2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "cryptsetup.h"
24 static const char *opt_cipher = NULL;
25 static const char *opt_hash = NULL;
26 static int opt_verify_passphrase = 0;
28 static const char *opt_key_file = NULL;
29 static int opt_keyfiles_count = 0;
30 static const char *opt_keyfiles[MAX_KEYFILES];
32 static const char *opt_master_key_file = NULL;
33 static const char *opt_header_backup_file = NULL;
34 static const char *opt_uuid = NULL;
35 static const char *opt_header_device = NULL;
36 static int opt_key_size = 0;
37 static long opt_keyfile_size = 0;
38 static long opt_new_keyfile_size = 0;
39 static long opt_keyfile_offset = 0;
40 static long opt_new_keyfile_offset = 0;
41 static int opt_key_slot = CRYPT_ANY_SLOT;
42 static uint64_t opt_size = 0;
43 static uint64_t opt_offset = 0;
44 static uint64_t opt_skip = 0;
45 static int opt_skip_valid = 0;
46 static int opt_readonly = 0;
47 static int opt_iteration_time = 1000;
48 static int opt_version_mode = 0;
49 static int opt_timeout = 0;
50 static int opt_tries = 3;
51 static int opt_align_payload = 0;
52 static int opt_random = 0;
53 static int opt_urandom = 0;
54 static int opt_dump_master_key = 0;
55 static int opt_shared = 0;
56 static int opt_allow_discards = 0;
57 static int opt_test_passphrase = 0;
58 static int opt_hidden = 0;
60 static const char **action_argv;
61 static int action_argc;
62 static const char *null_action_argv[] = {NULL, NULL};
64 static int action_create(int arg);
65 static int action_remove(int arg);
66 static int action_resize(int arg);
67 static int action_status(int arg);
68 static int action_benchmark(int arg);
69 static int action_luksFormat(int arg);
70 static int action_luksOpen(int arg);
71 static int action_luksAddKey(int arg);
72 static int action_luksKillSlot(int arg);
73 static int action_luksRemoveKey(int arg);
74 static int action_luksChangeKey(int arg);
75 static int action_isLuks(int arg);
76 static int action_luksUUID(int arg);
77 static int action_luksDump(int arg);
78 static int action_luksSuspend(int arg);
79 static int action_luksResume(int arg);
80 static int action_luksBackup(int arg);
81 static int action_luksRestore(int arg);
82 static int action_loopaesOpen(int arg);
83 static int action_luksRepair(int arg);
84 static int action_tcryptOpen(int arg);
86 static struct action_type {
90 int required_action_argc;
95 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
96 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
97 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
98 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
99 { "benchmark", action_benchmark, 0, 0, 0, N_("<name>"), N_("benchmark cipher") },
100 { "repair", action_luksRepair, 0, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
101 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
102 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
103 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
104 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
105 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
106 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
107 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
108 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
109 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
110 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
111 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
112 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
113 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
114 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
115 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
116 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
117 { "tcryptOpen", action_tcryptOpen, 0, 2, 1, N_("<device> <name> "), N_("open TCRYPT device as mapping <name>") },
118 { NULL, NULL, 0, 0, 0, NULL, NULL }
121 static int _verify_passphrase(int def)
123 /* Batch mode switch off verify - if not overrided by -y */
124 if (opt_verify_passphrase)
126 else if (opt_batch_mode)
129 /* Non-tty input doesn't allow verify */
130 if (def && !isatty(STDIN_FILENO)) {
131 if (opt_verify_passphrase)
132 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
139 static int action_create(int arg __attribute__((unused)))
141 struct crypt_device *cd = NULL;
142 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
143 struct crypt_params_plain params = {
144 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
146 .offset = opt_offset,
149 char *password = NULL;
151 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
152 uint32_t activate_flags = 0;
155 if (params.hash && !strcmp(params.hash, "plain"))
158 /* FIXME: temporary hack */
159 if (opt_key_file && strcmp(opt_key_file, "-"))
162 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
163 log_std(("Ignoring keyfile offset and size options, keyfile read "
164 "size is always the same as encryption key size.\n"));
166 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
167 cipher, NULL, cipher_mode);
169 log_err("No known cipher specification pattern detected.\n");
173 if ((r = crypt_init(&cd, action_argv[1])))
176 crypt_set_timeout(cd, opt_timeout);
177 crypt_set_password_retry(cd, opt_tries);
179 r = crypt_format(cd, CRYPT_PLAIN,
188 activate_flags |= CRYPT_ACTIVATE_READONLY;
191 activate_flags |= CRYPT_ACTIVATE_SHARED;
193 if (opt_allow_discards)
194 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
197 /* With hashing, read the whole keyfile */
198 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
199 CRYPT_ANY_SLOT, opt_key_file,
200 params.hash ? 0 : key_size, 0,
203 r = crypt_get_key(_("Enter passphrase: "),
204 &password, &passwordLen,
205 opt_keyfile_offset, opt_keyfile_size,
207 _verify_passphrase(0),
212 r = crypt_activate_by_passphrase(cd, action_argv[0],
213 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
217 crypt_safe_free(password);
222 static int action_loopaesOpen(int arg __attribute__((unused)))
224 struct crypt_device *cd = NULL;
225 struct crypt_params_loopaes params = {
226 .hash = opt_hash ?: NULL,
227 .offset = opt_offset,
228 .skip = opt_skip_valid ? opt_skip : opt_offset,
230 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
231 uint32_t activate_flags = 0;
235 log_err(_("Option --key-file is required.\n"));
240 activate_flags |= CRYPT_ACTIVATE_READONLY;
242 if (opt_allow_discards)
243 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
245 if ((r = crypt_init(&cd, action_argv[0])))
248 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
249 NULL, NULL, NULL, key_size, ¶ms);
253 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
254 opt_key_file, opt_keyfile_size,
255 opt_keyfile_size, activate_flags);
262 static int action_tcryptOpen(int arg __attribute__((unused)))
264 struct crypt_device *cd = NULL;
265 struct crypt_params_tcrypt params = {
266 .keyfiles = opt_keyfiles,
267 .keyfiles_count = opt_keyfiles_count,
268 .flags = CRYPT_TCRYPT_LEGACY_MODES,
270 const char *activated_name;
274 activated_name = opt_test_passphrase ? NULL : action_argv[1];
276 if ((r = crypt_init(&cd, action_argv[0])))
279 /* TCRYPT header is encrypted, get passphrase now */
280 r = crypt_get_key(_("Enter passphrase: "),
281 CONST_CAST(char**)¶ms.passphrase,
282 ¶ms.passphrase_size, 0, 0, NULL, opt_timeout,
283 _verify_passphrase(0), cd);
288 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
290 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
295 flags |= CRYPT_ACTIVATE_READONLY;
298 r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, flags);
301 crypt_safe_free(CONST_CAST(char*)params.passphrase);
305 static int action_remove(int arg __attribute__((unused)))
307 struct crypt_device *cd = NULL;
310 r = crypt_init_by_name(&cd, action_argv[0]);
312 r = crypt_deactivate(cd, action_argv[0]);
318 static int action_resize(int arg __attribute__((unused)))
320 struct crypt_device *cd = NULL;
323 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
325 r = crypt_resize(cd, action_argv[0], opt_size);
331 static int action_status(int arg __attribute__((unused)))
333 crypt_status_info ci;
334 struct crypt_active_device cad;
335 struct crypt_device *cd = NULL;
341 /* perhaps a path, not a dm device name */
342 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
345 ci = crypt_status(NULL, action_argv[0]);
352 log_std("%s is inactive.\n", action_argv[0]);
354 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
360 log_std("%s is active%s.\n", action_argv[0],
361 ci == CRYPT_BUSY ? " and is in use" : "");
363 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
364 ci == CRYPT_BUSY ? " and is in use" : "");
366 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
367 if (r < 0 || !crypt_get_type(cd))
370 log_std(" type: %s\n", crypt_get_type(cd));
372 r = crypt_get_active_device(cd, action_argv[0], &cad);
376 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
377 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
378 device = crypt_get_device_name(cd);
379 log_std(" device: %s\n", device);
380 if (crypt_loop_device(device)) {
381 backing_file = crypt_loop_backing_file(device);
382 log_std(" loop: %s\n", backing_file);
385 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
386 log_std(" size: %" PRIu64 " sectors\n", cad.size);
388 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
389 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
390 "readonly" : "read/write");
391 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
392 log_std(" flags: discards\n");
401 static int action_benchmark(int arg __attribute__((unused)))
409 { "aes", "cbc", 16, 16 },
410 { "serpent", "cbc", 16, 16 },
411 { "twofish", "cbc", 16, 16 },
412 { "aes", "cbc", 32, 16 },
413 { "serpent", "cbc", 32, 16 },
414 { "twofish", "cbc", 32, 16 },
415 { "aes", "xts", 32, 16 },
416 { "serpent", "xts", 32, 16 },
417 { "twofish", "xts", 32, 16 },
418 { "aes", "xts", 64, 16 },
419 { "serpent", "xts", 64, 16 },
420 { "twofish", "xts", 64, 16 },
423 char *header = "# Tests are approximate using memory only (no storage IO).\n"
424 "# Algorithm | Key | Encryption | Decryption\n";
425 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
426 double enc_mbr = 0, dec_mbr = 0;
427 int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS);
429 int buffer_size = 1024 * 1024;
434 r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
436 log_err(_("No known cipher specification pattern detected.\n"));
439 if ((c = strchr(cipher_mode, '-')))
442 /* FIXME: not really clever :) */
443 if (strstr(cipher, "des"))
446 r = crypt_benchmark(NULL, cipher, cipher_mode,
447 key_size / 8, iv_size, buffer_size,
450 log_std("%s", header);
451 strncat(cipher, "-", MAX_CIPHER_LEN);
452 strncat(cipher, cipher_mode, MAX_CIPHER_LEN);
453 log_std("%11s %4db %5.1f MiB/s %5.1f MiB/s\n",
454 cipher, key_size, enc_mbr, dec_mbr);
456 log_err(_("Cannot benchmark %s.\n"), cipher);
458 log_std("%s", header);
459 for (i = 0; bciphers[i].cipher; i++) {
460 r = crypt_benchmark(NULL, bciphers[i].cipher, bciphers[i].mode,
461 bciphers[i].key_size, bciphers[i].iv_size,
462 buffer_size, &enc_mbr, &dec_mbr);
463 snprintf(cipher, MAX_CIPHER_LEN, "%s-%s",
464 bciphers[i].cipher, bciphers[i].mode);
466 log_std("%11s %4db %5.1f MiB/s %5.1f MiB/s\n",
467 cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr);
469 log_std("%11s %4db %12s %12s\n", cipher,
470 bciphers[i].key_size*8, _("N/A"), _("N/A"));
477 static int _read_mk(const char *file, char **key, int keysize)
481 *key = crypt_safe_alloc(keysize);
485 fd = open(file, O_RDONLY);
487 log_err("Cannot read keyfile %s.\n", file);
490 if ((read(fd, *key, keysize) != keysize)) {
491 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
498 crypt_safe_free(*key);
503 static int action_luksRepair(int arg __attribute__((unused)))
505 struct crypt_device *cd = NULL;
508 if ((r = crypt_init(&cd, action_argv[0])))
511 /* Currently only LUKS1 allows repair */
512 crypt_set_log_callback(cd, quiet_log, NULL);
513 r = crypt_load(cd, CRYPT_LUKS1, NULL);
514 crypt_set_log_callback(cd, tool_log, NULL);
516 log_verbose( _("No known problems detected for LUKS header.\n"));
520 r = yesDialog(_("Really try to repair LUKS device header?"),
523 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
529 static int action_luksFormat(int arg __attribute__((unused)))
531 int r = -EINVAL, keysize;
532 const char *header_device;
533 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
534 char *password = NULL;
536 struct crypt_device *cd = NULL;
537 struct crypt_params_luks1 params = {
538 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
539 .data_alignment = opt_align_payload,
540 .data_device = opt_header_device ? action_argv[0] : NULL,
543 header_device = opt_header_device ?: action_argv[0];
545 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
546 header_device) == -1) {
547 log_err(_("memory allocation error in action_luksFormat"));
551 r = yesDialog(msg, NULL) ? 0 : -EINVAL;
556 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
557 cipher, NULL, cipher_mode);
559 log_err(_("No known cipher specification pattern detected.\n"));
563 if ((r = crypt_init(&cd, header_device))) {
564 if (opt_header_device)
565 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
569 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
571 crypt_set_timeout(cd, opt_timeout);
572 if (opt_iteration_time)
573 crypt_set_iteration_time(cd, opt_iteration_time);
576 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
577 else if (opt_urandom)
578 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
580 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
581 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
582 opt_timeout, _verify_passphrase(1), cd);
586 if (opt_master_key_file) {
587 r = _read_mk(opt_master_key_file, &key, keysize);
592 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
593 opt_uuid, key, keysize, ¶ms);
597 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
599 password, passwordLen);
602 crypt_safe_free(key);
603 crypt_safe_free(password);
608 static int action_luksOpen(int arg __attribute__((unused)))
610 struct crypt_device *cd = NULL;
611 const char *data_device, *header_device, *activated_name;
616 if (opt_header_device) {
617 header_device = uuid_or_device(opt_header_device);
618 data_device = action_argv[0];
620 header_device = uuid_or_device(action_argv[0]);
624 activated_name = opt_test_passphrase ? NULL : action_argv[1];
626 if ((r = crypt_init(&cd, header_device)))
629 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
633 (r = crypt_set_data_device(cd, data_device)))
636 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
637 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
642 crypt_set_timeout(cd, opt_timeout);
643 crypt_set_password_retry(cd, opt_tries);
644 crypt_set_password_verify(cd, _verify_passphrase(0));
646 if (opt_iteration_time)
647 crypt_set_iteration_time(cd, opt_iteration_time);
650 flags |= CRYPT_ACTIVATE_READONLY;
652 if (opt_allow_discards)
653 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
655 if (opt_master_key_file) {
656 keysize = crypt_get_volume_key_size(cd);
657 r = _read_mk(opt_master_key_file, &key, keysize);
660 r = crypt_activate_by_volume_key(cd, activated_name,
661 key, keysize, flags);
662 } else if (opt_key_file) {
663 crypt_set_password_retry(cd, 1);
664 r = crypt_activate_by_keyfile_offset(cd, activated_name,
665 opt_key_slot, opt_key_file, opt_keyfile_size,
666 opt_keyfile_offset, flags);
668 r = crypt_activate_by_passphrase(cd, activated_name,
669 opt_key_slot, NULL, 0, flags);
671 crypt_safe_free(key);
676 static int verify_keyslot(struct crypt_device *cd, int key_slot,
677 char *msg_last, char *msg_pass,
678 const char *key_file, int keyfile_offset,
681 crypt_keyslot_info ki;
682 char *password = NULL;
686 ki = crypt_keyslot_status(cd, key_slot);
687 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !yesDialog(msg_last, NULL))
690 r = crypt_get_key(msg_pass, &password, &passwordLen,
691 keyfile_offset, keyfile_size, key_file, opt_timeout,
692 _verify_passphrase(0), cd);
696 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
697 /* check the last keyslot */
698 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
699 password, passwordLen, 0);
701 /* try all other keyslots */
702 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
705 ki = crypt_keyslot_status(cd, key_slot);
706 if (ki == CRYPT_SLOT_ACTIVE)
707 r = crypt_activate_by_passphrase(cd, NULL, i,
708 password, passwordLen, 0);
715 log_err(_("No key available with this passphrase.\n"));
717 crypt_safe_free(password);
721 static int action_luksKillSlot(int arg __attribute__((unused)))
723 struct crypt_device *cd = NULL;
726 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
729 crypt_set_confirm_callback(cd, yesDialog, NULL);
730 crypt_set_timeout(cd, opt_timeout);
732 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
735 switch (crypt_keyslot_status(cd, opt_key_slot)) {
736 case CRYPT_SLOT_ACTIVE_LAST:
737 case CRYPT_SLOT_ACTIVE:
738 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
740 case CRYPT_SLOT_INACTIVE:
741 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
742 case CRYPT_SLOT_INVALID:
747 if (!opt_batch_mode) {
748 r = verify_keyslot(cd, opt_key_slot,
749 _("This is the last keyslot. Device will become unusable after purging this key."),
750 _("Enter any remaining LUKS passphrase: "),
751 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
756 r = crypt_keyslot_destroy(cd, opt_key_slot);
762 static int action_luksRemoveKey(int arg __attribute__((unused)))
764 struct crypt_device *cd = NULL;
765 char *password = NULL;
769 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
772 crypt_set_confirm_callback(cd, yesDialog, NULL);
773 crypt_set_timeout(cd, opt_timeout);
775 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
778 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
779 &password, &passwordLen,
780 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
782 _verify_passphrase(0),
787 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
788 password, passwordLen, 0);
793 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
795 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
796 !yesDialog(_("This is the last keyslot. "
797 "Device will become unusable after purging this key."),
803 r = crypt_keyslot_destroy(cd, opt_key_slot);
805 crypt_safe_free(password);
810 static int action_luksAddKey(int arg __attribute__((unused)))
812 int r = -EINVAL, keysize = 0;
814 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
815 struct crypt_device *cd = NULL;
817 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
820 crypt_set_confirm_callback(cd, yesDialog, NULL);
822 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
825 keysize = crypt_get_volume_key_size(cd);
826 /* FIXME: lib cannot properly set verification for new/old passphrase */
827 crypt_set_password_verify(cd, _verify_passphrase(0));
828 crypt_set_timeout(cd, opt_timeout);
829 if (opt_iteration_time)
830 crypt_set_iteration_time(cd, opt_iteration_time);
832 if (opt_master_key_file) {
833 r = _read_mk(opt_master_key_file, &key, keysize);
836 //FIXME: process keyfile arg
837 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
838 key, keysize, NULL, 0);
839 } else if (opt_key_file || opt_new_key_file) {
840 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
841 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
842 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
844 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
849 crypt_safe_free(key);
853 static int _slots_full(struct crypt_device *cd)
857 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
858 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
863 static int action_luksChangeKey(int arg __attribute__((unused)))
865 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
866 struct crypt_device *cd = NULL;
867 char *vk = NULL, *password = NULL;
868 size_t passwordLen = 0;
870 int new_key_slot, old_key_slot, r;
872 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
875 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
878 if (opt_iteration_time)
879 crypt_set_iteration_time(cd, opt_iteration_time);
881 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
882 &password, &passwordLen,
883 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
884 opt_timeout, _verify_passphrase(0), cd);
888 vk_size = crypt_get_volume_key_size(cd);
889 vk = crypt_safe_alloc(vk_size);
895 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
896 password, passwordLen);
898 if (opt_key_slot != CRYPT_ANY_SLOT)
899 log_err(_("No key available with this passphrase.\n"));
903 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
904 log_dbg("Key slot %d is going to be overwritten (%s).",
905 r, opt_key_slot != CRYPT_ANY_SLOT ?
906 "explicit key slot specified" : "no free key slot");
910 log_dbg("Allocating new key slot.");
912 new_key_slot = CRYPT_ANY_SLOT;
915 crypt_safe_free(password);
918 r = crypt_get_key(_("Enter new LUKS passphrase: "),
919 &password, &passwordLen,
920 opt_new_keyfile_offset, opt_new_keyfile_size,
922 opt_timeout, _verify_passphrase(0), cd);
926 if (new_key_slot == old_key_slot) {
927 (void)crypt_keyslot_destroy(cd, old_key_slot);
928 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
930 password, passwordLen);
932 log_verbose(_("Key slot %d changed.\n"), r);
934 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
936 password, passwordLen);
938 log_verbose(_("Replaced with key slot %d.\n"), r);
939 r = crypt_keyslot_destroy(cd, old_key_slot);
943 log_err(_("Failed to swap new key slot.\n"));
946 crypt_safe_free(password);
951 static int action_isLuks(int arg __attribute__((unused)))
953 struct crypt_device *cd = NULL;
956 if ((r = crypt_init(&cd, action_argv[0])))
959 crypt_set_log_callback(cd, quiet_log, NULL);
960 r = crypt_load(cd, CRYPT_LUKS1, NULL);
966 static int action_luksUUID(int arg __attribute__((unused)))
968 struct crypt_device *cd = NULL;
969 const char *existing_uuid = NULL;
972 if ((r = crypt_init(&cd, action_argv[0])))
975 crypt_set_confirm_callback(cd, yesDialog, NULL);
977 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
981 r = crypt_set_uuid(cd, opt_uuid);
983 existing_uuid = crypt_get_uuid(cd);
984 log_std("%s\n", existing_uuid ?: "");
985 r = existing_uuid ? 0 : 1;
992 static int luksDump_with_volume_key(struct crypt_device *cd)
994 char *vk = NULL, *password = NULL;
995 size_t passwordLen = 0;
1000 crypt_set_confirm_callback(cd, yesDialog, NULL);
1002 _("LUKS header dump with volume key is sensitive information\n"
1003 "which allows access to encrypted partition without passphrase.\n"
1004 "This dump should be always stored encrypted on safe place."),
1008 vk_size = crypt_get_volume_key_size(cd);
1009 vk = crypt_safe_alloc(vk_size);
1013 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
1014 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1015 opt_timeout, 0, cd);
1019 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
1020 password, passwordLen);
1024 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
1025 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
1026 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
1027 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
1028 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
1029 log_std("MK bits: \t%d\n", (int)vk_size * 8);
1030 log_std("MK dump:\t");
1032 for(i = 0; i < vk_size; i++) {
1035 log_std("%02hhx ", (char)vk[i]);
1040 crypt_safe_free(password);
1041 crypt_safe_free(vk);
1045 static int action_luksDump(int arg __attribute__((unused)))
1047 struct crypt_device *cd = NULL;
1050 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1053 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1056 if (opt_dump_master_key)
1057 r = luksDump_with_volume_key(cd);
1065 static int action_luksSuspend(int arg __attribute__((unused)))
1067 struct crypt_device *cd = NULL;
1070 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
1072 r = crypt_suspend(cd, action_argv[0]);
1078 static int action_luksResume(int arg __attribute__((unused)))
1080 struct crypt_device *cd = NULL;
1083 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1086 crypt_set_timeout(cd, opt_timeout);
1087 crypt_set_password_retry(cd, opt_tries);
1088 crypt_set_password_verify(cd, _verify_passphrase(0));
1091 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1092 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1094 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1101 static int action_luksBackup(int arg __attribute__((unused)))
1103 struct crypt_device *cd = NULL;
1106 if (!opt_header_backup_file) {
1107 log_err(_("Option --header-backup-file is required.\n"));
1111 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1114 crypt_set_confirm_callback(cd, yesDialog, NULL);
1116 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1122 static int action_luksRestore(int arg __attribute__((unused)))
1124 struct crypt_device *cd = NULL;
1127 if (!opt_header_backup_file) {
1128 log_err(_("Option --header-backup-file is required.\n"));
1132 if ((r = crypt_init(&cd, action_argv[0])))
1135 crypt_set_confirm_callback(cd, yesDialog, NULL);
1136 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1142 static void help(poptContext popt_context,
1143 enum poptCallbackReason reason __attribute__((unused)),
1144 struct poptOption *key,
1145 const char *arg __attribute__((unused)),
1146 void *data __attribute__((unused)))
1148 if (key->shortName == '?') {
1149 struct action_type *action;
1151 log_std("%s\n",PACKAGE_STRING);
1153 poptPrintHelp(popt_context, stdout, 0);
1156 "<action> is one of:\n"));
1158 for(action = action_types; action->type; action++)
1159 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1162 "<name> is the device to create under %s\n"
1163 "<device> is the encrypted device\n"
1164 "<key slot> is the LUKS key slot number to modify\n"
1165 "<key file> optional key file for the new key for luksAddKey action\n"),
1168 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1169 "\tMaximum keyfile size: %dkB, "
1170 "Maximum interactive passphrase length %d (characters)\n"),
1171 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1173 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1174 "\tloop-AES: %s, Key %d bits\n"
1175 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1176 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1177 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1178 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1179 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1183 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1186 static int run_action(struct action_type *action)
1190 log_dbg("Running command %s.", action->type);
1192 if (action->required_memlock)
1193 crypt_memory_lock(NULL, 1);
1195 r = action->handler(action->arg);
1197 if (action->required_memlock)
1198 crypt_memory_lock(NULL, 0);
1200 /* Some functions returns keyslot # */
1205 return translate_errno(r);
1208 int main(int argc, const char **argv)
1210 static char *popt_tmp;
1211 static struct poptOption popt_help_options[] = {
1212 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1213 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1214 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1217 static struct poptOption popt_options[] = {
1218 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1219 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1220 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1221 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1222 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1223 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1224 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1225 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 5, N_("Read the key from a file."), NULL },
1226 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1227 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1228 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1229 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1230 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1231 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1232 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1233 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1234 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1235 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1236 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1237 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1238 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1239 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1240 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1241 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1242 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1243 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1244 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1245 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1246 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1247 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1248 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1249 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1250 { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
1251 { "hidden", '\0', POPT_ARG_NONE, &opt_hidden, 0, N_("Use hidden header (hiden TCRYPT device) ."), NULL },
1254 poptContext popt_context;
1255 struct action_type *action;
1259 crypt_set_log_callback(NULL, tool_log, NULL);
1261 setlocale(LC_ALL, "");
1262 bindtextdomain(PACKAGE, LOCALEDIR);
1263 textdomain(PACKAGE);
1265 crypt_fips_self_check(NULL);
1267 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1268 poptSetOtherOptionHelp(popt_context,
1269 _("[OPTION...] <action> <action-specific>"));
1271 while((r = poptGetNextOpt(popt_context)) > 0) {
1272 unsigned long long ull_value;
1276 if (opt_keyfiles_count < MAX_KEYFILES)
1277 opt_keyfiles[opt_keyfiles_count++] = poptGetOptArg(popt_context);
1282 ull_value = strtoull(popt_tmp, &endp, 0);
1283 if (*endp || !*popt_tmp ||
1284 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1285 (errno != 0 && ull_value == 0))
1286 r = POPT_ERROR_BADNUMBER;
1290 opt_size = ull_value;
1293 opt_offset = ull_value;
1296 opt_skip = ull_value;
1306 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1307 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1308 if (opt_version_mode) {
1309 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1310 poptFreeContext(popt_context);
1314 if (!(aname = poptGetArg(popt_context)))
1315 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1316 poptGetInvocationName(popt_context));
1317 for(action = action_types; action->type; action++)
1318 if (strcmp(action->type, aname) == 0)
1321 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1322 poptGetInvocationName(popt_context));
1325 action_argv = poptGetArgs(popt_context);
1326 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1328 action_argv = null_action_argv;
1330 /* Count args, somewhat unnice, change? */
1331 while(action_argv[action_argc] != NULL)
1334 if(action_argc < action->required_action_argc) {
1336 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1337 usage(popt_context, EXIT_FAILURE, buf,
1338 poptGetInvocationName(popt_context));
1341 /* FIXME: rewrite this from scratch */
1343 if (opt_shared && strcmp(aname, "create"))
1344 usage(popt_context, EXIT_FAILURE,
1345 _("Option --shared is allowed only for create operation.\n"),
1346 poptGetInvocationName(popt_context));
1348 if (opt_allow_discards &&
1349 strcmp(aname, "luksOpen") &&
1350 strcmp(aname, "create") &&
1351 strcmp(aname, "loopaesOpen"))
1352 usage(popt_context, EXIT_FAILURE,
1353 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1354 poptGetInvocationName(popt_context));
1357 strcmp(aname, "luksFormat") &&
1358 strcmp(aname, "create") &&
1359 strcmp(aname, "loopaesOpen") &&
1360 strcmp(aname, "benchmark"))
1361 usage(popt_context, EXIT_FAILURE,
1362 _("Option --key-size is allowed only for luksFormat, create, loopaesOpen and benchmark.\n"
1363 "To limit read from keyfile use --keyfile-size=(bytes)."),
1364 poptGetInvocationName(popt_context));
1366 if (opt_test_passphrase &&
1367 strcmp(aname, "luksOpen") &&
1368 strcmp(aname, "tcryptOpen"))
1369 usage(popt_context, EXIT_FAILURE,
1370 _("Option --test-passphrase is allowed only for luksOpen and tcryptOpen.\n"),
1371 poptGetInvocationName(popt_context));
1373 if (opt_key_size % 8)
1374 usage(popt_context, EXIT_FAILURE,
1375 _("Key size must be a multiple of 8 bits"),
1376 poptGetInvocationName(popt_context));
1378 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1379 opt_key_slot = atoi(action_argv[1]);
1380 if (opt_key_slot != CRYPT_ANY_SLOT &&
1381 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1382 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1383 poptGetInvocationName(popt_context));
1385 if ((!strcmp(aname, "luksRemoveKey") ||
1386 !strcmp(aname, "luksFormat")) &&
1389 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1391 opt_key_file = action_argv[1];
1394 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1395 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0)
1396 usage(popt_context, EXIT_FAILURE,
1397 _("Negative number for option not permitted."),
1398 poptGetInvocationName(popt_context));
1400 if (opt_random && opt_urandom)
1401 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1402 poptGetInvocationName(popt_context));
1404 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1405 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1406 poptGetInvocationName(popt_context));
1408 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1409 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1410 poptGetInvocationName(popt_context));
1412 if (opt_align_payload && strcmp(aname, "luksFormat"))
1413 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1414 poptGetInvocationName(popt_context));
1416 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1417 usage(popt_context, EXIT_FAILURE,
1418 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1419 poptGetInvocationName(popt_context));
1421 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1422 usage(popt_context, EXIT_FAILURE,
1423 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1424 poptGetInvocationName(popt_context));
1426 if (opt_hidden && strcmp(aname, "tcryptOpen"))
1427 usage(popt_context, EXIT_FAILURE,
1428 _("Option --hidden is supported only for tcryptOpen command.\n"),
1429 poptGetInvocationName(popt_context));
1433 crypt_set_debug_level(-1);
1434 dbg_version_and_cmd(argc, argv);
1437 r = run_action(action);
1438 poptFreeContext(popt_context);
projects / platform / upstream / cryptsetup.git / blob