2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004 Jana Saout <jana@saout.de>
5 * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
7 * Copyright (C) 2009-2023 Milan Broz
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 #include <uuid/uuid.h>
26 #include "cryptsetup.h"
27 #include "cryptsetup_args.h"
28 #include "utils_luks.h"
30 static char *keyfiles[MAX_KEYFILES];
31 static char *keyfile_stdin = NULL;
33 static int keyfiles_count = 0;
34 int64_t data_shift = 0;
36 const char *device_type = "luks";
37 const char *set_pbkdf = NULL;
39 static const char **action_argv;
40 static int action_argc;
41 static const char *null_action_argv[] = {NULL, NULL};
42 static int total_keyfiles = 0;
44 static struct tools_log_params log_parms;
46 struct tools_arg tool_core_args[] = { { NULL, false, CRYPT_ARG_BOOL }, /* leave unused due to popt library */
47 #define ARG(A, B, C, D, E, F, G, H) { A, false, F, G, H },
48 #include "cryptsetup_arg_list.h"
52 void tools_cleanup(void)
54 tools_args_free(tool_core_args, ARRAY_SIZE(tool_core_args));
56 FREE_AND_NULL(keyfile_stdin);
58 while (keyfiles_count)
59 free(keyfiles[--keyfiles_count]);
64 static const char *uuid_or_device_header(const char **data_device)
67 *data_device = ARG_SET(OPT_HEADER_ID) ? action_argv[0] : NULL;
69 return uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[0]);
72 static bool isLUKS(const char *type)
74 return isLUKS2(type) || isLUKS1(type);
77 static int _set_keyslot_encryption_params(struct crypt_device *cd)
79 const char *type = crypt_get_type(cd);
81 if (!ARG_SET(OPT_KEYSLOT_KEY_SIZE_ID) && !ARG_SET(OPT_KEYSLOT_CIPHER_ID))
85 log_err(_("Keyslot encryption parameters can be set only for LUKS2 device."));
89 return crypt_keyslot_set_encryption(cd, ARG_STR(OPT_KEYSLOT_CIPHER_ID), ARG_UINT32(OPT_KEYSLOT_KEY_SIZE_ID) / 8);
92 static int _try_token_pin_unlock(struct crypt_device *cd,
94 const char *activated_name,
95 const char *token_type,
96 uint32_t activate_flags,
101 char msg[64], *pin = NULL;
105 assert(token_id >= 0 || token_id == CRYPT_ANY_TOKEN);
107 if (token_id == CRYPT_ANY_TOKEN)
108 r = snprintf(msg, sizeof(msg), _("Enter token PIN: "));
110 r = snprintf(msg, sizeof(msg), _("Enter token %d PIN: "), token_id);
111 if (r < 0 || (size_t)r >= sizeof(msg))
115 r = tools_get_key(msg, &pin, &pin_len, 0, 0, NULL,
116 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
121 r = crypt_activate_by_token_pin(cd, activated_name, token_type,
122 token_id, pin, pin_len, NULL,
125 r = crypt_resume_by_token_pin(cd, activated_name, token_type,
126 token_id, pin, pin_len, NULL);
127 crypt_safe_free(pin);
129 tools_keyslot_msg(r, UNLOCKED);
130 tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), token_id, true);
132 } while (r == -ENOANO && (--tries > 0));
137 static int action_open_plain(void)
139 struct crypt_device *cd = NULL, *cd1 = NULL;
140 const char *pcipher, *pmode;
141 char *msg, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
142 struct crypt_active_device cad;
143 struct crypt_params_plain params = {
144 .hash = ARG_SET(OPT_HASH_ID) ? ARG_STR(OPT_HASH_ID) : DEFAULT_PLAIN_HASH,
145 .skip = ARG_UINT64(OPT_SKIP_ID),
146 .offset = ARG_UINT64(OPT_OFFSET_ID),
147 .sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID) ?: SECTOR_SIZE
149 char *password = NULL;
150 const char *activated_name = NULL;
151 size_t passwordLen, key_size_max, signatures = 0,
152 key_size = (ARG_UINT32(OPT_KEY_SIZE_ID) ?: DEFAULT_PLAIN_KEYBITS) / 8;
153 uint32_t activate_flags = 0;
156 r = crypt_parse_name_and_mode(ARG_STR(OPT_CIPHER_ID) ?: DEFAULT_CIPHER(PLAIN),
157 cipher, NULL, cipher_mode);
159 log_err(_("No known cipher specification pattern detected."));
163 /* FIXME: temporary hack, no hashing for keyfiles in plain mode */
164 if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) {
166 if (!ARG_SET(OPT_BATCH_MODE_ID) && ARG_SET(OPT_HASH_ID))
167 log_std(_("WARNING: The --hash parameter is being ignored "
168 "in plain mode with keyfile specified.\n"));
171 if (params.hash && !strcmp(params.hash, "plain"))
174 if (!ARG_SET(OPT_BATCH_MODE_ID) && !params.hash && ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && ARG_SET(OPT_KEYFILE_SIZE_ID))
175 log_std(_("WARNING: The --keyfile-size option is being ignored, "
176 "the read size is the same as the encryption key size.\n"));
178 if (ARG_SET(OPT_REFRESH_ID)) {
179 activated_name = action_argc > 1 ? action_argv[1] : action_argv[0];
180 r = crypt_init_by_name_and_header(&cd1, activated_name, NULL);
183 r = crypt_get_active_device(cd1, activated_name, &cad);
187 /* copy known parameters from existing device */
188 params.skip = crypt_get_iv_offset(cd1);
189 params.offset = crypt_get_data_offset(cd1);
190 params.size = cad.size;
191 params.sector_size = crypt_get_sector_size(cd1);
192 key_size = crypt_get_volume_key_size(cd1);
194 if ((r = crypt_init(&cd, crypt_get_device_name(cd1))))
197 activate_flags |= CRYPT_ACTIVATE_REFRESH;
199 pcipher = crypt_get_cipher(cd1);
200 pmode = crypt_get_cipher_mode(cd1);
202 activated_name = action_argv[1];
203 if ((r = crypt_init(&cd, action_argv[0])))
206 /* Skip blkid scan when activating plain device with offset */
207 if (!ARG_UINT64(OPT_OFFSET_ID)) {
208 /* Print all present signatures in read-only mode */
209 r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID));
214 if (signatures && !ARG_SET(OPT_BATCH_MODE_ID)) {
215 r = asprintf(&msg, _("Detected device signature(s) on %s. Proceeding further may damage existing data."), action_argv[0]);
221 r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL;
231 if (ARG_SET(OPT_DEVICE_SIZE_ID))
232 params.size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE;
233 else if (ARG_SET(OPT_SIZE_ID))
234 params.size = ARG_UINT64(OPT_SIZE_ID);
236 r = crypt_format(cd, CRYPT_PLAIN,
245 if (ARG_SET(OPT_SHARED_ID))
246 activate_flags |= CRYPT_ACTIVATE_SHARED;
248 set_activation_flags(&activate_flags);
250 if (!tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) {
251 /* If no hash, key is read directly, read size is always key_size
252 * (possible --keyfile_size is ignored.
253 * If hash is specified, --keyfile_size is applied.
254 * The --keyfile_offset is applied always.
256 key_size_max = params.hash ? ARG_UINT32(OPT_KEYFILE_SIZE_ID) : key_size;
257 r = crypt_activate_by_keyfile_device_offset(cd, action_argv[1],
258 CRYPT_ANY_SLOT, ARG_STR(OPT_KEY_FILE_ID), key_size_max,
259 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), activate_flags);
261 key_size_max = (ARG_SET(OPT_KEY_FILE_ID) && !params.hash) ? key_size : ARG_UINT32(OPT_KEYFILE_SIZE_ID);
262 r = tools_get_key(NULL, &password, &passwordLen,
263 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), key_size_max,
264 ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID),
265 verify_passphrase(0), 0, cd);
269 r = crypt_activate_by_passphrase(cd, activated_name,
270 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
275 crypt_safe_free(password);
280 static int action_open_loopaes(void)
282 struct crypt_device *cd = NULL;
283 struct crypt_params_loopaes params = {
284 .hash = ARG_STR(OPT_HASH_ID),
285 .offset = ARG_UINT64(OPT_OFFSET_ID),
286 .skip = ARG_SET(OPT_SKIP_ID) ? ARG_UINT64(OPT_SKIP_ID) : ARG_UINT64(OPT_OFFSET_ID)
288 unsigned int key_size = (ARG_UINT32(OPT_KEY_SIZE_ID) ?: DEFAULT_LOOPAES_KEYBITS) / 8;
289 uint32_t activate_flags = 0;
290 const char *activated_name = NULL;
293 if (!ARG_SET(OPT_KEY_FILE_ID)) {
294 log_err(_("Option --key-file is required."));
298 if (ARG_SET(OPT_REFRESH_ID)) {
299 activated_name = action_argc > 1 ? action_argv[1] : action_argv[0];
300 if ((r = crypt_init_by_name(&cd, activated_name)))
302 activate_flags |= CRYPT_ACTIVATE_REFRESH;
304 activated_name = action_argv[1];
305 if ((r = crypt_init(&cd, action_argv[0])))
308 r = crypt_format(cd, CRYPT_LOOPAES, ARG_STR(OPT_CIPHER_ID) ?: DEFAULT_LOOPAES_CIPHER,
309 NULL, NULL, NULL, key_size, ¶ms);
315 set_activation_flags(&activate_flags);
317 r = crypt_activate_by_keyfile_device_offset(cd, activated_name, CRYPT_ANY_SLOT,
318 tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) ? "/dev/stdin" : ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID),
319 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), activate_flags);
326 static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *params)
328 int r, tries, eperm = 0;
330 tries = set_tries_tty();
332 /* TCRYPT header is encrypted, get passphrase now */
333 r = tools_get_key(NULL, CONST_CAST(char**)¶ms->passphrase,
334 ¶ms->passphrase_size, 0, 0, keyfile_stdin, ARG_UINT32(OPT_TIMEOUT_ID),
335 verify_passphrase(0), 0, cd);
339 if (ARG_SET(OPT_VERACRYPT_QUERY_PIM_ID)) {
340 char *tmp_pim_nptr = NULL;
341 char *tmp_pim_end = NULL;
342 size_t tmp_pim_size = 0;
343 unsigned long long tmp_pim_ull = 0;
345 r = tools_get_key(_("Enter VeraCrypt PIM: "),
347 &tmp_pim_size, 0, 0, keyfile_stdin, ARG_UINT32(OPT_TIMEOUT_ID),
348 verify_passphrase(0), 0, cd);
352 tmp_pim_ull = strtoull(tmp_pim_nptr, &tmp_pim_end, 10);
353 if (*tmp_pim_nptr == '\0' || !tmp_pim_end || *tmp_pim_end != '\0') {
354 log_err(_("Invalid PIM value: parse error."));
356 } else if (tmp_pim_ull == 0) {
357 log_err(_("Invalid PIM value: 0."));
359 } else if (tmp_pim_ull > UINT32_MAX) {
360 log_err(_("Invalid PIM value: outside of range."));
363 crypt_safe_free(tmp_pim_nptr);
367 params->veracrypt_pim = (uint32_t)tmp_pim_ull;
368 crypt_safe_memzero(&tmp_pim_ull, sizeof(tmp_pim_ull));
371 if (ARG_SET(OPT_TCRYPT_HIDDEN_ID))
372 params->flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
374 if (ARG_SET(OPT_TCRYPT_SYSTEM_ID))
375 params->flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
377 if (ARG_SET(OPT_TCRYPT_BACKUP_ID))
378 params->flags |= CRYPT_TCRYPT_BACKUP_HEADER;
380 r = crypt_load(cd, CRYPT_TCRYPT, params);
383 log_err(_("No device header detected with this passphrase."));
388 crypt_safe_free(CONST_CAST(char*)params->passphrase);
389 params->passphrase = NULL;
390 params->passphrase_size = 0;
393 } while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
395 /* Report wrong passphrase if at least one try failed */
396 if (eperm && r == -EPIPE)
402 static int action_open_tcrypt(void)
404 struct crypt_device *cd = NULL;
405 struct crypt_params_tcrypt params = {
406 .keyfiles = CONST_CAST(const char **)keyfiles,
407 .keyfiles_count = keyfiles_count,
408 .flags = CRYPT_TCRYPT_LEGACY_MODES |
409 (ARG_SET(OPT_DISABLE_VERACRYPT_ID) ? 0 : CRYPT_TCRYPT_VERA_MODES),
410 .veracrypt_pim = ARG_UINT32(OPT_VERACRYPT_PIM_ID),
411 .hash_name = ARG_STR(OPT_HASH_ID),
412 .cipher = ARG_STR(OPT_CIPHER_ID),
414 const char *activated_name;
415 uint32_t activate_flags = 0;
418 activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1];
420 r = crypt_init_data_device(&cd, ARG_STR(OPT_HEADER_ID) ?: action_argv[0], action_argv[0]);
424 r = tcrypt_load(cd, ¶ms);
428 set_activation_flags(&activate_flags);
431 r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, activate_flags);
434 crypt_safe_free(CONST_CAST(char*)params.passphrase);
435 crypt_safe_memzero(¶ms.veracrypt_pim, sizeof(params.veracrypt_pim));
439 static int action_open_bitlk(void)
441 struct crypt_device *cd = NULL;
442 const char *activated_name;
443 uint32_t activate_flags = 0;
444 int r, tries, keysize;
445 char *password = NULL;
449 activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1];
451 if ((r = crypt_init(&cd, action_argv[0])))
454 r = crypt_load(cd, CRYPT_BITLK, NULL);
456 log_err(_("Device %s is not a valid BITLK device."), action_argv[0]);
459 set_activation_flags(&activate_flags);
461 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
462 keysize = crypt_get_volume_key_size(cd);
463 if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) {
464 log_err(_("Cannot determine volume key size for BITLK, please use --key-size option."));
468 keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
470 r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize);
473 r = crypt_activate_by_volume_key(cd, activated_name,
474 key, keysize, activate_flags);
476 tries = set_tries_tty();
478 r = tools_get_key(NULL, &password, &passwordLen,
479 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
480 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
484 r = crypt_activate_by_passphrase(cd, activated_name, CRYPT_ANY_SLOT,
485 password, passwordLen, activate_flags);
486 tools_passphrase_msg(r);
488 crypt_safe_free(password);
490 } while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
493 crypt_safe_free(password);
494 crypt_safe_free(key);
499 static int tcryptDump_with_volume_key(struct crypt_device *cd)
505 if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog(
506 _("Header dump with volume key is sensitive information\n"
507 "which allows access to encrypted partition without passphrase.\n"
508 "This dump should be always stored encrypted on safe place."),
512 vk_size = crypt_get_volume_key_size(cd);
513 vk = crypt_safe_alloc(vk_size);
517 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size, NULL, 0);
521 log_std("TCRYPT header information for %s\n", crypt_get_device_name(cd));
522 log_std("Cipher chain: \t%s\n", crypt_get_cipher(cd));
523 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
524 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
525 log_std("MK bits: \t%d\n", (int)vk_size * 8);
526 log_std("MK dump:\t");
527 crypt_log_hex(NULL, vk, vk_size, " ", 16, "\n\t\t");
534 static int action_tcryptDump(void)
536 struct crypt_device *cd = NULL;
537 struct crypt_params_tcrypt params = {
538 .keyfiles = CONST_CAST(const char **)keyfiles,
539 .keyfiles_count = keyfiles_count,
540 .flags = CRYPT_TCRYPT_LEGACY_MODES |
541 (ARG_SET(OPT_DISABLE_VERACRYPT_ID) ? 0: CRYPT_TCRYPT_VERA_MODES),
542 .veracrypt_pim = ARG_UINT32(OPT_VERACRYPT_PIM_ID),
543 .hash_name = ARG_STR(OPT_HASH_ID),
544 .cipher = ARG_STR(OPT_CIPHER_ID),
547 r = crypt_init_data_device(&cd, ARG_STR(OPT_HEADER_ID) ?: action_argv[0], action_argv[0]);
551 r = tcrypt_load(cd, ¶ms);
555 if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID))
556 r = tcryptDump_with_volume_key(cd);
561 crypt_safe_free(CONST_CAST(char*)params.passphrase);
565 static int bitlkDump_with_volume_key(struct crypt_device *cd)
567 char *vk = NULL, *password = NULL;
568 size_t passwordLen = 0;
572 if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog(
573 _("The header dump with volume key is sensitive information\n"
574 "that allows access to encrypted partition without a passphrase.\n"
575 "This dump should be stored encrypted in a safe place."),
579 vk_size = crypt_get_volume_key_size(cd);
580 vk = crypt_safe_alloc(vk_size);
584 r = tools_get_key(NULL, &password, &passwordLen,
585 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
586 ARG_UINT32(OPT_TIMEOUT_ID), 0, 0, cd);
590 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
591 password, passwordLen);
592 tools_passphrase_msg(r);
596 tools_keyslot_msg(r, UNLOCKED);
598 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
599 r = tools_write_mk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), vk, vk_size);
604 log_std("BITLK header information for %s\n", crypt_get_device_name(cd));
605 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
606 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
607 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
608 log_std("MK bits: \t%d\n", (int)vk_size * 8);
609 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
610 log_std("Key stored to file %s.\n", ARG_STR(OPT_VOLUME_KEY_FILE_ID));
613 log_std("MK dump:\t");
614 crypt_log_hex(NULL, vk, vk_size, " ", 16, "\n\t\t");
617 crypt_safe_free(password);
622 static int action_bitlkDump(void)
624 struct crypt_device *cd = NULL;
627 if ((r = crypt_init(&cd, action_argv[0])))
630 r = crypt_load(cd, CRYPT_BITLK, NULL);
632 log_err(_("Device %s is not a valid BITLK device."), action_argv[0]);
636 if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID))
637 r = bitlkDump_with_volume_key(cd);
645 static int fvault2Dump_with_volume_key(struct crypt_device *cd)
648 char *password = NULL;
653 if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog(
654 _("The header dump with volume key is sensitive information\n"
655 "that allows access to encrypted partition without a passphrase.\n"
656 "This dump should be stored encrypted in a safe place."),
660 vk_size = crypt_get_volume_key_size(cd);
661 vk = crypt_safe_alloc(vk_size);
665 r = tools_get_key(NULL, &password, &pass_len,
666 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID),
667 ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID), 0, 0, cd);
671 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size, password, pass_len);
672 tools_passphrase_msg(r);
677 tools_keyslot_msg(r, UNLOCKED);
679 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
680 r = tools_write_mk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), vk, vk_size);
689 log_std("Volume key: \t");
690 crypt_log_hex(cd, vk, vk_size, " ", 0, NULL);
693 crypt_safe_free(password);
698 static int action_fvault2Dump(void)
700 struct crypt_device *cd = NULL;
703 r = crypt_init(&cd, action_argv[0]);
707 r = crypt_load(cd, CRYPT_FVAULT2, NULL);
709 log_err(_("Device %s is not a valid FVAULT2 device."), action_argv[0]);
713 if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID))
714 r = fvault2Dump_with_volume_key(cd);
722 static int action_open_fvault2(void)
724 struct crypt_device *cd = NULL;
725 const char *activated_name;
726 uint32_t activate_flags = 0;
727 int r, tries, keysize;
728 char *password = NULL;
732 activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1];
734 if ((r = crypt_init(&cd, action_argv[0])))
737 r = crypt_load(cd, CRYPT_FVAULT2, NULL);
739 log_err(_("Device %s is not a valid FVAULT2 device."), action_argv[0]);
742 set_activation_flags(&activate_flags);
744 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
745 keysize = crypt_get_volume_key_size(cd);
746 if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) {
747 log_err(_("Cannot determine volume key size for FVAULT2, please use --key-size option."));
751 keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
753 r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize);
756 r = crypt_activate_by_volume_key(cd, activated_name, key, keysize, activate_flags);
758 tries = set_tries_tty();
760 r = tools_get_key(NULL, &password, &passwordLen,
761 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID),
762 ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID),
763 verify_passphrase(0), 0, cd);
767 r = crypt_activate_by_passphrase(cd, activated_name, CRYPT_ANY_SLOT,
768 password, passwordLen, activate_flags);
769 tools_passphrase_msg(r);
771 crypt_safe_free(password);
773 } while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
776 crypt_safe_free(password);
777 crypt_safe_free(key);
782 static int action_close(void)
784 struct crypt_device *cd = NULL;
785 crypt_status_info ci;
789 if (ARG_SET(OPT_DEFERRED_ID))
790 flags |= CRYPT_DEACTIVATE_DEFERRED;
791 if (ARG_SET(OPT_CANCEL_DEFERRED_ID))
792 flags |= CRYPT_DEACTIVATE_DEFERRED_CANCEL;
794 r = crypt_init_by_name_and_header(&cd, action_argv[0], ARG_STR(OPT_HEADER_ID));
796 r = crypt_deactivate_by_name(cd, action_argv[0], flags);
798 if (!r && ARG_SET(OPT_DEFERRED_ID)) {
799 ci = crypt_status(cd, action_argv[0]);
800 if (ci == CRYPT_ACTIVE || ci == CRYPT_BUSY)
801 log_std(_("Device %s is still active and scheduled for deferred removal.\n"),
809 static int action_resize(void)
813 struct crypt_active_device cad;
814 uint64_t dev_size = 0;
815 char *password = NULL;
816 struct crypt_device *cd = NULL;
818 r = crypt_init_by_name_and_header(&cd, action_argv[0], ARG_STR(OPT_HEADER_ID));
822 /* FIXME: LUKS2 may enforce fixed size and it must not be changed */
823 r = crypt_get_active_device(cd, action_argv[0], &cad);
827 if (ARG_SET(OPT_DEVICE_SIZE_ID))
828 dev_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE;
829 else if (ARG_SET(OPT_SIZE_ID))
830 dev_size = ARG_UINT64(OPT_SIZE_ID);
832 if (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) {
833 if (ARG_SET(OPT_DISABLE_KEYRING_ID)) {
835 log_err(_("Resize of active device requires volume key "
836 "in keyring but --disable-keyring option is set."));
840 /* try load VK in kernel keyring using token */
841 r = crypt_activate_by_token_pin(cd, NULL, ARG_STR(OPT_TOKEN_TYPE_ID),
842 ARG_INT32(OPT_TOKEN_ID_ID), NULL, 0, NULL,
843 CRYPT_ACTIVATE_KEYRING_KEY);
844 tools_keyslot_msg(r, UNLOCKED);
845 tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), ARG_INT32(OPT_TOKEN_ID_ID), false);
847 /* Token requires PIN. Ask if there is evident preference for tokens */
848 if (r == -ENOANO && (ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) ||
849 ARG_SET(OPT_TOKEN_ID_ID)))
850 r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), NULL, ARG_STR(OPT_TOKEN_TYPE_ID), CRYPT_ACTIVATE_KEYRING_KEY, 1, true);
852 if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
855 r = tools_get_key(NULL, &password, &passwordLen,
856 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
857 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
861 r = crypt_activate_by_passphrase(cd, NULL, ARG_INT32(OPT_KEY_SLOT_ID),
862 password, passwordLen,
863 CRYPT_ACTIVATE_KEYRING_KEY);
864 tools_passphrase_msg(r);
865 tools_keyslot_msg(r, UNLOCKED);
870 r = crypt_resize(cd, action_argv[0], dev_size);
872 crypt_safe_free(password);
877 static int action_status(void)
879 crypt_status_info ci;
880 crypt_reencrypt_info ri;
881 struct crypt_active_device cad;
882 struct crypt_params_integrity ip = {};
883 struct crypt_device *cd = NULL;
888 /* perhaps a path, not a dm device name */
889 if (strchr(action_argv[0], '/'))
892 ci = crypt_status(NULL, action_argv[0]);
899 log_std("%s is inactive.\n", action_argv[0]);
901 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
907 log_std("%s is active%s.\n", action_argv[0],
908 ci == CRYPT_BUSY ? " and is in use" : "");
910 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
911 ci == CRYPT_BUSY ? " and is in use" : "");
913 r = crypt_init_by_name_and_header(&cd, action_argv[0], ARG_STR(OPT_HEADER_ID));
917 log_std(" type: %s\n", crypt_get_type(cd) ?: "n/a");
919 /* Print only CRYPT type devices */
920 if (!crypt_get_cipher(cd))
923 ri = crypt_reencrypt_status(cd, NULL);
924 if (ri > CRYPT_REENCRYPT_NONE && ri < CRYPT_REENCRYPT_INVALID)
925 log_std(" reencryption: in-progress\n");
927 r = crypt_get_active_device(cd, action_argv[0], &cad);
931 r = crypt_get_integrity_info(cd, &ip);
932 if (r < 0 && r != -ENOTSUP)
935 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
936 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
937 log_std(" key location: %s\n", (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) ? "keyring" : "dm-crypt");
939 log_std(" integrity: %s\n", ip.integrity);
940 if (ip.integrity_key_size)
941 log_std(" integrity keysize: %d bits\n", ip.integrity_key_size * 8);
942 device = crypt_get_device_name(cd);
943 log_std(" device: %s\n", device);
944 if ((backing_file = crypt_loop_backing_file(device))) {
945 log_std(" loop: %s\n", backing_file);
948 log_std(" sector size: %d\n", crypt_get_sector_size(cd));
949 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
950 log_std(" size: %" PRIu64 " sectors\n", cad.size);
952 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
953 log_std(" mode: %s%s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
954 "readonly" : "read/write",
955 (cad.flags & CRYPT_ACTIVATE_SUSPENDED) ? " (suspended)" : "");
956 if (cad.flags & (CRYPT_ACTIVATE_ALLOW_DISCARDS|
957 CRYPT_ACTIVATE_SAME_CPU_CRYPT|
958 CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS|
959 CRYPT_ACTIVATE_NO_READ_WORKQUEUE|
960 CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE))
961 log_std(" flags: %s%s%s%s%s\n",
962 (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) ? "discards " : "",
963 (cad.flags & CRYPT_ACTIVATE_SAME_CPU_CRYPT) ? "same_cpu_crypt " : "",
964 (cad.flags & CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) ? "submit_from_crypt_cpus " : "",
965 (cad.flags & CRYPT_ACTIVATE_NO_READ_WORKQUEUE) ? "no_read_workqueue " : "",
966 (cad.flags & CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE) ? "no_write_workqueue" : "");
975 static int benchmark_callback(uint32_t time_ms, void *usrptr)
977 struct crypt_pbkdf_type *pbkdf = usrptr;
982 log_err(_("Benchmark interrupted."));
984 log_dbg("PBKDF benchmark: memory cost = %u, iterations = %u, "
985 "threads = %u (took %u ms)", pbkdf->max_memory_kb,
986 pbkdf->iterations, pbkdf->parallel_threads, time_ms);
990 static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_size)
993 if (!strcmp(kdf, CRYPT_KDF_PBKDF2)) {
994 struct crypt_pbkdf_type pbkdf = {
995 .type = CRYPT_KDF_PBKDF2,
1000 r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, "0123456789abcdef", 16, key_size,
1001 &benchmark_callback, &pbkdf);
1003 log_std(_("PBKDF2-%-9s N/A\n"), hash);
1005 log_std(_("PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"),
1006 hash, pbkdf.iterations, key_size * 8);
1008 struct crypt_pbkdf_type pbkdf = {
1010 .time_ms = ARG_UINT32(OPT_ITER_TIME_ID) ?: DEFAULT_LUKS2_ITER_TIME,
1011 .max_memory_kb = ARG_UINT32(OPT_PBKDF_MEMORY_ID),
1012 .parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID)
1015 r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8,
1016 "0123456789abcdef0123456789abcdef", 32,
1017 key_size, &benchmark_callback, &pbkdf);
1019 log_std(_("%-10s N/A\n"), kdf);
1021 log_std(_("%-10s %4u iterations, %5u memory, "
1022 "%1u parallel threads (CPUs) for "
1023 "%zu-bit key (requested %u ms time)\n"), kdf,
1024 pbkdf.iterations, pbkdf.max_memory_kb, pbkdf.parallel_threads,
1025 key_size * 8, pbkdf.time_ms);
1031 static int benchmark_cipher_loop(const char *cipher, const char *cipher_mode,
1032 size_t volume_key_size,
1033 double *encryption_mbs, double *decryption_mbs)
1035 int r, buffer_size = 1024 * 1024;
1038 r = crypt_benchmark(NULL, cipher, cipher_mode,
1039 volume_key_size, 0, buffer_size,
1040 encryption_mbs, decryption_mbs);
1042 if (buffer_size < 1024 * 1024 * 65)
1045 log_err(_("Result of benchmark is not reliable."));
1049 } while (r == -ERANGE);
1054 static int action_benchmark(void)
1061 { "aes", "cbc", 16 },
1062 { "serpent", "cbc", 16 },
1063 { "twofish", "cbc", 16 },
1064 { "aes", "cbc", 32 },
1065 { "serpent", "cbc", 32 },
1066 { "twofish", "cbc", 32 },
1067 { "aes", "xts", 32 },
1068 { "serpent", "xts", 32 },
1069 { "twofish", "xts", 32 },
1070 { "aes", "xts", 64 },
1071 { "serpent", "xts", 64 },
1072 { "twofish", "xts", 64 },
1079 { CRYPT_KDF_PBKDF2, "sha1" },
1080 { CRYPT_KDF_PBKDF2, "sha256" },
1081 { CRYPT_KDF_PBKDF2, "sha512" },
1082 { CRYPT_KDF_PBKDF2, "ripemd160" },
1083 { CRYPT_KDF_PBKDF2, "whirlpool" },
1084 { CRYPT_KDF_ARGON2I, NULL },
1085 { CRYPT_KDF_ARGON2ID, NULL },
1088 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
1089 double enc_mbr = 0, dec_mbr = 0;
1090 int key_size = (ARG_UINT32(OPT_KEY_SIZE_ID) ?: DEFAULT_PLAIN_KEYBITS) / 8;
1091 int skipped = 0, width;
1095 log_std(_("# Tests are approximate using memory only (no storage IO).\n"));
1096 if (set_pbkdf || ARG_SET(OPT_HASH_ID)) {
1097 if (!set_pbkdf && ARG_SET(OPT_HASH_ID))
1098 set_pbkdf = CRYPT_KDF_PBKDF2;
1099 r = action_benchmark_kdf(set_pbkdf, ARG_STR(OPT_HASH_ID), key_size);
1100 } else if (ARG_SET(OPT_CIPHER_ID)) {
1101 r = crypt_parse_name_and_mode(ARG_STR(OPT_CIPHER_ID), cipher, NULL, cipher_mode);
1103 log_err(_("No known cipher specification pattern detected."));
1106 if ((c = strchr(cipher_mode, '-')))
1109 r = benchmark_cipher_loop(cipher, cipher_mode, key_size, &enc_mbr, &dec_mbr);
1111 width = strlen(cipher) + strlen(cipher_mode) + 1;
1114 /* TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. */
1115 log_std(_("#%*s Algorithm | Key | Encryption | Decryption\n"), width - 11, "");
1116 log_std("%*s-%s %9db %10.1f MiB/s %10.1f MiB/s\n", width - (int)strlen(cipher_mode) - 1,
1117 cipher, cipher_mode, key_size*8, enc_mbr, dec_mbr);
1119 log_err(_("Cipher %s (with %i bits key) is not available."), ARG_STR(OPT_CIPHER_ID), key_size * 8);
1121 for (i = 0; bkdfs[i].type; i++) {
1122 r = action_benchmark_kdf(bkdfs[i].type, bkdfs[i].hash, key_size);
1128 for (i = 0; bciphers[i].cipher; i++) {
1129 r = benchmark_cipher_loop(bciphers[i].cipher, bciphers[i].mode,
1130 bciphers[i].key_size, &enc_mbr, &dec_mbr);
1132 if (r == -ENOTSUP || r == -EINTR)
1137 /* TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. */
1138 log_std(_("# Algorithm | Key | Encryption | Decryption\n"));
1140 if (snprintf(cipher, MAX_CIPHER_LEN, "%s-%s",
1141 bciphers[i].cipher, bciphers[i].mode) < 0)
1145 log_std("%15s %9zub %10.1f MiB/s %10.1f MiB/s\n",
1146 cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr);
1148 log_std("%15s %9zub %17s %17s\n", cipher,
1149 bciphers[i].key_size*8, _("N/A"), _("N/A"));
1151 if (skipped && skipped == i)
1155 if (r == -ENOTSUP) {
1156 log_err(_("Required kernel crypto interface not available."));
1157 #ifdef ENABLE_AF_ALG
1158 log_err( _("Ensure you have algif_skcipher kernel module loaded."));
1164 static int reencrypt_metadata_repair(struct crypt_device *cd)
1169 struct crypt_params_reencrypt params = {
1170 .flags = CRYPT_REENCRYPT_REPAIR_NEEDED
1173 if (!ARG_SET(OPT_BATCH_MODE_ID) &&
1174 !yesDialog(_("Unprotected LUKS2 reencryption metadata detected. "
1175 "Please verify the reencryption operation is desirable (see luksDump output)\n"
1176 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."),
1177 _("Operation aborted.\n")))
1180 r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "),
1181 &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
1182 ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID),
1183 verify_passphrase(0), 0, cd);
1187 r = crypt_reencrypt_init_by_passphrase(cd, NULL, password, passwordLen,
1188 ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_KEY_SLOT_ID), NULL, NULL, ¶ms);
1189 tools_passphrase_msg(r);
1193 r = crypt_activate_by_passphrase(cd, NULL, ARG_INT32(OPT_KEY_SLOT_ID),
1194 password, passwordLen, 0);
1195 tools_passphrase_msg(r);
1200 crypt_safe_free(password);
1204 static int luks2_reencrypt_repair(struct crypt_device *cd)
1209 char *password = NULL;
1210 struct crypt_params_reencrypt params = {};
1212 crypt_reencrypt_info ri = crypt_reencrypt_status(cd, ¶ms);
1214 if (params.flags & CRYPT_REENCRYPT_REPAIR_NEEDED)
1215 return reencrypt_metadata_repair(cd);
1218 case CRYPT_REENCRYPT_NONE:
1220 case CRYPT_REENCRYPT_CLEAN:
1222 case CRYPT_REENCRYPT_CRASH:
1223 if (!ARG_SET(OPT_BATCH_MODE_ID) &&
1224 !yesDialog(_("Really proceed with LUKS2 reencryption recovery?"),
1225 _("Operation aborted.\n")))
1232 if (ri == CRYPT_REENCRYPT_CLEAN)
1233 msg = _("Enter passphrase to verify reencryption metadata digest: ");
1235 msg = _("Enter passphrase for reencryption recovery: ");
1237 r = tools_get_key(msg, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
1238 ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID),
1239 verify_passphrase(0), 0, cd);
1243 r = crypt_activate_by_passphrase(cd, NULL, ARG_INT32(OPT_KEY_SLOT_ID),
1244 password, passwordLen, 0);
1248 if (ri == CRYPT_REENCRYPT_CLEAN) {
1253 r = crypt_reencrypt_init_by_passphrase(cd, NULL, password, passwordLen,
1254 ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_KEY_SLOT_ID), NULL, NULL,
1255 &(struct crypt_params_reencrypt){ .flags = CRYPT_REENCRYPT_RECOVERY });
1259 crypt_safe_free(password);
1264 static int action_luksRepair(void)
1266 struct crypt_device *cd = NULL;
1269 if ((r = crypt_init_data_device(&cd, ARG_STR(OPT_HEADER_ID) ?: action_argv[0],
1273 crypt_set_log_callback(cd, quiet_log, &log_parms);
1274 r = crypt_load(cd, luksType(device_type), NULL);
1275 crypt_set_log_callback(cd, tool_log, &log_parms);
1276 if (r == 0 && isLUKS2(crypt_get_type(cd))) {
1278 * LUKS2 triggers autorepair in crypt_load() above
1279 * LUKS1 need to call crypt_repair() even if crypt_load() is ok
1281 log_verbose(_("No known problems detected for LUKS header."));
1285 r = tools_detect_signatures(action_argv[0], PRB_FILTER_LUKS, NULL, ARG_SET(OPT_BATCH_MODE_ID));
1289 if (!ARG_SET(OPT_BATCH_MODE_ID) &&
1290 !yesDialog(_("Really try to repair LUKS device header?"),
1291 _("Operation aborted.\n")))
1294 r = crypt_repair(cd, luksType(device_type), NULL);
1296 /* Header is ok, check if reencryption metadata needs repair/recovery. */
1297 if (!r && isLUKS2(crypt_get_type(cd)))
1298 r = luks2_reencrypt_repair(cd);
1304 static int _wipe_data_device(struct crypt_device *cd)
1306 char tmp_name[64], tmp_path[128], tmp_uuid[40];
1307 uuid_t tmp_uuid_bin;
1309 char *backing_file = NULL;
1310 struct tools_progress_params prog_parms = {
1311 .frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID),
1312 .batch_mode = ARG_SET(OPT_BATCH_MODE_ID),
1313 .json_output = ARG_SET(OPT_PROGRESS_JSON_ID),
1314 .interrupt_message = _("\nWipe interrupted."),
1315 .device = tools_get_device_name(crypt_get_device_name(cd), &backing_file)
1318 if (!ARG_SET(OPT_BATCH_MODE_ID))
1319 log_std(_("Wiping device to initialize integrity checksum.\n"
1320 "You can interrupt this by pressing CTRL+c "
1321 "(rest of not wiped device will contain invalid checksum).\n"));
1323 /* Activate the device a temporary one */
1324 uuid_generate(tmp_uuid_bin);
1325 uuid_unparse(tmp_uuid_bin, tmp_uuid);
1326 if (snprintf(tmp_name, sizeof(tmp_name), "temporary-cryptsetup-%s", tmp_uuid) < 0)
1328 if (snprintf(tmp_path, sizeof(tmp_path), "%s/%s", crypt_get_dir(), tmp_name) < 0)
1331 r = crypt_activate_by_volume_key(cd, tmp_name, NULL, 0,
1332 CRYPT_ACTIVATE_PRIVATE | CRYPT_ACTIVATE_NO_JOURNAL);
1336 /* Wipe the device */
1338 r = crypt_wipe(cd, tmp_path, CRYPT_WIPE_ZERO, 0, 0, DEFAULT_WIPE_BLOCK,
1339 0, &tools_progress, &prog_parms);
1340 if (crypt_deactivate(cd, tmp_name))
1341 log_err(_("Cannot deactivate temporary device %s."), tmp_path);
1349 static int strcmp_or_null(const char *str, const char *expected)
1351 return !str ? 0 : strcmp(str, expected);
1354 int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen)
1356 int r = -EINVAL, keysize, integrity_keysize = 0, fd, created = 0;
1358 const char *header_device, *type;
1359 char *msg = NULL, *key = NULL, *password = NULL;
1360 char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN], integrity[MAX_CIPHER_LEN];
1361 size_t passwordLen, signatures;
1362 struct crypt_device *cd = NULL;
1363 struct crypt_params_luks1 params1 = {
1364 .hash = ARG_STR(OPT_HASH_ID) ?: DEFAULT_LUKS1_HASH,
1365 .data_alignment = ARG_UINT32(OPT_ALIGN_PAYLOAD_ID),
1366 .data_device = ARG_SET(OPT_HEADER_ID) ? action_argv[0] : NULL,
1368 struct crypt_params_luks2 params2 = {
1369 .data_alignment = params1.data_alignment,
1370 .data_device = params1.data_device,
1371 .sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID),
1372 .label = ARG_STR(OPT_LABEL_ID),
1373 .subsystem = ARG_STR(OPT_SUBSYSTEM_ID)
1377 type = luksType(device_type);
1379 type = crypt_get_default_type();
1381 if (isLUKS2(type)) {
1383 } else if (isLUKS1(type)) {
1386 if (ARG_UINT32(OPT_SECTOR_SIZE_ID) > SECTOR_SIZE) {
1387 log_err(_("Unsupported encryption sector size."));
1391 if (ARG_SET(OPT_INTEGRITY_ID)) {
1392 log_err(_("Integrity option can be used only for LUKS2 format."));
1396 if (ARG_SET(OPT_LUKS2_KEYSLOTS_SIZE_ID) || ARG_SET(OPT_LUKS2_METADATA_SIZE_ID)) {
1397 log_err(_("Unsupported LUKS2 metadata size options."));
1403 /* Create header file (must contain at least one sector)? */
1404 if (ARG_SET(OPT_HEADER_ID) && stat(ARG_STR(OPT_HEADER_ID), &st) < 0 && errno == ENOENT) {
1405 if (!ARG_SET(OPT_BATCH_MODE_ID) &&
1406 !yesDialog(_("Header file does not exist, do you want to create it?"),
1407 _("Operation aborted.\n")))
1410 log_dbg("Creating header file.");
1411 /* coverity[toctou] */
1412 fd = open(ARG_STR(OPT_HEADER_ID), O_CREAT|O_EXCL|O_WRONLY, S_IRUSR|S_IWUSR);
1413 if (fd == -1 || posix_fallocate(fd, 0, 4096))
1414 log_err(_("Cannot create header file %s."), ARG_STR(OPT_HEADER_ID));
1425 header_device = ARG_STR(OPT_HEADER_ID) ?: action_argv[0];
1427 r = crypt_parse_name_and_mode(ARG_STR(OPT_CIPHER_ID) ?: DEFAULT_CIPHER(LUKS1),
1428 cipher, NULL, cipher_mode);
1430 log_err(_("No known cipher specification pattern detected."));
1434 if (ARG_SET(OPT_INTEGRITY_ID)) {
1435 r = crypt_parse_integrity_mode(ARG_STR(OPT_INTEGRITY_ID), integrity, &integrity_keysize);
1437 log_err(_("No known integrity specification pattern detected."));
1440 params2.integrity = integrity;
1441 /* FIXME: we use default integrity_params (set to NULL) */
1444 /* Never call pwquality if using null cipher */
1445 if (crypt_is_cipher_null(cipher))
1446 ARG_SET_TRUE(OPT_FORCE_PASSWORD_ID);
1448 if ((r = crypt_init(&cd, header_device))) {
1449 if (ARG_SET(OPT_HEADER_ID))
1450 log_err(_("Cannot use %s as on-disk header."), header_device);
1454 if (ARG_SET(OPT_LUKS2_KEYSLOTS_SIZE_ID) || ARG_SET(OPT_LUKS2_METADATA_SIZE_ID)) {
1455 r = crypt_set_metadata_size(cd, ARG_UINT64(OPT_LUKS2_METADATA_SIZE_ID), ARG_UINT64(OPT_LUKS2_KEYSLOTS_SIZE_ID));
1457 log_err(_("Unsupported LUKS2 metadata size options."));
1462 if (ARG_SET(OPT_OFFSET_ID)) {
1463 r = crypt_set_data_offset(cd, ARG_UINT64(OPT_OFFSET_ID));
1468 /* Print all present signatures in read-only mode */
1469 r = tools_detect_signatures(header_device, PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID));
1473 if (!created && !ARG_SET(OPT_BATCH_MODE_ID)) {
1474 r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), header_device);
1480 r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL;
1486 keysize = get_adjusted_key_size(cipher_mode, DEFAULT_LUKS1_KEYBITS, integrity_keysize);
1488 if (ARG_SET(OPT_USE_RANDOM_ID))
1489 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
1490 else if (ARG_SET(OPT_USE_URANDOM_ID))
1491 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
1493 r = tools_get_key(NULL, &password, &passwordLen,
1494 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
1495 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd);
1499 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
1500 r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize);
1505 r = set_pbkdf_params(cd, type);
1507 log_err(_("Failed to set pbkdf parameters."));
1511 /* Signature candidates found */
1512 if (signatures && ((r = tools_wipe_all_signatures(header_device, true, false)) < 0))
1515 if (ARG_SET(OPT_INTEGRITY_LEGACY_PADDING_ID))
1516 crypt_set_compatibility(cd, CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING);
1518 r = crypt_format(cd, type, cipher, cipher_mode,
1519 ARG_STR(OPT_UUID_ID), key, keysize, params);
1524 r = _set_keyslot_encryption_params(cd);
1528 r = crypt_keyslot_add_by_volume_key(cd, ARG_INT32(OPT_KEY_SLOT_ID),
1530 password, passwordLen);
1532 (void) tools_wipe_all_signatures(header_device, true, false);
1535 tools_keyslot_msg(r, CREATED);
1537 if (ARG_SET(OPT_INTEGRITY_ID) && !ARG_SET(OPT_INTEGRITY_NO_WIPE_ID) &&
1538 strcmp_or_null(params2.integrity, "none"))
1539 r = _wipe_data_device(cd);
1541 if (r >= 0 && r_cd && r_password && r_passwordLen) {
1543 *r_password = password;
1544 *r_passwordLen = passwordLen;
1547 crypt_safe_free(password);
1550 crypt_safe_free(key);
1555 static int action_luksFormat(void)
1557 return luksFormat(NULL, NULL, NULL);
1560 static int action_open_luks(void)
1562 struct crypt_active_device cad;
1563 struct crypt_device *cd = NULL;
1564 const char *data_device, *header_device, *activated_name;
1566 uint32_t activate_flags = 0;
1567 int r, keysize, tries;
1568 char *password = NULL;
1572 if (ARG_SET(OPT_REFRESH_ID)) {
1573 activated_name = action_argc > 1 ? action_argv[1] : action_argv[0];
1574 r = crypt_init_by_name_and_header(&cd, activated_name, ARG_STR(OPT_HEADER_ID));
1577 activate_flags |= CRYPT_ACTIVATE_REFRESH;
1579 header_device = uuid_or_device_header(&data_device);
1581 activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1];
1583 if ((r = crypt_init_data_device(&cd, header_device, data_device)))
1586 if ((r = crypt_load(cd, luksType(device_type), NULL))) {
1587 log_err(_("Device %s is not a valid LUKS device."),
1592 if (!data_device && (crypt_get_data_offset(cd) < 8) && !ARG_SET(OPT_TEST_PASSPHRASE_ID)) {
1593 log_err(_("Reduced data offset is allowed only for detached LUKS header."));
1598 if (activated_name && !stat(crypt_get_device_name(cd), &st) && S_ISREG(st.st_mode) &&
1599 crypt_get_data_offset(cd) >= ((uint64_t)st.st_size / SECTOR_SIZE)) {
1600 log_err(_("LUKS file container %s is too small for activation, there is no remaining space for data."),
1601 crypt_get_device_name(cd));
1607 set_activation_flags(&activate_flags);
1609 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
1610 keysize = crypt_get_volume_key_size(cd);
1611 if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) {
1612 log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --key-size option."));
1615 } else if (!keysize)
1616 keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
1618 r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize);
1621 r = crypt_activate_by_volume_key(cd, activated_name,
1622 key, keysize, activate_flags);
1624 r = crypt_activate_by_token_pin(cd, activated_name, ARG_STR(OPT_TOKEN_TYPE_ID),
1625 ARG_INT32(OPT_TOKEN_ID_ID), NULL, 0, NULL, activate_flags);
1626 tools_keyslot_msg(r, UNLOCKED);
1627 tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), ARG_INT32(OPT_TOKEN_ID_ID), false);
1629 /* Token requires PIN. Ask if there is evident preference for tokens */
1630 if (r == -ENOANO && (ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) ||
1631 ARG_SET(OPT_TOKEN_ID_ID)))
1632 r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), activated_name, ARG_STR(OPT_TOKEN_TYPE_ID), activate_flags, set_tries_tty(), true);
1634 if (r >= 0 || r == -EEXIST || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
1637 tries = set_tries_tty();
1639 r = tools_get_key(NULL, &password, &passwordLen,
1640 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
1641 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
1645 r = crypt_activate_by_passphrase(cd, activated_name,
1646 ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen, activate_flags);
1647 tools_keyslot_msg(r, UNLOCKED);
1648 tools_passphrase_msg(r);
1650 crypt_safe_free(password);
1652 } while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
1655 if (r >= 0 && ARG_SET(OPT_PERSISTENT_ID) &&
1656 (crypt_get_active_device(cd, activated_name, &cad) ||
1657 crypt_persistent_flags_set(cd, CRYPT_FLAGS_ACTIVATION, cad.flags & activate_flags)))
1658 log_err(_("Device activated but cannot make flags persistent."));
1660 crypt_safe_free(key);
1661 crypt_safe_free(password);
1666 static int verify_keyslot(struct crypt_device *cd, int key_slot, crypt_keyslot_info ki,
1667 char *msg_last, char *msg_pass, char *msg_fail,
1668 const char *key_file, uint64_t keyfile_offset,
1671 char *password = NULL;
1675 if (ki == CRYPT_SLOT_ACTIVE_LAST && !ARG_SET(OPT_BATCH_MODE_ID) && !key_file &&
1676 msg_last && !ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog(msg_last, msg_fail))
1679 r = tools_get_key(msg_pass, &password, &passwordLen,
1680 keyfile_offset, keyfile_size, key_file, ARG_UINT32(OPT_TIMEOUT_ID),
1681 verify_passphrase(0), 0, cd);
1685 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
1686 /* check the last keyslot */
1687 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
1688 password, passwordLen, 0);
1690 /* try all other keyslots */
1691 r = crypt_keyslot_max(crypt_get_type(cd));
1696 for (i = 0; i < max ; i++) {
1699 ki = crypt_keyslot_status(cd, i);
1700 if (ki == CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_ACTIVE_LAST)
1701 r = crypt_activate_by_passphrase(cd, NULL, i,
1702 password, passwordLen, 0);
1708 /* Handle inactive keyslots the same as bad password here */
1711 tools_passphrase_msg(r);
1713 crypt_safe_free(password);
1717 static int action_luksKillSlot(void)
1719 struct crypt_device *cd = NULL;
1720 crypt_keyslot_info ki;
1723 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1726 if ((r = crypt_load(cd, luksType(device_type), NULL))) {
1727 log_err(_("Device %s is not a valid LUKS device."),
1728 uuid_or_device_header(NULL));
1732 ki = crypt_keyslot_status(cd, ARG_INT32(OPT_KEY_SLOT_ID));
1734 case CRYPT_SLOT_ACTIVE_LAST:
1735 case CRYPT_SLOT_ACTIVE:
1736 case CRYPT_SLOT_UNBOUND:
1737 log_verbose(_("Keyslot %d is selected for deletion."), ARG_INT32(OPT_KEY_SLOT_ID));
1739 case CRYPT_SLOT_INACTIVE:
1740 log_err(_("Keyslot %d is not active."), ARG_INT32(OPT_KEY_SLOT_ID));
1742 case CRYPT_SLOT_INVALID:
1747 if (!ARG_SET(OPT_BATCH_MODE_ID) || ARG_SET(OPT_KEY_FILE_ID) || !isatty(STDIN_FILENO)) {
1748 r = verify_keyslot(cd, ARG_INT32(OPT_KEY_SLOT_ID), ki,
1749 _("This is the last keyslot. Device will become unusable after purging this key."),
1750 _("Enter any remaining passphrase: "),
1751 _("Operation aborted, the keyslot was NOT wiped.\n"),
1752 ARG_STR(OPT_KEY_FILE_ID), ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID));
1753 tools_keyslot_msg(r, UNLOCKED);
1755 if (r == -EPIPE && (!ARG_SET(OPT_KEY_FILE_ID) || tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)))) {
1756 log_dbg("Failed read from input, ignoring passphrase.");
1764 r = crypt_keyslot_destroy(cd, ARG_INT32(OPT_KEY_SLOT_ID));
1765 tools_keyslot_msg(ARG_INT32(OPT_KEY_SLOT_ID), REMOVED);
1771 static int action_luksRemoveKey(void)
1773 struct crypt_device *cd = NULL;
1774 char *password = NULL;
1778 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1781 if ((r = crypt_load(cd, luksType(device_type), NULL))) {
1782 log_err(_("Device %s is not a valid LUKS device."),
1783 uuid_or_device_header(NULL));
1787 r = tools_get_key(_("Enter passphrase to be deleted: "),
1788 &password, &passwordLen,
1789 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
1790 ARG_UINT32(OPT_TIMEOUT_ID),
1791 verify_passphrase(0), 0,
1796 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
1797 password, passwordLen, 0);
1798 tools_passphrase_msg(r);
1802 tools_keyslot_msg(r, UNLOCKED);
1804 ARG_SET_INT32(OPT_KEY_SLOT_ID, r);
1805 log_verbose(_("Keyslot %d is selected for deletion."), ARG_INT32(OPT_KEY_SLOT_ID));
1807 if (crypt_keyslot_status(cd, ARG_INT32(OPT_KEY_SLOT_ID)) == CRYPT_SLOT_ACTIVE_LAST &&
1808 !ARG_SET(OPT_BATCH_MODE_ID) &&
1809 !yesDialog(_("This is the last keyslot. "
1810 "Device will become unusable after purging this key."),
1811 _("Operation aborted, the keyslot was NOT wiped.\n"))) {
1816 r = crypt_keyslot_destroy(cd, ARG_INT32(OPT_KEY_SLOT_ID));
1817 tools_keyslot_msg(ARG_INT32(OPT_KEY_SLOT_ID), REMOVED);
1819 crypt_safe_free(password);
1824 static int luksAddUnboundKey(void)
1826 int r = -EINVAL, keysize = 0;
1828 const char *new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
1829 char *password_new = NULL;
1830 size_t password_new_size = 0;
1831 struct crypt_device *cd = NULL;
1833 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1836 if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) {
1837 log_err(_("Device %s is not a valid LUKS2 device."),
1838 uuid_or_device_header(NULL));
1842 r = _set_keyslot_encryption_params(cd);
1846 /* Never call pwquality if using null cipher */
1847 if (crypt_is_cipher_null(crypt_get_cipher(cd)))
1848 ARG_SET_TRUE(OPT_FORCE_PASSWORD_ID);
1850 keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
1851 r = set_pbkdf_params(cd, crypt_get_type(cd));
1853 log_err(_("Failed to set pbkdf parameters."));
1857 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
1858 r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize);
1867 r = tools_get_key(_("Enter new passphrase for key slot: "),
1868 &password_new, &password_new_size,
1869 ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID),
1870 new_key_file, ARG_UINT32(OPT_TIMEOUT_ID),
1871 verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd);
1875 r = crypt_keyslot_add_by_key(cd, ARG_INT32(OPT_KEY_SLOT_ID), key, keysize,
1876 password_new, password_new_size, CRYPT_VOLUME_KEY_NO_SEGMENT);
1877 tools_keyslot_msg(r, CREATED);
1879 crypt_safe_free(password_new);
1880 crypt_safe_free(key);
1885 static int _ask_for_pin(struct crypt_device *cd,
1886 int token_id, char **r_pin, size_t *r_pin_size,
1887 struct crypt_keyslot_context *kc)
1895 assert(token_id >= 0 || token_id == CRYPT_ANY_TOKEN);
1897 if (crypt_keyslot_context_get_type(kc) != CRYPT_KC_TYPE_TOKEN)
1900 if (token_id == CRYPT_ANY_TOKEN)
1901 r = snprintf(msg, sizeof(msg), _("Enter token PIN: "));
1903 r = snprintf(msg, sizeof(msg), _("Enter token %d PIN: "), token_id);
1904 if (r < 0 || (size_t)r >= sizeof(msg))
1907 r = tools_get_key(msg, r_pin, r_pin_size, 0, 0, NULL,
1908 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
1912 r = crypt_keyslot_context_set_pin(cd, *r_pin, *r_pin_size, kc);
1914 crypt_safe_free(*r_pin);
1922 static int try_keyslot_add(struct crypt_device *cd,
1923 int keyslot_existing,
1925 struct crypt_keyslot_context *kc,
1926 struct crypt_keyslot_context *kc_new,
1928 bool new_pin_provided)
1932 r = crypt_keyslot_add_by_keyslot_context(cd, keyslot_existing, kc, keyslot_new, kc_new, 0);
1933 if (crypt_keyslot_context_get_type(kc) == CRYPT_KC_TYPE_TOKEN)
1934 tools_token_error_msg(crypt_keyslot_context_get_error(kc), ARG_STR(OPT_TOKEN_TYPE_ID),
1935 ARG_INT32(OPT_TOKEN_ID_ID), pin_provided);
1936 if (crypt_keyslot_context_get_type(kc_new) == CRYPT_KC_TYPE_TOKEN)
1937 tools_token_error_msg(crypt_keyslot_context_get_error(kc_new), NULL,
1938 ARG_INT32(OPT_NEW_TOKEN_ID_ID), new_pin_provided);
1942 static int action_luksAddKey(void)
1944 int keyslot_old, keyslot_new, keysize = 0, r = -EINVAL;
1945 const char *new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
1946 char *key = NULL, *password = NULL, *password_new = NULL, *pin = NULL, *pin_new = NULL;
1947 size_t pin_size, pin_size_new, password_size = 0, password_new_size = 0;
1948 struct crypt_device *cd = NULL;
1949 struct crypt_keyslot_context *p_kc_new = NULL, *kc = NULL, *kc_new = NULL;
1951 /* Unbound keyslot (no assigned data segment) is special case */
1952 if (ARG_SET(OPT_UNBOUND_ID))
1953 return luksAddUnboundKey();
1955 /* maintain backward compatibility of luksAddKey action positional parameter */
1957 new_key_file = ARG_STR(OPT_NEW_KEYFILE_ID);
1959 keyslot_old = ARG_INT32(OPT_KEY_SLOT_ID);
1960 keyslot_new = ARG_INT32(OPT_NEW_KEY_SLOT_ID);
1963 * maintain backward compatibility of --key-slot/-S as 'new keyslot number'
1964 * unless --new-key-slot is used.
1966 if (!ARG_SET(OPT_NEW_KEY_SLOT_ID) && ARG_SET(OPT_KEY_SLOT_ID)) {
1967 if (!ARG_SET(OPT_BATCH_MODE_ID))
1968 log_std(_("WARNING: The --key-slot parameter is used for new keyslot number.\n"));
1969 keyslot_old = CRYPT_ANY_SLOT;
1970 keyslot_new = ARG_INT32(OPT_KEY_SLOT_ID);
1973 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1976 if ((r = crypt_load(cd, luksType(device_type), NULL))) {
1977 log_err(_("Device %s is not a valid LUKS device."),
1978 uuid_or_device_header(NULL));
1982 r = _set_keyslot_encryption_params(cd);
1986 /* Never call pwquality if using null cipher */
1987 if (crypt_is_cipher_null(crypt_get_cipher(cd)))
1988 ARG_SET_TRUE(OPT_FORCE_PASSWORD_ID);
1990 keysize = crypt_get_volume_key_size(cd);
1991 r = set_pbkdf_params(cd, crypt_get_type(cd));
1993 log_err(_("Failed to set pbkdf parameters."));
1997 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
1998 if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) {
1999 log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --key-size option."));
2002 } else if (!keysize)
2003 keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
2005 r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize);
2009 r = crypt_volume_key_verify(cd, key, keysize);
2011 log_err(_("Volume key does not match the volume."));
2015 r = crypt_keyslot_context_init_by_volume_key(cd, key, keysize, &kc);
2016 } else if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)))
2017 r = crypt_keyslot_context_init_by_keyfile(cd,
2018 ARG_STR(OPT_KEY_FILE_ID),
2019 ARG_UINT32(OPT_KEYFILE_SIZE_ID),
2020 ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
2022 else if (ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || ARG_SET(OPT_TOKEN_ONLY_ID)) {
2023 r = crypt_keyslot_context_init_by_token(cd,
2024 ARG_INT32(OPT_TOKEN_ID_ID),
2025 ARG_STR(OPT_TOKEN_TYPE_ID),
2026 NULL, 0, NULL, &kc);
2028 r = tools_get_key(_("Enter any existing passphrase: "),
2029 &password, &password_size,
2030 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
2031 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
2036 /* Check password before asking for new one */
2037 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
2038 password, password_size, 0);
2040 tools_passphrase_msg(r);
2043 tools_keyslot_msg(r, UNLOCKED);
2045 r = crypt_keyslot_context_init_by_passphrase(cd, password, password_size, &kc);
2051 if (new_key_file && !tools_is_stdin(new_key_file)) {
2052 if (ARG_SET(OPT_KEY_FILE_ID) && !strcmp(ARG_STR(OPT_KEY_FILE_ID), new_key_file))
2055 r = crypt_keyslot_context_init_by_keyfile(cd,
2057 ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID),
2058 ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID),
2062 } else if (ARG_SET(OPT_NEW_TOKEN_ID_ID)) {
2063 if (ARG_INT32(OPT_NEW_TOKEN_ID_ID) == ARG_INT32(OPT_TOKEN_ID_ID))
2066 r = crypt_keyslot_context_init_by_token(cd,
2067 ARG_INT32(OPT_NEW_TOKEN_ID_ID),
2068 NULL, NULL, 0, NULL, &kc_new);
2072 r = tools_get_key(_("Enter new passphrase for key slot: "),
2073 &password_new, &password_new_size,
2074 ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), new_key_file,
2075 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd);
2079 r = crypt_keyslot_context_init_by_passphrase(cd, password_new, password_new_size, &kc_new);
2088 r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, pin, pin_new);
2089 if (r >= 0 || r != -ENOANO)
2092 if (crypt_keyslot_context_get_error(kc) == -ENOANO) {
2093 r = _ask_for_pin(cd, ARG_INT32(OPT_TOKEN_ID_ID), &pin, &pin_size, kc);
2097 r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, pin, pin_new);
2098 if (r >= 0 || r != -ENOANO)
2102 if (crypt_keyslot_context_get_error(p_kc_new) == -ENOANO) {
2103 r = _ask_for_pin(cd, ARG_INT32(OPT_NEW_TOKEN_ID_ID), &pin_new, &pin_size_new, p_kc_new);
2106 r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, pin, pin_new);
2109 tools_keyslot_msg(r, CREATED);
2110 crypt_keyslot_context_free(kc);
2111 crypt_keyslot_context_free(kc_new);
2112 crypt_safe_free(password);
2113 crypt_safe_free(password_new);
2114 crypt_safe_free(pin);
2115 crypt_safe_free(pin_new);
2116 crypt_safe_free(key);
2121 static int action_luksChangeKey(void)
2123 const char *new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
2124 struct crypt_device *cd = NULL;
2125 char *password = NULL, *password_new = NULL;
2126 size_t password_size = 0, password_new_size = 0;
2129 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
2132 if ((r = crypt_load(cd, luksType(device_type), NULL))) {
2133 log_err(_("Device %s is not a valid LUKS device."),
2134 uuid_or_device_header(NULL));
2138 r = _set_keyslot_encryption_params(cd);
2142 /* Never call pwquality if using null cipher */
2143 if (crypt_is_cipher_null(crypt_get_cipher(cd)))
2144 ARG_SET_TRUE(OPT_FORCE_PASSWORD_ID);
2146 r = set_pbkdf_params(cd, crypt_get_type(cd));
2148 log_err(_("Failed to set pbkdf parameters."));
2152 r = tools_get_key(_("Enter passphrase to be changed: "),
2153 &password, &password_size,
2154 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
2155 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
2159 /* Check password before asking for new one */
2160 r = crypt_activate_by_passphrase(cd, NULL, ARG_INT32(OPT_KEY_SLOT_ID),
2161 password, password_size, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY);
2162 tools_passphrase_msg(r);
2166 tools_keyslot_msg(r, UNLOCKED);
2168 r = tools_get_key(_("Enter new passphrase: "),
2169 &password_new, &password_new_size,
2170 ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID),
2172 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd);
2176 r = crypt_keyslot_change_by_passphrase(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_KEY_SLOT_ID),
2177 password, password_size, password_new, password_new_size);
2178 tools_keyslot_msg(r, CREATED);
2180 crypt_safe_free(password);
2181 crypt_safe_free(password_new);
2186 static int action_luksConvertKey(void)
2188 struct crypt_device *cd = NULL;
2189 char *password = NULL;
2190 size_t password_size = 0;
2193 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
2196 if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) {
2197 log_err(_("Device %s is not a valid LUKS2 device."),
2198 uuid_or_device_header(NULL));
2202 r = _set_keyslot_encryption_params(cd);
2206 if (crypt_keyslot_status(cd, ARG_INT32(OPT_KEY_SLOT_ID)) == CRYPT_SLOT_INACTIVE) {
2208 log_err(_("Keyslot %d is not active."), ARG_INT32(OPT_KEY_SLOT_ID));
2212 r = set_pbkdf_params(cd, crypt_get_type(cd));
2214 log_err(_("Failed to set pbkdf parameters."));
2218 r = tools_get_key(_("Enter passphrase for keyslot to be converted: "),
2219 &password, &password_size,
2220 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
2221 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
2225 r = crypt_keyslot_change_by_passphrase(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_KEY_SLOT_ID),
2226 password, password_size, password, password_size);
2227 tools_passphrase_msg(r);
2228 tools_keyslot_msg(r, CREATED);
2230 crypt_safe_free(password);
2235 static int action_isLuks(void)
2237 struct crypt_device *cd = NULL;
2240 /* FIXME: argc > max should be checked for other operations as well */
2241 if (action_argc > 1) {
2242 log_err(_("Only one device argument for isLuks operation is supported."));
2246 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
2249 crypt_set_log_callback(cd, quiet_log, &log_parms);
2250 r = crypt_load(cd, luksType(device_type), NULL);
2256 static int action_luksUUID(void)
2258 struct crypt_device *cd = NULL;
2259 const char *existing_uuid = NULL;
2262 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
2265 if (!ARG_SET(OPT_BATCH_MODE_ID))
2266 crypt_set_confirm_callback(cd, yesDialog, _("Operation aborted.\n"));
2268 if ((r = crypt_load(cd, luksType(device_type), NULL)))
2271 if (ARG_SET(OPT_UUID_ID))
2272 r = crypt_set_uuid(cd, ARG_STR(OPT_UUID_ID));
2274 existing_uuid = crypt_get_uuid(cd);
2275 log_std("%s\n", existing_uuid ?: "");
2276 r = existing_uuid ? 0 : 1;
2283 static int luksDump_with_volume_key(struct crypt_device *cd)
2285 char *vk = NULL, *password = NULL;
2286 size_t passwordLen = 0;
2290 if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog(
2291 _("The header dump with volume key is sensitive information\n"
2292 "that allows access to encrypted partition without a passphrase.\n"
2293 "This dump should be stored encrypted in a safe place."),
2297 vk_size = crypt_get_volume_key_size(cd);
2298 vk = crypt_safe_alloc(vk_size);
2302 r = tools_get_key(NULL, &password, &passwordLen,
2303 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
2304 ARG_UINT32(OPT_TIMEOUT_ID), 0, 0, cd);
2308 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
2309 password, passwordLen);
2310 tools_passphrase_msg(r);
2314 tools_keyslot_msg(r, UNLOCKED);
2316 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
2317 r = tools_write_mk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), vk, vk_size);
2322 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
2323 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
2324 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
2325 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
2326 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
2327 log_std("MK bits: \t%d\n", (int)vk_size * 8);
2328 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
2329 log_std("Key stored to file %s.\n", ARG_STR(OPT_VOLUME_KEY_FILE_ID));
2332 log_std("MK dump:\t");
2333 crypt_log_hex(NULL, vk, vk_size, " ", 16, "\n\t\t");
2336 crypt_safe_free(password);
2337 crypt_safe_free(vk);
2341 static int luksDump_with_unbound_key(struct crypt_device *cd)
2343 crypt_keyslot_info ki;
2344 char *uk = NULL, *password = NULL;
2345 size_t uk_size, passwordLen = 0;
2348 ki = crypt_keyslot_status(cd, ARG_INT32(OPT_KEY_SLOT_ID));
2349 if (ki != CRYPT_SLOT_UNBOUND) {
2350 log_err(_("Keyslot %d does not contain unbound key."), ARG_INT32(OPT_KEY_SLOT_ID));
2354 if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog(
2355 _("The header dump with unbound key is sensitive information.\n"
2356 "This dump should be stored encrypted in a safe place."),
2360 r = crypt_keyslot_get_key_size(cd, ARG_INT32(OPT_KEY_SLOT_ID));
2364 uk = crypt_safe_alloc(uk_size);
2368 r = tools_get_key(NULL, &password, &passwordLen,
2369 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
2370 ARG_UINT32(OPT_TIMEOUT_ID), 0, 0, cd);
2374 r = crypt_volume_key_get(cd, ARG_INT32(OPT_KEY_SLOT_ID), uk, &uk_size,
2375 password, passwordLen);
2376 tools_passphrase_msg(r);
2380 tools_keyslot_msg(r, UNLOCKED);
2382 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
2383 r = tools_write_mk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), uk, uk_size);
2388 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
2389 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
2390 log_std("Keyslot: \t%d\n", ARG_INT32(OPT_KEY_SLOT_ID));
2391 log_std("Key bits:\t%d\n", (int)uk_size * 8);
2392 if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
2393 log_std("Key stored to file %s.\n", ARG_STR(OPT_VOLUME_KEY_FILE_ID));
2396 log_std("Unbound Key:\t");
2397 crypt_log_hex(NULL, uk, uk_size, " ", 16, "\n\t\t");
2400 crypt_safe_free(password);
2401 crypt_safe_free(uk);
2405 static int action_luksDump(void)
2407 struct crypt_device *cd = NULL;
2410 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
2413 if ((r = crypt_load(cd, luksType(device_type), NULL))) {
2414 log_err(_("Device %s is not a valid LUKS device."),
2415 uuid_or_device_header(NULL));
2419 if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID))
2420 r = luksDump_with_volume_key(cd);
2421 else if (ARG_SET(OPT_UNBOUND_ID))
2422 r = luksDump_with_unbound_key(cd);
2423 else if (ARG_SET(OPT_DUMP_JSON_ID))
2424 r = crypt_dump_json(cd, NULL, 0);
2432 static int action_luksSuspend(void)
2434 struct crypt_device *cd = NULL;
2437 r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(ARG_STR(OPT_HEADER_ID)));
2439 r = crypt_suspend(cd, action_argv[0]);
2441 log_err(_("%s is not active %s device name."), action_argv[0], "LUKS");
2448 static int action_luksResume(void)
2450 struct crypt_device *cd = NULL;
2451 char *password = NULL;
2454 struct crypt_active_device cad;
2455 const char *req_type = luksType(device_type);
2457 if (req_type && !isLUKS(req_type))
2460 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(ARG_STR(OPT_HEADER_ID)))))
2464 if (!isLUKS(crypt_get_type(cd))) {
2465 log_err(_("%s is not active LUKS device name or header is missing."), action_argv[0]);
2469 if (req_type && strcmp(req_type, crypt_get_type(cd))) {
2470 log_err(_("%s is not active %s device name."), action_argv[0], req_type);
2474 r = crypt_get_active_device(cd, action_argv[0], &cad);
2478 if (!(cad.flags & CRYPT_ACTIVATE_SUSPENDED)) {
2479 log_err(_("Volume %s is not suspended."), action_argv[0]);
2484 /* try to resume LUKS2 device by token first */
2485 r = crypt_resume_by_token_pin(cd, action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID),
2486 ARG_INT32(OPT_TOKEN_ID_ID), NULL, 0, NULL);
2487 tools_keyslot_msg(r, UNLOCKED);
2488 tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), ARG_INT32(OPT_TOKEN_ID_ID), false);
2490 /* Token requires PIN. Ask if there is evident preference for tokens */
2491 if (r == -ENOANO && (ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) ||
2492 ARG_SET(OPT_TOKEN_ID_ID)))
2493 r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0, set_tries_tty(), false);
2495 if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
2498 tries = set_tries_tty();
2500 r = tools_get_key(NULL, &password, &passwordLen,
2501 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
2502 ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
2506 r = crypt_resume_by_passphrase(cd, action_argv[0], ARG_INT32(OPT_KEY_SLOT_ID),
2507 password, passwordLen);
2508 tools_passphrase_msg(r);
2510 tools_keyslot_msg(r, UNLOCKED);
2512 crypt_safe_free(password);
2514 } while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
2516 crypt_safe_free(password);
2521 static int action_luksBackup(void)
2523 struct crypt_device *cd = NULL;
2526 if (!ARG_SET(OPT_HEADER_BACKUP_FILE_ID)) {
2527 log_err(_("Option --header-backup-file is required."));
2531 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
2534 r = crypt_header_backup(cd, NULL, ARG_STR(OPT_HEADER_BACKUP_FILE_ID));
2540 static int action_luksRestore(void)
2542 struct crypt_device *cd = NULL;
2545 if (!ARG_SET(OPT_HEADER_BACKUP_FILE_ID)) {
2546 log_err(_("Option --header-backup-file is required."));
2550 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
2553 if (!ARG_SET(OPT_BATCH_MODE_ID))
2554 crypt_set_confirm_callback(cd, yesDialog, NULL);
2555 r = crypt_header_restore(cd, NULL, ARG_STR(OPT_HEADER_BACKUP_FILE_ID));
2561 static const char *_get_device_type(void)
2563 const char *type, *name = NULL;
2564 struct crypt_device *cd = NULL;
2566 if (action_argc > 1)
2567 name = action_argv[1];
2568 else if (action_argc == 1)
2569 name = action_argv[0];
2571 if (crypt_init_by_name_and_header(&cd, name, ARG_STR(OPT_HEADER_ID)))
2574 type = crypt_get_type(cd);
2577 log_err(_("%s is not cryptsetup managed device."), name);
2581 if (!strncmp(type, "LUKS", 4))
2583 else if (!strcmp(type, CRYPT_PLAIN))
2585 else if (!strcmp(type, CRYPT_LOOPAES))
2588 log_err(_("Refresh is not supported for device type %s"), type);
2597 static int action_open(void)
2601 if (ARG_SET(OPT_REFRESH_ID) && !device_type)
2602 /* read device type from active mapping */
2603 device_type = _get_device_type();
2608 if (!strcmp(device_type, "luks") ||
2609 !strcmp(device_type, "luks1") ||
2610 !strcmp(device_type, "luks2")) {
2611 if (action_argc < 2 && (!ARG_SET(OPT_TEST_PASSPHRASE_ID) && !ARG_SET(OPT_REFRESH_ID)))
2613 return action_open_luks();
2614 } else if (!strcmp(device_type, "plain")) {
2615 if (action_argc < 2 && !ARG_SET(OPT_REFRESH_ID))
2617 return action_open_plain();
2618 } else if (!strcmp(device_type, "loopaes")) {
2619 if (action_argc < 2 && !ARG_SET(OPT_REFRESH_ID))
2621 return action_open_loopaes();
2622 } else if (!strcmp(device_type, "tcrypt")) {
2623 if (action_argc < 2 && !ARG_SET(OPT_TEST_PASSPHRASE_ID))
2625 return action_open_tcrypt();
2626 } else if (!strcmp(device_type, "bitlk")) {
2627 if (action_argc < 2 && !ARG_SET(OPT_TEST_PASSPHRASE_ID))
2629 return action_open_bitlk();
2630 } else if (!strcmp(device_type, "fvault2")) {
2631 if (action_argc < 2 && !ARG_SET(OPT_TEST_PASSPHRASE_ID))
2633 return action_open_fvault2();
2638 log_err(_("Unrecognized metadata device type %s."), device_type);
2640 log_err(_("Command requires device and mapped name as arguments."));
2645 static int action_luksErase(void)
2647 struct crypt_device *cd = NULL;
2648 crypt_keyslot_info ki;
2652 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
2655 if ((r = crypt_load(cd, luksType(device_type), NULL))) {
2656 log_err(_("Device %s is not a valid LUKS device."),
2657 uuid_or_device_header(NULL));
2661 if(asprintf(&msg, _("This operation will erase all keyslots on device %s.\n"
2662 "Device will become unusable after this operation."),
2663 uuid_or_device_header(NULL)) == -1) {
2668 if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog(msg, _("Operation aborted, keyslots were NOT wiped.\n"))) {
2674 max = crypt_keyslot_max(crypt_get_type(cd));
2680 for (i = 0; i < max; i++) {
2681 ki = crypt_keyslot_status(cd, i);
2682 if (ki == CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_ACTIVE_LAST) {
2683 r = crypt_keyslot_destroy(cd, i);
2686 tools_keyslot_msg(i, REMOVED);
2695 static int action_luksConvert(void)
2697 struct crypt_device *cd = NULL;
2699 const char *to_type, *from_type;
2702 if (!strcmp(device_type, "luks2")) {
2703 to_type = CRYPT_LUKS2;
2704 } else if (!strcmp(device_type, "luks1")) {
2705 to_type = CRYPT_LUKS1;
2707 log_err(_("Invalid LUKS type, only luks1 and luks2 are supported."));
2711 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
2714 if ((r = crypt_load(cd, CRYPT_LUKS, NULL)) ||
2715 !(from_type = crypt_get_type(cd))) {
2716 log_err(_("Device %s is not a valid LUKS device."),
2717 uuid_or_device_header(NULL));
2722 if (!strcmp(from_type, to_type)) {
2723 log_err(_("Device is already %s type."), to_type);
2729 if (!ARG_SET(OPT_BATCH_MODE_ID)) {
2730 if (asprintf(&msg, _("This operation will convert %s to %s format.\n"),
2731 uuid_or_device_header(NULL), to_type) == -1)
2733 else if (!yesDialog(msg, _("Operation aborted, device was NOT converted.\n")))
2737 r = r ?: crypt_convert(cd, to_type, NULL);
2744 static int _config_priority(struct crypt_device *cd)
2746 crypt_keyslot_info cs;
2747 crypt_keyslot_priority priority = CRYPT_SLOT_PRIORITY_INVALID;
2749 if (!strcmp("normal", ARG_STR(OPT_PRIORITY_ID)))
2750 priority = CRYPT_SLOT_PRIORITY_NORMAL;
2751 else if (!strcmp("prefer", ARG_STR(OPT_PRIORITY_ID)))
2752 priority = CRYPT_SLOT_PRIORITY_PREFER;
2753 else if (!strcmp("ignore", ARG_STR(OPT_PRIORITY_ID)))
2754 priority = CRYPT_SLOT_PRIORITY_IGNORE;
2756 cs = crypt_keyslot_status(cd, ARG_INT32(OPT_KEY_SLOT_ID));
2757 if (cs != CRYPT_SLOT_INVALID)
2758 return crypt_keyslot_set_priority(cd, ARG_INT32(OPT_KEY_SLOT_ID), priority);
2762 static int _config_labels(struct crypt_device *cd)
2764 return crypt_set_label(cd, ARG_STR(OPT_LABEL_ID), ARG_STR(OPT_SUBSYSTEM_ID));
2767 static int action_luksConfig(void)
2769 struct crypt_device *cd = NULL;
2772 if (!ARG_SET(OPT_PRIORITY_ID) && !ARG_SET(OPT_LABEL_ID) && !ARG_SET(OPT_SUBSYSTEM_ID)) {
2773 log_err(_("Option --priority, --label or --subsystem is missing."));
2777 if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
2780 if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) {
2781 log_err(_("Device %s is not a valid LUKS2 device."),
2782 uuid_or_device_header(NULL));
2786 if (ARG_SET(OPT_PRIORITY_ID) && (r = _config_priority(cd)))
2789 if ((ARG_SET(OPT_LABEL_ID) || ARG_SET(OPT_SUBSYSTEM_ID)) && (r = _config_labels(cd)))
2796 static int _token_add(struct crypt_device *cd)
2799 crypt_token_info token_info;
2800 const struct crypt_token_params_luks2_keyring params = {
2801 .key_description = ARG_STR(OPT_KEY_DESCRIPTION_ID)
2804 if (ARG_INT32(OPT_TOKEN_ID_ID) != CRYPT_ANY_TOKEN) {
2805 token_info = crypt_token_status(cd, ARG_INT32(OPT_TOKEN_ID_ID), NULL);
2806 if (token_info < CRYPT_TOKEN_INACTIVE) {
2807 log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID));
2809 } else if (token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)) {
2810 log_err(_("Token %d in use."), ARG_INT32(OPT_TOKEN_ID_ID));
2815 if (crypt_keyslot_status(cd, ARG_INT32(OPT_KEY_SLOT_ID)) == CRYPT_SLOT_INACTIVE) {
2816 log_err(_("Keyslot %d is not active."), ARG_INT32(OPT_KEY_SLOT_ID));
2820 r = crypt_token_luks2_keyring_set(cd, ARG_INT32(OPT_TOKEN_ID_ID), ¶ms);
2822 log_err(_("Failed to add luks2-keyring token %d."), ARG_INT32(OPT_TOKEN_ID_ID));
2828 if (ARG_SET(OPT_UNBOUND_ID))
2831 r = crypt_token_assign_keyslot(cd, token, ARG_INT32(OPT_KEY_SLOT_ID));
2833 log_err(_("Failed to assign token %d to keyslot %d."), token, ARG_INT32(OPT_KEY_SLOT_ID));
2834 (void) crypt_token_json_set(cd, token, NULL);
2841 static int _token_remove(struct crypt_device *cd)
2843 crypt_token_info token_info;
2845 token_info = crypt_token_status(cd, ARG_INT32(OPT_TOKEN_ID_ID), NULL);
2846 if (token_info < CRYPT_TOKEN_INACTIVE) {
2847 log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID));
2849 } else if (token_info == CRYPT_TOKEN_INACTIVE) {
2850 log_err(_("Token %d is not in use."), ARG_INT32(OPT_TOKEN_ID_ID));
2854 return crypt_token_json_set(cd, ARG_INT32(OPT_TOKEN_ID_ID), NULL);
2857 static int _token_import(struct crypt_device *cd)
2861 crypt_token_info token_info;
2864 if (ARG_INT32(OPT_TOKEN_ID_ID) != CRYPT_ANY_TOKEN) {
2865 token_info = crypt_token_status(cd, ARG_INT32(OPT_TOKEN_ID_ID), NULL);
2866 if (token_info < CRYPT_TOKEN_INACTIVE) {
2867 log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID));
2869 } else if (token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)) {
2870 log_err(_("Token %d in use."), ARG_INT32(OPT_TOKEN_ID_ID));
2875 if (crypt_keyslot_status(cd, ARG_INT32(OPT_KEY_SLOT_ID)) == CRYPT_SLOT_INACTIVE) {
2876 log_err(_("Keyslot %d is not active."), ARG_INT32(OPT_KEY_SLOT_ID));
2880 r = tools_read_json_file(ARG_STR(OPT_JSON_FILE_ID), &json, &json_length, ARG_SET(OPT_BATCH_MODE_ID));
2884 r = crypt_token_json_set(cd, ARG_INT32(OPT_TOKEN_ID_ID), json);
2887 log_err(_("Failed to import token from file."));
2893 if (ARG_INT32(OPT_KEY_SLOT_ID) != CRYPT_ANY_SLOT) {
2894 r = crypt_token_assign_keyslot(cd, token, ARG_INT32(OPT_KEY_SLOT_ID));
2896 log_err(_("Failed to assign token %d to keyslot %d."), token, ARG_INT32(OPT_KEY_SLOT_ID));
2897 (void) crypt_token_json_set(cd, token, NULL);
2905 static int _token_export(struct crypt_device *cd)
2910 r = crypt_token_json_get(cd, ARG_INT32(OPT_TOKEN_ID_ID), &json);
2912 log_err(_("Failed to get token %d for export."), ARG_INT32(OPT_TOKEN_ID_ID));
2916 return tools_write_json_file(ARG_STR(OPT_JSON_FILE_ID), json);
2919 static int _token_unassign(struct crypt_device *cd)
2921 int r = crypt_token_is_assigned(cd, ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
2925 log_err(_("Token %d is not assigned to keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
2927 log_err(_("Failed to unassign token %d from keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
2932 r = crypt_token_unassign_keyslot(cd, ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
2934 log_err(_("Failed to unassign token %d from keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
2939 static int action_token(void)
2942 struct crypt_device *cd = NULL;
2944 if ((r = crypt_init(&cd, uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[1]))))
2947 if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) {
2948 log_err(_("Device %s is not a valid LUKS2 device."),
2949 uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[1]));
2956 if (!strcmp(action_argv[0], "add")) {
2957 r = _token_add(cd); /* adds only luks2-keyring type */
2958 tools_token_msg(r, CREATED);
2959 } else if (!strcmp(action_argv[0], "remove")) {
2960 r = _token_remove(cd);
2961 tools_token_msg(r, REMOVED);
2962 } else if (!strcmp(action_argv[0], "import")) {
2963 r = _token_import(cd);
2964 tools_token_msg(r, CREATED);
2965 } else if (!strcmp(action_argv[0], "export"))
2966 r = _token_export(cd);
2967 else if (!strcmp(action_argv[0], "unassign"))
2968 r = _token_unassign(cd);
2975 static int action_reencrypt(void)
2977 return reencrypt(action_argc, action_argv);
2980 static const char *verify_tcryptdump(void)
2982 if ((ARG_SET(OPT_TCRYPT_HIDDEN_ID) || ARG_SET(OPT_TCRYPT_SYSTEM_ID) || ARG_SET(OPT_TCRYPT_BACKUP_ID)) && (!device_type || strcmp(device_type, "tcrypt")))
2983 return _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.");
2985 if ((ARG_SET(OPT_VERACRYPT_ID) || ARG_SET(OPT_DISABLE_VERACRYPT_ID)) && (!device_type || strcmp(device_type, "tcrypt")))
2986 return _("Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type.");
2988 if (ARG_SET(OPT_VERACRYPT_PIM_ID) && ARG_SET(OPT_DISABLE_VERACRYPT_ID))
2989 return _("Option --veracrypt-pim is supported only for VeraCrypt compatible devices.");
2991 if (ARG_SET(OPT_VERACRYPT_QUERY_PIM_ID)) {
2992 if (ARG_SET(OPT_DISABLE_VERACRYPT_ID))
2993 return _("Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.");
2994 else if (ARG_SET(OPT_VERACRYPT_PIM_ID))
2995 return _("The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.");
3001 static const char * verify_open(void)
3003 if (ARG_SET(OPT_PERSISTENT_ID) && ARG_SET(OPT_TEST_PASSPHRASE_ID))
3004 return _("Option --persistent is not allowed with --test-passphrase.");
3006 if (ARG_SET(OPT_REFRESH_ID) && ARG_SET(OPT_TEST_PASSPHRASE_ID))
3007 return _("Options --refresh and --test-passphrase are mutually exclusive.");
3009 if (ARG_SET(OPT_SHARED_ID) && strcmp_or_null(device_type, "plain"))
3010 return _("Option --shared is allowed only for open of plain device.");
3012 if (ARG_SET(OPT_SKIP_ID) && strcmp_or_null(device_type, "plain") && strcmp(device_type, "loopaes"))
3013 return _("Option --skip is supported only for open of plain and loopaes devices.");
3015 if (ARG_SET(OPT_OFFSET_ID) && strcmp_or_null(device_type, "plain") && strcmp(device_type, "loopaes"))
3016 return _("Option --offset with open action is only supported for plain and loopaes devices.");
3018 if (ARG_SET(OPT_TCRYPT_HIDDEN_ID) && ARG_SET(OPT_ALLOW_DISCARDS_ID))
3019 return _("Option --tcrypt-hidden cannot be combined with --allow-discards.");
3021 if (ARG_SET(OPT_SECTOR_SIZE_ID) &&
3022 (!device_type || strcmp(device_type, "plain")))
3023 return _("Sector size option with open action is supported only for plain devices.");
3025 if (ARG_SET(OPT_IV_LARGE_SECTORS_ID) && (!device_type || strcmp(device_type, "plain") ||
3026 ARG_UINT32(OPT_SECTOR_SIZE_ID) <= SECTOR_SIZE))
3027 return _("Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes.");
3029 if (ARG_SET(OPT_TEST_PASSPHRASE_ID) && (!device_type ||
3030 (strncmp(device_type, "luks", 4) && strcmp(device_type, "tcrypt") &&
3031 strcmp(device_type, "bitlk") && strcmp(device_type, "fvault2"))))
3032 return _("Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices.");
3034 if (ARG_SET(OPT_DEVICE_SIZE_ID) && ARG_SET(OPT_SIZE_ID))
3035 return _("Options --device-size and --size cannot be combined.");
3037 if (ARG_SET(OPT_UNBOUND_ID) && device_type && strncmp(device_type, "luks", 4))
3038 return _("Option --unbound is allowed only for open of luks device.");
3040 if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID))
3041 return _("Option --unbound cannot be used without --test-passphrase.");
3043 /* "open --type tcrypt" and "tcryptDump" checks are identical */
3044 return verify_tcryptdump();
3047 static const char *verify_close(void)
3049 if (ARG_SET(OPT_CANCEL_DEFERRED_ID) && ARG_SET(OPT_DEFERRED_ID))
3050 return _("Options --cancel-deferred and --deferred cannot be used at the same time.");
3055 static const char *verify_resize(void)
3057 if (ARG_SET(OPT_DEVICE_SIZE_ID) && ARG_SET(OPT_SIZE_ID))
3058 return _("Options --device-size and --size cannot be combined.");
3063 static const char *verify_reencrypt(void)
3065 if (ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID) && ARG_SET(OPT_DEVICE_SIZE_ID))
3066 return _("Options --reduce-device-size and --data-size cannot be combined.");
3068 if (isLUKS1(luksType(device_type)) && ARG_SET(OPT_ACTIVE_NAME_ID))
3069 return _("Option --active-name can be set only for LUKS2 device.");
3071 if (ARG_SET(OPT_ACTIVE_NAME_ID) && ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID))
3072 return _("Options --active-name and --force-offline-reencrypt cannot be combined.");
3077 static const char *verify_config(void)
3079 if (ARG_SET(OPT_PRIORITY_ID) && ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT)
3080 return _("Keyslot specification is required.");
3085 static const char *verify_format(void)
3087 if (ARG_SET(OPT_ALIGN_PAYLOAD_ID) && ARG_SET(OPT_OFFSET_ID))
3088 return _("Options --align-payload and --offset cannot be combined.");
3090 if (ARG_SET(OPT_INTEGRITY_NO_WIPE_ID) && !ARG_SET(OPT_INTEGRITY_ID))
3091 return _("Option --integrity-no-wipe can be used only for format action with integrity extension.");
3093 if (ARG_SET(OPT_USE_RANDOM_ID) && ARG_SET(OPT_USE_URANDOM_ID))
3094 return _("Only one of --use-[u]random options is allowed.");
3099 static const char *verify_addkey(void)
3101 if (ARG_SET(OPT_UNBOUND_ID) && !ARG_UINT32(OPT_KEY_SIZE_ID))
3102 return _("Key size is required with --unbound option.");
3107 static const char *verify_luksDump(void)
3109 if (ARG_SET(OPT_UNBOUND_ID) && ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT)
3110 return _("Keyslot specification is required.");
3115 static const char *verify_token(void)
3117 if (strcmp(action_argv[0], "add") &&
3118 strcmp(action_argv[0], "remove") &&
3119 strcmp(action_argv[0], "import") &&
3120 strcmp(action_argv[0], "export") &&
3121 strcmp(action_argv[0], "unassign"))
3122 return _("Invalid token action.");
3124 if (!ARG_SET(OPT_KEY_DESCRIPTION_ID) && !strcmp(action_argv[0], "add"))
3125 return _("--key-description parameter is mandatory for token add action.");
3127 if (ARG_INT32(OPT_TOKEN_ID_ID) == CRYPT_ANY_TOKEN &&
3128 (!strcmp(action_argv[0], "remove") || !strcmp(action_argv[0], "export")))
3129 return _("Action requires specific token. Use --token-id parameter.");
3131 if (ARG_SET(OPT_UNBOUND_ID)) {
3132 if (strcmp(action_argv[0], "add"))
3133 return _("Option --unbound is valid only with token add action.");
3134 if (ARG_SET(OPT_KEY_SLOT_ID))
3135 return _("Options --key-slot and --unbound cannot be combined.");
3138 if (!strcmp(action_argv[0], "unassign")) {
3139 if (!ARG_SET(OPT_KEY_SLOT_ID))
3140 return _("Action requires specific keyslot. Use --key-slot parameter.");
3141 if (!ARG_SET(OPT_TOKEN_ID_ID))
3142 return _("Action requires specific token. Use --token-id parameter.");
3148 static struct action_type {
3150 int (*handler)(void);
3151 const char *(*verify)(void);
3152 int required_action_argc;
3153 const char *arg_desc;
3155 } action_types[] = {
3156 { OPEN_ACTION, action_open, verify_open, 1, N_("<device> [--type <type>] [<name>]"),N_("open device as <name>") },
3157 { CLOSE_ACTION, action_close, verify_close, 1, N_("<name>"), N_("close device (remove mapping)") },
3158 { RESIZE_ACTION, action_resize, verify_resize, 1, N_("<name>"), N_("resize active device") },
3159 { STATUS_ACTION, action_status, NULL, 1, N_("<name>"), N_("show device status") },
3160 { BENCHMARK_ACTION, action_benchmark, NULL, 0, N_("[--cipher <cipher>]"), N_("benchmark cipher") },
3161 { REPAIR_ACTION, action_luksRepair, NULL, 1, N_("<device>"), N_("try to repair on-disk metadata") },
3162 { REENCRYPT_ACTION, action_reencrypt, verify_reencrypt, 0, N_("<device>"), N_("reencrypt LUKS2 device") },
3163 { ERASE_ACTION, action_luksErase, NULL, 1, N_("<device>"), N_("erase all keyslots (remove encryption key)") },
3164 { CONVERT_ACTION, action_luksConvert, NULL, 1, N_("<device>"), N_("convert LUKS from/to LUKS2 format") },
3165 { CONFIG_ACTION, action_luksConfig, verify_config, 1, N_("<device>"), N_("set permanent configuration options for LUKS2") },
3166 { FORMAT_ACTION, action_luksFormat, verify_format, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
3167 { ADDKEY_ACTION, action_luksAddKey, verify_addkey, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
3168 { REMOVEKEY_ACTION, action_luksRemoveKey, NULL, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
3169 { CHANGEKEY_ACTION, action_luksChangeKey, NULL, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
3170 { CONVERTKEY_ACTION, action_luksConvertKey, NULL, 1, N_("<device> [<key file>]"), N_("converts a key to new pbkdf parameters") },
3171 { KILLKEY_ACTION, action_luksKillSlot, NULL, 2, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
3172 { UUID_ACTION, action_luksUUID, NULL, 1, N_("<device>"), N_("print UUID of LUKS device") },
3173 { ISLUKS_ACTION, action_isLuks, NULL, 1, N_("<device>"), N_("tests <device> for LUKS partition header") },
3174 { LUKSDUMP_ACTION, action_luksDump, verify_luksDump, 1, N_("<device>"), N_("dump LUKS partition information") },
3175 { TCRYPTDUMP_ACTION, action_tcryptDump, verify_tcryptdump, 1, N_("<device>"), N_("dump TCRYPT device information") },
3176 { BITLKDUMP_ACTION, action_bitlkDump, NULL, 1, N_("<device>"), N_("dump BITLK device information") },
3177 { FVAULT2DUMP_ACTION, action_fvault2Dump, NULL, 1, N_("<device>"), N_("dump FVAULT2 device information") },
3178 { SUSPEND_ACTION, action_luksSuspend, NULL, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen)") },
3179 { RESUME_ACTION, action_luksResume, NULL, 1, N_("<device>"), N_("Resume suspended LUKS device") },
3180 { HEADERBACKUP_ACTION, action_luksBackup, NULL, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
3181 { HEADERRESTORE_ACTION, action_luksRestore, NULL, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
3182 { TOKEN_ACTION, action_token, verify_token, 2, N_("<add|remove|import|export> <device>"), N_("Manipulate LUKS2 tokens") },
3186 static void help(poptContext popt_context,
3187 enum poptCallbackReason reason __attribute__((unused)),
3188 struct poptOption *key,
3189 const char *arg __attribute__((unused)),
3190 void *data __attribute__((unused)))
3194 if (key->shortName == '?') {
3195 struct action_type *action;
3196 const struct crypt_pbkdf_type *pbkdf_luks1, *pbkdf_luks2;
3198 tools_package_version(PACKAGE_NAME, true);
3199 poptPrintHelp(popt_context, stdout, 0);
3202 "<action> is one of:\n"));
3204 for(action = action_types; action->type; action++)
3205 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
3208 "You can also use old <action> syntax aliases:\n"
3209 "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
3210 "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"));
3212 "<name> is the device to create under %s\n"
3213 "<device> is the encrypted device\n"
3214 "<key slot> is the LUKS key slot number to modify\n"
3215 "<key file> optional key file for the new key for luksAddKey action\n"),
3218 log_std(_("\nDefault compiled-in metadata format is %s (for luksFormat action).\n"),
3219 crypt_get_default_type());
3221 path = crypt_token_external_path();
3223 log_std(_("\nLUKS2 external token plugin support is %s.\n"), _("compiled-in"));
3224 log_std(_("LUKS2 external token plugin path: %s.\n"), path);
3226 log_std(_("\nLUKS2 external token plugin support is %s.\n"), _("disabled"));
3228 pbkdf_luks1 = crypt_get_pbkdf_default(CRYPT_LUKS1);
3229 pbkdf_luks2 = crypt_get_pbkdf_default(CRYPT_LUKS2);
3230 log_std(_("\nDefault compiled-in key and passphrase parameters:\n"
3231 "\tMaximum keyfile size: %dkB, "
3232 "Maximum interactive passphrase length %d (characters)\n"
3233 "Default PBKDF for LUKS1: %s, iteration time: %d (ms)\n"
3234 "Default PBKDF for LUKS2: %s\n"
3235 "\tIteration time: %d, Memory required: %dkB, Parallel threads: %d\n"),
3236 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX,
3237 pbkdf_luks1->type, pbkdf_luks1->time_ms,
3238 pbkdf_luks2->type, pbkdf_luks2->time_ms, pbkdf_luks2->max_memory_kb,
3239 pbkdf_luks2->parallel_threads);
3241 log_std(_("\nDefault compiled-in device cipher parameters:\n"
3242 "\tloop-AES: %s, Key %d bits\n"
3243 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
3244 "\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
3245 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
3246 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
3247 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
3249 #if defined(ENABLE_LUKS_ADJUST_XTS_KEYSIZE) && DEFAULT_LUKS1_KEYBITS != 512
3250 log_std(_("\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"));
3253 poptFreeContext(popt_context);
3255 } else if (key->shortName == 'V') {
3256 tools_package_version(PACKAGE_NAME, true);
3258 poptFreeContext(popt_context);
3261 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
3264 static void help_args(struct action_type *action, poptContext popt_context)
3268 if (snprintf(buf, sizeof(buf), _("%s: requires %s as arguments"), action->type, action->arg_desc) < 0)
3270 usage(popt_context, EXIT_FAILURE, buf, poptGetInvocationName(popt_context));
3273 static int run_action(struct action_type *action)
3277 log_dbg("Running command %s.", action->type);
3280 r = action->handler();
3282 /* Some functions returns keyslot # */
3288 return translate_errno(r);
3291 static const char *verify_action(struct action_type *action)
3293 log_dbg("Verifying parameters for command %s.", action->type);
3295 return action->verify ? action->verify() : NULL;
3298 static bool needs_size_conversion(unsigned arg_id)
3300 return (arg_id == OPT_DEVICE_SIZE_ID || arg_id == OPT_HOTZONE_SIZE_ID ||
3301 arg_id == OPT_LUKS2_KEYSLOTS_SIZE_ID || arg_id == OPT_LUKS2_METADATA_SIZE_ID ||
3302 arg_id == OPT_REDUCE_DEVICE_SIZE_ID);
3305 static void check_key_slot_value(poptContext popt_context)
3307 if (ARG_INT32(OPT_KEY_SLOT_ID) < 0)
3308 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
3309 poptGetInvocationName(popt_context));
3312 static void basic_options_cb(poptContext popt_context,
3313 enum poptCallbackReason reason __attribute__((unused)),
3314 struct poptOption *key,
3316 void *data __attribute__((unused)))
3318 tools_parse_arg_value(popt_context, tool_core_args[key->val].type, tool_core_args + key->val, arg, key->val, needs_size_conversion);
3320 /* special cases additional handling */
3322 case OPT_DEBUG_JSON_ID:
3325 log_parms.debug = true;
3327 case OPT_VERBOSE_ID:
3328 log_parms.verbose = true;
3330 case OPT_DEVICE_SIZE_ID:
3331 if (ARG_UINT64(OPT_DEVICE_SIZE_ID) == 0)
3332 usage(popt_context, EXIT_FAILURE, poptStrerror(POPT_ERROR_BADNUMBER),
3333 poptGetInvocationName(popt_context));
3334 if (ARG_UINT64(OPT_DEVICE_SIZE_ID) % SECTOR_SIZE)
3335 usage(popt_context, EXIT_FAILURE, _("Device size must be multiple of 512 bytes sector."),
3336 poptGetInvocationName(popt_context));
3338 case OPT_HOTZONE_SIZE_ID:
3339 if (ARG_UINT64(OPT_HOTZONE_SIZE_ID) == 0)
3340 usage(popt_context, EXIT_FAILURE, _("Invalid max reencryption hotzone size specification."),
3341 poptGetInvocationName(popt_context));
3343 case OPT_KEY_FILE_ID:
3344 if (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) {
3345 free(keyfile_stdin);
3346 keyfile_stdin = strdup(ARG_STR(OPT_KEY_FILE_ID));
3347 } else if (keyfiles_count < MAX_KEYFILES)
3348 keyfiles[keyfiles_count++] = strdup(ARG_STR(OPT_KEY_FILE_ID));
3351 case OPT_KEY_SIZE_ID:
3352 if (ARG_UINT32(OPT_KEY_SIZE_ID) % 8)
3353 usage(popt_context, EXIT_FAILURE,
3354 _("Key size must be a multiple of 8 bits"),
3355 poptGetInvocationName(popt_context));
3357 case OPT_KEY_SLOT_ID:
3358 check_key_slot_value(popt_context);
3360 case OPT_KEYSLOT_KEY_SIZE_ID:
3361 if (ARG_UINT32(OPT_KEYSLOT_KEY_SIZE_ID) == 0)
3362 usage(popt_context, EXIT_FAILURE, poptStrerror(POPT_ERROR_BADNUMBER),
3363 poptGetInvocationName(popt_context));
3364 if (ARG_UINT32(OPT_KEYSLOT_KEY_SIZE_ID) % 8)
3365 usage(popt_context, EXIT_FAILURE,
3366 _("Key size must be a multiple of 8 bits"),
3367 poptGetInvocationName(popt_context));
3369 case OPT_REDUCE_DEVICE_SIZE_ID:
3370 if (ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID) > 1024 * 1024 * 1024)
3371 usage(popt_context, EXIT_FAILURE, _("Maximum device reduce size is 1 GiB."),
3372 poptGetInvocationName(popt_context));
3373 if (ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID) % SECTOR_SIZE)
3374 usage(popt_context, EXIT_FAILURE, _("Reduce size must be multiple of 512 bytes sector."),
3375 poptGetInvocationName(popt_context));
3376 data_shift = -(int64_t)ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID);
3378 case OPT_SECTOR_SIZE_ID:
3379 if (ARG_UINT32(OPT_SECTOR_SIZE_ID) < SECTOR_SIZE ||
3380 ARG_UINT32(OPT_SECTOR_SIZE_ID) > MAX_SECTOR_SIZE ||
3381 (ARG_UINT32(OPT_SECTOR_SIZE_ID) & (ARG_UINT32(OPT_SECTOR_SIZE_ID) - 1)))
3382 usage(popt_context, EXIT_FAILURE,
3383 _("Unsupported encryption sector size."),
3384 poptGetInvocationName(popt_context));
3386 case OPT_PRIORITY_ID:
3387 if (strcmp(ARG_STR(OPT_PRIORITY_ID), "normal") &&
3388 strcmp(ARG_STR(OPT_PRIORITY_ID), "prefer") &&
3389 strcmp(ARG_STR(OPT_PRIORITY_ID), "ignore"))
3390 usage(popt_context, EXIT_FAILURE,
3391 _("Option --priority can be only ignore/normal/prefer."),
3392 poptGetInvocationName(popt_context));
3397 static void cryptsetup_init_arg_aliases(void)
3401 for (i = 1; i < ARRAY_SIZE(tool_core_args); i++)
3402 if (tool_core_args[i].type == CRYPT_ARG_ALIAS)
3406 int main(int argc, const char **argv)
3408 static struct poptOption popt_help_options[] = {
3409 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
3410 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
3411 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
3412 { "version",'V', POPT_ARG_NONE, NULL, 0, N_("Print package version"), NULL },
3415 static struct poptOption popt_basic_options[] = {
3416 { NULL, '\0', POPT_ARG_CALLBACK, basic_options_cb, 0, NULL, NULL },
3417 #define ARG(A, B, C, D, E, F, G, H) { A, B, C, NULL, A ## _ID, D, E },
3418 #include "cryptsetup_arg_list.h"
3422 static struct poptOption popt_options[] = {
3423 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
3424 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_basic_options, 0, NULL, NULL },
3427 poptContext popt_context;
3428 struct action_type *action;
3429 const char *aname, *error_message;
3432 /* initialize aliases */
3433 cryptsetup_init_arg_aliases();
3435 crypt_set_log_callback(NULL, tool_log, &log_parms);
3437 setlocale(LC_ALL, "");
3438 bindtextdomain(PACKAGE, LOCALEDIR);
3439 textdomain(PACKAGE);
3441 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
3442 poptSetOtherOptionHelp(popt_context,
3443 _("[OPTION...] <action> <action-specific>"));
3445 while ((r = poptGetNextOpt(popt_context)) > 0) {}
3448 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
3449 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
3451 if (!(aname = poptGetArg(popt_context)))
3452 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
3453 poptGetInvocationName(popt_context));
3456 action_argv = poptGetArgs(popt_context);
3457 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
3459 action_argv = null_action_argv;
3461 /* Count args, somewhat unnice, change? */
3462 while(action_argv[action_argc] != NULL)
3465 /* Handle aliases */
3466 if (!strcmp(aname, "create")) {
3467 /* create command had historically switched arguments */
3468 if (action_argv[0] && action_argv[1]) {
3469 const char *tmp = action_argv[0];
3470 action_argv[0] = action_argv[1];
3471 action_argv[1] = tmp;
3473 aname = OPEN_ACTION;
3474 device_type = "plain";
3475 } else if (!strcmp(aname, "plainOpen")) {
3476 aname = OPEN_ACTION;
3477 device_type = "plain";
3478 } else if (!strcmp(aname, "luksOpen")) {
3479 aname = OPEN_ACTION;
3480 device_type = "luks";
3481 } else if (!strcmp(aname, "loopaesOpen")) {
3482 aname = OPEN_ACTION;
3483 device_type = "loopaes";
3484 } else if (!strcmp(aname, "tcryptOpen")) {
3485 aname = OPEN_ACTION;
3486 device_type = "tcrypt";
3487 } else if (!strcmp(aname, "bitlkOpen")) {
3488 aname = OPEN_ACTION;
3489 device_type = "bitlk";
3490 } else if (!strcmp(aname, "fvault2Open")) {
3491 aname = OPEN_ACTION;
3492 device_type = "fvault2";
3493 } else if (!strcmp(aname, "tcryptDump")) {
3494 device_type = "tcrypt";
3495 } else if (!strcmp(aname, "bitlkDump")) {
3496 device_type = "bitlk";
3497 } else if (!strcmp(aname, "fvault2Dump")) {
3498 device_type = "fvault2";
3499 } else if (!strcmp(aname, "remove") ||
3500 !strcmp(aname, "plainClose") ||
3501 !strcmp(aname, "luksClose") ||
3502 !strcmp(aname, "loopaesClose") ||
3503 !strcmp(aname, "tcryptClose") ||
3504 !strcmp(aname, "bitlkClose") ||
3505 !strcmp(aname, "fvault2Close")) {
3506 aname = CLOSE_ACTION;
3507 } else if (!strcmp(aname, "luksErase")) {
3508 aname = ERASE_ACTION;
3509 device_type = "luks";
3510 } else if (!strcmp(aname, "luksConfig")) {
3511 aname = CONFIG_ACTION;
3512 device_type = "luks2";
3513 } else if (!strcmp(aname, "refresh")) {
3514 aname = OPEN_ACTION;
3515 ARG_SET_TRUE(OPT_REFRESH_ID);
3516 } else if (ARG_SET(OPT_TYPE_ID))
3517 device_type = ARG_STR(OPT_TYPE_ID);
3519 /* ignore user supplied type and query device type instead */
3520 if (ARG_SET(OPT_REFRESH_ID))
3523 for(action = action_types; action->type; action++)
3524 if (strcmp(action->type, aname) == 0)
3528 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
3529 poptGetInvocationName(popt_context));
3531 if (action_argc < action->required_action_argc)
3532 help_args(action, popt_context);
3534 /* this routine short circuits to exit() on error */
3535 tools_check_args(action->type, tool_core_args, ARRAY_SIZE(tool_core_args), popt_context);
3537 if (!strcmp(aname, KILLKEY_ACTION) && action_argc > 1) {
3538 ARG_SET_INT32(OPT_KEY_SLOT_ID, atoi(action_argv[1]));
3539 check_key_slot_value(popt_context);
3542 if ((!strcmp(aname, REMOVEKEY_ACTION) ||
3543 !strcmp(aname, FORMAT_ACTION)) &&
3545 if (ARG_SET(OPT_KEY_FILE_ID))
3546 log_err(_("Option --key-file takes precedence over specified key file argument."));
3548 ARG_SET_STR(OPT_KEY_FILE_ID, strdup(action_argv[1]));
3551 if (total_keyfiles > 1 && (strcmp_or_null(device_type, "tcrypt")))
3552 usage(popt_context, EXIT_FAILURE, _("Only one --key-file argument is allowed."),
3553 poptGetInvocationName(popt_context));
3555 if (ARG_SET(OPT_PBKDF_ID) && crypt_parse_pbkdf(ARG_STR(OPT_PBKDF_ID), &set_pbkdf))
3556 usage(popt_context, EXIT_FAILURE,
3557 _("Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."),
3558 poptGetInvocationName(popt_context));
3560 if (ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID) && ARG_SET(OPT_ITER_TIME_ID))
3561 usage(popt_context, EXIT_FAILURE,
3562 _("PBKDF forced iterations cannot be combined with iteration time option."),
3563 poptGetInvocationName(popt_context));
3565 if (ARG_SET(OPT_DEBUG_ID) || ARG_SET(OPT_DEBUG_JSON_ID)) {
3566 crypt_set_debug_level(ARG_SET(OPT_DEBUG_JSON_ID)? CRYPT_DEBUG_JSON : CRYPT_DEBUG_ALL);
3567 dbg_version_and_cmd(argc, argv);
3570 /* reencrypt action specific check */
3572 if (ARG_SET(OPT_KEYSLOT_CIPHER_ID) != ARG_SET(OPT_KEYSLOT_KEY_SIZE_ID))
3573 usage(popt_context, EXIT_FAILURE, _("Options --keyslot-cipher and --keyslot-key-size must be used together."),
3574 poptGetInvocationName(popt_context));
3576 error_message = verify_action(action);
3578 usage(popt_context, EXIT_FAILURE, error_message, poptGetInvocationName(popt_context));
3580 if (ARG_SET(OPT_TEST_ARGS_ID)) {
3581 log_std(_("No action taken. Invoked with --test-args option.\n"));
3583 poptFreeContext(popt_context);
3587 if (ARG_SET(OPT_DISABLE_KEYRING_ID))
3588 (void) crypt_volume_key_keyring(NULL, 0);
3590 if (ARG_SET(OPT_DISABLE_EXTERNAL_TOKENS_ID))
3591 (void) crypt_token_external_disable();
3593 if (ARG_SET(OPT_DISABLE_LOCKS_ID) && crypt_metadata_locking(NULL, 0)) {
3594 log_std(_("Cannot disable metadata locking."));
3597 r = run_action(action);
3601 poptFreeContext(popt_context);
projects / platform / upstream / cryptsetup.git / blob