2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
32 #include <libcryptsetup.h>
35 #include "cryptsetup.h"
37 static int opt_verbose = 0;
38 static int opt_debug = 0;
39 static const char *opt_cipher = NULL;
40 static const char *opt_hash = NULL;
41 static int opt_verify_passphrase = 0;
42 static const char *opt_key_file = NULL;
43 static const char *opt_master_key_file = NULL;
44 static const char *opt_header_backup_file = NULL;
45 static const char *opt_uuid = NULL;
46 static int opt_key_size = 0;
47 static long opt_keyfile_size = 0;
48 static long opt_new_keyfile_size = 0;
49 static int opt_key_slot = CRYPT_ANY_SLOT;
50 static uint64_t opt_size = 0;
51 static uint64_t opt_offset = 0;
52 static uint64_t opt_skip = 0;
53 static int opt_skip_valid = 0;
54 static int opt_readonly = 0;
55 static int opt_iteration_time = 1000;
56 static int opt_batch_mode = 0;
57 static int opt_version_mode = 0;
58 static int opt_timeout = 0;
59 static int opt_tries = 3;
60 static int opt_align_payload = 0;
61 static int opt_random = 0;
62 static int opt_urandom = 0;
63 static int opt_dump_master_key = 0;
64 static int opt_shared = 0;
65 static int opt_allow_discards = 0;
67 static const char **action_argv;
68 static int action_argc;
70 static int action_create(int arg);
71 static int action_remove(int arg);
72 static int action_resize(int arg);
73 static int action_status(int arg);
74 static int action_luksFormat(int arg);
75 static int action_luksOpen(int arg);
76 static int action_luksAddKey(int arg);
77 static int action_luksKillSlot(int arg);
78 static int action_luksRemoveKey(int arg);
79 static int action_luksChangeKey(int arg);
80 static int action_isLuks(int arg);
81 static int action_luksUUID(int arg);
82 static int action_luksDump(int arg);
83 static int action_luksSuspend(int arg);
84 static int action_luksResume(int arg);
85 static int action_luksBackup(int arg);
86 static int action_luksRestore(int arg);
87 static int action_loopaesOpen(int arg);
89 static struct action_type {
93 int required_action_argc;
98 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
99 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
100 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
101 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
102 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
103 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
104 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
105 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
106 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
107 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
108 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
109 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
110 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
111 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
112 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
113 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
114 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
115 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
116 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
117 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
118 { NULL, NULL, 0, 0, 0, NULL, NULL }
121 __attribute__((format(printf, 5, 6)))
122 static void clogger(struct crypt_device *cd, int level, const char *file,
123 int line, const char *format, ...)
128 va_start(argp, format);
130 if (vasprintf(&target, format, argp) > 0) {
132 crypt_log(cd, level, target);
134 } else if (opt_debug)
135 printf("# %s:%d %s\n", file ?: "?", line, target);
137 } else if (opt_debug)
138 printf("# %s\n", target);
146 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
152 if(isatty(0) && !opt_batch_mode) {
153 log_std("\nWARNING!\n========\n");
154 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
155 if(getline(&answer, &size, stdin) == -1) {
160 if(strcmp(answer, "YES\n"))
168 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
172 case CRYPT_LOG_NORMAL:
175 case CRYPT_LOG_VERBOSE:
179 case CRYPT_LOG_ERROR:
182 case CRYPT_LOG_DEBUG:
184 printf("# %s\n", msg);
187 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
192 static void show_status(int errcode)
194 char error[256], *error_;
200 log_std(_("Command successful.\n"));
204 crypt_get_error(error, sizeof(error));
207 error_ = strerror_r(-errcode, error, sizeof(error));
208 if (error_ != error) {
209 strncpy(error, error_, sizeof(error));
210 error[sizeof(error) - 1] = '\0';
214 log_err(_("Command failed with code %i"), -errcode);
216 log_err(": %s\n", error);
221 static int action_create(int arg __attribute__((unused)))
223 struct crypt_device *cd = NULL;
224 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
225 struct crypt_params_plain params = {
226 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
228 .offset = opt_offset,
231 char *password = NULL;
233 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
234 uint32_t activate_flags = 0;
237 if (params.hash && !strcmp(params.hash, "plain"))
240 /* FIXME: temporary hack */
241 if (opt_key_file && strcmp(opt_key_file, "-"))
244 if (opt_keyfile_size && opt_key_file)
245 log_std(("Ignoring keyfile size option, keyfile read size "
246 "is always the same as encryption key size.\n"));
248 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
249 cipher, NULL, cipher_mode);
251 log_err("No known cipher specification pattern detected.\n");
255 if ((r = crypt_init(&cd, action_argv[1])))
258 crypt_set_timeout(cd, opt_timeout);
259 crypt_set_password_retry(cd, opt_tries);
261 r = crypt_format(cd, CRYPT_PLAIN,
270 activate_flags |= CRYPT_ACTIVATE_READONLY;
273 activate_flags |= CRYPT_ACTIVATE_SHARED;
275 if (opt_allow_discards)
276 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
279 /* With hashing, read the whole keyfile */
280 r = crypt_activate_by_keyfile(cd, action_argv[0],
281 CRYPT_ANY_SLOT, opt_key_file, params.hash ? 0 : key_size,
284 r = crypt_get_key(_("Enter passphrase: "),
285 &password, &passwordLen, opt_keyfile_size,
287 opt_batch_mode ? 0 : opt_verify_passphrase,
292 r = crypt_activate_by_passphrase(cd, action_argv[0],
293 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
297 crypt_safe_free(password);
302 static int action_loopaesOpen(int arg __attribute__((unused)))
304 struct crypt_device *cd = NULL;
305 struct crypt_params_loopaes params = {
306 .hash = opt_hash ?: NULL,
307 .offset = opt_offset,
308 .skip = opt_skip_valid ? opt_skip : opt_offset,
310 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
311 uint32_t activate_flags = 0;
315 log_err(_("Option --key-file is required.\n"));
320 activate_flags |= CRYPT_ACTIVATE_READONLY;
322 if (opt_allow_discards)
323 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
325 if ((r = crypt_init(&cd, action_argv[0])))
328 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
329 NULL, NULL, NULL, key_size, ¶ms);
333 r = crypt_activate_by_keyfile(cd, action_argv[1], CRYPT_ANY_SLOT,
334 opt_key_file, opt_keyfile_size, activate_flags);
341 static int action_remove(int arg __attribute__((unused)))
343 struct crypt_device *cd = NULL;
346 r = crypt_init_by_name(&cd, action_argv[0]);
348 r = crypt_deactivate(cd, action_argv[0]);
354 static int action_resize(int arg __attribute__((unused)))
356 struct crypt_device *cd = NULL;
359 r = crypt_init_by_name(&cd, action_argv[0]);
361 r = crypt_resize(cd, action_argv[0], opt_size);
367 static int action_status(int arg __attribute__((unused)))
369 crypt_status_info ci;
370 struct crypt_active_device cad;
371 struct crypt_device *cd = NULL;
376 ci = crypt_status(NULL, action_argv[0]);
382 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
387 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
388 ci == CRYPT_BUSY ? " and is in use" : "");
389 r = crypt_init_by_name(&cd, action_argv[0]);
390 if (r < 0 || !crypt_get_type(cd))
393 log_std(" type: %s\n", crypt_get_type(cd));
395 r = crypt_get_active_device(cd, action_argv[0], &cad);
399 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
400 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
401 device = crypt_get_device_name(cd);
402 log_std(" device: %s\n", device);
403 if (crypt_loop_device(device)) {
404 backing_file = crypt_loop_backing_file(device);
405 log_std(" loop: %s\n", backing_file);
408 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
409 log_std(" size: %" PRIu64 " sectors\n", cad.size);
411 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
412 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
413 "readonly" : "read/write");
414 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
415 log_std(" flags: discards\n");
422 static int _read_mk(const char *file, char **key, int keysize)
426 *key = crypt_safe_alloc(keysize);
430 fd = open(file, O_RDONLY);
432 log_err("Cannot read keyfile %s.\n", file);
435 if ((read(fd, *key, keysize) != keysize)) {
436 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
443 crypt_safe_free(*key);
448 static int action_luksFormat(int arg __attribute__((unused)))
450 int r = -EINVAL, keysize;
451 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
452 char *password = NULL;
454 struct crypt_device *cd = NULL;
455 struct crypt_params_luks1 params = {
456 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
457 .data_alignment = opt_align_payload,
460 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
461 log_err(_("memory allocation error in action_luksFormat"));
465 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
470 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
471 cipher, NULL, cipher_mode);
473 log_err("No known cipher specification pattern detected.\n");
477 if ((r = crypt_init(&cd, action_argv[0])))
480 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
482 crypt_set_password_verify(cd, 1);
483 crypt_set_timeout(cd, opt_timeout);
484 if (opt_iteration_time)
485 crypt_set_iterarion_time(cd, opt_iteration_time);
488 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
489 else if (opt_urandom)
490 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
492 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
493 opt_keyfile_size, opt_key_file, opt_timeout,
494 opt_batch_mode ? 0 : 1 /* always verify */, cd);
498 if (opt_master_key_file) {
499 r = _read_mk(opt_master_key_file, &key, keysize);
504 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
505 opt_uuid, key, keysize, ¶ms);
509 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
511 password, passwordLen);
514 crypt_safe_free(key);
515 crypt_safe_free(password);
520 static int action_luksOpen(int arg __attribute__((unused)))
522 struct crypt_device *cd = NULL;
526 if ((r = crypt_init(&cd, action_argv[0])))
529 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
532 crypt_set_timeout(cd, opt_timeout);
533 crypt_set_password_retry(cd, opt_tries);
535 if (opt_iteration_time)
536 crypt_set_iterarion_time(cd, opt_iteration_time);
539 flags |= CRYPT_ACTIVATE_READONLY;
541 if (opt_allow_discards)
542 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
545 crypt_set_password_retry(cd, 1);
546 r = crypt_activate_by_keyfile(cd, action_argv[1],
547 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
550 r = crypt_activate_by_passphrase(cd, action_argv[1],
551 CRYPT_ANY_SLOT, NULL, 0, flags);
557 static int verify_keyslot(struct crypt_device *cd, int key_slot,
558 char *msg_last, char *msg_pass,
559 const char *key_file, int keyfile_size)
561 crypt_keyslot_info ki;
562 char *password = NULL;
566 ki = crypt_keyslot_status(cd, key_slot);
567 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
570 r = crypt_get_key(msg_pass, &password, &passwordLen,
571 keyfile_size, key_file, opt_timeout,
572 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
576 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
577 /* check the last keyslot */
578 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
579 password, passwordLen, 0);
581 /* try all other keyslots */
582 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
585 ki = crypt_keyslot_status(cd, key_slot);
586 if (ki == CRYPT_SLOT_ACTIVE)
587 r = crypt_activate_by_passphrase(cd, NULL, i,
588 password, passwordLen, 0);
595 log_err(_("No key available with this passphrase.\n"));
597 crypt_safe_free(password);
601 static int action_luksKillSlot(int arg __attribute__((unused)))
603 struct crypt_device *cd = NULL;
606 if ((r = crypt_init(&cd, action_argv[0])))
609 crypt_set_confirm_callback(cd, _yesDialog, NULL);
610 crypt_set_timeout(cd, opt_timeout);
612 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
615 switch (crypt_keyslot_status(cd, opt_key_slot)) {
616 case CRYPT_SLOT_ACTIVE_LAST:
617 case CRYPT_SLOT_ACTIVE:
618 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
620 case CRYPT_SLOT_INACTIVE:
621 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
622 case CRYPT_SLOT_INVALID:
626 if (!opt_batch_mode) {
627 r = verify_keyslot(cd, opt_key_slot,
628 _("This is the last keyslot. Device will become unusable after purging this key."),
629 _("Enter any remaining LUKS passphrase: "),
630 opt_key_file, opt_keyfile_size);
635 r = crypt_keyslot_destroy(cd, opt_key_slot);
641 static int action_luksRemoveKey(int arg __attribute__((unused)))
643 struct crypt_device *cd = NULL;
644 char *password = NULL;
648 if ((r = crypt_init(&cd, action_argv[0])))
651 crypt_set_confirm_callback(cd, _yesDialog, NULL);
652 crypt_set_timeout(cd, opt_timeout);
654 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
657 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
658 &password, &passwordLen,
659 opt_keyfile_size, opt_key_file,
661 opt_batch_mode ? 0 : opt_verify_passphrase,
666 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
667 password, passwordLen, 0);
672 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
674 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
675 !_yesDialog(_("This is the last keyslot. "
676 "Device will become unusable after purging this key."),
682 r = crypt_keyslot_destroy(cd, opt_key_slot);
684 crypt_safe_free(password);
689 static int action_luksAddKey(int arg __attribute__((unused)))
691 int r = -EINVAL, keysize = 0;
693 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
694 struct crypt_device *cd = NULL;
696 if ((r = crypt_init(&cd, action_argv[0])))
699 crypt_set_confirm_callback(cd, _yesDialog, NULL);
701 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
704 keysize = crypt_get_volume_key_size(cd);
705 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
706 crypt_set_timeout(cd, opt_timeout);
707 if (opt_iteration_time)
708 crypt_set_iterarion_time(cd, opt_iteration_time);
710 if (opt_master_key_file) {
711 r = _read_mk(opt_master_key_file, &key, keysize);
714 //FIXME: process keyfile arg
715 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
716 key, keysize, NULL, 0);
717 } else if (opt_key_file || opt_new_key_file) {
718 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
719 opt_key_file, opt_keyfile_size,
720 opt_new_key_file, opt_new_keyfile_size);
722 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
727 crypt_safe_free(key);
731 static int _slots_full(struct crypt_device *cd)
735 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
736 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
741 static int action_luksChangeKey(int arg __attribute__((unused)))
743 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
744 struct crypt_device *cd = NULL;
745 char *vk = NULL, *password = NULL;
746 size_t passwordLen = 0;
748 int new_key_slot, old_key_slot, r;
750 if ((r = crypt_init(&cd, action_argv[0])))
753 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
756 if (opt_iteration_time)
757 crypt_set_iterarion_time(cd, opt_iteration_time);
759 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
760 &password, &passwordLen,
761 opt_keyfile_size, opt_key_file, opt_timeout,
762 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
766 vk_size = crypt_get_volume_key_size(cd);
767 vk = crypt_safe_alloc(vk_size);
773 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
774 password, passwordLen);
776 if (opt_key_slot != CRYPT_ANY_SLOT)
777 log_err(_("No key available with this passphrase.\n"));
781 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
782 log_dbg("Key slot %d is going to be overwritten (%s).",
783 r, opt_key_slot != CRYPT_ANY_SLOT ?
784 "explicit key slot specified" : "no free key slot");
788 log_dbg("Allocating new key slot.");
790 new_key_slot = CRYPT_ANY_SLOT;
793 crypt_safe_free(password);
796 r = crypt_get_key(_("Enter new LUKS passphrase: "),
797 &password, &passwordLen,
798 opt_new_keyfile_size, opt_new_key_file,
799 opt_timeout, opt_batch_mode ? 0 : 1, cd);
803 if (new_key_slot == old_key_slot) {
804 (void)crypt_keyslot_destroy(cd, old_key_slot);
805 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
807 password, passwordLen);
809 log_verbose(_("Key slot %d changed.\n"), r);
811 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
813 password, passwordLen);
815 log_verbose(_("Replaced with key slot %d.\n"), r);
816 r = crypt_keyslot_destroy(cd, old_key_slot);
820 log_err(_("Failed to swap new key slot.\n"));
823 crypt_safe_free(password);
828 static int action_isLuks(int arg __attribute__((unused)))
830 struct crypt_device *cd = NULL;
833 if ((r = crypt_init(&cd, action_argv[0])))
836 r = crypt_load(cd, CRYPT_LUKS1, NULL);
842 static int action_luksUUID(int arg __attribute__((unused)))
844 struct crypt_device *cd = NULL;
845 const char *existing_uuid = NULL;
848 if ((r = crypt_init(&cd, action_argv[0])))
851 crypt_set_confirm_callback(cd, _yesDialog, NULL);
853 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
857 r = crypt_set_uuid(cd, opt_uuid);
859 existing_uuid = crypt_get_uuid(cd);
860 log_std("%s\n", existing_uuid ?: "");
861 r = existing_uuid ? 0 : 1;
868 static int luksDump_with_volume_key(struct crypt_device *cd)
870 char *vk = NULL, *password = NULL;
871 size_t passwordLen = 0;
876 crypt_set_confirm_callback(cd, _yesDialog, NULL);
878 _("LUKS header dump with volume key is sensitive information\n"
879 "which allows access to encrypted partition without passphrase.\n"
880 "This dump should be always stored encrypted on safe place."),
884 vk_size = crypt_get_volume_key_size(cd);
885 vk = crypt_safe_alloc(vk_size);
889 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
890 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
894 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
895 password, passwordLen);
899 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
900 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
901 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
902 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
903 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
904 log_std("MK bits: \t%d\n", (int)vk_size * 8);
905 log_std("MK dump:\t");
907 for(i = 0; i < vk_size; i++) {
910 log_std("%02hhx ", (char)vk[i]);
915 crypt_safe_free(password);
920 static int action_luksDump(int arg __attribute__((unused)))
922 struct crypt_device *cd = NULL;
925 if ((r = crypt_init(&cd, action_argv[0])))
928 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
931 if (opt_dump_master_key)
932 r = luksDump_with_volume_key(cd);
940 static int action_luksSuspend(int arg __attribute__((unused)))
942 struct crypt_device *cd = NULL;
945 r = crypt_init_by_name(&cd, action_argv[0]);
947 r = crypt_suspend(cd, action_argv[0]);
953 static int action_luksResume(int arg __attribute__((unused)))
955 struct crypt_device *cd = NULL;
958 if ((r = crypt_init_by_name(&cd, action_argv[0])))
961 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
965 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
966 opt_key_file, opt_keyfile_size);
968 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
975 static int action_luksBackup(int arg __attribute__((unused)))
977 struct crypt_device *cd = NULL;
980 if (!opt_header_backup_file) {
981 log_err(_("Option --header-backup-file is required.\n"));
985 if ((r = crypt_init(&cd, action_argv[0])))
988 crypt_set_confirm_callback(cd, _yesDialog, NULL);
990 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
996 static int action_luksRestore(int arg __attribute__((unused)))
998 struct crypt_device *cd = NULL;
1001 if (!opt_header_backup_file) {
1002 log_err(_("Option --header-backup-file is required.\n"));
1006 if ((r = crypt_init(&cd, action_argv[0])))
1009 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1010 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1016 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1017 int exitcode, const char *error,
1020 poptPrintUsage(popt_context, stderr, 0);
1022 log_err("%s: %s\n", more, error);
1026 static void help(poptContext popt_context,
1027 enum poptCallbackReason reason __attribute__((unused)),
1028 struct poptOption *key,
1029 const char *arg __attribute__((unused)),
1030 void *data __attribute__((unused)))
1032 if (key->shortName == '?') {
1033 struct action_type *action;
1035 log_std("%s\n",PACKAGE_STRING);
1037 poptPrintHelp(popt_context, stdout, 0);
1040 "<action> is one of:\n"));
1042 for(action = action_types; action->type; action++)
1043 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1046 "<name> is the device to create under %s\n"
1047 "<device> is the encrypted device\n"
1048 "<key slot> is the LUKS key slot number to modify\n"
1049 "<key file> optional key file for the new key for luksAddKey action\n"),
1052 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1053 "\tMaximum keyfile size: %dkB, "
1054 "Maximum interactive passphrase length %d (characters)\n"),
1055 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1057 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1058 "\tloop-AES: %s, Key %d bits\n"
1059 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1060 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1061 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1062 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1063 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1067 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1070 static void _dbg_version_and_cmd(int argc, const char **argv)
1074 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1075 for (i = 0; i < argc; i++) {
1078 log_std("%s", argv[i]);
1083 static int run_action(struct action_type *action)
1087 log_dbg("Running command %s.", action->type);
1089 if (action->required_memlock)
1090 crypt_memory_lock(NULL, 1);
1092 r = action->handler(action->arg);
1094 if (action->required_memlock)
1095 crypt_memory_lock(NULL, 0);
1097 /* Some functions returns keyslot # */
1103 /* Translate exit code to simple codes */
1105 case 0: r = EXIT_SUCCESS; break;
1107 case -EBUSY: r = 5; break;
1109 case -ENODEV: r = 4; break;
1110 case -ENOMEM: r = 3; break;
1111 case -EPERM: r = 2; break;
1115 default: r = EXIT_FAILURE;
1120 int main(int argc, const char **argv)
1122 static char *popt_tmp;
1123 static struct poptOption popt_help_options[] = {
1124 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1125 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1126 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1129 static struct poptOption popt_options[] = {
1130 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1131 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1132 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1133 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1134 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1135 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1136 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1137 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1138 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1139 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1140 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1141 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1142 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1143 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1144 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1145 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1146 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1147 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1148 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1149 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1150 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1151 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1152 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1153 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1154 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1155 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1156 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1157 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1158 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1161 poptContext popt_context;
1162 struct action_type *action;
1165 const char *null_action_argv[] = {NULL};
1167 crypt_set_log_callback(NULL, _log, NULL);
1169 setlocale(LC_ALL, "");
1170 bindtextdomain(PACKAGE, LOCALEDIR);
1171 textdomain(PACKAGE);
1173 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1174 poptSetOtherOptionHelp(popt_context,
1175 N_("[OPTION...] <action> <action-specific>]"));
1177 while((r = poptGetNextOpt(popt_context)) > 0) {
1178 unsigned long long ull_value;
1181 ull_value = strtoull(popt_tmp, &endp, 0);
1182 if (*endp || !*popt_tmp)
1183 r = POPT_ERROR_BADNUMBER;
1187 opt_size = ull_value;
1190 opt_offset = ull_value;
1193 opt_skip = ull_value;
1203 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1204 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1205 if (opt_version_mode) {
1206 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1210 if (!(aname = poptGetArg(popt_context)))
1211 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1212 poptGetInvocationName(popt_context));
1213 for(action = action_types; action->type; action++)
1214 if (strcmp(action->type, aname) == 0)
1217 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1218 poptGetInvocationName(popt_context));
1221 action_argv = poptGetArgs(popt_context);
1222 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1224 action_argv = null_action_argv;
1226 /* Count args, somewhat unnice, change? */
1227 while(action_argv[action_argc] != NULL)
1230 if(action_argc < action->required_action_argc) {
1232 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1233 usage(popt_context, EXIT_FAILURE, buf,
1234 poptGetInvocationName(popt_context));
1237 /* FIXME: rewrite this from scratch */
1239 if (opt_shared && strcmp(aname, "create")) {
1240 usage(popt_context, EXIT_FAILURE,
1241 _("Option --shared is allowed only for create operation.\n"),
1242 poptGetInvocationName(popt_context));
1245 if (opt_allow_discards &&
1246 strcmp(aname, "luksOpen") &&
1247 strcmp(aname, "create") &&
1248 strcmp(aname, "loopaesOpen")) {
1249 usage(popt_context, EXIT_FAILURE,
1250 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1251 poptGetInvocationName(popt_context));
1255 strcmp(aname, "luksFormat") &&
1256 strcmp(aname, "create") &&
1257 strcmp(aname, "loopaesOpen")) {
1258 usage(popt_context, EXIT_FAILURE,
1259 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1260 "To limit read from keyfile use --keyfile-size=(bytes)."),
1261 poptGetInvocationName(popt_context));
1264 if (opt_key_size % 8)
1265 usage(popt_context, EXIT_FAILURE,
1266 _("Key size must be a multiple of 8 bits"),
1267 poptGetInvocationName(popt_context));
1269 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1270 opt_key_slot = atoi(action_argv[1]);
1271 if (opt_key_slot != CRYPT_ANY_SLOT &&
1272 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1273 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1274 poptGetInvocationName(popt_context));
1276 if ((!strcmp(aname, "luksRemoveKey") ||
1277 !strcmp(aname, "luksFormat")) &&
1280 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1282 opt_key_file = action_argv[1];
1285 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1286 usage(popt_context, EXIT_FAILURE,
1287 _("Negative number for option not permitted."),
1288 poptGetInvocationName(popt_context));
1291 if (opt_random && opt_urandom)
1292 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1293 poptGetInvocationName(popt_context));
1294 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1295 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1296 poptGetInvocationName(popt_context));
1298 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1299 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1300 poptGetInvocationName(popt_context));
1302 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1303 usage(popt_context, EXIT_FAILURE,
1304 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1305 poptGetInvocationName(popt_context));
1307 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1308 usage(popt_context, EXIT_FAILURE,
1309 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1310 poptGetInvocationName(popt_context));
1314 crypt_set_debug_level(-1);
1315 _dbg_version_and_cmd(argc, argv);
1318 return run_action(action);