4 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
5 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
7 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
8 CRYPTSETUP_LIB_VALGRIND=../.libs
10 FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
11 FAST_PBKDF_ARGON="--pbkdf-force-iterations 4 --pbkdf-memory 32 --pbkdf-parallel 1"
12 DEFAULT_ARGON="argon2i"
27 [ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
29 function dm_crypt_features()
31 VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
32 [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
34 VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
35 VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
36 VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
38 [ $VER_MAJ -lt 1 ] && return
39 [ $VER_MAJ -gt 1 ] && {
45 [ $VER_MIN -lt 14 ] && return
47 if [ $VER_MIN -ge 17 -o \( $VER_MIN -eq 14 -a $VER_PTC -ge 5 \) ]; then
52 function dm_delay_features()
54 local _ver_str=$(dmsetup targets | grep delay | cut -f2 -dv)
55 [ -z "$_ver_str" ] && return 1
59 # $1 path to scsi debug bdev
60 scsi_debug_teardown() {
63 while [ -b "$1" -a $_tries -gt 0 ]; do
64 rmmod scsi_debug 2> /dev/null
71 test ! -b "$1" || rmmod scsi_debug 2> /dev/null
74 function remove_mapping()
76 [ -b /dev/mapper/$DEV_NAME ] && {
77 dmsetup resume $DEV_NAME
78 dmsetup remove --retry $DEV_NAME
80 [ -b /dev/mapper/$DEV_NAME2 ] && {
81 dmsetup resume $DEV_NAME2
82 dmsetup remove --retry $DEV_NAME2
84 [ -b /dev/mapper/$DEV_NAME-overlay ] && {
85 dmsetup resume $DEV_NAME-overlay
86 dmsetup remove --retry $DEV_NAME-overlay
88 [ -b /dev/mapper/$DEV_NAME-hotzone-forward ] && {
89 dmsetup resume $DEV_NAME-hotzone-forward
90 dmsetup remove --retry $DEV_NAME-hotzone-forward
92 [ -b /dev/mapper/$DEV_NAME-hotzone-backward ] && {
93 dmsetup resume $DEV_NAME-hotzone-backward
94 dmsetup remove --retry $DEV_NAME-hotzone-backward
96 [ -b /dev/mapper/$OVRDEV ] && dmsetup remove --retry $OVRDEV 2>/dev/null
97 [ -b /dev/mapper/$OVRDEV-err ] && dmsetup remove --retry $OVRDEV-err 2>/dev/null
98 [ -n "$LOOPDEV" ] && losetup -d $LOOPDEV
100 rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG >/dev/null 2>&1
101 rmmod scsi_debug 2> /dev/null
102 scsi_debug_teardown $DEV
108 [ -n "$1" ] && echo "$1"
109 echo "FAILED backtrace:"
110 while caller $frame; do ((frame++)); done
117 [ -n "$1" ] && echo "$1"
124 [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
127 function add_scsi_device() {
128 scsi_debug_teardown $DEV
129 modprobe scsi_debug $@ delay=0
130 if [ $? -ne 0 ] ; then
131 echo "This kernel seems to not support proper scsi_debug module, test skipped."
136 DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
137 [ -b $DEV ] || fail "Cannot find $DEV."
140 function open_crypt() # $1 pwd, $2 hdr
142 if [ -n "$2" ] ; then
143 echo "$1" | $CRYPTSETUP luksOpen $DEV $DEV_NAME --header $2 || fail
144 elif [ -n "$1" ] ; then
145 echo "$1" | $CRYPTSETUP luksOpen $DEV $DEV_NAME || fail
147 $CRYPTSETUP luksOpen -d $KEY1 $DEV $DEV_NAME || fail
151 function wipe_dev() # $1 dev
154 blkdiscard --zeroout $1 2>/dev/null || dd if=/dev/zero of=$1 bs=1M conv=notrunc >/dev/null 2>&1
156 local size=$(stat --printf="%s" $1)
162 function wipe() # $1 pass, $2 hdr
165 wipe_dev /dev/mapper/$DEV_NAME
166 udevadm settle >/dev/null 2>&1
167 $CRYPTSETUP luksClose $DEV_NAME || fail
170 function prepare() # $1 dev1_siz
174 if [ ! -e $KEY1 ]; then
175 dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
178 if [ ! -e $VKEY1 ]; then
179 echo -n $'\x44\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >$VKEY1
180 echo -n $'\x9c\x03\xba\xbe\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>$VKEY1
186 function preparebig() # $1 dev1_siz
190 if [ ! -e $KEY1 ]; then
191 dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
194 truncate -s "$1"M $DEVBIG
195 LOOPDEV=$(losetup -f)
196 losetup -f $DEVBIG || fail
200 function check_hash_dev() # $1 dev, $2 hash
202 HASH=$(sha256sum $1 | cut -d' ' -f 1)
203 [ $HASH != "$2" ] && fail "HASH differs (expected: $2) (result $HASH)"
206 function check_hash() # $1 pwd, $2 hash, $3 hdr
209 check_hash_dev /dev/mapper/$DEV_NAME $2
210 $CRYPTSETUP remove $DEV_NAME || fail
213 function check_hash_head() # $1 pwd, $2 len, $3 hash, $4 hdr
217 echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 --header $4 || fail
219 echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 || fail
221 check_hash_dev /dev/mapper/$DEV_NAME $3
222 $CRYPTSETUP remove $DEV_NAME || fail
225 function resize_file() # $1 dev, $2 shrink bytes
227 local size=$(stat --printf="%s" $1)
228 truncate -s $(($size + $2)) $1
232 function error_writes() { # $1 dmdev, $2 data dev, $3 offset, $4 size
233 local _dev_size=$(blockdev --getsz /dev/mapper/$1)
234 local _offset=$(($3+$4))
235 local _size=$((_dev_size-_offset))
238 dmsetup create $_err --table "0 $_dev_size error" || fail
240 if [ $3 -ne 0 ]; then
241 _table="0 $3 linear $2 0\n"
244 _table=$_table"$3 $4 delay $2 $3 0 /dev/mapper/$_err $3 0"
246 if [ $_size -ne 0 ]; then
247 _table="$_table\n$_offset $_size linear $2 $_offset"
250 echo -e "$_table" | dmsetup load $1 || fail
251 dmsetup resume $1 || fail
252 blockdev --setra 0 /dev/mapper/$1
253 blockdev --setra 0 /dev/mapper/$_err
256 function fix_writes() { # $1 dmdev, $2 data dev
257 local _dev_size=$(blockdev --getsz /dev/mapper/$1)
258 dmsetup load $1 --table "0 $_dev_size linear $2 0" || fail
259 dmsetup resume $1 || fail
260 dmsetup remove --retry $1-err 2>/dev/null || fail
263 function prepare_linear_dev() {
267 if [ "$_sizemb" -gt 32 ]; then
270 prepare dev_size_mb=$_sizemb $@
273 dmsetup create $OVRDEV --table "0 $((_sizemb*1024*2)) linear $DEV 0" || fail
276 DEV=/dev/mapper/$OVRDEV
279 function get_error_offsets() # $1 devsize, $2 minimal offset, $3 sector_size [512 if omitted], $4 max offset
281 local _devsize=$(($1*1024*2))
282 local _sector_size=${3:-512}
283 local _max_offset=${4:-$_devsize}
284 _sector_size=$((_sector_size/512))
286 # 8 sectors minimal size (4096)
287 ERRLENGTH=$((($RANDOM%56)+8))
288 ERRLENGTH=$(($ERRLENGTH-($ERRLENGTH%$_sector_size)))
290 ERROFFSET=$(($2+((2*$RANDOM)%($_max_offset-$2-$ERRLENGTH))))
291 ERROFFSET=$(($ERROFFSET-($ERROFFSET%$_sector_size)))
294 function reencrypt_recover() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
295 echo -n "resilience mode: $2 ..."
297 test -z "$4" || _hdr="--header $4"
299 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
300 echo $PWD1 | $CRYPTSETUP reencrypt $DEV $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail
301 fix_writes $OVRDEV $OLD_DEV
303 echo $PWD1 | $CRYPTSETUP -q repair $DEV $_hdr || fail
305 check_hash $PWD1 $3 $4
307 echo $PWD1 | $CRYPTSETUP reencrypt $DEV $_hdr --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON || fail
308 check_hash $PWD1 $3 $4
313 function reencrypt_recover_online() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
314 echo -n "resilience mode: $2 ..."
316 test -z "$4" || _hdr="--header $4"
318 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
320 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
321 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail
322 $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption: in-progress" || fail
323 $CRYPTSETUP close $DEV_NAME || fail
324 fix_writes $OVRDEV $OLD_DEV
326 # recovery during activation
327 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
328 check_hash_dev /dev/mapper/$DEV_NAME $3
330 $CRYPTSETUP luksDump ${4:-$DEV} | grep -q "online-reencrypt"
331 if [ $? -eq 0 ]; then
332 $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption: in-progress" || fail
333 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --resilience $2 --resume-only -q || fail
334 check_hash_dev /dev/mapper/$DEV_NAME $3
337 $CRYPTSETUP close $DEV_NAME || fail
341 function encrypt_recover() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
343 check_hash_dev $DEV $5
345 echo -n "resilience mode: datashift ..."
347 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 || fail
349 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
350 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q >/dev/null 2>&1 && fail
351 fix_writes $OVRDEV $OLD_DEV
353 echo $PWD1 | $CRYPTSETUP -q repair $DEV || fail
355 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt"
356 if [ $? -eq 0 ]; then
358 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --sector-size $1 -q $FAST_PBKDF_ARGON || fail
361 check_hash_head $PWD1 $4 $3
366 function encrypt_recover_online() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
368 check_hash_dev $DEV $5
370 echo -n "resilience mode: datashift ..."
372 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only > /dev/null || fail
373 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
375 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
376 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q >/dev/null 2>&1 && fail
377 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" || fail
378 $CRYPTSETUP close $DEV_NAME || fail
379 fix_writes $OVRDEV $OLD_DEV
381 # recovery in activation
382 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
384 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt"
385 if [ $? -eq 0 ]; then
386 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" || fail
387 check_hash_dev /dev/mapper/$DEV_NAME $3
388 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --active-name $DEV_NAME -q || fail
391 $CRYPTSETUP close $DEV_NAME || fail
392 check_hash_head $PWD1 $4 $3
397 function encrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
399 check_hash_dev $DEV $3
401 echo -n "resilience mode: $2 ..."
403 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
404 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --hotzone-size 1M --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
405 fix_writes $OVRDEV $OLD_DEV
407 echo $PWD1 | $CRYPTSETUP repair $DEV --header $4 || fail
409 check_hash $PWD1 $3 $4
411 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON || fail
412 check_hash $PWD1 $3 $4
417 function encrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
419 check_hash_dev $DEV $3
421 echo -n "resilience mode: $2 ..."
423 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --hotzone-size 1M --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only || fail
424 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
426 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
427 echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $4 --hotzone-size 1M 2>/dev/null && fail
428 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
429 $CRYPTSETUP close $DEV_NAME || fail
430 fix_writes $OVRDEV $OLD_DEV
432 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
433 check_hash_dev /dev/mapper/$DEV_NAME $3
435 $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
436 if [ $? -eq 0 ]; then
437 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
438 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --resume-only --header $4 --resilience $2 -q || fail
439 check_hash_dev /dev/mapper/$DEV_NAME $3
442 $CRYPTSETUP close $DEV_NAME || fail
447 function decrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
448 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size $1 --header $4 $FAST_PBKDF_ARGON $DEV || fail
450 check_hash $PWD1 $3 $4
452 echo -n "resilience mode: $2 ..."
454 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
455 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --hotzone-size 1M --header $4 --resilience $2 -q 2>/dev/null && fail
456 fix_writes $OVRDEV $OLD_DEV
458 echo $PWD1 | $CRYPTSETUP repair $DEV --header $4 || fail
460 $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
461 if [ $? -eq 0 ]; then
462 check_hash $PWD1 $3 $4
463 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --resume-only --header $4 --resilience $2 -q || fail
466 check_hash_dev $DEV $3
471 function decrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
472 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size $1 --header $4 $FAST_PBKDF_ARGON $DEV || fail
473 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
474 wipe_dev /dev/mapper/$DEV_NAME
475 check_hash_dev /dev/mapper/$DEV_NAME $3
477 echo -n "resilience mode: $2 ..."
479 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
480 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --hotzone-size 1M --header $4 --resilience $2 -q 2>/dev/null && fail
481 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
482 $CRYPTSETUP close $DEV_NAME || fail
483 fix_writes $OVRDEV $OLD_DEV
485 # recovery during activation
486 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
488 $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
489 if [ $? -eq 0 ]; then
490 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
491 check_hash_dev /dev/mapper/$DEV_NAME $3
492 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $4 --resilience $2 -q || fail
495 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
496 check_hash_dev $DEV $3
501 # sector size (bytes)
502 # reenc dev size (sectors)
508 function reencrypt_offline_fixed_size() {
509 local _esz=$(($1>>9))
511 test -z "$7" || _hdr="--header $7"
513 # reencrypt with fixed device size
514 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --device-size $2s --resilience $4 || fail
515 check_hash_head $PWD1 $2 $3 $7
518 # try to reencrypt device size + 1 encryption sector size
519 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
520 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
521 check_hash $PWD1 $6 $7
523 # misaligned reencryption size
524 if [ $_esz -gt 1 ]; then
525 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
526 $CRYPTSETUP luksDump ${7:-$DEV} | grep -q "2: crypt" || fail
527 $CRYPTSETUP luksDump ${7:-$DEV} | grep -q "3: crypt" && fail
528 check_hash $PWD1 $6 $7
532 # sector size (bytes)
533 # reenc dev size (sectors)
539 function encrypt_offline_fixed_size() {
540 local _esz=$(($1>>9))
542 # reencrypt with fixed device size
544 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --device-size $2s --resilience $4 || fail
545 check_hash_head $PWD1 $2 $3 $7
547 # try to reencrypt device size + 1 encryption sector size
549 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --init-only || fail
550 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
551 check_hash $PWD1 $6 $7
553 # misaligned reencryption size
554 if [ $_esz -gt 1 ]; then
555 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --init-only || fail
556 echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $7 --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
557 $CRYPTSETUP luksDump $7 | grep -q "2: crypt" || fail
558 $CRYPTSETUP luksDump $7 | grep -q "3: crypt" && fail
559 check_hash $PWD1 $6 $7
563 # sector size (bytes)
564 # reenc dev size (sectors)
570 function decrypt_offline_fixed_size() {
571 local _esz=$(($1>>9))
573 # decrypt with fixed device size
574 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 || fail
576 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt -q $DEV --header $7 --device-size $2s --resilience $4 || fail
578 dmsetup load $OVRDEV --table "0 $2 linear $OLD_DEV 0" || fail
579 dmsetup resume $OVRDEV || fail
580 check_hash_dev $DEV $3
581 dmsetup load $OVRDEV --table "0 $5 linear $OLD_DEV 0" || fail
582 dmsetup resume $OVRDEV || fail
584 # try to decrypt device size + 1 encryption sector size
585 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 || fail
587 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --init-only || fail
588 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
589 check_hash $PWD1 $6 $7
591 # misaligned reencryption size
592 if [ $_esz -gt 1 ]; then
593 echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $7 --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
594 $CRYPTSETUP luksDump $7 | grep -q "2: linear\|2: crypt" || fail
595 $CRYPTSETUP luksDump $7 | grep -q "3: crypt\|3: linear" && fail
596 check_hash $PWD1 $6 $7
600 # sector size (bytes)
601 # reenc dev size (sectors)
607 function reencrypt_online_fixed_size() {
608 local _esz=$(($1>>9))
610 test -z "$7" || _hdr="--header $7"
612 if [ -z "$_hdr" ]; then
613 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
615 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 $_hdr $FAST_PBKDF_ARGON $DEV || fail
619 # reencrypt with fixed device size
620 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
621 echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $2 || fail
622 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --resilience $4 || fail
623 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "$2 sectors" || fail
624 $CRYPTSETUP close $DEV_NAME || fail
625 check_hash_head $PWD1 $2 $3 $7
628 # active device != requested reencryption size
629 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
630 echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $2 || fail
631 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
632 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($2-_esz))s --resilience $4 2>/dev/null && fail
633 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $2s --resilience $4 || fail
634 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "$2 sectors" || fail
635 $CRYPTSETUP close $DEV_NAME || fail
636 check_hash_head $PWD1 $2 $3 $7
638 # misaligned reencryption size
639 if [ $_esz -gt 1 ]; then
640 if [ -z "$_hdr" ]; then
641 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
643 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 $_hdr $FAST_PBKDF_ARGON $DEV || fail
646 check_hash $PWD1 $6 $7
648 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
649 echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $(($2+_esz-1)) || fail
650 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
651 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --resilience $4 2>/dev/null && fail
652 $CRYPTSETUP close $DEV_NAME || fail
653 check_hash $PWD1 $6 $7
657 function setup_luks2_env() {
658 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail
659 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
660 HAVE_KEYRING=$($CRYPTSETUP status $DEV_NAME | grep "key location: keyring")
661 if [ -n "$HAVE_KEYRING" ]; then
666 DEF_XTS_KEY=$($CRYPTSETUP status $DEV_NAME | grep "keysize:" | sed 's/\( keysize: \)\([0-9]\+\)\(.*\)/\2/')
667 [ -n "$DEF_XTS_KEY" ] || fail "Failed to parse xts mode key size."
668 $CRYPTSETUP close $DEV_NAME || fail
671 function valgrind_setup()
673 which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
674 [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
675 export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
678 function valgrind_run()
680 INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
683 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
684 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
685 fips_mode && skip "This test cannot be run in FIPS mode."
686 modprobe --dry-run scsi_debug || exit 77
687 modprobe dm-crypt || fail "dm-crypt failed to load"
688 modprobe dm-delay > /dev/null 2>&1
691 if [ -n "$DM_SECTOR_SIZE" ]; then
692 TEST_SECTORS="512 4096"
697 modinfo scsi_debug -p | grep -q opt_xferlen_exp && OPT_XFERLEN_EXP="opt_xferlen_exp=6"
701 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
705 # 28 MiBs of zeros (32MiBs - 4MiB LUKS2 header)
706 HASH1=f8280c81b347b01405277bf9e8bf0685ae8be863ff104797c65b7169f8203fd2
708 HASH2=30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58
710 HASH3=a6d72ac7690f53be6ae46ba88506bd97302a093f7108472bd9efc3cefda06484
712 HASH4=3b6a07d0d404fab4e23b6d34bc6696a6a312dd92821332385e5af7c01c421351
714 HASH5=8afcb7e7189ce4d112fd245eaa60c3cfcf5a5d5e1d6bf4eb85941d73ef8cfbd5
716 HASH6=39f7c6d38af574fe2c90ef400dfaba8ef8edccd11bdac998a3f8143a86837331
718 HASH7=18a393d1a505e22ccf3e29effe3005ea8627e4c36b7cca0e53f58121f49b67e1
720 HASH8=cf5ac69ca412f9b3b1a8b8de27d368c5c05ed4b1b6aa40e6c38d9cbf23711342
722 prepare dev_size_mb=32
725 echo "[1] Reencryption"
726 echo -n "[512 sector]"
727 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
729 check_hash $PWD1 $HASH1
730 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>&1 | tail -1 | grep -q "not supported" && skip " No reenryption support, test skipped."
731 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
732 check_hash $PWD1 $HASH1
733 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
734 check_hash $PWD1 $HASH1
735 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
736 check_hash $PWD1 $HASH1
737 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
738 check_hash $PWD1 $HASH1
739 # simple test --active-name can consume absolute path to mapping
740 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -c aes-xts-plain64 --init-only $FAST_PBKDF_ARGON || fail
741 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
742 echo $PWD1 | $CRYPTSETUP reencrypt --active-name /dev/mapper/$DEV_NAME --resilience none -q || fail
743 XTS_KEY=$($CRYPTSETUP status $DEV_NAME | grep "keysize:" | sed 's/\( keysize: \)\([0-9]\+\)\(.*\)/\2/')
744 [ "$XTS_KEY" -eq "$DEF_XTS_KEY" ] || fail "xts mode has wrong key size after reencryption ($XTS_KEY != expected $DEF_XTS_KEY)"
745 echo $PWD1 | $CRYPTSETUP close $DEV_NAME || fail
746 echo -n "[OK][4096 sector]"
747 prepare sector_size=4096 dev_size_mb=32
748 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
750 check_hash $PWD1 $HASH1
751 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
752 check_hash $PWD1 $HASH1
753 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
754 check_hash $PWD1 $HASH1
755 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
756 check_hash $PWD1 $HASH1
757 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
758 check_hash $PWD1 $HASH1
759 if [ -n "$DM_SECTOR_SIZE" ]; then
760 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON --sector-size 4096 || fail
761 check_hash $PWD1 $HASH1
762 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal --sector-size 2048 $FAST_PBKDF_ARGON || fail
763 check_hash $PWD1 $HASH1
764 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON --sector-size 1024 || fail
765 check_hash $PWD1 $HASH1
766 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum --sector-size 512 $FAST_PBKDF_ARGON || fail
767 check_hash $PWD1 $HASH1
769 echo -n "[OK][4096/512 sector]"
770 prepare sector_size=512 physblk_exp=3 dev_size_mb=32
771 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
773 check_hash $PWD1 $HASH1
774 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
775 check_hash $PWD1 $HASH1
776 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
777 check_hash $PWD1 $HASH1
778 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
779 check_hash $PWD1 $HASH1
780 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
781 check_hash $PWD1 $HASH1
784 # reencrypt minimal device size (FIXME: change data device size to single encryption sector size)
785 # temporary small device size is default luks2 hdr size + 1MiB
786 echo -n "[small device reencryption]"
787 prepare dev_size_mb=5
788 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
790 check_hash $PWD1 $HASH2
791 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
792 check_hash $PWD1 $HASH2
793 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
794 check_hash $PWD1 $HASH2
795 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
796 check_hash $PWD1 $HASH2
797 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
798 check_hash $PWD1 $HASH2
799 if [ -n "$DM_SECTOR_SIZE" ]; then
800 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON --sector-size 4096 || fail
801 check_hash $PWD1 $HASH2
802 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal --sector-size 2048 $FAST_PBKDF_ARGON || fail
803 check_hash $PWD1 $HASH2
804 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON --sector-size 1024 || fail
805 check_hash $PWD1 $HASH2
806 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum --sector-size 512 $FAST_PBKDF_ARGON || fail
807 check_hash $PWD1 $HASH2
811 echo "[2] Encryption with data shift"
812 # well, movin' zeroes :-)
815 check_hash_dev $DEV $HASH4
816 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON || fail
817 check_hash_head $PWD1 $((56*1024*2)) $HASH5
819 check_hash_dev $DEV $HASH4
820 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c twofish-cbc-essiv:sha256 -s 128 --reduce-device-size 21M -q $FAST_PBKDF_ARGON || fail
821 check_hash_head $PWD1 $((43*1024*2)) $HASH6
823 # offset 21504 equals 10,5MiBs, equals --reduce-device-size 21M from test above (30M is ignored here, we'll reduce it to 21M in cryptsetup anyway)
824 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c twofish-cbc-essiv:sha256 -s 128 --offset 21504 --reduce-device-size 30M -q $FAST_PBKDF_ARGON > /dev/null || fail
825 check_hash_head $PWD1 $((43*1024*2)) $HASH6
827 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 33M -q $FAST_PBKDF_ARGON || fail
828 check_hash_head $PWD1 $((31*1024*2)) $HASH7
830 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON > /dev/null 2>&1 && fail
831 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 8M --init-only -q $FAST_PBKDF_ARGON $DEV || fail
832 resize_file $DEVBIG -512
833 echo $PWD1 | $CRYPTSETUP reencrypt $DEV 2> /dev/null && fail
834 resize_file $DEVBIG 512
836 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --offset 32760 --reduce-device-size 8M -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 && fail
837 # data offset at 21MiB
838 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --header $IMG_HDR --offset 43008 --reduce-device-size 21M -q $FAST_PBKDF_ARGON || fail
839 check_hash $PWD1 $HASH6 $IMG_HDR
840 $CRYPTSETUP luksHeaderRestore --header-backup-file $IMG_HDR $DEV -q || fail
841 check_hash $PWD1 $HASH6
843 # Device activation after encryption initialization
845 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 -S11 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
846 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
847 check_hash_dev /dev/mapper/$DEV_NAME $HASH5
848 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only $DEV -q || fail
849 check_hash_dev /dev/mapper/$DEV_NAME $HASH5
851 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
852 $CRYPTSETUP close $DEV_NAME
853 check_hash_head $PWD1 $((56*1024*2)) $HASH5
855 # Device activation using key file
857 echo -n $PWD1 > $KEY1
858 $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
859 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
860 $CRYPTSETUP close $DEV_NAME
861 echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
863 echo "[3] Encryption with detached header"
866 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
867 check_hash $PWD1 $HASH3 $IMG_HDR
869 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --resilience journal --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
870 check_hash $PWD1 $HASH3 $IMG_HDR
872 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c twofish-cbc-essiv:sha256 -s 128 --resilience none --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
873 check_hash $PWD1 $HASH3 $IMG_HDR
875 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
876 check_hash $PWD1 $HASH3 $IMG_HDR
878 # Device activation after encryption initialization
880 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV $DEV_NAME >/dev/null || fail
881 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
882 check_hash_dev /dev/mapper/$DEV_NAME $HASH3
883 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --header $IMG_HDR --active-name $DEV_NAME -q || fail
884 check_hash_dev /dev/mapper/$DEV_NAME $HASH3
885 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
886 $CRYPTSETUP close $DEV_NAME
887 check_hash $PWD1 $HASH3 $IMG_HDR
889 # Device activation using key file
891 echo -n $PWD1 > $KEY1
892 $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
893 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
894 $CRYPTSETUP close $DEV_NAME
895 echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
897 echo "[4] Reencryption with detached header"
899 echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
900 check_hash $PWD1 $HASH3 $IMG_HDR
901 echo $PWD1 | $CRYPTSETUP reencrypt --resilience journal --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
902 check_hash $PWD1 $HASH3 $IMG_HDR
903 echo $PWD1 | $CRYPTSETUP reencrypt -c twofish-cbc-essiv:sha256 -s 128 --resilience none --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
904 check_hash $PWD1 $HASH3 $IMG_HDR
905 echo $PWD1 | $CRYPTSETUP reencrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
906 check_hash $PWD1 $HASH3 $IMG_HDR
907 # trivial check for detached header misuse
908 dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
909 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
910 echo $PWD1 | $CRYPTSETUP open $IMG $DEV_NAME --header $IMG_HDR || fail
911 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME2 --header $IMG_HDR || fail
912 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --header $IMG_HDR -q || fail
913 # key description mismatch in active device
914 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME2 --header $IMG_HDR >/dev/null 2>&1 && fail
915 # also check it can abort initialization in this case
916 $CRYPTSETUP luksDump $IMG_HDR | grep -q "online-reencrypt" && fail
917 $CRYPTSETUP close $DEV_NAME || fail
918 $CRYPTSETUP close $DEV_NAME2 || fail
920 echo "[5] Decryption with detached header"
921 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
923 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR $DEV || fail
924 check_hash_dev $DEV $HASH3
925 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
927 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience journal --header $IMG_HDR $DEV || fail
928 check_hash_dev $DEV $HASH3
929 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c twofish-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
931 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience none --header $IMG_HDR $DEV || fail
932 check_hash_dev $DEV $HASH3
933 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
935 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience checksum --header $IMG_HDR $DEV || fail
936 check_hash_dev $DEV $HASH3
938 # check deferred remove works as expected after decryption
939 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
940 open_crypt $PWD1 $IMG_HDR
941 dmsetup create $DEV_NAME2 --table "0 1 linear /dev/mapper/$DEV_NAME 0" || fail
942 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience checksum --header $IMG_HDR --active-name $DEV_NAME || fail
943 $CRYPTSETUP status $DEV_NAME >/dev/null || fail
944 dmsetup remove --retry $DEV_NAME2
945 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
947 # check tool can block some funny user ideas
949 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain -q $FAST_PBKDF_ARGON $DEV || fail
950 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q 2>/dev/null && fail
951 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $DEV -q 2>/dev/null && fail
953 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME -q 2>/dev/null && fail
954 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME --header $DEV -q 2>/dev/null && fail
955 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" && fail
956 $CRYPTSETUP close $DEV_NAME
958 if ! dm_delay_features; then
959 echo "dm-delay target is missing, skipping recovery tests."
964 echo "[6] Reencryption recovery"
965 # (check opt-io size optimization in reencryption code does not affect recovery)
966 # device with opt-io size 32k
967 prepare_linear_dev 32 opt_blks=64 $OPT_XFERLEN_EXP
970 echo "sector size 512->512"
972 get_error_offsets 32 $OFFSET
973 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
975 check_hash $PWD1 $HASH1
977 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
978 reencrypt_recover 512 checksum $HASH1
979 reencrypt_recover 512 journal $HASH1
981 if [ -n "$DM_SECTOR_SIZE" ]; then
982 echo "sector size 512->4096"
984 get_error_offsets 32 $OFFSET 4096
985 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
987 check_hash $PWD1 $HASH1
989 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
990 reencrypt_recover 4096 checksum $HASH1
991 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
993 check_hash $PWD1 $HASH1
994 reencrypt_recover 4096 journal $HASH1
996 echo "sector size 4096->4096"
998 get_error_offsets 32 $OFFSET 4096
999 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1001 check_hash $PWD1 $HASH1
1003 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1004 reencrypt_recover 4096 checksum $HASH1
1005 reencrypt_recover 4096 journal $HASH1
1008 echo "[7] Reencryption recovery (online i/o error)"
1010 echo "sector size 512->512"
1012 get_error_offsets 32 $OFFSET
1013 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1015 check_hash $PWD1 $HASH1
1017 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1018 reencrypt_recover_online 512 checksum $HASH1
1019 reencrypt_recover_online 512 journal $HASH1
1021 if [ -n "$DM_SECTOR_SIZE" ]; then
1022 echo "sector size 512->4096"
1024 get_error_offsets 32 $OFFSET 4096
1025 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1027 check_hash $PWD1 $HASH1
1029 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1030 reencrypt_recover_online 4096 checksum $HASH1
1031 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1033 check_hash $PWD1 $HASH1
1034 reencrypt_recover_online 4096 journal $HASH1
1036 echo "sector size 4096->4096"
1038 get_error_offsets 32 $OFFSET 4096
1039 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1041 check_hash $PWD1 $HASH1
1043 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1044 reencrypt_recover_online 4096 checksum $HASH1
1045 reencrypt_recover_online 4096 journal $HASH1
1048 echo "[8] Reencryption with detached header recovery"
1049 prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
1051 echo "sector size 512->512"
1053 get_error_offsets 31 0
1054 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1056 check_hash $PWD1 $HASH7 $IMG_HDR
1058 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1059 reencrypt_recover 512 checksum $HASH7 $IMG_HDR
1060 reencrypt_recover 512 journal $HASH7 $IMG_HDR
1062 if [ -n "$DM_SECTOR_SIZE" ]; then
1063 echo "sector size 512->4096"
1065 get_error_offsets 31 0 4096
1066 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1068 check_hash $PWD1 $HASH7 $IMG_HDR
1070 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1071 reencrypt_recover 4096 checksum $HASH7 $IMG_HDR
1072 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1074 check_hash $PWD1 $HASH7 $IMG_HDR
1075 reencrypt_recover 4096 journal $HASH7 $IMG_HDR
1077 echo "sector size 4096->4096"
1079 get_error_offsets 31 0 4096
1080 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1082 check_hash $PWD1 $HASH7 $IMG_HDR
1084 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1085 reencrypt_recover 4096 checksum $HASH7 $IMG_HDR
1086 reencrypt_recover 4096 journal $HASH7 $IMG_HDR
1089 echo "[9] Reencryption with detached header recovery (online i/o error)"
1091 echo "sector size 512->512"
1093 get_error_offsets 31 0
1094 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1096 check_hash $PWD1 $HASH7 $IMG_HDR
1098 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1099 reencrypt_recover_online 512 checksum $HASH7 $IMG_HDR
1100 reencrypt_recover_online 512 journal $HASH7 $IMG_HDR
1102 if [ -n "$DM_SECTOR_SIZE" ]; then
1103 echo "sector size 512->4096"
1105 get_error_offsets 31 0 4096
1106 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1108 check_hash $PWD1 $HASH7 $IMG_HDR
1110 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1111 reencrypt_recover_online 4096 checksum $HASH7 $IMG_HDR
1112 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1114 check_hash $PWD1 $HASH7 $IMG_HDR
1115 reencrypt_recover_online 4096 journal $HASH7 $IMG_HDR
1117 echo "sector size 4096->4096"
1119 get_error_offsets 31 0 4096
1120 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1122 check_hash $PWD1 $HASH7 $IMG_HDR
1124 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1125 reencrypt_recover_online 4096 checksum $HASH7 $IMG_HDR
1126 reencrypt_recover_online 4096 journal $HASH7 $IMG_HDR
1129 echo "[10] Encryption recovery"
1130 prepare_linear_dev 64
1131 OFFSET=$((2*1024*2))
1133 echo "sector size 512"
1135 get_error_offsets 64 $OFFSET 512 $((62*1024*2))
1137 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1138 encrypt_recover 512 4M $HASH8 $((60*1024*2)) $HASH4
1140 if [ -n "$DM_SECTOR_SIZE" ]; then
1141 echo "sector size 4096"
1143 get_error_offsets 64 $OFFSET 4096 $((62*1024*2))
1145 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1146 encrypt_recover 4096 4M $HASH8 $((60*1024*2)) $HASH4
1149 echo "[11] Encryption recovery (online i/o error)"
1151 echo "sector size 512"
1153 get_error_offsets 64 $OFFSET 512 $((62*1024*2))
1155 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1156 encrypt_recover_online 512 4M $HASH8 $((60*1024*2)) $HASH4
1158 if [ -n "$DM_SECTOR_SIZE" ]; then
1159 echo "sector size 4096"
1161 get_error_offsets 64 $OFFSET 4096 $((62*1024*2))
1163 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1164 encrypt_recover_online 4096 4M $HASH8 $((60*1024*2)) $HASH4
1167 echo "[12] Encryption with detached header recovery"
1168 prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
1170 get_error_offsets 31 0
1172 echo "sector size 512"
1174 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1175 encrypt_recover_detached 512 checksum $HASH7 $IMG_HDR
1176 encrypt_recover_detached 512 journal $HASH7 $IMG_HDR
1178 if [ -n "$DM_SECTOR_SIZE" ]; then
1179 get_error_offsets 31 0 4096
1181 echo "sector size 4096"
1183 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1184 encrypt_recover_detached 4096 checksum $HASH7 $IMG_HDR
1185 encrypt_recover_detached 4096 journal $HASH7 $IMG_HDR
1188 echo "[13] Encryption with detached header recovery (online i/o error)"
1190 get_error_offsets 31 0
1192 echo "sector size 512"
1194 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1195 encrypt_recover_detached_online 512 checksum $HASH7 $IMG_HDR
1196 encrypt_recover_detached_online 512 journal $HASH7 $IMG_HDR
1198 if [ -n "$DM_SECTOR_SIZE" ]; then
1199 get_error_offsets 31 0 4096
1201 echo "sector size 4096"
1203 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1204 encrypt_recover_detached_online 4096 checksum $HASH7 $IMG_HDR
1205 encrypt_recover_detached_online 4096 journal $HASH7 $IMG_HDR
1208 echo "[14] Decryption with detached header recovery"
1210 echo "sector size 512"
1212 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1213 get_error_offsets 31 2049
1215 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1216 decrypt_recover_detached 512 journal $HASH7 $IMG_HDR
1217 decrypt_recover_detached 512 checksum $HASH7 $IMG_HDR
1219 if [ -n "$DM_SECTOR_SIZE" ]; then
1220 echo "sector size 4096"
1222 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1223 get_error_offsets 31 2048 4096
1225 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1226 decrypt_recover_detached 4096 checksum $HASH7 $IMG_HDR
1227 decrypt_recover_detached 4096 journal $HASH7 $IMG_HDR
1230 echo "[15] Decryption with detached header recovery (online i/o error)"
1232 echo "sector size 512"
1234 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1235 get_error_offsets 31 2049
1237 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1238 decrypt_recover_detached_online 512 journal $HASH7 $IMG_HDR
1239 decrypt_recover_detached_online 512 checksum $HASH7 $IMG_HDR
1241 if [ -n "$DM_SECTOR_SIZE" ]; then
1242 echo "sector size 4096"
1244 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1245 get_error_offsets 31 2048 4096
1247 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1248 decrypt_recover_detached_online 4096 checksum $HASH7 $IMG_HDR
1249 decrypt_recover_detached_online 4096 journal $HASH7 $IMG_HDR
1252 echo "[16] Offline reencryption with fixed device size."
1254 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
1256 check_hash $PWD1 $HASH8
1258 for test_ss in $TEST_SECTORS; do
1259 printf "sector size %4s: " $test_ss
1260 for test_res in checksum journal none; do
1261 echo -n "[$test_res]"
1262 reencrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8
1263 reencrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8
1264 reencrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8
1270 echo "[17] Online reencryption with fixed device size."
1271 for test_ss in $TEST_SECTORS; do
1272 printf "sector size %4s: " $test_ss
1273 for test_res in checksum journal none; do
1274 echo -n "[$test_res]"
1275 reencrypt_online_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8
1276 reencrypt_online_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8
1277 reencrypt_online_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8
1283 echo "[18] Offline reencryption with fixed device size (detached header)."
1285 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1287 check_hash $PWD1 $HASH8 $IMG_HDR
1289 for test_ss in $TEST_SECTORS; do
1290 printf "sector size %4s: " $test_ss
1291 for test_res in checksum journal none; do
1292 echo -n "[$test_res]"
1293 reencrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1294 reencrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1295 reencrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1301 echo "[19] Online reencryption with fixed device size (detached header)."
1302 for test_ss in $TEST_SECTORS; do
1303 printf "sector size %4s: " $test_ss
1304 for test_res in checksum journal none; do
1305 echo -n "[$test_res]"
1306 reencrypt_online_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1307 reencrypt_online_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1308 reencrypt_online_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1314 echo "[20] Offline encryption with fixed device size (detached header)."
1315 for test_ss in $TEST_SECTORS; do
1316 printf "sector size %4s: " $test_ss
1317 for test_res in checksum journal none; do
1318 echo -n "[$test_res]"
1319 encrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1320 encrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1321 encrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1327 echo "[21] Offline decryption with fixed device size (detached header)."
1328 prepare_linear_dev 60
1329 for test_ss in $TEST_SECTORS; do
1330 printf "sector size %4s: " $test_ss
1331 for test_res in checksum journal none; do
1332 echo -n "[$test_res]"
1333 decrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1334 decrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1335 decrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1341 echo "[22] Multi-keyslot device reencryption"
1342 prepare dev_size_mb=17
1343 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 32768 $FAST_PBKDF_ARGON $DEV || fail
1344 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV || fail
1345 echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON $DEV || fail
1347 check_hash $PWD1 $HASH2
1349 echo -e "$PWD1\n$PWD2\n$PWD3" | $CRYPTSETUP reencrypt $DEV -q || fail
1350 check_hash $PWD1 $HASH2
1351 check_hash $PWD2 $HASH2
1352 check_hash $PWD3 $HASH2
1354 # check at least pbkdf type is preserved
1355 $CRYPTSETUP luksDump $DEV | grep -e "3: luks2" -A5 | grep -q "argon2" || fail
1356 $CRYPTSETUP luksDump $DEV | grep -e "4: luks2" -A5 | grep -q "pbkdf2" || fail
1357 $CRYPTSETUP luksDump $DEV | grep -e "5: luks2" -A5 | grep -q "argon2" || fail
1359 echo $PWD1 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV $KEY1 || fail
1361 # with more keyslots, specific has to be selected
1362 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q 2>/dev/null && fail
1363 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q -S0 || fail
1365 check_hash_dev /dev/mapper/$DEV_NAME $HASH2
1366 $CRYPTSETUP close $DEV_NAME
1368 # there should be single keyslot now
1369 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q || fail
1370 echo $PWD1 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S1 -d $KEY1 || fail
1372 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S2 --unbound --key-size 32 || fail
1373 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S22 --unbound --key-size 32 || fail
1374 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S23 --unbound --key-size 32 || fail
1376 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -S1 -q || fail
1377 $CRYPTSETUP open --test-passphrase -d $KEY1 $DEV 2>/dev/null && fail
1378 echo $PWD3 | $CRYPTSETUP open --test-passphrase -S2 $DEV || fail
1379 echo $PWD3 | $CRYPTSETUP open --test-passphrase -S22 $DEV || fail
1380 check_hash $PWD1 $HASH2
1384 while [ $COUNT -gt 0 ]; do
1385 echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF_ARGON || fail
1389 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -S0 -q 2>/dev/null && fail
1390 echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 30 || fail
1391 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -S0 || fail
1394 while [ $COUNT -gt 0 ]; do
1395 echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF_ARGON || fail
1399 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1" | $CRYPTSETUP reencrypt $DEV -q 2>/dev/null && fail
1400 echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 1 || fail
1401 # one wrong passphrase
1402 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD2" | $CRYPTSETUP reencrypt $DEV -q 2>/dev/null && fail
1403 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --resume-only -q 2>/dev/null && fail
1404 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1" | $CRYPTSETUP reencrypt $DEV -q || fail
1406 echo "[23] Reencryption with specified new volume key"
1407 prepare dev_size_mb=32
1408 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 256 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
1409 echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON $DEV || fail
1411 check_hash $PWD1 $HASH1
1412 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -S0 $FAST_PBKDF_ARGON --master-key-file $VKEY1 -s 128 || fail
1413 check_hash $PWD1 $HASH1
1414 $CRYPTSETUP luksErase -q $DEV || fail
1415 echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_ARGON --master-key-file $VKEY1 -s 128 $DEV || fail
1416 check_hash $PWD1 $HASH1
1418 echo "[24] Reencryption with initial cipher_null"
1419 # aka custom encryption
1420 prepare dev_size_mb=32
1421 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
1423 check_hash $PWD1 $HASH1
1424 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
1425 check_hash $PWD1 $HASH1
1428 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
1430 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME
1431 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
1432 check_hash_dev /dev/mapper/$DEV_NAME $HASH1
1433 if [ $HAVE_KEYRING -gt 0 ]; then
1434 $CRYPTSETUP status $DEV_NAME | grep -q "key location: keyring" || fail
1436 $CRYPTSETUP close $DEV_NAME
1438 # simulate LUKS2 device with cipher_null in both keyslot and segment (it can be created only by up conversion from LUKS1)
1439 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF2 $DEV || fail
1440 $CRYPTSETUP convert -q --type luks2 $DEV || fail
1442 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON >/dev/null || fail
1443 check_hash $PWD1 $HASH1
1444 # both keyslot and segment cipher must not be null after reencryption with default params
1445 $CRYPTSETUP luksDump $DEV | grep -q "cipher_null" && fail
1447 # multistep reencryption with initial cipher_null
1449 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $DEV -c null --offset 16384 -q $FAST_PBKDF_ARGON || fail
1450 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME
1451 wipe_dev /dev/mapper/$DEV_NAME
1452 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --hotzone-size 1M --resilience none -q $FAST_PBKDF_ARGON >/dev/null || fail
1453 $CRYPTSETUP close $DEV_NAME
1454 check_hash $PWD1 $HASH5
1456 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $DEV -c null --offset 16384 -q $FAST_PBKDF_ARGON || fail
1458 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --hotzone-size 1M --resilience none -q $FAST_PBKDF_ARGON >/dev/null || fail
1459 check_hash $PWD1 $HASH5
1461 echo "[25] Reencryption recovery with cipher_null"
1462 # (check opt-io size optimization in reencryption code does not affect recovery)
1463 # device with opt-io size 32k
1464 prepare_linear_dev 32 opt_blks=64 $OPT_XFERLEN_EXP
1467 echo "sector size 512->512"
1469 get_error_offsets 32 $OFFSET
1470 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1472 check_hash $PWD1 $HASH1
1474 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1475 reencrypt_recover 512 checksum $HASH1
1476 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1478 reencrypt_recover 512 journal $HASH1
1480 if [ -n "$DM_SECTOR_SIZE" ]; then
1481 echo "sector size 512->4096"
1483 get_error_offsets 32 $OFFSET 4096
1484 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1486 check_hash $PWD1 $HASH1
1488 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1489 reencrypt_recover 4096 checksum $HASH1
1490 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1492 check_hash $PWD1 $HASH1
1493 reencrypt_recover 4096 journal $HASH1
1495 echo "sector size 4096->4096"
1497 get_error_offsets 32 $OFFSET 4096
1498 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1500 check_hash $PWD1 $HASH1
1502 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1503 reencrypt_recover 4096 checksum $HASH1
1504 reencrypt_recover 4096 journal $HASH1
1507 echo "[26] Reencryption recovery with cipher_null (online i/o error)"
1509 echo "sector size 512->512"
1511 get_error_offsets 32 $OFFSET
1512 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 -c null --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1514 check_hash $PWD1 $HASH1
1516 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1517 reencrypt_recover_online 512 checksum $HASH1
1518 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 -c null --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1520 reencrypt_recover_online 512 journal $HASH1
1522 if [ -n "$DM_SECTOR_SIZE" ]; then
1523 echo "sector size 512->4096"
1525 get_error_offsets 32 $OFFSET 4096
1526 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1528 check_hash $PWD1 $HASH1
1530 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1531 reencrypt_recover_online 4096 checksum $HASH1
1532 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1534 check_hash $PWD1 $HASH1
1535 reencrypt_recover_online 4096 journal $HASH1
1537 echo "sector size 4096->4096"
1539 get_error_offsets 32 $OFFSET 4096
1540 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1542 check_hash $PWD1 $HASH1
1544 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1545 reencrypt_recover_online 4096 checksum $HASH1
1546 reencrypt_recover_online 4096 journal $HASH1