, passwordLen, 0);
843 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
845 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
846 !yesDialog(_("This is the last keyslot. "
847 "Device will become unusable after purging this key."),
853 r = crypt_keyslot_destroy(cd, opt_key_slot);
855 crypt_safe_free(password);
860 static int action_luksAddKey(int arg __attribute__((unused)))
862 int r = -EINVAL, keysize = 0;
864 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
865 struct crypt_device *cd = NULL;
867 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
870 crypt_set_confirm_callback(cd, yesDialog, NULL);
872 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
875 keysize = crypt_get_volume_key_size(cd);
876 /* FIXME: lib cannot properly set verification for new/old passphrase */
877 crypt_set_password_verify(cd, _verify_passphrase(0));
878 crypt_set_timeout(cd, opt_timeout);
879 if (opt_iteration_time)
880 crypt_set_iteration_time(cd, opt_iteration_time);
882 if (opt_master_key_file) {
883 r = _read_mk(opt_master_key_file, &key, keysize);
886 //FIXME: process keyfile arg
887 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
888 key, keysize, NULL, 0);
889 } else if (opt_key_file || opt_new_key_file) {
890 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
891 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
892 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
894 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
899 crypt_safe_free(key);
903 static int _slots_full(struct crypt_device *cd)
907 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
908 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
913 static int action_luksChangeKey(int arg __attribute__((unused)))
915 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
916 struct crypt_device *cd = NULL;
917 char *vk = NULL, *password = NULL;
918 size_t passwordLen = 0;
920 int new_key_slot, old_key_slot, r;
922 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
925 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
928 if (opt_iteration_time)
929 crypt_set_iteration_time(cd, opt_iteration_time);
931 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
932 &password, &passwordLen,
933 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
934 opt_timeout, _verify_passphrase(0), cd);
938 vk_size = crypt_get_volume_key_size(cd);
939 vk = crypt_safe_alloc(vk_size);
945 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
946 password, passwordLen);
948 if (opt_key_slot != CRYPT_ANY_SLOT)
949 log_err(_("No key available with this passphrase.\n"));
953 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
954 log_dbg("Key slot %d is going to be overwritten (%s).",
955 r, opt_key_slot != CRYPT_ANY_SLOT ?
956 "explicit key slot specified" : "no free key slot");
960 log_dbg("Allocating new key slot.");
962 new_key_slot = CRYPT_ANY_SLOT;
965 crypt_safe_free(password);
968 r = crypt_get_key(_("Enter new LUKS passphrase: "),
969 &password, &passwordLen,
970 opt_new_keyfile_offset, opt_new_keyfile_size,
972 opt_timeout, _verify_passphrase(0), cd);
976 if (new_key_slot == old_key_slot) {
977 (void)crypt_keyslot_destroy(cd, old_key_slot);
978 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
980 password, passwordLen);
982 log_verbose(_("Key slot %d changed.\n"), r);
984 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
986 password, passwordLen);
988 log_verbose(_("Replaced with key slot %d.\n"), r);
989 r = crypt_keyslot_destroy(cd, old_key_slot);
993 log_err(_("Failed to swap new key slot.\n"));
996 crypt_safe_free(password);
1001 static int action_isLuks(int arg __attribute__((unused)))
1003 struct crypt_device *cd = NULL;
1006 if ((r = crypt_init(&cd, action_argv[0])))
1009 crypt_set_log_callback(cd, quiet_log, NULL);
1010 r = crypt_load(cd, CRYPT_LUKS1, NULL);
1016 static int action_luksUUID(int arg __attribute__((unused)))
1018 struct crypt_device *cd = NULL;
1019 const char *existing_uuid = NULL;
1022 if ((r = crypt_init(&cd, action_argv[0])))
1025 crypt_set_confirm_callback(cd, yesDialog, NULL);
1027 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1031 r = crypt_set_uuid(cd, opt_uuid);
1033 existing_uuid = crypt_get_uuid(cd);
1034 log_std("%s\n", existing_uuid ?: "");
1035 r = existing_uuid ? 0 : 1;
1042 static int luksDump_with_volume_key(struct crypt_device *cd)
1044 char *vk = NULL, *password = NULL;
1045 size_t passwordLen = 0;
1050 crypt_set_confirm_callback(cd, yesDialog, NULL);
1052 _("LUKS header dump with volume key is sensitive information\n"
1053 "which allows access to encrypted partition without passphrase.\n"
1054 "This dump should be always stored encrypted on safe place."),
1058 vk_size = crypt_get_volume_key_size(cd);
1059 vk = crypt_safe_alloc(vk_size);
1063 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
1064 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1065 opt_timeout, 0, cd);
1069 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
1070 password, passwordLen);
1074 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
1075 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
1076 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
1077 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
1078 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
1079 log_std("MK bits: \t%d\n", (int)vk_size * 8);
1080 log_std("MK dump:\t");
1082 for(i = 0; i < vk_size; i++) {
1085 log_std("%02hhx ", (char)vk[i]);
1090 crypt_safe_free(password);
1091 crypt_safe_free(vk);
1095 static int action_luksDump(int arg __attribute__((unused)))
1097 struct crypt_device *cd = NULL;
1100 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1103 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1106 if (opt_dump_master_key)
1107 r = luksDump_with_volume_key(cd);
1115 static int action_luksSuspend(int arg __attribute__((unused)))
1117 struct crypt_device *cd = NULL;
1120 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
1122 r = crypt_suspend(cd, action_argv[0]);
1128 static int action_luksResume(int arg __attribute__((unused)))
1130 struct crypt_device *cd = NULL;
1133 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1136 crypt_set_timeout(cd, opt_timeout);
1137 crypt_set_password_retry(cd, opt_tries);
1138 crypt_set_password_verify(cd, _verify_passphrase(0));
1141 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1142 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1144 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1151 static int action_luksBackup(int arg __attribute__((unused)))
1153 struct crypt_device *cd = NULL;
1156 if (!opt_header_backup_file) {
1157 log_err(_("Option --header-backup-file is required.\n"));
1161 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1164 crypt_set_confirm_callback(cd, yesDialog, NULL);
1166 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1172 static int action_luksRestore(int arg __attribute__((unused)))
1174 struct crypt_device *cd = NULL;
1177 if (!opt_header_backup_file) {
1178 log_err(_("Option --header-backup-file is required.\n"));
1182 if ((r = crypt_init(&cd, action_argv[0])))
1185 crypt_set_confirm_callback(cd, yesDialog, NULL);
1186 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1192 static void help(poptContext popt_context,
1193 enum poptCallbackReason reason __attribute__((unused)),
1194 struct poptOption *key,
1195 const char *arg __attribute__((unused)),
1196 void *data __attribute__((unused)))
1198 if (key->shortName == '?') {
1199 struct action_type *action;
1201 log_std("%s\n",PACKAGE_STRING);
1203 poptPrintHelp(popt_context, stdout, 0);
1206 "<action> is one of:\n"));
1208 for(action = action_types; action->type; action++)
1209 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1212 "<name> is the device to create under %s\n"
1213 "<device> is the encrypted device\n"
1214 "<key slot> is the LUKS key slot number to modify\n"
1215 "<key file> optional key file for the new key for luksAddKey action\n"),
1218 log_std(_("\nDefault compiled-in key and passphrase parameters:\n"
1219 "\tMaximum keyfile size: %dkB, "
1220 "Maximum interactive passphrase length %d (characters)\n"
1221 "Default PBKDF2 iteration time for LUKS: %d (ms)\n"),
1222 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX,
1223 DEFAULT_LUKS1_ITER_TIME);
1225 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1226 "\tloop-AES: %s, Key %d bits\n"
1227 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1228 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1229 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1230 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1231 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1235 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1238 static int run_action(struct action_type *action)
1242 log_dbg("Running command %s.", action->type);
1244 if (action->required_memlock)
1245 crypt_memory_lock(NULL, 1);
1247 r = action->handler(action->arg);
1249 if (action->required_memlock)
1250 crypt_memory_lock(NULL, 0);
1252 /* Some functions returns keyslot # */
1257 return translate_errno(r);
1260 int main(int argc, const char **argv)
1262 static char *popt_tmp;
1263 static struct poptOption popt_help_options[] = {
1264 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1265 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1266 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1269 static struct poptOption popt_options[] = {
1270 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1271 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1272 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1273 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1274 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1275 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1276 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1277 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 5, N_("Read the key from a file."), NULL },
1278 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1279 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1280 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1281 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1282 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1283 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1284 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1285 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1286 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1287 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1288 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1289 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1290 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1291 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1292 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1293 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1294 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1295 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1296 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1297 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1298 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1299 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1300 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1301 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1302 { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
1303 { "hidden", '\0', POPT_ARG_NONE, &opt_hidden, 0, N_("Use hidden header (hiden TCRYPT device) ."), NULL },
1306 poptContext popt_context;
1307 struct action_type *action;
1311 crypt_set_log_callback(NULL, tool_log, NULL);
1313 setlocale(LC_ALL, "");
1314 bindtextdomain(PACKAGE, LOCALEDIR);
1315 textdomain(PACKAGE);
1317 crypt_fips_self_check(NULL);
1319 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1320 poptSetOtherOptionHelp(popt_context,
1321 _("[OPTION...] <action> <action-specific>"));
1323 while((r = poptGetNextOpt(popt_context)) > 0) {
1324 unsigned long long ull_value;
1328 if (opt_keyfiles_count < MAX_KEYFILES)
1329 opt_keyfiles[opt_keyfiles_count++] = poptGetOptArg(popt_context);
1334 ull_value = strtoull(popt_tmp, &endp, 0);
1335 if (*endp || !*popt_tmp ||
1336 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1337 (errno != 0 && ull_value == 0))
1338 r = POPT_ERROR_BADNUMBER;
1342 opt_size = ull_value;
1345 opt_offset = ull_value;
1348 opt_skip = ull_value;
1358 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1359 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1360 if (opt_version_mode) {
1361 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1362 poptFreeContext(popt_context);
1366 if (!(aname = poptGetArg(popt_context)))
1367 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1368 poptGetInvocationName(popt_context));
1369 for(action = action_types; action->type; action++)
1370 if (strcmp(action->type, aname) == 0)
1373 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1374 poptGetInvocationName(popt_context));
1377 action_argv = poptGetArgs(popt_context);
1378 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1380 action_argv = null_action_argv;
1382 /* Count args, somewhat unnice, change? */
1383 while(action_argv[action_argc] != NULL)
1386 if(action_argc < action->required_action_argc) {
1388 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1389 usage(popt_context, EXIT_FAILURE, buf,
1390 poptGetInvocationName(popt_context));
1393 /* FIXME: rewrite this from scratch */
1395 if (opt_shared && strcmp(aname, "create"))
1396 usage(popt_context, EXIT_FAILURE,
1397 _("Option --shared is allowed only for create operation.\n"),
1398 poptGetInvocationName(popt_context));
1400 if (opt_allow_discards &&
1401 strcmp(aname, "luksOpen") &&
1402 strcmp(aname, "create") &&
1403 strcmp(aname, "loopaesOpen"))
1404 usage(popt_context, EXIT_FAILURE,
1405 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1406 poptGetInvocationName(popt_context));
1409 strcmp(aname, "luksFormat") &&
1410 strcmp(aname, "create") &&
1411 strcmp(aname, "loopaesOpen") &&
1412 strcmp(aname, "benchmark"))
1413 usage(popt_context, EXIT_FAILURE,
1414 _("Option --key-size is allowed only for luksFormat, create, loopaesOpen and benchmark.\n"
1415 "To limit read from keyfile use --keyfile-size=(bytes)."),
1416 poptGetInvocationName(popt_context));
1418 if (opt_test_passphrase &&
1419 strcmp(aname, "luksOpen") &&
1420 strcmp(aname, "tcryptOpen"))
1421 usage(popt_context, EXIT_FAILURE,
1422 _("Option --test-passphrase is allowed only for luksOpen and tcryptOpen.\n"),
1423 poptGetInvocationName(popt_context));
1425 if (opt_key_size % 8)
1426 usage(popt_context, EXIT_FAILURE,
1427 _("Key size must be a multiple of 8 bits"),
1428 poptGetInvocationName(popt_context));
1430 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1431 opt_key_slot = atoi(action_argv[1]);
1432 if (opt_key_slot != CRYPT_ANY_SLOT &&
1433 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1434 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1435 poptGetInvocationName(popt_context));
1437 if ((!strcmp(aname, "luksRemoveKey") ||
1438 !strcmp(aname, "luksFormat")) &&
1441 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1443 opt_key_file = action_argv[1];
1446 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1447 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0)
1448 usage(popt_context, EXIT_FAILURE,
1449 _("Negative number for option not permitted."),
1450 poptGetInvocationName(popt_context));
1452 if (opt_random && opt_urandom)
1453 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1454 poptGetInvocationName(popt_context));
1456 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1457 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1458 poptGetInvocationName(popt_context));
1460 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1461 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1462 poptGetInvocationName(popt_context));
1464 if (opt_align_payload && strcmp(aname, "luksFormat"))
1465 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1466 poptGetInvocationName(popt_context));
1468 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1469 usage(popt_context, EXIT_FAILURE,
1470 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1471 poptGetInvocationName(popt_context));
1473 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1474 usage(popt_context, EXIT_FAILURE,
1475 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1476 poptGetInvocationName(popt_context));
1478 if (opt_hidden && strcmp(aname, "tcryptOpen") && strcmp(aname, "tcryptDump"))
1479 usage(popt_context, EXIT_FAILURE,
1480 _("Option --hidden is supported only for TCRYPT commands.\n"),
1481 poptGetInvocationName(popt_context));
1485 crypt_set_debug_level(-1);
1486 dbg_version_and_cmd(argc, argv);
1489 r = run_action(action);
1490 poptFreeContext(popt_context);