2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
37 #include "cryptsetup.h"
39 static int opt_verbose = 0;
40 static int opt_debug = 0;
41 static const char *opt_cipher = NULL;
42 static const char *opt_hash = NULL;
43 static int opt_verify_passphrase = 0;
44 static const char *opt_key_file = NULL;
45 static const char *opt_master_key_file = NULL;
46 static const char *opt_header_backup_file = NULL;
47 static const char *opt_uuid = NULL;
48 static const char *opt_header_device = NULL;
49 static int opt_key_size = 0;
50 static long opt_keyfile_size = 0;
51 static long opt_new_keyfile_size = 0;
52 static long opt_keyfile_offset = 0;
53 static long opt_new_keyfile_offset = 0;
54 static int opt_key_slot = CRYPT_ANY_SLOT;
55 static uint64_t opt_size = 0;
56 static uint64_t opt_offset = 0;
57 static uint64_t opt_skip = 0;
58 static int opt_skip_valid = 0;
59 static int opt_readonly = 0;
60 static int opt_iteration_time = 1000;
61 static int opt_batch_mode = 0;
62 static int opt_version_mode = 0;
63 static int opt_timeout = 0;
64 static int opt_tries = 3;
65 static int opt_align_payload = 0;
66 static int opt_random = 0;
67 static int opt_urandom = 0;
68 static int opt_dump_master_key = 0;
69 static int opt_shared = 0;
70 static int opt_allow_discards = 0;
72 static const char **action_argv;
73 static int action_argc;
75 static int action_create(int arg);
76 static int action_remove(int arg);
77 static int action_resize(int arg);
78 static int action_status(int arg);
79 static int action_luksFormat(int arg);
80 static int action_luksOpen(int arg);
81 static int action_luksAddKey(int arg);
82 static int action_luksKillSlot(int arg);
83 static int action_luksRemoveKey(int arg);
84 static int action_luksChangeKey(int arg);
85 static int action_isLuks(int arg);
86 static int action_luksUUID(int arg);
87 static int action_luksDump(int arg);
88 static int action_luksSuspend(int arg);
89 static int action_luksResume(int arg);
90 static int action_luksBackup(int arg);
91 static int action_luksRestore(int arg);
92 static int action_loopaesOpen(int arg);
93 static int action_luksRepair(int arg);
95 static struct action_type {
99 int required_action_argc;
100 int required_memlock;
101 const char *arg_desc;
104 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
105 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
106 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
107 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
108 { "repair", action_luksRepair, 0, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
109 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
110 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
111 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
112 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
113 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
114 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
115 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
116 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
117 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
118 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
119 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
120 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
121 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
122 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
123 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
124 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
125 { NULL, NULL, 0, 0, 0, NULL, NULL }
128 __attribute__((format(printf, 5, 6)))
129 static void clogger(struct crypt_device *cd, int level, const char *file,
130 int line, const char *format, ...)
135 va_start(argp, format);
137 if (vasprintf(&target, format, argp) > 0) {
139 crypt_log(cd, level, target);
141 } else if (opt_debug)
142 printf("# %s:%d %s\n", file ?: "?", line, target);
144 } else if (opt_debug)
145 printf("# %s\n", target);
153 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
159 if(isatty(STDIN_FILENO) && !opt_batch_mode) {
160 log_std("\nWARNING!\n========\n");
161 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
162 if(getline(&answer, &size, stdin) == -1) {
167 if(strcmp(answer, "YES\n"))
175 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
179 case CRYPT_LOG_NORMAL:
182 case CRYPT_LOG_VERBOSE:
186 case CRYPT_LOG_ERROR:
189 case CRYPT_LOG_DEBUG:
191 printf("# %s\n", msg);
194 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
199 static void _quiet_log(int level, const char *msg, void *usrptr)
201 if (!opt_verbose && (level == CRYPT_LOG_ERROR || level == CRYPT_LOG_NORMAL))
202 level = CRYPT_LOG_VERBOSE;
203 _log(level, msg, usrptr);
206 static int _verify_passphrase(int def)
208 /* Batch mode switch off verify - if not overrided by -y */
209 if (opt_verify_passphrase)
211 else if (opt_batch_mode)
214 /* Non-tty input doesn't allow verify */
215 if (def && !isatty(STDIN_FILENO)) {
216 if (opt_verify_passphrase)
217 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
224 static void show_status(int errcode)
226 char error[256], *error_;
232 log_std(_("Command successful.\n"));
236 crypt_get_error(error, sizeof(error));
239 error_ = strerror_r(-errcode, error, sizeof(error));
240 if (error_ != error) {
241 strncpy(error, error_, sizeof(error));
242 error[sizeof(error) - 1] = '\0';
246 log_err(_("Command failed with code %i"), -errcode);
248 log_err(": %s\n", error);
253 static const char *uuid_or_device(const char *spec)
255 static char device[PATH_MAX];
257 int i = 0, uuid_len = 5;
259 /* Check if it is correct UUID=<LUKS_UUID> format */
260 if (spec && !strncmp(spec, "UUID=", uuid_len)) {
261 strcpy(device, "/dev/disk/by-uuid/");
262 ptr = &device[strlen(device)];
264 while ((s = spec[i++]) && i < PATH_MAX) {
265 if (!isxdigit(s) && s != '-')
266 return spec; /* Bail it out */
278 static int action_create(int arg __attribute__((unused)))
280 struct crypt_device *cd = NULL;
281 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
282 struct crypt_params_plain params = {
283 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
285 .offset = opt_offset,
288 char *password = NULL;
290 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
291 uint32_t activate_flags = 0;
294 if (params.hash && !strcmp(params.hash, "plain"))
297 /* FIXME: temporary hack */
298 if (opt_key_file && strcmp(opt_key_file, "-"))
301 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
302 log_std(("Ignoring keyfile offset and size options, keyfile read "
303 "size is always the same as encryption key size.\n"));
305 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
306 cipher, NULL, cipher_mode);
308 log_err("No known cipher specification pattern detected.\n");
312 if ((r = crypt_init(&cd, action_argv[1])))
315 crypt_set_timeout(cd, opt_timeout);
316 crypt_set_password_retry(cd, opt_tries);
318 r = crypt_format(cd, CRYPT_PLAIN,
327 activate_flags |= CRYPT_ACTIVATE_READONLY;
330 activate_flags |= CRYPT_ACTIVATE_SHARED;
332 if (opt_allow_discards)
333 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
336 /* With hashing, read the whole keyfile */
337 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
338 CRYPT_ANY_SLOT, opt_key_file,
339 params.hash ? 0 : key_size, 0,
342 r = crypt_get_key(_("Enter passphrase: "),
343 &password, &passwordLen,
344 opt_keyfile_offset, opt_keyfile_size,
346 _verify_passphrase(0),
351 r = crypt_activate_by_passphrase(cd, action_argv[0],
352 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
356 crypt_safe_free(password);
361 static int action_loopaesOpen(int arg __attribute__((unused)))
363 struct crypt_device *cd = NULL;
364 struct crypt_params_loopaes params = {
365 .hash = opt_hash ?: NULL,
366 .offset = opt_offset,
367 .skip = opt_skip_valid ? opt_skip : opt_offset,
369 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
370 uint32_t activate_flags = 0;
374 log_err(_("Option --key-file is required.\n"));
379 activate_flags |= CRYPT_ACTIVATE_READONLY;
381 if (opt_allow_discards)
382 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
384 if ((r = crypt_init(&cd, action_argv[0])))
387 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
388 NULL, NULL, NULL, key_size, ¶ms);
392 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
393 opt_key_file, opt_keyfile_size,
394 opt_keyfile_size, activate_flags);
401 static int action_remove(int arg __attribute__((unused)))
403 struct crypt_device *cd = NULL;
406 r = crypt_init_by_name(&cd, action_argv[0]);
408 r = crypt_deactivate(cd, action_argv[0]);
414 static int action_resize(int arg __attribute__((unused)))
416 struct crypt_device *cd = NULL;
419 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
421 r = crypt_resize(cd, action_argv[0], opt_size);
427 static int action_status(int arg __attribute__((unused)))
429 crypt_status_info ci;
430 struct crypt_active_device cad;
431 struct crypt_device *cd = NULL;
437 /* perhaps a path, not a dm device name */
438 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
441 ci = crypt_status(NULL, action_argv[0]);
448 log_std("%s is inactive.\n", action_argv[0]);
450 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
456 log_std("%s is active%s.\n", action_argv[0],
457 ci == CRYPT_BUSY ? " and is in use" : "");
459 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
460 ci == CRYPT_BUSY ? " and is in use" : "");
462 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
463 if (r < 0 || !crypt_get_type(cd))
466 log_std(" type: %s\n", crypt_get_type(cd));
468 r = crypt_get_active_device(cd, action_argv[0], &cad);
472 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
473 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
474 device = crypt_get_device_name(cd);
475 log_std(" device: %s\n", device);
476 if (crypt_loop_device(device)) {
477 backing_file = crypt_loop_backing_file(device);
478 log_std(" loop: %s\n", backing_file);
481 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
482 log_std(" size: %" PRIu64 " sectors\n", cad.size);
484 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
485 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
486 "readonly" : "read/write");
487 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
488 log_std(" flags: discards\n");
495 static int _read_mk(const char *file, char **key, int keysize)
499 *key = crypt_safe_alloc(keysize);
503 fd = open(file, O_RDONLY);
505 log_err("Cannot read keyfile %s.\n", file);
508 if ((read(fd, *key, keysize) != keysize)) {
509 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
516 crypt_safe_free(*key);
521 static int action_luksRepair(int arg __attribute__((unused)))
523 struct crypt_device *cd = NULL;
526 if ((r = crypt_init(&cd, action_argv[0])))
529 /* Currently only LUKS1 allows repair */
530 crypt_set_log_callback(cd, _quiet_log, NULL);
531 r = crypt_load(cd, CRYPT_LUKS1, NULL);
532 crypt_set_log_callback(cd, _log, NULL);
534 log_verbose( _("No known problems detected for LUKS header.\n"));
538 r = _yesDialog(_("Really try to repair LUKS device header?"),
541 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
547 static int action_luksFormat(int arg __attribute__((unused)))
549 int r = -EINVAL, keysize;
550 const char *header_device;
551 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
552 char *password = NULL;
554 struct crypt_device *cd = NULL;
555 struct crypt_params_luks1 params = {
556 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
557 .data_alignment = opt_align_payload,
558 .data_device = opt_header_device ? action_argv[0] : NULL,
561 header_device = opt_header_device ?: action_argv[0];
563 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
564 header_device) == -1) {
565 log_err(_("memory allocation error in action_luksFormat"));
569 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
574 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
575 cipher, NULL, cipher_mode);
577 log_err(_("No known cipher specification pattern detected.\n"));
581 if ((r = crypt_init(&cd, header_device))) {
582 if (opt_header_device)
583 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
587 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
589 crypt_set_timeout(cd, opt_timeout);
590 if (opt_iteration_time)
591 crypt_set_iteration_time(cd, opt_iteration_time);
594 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
595 else if (opt_urandom)
596 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
598 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
599 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
600 opt_timeout, _verify_passphrase(1), cd);
604 if (opt_master_key_file) {
605 r = _read_mk(opt_master_key_file, &key, keysize);
610 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
611 opt_uuid, key, keysize, ¶ms);
615 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
617 password, passwordLen);
620 crypt_safe_free(key);
621 crypt_safe_free(password);
626 static int action_luksOpen(int arg __attribute__((unused)))
628 struct crypt_device *cd = NULL;
629 const char *data_device, *header_device;
634 if (opt_header_device) {
635 header_device = uuid_or_device(opt_header_device);
636 data_device = action_argv[0];
638 header_device = uuid_or_device(action_argv[0]);
642 if ((r = crypt_init(&cd, header_device)))
645 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
649 (r = crypt_set_data_device(cd, data_device)))
652 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
653 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
658 crypt_set_timeout(cd, opt_timeout);
659 crypt_set_password_retry(cd, opt_tries);
660 crypt_set_password_verify(cd, _verify_passphrase(0));
662 if (opt_iteration_time)
663 crypt_set_iteration_time(cd, opt_iteration_time);
666 flags |= CRYPT_ACTIVATE_READONLY;
668 if (opt_allow_discards)
669 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
671 if (opt_master_key_file) {
672 keysize = crypt_get_volume_key_size(cd);
673 r = _read_mk(opt_master_key_file, &key, keysize);
676 r = crypt_activate_by_volume_key(cd, action_argv[1],
677 key, keysize, flags);
678 } else if (opt_key_file) {
679 crypt_set_password_retry(cd, 1);
680 r = crypt_activate_by_keyfile_offset(cd, action_argv[1],
681 opt_key_slot, opt_key_file, opt_keyfile_size,
682 opt_keyfile_offset, flags);
684 r = crypt_activate_by_passphrase(cd, action_argv[1],
685 opt_key_slot, NULL, 0, flags);
687 crypt_safe_free(key);
692 static int verify_keyslot(struct crypt_device *cd, int key_slot,
693 char *msg_last, char *msg_pass,
694 const char *key_file, int keyfile_offset,
697 crypt_keyslot_info ki;
698 char *password = NULL;
702 ki = crypt_keyslot_status(cd, key_slot);
703 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
706 r = crypt_get_key(msg_pass, &password, &passwordLen,
707 keyfile_offset, keyfile_size, key_file, opt_timeout,
708 _verify_passphrase(0), cd);
712 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
713 /* check the last keyslot */
714 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
715 password, passwordLen, 0);
717 /* try all other keyslots */
718 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
721 ki = crypt_keyslot_status(cd, key_slot);
722 if (ki == CRYPT_SLOT_ACTIVE)
723 r = crypt_activate_by_passphrase(cd, NULL, i,
724 password, passwordLen, 0);
731 log_err(_("No key available with this passphrase.\n"));
733 crypt_safe_free(password);
737 static int action_luksKillSlot(int arg __attribute__((unused)))
739 struct crypt_device *cd = NULL;
742 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
745 crypt_set_confirm_callback(cd, _yesDialog, NULL);
746 crypt_set_timeout(cd, opt_timeout);
748 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
751 switch (crypt_keyslot_status(cd, opt_key_slot)) {
752 case CRYPT_SLOT_ACTIVE_LAST:
753 case CRYPT_SLOT_ACTIVE:
754 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
756 case CRYPT_SLOT_INACTIVE:
757 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
758 case CRYPT_SLOT_INVALID:
763 if (!opt_batch_mode) {
764 r = verify_keyslot(cd, opt_key_slot,
765 _("This is the last keyslot. Device will become unusable after purging this key."),
766 _("Enter any remaining LUKS passphrase: "),
767 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
772 r = crypt_keyslot_destroy(cd, opt_key_slot);
778 static int action_luksRemoveKey(int arg __attribute__((unused)))
780 struct crypt_device *cd = NULL;
781 char *password = NULL;
785 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
788 crypt_set_confirm_callback(cd, _yesDialog, NULL);
789 crypt_set_timeout(cd, opt_timeout);
791 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
794 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
795 &password, &passwordLen,
796 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
798 _verify_passphrase(0),
803 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
804 password, passwordLen, 0);
809 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
811 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
812 !_yesDialog(_("This is the last keyslot. "
813 "Device will become unusable after purging this key."),
819 r = crypt_keyslot_destroy(cd, opt_key_slot);
821 crypt_safe_free(password);
826 static int action_luksAddKey(int arg __attribute__((unused)))
828 int r = -EINVAL, keysize = 0;
830 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
831 struct crypt_device *cd = NULL;
833 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
836 crypt_set_confirm_callback(cd, _yesDialog, NULL);
838 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
841 keysize = crypt_get_volume_key_size(cd);
842 /* FIXME: lib cannot properly set verification for new/old passphrase */
843 crypt_set_password_verify(cd, _verify_passphrase(0));
844 crypt_set_timeout(cd, opt_timeout);
845 if (opt_iteration_time)
846 crypt_set_iteration_time(cd, opt_iteration_time);
848 if (opt_master_key_file) {
849 r = _read_mk(opt_master_key_file, &key, keysize);
852 //FIXME: process keyfile arg
853 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
854 key, keysize, NULL, 0);
855 } else if (opt_key_file || opt_new_key_file) {
856 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
857 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
858 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
860 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
865 crypt_safe_free(key);
869 static int _slots_full(struct crypt_device *cd)
873 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
874 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
879 static int action_luksChangeKey(int arg __attribute__((unused)))
881 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
882 struct crypt_device *cd = NULL;
883 char *vk = NULL, *password = NULL;
884 size_t passwordLen = 0;
886 int new_key_slot, old_key_slot, r;
888 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
891 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
894 if (opt_iteration_time)
895 crypt_set_iteration_time(cd, opt_iteration_time);
897 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
898 &password, &passwordLen,
899 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
900 opt_timeout, _verify_passphrase(0), cd);
904 vk_size = crypt_get_volume_key_size(cd);
905 vk = crypt_safe_alloc(vk_size);
911 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
912 password, passwordLen);
914 if (opt_key_slot != CRYPT_ANY_SLOT)
915 log_err(_("No key available with this passphrase.\n"));
919 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
920 log_dbg("Key slot %d is going to be overwritten (%s).",
921 r, opt_key_slot != CRYPT_ANY_SLOT ?
922 "explicit key slot specified" : "no free key slot");
926 log_dbg("Allocating new key slot.");
928 new_key_slot = CRYPT_ANY_SLOT;
931 crypt_safe_free(password);
934 r = crypt_get_key(_("Enter new LUKS passphrase: "),
935 &password, &passwordLen,
936 opt_new_keyfile_offset, opt_new_keyfile_size,
938 opt_timeout, _verify_passphrase(0), cd);
942 if (new_key_slot == old_key_slot) {
943 (void)crypt_keyslot_destroy(cd, old_key_slot);
944 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
946 password, passwordLen);
948 log_verbose(_("Key slot %d changed.\n"), r);
950 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
952 password, passwordLen);
954 log_verbose(_("Replaced with key slot %d.\n"), r);
955 r = crypt_keyslot_destroy(cd, old_key_slot);
959 log_err(_("Failed to swap new key slot.\n"));
962 crypt_safe_free(password);
967 static int action_isLuks(int arg __attribute__((unused)))
969 struct crypt_device *cd = NULL;
972 if ((r = crypt_init(&cd, action_argv[0])))
975 crypt_set_log_callback(cd, _quiet_log, NULL);
976 r = crypt_load(cd, CRYPT_LUKS1, NULL);
982 static int action_luksUUID(int arg __attribute__((unused)))
984 struct crypt_device *cd = NULL;
985 const char *existing_uuid = NULL;
988 if ((r = crypt_init(&cd, action_argv[0])))
991 crypt_set_confirm_callback(cd, _yesDialog, NULL);
993 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
997 r = crypt_set_uuid(cd, opt_uuid);
999 existing_uuid = crypt_get_uuid(cd);
1000 log_std("%s\n", existing_uuid ?: "");
1001 r = existing_uuid ? 0 : 1;
1008 static int luksDump_with_volume_key(struct crypt_device *cd)
1010 char *vk = NULL, *password = NULL;
1011 size_t passwordLen = 0;
1016 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1018 _("LUKS header dump with volume key is sensitive information\n"
1019 "which allows access to encrypted partition without passphrase.\n"
1020 "This dump should be always stored encrypted on safe place."),
1024 vk_size = crypt_get_volume_key_size(cd);
1025 vk = crypt_safe_alloc(vk_size);
1029 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
1030 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1031 opt_timeout, 0, cd);
1035 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
1036 password, passwordLen);
1040 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
1041 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
1042 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
1043 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
1044 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
1045 log_std("MK bits: \t%d\n", (int)vk_size * 8);
1046 log_std("MK dump:\t");
1048 for(i = 0; i < vk_size; i++) {
1051 log_std("%02hhx ", (char)vk[i]);
1056 crypt_safe_free(password);
1057 crypt_safe_free(vk);
1061 static int action_luksDump(int arg __attribute__((unused)))
1063 struct crypt_device *cd = NULL;
1066 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1069 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1072 if (opt_dump_master_key)
1073 r = luksDump_with_volume_key(cd);
1081 static int action_luksSuspend(int arg __attribute__((unused)))
1083 struct crypt_device *cd = NULL;
1086 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
1088 r = crypt_suspend(cd, action_argv[0]);
1094 static int action_luksResume(int arg __attribute__((unused)))
1096 struct crypt_device *cd = NULL;
1099 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1102 crypt_set_timeout(cd, opt_timeout);
1103 crypt_set_password_retry(cd, opt_tries);
1104 crypt_set_password_verify(cd, _verify_passphrase(0));
1107 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1108 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1110 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1117 static int action_luksBackup(int arg __attribute__((unused)))
1119 struct crypt_device *cd = NULL;
1122 if (!opt_header_backup_file) {
1123 log_err(_("Option --header-backup-file is required.\n"));
1127 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1130 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1132 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1138 static int action_luksRestore(int arg __attribute__((unused)))
1140 struct crypt_device *cd = NULL;
1143 if (!opt_header_backup_file) {
1144 log_err(_("Option --header-backup-file is required.\n"));
1148 if ((r = crypt_init(&cd, action_argv[0])))
1151 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1152 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1158 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1159 int exitcode, const char *error,
1162 poptPrintUsage(popt_context, stderr, 0);
1164 log_err("%s: %s\n", more, error);
1165 poptFreeContext(popt_context);
1169 static void help(poptContext popt_context,
1170 enum poptCallbackReason reason __attribute__((unused)),
1171 struct poptOption *key,
1172 const char *arg __attribute__((unused)),
1173 void *data __attribute__((unused)))
1175 if (key->shortName == '?') {
1176 struct action_type *action;
1178 log_std("%s\n",PACKAGE_STRING);
1180 poptPrintHelp(popt_context, stdout, 0);
1183 "<action> is one of:\n"));
1185 for(action = action_types; action->type; action++)
1186 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1189 "<name> is the device to create under %s\n"
1190 "<device> is the encrypted device\n"
1191 "<key slot> is the LUKS key slot number to modify\n"
1192 "<key file> optional key file for the new key for luksAddKey action\n"),
1195 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1196 "\tMaximum keyfile size: %dkB, "
1197 "Maximum interactive passphrase length %d (characters)\n"),
1198 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1200 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1201 "\tloop-AES: %s, Key %d bits\n"
1202 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1203 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1204 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1205 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1206 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1210 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1213 static void _dbg_version_and_cmd(int argc, const char **argv)
1217 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1218 for (i = 0; i < argc; i++) {
1221 log_std("%s", argv[i]);
1226 static int run_action(struct action_type *action)
1230 log_dbg("Running command %s.", action->type);
1232 if (action->required_memlock)
1233 crypt_memory_lock(NULL, 1);
1235 r = action->handler(action->arg);
1237 if (action->required_memlock)
1238 crypt_memory_lock(NULL, 0);
1240 /* Some functions returns keyslot # */
1246 /* Translate exit code to simple codes */
1248 case 0: r = EXIT_SUCCESS; break;
1250 case -EBUSY: r = 5; break;
1252 case -ENODEV: r = 4; break;
1253 case -ENOMEM: r = 3; break;
1254 case -EPERM: r = 2; break;
1258 default: r = EXIT_FAILURE;
1263 int main(int argc, const char **argv)
1265 static char *popt_tmp;
1266 static struct poptOption popt_help_options[] = {
1267 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1268 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1269 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1272 static struct poptOption popt_options[] = {
1273 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1274 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1275 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1276 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1277 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1278 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1279 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1280 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1281 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1282 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1283 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1284 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1285 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1286 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1287 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1288 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1289 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1290 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1291 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1292 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1293 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1294 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1295 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1296 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1297 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1298 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1299 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1300 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1301 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1302 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1303 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1304 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1307 poptContext popt_context;
1308 struct action_type *action;
1311 const char *null_action_argv[] = {NULL};
1313 crypt_set_log_callback(NULL, _log, NULL);
1315 setlocale(LC_ALL, "");
1316 bindtextdomain(PACKAGE, LOCALEDIR);
1317 textdomain(PACKAGE);
1319 crypt_fips_self_check(NULL);
1321 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1322 poptSetOtherOptionHelp(popt_context,
1323 N_("[OPTION...] <action> <action-specific>]"));
1325 while((r = poptGetNextOpt(popt_context)) > 0) {
1326 unsigned long long ull_value;
1330 ull_value = strtoull(popt_tmp, &endp, 0);
1331 if (*endp || !*popt_tmp ||
1332 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1333 (errno != 0 && ull_value == 0))
1334 r = POPT_ERROR_BADNUMBER;
1338 opt_size = ull_value;
1341 opt_offset = ull_value;
1344 opt_skip = ull_value;
1354 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1355 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1356 if (opt_version_mode) {
1357 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1358 poptFreeContext(popt_context);
1362 if (!(aname = poptGetArg(popt_context)))
1363 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1364 poptGetInvocationName(popt_context));
1365 for(action = action_types; action->type; action++)
1366 if (strcmp(action->type, aname) == 0)
1369 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1370 poptGetInvocationName(popt_context));
1373 action_argv = poptGetArgs(popt_context);
1374 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1376 action_argv = null_action_argv;
1378 /* Count args, somewhat unnice, change? */
1379 while(action_argv[action_argc] != NULL)
1382 if(action_argc < action->required_action_argc) {
1384 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1385 usage(popt_context, EXIT_FAILURE, buf,
1386 poptGetInvocationName(popt_context));
1389 /* FIXME: rewrite this from scratch */
1391 if (opt_shared && strcmp(aname, "create")) {
1392 usage(popt_context, EXIT_FAILURE,
1393 _("Option --shared is allowed only for create operation.\n"),
1394 poptGetInvocationName(popt_context));
1397 if (opt_allow_discards &&
1398 strcmp(aname, "luksOpen") &&
1399 strcmp(aname, "create") &&
1400 strcmp(aname, "loopaesOpen")) {
1401 usage(popt_context, EXIT_FAILURE,
1402 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1403 poptGetInvocationName(popt_context));
1407 strcmp(aname, "luksFormat") &&
1408 strcmp(aname, "create") &&
1409 strcmp(aname, "loopaesOpen")) {
1410 usage(popt_context, EXIT_FAILURE,
1411 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1412 "To limit read from keyfile use --keyfile-size=(bytes)."),
1413 poptGetInvocationName(popt_context));
1416 if (opt_key_size % 8)
1417 usage(popt_context, EXIT_FAILURE,
1418 _("Key size must be a multiple of 8 bits"),
1419 poptGetInvocationName(popt_context));
1421 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1422 opt_key_slot = atoi(action_argv[1]);
1423 if (opt_key_slot != CRYPT_ANY_SLOT &&
1424 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1425 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1426 poptGetInvocationName(popt_context));
1428 if ((!strcmp(aname, "luksRemoveKey") ||
1429 !strcmp(aname, "luksFormat")) &&
1432 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1434 opt_key_file = action_argv[1];
1437 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1438 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0) {
1439 usage(popt_context, EXIT_FAILURE,
1440 _("Negative number for option not permitted."),
1441 poptGetInvocationName(popt_context));
1444 if (opt_random && opt_urandom)
1445 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1446 poptGetInvocationName(popt_context));
1448 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1449 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1450 poptGetInvocationName(popt_context));
1452 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1453 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1454 poptGetInvocationName(popt_context));
1456 if (opt_align_payload && strcmp(aname, "luksFormat"))
1457 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1458 poptGetInvocationName(popt_context));
1460 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1461 usage(popt_context, EXIT_FAILURE,
1462 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1463 poptGetInvocationName(popt_context));
1465 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1466 usage(popt_context, EXIT_FAILURE,
1467 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1468 poptGetInvocationName(popt_context));
1472 crypt_set_debug_level(-1);
1473 _dbg_version_and_cmd(argc, argv);
1476 r = run_action(action);
1477 poptFreeContext(popt_context);