2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
33 #include <libcryptsetup.h>
36 #include "cryptsetup.h"
38 static int opt_verbose = 0;
39 static int opt_debug = 0;
40 static const char *opt_cipher = NULL;
41 static const char *opt_hash = NULL;
42 static int opt_verify_passphrase = 0;
43 static const char *opt_key_file = NULL;
44 static const char *opt_master_key_file = NULL;
45 static const char *opt_header_backup_file = NULL;
46 static const char *opt_uuid = NULL;
47 static const char *opt_header_device = NULL;
48 static int opt_key_size = 0;
49 static long opt_keyfile_size = 0;
50 static long opt_new_keyfile_size = 0;
51 static int opt_key_slot = CRYPT_ANY_SLOT;
52 static uint64_t opt_size = 0;
53 static uint64_t opt_offset = 0;
54 static uint64_t opt_skip = 0;
55 static int opt_skip_valid = 0;
56 static int opt_readonly = 0;
57 static int opt_iteration_time = 1000;
58 static int opt_batch_mode = 0;
59 static int opt_version_mode = 0;
60 static int opt_timeout = 0;
61 static int opt_tries = 3;
62 static int opt_align_payload = 0;
63 static int opt_random = 0;
64 static int opt_urandom = 0;
65 static int opt_dump_master_key = 0;
66 static int opt_shared = 0;
67 static int opt_allow_discards = 0;
69 static const char **action_argv;
70 static int action_argc;
72 static int action_create(int arg);
73 static int action_remove(int arg);
74 static int action_resize(int arg);
75 static int action_status(int arg);
76 static int action_luksFormat(int arg);
77 static int action_luksOpen(int arg);
78 static int action_luksAddKey(int arg);
79 static int action_luksKillSlot(int arg);
80 static int action_luksRemoveKey(int arg);
81 static int action_luksChangeKey(int arg);
82 static int action_isLuks(int arg);
83 static int action_luksUUID(int arg);
84 static int action_luksDump(int arg);
85 static int action_luksSuspend(int arg);
86 static int action_luksResume(int arg);
87 static int action_luksBackup(int arg);
88 static int action_luksRestore(int arg);
89 static int action_loopaesOpen(int arg);
91 static struct action_type {
95 int required_action_argc;
100 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
101 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
102 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
103 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
104 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
105 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
106 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
107 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
108 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
109 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
110 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
111 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
112 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
113 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
114 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
115 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
116 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
117 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
118 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
119 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
120 { NULL, NULL, 0, 0, 0, NULL, NULL }
123 __attribute__((format(printf, 5, 6)))
124 static void clogger(struct crypt_device *cd, int level, const char *file,
125 int line, const char *format, ...)
130 va_start(argp, format);
132 if (vasprintf(&target, format, argp) > 0) {
134 crypt_log(cd, level, target);
136 } else if (opt_debug)
137 printf("# %s:%d %s\n", file ?: "?", line, target);
139 } else if (opt_debug)
140 printf("# %s\n", target);
148 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
154 if(isatty(0) && !opt_batch_mode) {
155 log_std("\nWARNING!\n========\n");
156 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
157 if(getline(&answer, &size, stdin) == -1) {
162 if(strcmp(answer, "YES\n"))
170 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
174 case CRYPT_LOG_NORMAL:
177 case CRYPT_LOG_VERBOSE:
181 case CRYPT_LOG_ERROR:
184 case CRYPT_LOG_DEBUG:
186 printf("# %s\n", msg);
189 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
194 static void show_status(int errcode)
196 char error[256], *error_;
202 log_std(_("Command successful.\n"));
206 crypt_get_error(error, sizeof(error));
209 error_ = strerror_r(-errcode, error, sizeof(error));
210 if (error_ != error) {
211 strncpy(error, error_, sizeof(error));
212 error[sizeof(error) - 1] = '\0';
216 log_err(_("Command failed with code %i"), -errcode);
218 log_err(": %s\n", error);
223 static int action_create(int arg __attribute__((unused)))
225 struct crypt_device *cd = NULL;
226 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
227 struct crypt_params_plain params = {
228 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
230 .offset = opt_offset,
233 char *password = NULL;
235 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
236 uint32_t activate_flags = 0;
239 if (params.hash && !strcmp(params.hash, "plain"))
242 /* FIXME: temporary hack */
243 if (opt_key_file && strcmp(opt_key_file, "-"))
246 if (opt_keyfile_size && opt_key_file)
247 log_std(("Ignoring keyfile size option, keyfile read size "
248 "is always the same as encryption key size.\n"));
250 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
251 cipher, NULL, cipher_mode);
253 log_err("No known cipher specification pattern detected.\n");
257 if ((r = crypt_init(&cd, action_argv[1])))
260 crypt_set_timeout(cd, opt_timeout);
261 crypt_set_password_retry(cd, opt_tries);
263 r = crypt_format(cd, CRYPT_PLAIN,
272 activate_flags |= CRYPT_ACTIVATE_READONLY;
275 activate_flags |= CRYPT_ACTIVATE_SHARED;
277 if (opt_allow_discards)
278 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
281 /* With hashing, read the whole keyfile */
282 r = crypt_activate_by_keyfile(cd, action_argv[0],
283 CRYPT_ANY_SLOT, opt_key_file, params.hash ? 0 : key_size,
286 r = crypt_get_key(_("Enter passphrase: "),
287 &password, &passwordLen, opt_keyfile_size,
289 opt_batch_mode ? 0 : opt_verify_passphrase,
294 r = crypt_activate_by_passphrase(cd, action_argv[0],
295 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
299 crypt_safe_free(password);
304 static int action_loopaesOpen(int arg __attribute__((unused)))
306 struct crypt_device *cd = NULL;
307 struct crypt_params_loopaes params = {
308 .hash = opt_hash ?: NULL,
309 .offset = opt_offset,
310 .skip = opt_skip_valid ? opt_skip : opt_offset,
312 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
313 uint32_t activate_flags = 0;
317 log_err(_("Option --key-file is required.\n"));
322 activate_flags |= CRYPT_ACTIVATE_READONLY;
324 if (opt_allow_discards)
325 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
327 if ((r = crypt_init(&cd, action_argv[0])))
330 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
331 NULL, NULL, NULL, key_size, ¶ms);
335 r = crypt_activate_by_keyfile(cd, action_argv[1], CRYPT_ANY_SLOT,
336 opt_key_file, opt_keyfile_size, activate_flags);
343 static int action_remove(int arg __attribute__((unused)))
345 struct crypt_device *cd = NULL;
348 r = crypt_init_by_name(&cd, action_argv[0]);
350 r = crypt_deactivate(cd, action_argv[0]);
356 static int action_resize(int arg __attribute__((unused)))
358 struct crypt_device *cd = NULL;
361 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
363 r = crypt_resize(cd, action_argv[0], opt_size);
369 static int action_status(int arg __attribute__((unused)))
371 crypt_status_info ci;
372 struct crypt_active_device cad;
373 struct crypt_device *cd = NULL;
378 ci = crypt_status(NULL, action_argv[0]);
384 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
389 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
390 ci == CRYPT_BUSY ? " and is in use" : "");
391 r = crypt_init_by_name(&cd, action_argv[0]);
392 if (r < 0 || !crypt_get_type(cd))
395 log_std(" type: %s\n", crypt_get_type(cd));
397 r = crypt_get_active_device(cd, action_argv[0], &cad);
401 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
402 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
403 device = crypt_get_device_name(cd);
404 log_std(" device: %s\n", device);
405 if (crypt_loop_device(device)) {
406 backing_file = crypt_loop_backing_file(device);
407 log_std(" loop: %s\n", backing_file);
410 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
411 log_std(" size: %" PRIu64 " sectors\n", cad.size);
413 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
414 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
415 "readonly" : "read/write");
416 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
417 log_std(" flags: discards\n");
424 static int _read_mk(const char *file, char **key, int keysize)
428 *key = crypt_safe_alloc(keysize);
432 fd = open(file, O_RDONLY);
434 log_err("Cannot read keyfile %s.\n", file);
437 if ((read(fd, *key, keysize) != keysize)) {
438 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
445 crypt_safe_free(*key);
450 static int action_luksFormat(int arg __attribute__((unused)))
452 int r = -EINVAL, keysize;
453 const char *header_device;
454 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
455 char *password = NULL;
457 struct crypt_device *cd = NULL;
458 struct crypt_params_luks1 params = {
459 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
460 .data_alignment = opt_align_payload,
461 .data_device = opt_header_device ? action_argv[0] : NULL,
464 header_device = opt_header_device ?: action_argv[0];
466 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
467 header_device) == -1) {
468 log_err(_("memory allocation error in action_luksFormat"));
472 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
477 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
478 cipher, NULL, cipher_mode);
480 log_err(_("No known cipher specification pattern detected.\n"));
484 if ((r = crypt_init(&cd, header_device))) {
485 if (opt_header_device)
486 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
490 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
492 crypt_set_password_verify(cd, 1);
493 crypt_set_timeout(cd, opt_timeout);
494 if (opt_iteration_time)
495 crypt_set_iterarion_time(cd, opt_iteration_time);
498 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
499 else if (opt_urandom)
500 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
502 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
503 opt_keyfile_size, opt_key_file, opt_timeout,
504 opt_batch_mode ? 0 : 1 /* always verify */, cd);
508 if (opt_master_key_file) {
509 r = _read_mk(opt_master_key_file, &key, keysize);
514 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
515 opt_uuid, key, keysize, ¶ms);
519 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
521 password, passwordLen);
524 crypt_safe_free(key);
525 crypt_safe_free(password);
530 static int action_luksOpen(int arg __attribute__((unused)))
532 struct crypt_device *cd = NULL;
533 const char *data_device, *header_device;
537 if (opt_header_device) {
538 header_device = opt_header_device;
539 data_device = action_argv[0];
541 header_device = action_argv[0];
545 if ((r = crypt_init(&cd, header_device)))
548 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
552 (r = crypt_set_data_device(cd, data_device)))
555 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
556 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
561 crypt_set_timeout(cd, opt_timeout);
562 crypt_set_password_retry(cd, opt_tries);
564 if (opt_iteration_time)
565 crypt_set_iterarion_time(cd, opt_iteration_time);
568 flags |= CRYPT_ACTIVATE_READONLY;
570 if (opt_allow_discards)
571 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
574 crypt_set_password_retry(cd, 1);
575 r = crypt_activate_by_keyfile(cd, action_argv[1],
576 opt_key_slot, opt_key_file, opt_keyfile_size,
579 r = crypt_activate_by_passphrase(cd, action_argv[1],
580 opt_key_slot, NULL, 0, flags);
586 static int verify_keyslot(struct crypt_device *cd, int key_slot,
587 char *msg_last, char *msg_pass,
588 const char *key_file, int keyfile_size)
590 crypt_keyslot_info ki;
591 char *password = NULL;
595 ki = crypt_keyslot_status(cd, key_slot);
596 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
599 r = crypt_get_key(msg_pass, &password, &passwordLen,
600 keyfile_size, key_file, opt_timeout,
601 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
605 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
606 /* check the last keyslot */
607 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
608 password, passwordLen, 0);
610 /* try all other keyslots */
611 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
614 ki = crypt_keyslot_status(cd, key_slot);
615 if (ki == CRYPT_SLOT_ACTIVE)
616 r = crypt_activate_by_passphrase(cd, NULL, i,
617 password, passwordLen, 0);
624 log_err(_("No key available with this passphrase.\n"));
626 crypt_safe_free(password);
630 static int action_luksKillSlot(int arg __attribute__((unused)))
632 struct crypt_device *cd = NULL;
635 if ((r = crypt_init(&cd, action_argv[0])))
638 crypt_set_confirm_callback(cd, _yesDialog, NULL);
639 crypt_set_timeout(cd, opt_timeout);
641 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
644 switch (crypt_keyslot_status(cd, opt_key_slot)) {
645 case CRYPT_SLOT_ACTIVE_LAST:
646 case CRYPT_SLOT_ACTIVE:
647 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
649 case CRYPT_SLOT_INACTIVE:
650 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
651 case CRYPT_SLOT_INVALID:
656 if (!opt_batch_mode) {
657 r = verify_keyslot(cd, opt_key_slot,
658 _("This is the last keyslot. Device will become unusable after purging this key."),
659 _("Enter any remaining LUKS passphrase: "),
660 opt_key_file, opt_keyfile_size);
665 r = crypt_keyslot_destroy(cd, opt_key_slot);
671 static int action_luksRemoveKey(int arg __attribute__((unused)))
673 struct crypt_device *cd = NULL;
674 char *password = NULL;
678 if ((r = crypt_init(&cd, action_argv[0])))
681 crypt_set_confirm_callback(cd, _yesDialog, NULL);
682 crypt_set_timeout(cd, opt_timeout);
684 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
687 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
688 &password, &passwordLen,
689 opt_keyfile_size, opt_key_file,
691 opt_batch_mode ? 0 : opt_verify_passphrase,
696 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
697 password, passwordLen, 0);
702 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
704 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
705 !_yesDialog(_("This is the last keyslot. "
706 "Device will become unusable after purging this key."),
712 r = crypt_keyslot_destroy(cd, opt_key_slot);
714 crypt_safe_free(password);
719 static int action_luksAddKey(int arg __attribute__((unused)))
721 int r = -EINVAL, keysize = 0;
723 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
724 struct crypt_device *cd = NULL;
726 if ((r = crypt_init(&cd, action_argv[0])))
729 crypt_set_confirm_callback(cd, _yesDialog, NULL);
731 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
734 keysize = crypt_get_volume_key_size(cd);
735 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
736 crypt_set_timeout(cd, opt_timeout);
737 if (opt_iteration_time)
738 crypt_set_iterarion_time(cd, opt_iteration_time);
740 if (opt_master_key_file) {
741 r = _read_mk(opt_master_key_file, &key, keysize);
744 //FIXME: process keyfile arg
745 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
746 key, keysize, NULL, 0);
747 } else if (opt_key_file || opt_new_key_file) {
748 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
749 opt_key_file, opt_keyfile_size,
750 opt_new_key_file, opt_new_keyfile_size);
752 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
757 crypt_safe_free(key);
761 static int _slots_full(struct crypt_device *cd)
765 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
766 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
771 static int action_luksChangeKey(int arg __attribute__((unused)))
773 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
774 struct crypt_device *cd = NULL;
775 char *vk = NULL, *password = NULL;
776 size_t passwordLen = 0;
778 int new_key_slot, old_key_slot, r;
780 if ((r = crypt_init(&cd, action_argv[0])))
783 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
786 if (opt_iteration_time)
787 crypt_set_iterarion_time(cd, opt_iteration_time);
789 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
790 &password, &passwordLen,
791 opt_keyfile_size, opt_key_file, opt_timeout,
792 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
796 vk_size = crypt_get_volume_key_size(cd);
797 vk = crypt_safe_alloc(vk_size);
803 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
804 password, passwordLen);
806 if (opt_key_slot != CRYPT_ANY_SLOT)
807 log_err(_("No key available with this passphrase.\n"));
811 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
812 log_dbg("Key slot %d is going to be overwritten (%s).",
813 r, opt_key_slot != CRYPT_ANY_SLOT ?
814 "explicit key slot specified" : "no free key slot");
818 log_dbg("Allocating new key slot.");
820 new_key_slot = CRYPT_ANY_SLOT;
823 crypt_safe_free(password);
826 r = crypt_get_key(_("Enter new LUKS passphrase: "),
827 &password, &passwordLen,
828 opt_new_keyfile_size, opt_new_key_file,
829 opt_timeout, opt_batch_mode ? 0 : 1, cd);
833 if (new_key_slot == old_key_slot) {
834 (void)crypt_keyslot_destroy(cd, old_key_slot);
835 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
837 password, passwordLen);
839 log_verbose(_("Key slot %d changed.\n"), r);
841 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
843 password, passwordLen);
845 log_verbose(_("Replaced with key slot %d.\n"), r);
846 r = crypt_keyslot_destroy(cd, old_key_slot);
850 log_err(_("Failed to swap new key slot.\n"));
853 crypt_safe_free(password);
858 static int action_isLuks(int arg __attribute__((unused)))
860 struct crypt_device *cd = NULL;
863 if ((r = crypt_init(&cd, action_argv[0])))
866 r = crypt_load(cd, CRYPT_LUKS1, NULL);
872 static int action_luksUUID(int arg __attribute__((unused)))
874 struct crypt_device *cd = NULL;
875 const char *existing_uuid = NULL;
878 if ((r = crypt_init(&cd, action_argv[0])))
881 crypt_set_confirm_callback(cd, _yesDialog, NULL);
883 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
887 r = crypt_set_uuid(cd, opt_uuid);
889 existing_uuid = crypt_get_uuid(cd);
890 log_std("%s\n", existing_uuid ?: "");
891 r = existing_uuid ? 0 : 1;
898 static int luksDump_with_volume_key(struct crypt_device *cd)
900 char *vk = NULL, *password = NULL;
901 size_t passwordLen = 0;
906 crypt_set_confirm_callback(cd, _yesDialog, NULL);
908 _("LUKS header dump with volume key is sensitive information\n"
909 "which allows access to encrypted partition without passphrase.\n"
910 "This dump should be always stored encrypted on safe place."),
914 vk_size = crypt_get_volume_key_size(cd);
915 vk = crypt_safe_alloc(vk_size);
919 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
920 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
924 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
925 password, passwordLen);
929 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
930 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
931 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
932 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
933 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
934 log_std("MK bits: \t%d\n", (int)vk_size * 8);
935 log_std("MK dump:\t");
937 for(i = 0; i < vk_size; i++) {
940 log_std("%02hhx ", (char)vk[i]);
945 crypt_safe_free(password);
950 static int action_luksDump(int arg __attribute__((unused)))
952 struct crypt_device *cd = NULL;
955 if ((r = crypt_init(&cd, action_argv[0])))
958 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
961 if (opt_dump_master_key)
962 r = luksDump_with_volume_key(cd);
970 static int action_luksSuspend(int arg __attribute__((unused)))
972 struct crypt_device *cd = NULL;
975 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
977 r = crypt_suspend(cd, action_argv[0]);
983 static int action_luksResume(int arg __attribute__((unused)))
985 struct crypt_device *cd = NULL;
988 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
991 crypt_set_timeout(cd, opt_timeout);
992 crypt_set_password_retry(cd, opt_tries);
995 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
996 opt_key_file, opt_keyfile_size);
998 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1005 static int action_luksBackup(int arg __attribute__((unused)))
1007 struct crypt_device *cd = NULL;
1010 if (!opt_header_backup_file) {
1011 log_err(_("Option --header-backup-file is required.\n"));
1015 if ((r = crypt_init(&cd, action_argv[0])))
1018 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1020 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1026 static int action_luksRestore(int arg __attribute__((unused)))
1028 struct crypt_device *cd = NULL;
1031 if (!opt_header_backup_file) {
1032 log_err(_("Option --header-backup-file is required.\n"));
1036 if ((r = crypt_init(&cd, action_argv[0])))
1039 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1040 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1046 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1047 int exitcode, const char *error,
1050 poptPrintUsage(popt_context, stderr, 0);
1052 log_err("%s: %s\n", more, error);
1053 poptFreeContext(popt_context);
1057 static void help(poptContext popt_context,
1058 enum poptCallbackReason reason __attribute__((unused)),
1059 struct poptOption *key,
1060 const char *arg __attribute__((unused)),
1061 void *data __attribute__((unused)))
1063 if (key->shortName == '?') {
1064 struct action_type *action;
1066 log_std("%s\n",PACKAGE_STRING);
1068 poptPrintHelp(popt_context, stdout, 0);
1071 "<action> is one of:\n"));
1073 for(action = action_types; action->type; action++)
1074 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1077 "<name> is the device to create under %s\n"
1078 "<device> is the encrypted device\n"
1079 "<key slot> is the LUKS key slot number to modify\n"
1080 "<key file> optional key file for the new key for luksAddKey action\n"),
1083 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1084 "\tMaximum keyfile size: %dkB, "
1085 "Maximum interactive passphrase length %d (characters)\n"),
1086 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1088 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1089 "\tloop-AES: %s, Key %d bits\n"
1090 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1091 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1092 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1093 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1094 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1098 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1101 static void _dbg_version_and_cmd(int argc, const char **argv)
1105 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1106 for (i = 0; i < argc; i++) {
1109 log_std("%s", argv[i]);
1114 static int run_action(struct action_type *action)
1118 log_dbg("Running command %s.", action->type);
1120 if (action->required_memlock)
1121 crypt_memory_lock(NULL, 1);
1123 r = action->handler(action->arg);
1125 if (action->required_memlock)
1126 crypt_memory_lock(NULL, 0);
1128 /* Some functions returns keyslot # */
1134 /* Translate exit code to simple codes */
1136 case 0: r = EXIT_SUCCESS; break;
1138 case -EBUSY: r = 5; break;
1140 case -ENODEV: r = 4; break;
1141 case -ENOMEM: r = 3; break;
1142 case -EPERM: r = 2; break;
1146 default: r = EXIT_FAILURE;
1151 int main(int argc, const char **argv)
1153 static char *popt_tmp;
1154 static struct poptOption popt_help_options[] = {
1155 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1156 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1157 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1160 static struct poptOption popt_options[] = {
1161 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1162 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1163 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1164 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1165 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1166 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1167 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1168 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1169 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1170 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1171 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1172 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1173 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1174 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1175 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1176 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1177 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1178 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1179 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1180 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1181 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1182 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1183 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1184 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1185 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1186 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1187 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1188 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1189 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1190 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1193 poptContext popt_context;
1194 struct action_type *action;
1197 const char *null_action_argv[] = {NULL};
1199 crypt_set_log_callback(NULL, _log, NULL);
1201 setlocale(LC_ALL, "");
1202 bindtextdomain(PACKAGE, LOCALEDIR);
1203 textdomain(PACKAGE);
1205 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1206 poptSetOtherOptionHelp(popt_context,
1207 N_("[OPTION...] <action> <action-specific>]"));
1209 while((r = poptGetNextOpt(popt_context)) > 0) {
1210 unsigned long long ull_value;
1214 ull_value = strtoull(popt_tmp, &endp, 0);
1215 if (*endp || !*popt_tmp ||
1216 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1217 (errno != 0 && ull_value == 0))
1218 r = POPT_ERROR_BADNUMBER;
1222 opt_size = ull_value;
1225 opt_offset = ull_value;
1228 opt_skip = ull_value;
1238 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1239 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1240 if (opt_version_mode) {
1241 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1242 poptFreeContext(popt_context);
1246 if (!(aname = poptGetArg(popt_context)))
1247 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1248 poptGetInvocationName(popt_context));
1249 for(action = action_types; action->type; action++)
1250 if (strcmp(action->type, aname) == 0)
1253 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1254 poptGetInvocationName(popt_context));
1257 action_argv = poptGetArgs(popt_context);
1258 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1260 action_argv = null_action_argv;
1262 /* Count args, somewhat unnice, change? */
1263 while(action_argv[action_argc] != NULL)
1266 if(action_argc < action->required_action_argc) {
1268 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1269 usage(popt_context, EXIT_FAILURE, buf,
1270 poptGetInvocationName(popt_context));
1273 /* FIXME: rewrite this from scratch */
1275 if (opt_shared && strcmp(aname, "create")) {
1276 usage(popt_context, EXIT_FAILURE,
1277 _("Option --shared is allowed only for create operation.\n"),
1278 poptGetInvocationName(popt_context));
1281 if (opt_allow_discards &&
1282 strcmp(aname, "luksOpen") &&
1283 strcmp(aname, "create") &&
1284 strcmp(aname, "loopaesOpen")) {
1285 usage(popt_context, EXIT_FAILURE,
1286 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1287 poptGetInvocationName(popt_context));
1291 strcmp(aname, "luksFormat") &&
1292 strcmp(aname, "create") &&
1293 strcmp(aname, "loopaesOpen")) {
1294 usage(popt_context, EXIT_FAILURE,
1295 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1296 "To limit read from keyfile use --keyfile-size=(bytes)."),
1297 poptGetInvocationName(popt_context));
1300 if (opt_key_size % 8)
1301 usage(popt_context, EXIT_FAILURE,
1302 _("Key size must be a multiple of 8 bits"),
1303 poptGetInvocationName(popt_context));
1305 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1306 opt_key_slot = atoi(action_argv[1]);
1307 if (opt_key_slot != CRYPT_ANY_SLOT &&
1308 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1309 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1310 poptGetInvocationName(popt_context));
1312 if ((!strcmp(aname, "luksRemoveKey") ||
1313 !strcmp(aname, "luksFormat")) &&
1316 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1318 opt_key_file = action_argv[1];
1321 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1322 usage(popt_context, EXIT_FAILURE,
1323 _("Negative number for option not permitted."),
1324 poptGetInvocationName(popt_context));
1327 if (opt_random && opt_urandom)
1328 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1329 poptGetInvocationName(popt_context));
1330 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1331 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1332 poptGetInvocationName(popt_context));
1334 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1335 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1336 poptGetInvocationName(popt_context));
1338 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1339 usage(popt_context, EXIT_FAILURE,
1340 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1341 poptGetInvocationName(popt_context));
1343 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1344 usage(popt_context, EXIT_FAILURE,
1345 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1346 poptGetInvocationName(popt_context));
1350 crypt_set_debug_level(-1);
1351 _dbg_version_and_cmd(argc, argv);
1354 r = run_action(action);
1355 poptFreeContext(popt_context);
projects / platform / upstream / cryptsetup.git / blob