2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
32 #include <libcryptsetup.h>
35 #include "cryptsetup.h"
37 static int opt_verbose = 0;
38 static int opt_debug = 0;
39 static const char *opt_cipher = NULL;
40 static const char *opt_hash = NULL;
41 static int opt_verify_passphrase = 0;
42 static const char *opt_key_file = NULL;
43 static const char *opt_master_key_file = NULL;
44 static const char *opt_header_backup_file = NULL;
45 static const char *opt_uuid = NULL;
46 static const char *opt_header_device = NULL;
47 static int opt_key_size = 0;
48 static long opt_keyfile_size = 0;
49 static long opt_new_keyfile_size = 0;
50 static int opt_key_slot = CRYPT_ANY_SLOT;
51 static uint64_t opt_size = 0;
52 static uint64_t opt_offset = 0;
53 static uint64_t opt_skip = 0;
54 static int opt_skip_valid = 0;
55 static int opt_readonly = 0;
56 static int opt_iteration_time = 1000;
57 static int opt_batch_mode = 0;
58 static int opt_version_mode = 0;
59 static int opt_timeout = 0;
60 static int opt_tries = 3;
61 static int opt_align_payload = 0;
62 static int opt_random = 0;
63 static int opt_urandom = 0;
64 static int opt_dump_master_key = 0;
65 static int opt_shared = 0;
66 static int opt_allow_discards = 0;
68 static const char **action_argv;
69 static int action_argc;
71 static int action_create(int arg);
72 static int action_remove(int arg);
73 static int action_resize(int arg);
74 static int action_status(int arg);
75 static int action_luksFormat(int arg);
76 static int action_luksOpen(int arg);
77 static int action_luksAddKey(int arg);
78 static int action_luksKillSlot(int arg);
79 static int action_luksRemoveKey(int arg);
80 static int action_luksChangeKey(int arg);
81 static int action_isLuks(int arg);
82 static int action_luksUUID(int arg);
83 static int action_luksDump(int arg);
84 static int action_luksSuspend(int arg);
85 static int action_luksResume(int arg);
86 static int action_luksBackup(int arg);
87 static int action_luksRestore(int arg);
88 static int action_loopaesOpen(int arg);
90 static struct action_type {
94 int required_action_argc;
99 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
100 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
101 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
102 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
103 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
104 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
105 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
106 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
107 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
108 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
109 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
110 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
111 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
112 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
113 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
114 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
115 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
116 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
117 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
118 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
119 { NULL, NULL, 0, 0, 0, NULL, NULL }
122 __attribute__((format(printf, 5, 6)))
123 static void clogger(struct crypt_device *cd, int level, const char *file,
124 int line, const char *format, ...)
129 va_start(argp, format);
131 if (vasprintf(&target, format, argp) > 0) {
133 crypt_log(cd, level, target);
135 } else if (opt_debug)
136 printf("# %s:%d %s\n", file ?: "?", line, target);
138 } else if (opt_debug)
139 printf("# %s\n", target);
147 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
153 if(isatty(0) && !opt_batch_mode) {
154 log_std("\nWARNING!\n========\n");
155 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
156 if(getline(&answer, &size, stdin) == -1) {
161 if(strcmp(answer, "YES\n"))
169 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
173 case CRYPT_LOG_NORMAL:
176 case CRYPT_LOG_VERBOSE:
180 case CRYPT_LOG_ERROR:
183 case CRYPT_LOG_DEBUG:
185 printf("# %s\n", msg);
188 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
193 static void show_status(int errcode)
195 char error[256], *error_;
201 log_std(_("Command successful.\n"));
205 crypt_get_error(error, sizeof(error));
208 error_ = strerror_r(-errcode, error, sizeof(error));
209 if (error_ != error) {
210 strncpy(error, error_, sizeof(error));
211 error[sizeof(error) - 1] = '\0';
215 log_err(_("Command failed with code %i"), -errcode);
217 log_err(": %s\n", error);
222 static int action_create(int arg __attribute__((unused)))
224 struct crypt_device *cd = NULL;
225 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
226 struct crypt_params_plain params = {
227 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
229 .offset = opt_offset,
232 char *password = NULL;
234 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
235 uint32_t activate_flags = 0;
238 if (params.hash && !strcmp(params.hash, "plain"))
241 /* FIXME: temporary hack */
242 if (opt_key_file && strcmp(opt_key_file, "-"))
245 if (opt_keyfile_size && opt_key_file)
246 log_std(("Ignoring keyfile size option, keyfile read size "
247 "is always the same as encryption key size.\n"));
249 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
250 cipher, NULL, cipher_mode);
252 log_err("No known cipher specification pattern detected.\n");
256 if ((r = crypt_init(&cd, action_argv[1])))
259 crypt_set_timeout(cd, opt_timeout);
260 crypt_set_password_retry(cd, opt_tries);
262 r = crypt_format(cd, CRYPT_PLAIN,
271 activate_flags |= CRYPT_ACTIVATE_READONLY;
274 activate_flags |= CRYPT_ACTIVATE_SHARED;
276 if (opt_allow_discards)
277 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
280 /* With hashing, read the whole keyfile */
281 r = crypt_activate_by_keyfile(cd, action_argv[0],
282 CRYPT_ANY_SLOT, opt_key_file, params.hash ? 0 : key_size,
285 r = crypt_get_key(_("Enter passphrase: "),
286 &password, &passwordLen, opt_keyfile_size,
288 opt_batch_mode ? 0 : opt_verify_passphrase,
293 r = crypt_activate_by_passphrase(cd, action_argv[0],
294 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
298 crypt_safe_free(password);
303 static int action_loopaesOpen(int arg __attribute__((unused)))
305 struct crypt_device *cd = NULL;
306 struct crypt_params_loopaes params = {
307 .hash = opt_hash ?: NULL,
308 .offset = opt_offset,
309 .skip = opt_skip_valid ? opt_skip : opt_offset,
311 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
312 uint32_t activate_flags = 0;
316 log_err(_("Option --key-file is required.\n"));
321 activate_flags |= CRYPT_ACTIVATE_READONLY;
323 if (opt_allow_discards)
324 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
326 if ((r = crypt_init(&cd, action_argv[0])))
329 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
330 NULL, NULL, NULL, key_size, ¶ms);
334 r = crypt_activate_by_keyfile(cd, action_argv[1], CRYPT_ANY_SLOT,
335 opt_key_file, opt_keyfile_size, activate_flags);
342 static int action_remove(int arg __attribute__((unused)))
344 struct crypt_device *cd = NULL;
347 r = crypt_init_by_name(&cd, action_argv[0]);
349 r = crypt_deactivate(cd, action_argv[0]);
355 static int action_resize(int arg __attribute__((unused)))
357 struct crypt_device *cd = NULL;
360 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
362 r = crypt_resize(cd, action_argv[0], opt_size);
368 static int action_status(int arg __attribute__((unused)))
370 crypt_status_info ci;
371 struct crypt_active_device cad;
372 struct crypt_device *cd = NULL;
377 ci = crypt_status(NULL, action_argv[0]);
383 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
388 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
389 ci == CRYPT_BUSY ? " and is in use" : "");
390 r = crypt_init_by_name(&cd, action_argv[0]);
391 if (r < 0 || !crypt_get_type(cd))
394 log_std(" type: %s\n", crypt_get_type(cd));
396 r = crypt_get_active_device(cd, action_argv[0], &cad);
400 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
401 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
402 device = crypt_get_device_name(cd);
403 log_std(" device: %s\n", device);
404 if (crypt_loop_device(device)) {
405 backing_file = crypt_loop_backing_file(device);
406 log_std(" loop: %s\n", backing_file);
409 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
410 log_std(" size: %" PRIu64 " sectors\n", cad.size);
412 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
413 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
414 "readonly" : "read/write");
415 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
416 log_std(" flags: discards\n");
423 static int _read_mk(const char *file, char **key, int keysize)
427 *key = crypt_safe_alloc(keysize);
431 fd = open(file, O_RDONLY);
433 log_err("Cannot read keyfile %s.\n", file);
436 if ((read(fd, *key, keysize) != keysize)) {
437 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
444 crypt_safe_free(*key);
449 static int action_luksFormat(int arg __attribute__((unused)))
451 int r = -EINVAL, keysize;
452 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
453 char *password = NULL;
455 struct crypt_device *cd = NULL;
456 struct crypt_params_luks1 params = {
457 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
458 .data_alignment = opt_align_payload,
461 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
462 log_err(_("memory allocation error in action_luksFormat"));
466 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
471 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
472 cipher, NULL, cipher_mode);
474 log_err("No known cipher specification pattern detected.\n");
478 if ((r = crypt_init(&cd, action_argv[0])))
481 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
483 crypt_set_password_verify(cd, 1);
484 crypt_set_timeout(cd, opt_timeout);
485 if (opt_iteration_time)
486 crypt_set_iterarion_time(cd, opt_iteration_time);
489 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
490 else if (opt_urandom)
491 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
493 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
494 opt_keyfile_size, opt_key_file, opt_timeout,
495 opt_batch_mode ? 0 : 1 /* always verify */, cd);
499 if (opt_master_key_file) {
500 r = _read_mk(opt_master_key_file, &key, keysize);
505 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
506 opt_uuid, key, keysize, ¶ms);
510 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
512 password, passwordLen);
515 crypt_safe_free(key);
516 crypt_safe_free(password);
521 static int action_luksOpen(int arg __attribute__((unused)))
523 struct crypt_device *cd = NULL;
524 const char *data_device, *header_device;
528 if (opt_header_device) {
529 header_device = opt_header_device;
530 data_device = action_argv[0];
532 header_device = action_argv[0];
536 if ((r = crypt_init(&cd, header_device)))
539 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
543 (r = crypt_set_data_device(cd, data_device)))
546 crypt_set_timeout(cd, opt_timeout);
547 crypt_set_password_retry(cd, opt_tries);
549 if (opt_iteration_time)
550 crypt_set_iterarion_time(cd, opt_iteration_time);
553 flags |= CRYPT_ACTIVATE_READONLY;
555 if (opt_allow_discards)
556 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
559 crypt_set_password_retry(cd, 1);
560 r = crypt_activate_by_keyfile(cd, action_argv[1],
561 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
564 r = crypt_activate_by_passphrase(cd, action_argv[1],
565 CRYPT_ANY_SLOT, NULL, 0, flags);
571 static int verify_keyslot(struct crypt_device *cd, int key_slot,
572 char *msg_last, char *msg_pass,
573 const char *key_file, int keyfile_size)
575 crypt_keyslot_info ki;
576 char *password = NULL;
580 ki = crypt_keyslot_status(cd, key_slot);
581 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
584 r = crypt_get_key(msg_pass, &password, &passwordLen,
585 keyfile_size, key_file, opt_timeout,
586 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
590 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
591 /* check the last keyslot */
592 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
593 password, passwordLen, 0);
595 /* try all other keyslots */
596 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
599 ki = crypt_keyslot_status(cd, key_slot);
600 if (ki == CRYPT_SLOT_ACTIVE)
601 r = crypt_activate_by_passphrase(cd, NULL, i,
602 password, passwordLen, 0);
609 log_err(_("No key available with this passphrase.\n"));
611 crypt_safe_free(password);
615 static int action_luksKillSlot(int arg __attribute__((unused)))
617 struct crypt_device *cd = NULL;
620 if ((r = crypt_init(&cd, action_argv[0])))
623 crypt_set_confirm_callback(cd, _yesDialog, NULL);
624 crypt_set_timeout(cd, opt_timeout);
626 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
629 switch (crypt_keyslot_status(cd, opt_key_slot)) {
630 case CRYPT_SLOT_ACTIVE_LAST:
631 case CRYPT_SLOT_ACTIVE:
632 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
634 case CRYPT_SLOT_INACTIVE:
635 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
636 case CRYPT_SLOT_INVALID:
640 if (!opt_batch_mode) {
641 r = verify_keyslot(cd, opt_key_slot,
642 _("This is the last keyslot. Device will become unusable after purging this key."),
643 _("Enter any remaining LUKS passphrase: "),
644 opt_key_file, opt_keyfile_size);
649 r = crypt_keyslot_destroy(cd, opt_key_slot);
655 static int action_luksRemoveKey(int arg __attribute__((unused)))
657 struct crypt_device *cd = NULL;
658 char *password = NULL;
662 if ((r = crypt_init(&cd, action_argv[0])))
665 crypt_set_confirm_callback(cd, _yesDialog, NULL);
666 crypt_set_timeout(cd, opt_timeout);
668 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
671 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
672 &password, &passwordLen,
673 opt_keyfile_size, opt_key_file,
675 opt_batch_mode ? 0 : opt_verify_passphrase,
680 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
681 password, passwordLen, 0);
686 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
688 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
689 !_yesDialog(_("This is the last keyslot. "
690 "Device will become unusable after purging this key."),
696 r = crypt_keyslot_destroy(cd, opt_key_slot);
698 crypt_safe_free(password);
703 static int action_luksAddKey(int arg __attribute__((unused)))
705 int r = -EINVAL, keysize = 0;
707 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
708 struct crypt_device *cd = NULL;
710 if ((r = crypt_init(&cd, action_argv[0])))
713 crypt_set_confirm_callback(cd, _yesDialog, NULL);
715 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
718 keysize = crypt_get_volume_key_size(cd);
719 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
720 crypt_set_timeout(cd, opt_timeout);
721 if (opt_iteration_time)
722 crypt_set_iterarion_time(cd, opt_iteration_time);
724 if (opt_master_key_file) {
725 r = _read_mk(opt_master_key_file, &key, keysize);
728 //FIXME: process keyfile arg
729 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
730 key, keysize, NULL, 0);
731 } else if (opt_key_file || opt_new_key_file) {
732 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
733 opt_key_file, opt_keyfile_size,
734 opt_new_key_file, opt_new_keyfile_size);
736 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
741 crypt_safe_free(key);
745 static int _slots_full(struct crypt_device *cd)
749 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
750 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
755 static int action_luksChangeKey(int arg __attribute__((unused)))
757 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
758 struct crypt_device *cd = NULL;
759 char *vk = NULL, *password = NULL;
760 size_t passwordLen = 0;
762 int new_key_slot, old_key_slot, r;
764 if ((r = crypt_init(&cd, action_argv[0])))
767 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
770 if (opt_iteration_time)
771 crypt_set_iterarion_time(cd, opt_iteration_time);
773 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
774 &password, &passwordLen,
775 opt_keyfile_size, opt_key_file, opt_timeout,
776 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
780 vk_size = crypt_get_volume_key_size(cd);
781 vk = crypt_safe_alloc(vk_size);
787 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
788 password, passwordLen);
790 if (opt_key_slot != CRYPT_ANY_SLOT)
791 log_err(_("No key available with this passphrase.\n"));
795 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
796 log_dbg("Key slot %d is going to be overwritten (%s).",
797 r, opt_key_slot != CRYPT_ANY_SLOT ?
798 "explicit key slot specified" : "no free key slot");
802 log_dbg("Allocating new key slot.");
804 new_key_slot = CRYPT_ANY_SLOT;
807 crypt_safe_free(password);
810 r = crypt_get_key(_("Enter new LUKS passphrase: "),
811 &password, &passwordLen,
812 opt_new_keyfile_size, opt_new_key_file,
813 opt_timeout, opt_batch_mode ? 0 : 1, cd);
817 if (new_key_slot == old_key_slot) {
818 (void)crypt_keyslot_destroy(cd, old_key_slot);
819 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
821 password, passwordLen);
823 log_verbose(_("Key slot %d changed.\n"), r);
825 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
827 password, passwordLen);
829 log_verbose(_("Replaced with key slot %d.\n"), r);
830 r = crypt_keyslot_destroy(cd, old_key_slot);
834 log_err(_("Failed to swap new key slot.\n"));
837 crypt_safe_free(password);
842 static int action_isLuks(int arg __attribute__((unused)))
844 struct crypt_device *cd = NULL;
847 if ((r = crypt_init(&cd, action_argv[0])))
850 r = crypt_load(cd, CRYPT_LUKS1, NULL);
856 static int action_luksUUID(int arg __attribute__((unused)))
858 struct crypt_device *cd = NULL;
859 const char *existing_uuid = NULL;
862 if ((r = crypt_init(&cd, action_argv[0])))
865 crypt_set_confirm_callback(cd, _yesDialog, NULL);
867 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
871 r = crypt_set_uuid(cd, opt_uuid);
873 existing_uuid = crypt_get_uuid(cd);
874 log_std("%s\n", existing_uuid ?: "");
875 r = existing_uuid ? 0 : 1;
882 static int luksDump_with_volume_key(struct crypt_device *cd)
884 char *vk = NULL, *password = NULL;
885 size_t passwordLen = 0;
890 crypt_set_confirm_callback(cd, _yesDialog, NULL);
892 _("LUKS header dump with volume key is sensitive information\n"
893 "which allows access to encrypted partition without passphrase.\n"
894 "This dump should be always stored encrypted on safe place."),
898 vk_size = crypt_get_volume_key_size(cd);
899 vk = crypt_safe_alloc(vk_size);
903 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
904 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
908 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
909 password, passwordLen);
913 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
914 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
915 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
916 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
917 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
918 log_std("MK bits: \t%d\n", (int)vk_size * 8);
919 log_std("MK dump:\t");
921 for(i = 0; i < vk_size; i++) {
924 log_std("%02hhx ", (char)vk[i]);
929 crypt_safe_free(password);
934 static int action_luksDump(int arg __attribute__((unused)))
936 struct crypt_device *cd = NULL;
939 if ((r = crypt_init(&cd, action_argv[0])))
942 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
945 if (opt_dump_master_key)
946 r = luksDump_with_volume_key(cd);
954 static int action_luksSuspend(int arg __attribute__((unused)))
956 struct crypt_device *cd = NULL;
959 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
961 r = crypt_suspend(cd, action_argv[0]);
967 static int action_luksResume(int arg __attribute__((unused)))
969 struct crypt_device *cd = NULL;
972 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
975 crypt_set_timeout(cd, opt_timeout);
976 crypt_set_password_retry(cd, opt_tries);
979 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
980 opt_key_file, opt_keyfile_size);
982 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
989 static int action_luksBackup(int arg __attribute__((unused)))
991 struct crypt_device *cd = NULL;
994 if (!opt_header_backup_file) {
995 log_err(_("Option --header-backup-file is required.\n"));
999 if ((r = crypt_init(&cd, action_argv[0])))
1002 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1004 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1010 static int action_luksRestore(int arg __attribute__((unused)))
1012 struct crypt_device *cd = NULL;
1015 if (!opt_header_backup_file) {
1016 log_err(_("Option --header-backup-file is required.\n"));
1020 if ((r = crypt_init(&cd, action_argv[0])))
1023 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1024 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1030 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1031 int exitcode, const char *error,
1034 poptPrintUsage(popt_context, stderr, 0);
1036 log_err("%s: %s\n", more, error);
1040 static void help(poptContext popt_context,
1041 enum poptCallbackReason reason __attribute__((unused)),
1042 struct poptOption *key,
1043 const char *arg __attribute__((unused)),
1044 void *data __attribute__((unused)))
1046 if (key->shortName == '?') {
1047 struct action_type *action;
1049 log_std("%s\n",PACKAGE_STRING);
1051 poptPrintHelp(popt_context, stdout, 0);
1054 "<action> is one of:\n"));
1056 for(action = action_types; action->type; action++)
1057 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1060 "<name> is the device to create under %s\n"
1061 "<device> is the encrypted device\n"
1062 "<key slot> is the LUKS key slot number to modify\n"
1063 "<key file> optional key file for the new key for luksAddKey action\n"),
1066 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1067 "\tMaximum keyfile size: %dkB, "
1068 "Maximum interactive passphrase length %d (characters)\n"),
1069 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1071 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1072 "\tloop-AES: %s, Key %d bits\n"
1073 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1074 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1075 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1076 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1077 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1081 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1084 static void _dbg_version_and_cmd(int argc, const char **argv)
1088 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1089 for (i = 0; i < argc; i++) {
1092 log_std("%s", argv[i]);
1097 static int run_action(struct action_type *action)
1101 log_dbg("Running command %s.", action->type);
1103 if (action->required_memlock)
1104 crypt_memory_lock(NULL, 1);
1106 r = action->handler(action->arg);
1108 if (action->required_memlock)
1109 crypt_memory_lock(NULL, 0);
1111 /* Some functions returns keyslot # */
1117 /* Translate exit code to simple codes */
1119 case 0: r = EXIT_SUCCESS; break;
1121 case -EBUSY: r = 5; break;
1123 case -ENODEV: r = 4; break;
1124 case -ENOMEM: r = 3; break;
1125 case -EPERM: r = 2; break;
1129 default: r = EXIT_FAILURE;
1134 int main(int argc, const char **argv)
1136 static char *popt_tmp;
1137 static struct poptOption popt_help_options[] = {
1138 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1139 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1140 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1143 static struct poptOption popt_options[] = {
1144 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1145 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1146 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1147 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1148 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1149 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1150 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1151 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1152 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1153 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1154 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1155 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1156 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1157 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1158 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1159 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1160 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1161 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1162 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1163 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1164 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1165 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1166 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1167 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1168 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1169 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1170 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1171 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1172 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1173 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1176 poptContext popt_context;
1177 struct action_type *action;
1180 const char *null_action_argv[] = {NULL};
1182 crypt_set_log_callback(NULL, _log, NULL);
1184 setlocale(LC_ALL, "");
1185 bindtextdomain(PACKAGE, LOCALEDIR);
1186 textdomain(PACKAGE);
1188 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1189 poptSetOtherOptionHelp(popt_context,
1190 N_("[OPTION...] <action> <action-specific>]"));
1192 while((r = poptGetNextOpt(popt_context)) > 0) {
1193 unsigned long long ull_value;
1196 ull_value = strtoull(popt_tmp, &endp, 0);
1197 if (*endp || !*popt_tmp)
1198 r = POPT_ERROR_BADNUMBER;
1202 opt_size = ull_value;
1205 opt_offset = ull_value;
1208 opt_skip = ull_value;
1218 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1219 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1220 if (opt_version_mode) {
1221 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1225 if (!(aname = poptGetArg(popt_context)))
1226 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1227 poptGetInvocationName(popt_context));
1228 for(action = action_types; action->type; action++)
1229 if (strcmp(action->type, aname) == 0)
1232 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1233 poptGetInvocationName(popt_context));
1236 action_argv = poptGetArgs(popt_context);
1237 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1239 action_argv = null_action_argv;
1241 /* Count args, somewhat unnice, change? */
1242 while(action_argv[action_argc] != NULL)
1245 if(action_argc < action->required_action_argc) {
1247 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1248 usage(popt_context, EXIT_FAILURE, buf,
1249 poptGetInvocationName(popt_context));
1252 /* FIXME: rewrite this from scratch */
1254 if (opt_shared && strcmp(aname, "create")) {
1255 usage(popt_context, EXIT_FAILURE,
1256 _("Option --shared is allowed only for create operation.\n"),
1257 poptGetInvocationName(popt_context));
1260 if (opt_allow_discards &&
1261 strcmp(aname, "luksOpen") &&
1262 strcmp(aname, "create") &&
1263 strcmp(aname, "loopaesOpen")) {
1264 usage(popt_context, EXIT_FAILURE,
1265 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1266 poptGetInvocationName(popt_context));
1270 strcmp(aname, "luksFormat") &&
1271 strcmp(aname, "create") &&
1272 strcmp(aname, "loopaesOpen")) {
1273 usage(popt_context, EXIT_FAILURE,
1274 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1275 "To limit read from keyfile use --keyfile-size=(bytes)."),
1276 poptGetInvocationName(popt_context));
1279 if (opt_key_size % 8)
1280 usage(popt_context, EXIT_FAILURE,
1281 _("Key size must be a multiple of 8 bits"),
1282 poptGetInvocationName(popt_context));
1284 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1285 opt_key_slot = atoi(action_argv[1]);
1286 if (opt_key_slot != CRYPT_ANY_SLOT &&
1287 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1288 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1289 poptGetInvocationName(popt_context));
1291 if ((!strcmp(aname, "luksRemoveKey") ||
1292 !strcmp(aname, "luksFormat")) &&
1295 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1297 opt_key_file = action_argv[1];
1300 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1301 usage(popt_context, EXIT_FAILURE,
1302 _("Negative number for option not permitted."),
1303 poptGetInvocationName(popt_context));
1306 if (opt_random && opt_urandom)
1307 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1308 poptGetInvocationName(popt_context));
1309 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1310 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1311 poptGetInvocationName(popt_context));
1313 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1314 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1315 poptGetInvocationName(popt_context));
1317 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1318 usage(popt_context, EXIT_FAILURE,
1319 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1320 poptGetInvocationName(popt_context));
1322 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1323 usage(popt_context, EXIT_FAILURE,
1324 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1325 poptGetInvocationName(popt_context));
1329 crypt_set_debug_level(-1);
1330 _dbg_version_and_cmd(argc, argv);
1333 return run_action(action);
projects / platform / upstream / cryptsetup.git / blob