12 #include <libcryptsetup.h>
15 #include "../config.h"
17 #include "cryptsetup.h"
19 static int opt_verbose = 0;
20 static int opt_debug = 0;
21 static char *opt_cipher = NULL;
22 static char *opt_hash = NULL;
23 static int opt_verify_passphrase = 0;
24 static char *opt_key_file = NULL;
25 static char *opt_master_key_file = NULL;
26 static char *opt_header_backup_file = NULL;
27 static char *opt_uuid = NULL;
28 static unsigned int opt_key_size = 0;
29 static unsigned int opt_keyfile_size = 0;
30 static unsigned int opt_new_keyfile_size = 0;
31 static int opt_key_slot = CRYPT_ANY_SLOT;
32 static uint64_t opt_size = 0;
33 static uint64_t opt_offset = 0;
34 static uint64_t opt_skip = 0;
35 static int opt_readonly = 0;
36 static int opt_iteration_time = 1000;
37 static int opt_batch_mode = 0;
38 static int opt_version_mode = 0;
39 static int opt_timeout = 0;
40 static int opt_tries = 3;
41 static int opt_align_payload = 0;
42 static int opt_random = 0;
43 static int opt_urandom = 0;
44 static int opt_dump_master_key = 0;
46 static const char **action_argv;
47 static int action_argc;
49 static int action_create(int arg);
50 static int action_remove(int arg);
51 static int action_resize(int arg);
52 static int action_status(int arg);
53 static int action_luksFormat(int arg);
54 static int action_luksOpen(int arg);
55 static int action_luksAddKey(int arg);
56 static int action_luksKillSlot(int arg);
57 static int action_luksRemoveKey(int arg);
58 static int action_luksChangeKey(int arg);
59 static int action_isLuks(int arg);
60 static int action_luksUUID(int arg);
61 static int action_luksDump(int arg);
62 static int action_luksSuspend(int arg);
63 static int action_luksResume(int arg);
64 static int action_luksBackup(int arg);
65 static int action_luksRestore(int arg);
66 static int action_loopaesOpen(int arg);
68 static struct action_type {
72 int required_action_argc;
77 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
78 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
79 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
80 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
81 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
82 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
83 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
84 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
85 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
86 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
87 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
88 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
89 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
90 { "luksDump", action_luksDump, 0, 1, 0, N_("<device>"), N_("dump LUKS partition information") },
91 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
92 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
93 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
94 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
95 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
96 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
97 { NULL, NULL, 0, 0, 0, NULL, NULL }
100 static void clogger(struct crypt_device *cd, int level, const char *file,
101 int line, const char *format, ...)
106 va_start(argp, format);
108 if (vasprintf(&target, format, argp) > 0) {
110 crypt_log(cd, level, target);
112 } else if (opt_debug)
113 printf("# %s:%d %s\n", file ?: "?", line, target);
115 } else if (opt_debug)
116 printf("# %s\n", target);
124 static int _yesDialog(const char *msg, void *usrptr)
130 if(isatty(0) && !opt_batch_mode) {
131 log_std("\nWARNING!\n========\n");
132 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
133 if(getline(&answer, &size, stdin) == -1) {
138 if(strcmp(answer, "YES\n"))
146 static void _log(int level, const char *msg, void *usrptr)
150 case CRYPT_LOG_NORMAL:
153 case CRYPT_LOG_VERBOSE:
157 case CRYPT_LOG_ERROR:
161 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
166 static void show_status(int errcode)
168 char error[256], *error_;
174 log_std(_("Command successful.\n"));
178 crypt_get_error(error, sizeof(error));
181 error_ = strerror_r(-errcode, error, sizeof(error));
182 if (error_ != error) {
183 strncpy(error, error_, sizeof(error));
184 error[sizeof(error) - 1] = '\0';
188 log_err(_("Command failed with code %i"), -errcode);
190 log_err(": %s\n", error);
195 static int action_create(int arg)
197 struct crypt_device *cd = NULL;
198 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
199 struct crypt_params_plain params = {
200 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
202 .offset = opt_offset,
204 char *password = NULL;
205 unsigned int passwordLen;
206 unsigned int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
209 if (params.hash && !strcmp(params.hash, "plain"))
212 /* FIXME: temporary hack */
213 if (opt_key_file && strcmp(opt_key_file, "-"))
216 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
217 cipher, NULL, cipher_mode);
219 log_err("No known cipher specification pattern detected.\n");
223 if ((r = crypt_init(&cd, action_argv[1])))
226 crypt_set_timeout(cd, opt_timeout);
227 crypt_set_password_retry(cd, opt_tries);
229 r = crypt_format(cd, CRYPT_PLAIN,
238 r = crypt_activate_by_keyfile(cd, action_argv[0],
239 CRYPT_ANY_SLOT, opt_key_file, key_size,
240 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
242 r = crypt_get_key(_("Enter passphrase: "),
243 &password, &passwordLen, 0, NULL,
245 opt_batch_mode ? 0 : opt_verify_passphrase,
250 r = crypt_activate_by_passphrase(cd, action_argv[0],
251 CRYPT_ANY_SLOT, password, passwordLen,
252 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
256 crypt_safe_free(password);
261 static int action_loopaesOpen(int arg)
263 struct crypt_device *cd = NULL;
264 struct crypt_params_loopaes params = {
265 .hash = opt_hash ?: NULL, // FIXME
266 .offset = opt_offset,
268 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
272 log_err(_("Option --key-file is required.\n"));
276 if ((r = crypt_init(&cd, action_argv[0])))
279 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
280 NULL, NULL, NULL, key_size, ¶ms);
284 r = crypt_activate_by_keyfile(cd, action_argv[1],
285 CRYPT_ANY_SLOT, opt_key_file, 0,
286 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
293 static int action_remove(int arg)
295 struct crypt_device *cd = NULL;
298 r = crypt_init_by_name(&cd, action_argv[0]);
300 r = crypt_deactivate(cd, action_argv[0]);
306 static int action_resize(int arg)
308 struct crypt_device *cd = NULL;
311 r = crypt_init_by_name(&cd, action_argv[0]);
313 r = crypt_resize(cd, action_argv[0], opt_size);
319 static int action_status(int arg)
321 crypt_status_info ci;
322 struct crypt_active_device cad;
323 struct crypt_device *cd = NULL;
328 ci = crypt_status(NULL, action_argv[0]);
334 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
338 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
339 ci == CRYPT_BUSY ? " and is in use" : "");
340 r = crypt_init_by_name(&cd, action_argv[0]);
341 if (r < 0 || !crypt_get_type(cd))
344 log_std(" type: %s\n", crypt_get_type(cd));
346 r = crypt_get_active_device(cd, action_argv[0], &cad);
350 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
351 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
352 device = crypt_get_device_name(cd);
353 log_std(" device: %s\n", device);
354 if (crypt_loop_device(device)) {
355 backing_file = crypt_loop_backing_file(device);
356 log_std(" loop: %s\n", backing_file);
359 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
360 log_std(" size: %" PRIu64 " sectors\n", cad.size);
362 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
363 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
364 "readonly" : "read/write");
371 static int _read_mk(const char *file, char **key, int keysize)
375 *key = crypt_safe_alloc(keysize);
379 fd = open(file, O_RDONLY);
381 log_err("Cannot read keyfile %s.\n", file);
384 if ((read(fd, *key, keysize) != keysize)) {
385 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
392 crypt_safe_free(*key);
397 static int action_luksFormat(int arg)
399 int r = -EINVAL, keysize;
400 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
401 char *password = NULL;
402 unsigned int passwordLen;
403 struct crypt_device *cd = NULL;
404 struct crypt_params_luks1 params = {
405 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
406 .data_alignment = opt_align_payload,
409 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
410 log_err(_("memory allocation error in action_luksFormat"));
414 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
419 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
420 cipher, NULL, cipher_mode);
422 log_err("No known cipher specification pattern detected.\n");
426 if ((r = crypt_init(&cd, action_argv[0])))
429 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
431 crypt_set_password_verify(cd, 1);
432 crypt_set_timeout(cd, opt_timeout);
433 if (opt_iteration_time)
434 crypt_set_iterarion_time(cd, opt_iteration_time);
437 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
438 else if (opt_urandom)
439 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
441 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
442 opt_keyfile_size, opt_key_file, opt_timeout,
443 opt_batch_mode ? 0 : 1 /* always verify */, cd);
447 if (opt_master_key_file) {
448 r = _read_mk(opt_master_key_file, &key, keysize);
453 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
454 opt_uuid, key, keysize, ¶ms);
458 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
460 password, passwordLen);
463 crypt_safe_free(key);
464 crypt_safe_free(password);
469 static int action_luksOpen(int arg)
471 struct crypt_device *cd = NULL;
475 if ((r = crypt_init(&cd, action_argv[0])))
478 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
481 crypt_set_timeout(cd, opt_timeout);
482 crypt_set_password_retry(cd, opt_tries);
484 if (opt_iteration_time)
485 crypt_set_iterarion_time(cd, opt_iteration_time);
487 flags |= CRYPT_ACTIVATE_READONLY;
490 crypt_set_password_retry(cd, 1);
491 r = crypt_activate_by_keyfile(cd, action_argv[1],
492 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
495 r = crypt_activate_by_passphrase(cd, action_argv[1],
496 CRYPT_ANY_SLOT, NULL, 0, flags);
502 static int verify_keyslot(struct crypt_device *cd, int key_slot,
503 char *msg_last, char *msg_pass,
504 const char *key_file, int keyfile_size)
506 crypt_keyslot_info ki;
507 char *password = NULL;
508 unsigned int passwordLen, i;
511 ki = crypt_keyslot_status(cd, key_slot);
512 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
515 r = crypt_get_key(msg_pass, &password, &passwordLen,
516 keyfile_size, key_file, opt_timeout,
517 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
521 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
522 /* check the last keyslot */
523 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
524 password, passwordLen, 0);
526 /* try all other keyslots */
527 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
530 ki = crypt_keyslot_status(cd, key_slot);
531 if (ki == CRYPT_SLOT_ACTIVE)
532 r = crypt_activate_by_passphrase(cd, NULL, i,
533 password, passwordLen, 0);
540 log_err(_("No key available with this passphrase.\n"));
542 crypt_safe_free(password);
546 static int action_luksKillSlot(int arg)
548 struct crypt_device *cd = NULL;
551 if ((r = crypt_init(&cd, action_argv[0])))
554 crypt_set_confirm_callback(cd, _yesDialog, NULL);
555 crypt_set_timeout(cd, opt_timeout);
557 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
560 switch (crypt_keyslot_status(cd, opt_key_slot)) {
561 case CRYPT_SLOT_ACTIVE_LAST:
562 case CRYPT_SLOT_ACTIVE:
563 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
565 case CRYPT_SLOT_INACTIVE:
566 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
567 case CRYPT_SLOT_INVALID:
571 if (!opt_batch_mode) {
572 r = verify_keyslot(cd, opt_key_slot,
573 _("This is the last keyslot. Device will become unusable after purging this key."),
574 _("Enter any remaining LUKS passphrase: "),
575 opt_key_file, opt_keyfile_size);
580 r = crypt_keyslot_destroy(cd, opt_key_slot);
586 static int action_luksRemoveKey(int arg)
588 struct crypt_device *cd = NULL;
589 char *password = NULL;
590 unsigned int passwordLen;
593 if ((r = crypt_init(&cd, action_argv[0])))
596 crypt_set_confirm_callback(cd, _yesDialog, NULL);
597 crypt_set_timeout(cd, opt_timeout);
599 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
602 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
603 &password, &passwordLen,
604 opt_keyfile_size, opt_key_file,
606 opt_batch_mode ? 0 : opt_verify_passphrase,
611 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
612 password, passwordLen, 0);
617 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
619 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
620 !_yesDialog(_("This is the last keyslot. "
621 "Device will become unusable after purging this key."),
627 r = crypt_keyslot_destroy(cd, opt_key_slot);
629 crypt_safe_free(password);
634 static int action_luksAddKey(int arg)
636 int r = -EINVAL, keysize = 0;
638 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
639 struct crypt_device *cd = NULL;
641 if ((r = crypt_init(&cd, action_argv[0])))
644 crypt_set_confirm_callback(cd, _yesDialog, NULL);
646 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
649 keysize = crypt_get_volume_key_size(cd);
650 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
651 crypt_set_timeout(cd, opt_timeout);
652 if (opt_iteration_time)
653 crypt_set_iterarion_time(cd, opt_iteration_time);
655 if (opt_master_key_file) {
656 r = _read_mk(opt_master_key_file, &key, keysize);
659 //FIXME: process keyfile arg
660 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
661 key, keysize, NULL, 0);
662 } else if (opt_key_file || opt_new_key_file) {
663 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
664 opt_key_file, opt_keyfile_size,
665 opt_new_key_file, opt_new_keyfile_size);
667 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
672 crypt_safe_free(key);
676 static int _slots_full(struct crypt_device *cd)
680 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
681 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
686 static int action_luksChangeKey(int arg)
688 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
689 struct crypt_device *cd = NULL;
690 char *vk = NULL, *password = NULL;
691 unsigned int passwordLen = 0;
693 int new_key_slot, old_key_slot, r;
695 if ((r = crypt_init(&cd, action_argv[0])))
698 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
701 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
702 &password, &passwordLen,
703 opt_keyfile_size, opt_key_file, opt_timeout,
704 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
708 vk_size = crypt_get_volume_key_size(cd);
709 vk = crypt_safe_alloc(vk_size);
715 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
716 password, passwordLen);
718 if (opt_key_slot != CRYPT_ANY_SLOT)
719 log_err(_("No key available with this passphrase.\n"));
723 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
724 log_dbg("Key slot %d is going to be overwritten (%s).",
725 r, opt_key_slot != CRYPT_ANY_SLOT ?
726 "explicit key slot specified" : "no free key slot");
730 log_dbg("Allocating new key slot.");
732 new_key_slot = CRYPT_ANY_SLOT;
735 crypt_safe_free(password);
738 r = crypt_get_key(_("Enter new LUKS passphrase: "),
739 &password, &passwordLen,
740 opt_new_keyfile_size, opt_new_key_file,
741 opt_timeout, opt_batch_mode ? 0 : 1, cd);
745 if (new_key_slot == old_key_slot) {
746 (void)crypt_keyslot_destroy(cd, old_key_slot);
747 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
749 password, passwordLen);
751 log_verbose(_("Key slot %d changed.\n"), r);
753 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
755 password, passwordLen);
757 log_verbose(_("Replaced with key slot %d.\n"), r);
758 r = crypt_keyslot_destroy(cd, old_key_slot);
762 log_err(_("Failed to swap new key slot.\n"));
765 crypt_safe_free(password);
770 static int action_isLuks(int arg)
772 struct crypt_device *cd = NULL;
775 if ((r = crypt_init(&cd, action_argv[0])))
778 r = crypt_load(cd, CRYPT_LUKS1, NULL);
784 static int action_luksUUID(int arg)
786 struct crypt_device *cd = NULL;
787 const char *existing_uuid = NULL;
790 if ((r = crypt_init(&cd, action_argv[0])))
793 crypt_set_confirm_callback(cd, _yesDialog, NULL);
795 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
799 r = crypt_set_uuid(cd, opt_uuid);
801 existing_uuid = crypt_get_uuid(cd);
802 log_std("%s\n", existing_uuid ?: "");
803 r = existing_uuid ? 0 : 1;
810 static int luksDump_with_volume_key(struct crypt_device *cd)
812 char *vk = NULL, *password = NULL;
813 unsigned int passwordLen = 0;
817 crypt_set_confirm_callback(cd, _yesDialog, NULL);
819 _("LUKS header dump with volume key is sensitive information\n"
820 "which allows access to encrypted partition without passphrase.\n"
821 "This dump should be always stored encrypted on safe place."),
825 vk_size = crypt_get_volume_key_size(cd);
826 vk = crypt_safe_alloc(vk_size);
830 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
831 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
835 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
836 password, passwordLen);
840 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
841 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
842 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
843 log_std("Payload offset:\t%d\n", crypt_get_data_offset(cd));
844 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
845 log_std("MK bits: \t%d\n", vk_size * 8);
846 log_std("MK dump:\t");
848 for(i = 0; i < vk_size; i++) {
851 log_std("%02hhx ", (char)vk[i]);
856 crypt_safe_free(password);
861 static int action_luksDump(int arg)
863 struct crypt_device *cd = NULL;
866 if ((r = crypt_init(&cd, action_argv[0])))
869 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
872 if (opt_dump_master_key)
873 r = luksDump_with_volume_key(cd);
881 static int action_luksSuspend(int arg)
883 struct crypt_device *cd = NULL;
886 r = crypt_init_by_name(&cd, action_argv[0]);
888 r = crypt_suspend(cd, action_argv[0]);
894 static int action_luksResume(int arg)
896 struct crypt_device *cd = NULL;
899 if ((r = crypt_init_by_name(&cd, action_argv[0])))
902 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
906 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
907 opt_key_file, opt_keyfile_size);
909 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
916 static int action_luksBackup(int arg)
918 struct crypt_device *cd = NULL;
921 if (!opt_header_backup_file) {
922 log_err(_("Option --header-backup-file is required.\n"));
926 if ((r = crypt_init(&cd, action_argv[0])))
929 crypt_set_confirm_callback(cd, _yesDialog, NULL);
931 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
937 static int action_luksRestore(int arg)
939 struct crypt_device *cd = NULL;
942 if (!opt_header_backup_file) {
943 log_err(_("Option --header-backup-file is required.\n"));
947 if ((r = crypt_init(&cd, action_argv[0])))
950 crypt_set_confirm_callback(cd, _yesDialog, NULL);
951 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
957 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
958 int exitcode, const char *error,
961 poptPrintUsage(popt_context, stderr, 0);
963 log_err("%s: %s\n", more, error);
967 static void help(poptContext popt_context, enum poptCallbackReason reason,
968 struct poptOption *key, const char * arg, void *data)
970 if (key->shortName == '?') {
971 struct action_type *action;
973 log_std("%s\n",PACKAGE_STRING);
975 poptPrintHelp(popt_context, stdout, 0);
978 "<action> is one of:\n"));
980 for(action = action_types; action->type; action++)
981 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
984 "<name> is the device to create under %s\n"
985 "<device> is the encrypted device\n"
986 "<key slot> is the LUKS key slot number to modify\n"
987 "<key file> optional key file for the new key for luksAddKey action\n"),
990 log_std(_("\nDefault compiled-in device cipher parameters:\n"
991 "\tloop-AES: %s, Key %d bits\n"
992 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
993 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
994 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
995 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
996 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1000 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1003 static void _dbg_version_and_cmd(int argc, char **argv)
1007 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1008 for (i = 0; i < argc; i++) {
1016 static int run_action(struct action_type *action)
1020 log_dbg("Running command %s.", action->type);
1022 if (action->required_memlock)
1023 crypt_memory_lock(NULL, 1);
1025 r = action->handler(action->arg);
1027 if (action->required_memlock)
1028 crypt_memory_lock(NULL, 0);
1030 /* Some functions returns keyslot # */
1036 /* Translate exit code to simple codes */
1038 case 0: r = EXIT_SUCCESS; break;
1040 case -EBUSY: r = 5; break;
1042 case -ENODEV: r = 4; break;
1043 case -ENOMEM: r = 3; break;
1044 case -EPERM: r = 2; break;
1048 default: r = EXIT_FAILURE;
1053 int main(int argc, char **argv)
1055 static char *popt_tmp;
1056 static struct poptOption popt_help_options[] = {
1057 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1058 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1059 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1062 static struct poptOption popt_options[] = {
1063 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1064 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1065 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1066 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1067 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1068 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1069 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1070 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1071 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1072 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1073 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1074 { "keyfile-size", 'l', POPT_ARG_INT, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1075 { "new-keyfile-size", '\0', POPT_ARG_INT, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1076 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1077 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1078 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1079 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1080 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1081 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1082 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1083 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1084 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1085 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1086 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1087 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1088 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1089 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1092 poptContext popt_context;
1093 struct action_type *action;
1096 const char *null_action_argv[] = {NULL};
1098 crypt_set_log_callback(NULL, _log, NULL);
1100 setlocale(LC_ALL, "");
1101 bindtextdomain(PACKAGE, LOCALEDIR);
1102 textdomain(PACKAGE);
1104 popt_context = poptGetContext(PACKAGE, argc, (const char **)argv,
1106 poptSetOtherOptionHelp(popt_context,
1107 N_("[OPTION...] <action> <action-specific>]"));
1109 while((r = poptGetNextOpt(popt_context)) > 0) {
1110 unsigned long long ull_value;
1113 ull_value = strtoull(popt_tmp, &endp, 0);
1114 if (*endp || !*popt_tmp)
1115 r = POPT_ERROR_BADNUMBER;
1119 opt_size = ull_value;
1122 opt_offset = ull_value;
1125 opt_skip = ull_value;
1134 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1135 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1136 if (opt_version_mode) {
1137 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1141 if (!(aname = (char *)poptGetArg(popt_context)))
1142 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1143 poptGetInvocationName(popt_context));
1144 for(action = action_types; action->type; action++)
1145 if (strcmp(action->type, aname) == 0)
1148 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1149 poptGetInvocationName(popt_context));
1152 action_argv = poptGetArgs(popt_context);
1153 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1155 action_argv = null_action_argv;
1157 /* Count args, somewhat unnice, change? */
1158 while(action_argv[action_argc] != NULL)
1161 if(action_argc < action->required_action_argc) {
1163 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1164 usage(popt_context, EXIT_FAILURE, buf,
1165 poptGetInvocationName(popt_context));
1168 /* FIXME: rewrite this from scratch */
1171 strcmp(aname, "luksFormat") &&
1172 strcmp(aname, "create") &&
1173 strcmp(aname, "loopaesOpen")) {
1174 usage(popt_context, EXIT_FAILURE,
1175 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1176 "To limit read from keyfile use --keyfile-size=(bytes)."),
1177 poptGetInvocationName(popt_context));
1180 if (opt_key_size % 8)
1181 usage(popt_context, EXIT_FAILURE,
1182 _("Key size must be a multiple of 8 bits"),
1183 poptGetInvocationName(popt_context));
1185 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1186 opt_key_slot = atoi(action_argv[1]);
1187 if (opt_key_slot != CRYPT_ANY_SLOT &&
1188 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1189 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1190 poptGetInvocationName(popt_context));
1192 if ((!strcmp(aname, "luksRemoveKey") ||
1193 !strcmp(aname, "luksFormat")) &&
1196 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1198 opt_key_file = (char*)action_argv[1];
1201 if (opt_random && opt_urandom)
1202 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1203 poptGetInvocationName(popt_context));
1204 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1205 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1206 poptGetInvocationName(popt_context));
1208 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1209 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1210 poptGetInvocationName(popt_context));
1212 if ((opt_offset || opt_skip) && strcmp(aname, "create"))
1213 usage(popt_context, EXIT_FAILURE, _("Options --offset and --skip are supported only for create command.\n"),
1214 poptGetInvocationName(popt_context));
1218 crypt_set_debug_level(-1);
1219 _dbg_version_and_cmd(argc, argv);
1222 return run_action(action);