12 #include <libcryptsetup.h>
15 #include "../config.h"
17 #include "cryptsetup.h"
19 static int opt_verbose = 0;
20 static int opt_debug = 0;
21 static char *opt_cipher = NULL;
22 static char *opt_hash = NULL;
23 static int opt_verify_passphrase = 0;
24 static char *opt_key_file = NULL;
25 static char *opt_master_key_file = NULL;
26 static char *opt_header_backup_file = NULL;
27 static char *opt_uuid = NULL;
28 static unsigned int opt_key_size = 0;
29 static unsigned int opt_keyfile_size = 0;
30 static unsigned int opt_new_keyfile_size = 0;
31 static int opt_key_slot = CRYPT_ANY_SLOT;
32 static uint64_t opt_size = 0;
33 static uint64_t opt_offset = 0;
34 static uint64_t opt_skip = 0;
35 static int opt_readonly = 0;
36 static int opt_iteration_time = 1000;
37 static int opt_batch_mode = 0;
38 static int opt_version_mode = 0;
39 static int opt_timeout = 0;
40 static int opt_tries = 3;
41 static int opt_align_payload = 0;
42 static int opt_random = 0;
43 static int opt_urandom = 0;
44 static int opt_dump_master_key = 0;
46 static const char **action_argv;
47 static int action_argc;
49 static int action_create(int arg);
50 static int action_remove(int arg);
51 static int action_resize(int arg);
52 static int action_status(int arg);
53 static int action_luksFormat(int arg);
54 static int action_luksOpen(int arg);
55 static int action_luksAddKey(int arg);
56 static int action_luksKillSlot(int arg);
57 static int action_luksRemoveKey(int arg);
58 static int action_luksChangeKey(int arg);
59 static int action_isLuks(int arg);
60 static int action_luksUUID(int arg);
61 static int action_luksDump(int arg);
62 static int action_luksSuspend(int arg);
63 static int action_luksResume(int arg);
64 static int action_luksBackup(int arg);
65 static int action_luksRestore(int arg);
66 static int action_loopaesOpen(int arg);
68 static struct action_type {
72 int required_action_argc;
77 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
78 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
79 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
80 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
81 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
82 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
83 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
84 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
85 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
86 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
87 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
88 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
89 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
90 { "luksDump", action_luksDump, 0, 1, 0, N_("<device>"), N_("dump LUKS partition information") },
91 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
92 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
93 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
94 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
95 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
96 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
97 { NULL, NULL, 0, 0, 0, NULL, NULL }
100 static void clogger(struct crypt_device *cd, int level, const char *file,
101 int line, const char *format, ...)
106 va_start(argp, format);
108 if (vasprintf(&target, format, argp) > 0) {
110 crypt_log(cd, level, target);
112 } else if (opt_debug)
113 printf("# %s:%d %s\n", file ?: "?", line, target);
115 } else if (opt_debug)
116 printf("# %s\n", target);
124 static int _yesDialog(const char *msg, void *usrptr)
130 if(isatty(0) && !opt_batch_mode) {
131 log_std("\nWARNING!\n========\n");
132 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
133 if(getline(&answer, &size, stdin) == -1) {
138 if(strcmp(answer, "YES\n"))
146 static void _log(int level, const char *msg, void *usrptr)
150 case CRYPT_LOG_NORMAL:
153 case CRYPT_LOG_VERBOSE:
157 case CRYPT_LOG_ERROR:
161 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
166 static void show_status(int errcode)
168 char error[256], *error_;
174 log_std(_("Command successful.\n"));
178 crypt_get_error(error, sizeof(error));
181 error_ = strerror_r(-errcode, error, sizeof(error));
182 if (error_ != error) {
183 strncpy(error, error_, sizeof(error));
184 error[sizeof(error) - 1] = '\0';
188 log_err(_("Command failed with code %i"), -errcode);
190 log_err(": %s\n", error);
195 static int action_create(int arg)
197 struct crypt_device *cd = NULL;
198 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
199 struct crypt_params_plain params = {
200 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
202 .offset = opt_offset,
204 char *password = NULL;
205 unsigned int passwordLen;
206 unsigned int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
209 if (params.hash && !strcmp(params.hash, "plain"))
212 /* FIXME: temporary hack */
213 if (opt_key_file && strcmp(opt_key_file, "-"))
216 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
217 cipher, NULL, cipher_mode);
219 log_err("No known cipher specification pattern detected.\n");
223 if ((r = crypt_init(&cd, action_argv[1])))
226 crypt_set_timeout(cd, opt_timeout);
227 crypt_set_password_retry(cd, opt_tries);
229 r = crypt_format(cd, CRYPT_PLAIN,
238 r = crypt_activate_by_keyfile(cd, action_argv[0],
239 CRYPT_ANY_SLOT, opt_key_file, key_size,
240 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
242 r = crypt_get_key(_("Enter passphrase: "),
243 &password, &passwordLen, 0, NULL,
245 opt_batch_mode ? 0 : opt_verify_passphrase,
250 r = crypt_activate_by_passphrase(cd, action_argv[0],
251 CRYPT_ANY_SLOT, password, passwordLen,
252 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
256 crypt_safe_free(password);
261 static int action_loopaesOpen(int arg)
263 struct crypt_device *cd = NULL;
264 struct crypt_params_loopaes params = {
265 .hash = opt_hash ?: NULL, // FIXME
266 .offset = opt_offset,
268 unsigned int key_size = (opt_key_size ?: 128) / 8;
272 log_err(_("Option --key-file is required.\n"));
276 if ((r = crypt_init(&cd, action_argv[0])))
279 r = crypt_format(cd, CRYPT_LOOPAES, NULL, NULL, NULL, NULL,
284 r = crypt_activate_by_keyfile(cd, action_argv[1],
285 CRYPT_ANY_SLOT, opt_key_file, 0,
286 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
293 static int action_remove(int arg)
295 struct crypt_device *cd = NULL;
298 r = crypt_init_by_name(&cd, action_argv[0]);
300 r = crypt_deactivate(cd, action_argv[0]);
306 static int action_resize(int arg)
308 struct crypt_device *cd = NULL;
311 r = crypt_init_by_name(&cd, action_argv[0]);
313 r = crypt_resize(cd, action_argv[0], opt_size);
319 static int action_status(int arg)
321 crypt_status_info ci;
322 struct crypt_active_device cad;
323 struct crypt_device *cd = NULL;
328 ci = crypt_status(NULL, action_argv[0]);
334 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
338 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
339 ci == CRYPT_BUSY ? " and is in use" : "");
340 r = crypt_init_by_name(&cd, action_argv[0]);
341 if (r < 0 || !crypt_get_type(cd))
344 log_std(" type: %s\n", crypt_get_type(cd));
346 r = crypt_get_active_device(cd, action_argv[0], &cad);
350 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
351 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
352 device = crypt_get_device_name(cd);
353 log_std(" device: %s\n", device);
354 if (crypt_loop_device(device)) {
355 backing_file = crypt_loop_backing_file(device);
356 log_std(" loop: %s\n", backing_file);
359 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
360 log_std(" size: %" PRIu64 " sectors\n", cad.size);
362 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
363 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
364 "readonly" : "read/write");
371 static int _read_mk(const char *file, char **key, int keysize)
375 *key = crypt_safe_alloc(keysize);
379 fd = open(file, O_RDONLY);
381 log_err("Cannot read keyfile %s.\n", file);
384 if ((read(fd, *key, keysize) != keysize)) {
385 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
392 crypt_safe_free(*key);
397 static int action_luksFormat(int arg)
399 int r = -EINVAL, keysize;
400 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
401 char *password = NULL;
402 unsigned int passwordLen;
403 struct crypt_device *cd = NULL;
404 struct crypt_params_luks1 params = {
405 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
406 .data_alignment = opt_align_payload,
409 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
410 log_err(_("memory allocation error in action_luksFormat"));
414 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
419 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
420 cipher, NULL, cipher_mode);
422 log_err("No known cipher specification pattern detected.\n");
426 if ((r = crypt_init(&cd, action_argv[0])))
429 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
431 crypt_set_password_verify(cd, 1);
432 crypt_set_timeout(cd, opt_timeout);
433 if (opt_iteration_time)
434 crypt_set_iterarion_time(cd, opt_iteration_time);
437 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
438 else if (opt_urandom)
439 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
441 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
442 opt_keyfile_size, opt_key_file, opt_timeout,
443 opt_batch_mode ? 0 : 1 /* always verify */, cd);
447 if (opt_master_key_file) {
448 r = _read_mk(opt_master_key_file, &key, keysize);
453 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
454 opt_uuid, key, keysize, ¶ms);
458 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
460 password, passwordLen);
463 crypt_safe_free(key);
464 crypt_safe_free(password);
469 static int action_luksOpen(int arg)
471 struct crypt_device *cd = NULL;
475 if ((r = crypt_init(&cd, action_argv[0])))
478 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
481 crypt_set_timeout(cd, opt_timeout);
482 crypt_set_password_retry(cd, opt_tries);
484 if (opt_iteration_time)
485 crypt_set_iterarion_time(cd, opt_iteration_time);
487 flags |= CRYPT_ACTIVATE_READONLY;
490 crypt_set_password_retry(cd, 1);
491 r = crypt_activate_by_keyfile(cd, action_argv[1],
492 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
495 r = crypt_activate_by_passphrase(cd, action_argv[1],
496 CRYPT_ANY_SLOT, NULL, 0, flags);
502 static int verify_keyslot(struct crypt_device *cd, int key_slot,
503 char *msg_last, char *msg_pass,
504 const char *key_file, int keyfile_size)
506 crypt_keyslot_info ki;
507 char *password = NULL;
508 unsigned int passwordLen, i;
511 ki = crypt_keyslot_status(cd, key_slot);
512 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
515 r = crypt_get_key(msg_pass, &password, &passwordLen,
516 keyfile_size, key_file, opt_timeout,
517 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
521 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
522 /* check the last keyslot */
523 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
524 password, passwordLen, 0);
526 /* try all other keyslots */
527 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
530 ki = crypt_keyslot_status(cd, key_slot);
531 if (ki == CRYPT_SLOT_ACTIVE)
532 r = crypt_activate_by_passphrase(cd, NULL, i,
533 password, passwordLen, 0);
540 log_err(_("No key available with this passphrase.\n"));
542 crypt_safe_free(password);
546 static int action_luksKillSlot(int arg)
548 struct crypt_device *cd = NULL;
551 if ((r = crypt_init(&cd, action_argv[0])))
554 crypt_set_confirm_callback(cd, _yesDialog, NULL);
555 crypt_set_timeout(cd, opt_timeout);
557 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
560 switch (crypt_keyslot_status(cd, opt_key_slot)) {
561 case CRYPT_SLOT_ACTIVE_LAST:
562 case CRYPT_SLOT_ACTIVE:
563 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
565 case CRYPT_SLOT_INACTIVE:
566 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
567 case CRYPT_SLOT_INVALID:
571 if (!opt_batch_mode) {
572 r = verify_keyslot(cd, opt_key_slot,
573 _("This is the last keyslot. Device will become unusable after purging this key."),
574 _("Enter any remaining LUKS passphrase: "),
575 opt_key_file, opt_keyfile_size);
580 r = crypt_keyslot_destroy(cd, opt_key_slot);
586 static int action_luksRemoveKey(int arg)
588 struct crypt_device *cd = NULL;
589 char *password = NULL;
590 unsigned int passwordLen;
593 if ((r = crypt_init(&cd, action_argv[0])))
596 crypt_set_confirm_callback(cd, _yesDialog, NULL);
597 crypt_set_timeout(cd, opt_timeout);
599 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
602 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
603 &password, &passwordLen,
604 opt_keyfile_size, opt_key_file,
606 opt_batch_mode ? 0 : opt_verify_passphrase,
611 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
612 password, passwordLen, 0);
617 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
619 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
620 !_yesDialog(_("This is the last keyslot. "
621 "Device will become unusable after purging this key."),
627 r = crypt_keyslot_destroy(cd, opt_key_slot);
629 crypt_safe_free(password);
634 static int action_luksAddKey(int arg)
636 int r = -EINVAL, keysize = 0;
638 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
639 struct crypt_device *cd = NULL;
641 if ((r = crypt_init(&cd, action_argv[0])))
644 crypt_set_confirm_callback(cd, _yesDialog, NULL);
646 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
649 keysize = crypt_get_volume_key_size(cd);
650 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
651 crypt_set_timeout(cd, opt_timeout);
652 if (opt_iteration_time)
653 crypt_set_iterarion_time(cd, opt_iteration_time);
655 if (opt_master_key_file) {
656 r = _read_mk(opt_master_key_file, &key, keysize);
659 //FIXME: process keyfile arg
660 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
661 key, keysize, NULL, 0);
662 } else if (opt_key_file || opt_new_key_file) {
663 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
664 opt_key_file, opt_keyfile_size,
665 opt_new_key_file, opt_new_keyfile_size);
667 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
672 crypt_safe_free(key);
676 static int _slots_full(struct crypt_device *cd)
680 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
681 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
686 static int action_luksChangeKey(int arg)
688 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
689 struct crypt_device *cd = NULL;
690 char *vk = NULL, *password = NULL;
691 unsigned int passwordLen = 0;
693 int new_key_slot, old_key_slot, r;
695 if ((r = crypt_init(&cd, action_argv[0])))
698 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
701 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
702 &password, &passwordLen,
703 opt_keyfile_size, opt_key_file, opt_timeout,
704 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
708 vk_size = crypt_get_volume_key_size(cd);
709 vk = crypt_safe_alloc(vk_size);
715 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
716 password, passwordLen);
718 if (opt_key_slot != CRYPT_ANY_SLOT)
719 log_err(_("No key available with this passphrase.\n"));
723 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
724 log_dbg("Key slot %d is going to be overwritten (%s).",
725 r, opt_key_slot != CRYPT_ANY_SLOT ?
726 "explicit key slot specified" : "no free key slot");
730 log_dbg("Allocating new key slot.");
732 new_key_slot = CRYPT_ANY_SLOT;
735 crypt_safe_free(password);
738 r = crypt_get_key(_("Enter new LUKS passphrase: "),
739 &password, &passwordLen,
740 opt_new_keyfile_size, opt_new_key_file,
741 opt_timeout, opt_batch_mode ? 0 : 1, cd);
745 if (new_key_slot == old_key_slot) {
746 (void)crypt_keyslot_destroy(cd, old_key_slot);
747 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
749 password, passwordLen);
751 log_verbose(_("Key slot %d changed.\n"), r);
753 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
755 password, passwordLen);
757 log_verbose(_("Replaced with key slot %d.\n"), r);
758 r = crypt_keyslot_destroy(cd, old_key_slot);
762 log_err(_("Failed to swap new key slot.\n"));
765 crypt_safe_free(password);
770 static int action_isLuks(int arg)
772 struct crypt_device *cd = NULL;
775 if ((r = crypt_init(&cd, action_argv[0])))
778 r = crypt_load(cd, CRYPT_LUKS1, NULL);
784 static int action_luksUUID(int arg)
786 struct crypt_device *cd = NULL;
787 const char *existing_uuid = NULL;
790 if ((r = crypt_init(&cd, action_argv[0])))
793 crypt_set_confirm_callback(cd, _yesDialog, NULL);
795 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
799 r = crypt_set_uuid(cd, opt_uuid);
801 existing_uuid = crypt_get_uuid(cd);
802 log_std("%s\n", existing_uuid ?: "");
803 r = existing_uuid ? 0 : 1;
810 static int luksDump_with_volume_key(struct crypt_device *cd)
812 char *vk = NULL, *password = NULL;
813 unsigned int passwordLen = 0;
817 crypt_set_confirm_callback(cd, _yesDialog, NULL);
819 _("LUKS header dump with volume key is sensitive information\n"
820 "which allows access to encrypted partition without passphrase.\n"
821 "This dump should be always stored encrypted on safe place."),
825 vk_size = crypt_get_volume_key_size(cd);
826 vk = crypt_safe_alloc(vk_size);
830 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
831 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
835 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
836 password, passwordLen);
840 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
841 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
842 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
843 log_std("Payload offset:\t%d\n", crypt_get_data_offset(cd));
844 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
845 log_std("MK bits: \t%d\n", vk_size * 8);
846 log_std("MK dump:\t");
848 for(i = 0; i < vk_size; i++) {
851 log_std("%02hhx ", (char)vk[i]);
856 crypt_safe_free(password);
861 static int action_luksDump(int arg)
863 struct crypt_device *cd = NULL;
866 if ((r = crypt_init(&cd, action_argv[0])))
869 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
872 if (opt_dump_master_key)
873 r = luksDump_with_volume_key(cd);
881 static int action_luksSuspend(int arg)
883 struct crypt_device *cd = NULL;
886 r = crypt_init_by_name(&cd, action_argv[0]);
888 r = crypt_suspend(cd, action_argv[0]);
894 static int action_luksResume(int arg)
896 struct crypt_device *cd = NULL;
899 if ((r = crypt_init_by_name(&cd, action_argv[0])))
902 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
906 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
907 opt_key_file, opt_keyfile_size);
909 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
916 static int action_luksBackup(int arg)
918 struct crypt_device *cd = NULL;
921 if (!opt_header_backup_file) {
922 log_err(_("Option --header-backup-file is required.\n"));
926 if ((r = crypt_init(&cd, action_argv[0])))
929 crypt_set_confirm_callback(cd, _yesDialog, NULL);
931 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
937 static int action_luksRestore(int arg)
939 struct crypt_device *cd = NULL;
942 if (!opt_header_backup_file) {
943 log_err(_("Option --header-backup-file is required.\n"));
947 if ((r = crypt_init(&cd, action_argv[0])))
950 crypt_set_confirm_callback(cd, _yesDialog, NULL);
951 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
957 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
958 int exitcode, const char *error,
961 poptPrintUsage(popt_context, stderr, 0);
963 log_err("%s: %s\n", more, error);
967 static void help(poptContext popt_context, enum poptCallbackReason reason,
968 struct poptOption *key, const char * arg, void *data)
970 if (key->shortName == '?') {
971 struct action_type *action;
973 log_std("%s\n",PACKAGE_STRING);
975 poptPrintHelp(popt_context, stdout, 0);
978 "<action> is one of:\n"));
980 for(action = action_types; action->type; action++)
981 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
984 "<name> is the device to create under %s\n"
985 "<device> is the encrypted device\n"
986 "<key slot> is the LUKS key slot number to modify\n"
987 "<key file> optional key file for the new key for luksAddKey action\n"),
990 log_std(_("\nDefault compiled-in device cipher parameters:\n"
991 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
992 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
993 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
994 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
998 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1001 static void _dbg_version_and_cmd(int argc, char **argv)
1005 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1006 for (i = 0; i < argc; i++) {
1014 static int run_action(struct action_type *action)
1018 log_dbg("Running command %s.", action->type);
1020 if (action->required_memlock)
1021 crypt_memory_lock(NULL, 1);
1023 r = action->handler(action->arg);
1025 if (action->required_memlock)
1026 crypt_memory_lock(NULL, 0);
1028 /* Some functions returns keyslot # */
1034 /* Translate exit code to simple codes */
1036 case 0: r = EXIT_SUCCESS; break;
1038 case -EBUSY: r = 5; break;
1040 case -ENODEV: r = 4; break;
1041 case -ENOMEM: r = 3; break;
1042 case -EPERM: r = 2; break;
1046 default: r = EXIT_FAILURE;
1051 int main(int argc, char **argv)
1053 static char *popt_tmp;
1054 static struct poptOption popt_help_options[] = {
1055 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1056 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1057 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1060 static struct poptOption popt_options[] = {
1061 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1062 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1063 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1064 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1065 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1066 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1067 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1068 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1069 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1070 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1071 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1072 { "keyfile-size", 'l', POPT_ARG_INT, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1073 { "new-keyfile-size", '\0', POPT_ARG_INT, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1074 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1075 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1076 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1077 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1078 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1079 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1080 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1081 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1082 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1083 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1084 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1085 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1086 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1087 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1090 poptContext popt_context;
1091 struct action_type *action;
1094 const char *null_action_argv[] = {NULL};
1096 crypt_set_log_callback(NULL, _log, NULL);
1098 setlocale(LC_ALL, "");
1099 bindtextdomain(PACKAGE, LOCALEDIR);
1100 textdomain(PACKAGE);
1102 popt_context = poptGetContext(PACKAGE, argc, (const char **)argv,
1104 poptSetOtherOptionHelp(popt_context,
1105 N_("[OPTION...] <action> <action-specific>]"));
1107 while((r = poptGetNextOpt(popt_context)) > 0) {
1108 unsigned long long ull_value;
1111 ull_value = strtoull(popt_tmp, &endp, 0);
1112 if (*endp || !*popt_tmp)
1113 r = POPT_ERROR_BADNUMBER;
1117 opt_size = ull_value;
1120 opt_offset = ull_value;
1123 opt_skip = ull_value;
1132 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1133 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1134 if (opt_version_mode) {
1135 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1139 if (!(aname = (char *)poptGetArg(popt_context)))
1140 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1141 poptGetInvocationName(popt_context));
1142 for(action = action_types; action->type; action++)
1143 if (strcmp(action->type, aname) == 0)
1146 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1147 poptGetInvocationName(popt_context));
1150 action_argv = poptGetArgs(popt_context);
1151 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1153 action_argv = null_action_argv;
1155 /* Count args, somewhat unnice, change? */
1156 while(action_argv[action_argc] != NULL)
1159 if(action_argc < action->required_action_argc) {
1161 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1162 usage(popt_context, EXIT_FAILURE, buf,
1163 poptGetInvocationName(popt_context));
1166 /* FIXME: rewrite this from scratch */
1169 strcmp(aname, "luksFormat") &&
1170 strcmp(aname, "create") &&
1171 strcmp(aname, "loopaesOpen")) {
1172 usage(popt_context, EXIT_FAILURE,
1173 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1174 "To limit read from keyfile use --keyfile-size=(bytes)."),
1175 poptGetInvocationName(popt_context));
1178 if (opt_key_size % 8)
1179 usage(popt_context, EXIT_FAILURE,
1180 _("Key size must be a multiple of 8 bits"),
1181 poptGetInvocationName(popt_context));
1183 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1184 opt_key_slot = atoi(action_argv[1]);
1185 if (opt_key_slot != CRYPT_ANY_SLOT &&
1186 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1187 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1188 poptGetInvocationName(popt_context));
1190 if ((!strcmp(aname, "luksRemoveKey") ||
1191 !strcmp(aname, "luksFormat")) &&
1194 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1196 opt_key_file = (char*)action_argv[1];
1199 if (opt_random && opt_urandom)
1200 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1201 poptGetInvocationName(popt_context));
1202 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1203 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1204 poptGetInvocationName(popt_context));
1206 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1207 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1208 poptGetInvocationName(popt_context));
1210 if ((opt_offset || opt_skip) && strcmp(aname, "create"))
1211 usage(popt_context, EXIT_FAILURE, _("Options --offset and --skip are supported only for create command.\n"),
1212 poptGetInvocationName(popt_context));
1216 crypt_set_debug_level(-1);
1217 _dbg_version_and_cmd(argc, argv);
1220 return run_action(action);