2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "cryptsetup.h"
24 static const char *opt_cipher = NULL;
25 static const char *opt_hash = NULL;
26 static int opt_verify_passphrase = 0;
27 static const char *opt_key_file = NULL;
28 static const char *opt_master_key_file = NULL;
29 static const char *opt_header_backup_file = NULL;
30 static const char *opt_uuid = NULL;
31 static const char *opt_header_device = NULL;
32 static int opt_key_size = 0;
33 static long opt_keyfile_size = 0;
34 static long opt_new_keyfile_size = 0;
35 static long opt_keyfile_offset = 0;
36 static long opt_new_keyfile_offset = 0;
37 static int opt_key_slot = CRYPT_ANY_SLOT;
38 static uint64_t opt_size = 0;
39 static uint64_t opt_offset = 0;
40 static uint64_t opt_skip = 0;
41 static int opt_skip_valid = 0;
42 static int opt_readonly = 0;
43 static int opt_iteration_time = 1000;
44 static int opt_version_mode = 0;
45 static int opt_timeout = 0;
46 static int opt_tries = 3;
47 static int opt_align_payload = 0;
48 static int opt_random = 0;
49 static int opt_urandom = 0;
50 static int opt_dump_master_key = 0;
51 static int opt_shared = 0;
52 static int opt_allow_discards = 0;
53 static int opt_test_passphrase = 0;
55 static const char **action_argv;
56 static int action_argc;
57 static const char *null_action_argv[] = {NULL, NULL};
59 static int action_create(int arg);
60 static int action_remove(int arg);
61 static int action_resize(int arg);
62 static int action_status(int arg);
63 static int action_benchmark(int arg);
64 static int action_luksFormat(int arg);
65 static int action_luksOpen(int arg);
66 static int action_luksAddKey(int arg);
67 static int action_luksKillSlot(int arg);
68 static int action_luksRemoveKey(int arg);
69 static int action_luksChangeKey(int arg);
70 static int action_isLuks(int arg);
71 static int action_luksUUID(int arg);
72 static int action_luksDump(int arg);
73 static int action_luksSuspend(int arg);
74 static int action_luksResume(int arg);
75 static int action_luksBackup(int arg);
76 static int action_luksRestore(int arg);
77 static int action_loopaesOpen(int arg);
78 static int action_luksRepair(int arg);
80 static struct action_type {
84 int required_action_argc;
89 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
90 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
91 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
92 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
93 { "benchmark", action_benchmark, 0, 0, 0, N_("<name>"), N_("benchmark cipher") },
94 { "repair", action_luksRepair, 0, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
95 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
96 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
97 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
98 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
99 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
100 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
101 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
102 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
103 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
104 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
105 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
106 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
107 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
108 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
109 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
110 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
111 { NULL, NULL, 0, 0, 0, NULL, NULL }
114 static int _verify_passphrase(int def)
116 /* Batch mode switch off verify - if not overrided by -y */
117 if (opt_verify_passphrase)
119 else if (opt_batch_mode)
122 /* Non-tty input doesn't allow verify */
123 if (def && !isatty(STDIN_FILENO)) {
124 if (opt_verify_passphrase)
125 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
132 static int action_create(int arg __attribute__((unused)))
134 struct crypt_device *cd = NULL;
135 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
136 struct crypt_params_plain params = {
137 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
139 .offset = opt_offset,
142 char *password = NULL;
144 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
145 uint32_t activate_flags = 0;
148 if (params.hash && !strcmp(params.hash, "plain"))
151 /* FIXME: temporary hack */
152 if (opt_key_file && strcmp(opt_key_file, "-"))
155 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
156 log_std(("Ignoring keyfile offset and size options, keyfile read "
157 "size is always the same as encryption key size.\n"));
159 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
160 cipher, NULL, cipher_mode);
162 log_err("No known cipher specification pattern detected.\n");
166 if ((r = crypt_init(&cd, action_argv[1])))
169 crypt_set_timeout(cd, opt_timeout);
170 crypt_set_password_retry(cd, opt_tries);
172 r = crypt_format(cd, CRYPT_PLAIN,
181 activate_flags |= CRYPT_ACTIVATE_READONLY;
184 activate_flags |= CRYPT_ACTIVATE_SHARED;
186 if (opt_allow_discards)
187 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
190 /* With hashing, read the whole keyfile */
191 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
192 CRYPT_ANY_SLOT, opt_key_file,
193 params.hash ? 0 : key_size, 0,
196 r = crypt_get_key(_("Enter passphrase: "),
197 &password, &passwordLen,
198 opt_keyfile_offset, opt_keyfile_size,
200 _verify_passphrase(0),
205 r = crypt_activate_by_passphrase(cd, action_argv[0],
206 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
210 crypt_safe_free(password);
215 static int action_loopaesOpen(int arg __attribute__((unused)))
217 struct crypt_device *cd = NULL;
218 struct crypt_params_loopaes params = {
219 .hash = opt_hash ?: NULL,
220 .offset = opt_offset,
221 .skip = opt_skip_valid ? opt_skip : opt_offset,
223 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
224 uint32_t activate_flags = 0;
228 log_err(_("Option --key-file is required.\n"));
233 activate_flags |= CRYPT_ACTIVATE_READONLY;
235 if (opt_allow_discards)
236 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
238 if ((r = crypt_init(&cd, action_argv[0])))
241 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
242 NULL, NULL, NULL, key_size, ¶ms);
246 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
247 opt_key_file, opt_keyfile_size,
248 opt_keyfile_size, activate_flags);
255 static int action_remove(int arg __attribute__((unused)))
257 struct crypt_device *cd = NULL;
260 r = crypt_init_by_name(&cd, action_argv[0]);
262 r = crypt_deactivate(cd, action_argv[0]);
268 static int action_resize(int arg __attribute__((unused)))
270 struct crypt_device *cd = NULL;
273 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
275 r = crypt_resize(cd, action_argv[0], opt_size);
281 static int action_status(int arg __attribute__((unused)))
283 crypt_status_info ci;
284 struct crypt_active_device cad;
285 struct crypt_device *cd = NULL;
291 /* perhaps a path, not a dm device name */
292 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
295 ci = crypt_status(NULL, action_argv[0]);
302 log_std("%s is inactive.\n", action_argv[0]);
304 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
310 log_std("%s is active%s.\n", action_argv[0],
311 ci == CRYPT_BUSY ? " and is in use" : "");
313 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
314 ci == CRYPT_BUSY ? " and is in use" : "");
316 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
317 if (r < 0 || !crypt_get_type(cd))
320 log_std(" type: %s\n", crypt_get_type(cd));
322 r = crypt_get_active_device(cd, action_argv[0], &cad);
326 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
327 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
328 device = crypt_get_device_name(cd);
329 log_std(" device: %s\n", device);
330 if (crypt_loop_device(device)) {
331 backing_file = crypt_loop_backing_file(device);
332 log_std(" loop: %s\n", backing_file);
335 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
336 log_std(" size: %" PRIu64 " sectors\n", cad.size);
338 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
339 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
340 "readonly" : "read/write");
341 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
342 log_std(" flags: discards\n");
351 static int action_benchmark(int arg __attribute__((unused)))
359 { "aes", "cbc", 16, 16 },
360 { "serpent", "cbc", 16, 16 },
361 { "twofish", "cbc", 16, 16 },
362 { "aes", "cbc", 32, 16 },
363 { "serpent", "cbc", 32, 16 },
364 { "twofish", "cbc", 32, 16 },
365 { "aes", "xts", 32, 16 },
366 { "serpent", "xts", 32, 16 },
367 { "twofish", "xts", 32, 16 },
368 { "aes", "xts", 64, 16 },
369 { "serpent", "xts", 64, 16 },
370 { "twofish", "xts", 64, 16 },
373 char *header = "# Tests are approximate using memory only (no storage IO).\n"
374 "# Algorithm | Key | Encryption | Decryption\n";
375 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
376 double enc_mbr = 0, dec_mbr = 0;
377 int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS);
379 int buffer_size = 1024 * 1024;
384 r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
386 log_err(_("No known cipher specification pattern detected.\n"));
389 if ((c = strchr(cipher_mode, '-')))
392 /* FIXME: not really clever :) */
393 if (strstr(cipher, "des"))
396 r = crypt_benchmark(NULL, cipher, cipher_mode,
397 key_size / 8, iv_size, buffer_size,
400 log_std("%s", header);
401 strncat(cipher, "-", MAX_CIPHER_LEN);
402 strncat(cipher, cipher_mode, MAX_CIPHER_LEN);
403 log_std("%11s %4db %5.1f MiB/s %5.1f MiB/s\n",
404 cipher, key_size, enc_mbr, dec_mbr);
406 log_err(_("Cannot benchmark %s.\n"), cipher);
408 log_std("%s", header);
409 for (i = 0; bciphers[i].cipher; i++) {
410 r = crypt_benchmark(NULL, bciphers[i].cipher, bciphers[i].mode,
411 bciphers[i].key_size, bciphers[i].iv_size,
412 buffer_size, &enc_mbr, &dec_mbr);
413 snprintf(cipher, MAX_CIPHER_LEN, "%s-%s",
414 bciphers[i].cipher, bciphers[i].mode);
416 log_std("%11s %4db %5.1f MiB/s %5.1f MiB/s\n",
417 cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr);
419 log_std("%11s %4db %12s %12s\n", cipher,
420 bciphers[i].key_size*8, _("N/A"), _("N/A"));
427 static int _read_mk(const char *file, char **key, int keysize)
431 *key = crypt_safe_alloc(keysize);
435 fd = open(file, O_RDONLY);
437 log_err("Cannot read keyfile %s.\n", file);
440 if ((read(fd, *key, keysize) != keysize)) {
441 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
448 crypt_safe_free(*key);
453 static int action_luksRepair(int arg __attribute__((unused)))
455 struct crypt_device *cd = NULL;
458 if ((r = crypt_init(&cd, action_argv[0])))
461 /* Currently only LUKS1 allows repair */
462 crypt_set_log_callback(cd, quiet_log, NULL);
463 r = crypt_load(cd, CRYPT_LUKS1, NULL);
464 crypt_set_log_callback(cd, tool_log, NULL);
466 log_verbose( _("No known problems detected for LUKS header.\n"));
470 r = yesDialog(_("Really try to repair LUKS device header?"),
473 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
479 static int action_luksFormat(int arg __attribute__((unused)))
481 int r = -EINVAL, keysize;
482 const char *header_device;
483 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
484 char *password = NULL;
486 struct crypt_device *cd = NULL;
487 struct crypt_params_luks1 params = {
488 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
489 .data_alignment = opt_align_payload,
490 .data_device = opt_header_device ? action_argv[0] : NULL,
493 header_device = opt_header_device ?: action_argv[0];
495 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
496 header_device) == -1) {
497 log_err(_("memory allocation error in action_luksFormat"));
501 r = yesDialog(msg, NULL) ? 0 : -EINVAL;
506 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
507 cipher, NULL, cipher_mode);
509 log_err(_("No known cipher specification pattern detected.\n"));
513 if ((r = crypt_init(&cd, header_device))) {
514 if (opt_header_device)
515 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
519 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
521 crypt_set_timeout(cd, opt_timeout);
522 if (opt_iteration_time)
523 crypt_set_iteration_time(cd, opt_iteration_time);
526 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
527 else if (opt_urandom)
528 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
530 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
531 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
532 opt_timeout, _verify_passphrase(1), cd);
536 if (opt_master_key_file) {
537 r = _read_mk(opt_master_key_file, &key, keysize);
542 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
543 opt_uuid, key, keysize, ¶ms);
547 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
549 password, passwordLen);
552 crypt_safe_free(key);
553 crypt_safe_free(password);
558 static int action_luksOpen(int arg __attribute__((unused)))
560 struct crypt_device *cd = NULL;
561 const char *data_device, *header_device, *activated_name;
566 if (opt_header_device) {
567 header_device = uuid_or_device(opt_header_device);
568 data_device = action_argv[0];
570 header_device = uuid_or_device(action_argv[0]);
574 activated_name = opt_test_passphrase ? NULL : action_argv[1];
576 if ((r = crypt_init(&cd, header_device)))
579 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
583 (r = crypt_set_data_device(cd, data_device)))
586 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
587 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
592 crypt_set_timeout(cd, opt_timeout);
593 crypt_set_password_retry(cd, opt_tries);
594 crypt_set_password_verify(cd, _verify_passphrase(0));
596 if (opt_iteration_time)
597 crypt_set_iteration_time(cd, opt_iteration_time);
600 flags |= CRYPT_ACTIVATE_READONLY;
602 if (opt_allow_discards)
603 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
605 if (opt_master_key_file) {
606 keysize = crypt_get_volume_key_size(cd);
607 r = _read_mk(opt_master_key_file, &key, keysize);
610 r = crypt_activate_by_volume_key(cd, activated_name,
611 key, keysize, flags);
612 } else if (opt_key_file) {
613 crypt_set_password_retry(cd, 1);
614 r = crypt_activate_by_keyfile_offset(cd, activated_name,
615 opt_key_slot, opt_key_file, opt_keyfile_size,
616 opt_keyfile_offset, flags);
618 r = crypt_activate_by_passphrase(cd, activated_name,
619 opt_key_slot, NULL, 0, flags);
621 crypt_safe_free(key);
626 static int verify_keyslot(struct crypt_device *cd, int key_slot,
627 char *msg_last, char *msg_pass,
628 const char *key_file, int keyfile_offset,
631 crypt_keyslot_info ki;
632 char *password = NULL;
636 ki = crypt_keyslot_status(cd, key_slot);
637 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !yesDialog(msg_last, NULL))
640 r = crypt_get_key(msg_pass, &password, &passwordLen,
641 keyfile_offset, keyfile_size, key_file, opt_timeout,
642 _verify_passphrase(0), cd);
646 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
647 /* check the last keyslot */
648 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
649 password, passwordLen, 0);
651 /* try all other keyslots */
652 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
655 ki = crypt_keyslot_status(cd, key_slot);
656 if (ki == CRYPT_SLOT_ACTIVE)
657 r = crypt_activate_by_passphrase(cd, NULL, i,
658 password, passwordLen, 0);
665 log_err(_("No key available with this passphrase.\n"));
667 crypt_safe_free(password);
671 static int action_luksKillSlot(int arg __attribute__((unused)))
673 struct crypt_device *cd = NULL;
676 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
679 crypt_set_confirm_callback(cd, yesDialog, NULL);
680 crypt_set_timeout(cd, opt_timeout);
682 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
685 switch (crypt_keyslot_status(cd, opt_key_slot)) {
686 case CRYPT_SLOT_ACTIVE_LAST:
687 case CRYPT_SLOT_ACTIVE:
688 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
690 case CRYPT_SLOT_INACTIVE:
691 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
692 case CRYPT_SLOT_INVALID:
697 if (!opt_batch_mode) {
698 r = verify_keyslot(cd, opt_key_slot,
699 _("This is the last keyslot. Device will become unusable after purging this key."),
700 _("Enter any remaining LUKS passphrase: "),
701 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
706 r = crypt_keyslot_destroy(cd, opt_key_slot);
712 static int action_luksRemoveKey(int arg __attribute__((unused)))
714 struct crypt_device *cd = NULL;
715 char *password = NULL;
719 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
722 crypt_set_confirm_callback(cd, yesDialog, NULL);
723 crypt_set_timeout(cd, opt_timeout);
725 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
728 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
729 &password, &passwordLen,
730 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
732 _verify_passphrase(0),
737 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
738 password, passwordLen, 0);
743 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
745 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
746 !yesDialog(_("This is the last keyslot. "
747 "Device will become unusable after purging this key."),
753 r = crypt_keyslot_destroy(cd, opt_key_slot);
755 crypt_safe_free(password);
760 static int action_luksAddKey(int arg __attribute__((unused)))
762 int r = -EINVAL, keysize = 0;
764 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
765 struct crypt_device *cd = NULL;
767 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
770 crypt_set_confirm_callback(cd, yesDialog, NULL);
772 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
775 keysize = crypt_get_volume_key_size(cd);
776 /* FIXME: lib cannot properly set verification for new/old passphrase */
777 crypt_set_password_verify(cd, _verify_passphrase(0));
778 crypt_set_timeout(cd, opt_timeout);
779 if (opt_iteration_time)
780 crypt_set_iteration_time(cd, opt_iteration_time);
782 if (opt_master_key_file) {
783 r = _read_mk(opt_master_key_file, &key, keysize);
786 //FIXME: process keyfile arg
787 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
788 key, keysize, NULL, 0);
789 } else if (opt_key_file || opt_new_key_file) {
790 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
791 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
792 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
794 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
799 crypt_safe_free(key);
803 static int _slots_full(struct crypt_device *cd)
807 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
808 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
813 static int action_luksChangeKey(int arg __attribute__((unused)))
815 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
816 struct crypt_device *cd = NULL;
817 char *vk = NULL, *password = NULL;
818 size_t passwordLen = 0;
820 int new_key_slot, old_key_slot, r;
822 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
825 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
828 if (opt_iteration_time)
829 crypt_set_iteration_time(cd, opt_iteration_time);
831 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
832 &password, &passwordLen,
833 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
834 opt_timeout, _verify_passphrase(0), cd);
838 vk_size = crypt_get_volume_key_size(cd);
839 vk = crypt_safe_alloc(vk_size);
845 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
846 password, passwordLen);
848 if (opt_key_slot != CRYPT_ANY_SLOT)
849 log_err(_("No key available with this passphrase.\n"));
853 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
854 log_dbg("Key slot %d is going to be overwritten (%s).",
855 r, opt_key_slot != CRYPT_ANY_SLOT ?
856 "explicit key slot specified" : "no free key slot");
860 log_dbg("Allocating new key slot.");
862 new_key_slot = CRYPT_ANY_SLOT;
865 crypt_safe_free(password);
868 r = crypt_get_key(_("Enter new LUKS passphrase: "),
869 &password, &passwordLen,
870 opt_new_keyfile_offset, opt_new_keyfile_size,
872 opt_timeout, _verify_passphrase(0), cd);
876 if (new_key_slot == old_key_slot) {
877 (void)crypt_keyslot_destroy(cd, old_key_slot);
878 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
880 password, passwordLen);
882 log_verbose(_("Key slot %d changed.\n"), r);
884 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
886 password, passwordLen);
888 log_verbose(_("Replaced with key slot %d.\n"), r);
889 r = crypt_keyslot_destroy(cd, old_key_slot);
893 log_err(_("Failed to swap new key slot.\n"));
896 crypt_safe_free(password);
901 static int action_isLuks(int arg __attribute__((unused)))
903 struct crypt_device *cd = NULL;
906 if ((r = crypt_init(&cd, action_argv[0])))
909 crypt_set_log_callback(cd, quiet_log, NULL);
910 r = crypt_load(cd, CRYPT_LUKS1, NULL);
916 static int action_luksUUID(int arg __attribute__((unused)))
918 struct crypt_device *cd = NULL;
919 const char *existing_uuid = NULL;
922 if ((r = crypt_init(&cd, action_argv[0])))
925 crypt_set_confirm_callback(cd, yesDialog, NULL);
927 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
931 r = crypt_set_uuid(cd, opt_uuid);
933 existing_uuid = crypt_get_uuid(cd);
934 log_std("%s\n", existing_uuid ?: "");
935 r = existing_uuid ? 0 : 1;
942 static int luksDump_with_volume_key(struct crypt_device *cd)
944 char *vk = NULL, *password = NULL;
945 size_t passwordLen = 0;
950 crypt_set_confirm_callback(cd, yesDialog, NULL);
952 _("LUKS header dump with volume key is sensitive information\n"
953 "which allows access to encrypted partition without passphrase.\n"
954 "This dump should be always stored encrypted on safe place."),
958 vk_size = crypt_get_volume_key_size(cd);
959 vk = crypt_safe_alloc(vk_size);
963 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
964 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
969 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
970 password, passwordLen);
974 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
975 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
976 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
977 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
978 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
979 log_std("MK bits: \t%d\n", (int)vk_size * 8);
980 log_std("MK dump:\t");
982 for(i = 0; i < vk_size; i++) {
985 log_std("%02hhx ", (char)vk[i]);
990 crypt_safe_free(password);
995 static int action_luksDump(int arg __attribute__((unused)))
997 struct crypt_device *cd = NULL;
1000 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1003 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1006 if (opt_dump_master_key)
1007 r = luksDump_with_volume_key(cd);
1015 static int action_luksSuspend(int arg __attribute__((unused)))
1017 struct crypt_device *cd = NULL;
1020 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
1022 r = crypt_suspend(cd, action_argv[0]);
1028 static int action_luksResume(int arg __attribute__((unused)))
1030 struct crypt_device *cd = NULL;
1033 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1036 crypt_set_timeout(cd, opt_timeout);
1037 crypt_set_password_retry(cd, opt_tries);
1038 crypt_set_password_verify(cd, _verify_passphrase(0));
1041 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1042 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1044 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1051 static int action_luksBackup(int arg __attribute__((unused)))
1053 struct crypt_device *cd = NULL;
1056 if (!opt_header_backup_file) {
1057 log_err(_("Option --header-backup-file is required.\n"));
1061 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1064 crypt_set_confirm_callback(cd, yesDialog, NULL);
1066 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1072 static int action_luksRestore(int arg __attribute__((unused)))
1074 struct crypt_device *cd = NULL;
1077 if (!opt_header_backup_file) {
1078 log_err(_("Option --header-backup-file is required.\n"));
1082 if ((r = crypt_init(&cd, action_argv[0])))
1085 crypt_set_confirm_callback(cd, yesDialog, NULL);
1086 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1092 static void help(poptContext popt_context,
1093 enum poptCallbackReason reason __attribute__((unused)),
1094 struct poptOption *key,
1095 const char *arg __attribute__((unused)),
1096 void *data __attribute__((unused)))
1098 if (key->shortName == '?') {
1099 struct action_type *action;
1101 log_std("%s\n",PACKAGE_STRING);
1103 poptPrintHelp(popt_context, stdout, 0);
1106 "<action> is one of:\n"));
1108 for(action = action_types; action->type; action++)
1109 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1112 "<name> is the device to create under %s\n"
1113 "<device> is the encrypted device\n"
1114 "<key slot> is the LUKS key slot number to modify\n"
1115 "<key file> optional key file for the new key for luksAddKey action\n"),
1118 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1119 "\tMaximum keyfile size: %dkB, "
1120 "Maximum interactive passphrase length %d (characters)\n"),
1121 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1123 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1124 "\tloop-AES: %s, Key %d bits\n"
1125 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1126 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1127 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1128 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1129 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1133 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1136 static int run_action(struct action_type *action)
1140 log_dbg("Running command %s.", action->type);
1142 if (action->required_memlock)
1143 crypt_memory_lock(NULL, 1);
1145 r = action->handler(action->arg);
1147 if (action->required_memlock)
1148 crypt_memory_lock(NULL, 0);
1150 /* Some functions returns keyslot # */
1155 return translate_errno(r);
1158 int main(int argc, const char **argv)
1160 static char *popt_tmp;
1161 static struct poptOption popt_help_options[] = {
1162 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1163 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1164 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1167 static struct poptOption popt_options[] = {
1168 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1169 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1170 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1171 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1172 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1173 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1174 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1175 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1176 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1177 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1178 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1179 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1180 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1181 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1182 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1183 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1184 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1185 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1186 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1187 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1188 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1189 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1190 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1191 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1192 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1193 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1194 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1195 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1196 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1197 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1198 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1199 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1200 { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
1203 poptContext popt_context;
1204 struct action_type *action;
1208 crypt_set_log_callback(NULL, tool_log, NULL);
1210 setlocale(LC_ALL, "");
1211 bindtextdomain(PACKAGE, LOCALEDIR);
1212 textdomain(PACKAGE);
1214 crypt_fips_self_check(NULL);
1216 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1217 poptSetOtherOptionHelp(popt_context,
1218 _("[OPTION...] <action> <action-specific>"));
1220 while((r = poptGetNextOpt(popt_context)) > 0) {
1221 unsigned long long ull_value;
1225 ull_value = strtoull(popt_tmp, &endp, 0);
1226 if (*endp || !*popt_tmp ||
1227 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1228 (errno != 0 && ull_value == 0))
1229 r = POPT_ERROR_BADNUMBER;
1233 opt_size = ull_value;
1236 opt_offset = ull_value;
1239 opt_skip = ull_value;
1249 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1250 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1251 if (opt_version_mode) {
1252 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1253 poptFreeContext(popt_context);
1257 if (!(aname = poptGetArg(popt_context)))
1258 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1259 poptGetInvocationName(popt_context));
1260 for(action = action_types; action->type; action++)
1261 if (strcmp(action->type, aname) == 0)
1264 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1265 poptGetInvocationName(popt_context));
1268 action_argv = poptGetArgs(popt_context);
1269 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1271 action_argv = null_action_argv;
1273 /* Count args, somewhat unnice, change? */
1274 while(action_argv[action_argc] != NULL)
1277 if(action_argc < action->required_action_argc) {
1279 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1280 usage(popt_context, EXIT_FAILURE, buf,
1281 poptGetInvocationName(popt_context));
1284 /* FIXME: rewrite this from scratch */
1286 if (opt_shared && strcmp(aname, "create"))
1287 usage(popt_context, EXIT_FAILURE,
1288 _("Option --shared is allowed only for create operation.\n"),
1289 poptGetInvocationName(popt_context));
1291 if (opt_allow_discards &&
1292 strcmp(aname, "luksOpen") &&
1293 strcmp(aname, "create") &&
1294 strcmp(aname, "loopaesOpen"))
1295 usage(popt_context, EXIT_FAILURE,
1296 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1297 poptGetInvocationName(popt_context));
1300 strcmp(aname, "luksFormat") &&
1301 strcmp(aname, "create") &&
1302 strcmp(aname, "loopaesOpen") &&
1303 strcmp(aname, "benchmark"))
1304 usage(popt_context, EXIT_FAILURE,
1305 _("Option --key-size is allowed only for luksFormat, create, loopaesOpen and benchmark.\n"
1306 "To limit read from keyfile use --keyfile-size=(bytes)."),
1307 poptGetInvocationName(popt_context));
1309 if (opt_test_passphrase &&
1310 strcmp(aname, "luksOpen"))
1311 usage(popt_context, EXIT_FAILURE,
1312 _("Option --test-passphrase is allowed only for luksOpen.\n"),
1313 poptGetInvocationName(popt_context));
1315 if (opt_key_size % 8)
1316 usage(popt_context, EXIT_FAILURE,
1317 _("Key size must be a multiple of 8 bits"),
1318 poptGetInvocationName(popt_context));
1320 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1321 opt_key_slot = atoi(action_argv[1]);
1322 if (opt_key_slot != CRYPT_ANY_SLOT &&
1323 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1324 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1325 poptGetInvocationName(popt_context));
1327 if ((!strcmp(aname, "luksRemoveKey") ||
1328 !strcmp(aname, "luksFormat")) &&
1331 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1333 opt_key_file = action_argv[1];
1336 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1337 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0)
1338 usage(popt_context, EXIT_FAILURE,
1339 _("Negative number for option not permitted."),
1340 poptGetInvocationName(popt_context));
1342 if (opt_random && opt_urandom)
1343 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1344 poptGetInvocationName(popt_context));
1346 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1347 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1348 poptGetInvocationName(popt_context));
1350 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1351 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1352 poptGetInvocationName(popt_context));
1354 if (opt_align_payload && strcmp(aname, "luksFormat"))
1355 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1356 poptGetInvocationName(popt_context));
1358 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1359 usage(popt_context, EXIT_FAILURE,
1360 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1361 poptGetInvocationName(popt_context));
1363 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1364 usage(popt_context, EXIT_FAILURE,
1365 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1366 poptGetInvocationName(popt_context));
1370 crypt_set_debug_level(-1);
1371 dbg_version_and_cmd(argc, argv);
1374 r = run_action(action);
1375 poptFreeContext(popt_context);