2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
33 #include <libcryptsetup.h>
36 #include "../config.h"
38 #include "cryptsetup.h"
40 static int opt_verbose = 0;
41 static int opt_debug = 0;
42 static char *opt_cipher = NULL;
43 static char *opt_hash = NULL;
44 static int opt_verify_passphrase = 0;
45 static char *opt_key_file = NULL;
46 static char *opt_master_key_file = NULL;
47 static char *opt_header_backup_file = NULL;
48 static char *opt_uuid = NULL;
49 static unsigned int opt_key_size = 0;
50 static unsigned int opt_keyfile_size = 0;
51 static unsigned int opt_new_keyfile_size = 0;
52 static int opt_key_slot = CRYPT_ANY_SLOT;
53 static uint64_t opt_size = 0;
54 static uint64_t opt_offset = 0;
55 static uint64_t opt_skip = 0;
56 static int opt_readonly = 0;
57 static int opt_iteration_time = 1000;
58 static int opt_batch_mode = 0;
59 static int opt_version_mode = 0;
60 static int opt_timeout = 0;
61 static int opt_tries = 3;
62 static int opt_align_payload = 0;
63 static int opt_random = 0;
64 static int opt_urandom = 0;
65 static int opt_dump_master_key = 0;
67 static const char **action_argv;
68 static int action_argc;
70 static int action_create(int arg);
71 static int action_remove(int arg);
72 static int action_resize(int arg);
73 static int action_status(int arg);
74 static int action_luksFormat(int arg);
75 static int action_luksOpen(int arg);
76 static int action_luksAddKey(int arg);
77 static int action_luksKillSlot(int arg);
78 static int action_luksRemoveKey(int arg);
79 static int action_luksChangeKey(int arg);
80 static int action_isLuks(int arg);
81 static int action_luksUUID(int arg);
82 static int action_luksDump(int arg);
83 static int action_luksSuspend(int arg);
84 static int action_luksResume(int arg);
85 static int action_luksBackup(int arg);
86 static int action_luksRestore(int arg);
87 static int action_loopaesOpen(int arg);
89 static struct action_type {
93 int required_action_argc;
98 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
99 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
100 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
101 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
102 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
103 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
104 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
105 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
106 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
107 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
108 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
109 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
110 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
111 { "luksDump", action_luksDump, 0, 1, 0, N_("<device>"), N_("dump LUKS partition information") },
112 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
113 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
114 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
115 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
116 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
117 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
118 { NULL, NULL, 0, 0, 0, NULL, NULL }
121 static void clogger(struct crypt_device *cd, int level, const char *file,
122 int line, const char *format, ...)
127 va_start(argp, format);
129 if (vasprintf(&target, format, argp) > 0) {
131 crypt_log(cd, level, target);
133 } else if (opt_debug)
134 printf("# %s:%d %s\n", file ?: "?", line, target);
136 } else if (opt_debug)
137 printf("# %s\n", target);
145 static int _yesDialog(const char *msg, void *usrptr)
151 if(isatty(0) && !opt_batch_mode) {
152 log_std("\nWARNING!\n========\n");
153 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
154 if(getline(&answer, &size, stdin) == -1) {
159 if(strcmp(answer, "YES\n"))
167 static void _log(int level, const char *msg, void *usrptr)
171 case CRYPT_LOG_NORMAL:
174 case CRYPT_LOG_VERBOSE:
178 case CRYPT_LOG_ERROR:
182 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
187 static void show_status(int errcode)
189 char error[256], *error_;
195 log_std(_("Command successful.\n"));
199 crypt_get_error(error, sizeof(error));
202 error_ = strerror_r(-errcode, error, sizeof(error));
203 if (error_ != error) {
204 strncpy(error, error_, sizeof(error));
205 error[sizeof(error) - 1] = '\0';
209 log_err(_("Command failed with code %i"), -errcode);
211 log_err(": %s\n", error);
216 static int action_create(int arg)
218 struct crypt_device *cd = NULL;
219 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
220 struct crypt_params_plain params = {
221 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
223 .offset = opt_offset,
225 char *password = NULL;
226 unsigned int passwordLen;
227 unsigned int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
230 if (params.hash && !strcmp(params.hash, "plain"))
233 /* FIXME: temporary hack */
234 if (opt_key_file && strcmp(opt_key_file, "-"))
237 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
238 cipher, NULL, cipher_mode);
240 log_err("No known cipher specification pattern detected.\n");
244 if ((r = crypt_init(&cd, action_argv[1])))
247 crypt_set_timeout(cd, opt_timeout);
248 crypt_set_password_retry(cd, opt_tries);
250 r = crypt_format(cd, CRYPT_PLAIN,
259 r = crypt_activate_by_keyfile(cd, action_argv[0],
260 CRYPT_ANY_SLOT, opt_key_file, key_size,
261 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
263 r = crypt_get_key(_("Enter passphrase: "),
264 &password, &passwordLen, 0, NULL,
266 opt_batch_mode ? 0 : opt_verify_passphrase,
271 r = crypt_activate_by_passphrase(cd, action_argv[0],
272 CRYPT_ANY_SLOT, password, passwordLen,
273 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
277 crypt_safe_free(password);
282 static int action_loopaesOpen(int arg)
284 struct crypt_device *cd = NULL;
285 struct crypt_params_loopaes params = {
286 .hash = opt_hash ?: NULL, // FIXME
287 .offset = opt_offset,
289 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
293 log_err(_("Option --key-file is required.\n"));
297 if ((r = crypt_init(&cd, action_argv[0])))
300 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
301 NULL, NULL, NULL, key_size, ¶ms);
305 r = crypt_activate_by_keyfile(cd, action_argv[1],
306 CRYPT_ANY_SLOT, opt_key_file, 0,
307 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
314 static int action_remove(int arg)
316 struct crypt_device *cd = NULL;
319 r = crypt_init_by_name(&cd, action_argv[0]);
321 r = crypt_deactivate(cd, action_argv[0]);
327 static int action_resize(int arg)
329 struct crypt_device *cd = NULL;
332 r = crypt_init_by_name(&cd, action_argv[0]);
334 r = crypt_resize(cd, action_argv[0], opt_size);
340 static int action_status(int arg)
342 crypt_status_info ci;
343 struct crypt_active_device cad;
344 struct crypt_device *cd = NULL;
349 ci = crypt_status(NULL, action_argv[0]);
355 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
359 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
360 ci == CRYPT_BUSY ? " and is in use" : "");
361 r = crypt_init_by_name(&cd, action_argv[0]);
362 if (r < 0 || !crypt_get_type(cd))
365 log_std(" type: %s\n", crypt_get_type(cd));
367 r = crypt_get_active_device(cd, action_argv[0], &cad);
371 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
372 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
373 device = crypt_get_device_name(cd);
374 log_std(" device: %s\n", device);
375 if (crypt_loop_device(device)) {
376 backing_file = crypt_loop_backing_file(device);
377 log_std(" loop: %s\n", backing_file);
380 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
381 log_std(" size: %" PRIu64 " sectors\n", cad.size);
383 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
384 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
385 "readonly" : "read/write");
392 static int _read_mk(const char *file, char **key, int keysize)
396 *key = crypt_safe_alloc(keysize);
400 fd = open(file, O_RDONLY);
402 log_err("Cannot read keyfile %s.\n", file);
405 if ((read(fd, *key, keysize) != keysize)) {
406 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
413 crypt_safe_free(*key);
418 static int action_luksFormat(int arg)
420 int r = -EINVAL, keysize;
421 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
422 char *password = NULL;
423 unsigned int passwordLen;
424 struct crypt_device *cd = NULL;
425 struct crypt_params_luks1 params = {
426 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
427 .data_alignment = opt_align_payload,
430 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
431 log_err(_("memory allocation error in action_luksFormat"));
435 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
440 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
441 cipher, NULL, cipher_mode);
443 log_err("No known cipher specification pattern detected.\n");
447 if ((r = crypt_init(&cd, action_argv[0])))
450 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
452 crypt_set_password_verify(cd, 1);
453 crypt_set_timeout(cd, opt_timeout);
454 if (opt_iteration_time)
455 crypt_set_iterarion_time(cd, opt_iteration_time);
458 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
459 else if (opt_urandom)
460 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
462 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
463 opt_keyfile_size, opt_key_file, opt_timeout,
464 opt_batch_mode ? 0 : 1 /* always verify */, cd);
468 if (opt_master_key_file) {
469 r = _read_mk(opt_master_key_file, &key, keysize);
474 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
475 opt_uuid, key, keysize, ¶ms);
479 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
481 password, passwordLen);
484 crypt_safe_free(key);
485 crypt_safe_free(password);
490 static int action_luksOpen(int arg)
492 struct crypt_device *cd = NULL;
496 if ((r = crypt_init(&cd, action_argv[0])))
499 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
502 crypt_set_timeout(cd, opt_timeout);
503 crypt_set_password_retry(cd, opt_tries);
505 if (opt_iteration_time)
506 crypt_set_iterarion_time(cd, opt_iteration_time);
508 flags |= CRYPT_ACTIVATE_READONLY;
511 crypt_set_password_retry(cd, 1);
512 r = crypt_activate_by_keyfile(cd, action_argv[1],
513 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
516 r = crypt_activate_by_passphrase(cd, action_argv[1],
517 CRYPT_ANY_SLOT, NULL, 0, flags);
523 static int verify_keyslot(struct crypt_device *cd, int key_slot,
524 char *msg_last, char *msg_pass,
525 const char *key_file, int keyfile_size)
527 crypt_keyslot_info ki;
528 char *password = NULL;
529 unsigned int passwordLen, i;
532 ki = crypt_keyslot_status(cd, key_slot);
533 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
536 r = crypt_get_key(msg_pass, &password, &passwordLen,
537 keyfile_size, key_file, opt_timeout,
538 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
542 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
543 /* check the last keyslot */
544 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
545 password, passwordLen, 0);
547 /* try all other keyslots */
548 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
551 ki = crypt_keyslot_status(cd, key_slot);
552 if (ki == CRYPT_SLOT_ACTIVE)
553 r = crypt_activate_by_passphrase(cd, NULL, i,
554 password, passwordLen, 0);
561 log_err(_("No key available with this passphrase.\n"));
563 crypt_safe_free(password);
567 static int action_luksKillSlot(int arg)
569 struct crypt_device *cd = NULL;
572 if ((r = crypt_init(&cd, action_argv[0])))
575 crypt_set_confirm_callback(cd, _yesDialog, NULL);
576 crypt_set_timeout(cd, opt_timeout);
578 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
581 switch (crypt_keyslot_status(cd, opt_key_slot)) {
582 case CRYPT_SLOT_ACTIVE_LAST:
583 case CRYPT_SLOT_ACTIVE:
584 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
586 case CRYPT_SLOT_INACTIVE:
587 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
588 case CRYPT_SLOT_INVALID:
592 if (!opt_batch_mode) {
593 r = verify_keyslot(cd, opt_key_slot,
594 _("This is the last keyslot. Device will become unusable after purging this key."),
595 _("Enter any remaining LUKS passphrase: "),
596 opt_key_file, opt_keyfile_size);
601 r = crypt_keyslot_destroy(cd, opt_key_slot);
607 static int action_luksRemoveKey(int arg)
609 struct crypt_device *cd = NULL;
610 char *password = NULL;
611 unsigned int passwordLen;
614 if ((r = crypt_init(&cd, action_argv[0])))
617 crypt_set_confirm_callback(cd, _yesDialog, NULL);
618 crypt_set_timeout(cd, opt_timeout);
620 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
623 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
624 &password, &passwordLen,
625 opt_keyfile_size, opt_key_file,
627 opt_batch_mode ? 0 : opt_verify_passphrase,
632 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
633 password, passwordLen, 0);
638 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
640 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
641 !_yesDialog(_("This is the last keyslot. "
642 "Device will become unusable after purging this key."),
648 r = crypt_keyslot_destroy(cd, opt_key_slot);
650 crypt_safe_free(password);
655 static int action_luksAddKey(int arg)
657 int r = -EINVAL, keysize = 0;
659 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
660 struct crypt_device *cd = NULL;
662 if ((r = crypt_init(&cd, action_argv[0])))
665 crypt_set_confirm_callback(cd, _yesDialog, NULL);
667 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
670 keysize = crypt_get_volume_key_size(cd);
671 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
672 crypt_set_timeout(cd, opt_timeout);
673 if (opt_iteration_time)
674 crypt_set_iterarion_time(cd, opt_iteration_time);
676 if (opt_master_key_file) {
677 r = _read_mk(opt_master_key_file, &key, keysize);
680 //FIXME: process keyfile arg
681 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
682 key, keysize, NULL, 0);
683 } else if (opt_key_file || opt_new_key_file) {
684 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
685 opt_key_file, opt_keyfile_size,
686 opt_new_key_file, opt_new_keyfile_size);
688 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
693 crypt_safe_free(key);
697 static int _slots_full(struct crypt_device *cd)
701 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
702 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
707 static int action_luksChangeKey(int arg)
709 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
710 struct crypt_device *cd = NULL;
711 char *vk = NULL, *password = NULL;
712 unsigned int passwordLen = 0;
714 int new_key_slot, old_key_slot, r;
716 if ((r = crypt_init(&cd, action_argv[0])))
719 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
722 if (opt_iteration_time)
723 crypt_set_iterarion_time(cd, opt_iteration_time);
725 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
726 &password, &passwordLen,
727 opt_keyfile_size, opt_key_file, opt_timeout,
728 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
732 vk_size = crypt_get_volume_key_size(cd);
733 vk = crypt_safe_alloc(vk_size);
739 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
740 password, passwordLen);
742 if (opt_key_slot != CRYPT_ANY_SLOT)
743 log_err(_("No key available with this passphrase.\n"));
747 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
748 log_dbg("Key slot %d is going to be overwritten (%s).",
749 r, opt_key_slot != CRYPT_ANY_SLOT ?
750 "explicit key slot specified" : "no free key slot");
754 log_dbg("Allocating new key slot.");
756 new_key_slot = CRYPT_ANY_SLOT;
759 crypt_safe_free(password);
762 r = crypt_get_key(_("Enter new LUKS passphrase: "),
763 &password, &passwordLen,
764 opt_new_keyfile_size, opt_new_key_file,
765 opt_timeout, opt_batch_mode ? 0 : 1, cd);
769 if (new_key_slot == old_key_slot) {
770 (void)crypt_keyslot_destroy(cd, old_key_slot);
771 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
773 password, passwordLen);
775 log_verbose(_("Key slot %d changed.\n"), r);
777 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
779 password, passwordLen);
781 log_verbose(_("Replaced with key slot %d.\n"), r);
782 r = crypt_keyslot_destroy(cd, old_key_slot);
786 log_err(_("Failed to swap new key slot.\n"));
789 crypt_safe_free(password);
794 static int action_isLuks(int arg)
796 struct crypt_device *cd = NULL;
799 if ((r = crypt_init(&cd, action_argv[0])))
802 r = crypt_load(cd, CRYPT_LUKS1, NULL);
808 static int action_luksUUID(int arg)
810 struct crypt_device *cd = NULL;
811 const char *existing_uuid = NULL;
814 if ((r = crypt_init(&cd, action_argv[0])))
817 crypt_set_confirm_callback(cd, _yesDialog, NULL);
819 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
823 r = crypt_set_uuid(cd, opt_uuid);
825 existing_uuid = crypt_get_uuid(cd);
826 log_std("%s\n", existing_uuid ?: "");
827 r = existing_uuid ? 0 : 1;
834 static int luksDump_with_volume_key(struct crypt_device *cd)
836 char *vk = NULL, *password = NULL;
837 unsigned int passwordLen = 0;
841 crypt_set_confirm_callback(cd, _yesDialog, NULL);
843 _("LUKS header dump with volume key is sensitive information\n"
844 "which allows access to encrypted partition without passphrase.\n"
845 "This dump should be always stored encrypted on safe place."),
849 vk_size = crypt_get_volume_key_size(cd);
850 vk = crypt_safe_alloc(vk_size);
854 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
855 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
859 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
860 password, passwordLen);
864 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
865 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
866 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
867 log_std("Payload offset:\t%d\n", crypt_get_data_offset(cd));
868 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
869 log_std("MK bits: \t%d\n", vk_size * 8);
870 log_std("MK dump:\t");
872 for(i = 0; i < vk_size; i++) {
875 log_std("%02hhx ", (char)vk[i]);
880 crypt_safe_free(password);
885 static int action_luksDump(int arg)
887 struct crypt_device *cd = NULL;
890 if ((r = crypt_init(&cd, action_argv[0])))
893 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
896 if (opt_dump_master_key)
897 r = luksDump_with_volume_key(cd);
905 static int action_luksSuspend(int arg)
907 struct crypt_device *cd = NULL;
910 r = crypt_init_by_name(&cd, action_argv[0]);
912 r = crypt_suspend(cd, action_argv[0]);
918 static int action_luksResume(int arg)
920 struct crypt_device *cd = NULL;
923 if ((r = crypt_init_by_name(&cd, action_argv[0])))
926 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
930 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
931 opt_key_file, opt_keyfile_size);
933 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
940 static int action_luksBackup(int arg)
942 struct crypt_device *cd = NULL;
945 if (!opt_header_backup_file) {
946 log_err(_("Option --header-backup-file is required.\n"));
950 if ((r = crypt_init(&cd, action_argv[0])))
953 crypt_set_confirm_callback(cd, _yesDialog, NULL);
955 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
961 static int action_luksRestore(int arg)
963 struct crypt_device *cd = NULL;
966 if (!opt_header_backup_file) {
967 log_err(_("Option --header-backup-file is required.\n"));
971 if ((r = crypt_init(&cd, action_argv[0])))
974 crypt_set_confirm_callback(cd, _yesDialog, NULL);
975 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
981 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
982 int exitcode, const char *error,
985 poptPrintUsage(popt_context, stderr, 0);
987 log_err("%s: %s\n", more, error);
991 static void help(poptContext popt_context, enum poptCallbackReason reason,
992 struct poptOption *key, const char * arg, void *data)
994 if (key->shortName == '?') {
995 struct action_type *action;
997 log_std("%s\n",PACKAGE_STRING);
999 poptPrintHelp(popt_context, stdout, 0);
1002 "<action> is one of:\n"));
1004 for(action = action_types; action->type; action++)
1005 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1008 "<name> is the device to create under %s\n"
1009 "<device> is the encrypted device\n"
1010 "<key slot> is the LUKS key slot number to modify\n"
1011 "<key file> optional key file for the new key for luksAddKey action\n"),
1014 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1015 "\tloop-AES: %s, Key %d bits\n"
1016 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1017 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1018 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1019 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1020 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1024 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1027 static void _dbg_version_and_cmd(int argc, char **argv)
1031 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1032 for (i = 0; i < argc; i++) {
1040 static int run_action(struct action_type *action)
1044 log_dbg("Running command %s.", action->type);
1046 if (action->required_memlock)
1047 crypt_memory_lock(NULL, 1);
1049 r = action->handler(action->arg);
1051 if (action->required_memlock)
1052 crypt_memory_lock(NULL, 0);
1054 /* Some functions returns keyslot # */
1060 /* Translate exit code to simple codes */
1062 case 0: r = EXIT_SUCCESS; break;
1064 case -EBUSY: r = 5; break;
1066 case -ENODEV: r = 4; break;
1067 case -ENOMEM: r = 3; break;
1068 case -EPERM: r = 2; break;
1072 default: r = EXIT_FAILURE;
1077 int main(int argc, char **argv)
1079 static char *popt_tmp;
1080 static struct poptOption popt_help_options[] = {
1081 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1082 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1083 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1086 static struct poptOption popt_options[] = {
1087 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1088 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1089 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1090 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1091 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1092 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1093 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1094 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1095 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1096 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1097 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1098 { "keyfile-size", 'l', POPT_ARG_INT, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1099 { "new-keyfile-size", '\0', POPT_ARG_INT, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1100 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1101 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1102 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1103 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1104 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1105 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1106 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1107 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1108 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1109 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1110 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1111 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1112 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1113 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1116 poptContext popt_context;
1117 struct action_type *action;
1120 const char *null_action_argv[] = {NULL};
1122 crypt_set_log_callback(NULL, _log, NULL);
1124 setlocale(LC_ALL, "");
1125 bindtextdomain(PACKAGE, LOCALEDIR);
1126 textdomain(PACKAGE);
1128 popt_context = poptGetContext(PACKAGE, argc, (const char **)argv,
1130 poptSetOtherOptionHelp(popt_context,
1131 N_("[OPTION...] <action> <action-specific>]"));
1133 while((r = poptGetNextOpt(popt_context)) > 0) {
1134 unsigned long long ull_value;
1137 ull_value = strtoull(popt_tmp, &endp, 0);
1138 if (*endp || !*popt_tmp)
1139 r = POPT_ERROR_BADNUMBER;
1143 opt_size = ull_value;
1146 opt_offset = ull_value;
1149 opt_skip = ull_value;
1158 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1159 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1160 if (opt_version_mode) {
1161 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1165 if (!(aname = (char *)poptGetArg(popt_context)))
1166 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1167 poptGetInvocationName(popt_context));
1168 for(action = action_types; action->type; action++)
1169 if (strcmp(action->type, aname) == 0)
1172 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1173 poptGetInvocationName(popt_context));
1176 action_argv = poptGetArgs(popt_context);
1177 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1179 action_argv = null_action_argv;
1181 /* Count args, somewhat unnice, change? */
1182 while(action_argv[action_argc] != NULL)
1185 if(action_argc < action->required_action_argc) {
1187 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1188 usage(popt_context, EXIT_FAILURE, buf,
1189 poptGetInvocationName(popt_context));
1192 /* FIXME: rewrite this from scratch */
1195 strcmp(aname, "luksFormat") &&
1196 strcmp(aname, "create") &&
1197 strcmp(aname, "loopaesOpen")) {
1198 usage(popt_context, EXIT_FAILURE,
1199 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1200 "To limit read from keyfile use --keyfile-size=(bytes)."),
1201 poptGetInvocationName(popt_context));
1204 if (opt_key_size % 8)
1205 usage(popt_context, EXIT_FAILURE,
1206 _("Key size must be a multiple of 8 bits"),
1207 poptGetInvocationName(popt_context));
1209 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1210 opt_key_slot = atoi(action_argv[1]);
1211 if (opt_key_slot != CRYPT_ANY_SLOT &&
1212 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1213 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1214 poptGetInvocationName(popt_context));
1216 if ((!strcmp(aname, "luksRemoveKey") ||
1217 !strcmp(aname, "luksFormat")) &&
1220 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1222 opt_key_file = (char*)action_argv[1];
1225 if (opt_random && opt_urandom)
1226 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1227 poptGetInvocationName(popt_context));
1228 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1229 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1230 poptGetInvocationName(popt_context));
1232 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1233 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1234 poptGetInvocationName(popt_context));
1236 if ((opt_offset || opt_skip) && strcmp(aname, "create"))
1237 usage(popt_context, EXIT_FAILURE, _("Options --offset and --skip are supported only for create command.\n"),
1238 poptGetInvocationName(popt_context));
1242 crypt_set_debug_level(-1);
1243 _dbg_version_and_cmd(argc, argv);
1246 return run_action(action);