4 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
5 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
7 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
8 CRYPTSETUP_LIB_VALGRIND=../.libs
10 FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
11 FAST_PBKDF_ARGON="--pbkdf-force-iterations 4 --pbkdf-memory 32 --pbkdf-parallel 1"
12 DEFAULT_ARGON="argon2i"
21 HEADER_LUKS2_PV=blkid-luks2-pv.img
22 IMG_FS=xfs_512_block_size.img
28 DEV_LINK="reenc-test-link"
30 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
32 function dm_crypt_features()
34 VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
35 [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
37 VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
38 VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
39 VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
41 [ $VER_MAJ -lt 1 ] && return
42 [ $VER_MAJ -gt 1 ] && {
48 [ $VER_MIN -lt 14 ] && return
50 if [ $VER_MIN -ge 17 ]; then
55 function dm_delay_features()
57 local _ver_str=$(dmsetup targets | grep delay | cut -f2 -dv)
58 [ -z "$_ver_str" ] && return 1
62 # $1 path to scsi debug bdev
63 scsi_debug_teardown() {
66 while [ -b "$1" -a $_tries -gt 0 ]; do
67 rmmod scsi_debug >/dev/null 2>&1
74 test ! -b "$1" || rmmod scsi_debug >/dev/null 2>&1
77 function remove_mapping()
79 [ -b /dev/mapper/$DEV_NAME ] && {
80 dmsetup resume $DEV_NAME
81 dmsetup remove --retry $DEV_NAME
83 [ -b /dev/mapper/$DEV_NAME2 ] && {
84 dmsetup resume $DEV_NAME2
85 dmsetup remove --retry $DEV_NAME2
87 [ -b /dev/mapper/$DEV_NAME-overlay ] && {
88 dmsetup resume $DEV_NAME-overlay
89 dmsetup remove --retry $DEV_NAME-overlay
91 [ -b /dev/mapper/$DEV_NAME-hotzone-forward ] && {
92 dmsetup resume $DEV_NAME-hotzone-forward
93 dmsetup remove --retry $DEV_NAME-hotzone-forward
95 [ -b /dev/mapper/$DEV_NAME-hotzone-backward ] && {
96 dmsetup resume $DEV_NAME-hotzone-backward
97 dmsetup remove --retry $DEV_NAME-hotzone-backward
99 [ -b /dev/mapper/$OVRDEV ] && dmsetup remove --retry $OVRDEV 2>/dev/null
100 [ -b /dev/mapper/$OVRDEV-err ] && dmsetup remove --retry $OVRDEV-err 2>/dev/null
101 [ -n "$LOOPDEV" ] && losetup -d $LOOPDEV
103 rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG $DEV_LINK $HEADER_LUKS2_PV $IMG_FS >/dev/null 2>&1
104 rmmod scsi_debug >/dev/null 2>&1
105 scsi_debug_teardown $DEV
111 [ -n "$1" ] && echo "$1"
112 echo "FAILED backtrace:"
113 while caller $frame; do ((frame++)); done
120 [ -n "$1" ] && echo "$1"
127 [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
130 function add_scsi_device() {
131 scsi_debug_teardown $DEV
132 if [ -d /sys/module/scsi_debug ] ; then
133 echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
136 modprobe scsi_debug $@ delay=0 >/dev/null 2>&1
137 if [ $? -ne 0 ] ; then
138 echo "This kernel seems to not support proper scsi_debug module, test skipped."
143 DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
144 [ -b $DEV ] || fail "Cannot find $DEV."
147 function open_crypt() # $1 pwd, $2 hdr
149 if [ -n "$2" ] ; then
150 echo "$1" | $CRYPTSETUP luksOpen $DEV $DEV_NAME --header $2 || fail
151 elif [ -n "$1" ] ; then
152 echo "$1" | $CRYPTSETUP luksOpen $DEV $DEV_NAME || fail
154 $CRYPTSETUP luksOpen -d $KEY1 $DEV $DEV_NAME || fail
158 function wipe_dev_head() # $1 dev, $2 length (in MiBs)
160 dd if=/dev/zero of=$1 bs=1M count=$2 conv=notrunc >/dev/null 2>&1
163 function wipe_dev() # $1 dev
166 blkdiscard --zeroout $1 2>/dev/null || dd if=/dev/zero of=$1 bs=1M conv=notrunc >/dev/null 2>&1
167 if [ $# -gt 2 ]; then
168 dd if=/dev/urandom of=$1 bs=1M seek=$2 conv=notrunc >/dev/null 2>&1
171 local size=$(stat --printf="%s" $1)
173 if [ $# -gt 2 ]; then
174 local diff=$((size-$2*1024*1024))
175 echo "size: $size, diff: $diff"
177 # wipe_dev_head $1 $((diff/(1024*1024)))
178 dd if=/dev/urandom of=$1 bs=1M seek=$2 size=$((diff/(1024*1024))) conv=notrunc >/dev/null 2>&1
185 function wipe() # $1 pass, $2 hdr
188 wipe_dev /dev/mapper/$DEV_NAME
189 udevadm settle >/dev/null 2>&1
190 $CRYPTSETUP luksClose $DEV_NAME || fail
193 function prepare() # $1 dev1_siz
197 if [ ! -e $KEY1 ]; then
198 dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
201 if [ ! -e $VKEY1 ]; then
202 echo -n $'\x44\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >$VKEY1
203 echo -n $'\x9c\x03\xba\xbe\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>$VKEY1
209 function preparebig() # $1 dev1_siz
213 if [ ! -e $KEY1 ]; then
214 dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
217 truncate -s "$1"M $DEVBIG
218 LOOPDEV=$(losetup -f)
219 losetup -f $DEVBIG || fail
223 function check_hash_dev() # $1 dev, $2 hash
225 HASH=$(sha1sum $1 | cut -d' ' -f 1)
226 [ $HASH != "$2" ] && fail "HASH differs (expected: $2) (result $HASH)"
229 function check_hash() # $1 pwd, $2 hash, $3 hdr
232 check_hash_dev /dev/mapper/$DEV_NAME $2
233 $CRYPTSETUP remove $DEV_NAME || fail
236 function check_hash_dev_head() # $1 dev, $2 len, $3 hash
238 local hash=$(dd if=$1 bs=512 count=$2 2>/dev/null | sha1sum | cut -d' ' -f1)
239 [ $hash != "$3" ] && fail "HASH differs (expected: $3) (result $hash)"
242 function check_hash_head() # $1 pwd, $2 len, $3 hash, $4 hdr
245 check_hash_dev_head /dev/mapper/$DEV_NAME $2 $3
246 $CRYPTSETUP remove $DEV_NAME || fail
249 function resize_file() # $1 dev, $2 shrink bytes
251 local size=$(stat --printf="%s" $1)
252 truncate -s $(($size + $2)) $1
256 function error_writes() { # $1 dmdev, $2 data dev, $3 offset, $4 size
257 local _dev_size=$(blockdev --getsz /dev/mapper/$1)
258 local _offset=$(($3+$4))
259 local _size=$((_dev_size-_offset))
262 dmsetup create $_err --table "0 $_dev_size error" || fail
264 if [ $3 -ne 0 ]; then
265 _table="0 $3 linear $2 0\n"
268 _table=$_table"$3 $4 delay $2 $3 0 /dev/mapper/$_err $3 0"
270 if [ $_size -ne 0 ]; then
271 _table="$_table\n$_offset $_size linear $2 $_offset"
274 echo -e "$_table" | dmsetup load $1 || fail
275 dmsetup resume $1 || fail
276 blockdev --setra 0 /dev/mapper/$1
277 blockdev --setra 0 /dev/mapper/$_err
280 function fix_writes() { # $1 dmdev, $2 data dev
281 local _dev_size=$(blockdev --getsz /dev/mapper/$1)
282 dmsetup load $1 --table "0 $_dev_size linear $2 0" || fail
283 dmsetup resume $1 || fail
284 dmsetup remove --retry $1-err 2>/dev/null || fail
287 function prepare_linear_dev() {
291 if [ "$_sizemb" -gt 32 ]; then
294 prepare dev_size_mb=$_sizemb $@
297 dmsetup create $OVRDEV --table "0 $((_sizemb*1024*2)) linear $DEV 0" || fail
300 DEV=/dev/mapper/$OVRDEV
303 function get_error_offsets() # $1 devsize, $2 minimal offset, $3 sector_size [512 if omitted], $4 max offset
305 local _devsize=$(($1*1024*2))
306 local _sector_size=${3:-512}
307 local _max_offset=${4:-$_devsize}
308 _sector_size=$((_sector_size/512))
310 # 8 sectors minimal size (4096)
311 ERRLENGTH=$((($RANDOM%56)+8))
312 ERRLENGTH=$(($ERRLENGTH-($ERRLENGTH%$_sector_size)))
314 ERROFFSET=$(($2+((2*$RANDOM)%($_max_offset-$2-$ERRLENGTH))))
315 ERROFFSET=$(($ERROFFSET-($ERROFFSET%$_sector_size)))
318 function reencrypt_recover() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
319 echo -n "resilience mode: $2 ..."
321 test -z "$4" || _hdr="--header $4"
323 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
324 echo $PWD1 | $CRYPTSETUP reencrypt $DEV $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 --force-offline-reencrypt -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail
325 fix_writes $OVRDEV $OLD_DEV
327 echo $PWD1 | $CRYPTSETUP -q repair $DEV $_hdr || fail
329 check_hash $PWD1 $3 $4
331 echo $PWD1 | $CRYPTSETUP reencrypt $DEV $_hdr --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON || fail
332 check_hash $PWD1 $3 $4
337 function reencrypt_recover_online() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
338 echo -n "resilience mode: $2 ..."
340 test -z "$4" || _hdr="--header $4"
342 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
344 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
345 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail
346 $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption: in-progress" || fail
347 $CRYPTSETUP close $DEV_NAME || fail
348 fix_writes $OVRDEV $OLD_DEV
350 # recovery during activation
351 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
352 check_hash_dev /dev/mapper/$DEV_NAME $3
354 $CRYPTSETUP luksDump ${4:-$DEV} | grep -q "online-reencrypt"
355 if [ $? -eq 0 ]; then
356 $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption: in-progress" || fail
357 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --resilience $2 --resume-only -q || fail
358 check_hash_dev /dev/mapper/$DEV_NAME $3
361 $CRYPTSETUP close $DEV_NAME || fail
365 function encrypt_recover() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
367 check_hash_dev $DEV $5
369 echo -n "resilience mode: datashift ..."
371 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 || fail
373 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
374 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q >/dev/null 2>&1 && fail
375 fix_writes $OVRDEV $OLD_DEV
377 echo $PWD1 | $CRYPTSETUP -q repair $DEV || fail
379 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt"
380 if [ $? -eq 0 ]; then
382 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --sector-size $1 -q $FAST_PBKDF_ARGON || fail
385 check_hash_head $PWD1 $4 $3
390 function encrypt_recover_online() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
392 check_hash_dev $DEV $5
394 echo -n "resilience mode: datashift ..."
396 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only > /dev/null || fail
397 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
399 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
400 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q >/dev/null 2>&1 && fail
401 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" || fail
402 $CRYPTSETUP close $DEV_NAME || fail
403 fix_writes $OVRDEV $OLD_DEV
405 # recovery in activation
406 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
408 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt"
409 if [ $? -eq 0 ]; then
410 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" || fail
411 check_hash_dev /dev/mapper/$DEV_NAME $3
412 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --active-name $DEV_NAME -q || fail
415 $CRYPTSETUP close $DEV_NAME || fail
416 check_hash_head $PWD1 $4 $3
421 function encrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
423 check_hash_dev $DEV $3
425 echo -n "resilience mode: $2 ..."
427 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
428 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --hotzone-size 1M --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
429 fix_writes $OVRDEV $OLD_DEV
431 echo $PWD1 | $CRYPTSETUP repair $DEV --header $4 || fail
433 check_hash $PWD1 $3 $4
435 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON || fail
436 check_hash $PWD1 $3 $4
438 [ -f $4 ] && rm -f $4
443 function encrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
445 check_hash_dev $DEV $3
447 echo -n "resilience mode: $2 ..."
449 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --hotzone-size 1M --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only || fail
450 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
452 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
453 echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $4 --hotzone-size 1M 2>/dev/null && fail
454 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
455 $CRYPTSETUP close $DEV_NAME || fail
456 fix_writes $OVRDEV $OLD_DEV
458 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
459 check_hash_dev /dev/mapper/$DEV_NAME $3
461 $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
462 if [ $? -eq 0 ]; then
463 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
464 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --resume-only --header $4 --resilience $2 -q || fail
465 check_hash_dev /dev/mapper/$DEV_NAME $3
468 $CRYPTSETUP close $DEV_NAME || fail
470 [ -f $4 ] && rm -f $4
475 function decrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
476 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size $1 --header $4 $FAST_PBKDF_ARGON $DEV || fail
478 check_hash $PWD1 $3 $4
480 echo -n "resilience mode: $2 ..."
482 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
483 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --hotzone-size 1M --header $4 --resilience $2 -q 2>/dev/null && fail
484 fix_writes $OVRDEV $OLD_DEV
486 echo $PWD1 | $CRYPTSETUP repair $DEV --header $4 || fail
488 $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
489 if [ $? -eq 0 ]; then
490 check_hash $PWD1 $3 $4
491 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --resume-only --header $4 --resilience $2 -q || fail
494 check_hash_dev $DEV $3
496 [ -f $4 ] && rm -f $4
501 function decrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
502 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size $1 --header $4 $FAST_PBKDF_ARGON $DEV || fail
503 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
504 wipe_dev /dev/mapper/$DEV_NAME
505 check_hash_dev /dev/mapper/$DEV_NAME $3
507 echo -n "resilience mode: $2 ..."
509 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
510 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --hotzone-size 1M --header $4 --resilience $2 -q 2>/dev/null && fail
511 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
512 $CRYPTSETUP close $DEV_NAME || fail
513 fix_writes $OVRDEV $OLD_DEV
515 # recovery during activation
516 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
518 $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
519 if [ $? -eq 0 ]; then
520 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
521 check_hash_dev /dev/mapper/$DEV_NAME $3
522 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $4 --resilience $2 -q || fail
525 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
526 check_hash_dev $DEV $3
528 [ -f $4 ] && rm -f $4
533 function decrypt_recover() { # $1 hash, $2 hdr, $3 dev size, $4 resilience, $5 hotzone size
536 test -z "$4" || _res="--resilience $4"
537 test -z "$5" || _maxhz="--hotzone-size $5"
538 echo -n "[${4:-default}]"
540 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --header $2 --init-only $_maxhz >/dev/null || fail
542 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
543 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $2 -q $_res >/dev/null 2>&1 && fail
544 fix_writes $OVRDEV $OLD_DEV
546 echo $PWD1 | $CRYPTSETUP -q repair $DEV --header $2 || fail
548 $CRYPTSETUP luksDump $2 | grep -q "online-reencrypt"
549 if [ $? -eq 0 ]; then
550 check_hash $PWD1 $1 $2
551 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $2 $_res -q $FAST_PBKDF_ARGON || fail
554 check_hash_dev_head $DEV $3 $1
556 [ -f $2 ] && rm -f $2
561 function decrypt_recover_online() { # $1 hash, $2 hdr, $3 dev size
564 test -z "$4" || _res="--resilience $4"
565 test -z "$5" || _maxhz="--hotzone-size $5"
566 echo -n "[${4:-default}]"
568 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --header $2 $_maxhz --init-only >/dev/null 2>&1 || fail
570 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
571 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $2 -q $_res >/dev/null 2>&1 && fail
572 $CRYPTSETUP status $DEV_NAME --header $2 | grep -q "reencryption: in-progress" || fail
573 $CRYPTSETUP close $DEV_NAME || fail
574 fix_writes $OVRDEV $OLD_DEV
576 # recovery during activation
577 echo $PWD1 | $CRYPTSETUP open $DEV --header $2 $DEV_NAME || fail
579 check_hash_dev /dev/mapper/$DEV_NAME $1
580 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $2 -q || fail
582 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
583 check_hash_dev_head $DEV $3 $1
585 [ -f $2 ] && rm -f $2
590 function decrypt_recover_online_moved() { # $1 hash, $2 hdr, $3 dev size
593 test -z "$4" || _res="--resilience $4"
594 test -z "$5" || _maxhz="--hotzone-size $5"
595 echo -n "[${4:-default}]"
597 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --header $2 $_maxhz $_res --init-only >/dev/null 2>&1 || fail
599 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
600 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $2 -q $_res >/dev/null 2>&1 && fail
601 $CRYPTSETUP status $DEV_NAME --header $2 | grep -q "reencryption: in-progress" || fail
602 $CRYPTSETUP close $DEV_NAME || fail
603 fix_writes $OVRDEV $OLD_DEV
605 # recovery but activation fails due to last segment recovery makes it plaintext device
606 echo $PWD1 | $CRYPTSETUP open $DEV --header $2 $DEV_NAME 2>/dev/null && fail
608 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
609 check_hash_dev_head $DEV $3 $1
611 [ -f $2 ] && rm -f $2
616 # sector size (bytes)
617 # reenc dev size (sectors)
623 function reencrypt_offline_fixed_size() {
624 local _esz=$(($1>>9))
626 # round-up fixed size to megabytes
627 local _mbs=$((($2>>11)+1))
628 test -z "$7" || _hdr="--header $7"
631 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
633 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $7 $FAST_PBKDF_ARGON $DEV || fail
635 echo $PWD1 | $CRYPTSETUP open $_hdr $DEV $DEV_NAME || fail
636 wipe_dev_head /dev/mapper/$DEV_NAME $_mbs
637 $CRYPTSETUP close $DEV_NAME || fail
639 # reencrypt with fixed device size
640 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --device-size $2s --resilience $4 --force-offline-reencrypt || fail
642 check_hash_head $PWD1 $2 $3 $7
645 # try to reencrypt device size + 1 encryption sector size
646 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only --force-offline-reencrypt || fail
647 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
648 check_hash $PWD1 $6 $7
650 # misaligned reencryption size
651 if [ $_esz -gt 1 ]; then
652 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
653 $CRYPTSETUP luksDump ${7:-$DEV} | grep -q "2: crypt" || fail
654 $CRYPTSETUP luksDump ${7:-$DEV} | grep -q "3: crypt" && fail
655 check_hash $PWD1 $6 $7
659 # sector size (bytes)
660 # reenc dev size (sectors)
666 function encrypt_offline_fixed_size() {
667 local _esz=$(($1>>9))
669 # reencrypt with fixed device size
671 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --device-size $2s --resilience $4 || fail
672 check_hash_head $PWD1 $2 $3 $7
673 [ -f $7 ] && rm -f $7
675 # try to reencrypt device size + 1 encryption sector size
677 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --init-only || fail
678 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
679 check_hash $PWD1 $6 $7
681 # misaligned reencryption size
682 if [ $_esz -gt 1 ]; then
683 [ -f $7 ] && rm -f $7
684 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --init-only || fail
685 echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $7 --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
686 $CRYPTSETUP luksDump $7 | grep -q "2: crypt" || fail
687 $CRYPTSETUP luksDump $7 | grep -q "3: crypt" && fail
688 check_hash $PWD1 $6 $7
691 [ -f $7 ] && rm -f $7
694 # sector size (bytes)
695 # reenc dev size (sectors)
701 function decrypt_offline_fixed_size() {
702 local _esz=$(($1>>9))
704 # decrypt with fixed device size
705 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 || fail
707 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt -q $DEV --header $7 --device-size $2s --resilience $4 || fail
709 dmsetup load $OVRDEV --table "0 $2 linear $OLD_DEV 0" || fail
710 dmsetup resume $OVRDEV || fail
711 check_hash_dev $DEV $3
712 dmsetup load $OVRDEV --table "0 $5 linear $OLD_DEV 0" || fail
713 dmsetup resume $OVRDEV || fail
715 # try to decrypt device size + 1 encryption sector size
716 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 || fail
718 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --init-only || fail
719 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
720 check_hash $PWD1 $6 $7
722 # misaligned reencryption size
723 if [ $_esz -gt 1 ]; then
724 echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $7 --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
725 $CRYPTSETUP luksDump $7 | grep -q "2: linear\|2: crypt" || fail
726 $CRYPTSETUP luksDump $7 | grep -q "3: crypt\|3: linear" && fail
727 check_hash $PWD1 $6 $7
731 # sector size (bytes)
732 # reenc dev size (sectors)
738 function reencrypt_online_fixed_size() {
739 local _esz=$(($1>>9))
741 test -z "$7" || _hdr="--header $7"
743 if [ -z "$_hdr" ]; then
744 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
746 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 $_hdr $FAST_PBKDF_ARGON $DEV || fail
750 # reencrypt with fixed device size
751 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
752 echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $2 || fail
753 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --resilience $4 || fail
754 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "$2 sectors" || fail
755 $CRYPTSETUP close $DEV_NAME || fail
756 check_hash_head $PWD1 $2 $3 $7
759 # active device != requested reencryption size
760 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
761 echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $2 || fail
762 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
763 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($2-_esz))s --resilience $4 2>/dev/null && fail
764 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $2s --resilience $4 || fail
765 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "$2 sectors" || fail
766 $CRYPTSETUP close $DEV_NAME || fail
767 check_hash_head $PWD1 $2 $3 $7
769 # misaligned reencryption size
770 if [ $_esz -gt 1 ]; then
771 if [ -z "$_hdr" ]; then
772 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
774 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 $_hdr $FAST_PBKDF_ARGON $DEV || fail
777 check_hash $PWD1 $6 $7
779 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
780 echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $(($2+_esz-1)) || fail
781 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
782 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --resilience $4 2>/dev/null && fail
783 $CRYPTSETUP close $DEV_NAME || fail
784 check_hash $PWD1 $6 $7
787 [ -n "$7" -a -f "$7" ] && rm -f $7
790 function setup_luks2_env() {
791 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail
792 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
793 HAVE_KEYRING=$($CRYPTSETUP status $DEV_NAME | grep "key location: keyring")
794 if [ -n "$HAVE_KEYRING" ]; then
799 DEF_XTS_KEY=$($CRYPTSETUP status $DEV_NAME | grep "keysize:" | sed 's/\( keysize: \)\([0-9]\+\)\(.*\)/\2/')
800 [ -n "$DEF_XTS_KEY" ] || fail "Failed to parse xts mode key size."
801 $CRYPTSETUP close $DEV_NAME || fail
804 function check_blkid() {
806 xz -dkf $HEADER_LUKS2_PV.xz
807 if ! $($CRYPTSETUP --version | grep -q "BLKID"); then
809 elif $(blkid -p -n crypto_LUKS $HEADER_LUKS2_PV >/dev/null 2>&1); then
812 blkid $IMG_FS | grep -q BLOCK_SIZE && BLKID_BLOCK_SIZE_SUPPORT=1
818 function valgrind_setup()
820 command -v valgrind >/dev/null || fail "Cannot find valgrind."
821 [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
822 export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
825 function valgrind_run()
827 INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
832 command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
835 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
836 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
837 fips_mode && skip "This test cannot be run in FIPS mode."
838 modprobe --dry-run scsi_debug >/dev/null 2>&1 || skip "This kernel seems to not support proper scsi_debug module, test skipped."
839 modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
840 modprobe dm-delay > /dev/null 2>&1
843 if [ -n "$DM_SECTOR_SIZE" ]; then
844 TEST_SECTORS="512 4096"
849 modinfo scsi_debug -p | grep -q opt_xferlen_exp && OPT_XFERLEN_EXP="opt_xferlen_exp=6"
853 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
857 # 28 MiBs of zeros (32MiBs - 4MiB LUKS2 header)
858 HASH1=4da90c0638bd7d29ce3d0ace3df5ee99706c23da
860 HASH2=3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3
862 HASH3=7b91dbdc56c5781edf6c8847b4aa6965566c5c75
864 HASH4=44fac4bedde4df04b9572ac665d3ac2c5cd00c7d
866 HASH5=bcd8ce9b30a43b2dacdf479493c93e167ef60946
868 HASH6=2cf8a5f40a2ab5373c5425d6071da480f1ce08e8
870 HASH7=7ed56dd14d2841cf169fe503d097be04192666bd
872 HASH8=233ba936226a3ac499e67babaebd0d4aafb9761a
873 # 240 MiBs of zeroes (256MiBs - 16MiBs default LUKS2 header size)
874 HASH9=045eebed703cce308e049deb019b877f0445862f
876 HASH10=3b4417fc421cee30a9ad0fd9319220a8dae32da2
878 prepare dev_size_mb=32
881 # Check that we can use other ciphers than AES in userspace backend.
882 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c twofish-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail
883 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>/dev/null || skip "Cannot use Twofish cipher, test skipped"
884 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c serpent-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail
885 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>/dev/null || skip "Cannot use Serpent cipher, test skipped."
888 echo "[1] Reencryption"
889 echo -n "[512 sector]"
890 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
892 check_hash $PWD1 $HASH1
893 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>&1 | tail -1 | grep -q "not supported" && skip " No reenryption support, test skipped."
894 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
895 check_hash $PWD1 $HASH1
896 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
897 check_hash $PWD1 $HASH1
898 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
899 check_hash $PWD1 $HASH1
900 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
901 check_hash $PWD1 $HASH1
902 # simple test --active-name can consume absolute path to mapping
903 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -c aes-xts-plain64 --init-only $FAST_PBKDF_ARGON || fail
904 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
905 echo $PWD1 | $CRYPTSETUP reencrypt --active-name /dev/mapper/$DEV_NAME --resilience none -q || fail
906 XTS_KEY=$($CRYPTSETUP status $DEV_NAME | grep "keysize:" | sed 's/\( keysize: \)\([0-9]\+\)\(.*\)/\2/')
907 [ "$XTS_KEY" -eq "$DEF_XTS_KEY" ] || fail "xts mode has wrong key size after reencryption ($XTS_KEY != expected $DEF_XTS_KEY)"
908 echo $PWD1 | $CRYPTSETUP close $DEV_NAME || fail
909 echo -n "[OK][4096 sector]"
910 prepare sector_size=4096 dev_size_mb=32
911 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
913 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
914 check_hash $PWD1 $HASH1
915 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
916 check_hash $PWD1 $HASH1
917 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
918 check_hash $PWD1 $HASH1
919 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
920 check_hash $PWD1 $HASH1
921 if [ -n "$DM_SECTOR_SIZE" ]; then
922 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON --sector-size 4096 || fail
923 check_hash $PWD1 $HASH1
924 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal --sector-size 2048 $FAST_PBKDF_ARGON || fail
925 check_hash $PWD1 $HASH1
926 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON --sector-size 1024 || fail
927 check_hash $PWD1 $HASH1
928 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum --sector-size 512 $FAST_PBKDF_ARGON || fail
929 check_hash $PWD1 $HASH1
931 echo -n "[OK][4096/512 sector]"
932 prepare sector_size=512 physblk_exp=3 dev_size_mb=32
933 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
935 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
936 check_hash $PWD1 $HASH1
937 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
938 check_hash $PWD1 $HASH1
939 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
940 check_hash $PWD1 $HASH1
941 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
942 check_hash $PWD1 $HASH1
945 # reencrypt minimal device size (FIXME: change data device size to single encryption sector size)
946 # temporary small device size is default luks2 hdr size + 1MiB
947 echo -n "[small device reencryption]"
948 prepare dev_size_mb=5
949 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
951 check_hash $PWD1 $HASH2
952 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
953 check_hash $PWD1 $HASH2
954 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
955 check_hash $PWD1 $HASH2
956 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
957 check_hash $PWD1 $HASH2
958 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
959 check_hash $PWD1 $HASH2
960 if [ -n "$DM_SECTOR_SIZE" ]; then
961 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON --sector-size 4096 --force-offline-reencrypt || fail
962 check_hash $PWD1 $HASH2
963 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal --sector-size 2048 $FAST_PBKDF_ARGON || fail
964 check_hash $PWD1 $HASH2
965 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON --sector-size 1024 || fail
966 check_hash $PWD1 $HASH2
967 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum --sector-size 512 $FAST_PBKDF_ARGON || fail
968 check_hash $PWD1 $HASH2
972 echo "[2] Encryption with data shift"
973 # well, movin' zeroes :-)
976 check_hash_dev $DEV $HASH4
977 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON || fail
978 check_hash_head $PWD1 $((56*1024*2)) $HASH5
980 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c twofish-cbc-essiv:sha256 -s 128 --reduce-device-size 21M -q $FAST_PBKDF_ARGON || fail
981 check_hash_head $PWD1 $((43*1024*2)) $HASH6
983 # offset 21504 equals 10,5MiBs, equals --reduce-device-size 21M from test above (30M is ignored here, we'll reduce it to 21M in cryptsetup anyway)
984 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c twofish-cbc-essiv:sha256 -s 128 --offset 21504 --reduce-device-size 30M -q $FAST_PBKDF_ARGON > /dev/null || fail
985 check_hash_head $PWD1 $((43*1024*2)) $HASH6
987 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 33M -q $FAST_PBKDF_ARGON || fail
988 check_hash_head $PWD1 $((31*1024*2)) $HASH7
990 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON > /dev/null 2>&1 && fail
991 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 8M --init-only -q $FAST_PBKDF_ARGON $DEV || fail
992 resize_file $DEVBIG -512
993 echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV 2> /dev/null && fail
994 resize_file $DEVBIG 512
996 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --offset 32760 --reduce-device-size 8M -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 && fail
997 # data offset at 21MiB
998 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --header $IMG_HDR --offset 43008 --reduce-device-size 21M -q $FAST_PBKDF_ARGON || fail
999 check_hash $PWD1 $HASH6 $IMG_HDR
1000 $CRYPTSETUP luksHeaderRestore --header-backup-file $IMG_HDR $DEV -q || fail
1001 check_hash $PWD1 $HASH6
1003 # Device activation after encryption initialization
1005 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 -S11 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
1006 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
1007 check_hash_dev /dev/mapper/$DEV_NAME $HASH5
1008 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only $DEV -q || fail
1009 check_hash_dev /dev/mapper/$DEV_NAME $HASH5
1011 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
1012 $CRYPTSETUP close $DEV_NAME
1013 check_hash_head $PWD1 $((56*1024*2)) $HASH5
1015 # Device activation using key file
1017 echo -n $PWD1 > $KEY1
1018 $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
1019 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
1020 $CRYPTSETUP close $DEV_NAME
1021 echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
1023 # Small device encryption test
1025 # wipe only 1st MiB (final data size after encryption)
1027 check_hash_dev_head $DEV 2048 $HASH2
1028 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON || fail
1029 check_hash_head $PWD1 2048 $HASH2
1031 wipe_dev_head $DEV 1
1032 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M --init-only -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
1033 check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
1034 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q || fail
1035 check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
1037 echo "[3] Encryption with detached header"
1040 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1041 check_hash $PWD1 $HASH3 $IMG_HDR
1044 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --resilience journal --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1045 check_hash $PWD1 $HASH3 $IMG_HDR
1048 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c twofish-cbc-essiv:sha256 -s 128 --resilience none --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1049 check_hash $PWD1 $HASH3 $IMG_HDR
1052 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1053 check_hash $PWD1 $HASH3 $IMG_HDR
1056 # Device activation after encryption initialization
1058 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV $DEV_NAME >/dev/null || fail
1059 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
1060 check_hash_dev /dev/mapper/$DEV_NAME $HASH3
1061 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --header $IMG_HDR --active-name $DEV_NAME -q || fail
1062 check_hash_dev /dev/mapper/$DEV_NAME $HASH3
1063 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
1064 $CRYPTSETUP close $DEV_NAME
1065 check_hash $PWD1 $HASH3 $IMG_HDR
1068 # Device encryption with data offset set in detached header
1070 dd if=/dev/urandom of=$DEV bs=512 count=32768 >/dev/null 2>&1
1071 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR --offset 32768 -q $FAST_PBKDF_ARGON $DEV || fail
1072 check_hash $PWD1 $HASH9 $IMG_HDR
1075 # Device activation using key file
1077 echo -n $PWD1 > $KEY1
1078 $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
1079 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
1080 $CRYPTSETUP close $DEV_NAME
1081 echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
1083 # Encrypt without size reduction must not allow header device same as data device
1084 wipe_dev_head $DEV 1
1085 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail
1086 $CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
1087 ln -s $DEV $DEV_LINK || fail
1088 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
1089 $CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
1090 rm -f $DEV_LINK || fail
1092 dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
1093 echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
1094 $CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
1095 ln -s $IMG $DEV_LINK || fail
1096 echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
1097 $CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
1099 echo "[4] Reencryption with detached header"
1101 echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1102 check_hash $PWD1 $HASH3 $IMG_HDR
1103 echo $PWD1 | $CRYPTSETUP reencrypt --resilience journal --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1104 check_hash $PWD1 $HASH3 $IMG_HDR
1105 echo $PWD1 | $CRYPTSETUP reencrypt -c twofish-cbc-essiv:sha256 -s 128 --resilience none --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1106 check_hash $PWD1 $HASH3 $IMG_HDR
1107 echo $PWD1 | $CRYPTSETUP reencrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1108 check_hash $PWD1 $HASH3 $IMG_HDR
1109 # trivial check for detached header misuse
1110 dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
1111 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1112 echo $PWD1 | $CRYPTSETUP open $IMG $DEV_NAME --header $IMG_HDR || fail
1113 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME2 --header $IMG_HDR || fail
1114 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --header $IMG_HDR -q || fail
1115 # key description mismatch in active device
1116 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME2 --header $IMG_HDR >/dev/null 2>&1 && fail
1117 # also check it can abort initialization in this case
1118 $CRYPTSETUP luksDump $IMG_HDR | grep -q "online-reencrypt" && fail
1119 $CRYPTSETUP close $DEV_NAME || fail
1120 $CRYPTSETUP close $DEV_NAME2 || fail
1122 echo "[5] Decryption with detached header"
1123 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --sector-size 512 -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1125 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR $DEV || fail
1126 check_hash_dev $DEV $HASH3
1127 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1129 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience journal --header $IMG_HDR $DEV || fail
1130 check_hash_dev $DEV $HASH3
1131 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c twofish-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1133 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience none --header $IMG_HDR $DEV || fail
1134 check_hash_dev $DEV $HASH3
1135 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1137 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience checksum --header $IMG_HDR $DEV || fail
1138 check_hash_dev $DEV $HASH3
1140 # check deferred remove works as expected after decryption
1141 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --sector-size 512 -c serpent-xts-plain --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
1142 open_crypt $PWD1 $IMG_HDR
1143 dmsetup create $DEV_NAME2 --table "0 1 linear /dev/mapper/$DEV_NAME 0" || fail
1144 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience checksum --header $IMG_HDR --active-name $DEV_NAME || fail
1145 $CRYPTSETUP status $DEV_NAME >/dev/null || fail
1146 dmsetup remove --retry $DEV_NAME2
1147 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
1149 # check tool can block some funny user ideas
1151 ln -s $DEV $DEV_LINK || fail
1152 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain -q $FAST_PBKDF_ARGON $DEV || fail
1153 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q 2>/dev/null && fail
1154 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $DEV -q 2>/dev/null && fail
1155 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $DEV_LINK -q 2>/dev/null && fail
1157 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME -q 2>/dev/null && fail
1158 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME --header $DEV -q 2>/dev/null && fail
1159 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME --header $DEV_LINK -q 2>/dev/null && fail
1160 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" && fail
1161 $CRYPTSETUP close $DEV_NAME
1163 # yet another funny idea
1165 $CRYPTSETUP luksHeaderBackup --header-backup-file $IMG_HDR $DEV || fail
1166 chmod +w $IMG_HDR || fail
1167 command -v wipefs >/dev/null && {
1168 wipefs -a $DEV >/dev/null 2>&1 || fail
1170 open_crypt $PWD1 $IMG_HDR
1171 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --decrypt --header $IMG_HDR -q 2>/dev/null && fail
1172 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" && fail
1173 $CRYPTSETUP close $DEV_NAME || fail
1175 if ! dm_delay_features; then
1176 echo "dm-delay target is missing, skipping recovery tests."
1181 echo "[6] Reencryption recovery"
1182 # (check opt-io size optimization in reencryption code does not affect recovery)
1183 # device with opt-io size 32k
1184 prepare_linear_dev 32 opt_blks=64 $OPT_XFERLEN_EXP
1187 echo "sector size 512->512"
1189 get_error_offsets 32 $OFFSET
1190 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1193 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1194 reencrypt_recover 512 checksum $HASH1
1195 reencrypt_recover 512 journal $HASH1
1197 if [ -n "$DM_SECTOR_SIZE" ]; then
1198 echo "sector size 512->4096"
1200 get_error_offsets 32 $OFFSET 4096
1201 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1204 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1205 reencrypt_recover 4096 checksum $HASH1
1206 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1208 reencrypt_recover 4096 journal $HASH1
1210 echo "sector size 4096->4096"
1212 get_error_offsets 32 $OFFSET 4096
1213 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1216 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1217 reencrypt_recover 4096 checksum $HASH1
1218 reencrypt_recover 4096 journal $HASH1
1221 echo "[7] Reencryption recovery (online i/o error)"
1223 echo "sector size 512->512"
1225 get_error_offsets 32 $OFFSET
1226 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1229 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1230 reencrypt_recover_online 512 checksum $HASH1
1231 reencrypt_recover_online 512 journal $HASH1
1233 if [ -n "$DM_SECTOR_SIZE" ]; then
1234 echo "sector size 512->4096"
1236 get_error_offsets 32 $OFFSET 4096
1237 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1240 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1241 reencrypt_recover_online 4096 checksum $HASH1
1242 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1244 reencrypt_recover_online 4096 journal $HASH1
1246 echo "sector size 4096->4096"
1248 get_error_offsets 32 $OFFSET 4096
1249 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1252 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1253 reencrypt_recover_online 4096 checksum $HASH1
1254 reencrypt_recover_online 4096 journal $HASH1
1257 echo "[8] Reencryption with detached header recovery"
1258 prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
1260 echo "sector size 512->512"
1262 get_error_offsets 31 0
1263 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1265 check_hash $PWD1 $HASH7 $IMG_HDR
1267 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1268 reencrypt_recover 512 checksum $HASH7 $IMG_HDR
1269 reencrypt_recover 512 journal $HASH7 $IMG_HDR
1271 if [ -n "$DM_SECTOR_SIZE" ]; then
1272 echo "sector size 512->4096"
1274 get_error_offsets 31 0 4096
1275 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1278 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1279 reencrypt_recover 4096 checksum $HASH7 $IMG_HDR
1280 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1282 reencrypt_recover 4096 journal $HASH7 $IMG_HDR
1284 echo "sector size 4096->4096"
1286 get_error_offsets 31 0 4096
1287 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1290 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1291 reencrypt_recover 4096 checksum $HASH7 $IMG_HDR
1292 reencrypt_recover 4096 journal $HASH7 $IMG_HDR
1295 echo "[9] Reencryption with detached header recovery (online i/o error)"
1297 echo "sector size 512->512"
1299 get_error_offsets 31 0
1300 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1303 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1304 reencrypt_recover_online 512 checksum $HASH7 $IMG_HDR
1305 reencrypt_recover_online 512 journal $HASH7 $IMG_HDR
1307 if [ -n "$DM_SECTOR_SIZE" ]; then
1308 echo "sector size 512->4096"
1310 get_error_offsets 31 0 4096
1311 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1314 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1315 reencrypt_recover_online 4096 checksum $HASH7 $IMG_HDR
1316 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1318 reencrypt_recover_online 4096 journal $HASH7 $IMG_HDR
1320 echo "sector size 4096->4096"
1322 get_error_offsets 31 0 4096
1323 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1326 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1327 reencrypt_recover_online 4096 checksum $HASH7 $IMG_HDR
1328 reencrypt_recover_online 4096 journal $HASH7 $IMG_HDR
1331 echo "[10] Encryption recovery"
1332 prepare_linear_dev 64
1333 OFFSET=$((2*1024*2))
1335 echo "sector size 512"
1337 get_error_offsets 64 $OFFSET 512 $((62*1024*2))
1339 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1340 encrypt_recover 512 4M $HASH8 $((60*1024*2)) $HASH4
1342 if [ -n "$DM_SECTOR_SIZE" ]; then
1343 echo "sector size 4096"
1345 get_error_offsets 64 $OFFSET 4096 $((62*1024*2))
1347 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1348 encrypt_recover 4096 4M $HASH8 $((60*1024*2)) $HASH4
1351 echo "[11] Encryption recovery (online i/o error)"
1353 echo "sector size 512"
1355 get_error_offsets 64 $OFFSET 512 $((62*1024*2))
1357 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1358 encrypt_recover_online 512 4M $HASH8 $((60*1024*2)) $HASH4
1360 if [ -n "$DM_SECTOR_SIZE" ]; then
1361 echo "sector size 4096"
1363 get_error_offsets 64 $OFFSET 4096 $((62*1024*2))
1365 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1366 encrypt_recover_online 4096 4M $HASH8 $((60*1024*2)) $HASH4
1369 echo "[12] Encryption with detached header recovery"
1370 prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
1372 get_error_offsets 31 0
1374 echo "sector size 512"
1376 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1377 encrypt_recover_detached 512 checksum $HASH7 $IMG_HDR
1378 encrypt_recover_detached 512 journal $HASH7 $IMG_HDR
1380 if [ -n "$DM_SECTOR_SIZE" ]; then
1381 get_error_offsets 31 0 4096
1383 echo "sector size 4096"
1385 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1386 encrypt_recover_detached 4096 checksum $HASH7 $IMG_HDR
1387 encrypt_recover_detached 4096 journal $HASH7 $IMG_HDR
1390 echo "[13] Encryption with detached header recovery (online i/o error)"
1392 get_error_offsets 31 0
1394 echo "sector size 512"
1396 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1397 encrypt_recover_detached_online 512 checksum $HASH7 $IMG_HDR
1398 encrypt_recover_detached_online 512 journal $HASH7 $IMG_HDR
1400 if [ -n "$DM_SECTOR_SIZE" ]; then
1401 get_error_offsets 31 0 4096
1403 echo "sector size 4096"
1405 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1406 encrypt_recover_detached_online 4096 checksum $HASH7 $IMG_HDR
1407 encrypt_recover_detached_online 4096 journal $HASH7 $IMG_HDR
1410 echo "[14] Decryption with detached header recovery"
1412 echo "sector size 512"
1414 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1415 get_error_offsets 31 2049
1417 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1418 decrypt_recover_detached 512 journal $HASH7 $IMG_HDR
1419 decrypt_recover_detached 512 checksum $HASH7 $IMG_HDR
1421 if [ -n "$DM_SECTOR_SIZE" ]; then
1422 echo "sector size 4096"
1424 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1425 get_error_offsets 31 2048 4096
1427 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1428 decrypt_recover_detached 4096 checksum $HASH7 $IMG_HDR
1429 decrypt_recover_detached 4096 journal $HASH7 $IMG_HDR
1432 echo "[15] Decryption with detached header recovery (online i/o error)"
1434 echo "sector size 512"
1436 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1437 get_error_offsets 31 2049
1439 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1440 decrypt_recover_detached_online 512 journal $HASH7 $IMG_HDR
1441 decrypt_recover_detached_online 512 checksum $HASH7 $IMG_HDR
1443 if [ -n "$DM_SECTOR_SIZE" ]; then
1444 echo "sector size 4096"
1446 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1447 get_error_offsets 31 2048 4096
1449 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1450 decrypt_recover_detached_online 4096 checksum $HASH7 $IMG_HDR
1451 decrypt_recover_detached_online 4096 journal $HASH7 $IMG_HDR
1454 echo "[16] Offline reencryption with fixed device size."
1457 for test_sector_size in $TEST_SECTORS; do
1458 printf "sector size %4s: " $test_sector_size
1459 for test_res in checksum journal none; do
1460 echo -n "[$test_res]"
1461 reencrypt_offline_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8
1462 reencrypt_offline_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8
1463 reencrypt_offline_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8
1469 echo "[17] Online reencryption with fixed device size."
1470 for test_sector_size in $TEST_SECTORS; do
1471 printf "sector size %4s: " $test_sector_size
1472 for test_res in checksum journal none; do
1473 echo -n "[$test_res]"
1474 reencrypt_online_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8
1475 reencrypt_online_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8
1476 reencrypt_online_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8
1482 echo "[18] Offline reencryption with fixed device size (detached header)."
1485 for test_sector_size in $TEST_SECTORS; do
1486 printf "sector size %4s: " $test_sector_size
1487 for test_res in checksum journal none; do
1488 echo -n "[$test_res]"
1489 reencrypt_offline_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1490 reencrypt_offline_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1491 reencrypt_offline_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1497 echo "[19] Online reencryption with fixed device size (detached header)."
1498 for test_sector_size in $TEST_SECTORS; do
1499 printf "sector size %4s: " $test_sector_size
1500 for test_res in checksum journal none; do
1501 echo -n "[$test_res]"
1502 reencrypt_online_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1503 reencrypt_online_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1504 reencrypt_online_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1510 echo "[20] Offline encryption with fixed device size (detached header)."
1511 for test_sector_size in $TEST_SECTORS; do
1512 printf "sector size %4s: " $test_sector_size
1513 for test_res in checksum journal none; do
1514 echo -n "[$test_res]"
1515 encrypt_offline_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1516 encrypt_offline_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1517 encrypt_offline_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1523 echo "[21] Offline decryption with fixed device size (detached header)."
1524 prepare_linear_dev 60
1525 for test_sector_size in $TEST_SECTORS; do
1526 printf "sector size %4s: " $test_sector_size
1527 for test_res in checksum journal none; do
1528 echo -n "[$test_res]"
1529 decrypt_offline_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1530 decrypt_offline_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1531 decrypt_offline_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1537 echo "[22] Multi-keyslot device reencryption"
1538 prepare dev_size_mb=17
1539 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 32768 $FAST_PBKDF_ARGON $DEV || fail
1540 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV || fail
1541 echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON $DEV || fail
1544 echo -e "$PWD1\n$PWD2\n$PWD3" | $CRYPTSETUP reencrypt $DEV -q || fail
1545 check_hash $PWD1 $HASH2
1546 check_hash $PWD2 $HASH2
1547 check_hash $PWD3 $HASH2
1549 # check at least pbkdf type is preserved
1550 $CRYPTSETUP luksDump $DEV | grep -e "3: luks2" -A5 | grep -q "argon2" || fail
1551 $CRYPTSETUP luksDump $DEV | grep -e "4: luks2" -A5 | grep -q "pbkdf2" || fail
1552 $CRYPTSETUP luksDump $DEV | grep -e "5: luks2" -A5 | grep -q "argon2" || fail
1554 echo $PWD1 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV $KEY1 || fail
1556 # with more keyslots, specific has to be selected
1557 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q 2>/dev/null && fail
1558 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q -S0 || fail
1560 check_hash_dev /dev/mapper/$DEV_NAME $HASH2
1561 $CRYPTSETUP close $DEV_NAME
1563 # there should be single keyslot now
1564 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q || fail
1565 echo $PWD1 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S1 -d $KEY1 || fail
1567 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S2 --unbound --key-size 32 || fail
1568 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S22 --unbound --key-size 32 || fail
1569 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S23 --unbound --key-size 32 || fail
1571 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -S1 -q || fail
1572 $CRYPTSETUP open --test-passphrase -d $KEY1 $DEV 2>/dev/null && fail
1573 echo $PWD3 | $CRYPTSETUP open --test-passphrase -S2 $DEV || fail
1574 echo $PWD3 | $CRYPTSETUP open --test-passphrase -S22 $DEV || fail
1575 check_hash $PWD1 $HASH2
1579 while [ $COUNT -gt 0 ]; do
1580 echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF_ARGON || fail
1584 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -S0 -q 2>/dev/null && fail
1585 echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 30 || fail
1586 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -S0 || fail
1589 while [ $COUNT -gt 0 ]; do
1590 echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF_ARGON || fail
1594 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1" | $CRYPTSETUP reencrypt $DEV -q 2>/dev/null && fail
1595 echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 1 || fail
1596 # one wrong passphrase
1597 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD2" | $CRYPTSETUP reencrypt $DEV -q 2>/dev/null && fail
1598 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --resume-only -q 2>/dev/null && fail
1599 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1" | $CRYPTSETUP reencrypt $DEV -q || fail
1601 #test error path behaves as expected for initialization with not enough space in binary area
1602 # create LUKS2 header with keyslots binary space for exactly 4 keyslots
1603 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --luks2-keyslots-size $((4*258048)) -S0 -s512 --cipher aes-xts-plain64 $FAST_PBKDF_ARGON $DEV >/dev/null || fail
1604 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S1 $DEV -q $FAST_PBKDF_ARGON || fail
1605 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S2 $DEV -q $FAST_PBKDF_ARGON || fail
1606 # there is not enough space in binary area for keyslot id 4 (replacement for id 2)
1607 echo -e "$PWD1\n$PWD2\n$PWD2" | $CRYPTSETUP reencrypt $DEV --init-only -q 2>/dev/null && fail
1608 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail
1609 # check cli removed all unbound keyslots created in-before reencryption initialization
1610 $CRYPTSETUP luksDump $DEV | grep -q "unbound" && fail
1612 echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 2 || fail
1613 # there is not enough space in binary area for reencryption keyslot
1614 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP reencrypt $DEV --init-only -q 2>/dev/null && fail
1615 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail
1616 # check cli removed all unbound keyslots created in-before reencryption initialization
1617 $CRYPTSETUP luksDump $DEV | grep -q "unbound" && fail
1619 echo "[23] Reencryption with specified new volume key"
1620 prepare dev_size_mb=32
1621 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 256 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
1622 echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON $DEV || fail
1624 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -S0 $FAST_PBKDF_ARGON --volume-key-file $VKEY1 -s 128 || fail
1625 check_hash $PWD1 $HASH1
1626 $CRYPTSETUP luksErase -q $DEV || fail
1627 echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_ARGON --volume-key-file $VKEY1 -s 128 $DEV || fail
1628 check_hash $PWD1 $HASH1
1630 echo "[24] Reencryption with initial cipher_null"
1631 # aka custom encryption
1632 prepare dev_size_mb=32
1633 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
1635 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
1636 check_hash $PWD1 $HASH1
1639 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
1641 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME
1642 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
1643 check_hash_dev /dev/mapper/$DEV_NAME $HASH1
1644 if [ $HAVE_KEYRING -gt 0 ]; then
1645 $CRYPTSETUP status $DEV_NAME | grep -q "key location: keyring" || fail
1647 $CRYPTSETUP close $DEV_NAME
1649 # simulate LUKS2 device with cipher_null in both keyslot and segment (it can be created only by up conversion from LUKS1)
1650 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF2 $DEV || fail
1651 $CRYPTSETUP convert -q --type luks2 $DEV || fail
1653 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON >/dev/null || fail
1654 check_hash $PWD1 $HASH1
1655 # both keyslot and segment cipher must not be null after reencryption with default params
1656 $CRYPTSETUP luksDump $DEV | grep -q "cipher_null" && fail
1658 # multistep reencryption with initial cipher_null
1660 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $DEV -c null --offset 16384 -q $FAST_PBKDF_ARGON || fail
1661 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME
1662 wipe_dev /dev/mapper/$DEV_NAME
1663 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --hotzone-size 1M --resilience none -q $FAST_PBKDF_ARGON >/dev/null || fail
1664 $CRYPTSETUP close $DEV_NAME
1665 check_hash $PWD1 $HASH5
1667 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $DEV -c null --offset 16384 -q $FAST_PBKDF_ARGON || fail
1669 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --hotzone-size 1M --resilience none -q $FAST_PBKDF_ARGON >/dev/null || fail
1670 check_hash $PWD1 $HASH5
1672 echo "[25] Reencryption recovery with cipher_null"
1673 # (check opt-io size optimization in reencryption code does not affect recovery)
1674 # device with opt-io size 32k
1675 prepare_linear_dev 32 opt_blks=64 $OPT_XFERLEN_EXP
1678 echo "sector size 512->512"
1680 get_error_offsets 32 $OFFSET
1681 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1684 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1685 reencrypt_recover 512 checksum $HASH1
1686 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1688 reencrypt_recover 512 journal $HASH1
1690 if [ -n "$DM_SECTOR_SIZE" ]; then
1691 echo "sector size 512->4096"
1693 get_error_offsets 32 $OFFSET 4096
1694 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1697 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1698 reencrypt_recover 4096 checksum $HASH1
1699 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1701 reencrypt_recover 4096 journal $HASH1
1703 echo "sector size 4096->4096"
1705 get_error_offsets 32 $OFFSET 4096
1706 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1709 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1710 reencrypt_recover 4096 checksum $HASH1
1711 reencrypt_recover 4096 journal $HASH1
1714 echo "[26] Reencryption recovery with cipher_null (online i/o error)"
1716 echo "sector size 512->512"
1718 get_error_offsets 32 $OFFSET
1719 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 -c null --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1722 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1723 reencrypt_recover_online 512 checksum $HASH1
1724 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 -c null --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1726 reencrypt_recover_online 512 journal $HASH1
1728 if [ -n "$DM_SECTOR_SIZE" ]; then
1729 echo "sector size 512->4096"
1731 get_error_offsets 32 $OFFSET 4096
1732 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1735 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1736 reencrypt_recover_online 4096 checksum $HASH1
1737 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1739 reencrypt_recover_online 4096 journal $HASH1
1741 echo "sector size 4096->4096"
1743 get_error_offsets 32 $OFFSET 4096
1744 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1747 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1748 reencrypt_recover_online 4096 checksum $HASH1
1749 reencrypt_recover_online 4096 journal $HASH1
1752 echo "[27] Verify test passphrase mode works with reencryption metadata"
1753 echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
1754 echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail
1755 echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail
1756 echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
1758 echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail
1759 echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail
1760 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail
1761 echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
1763 wipe_dev_head $DEV 1
1765 echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1766 echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
1768 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail
1769 echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
1771 echo "[28] Prevent nested encryption"
1772 prepare_linear_dev 32 opt_blks=64 $OPT_XFERLEN_EXP
1774 #device already LUKS2
1775 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF2 $DEV || fail
1777 echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --reduce-device-size 2m $FAST_PBKDF2 $DEV 2>/dev/null && fail
1778 echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail
1779 test -f $IMG_HDR && fail
1780 echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks2 --reduce-device-size 2m $FAST_PBKDF2 $DEV 2>/dev/null && fail
1781 echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail
1782 test -f $IMG_HDR && fail
1784 echo $PWD1 | $CRYPTSETUP reencrypt -q --type luks1 $DEV 2>/dev/null && fail
1787 #detached header already LUKS2
1788 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail
1790 echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail
1791 echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail
1792 echo $PWD1 | $CRYPTSETUP reencrypt -q --type luks1 --header $IMG_HDR $DEV 2>/dev/null && fail
1795 #data device already in reencryption
1796 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF2 $DEV || fail
1797 echo $PWD1 | $CRYPTSETUP reencrypt --init-only $FAST_PBKDF_ARGON $DEV || fail
1799 echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail
1800 test -f $IMG_HDR && fail
1801 echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail
1802 test -f $IMG_HDR && fail
1804 echo $PWD1 | $CRYPTSETUP reencrypt -q --type luks1 $DEV 2>/dev/null && fail
1808 #header in reencryption (type mismatch)
1809 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail
1810 echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail
1812 echo "[29] Conflicting reencryption parameters"
1813 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF2 $DEV || fail
1814 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --init-only $FAST_PBKDF_ARGON || fail
1815 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 4M $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
1816 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
1817 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift 2> /dev/null && fail
1818 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-checksum 2> /dev/null && fail
1819 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-journal 2> /dev/null && fail
1820 wipe_dev_head $DEV 1
1821 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 16M $DEV -q $FAST_PBKDF_ARGON 2> /dev/null || fail
1822 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
1823 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience journal 2> /dev/null && fail
1824 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-checksum 2> /dev/null && fail
1825 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-journal 2> /dev/null && fail
1826 wipe_dev_head $DEV 1
1827 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail
1828 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail
1829 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
1830 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
1831 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --resilience datashift-checksum 2>/dev/null && fail
1832 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --resilience datashift-journal 2>/dev/null && fail
1834 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --encrypt --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail
1835 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
1836 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail
1837 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail
1838 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
1840 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF2 $DEV || fail
1841 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --init-only $FAST_PBKDF_ARGON --resilience datashift 2> /dev/null && fail
1842 test -f $IMG_HDR && fail
1843 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --init-only $FAST_PBKDF_ARGON --resilience none 2> /dev/null && fail
1844 test -f $IMG_HDR && fail
1845 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail
1846 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --init-only $FAST_PBKDF_ARGON --resilience checksum --hotzone-size 4m || fail
1847 $CRYPTSETUP isLuks $DEV -q && fail
1848 # $CRYPTSETUP luksDump $IMG_HDR
1849 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --resilience datashift 2> /dev/null && fail
1850 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --resilience none 2> /dev/null && fail
1851 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --resilience journal || fail
1855 if [ "$HAVE_BLKID" -gt 0 ]; then
1856 echo "[30] Prevent nested encryption of broken LUKS device"
1858 xz -dkf $HEADER_LUKS2_PV.xz
1862 echo $PWD1 | $CRYPTSETUP reencrypt -q --header $HEADER_LUKS2_PV $DEV $FAST_PBKDF_ARGON --encrypt --type luks2 2>/dev/null && fail
1863 $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail
1865 echo $PWD1 | $CRYPTSETUP reencrypt -q $HEADER_LUKS2_PV $FAST_PBKDF_ARGON --encrypt --force-offline-reencrypt --type luks2 --reduce-device-size 8m 2>/dev/null && fail
1866 $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail
1867 # broken data device only
1868 echo $PWD1 | $CRYPTSETUP reencrypt -q --header $IMG_HDR $HEADER_LUKS2_PV $FAST_PBKDF_ARGON --encrypt --force-offline-reencrypt --type luks2 2>/dev/null && fail
1869 test -f $IMG_HDR && fail
1872 if [ -n "$DM_SECTOR_SIZE" -a $HAVE_BLKID -gt 0 ]; then
1873 echo "[31] Prevent dangerous sector size increase"
1875 echo $PWD1 | $CRYPTSETUP luksFormat -q --sector-size 512 --type luks2 $FAST_PBKDF_ARGON $DEV || fail
1877 # block encryption sector size increase on offline device
1878 echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV 2>/dev/null && fail
1879 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail
1880 echo $PWD1 | $CRYPTSETUP reencrypt -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV 2>/dev/null && fail
1881 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail
1882 $CRYPTSETUP luksDump $DEV | grep -q "sector: 1024" && fail
1884 # --force-offline-reencrypt can bypass the constraint
1885 echo $PWD1 | $CRYPTSETUP reencrypt --force-offline-reencrypt --init-only -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV || fail
1887 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV || fail
1889 # online with no superblock is fine
1890 echo $PWD1 | $CRYPTSETUP open -q $DEV $DEV_NAME || fail
1891 echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 4096 $FAST_PBKDF_ARGON $DEV || fail
1892 $CRYPTSETUP close $DEV_NAME || fail
1894 # sector size decrease is ok
1895 echo $PWD1 | $CRYPTSETUP luksFormat -q --sector-size 4096 --type luks2 $FAST_PBKDF_ARGON $DEV || fail
1896 echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV || fail
1898 if [ -n "$BLKID_BLOCK_SIZE_SUPPORT" ]; then
1900 # encryption checks must work in offline mode
1901 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --header $IMG_HDR $IMG_FS $FAST_PBKDF_ARGON --init-only --type luks2 2>/dev/null && fail
1902 test -f $IMG_HDR && fail
1904 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --header $IMG_HDR $IMG_FS $FAST_PBKDF_ARGON --type luks2 2>/dev/null && fail
1905 test -f $IMG_HDR && fail
1907 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --reduce-device-size 8m $IMG_FS $FAST_PBKDF_ARGON --init-only --type luks2 2>/dev/null && fail
1908 $CRYPTSETUP isLuks $IMG_FS && fail
1909 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --reduce-device-size 8m $IMG_FS $FAST_PBKDF_ARGON --type luks2 2>/dev/null && fail
1910 $CRYPTSETUP isLuks $IMG_FS && fail
1912 echo $PWD1 | $CRYPTSETUP luksFormat -q --sector-size 512 --type luks2 $FAST_PBKDF_ARGON $DEV || fail
1913 echo $PWD1 | $CRYPTSETUP open -q $DEV $DEV_NAME || fail
1914 dd if=$IMG_FS of=/dev/mapper/$DEV_NAME bs=1M >/dev/null 2>&1
1916 echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV 2>/dev/null && fail
1917 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" && fail
1918 echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 1024 --active-name $DEV_NAME $FAST_PBKDF_ARGON 2>/dev/null && fail
1919 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" && fail
1920 echo $PWD1 | $CRYPTSETUP reencrypt -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV 2>/dev/null && fail
1921 $CRYPTSETUP luksDump $DEV | grep -q "sector: 512" || fail
1922 echo $PWD1 | $CRYPTSETUP reencrypt -q --sector-size 1024 --active-name $DEV_NAME $FAST_PBKDF_ARGON 2>/dev/null && fail
1923 $CRYPTSETUP luksDump $DEV | grep -q "sector: 512" || fail
1927 echo "[32] Removal of encryption (LUKS2 legacy cryptsetup-reencrypt test)."
1928 prepare dev_size_mb=32
1931 # offline decryption with shift
1932 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
1934 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
1935 check_hash_dev_head $DEV 57344 $HASH1
1936 # FIXME: Should not reencryption remove it automatically?
1939 # online decryption with shift
1940 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
1941 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
1942 wipe_dev /dev/mapper/$DEV_NAME
1943 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
1944 check_hash_dev_head $DEV 57344 $HASH1
1945 # FIXME: Should not reencryption remove it automatically?
1948 # offline decryption (separate initialization and decryption steps)
1949 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
1951 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only || fail
1952 check_hash $PWD1 $HASH1 $IMG_HDR
1953 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
1954 check_hash_dev_head $DEV 57344 $HASH1
1955 # FIXME: Should not reencryption remove it automatically?
1958 # online decryption with shift
1959 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
1960 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
1961 wipe_dev /dev/mapper/$DEV_NAME
1962 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only || fail
1963 check_hash_dev /dev/mapper/$DEV_NAME $HASH1
1964 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
1965 check_hash_dev_head $DEV 57344 $HASH1
1966 # FIXME: Should not reencryption remove it automatically?
1969 # same tests just with date size == LUKS2 header size
1970 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 32768 || fail
1972 check_hash $PWD1 $HASH10
1973 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
1974 check_hash_dev_head $DEV 32768 $HASH10
1975 # FIXME: Should not reencryption remove it automatically?
1978 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 32768 || fail
1979 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
1980 wipe_dev /dev/mapper/$DEV_NAME
1981 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
1982 check_hash_dev_head $DEV 32768 $HASH10
1983 # FIXME: Should not reencryption remove it automatically?
1986 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 32768 || fail
1988 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only || fail
1989 check_hash $PWD1 $HASH10 $IMG_HDR
1990 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
1991 check_hash_dev_head $DEV 32768 $HASH10
1992 # FIXME: Should not reencryption remove it automatically?
1995 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 32768 || fail
1996 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
1997 wipe_dev /dev/mapper/$DEV_NAME
1998 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only || fail
1999 check_hash_dev /dev/mapper/$DEV_NAME $HASH10
2000 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
2001 check_hash_dev_head $DEV 32768 $HASH10
2002 # FIXME: Should not reencryption remove it automatically?
2006 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 63488 || fail
2007 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
2008 wipe_dev /dev/mapper/$DEV_NAME
2009 # --hotzone-size larger than data expected to get auto corrected by library
2010 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only --hotzone-size 4M || fail
2011 check_hash_dev /dev/mapper/$DEV_NAME $HASH2
2012 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
2013 check_hash_dev_head $DEV 2048 $HASH2
2016 # small device (less than header size)
2017 prepare dev_size_mb=5
2018 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -S5 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
2020 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
2021 check_hash_dev_head $DEV 2048 $HASH2
2022 # FIXME: Should not reencryption remove it automatically?
2025 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -S5 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
2026 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
2027 wipe_dev /dev/mapper/$DEV_NAME
2028 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
2029 check_hash_dev_head $DEV 2048 $HASH2
2032 # initialization by --active-name parameter
2033 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
2034 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
2035 wipe_dev /dev/mapper/$DEV_NAME
2036 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --active-name $DEV_NAME || fail
2037 check_hash_dev_head $DEV 2048 $HASH2
2040 # initialization and resume by --active-name parameter
2041 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
2042 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
2043 wipe_dev /dev/mapper/$DEV_NAME
2044 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --active-name $DEV_NAME --init-only || fail
2045 check_hash_dev /dev/mapper/$DEV_NAME $HASH2
2046 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --active-name $DEV_NAME || fail
2047 check_hash_dev_head $DEV 2048 $HASH2
2050 echo "[33] Decryption with datashift recovery (error in shift area)."
2051 prepare_linear_dev 32
2052 echo "sector size 512"
2054 # avoid error in moved segment area on purpose
2055 # Also do not create write error in last segment because
2056 # that would not trigger reencryption crash (read would pass)
2057 get_error_offsets 32 $OFFSET 512 $((32-1024*2-$OFFSET))
2058 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
2061 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
2062 echo -n "resilience:"
2063 decrypt_recover $HASH1 $IMG_HDR $((32*1024*2-$OFFSET))
2065 if [ -n "$DM_SECTOR_SIZE" ]; then
2066 echo -e "\nsector size 4096"
2068 get_error_offsets 32 $OFFSET 4096 $((32-1024*2-$OFFSET))
2069 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
2072 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
2073 echo -n "resilience:"
2074 decrypt_recover $HASH1 $IMG_HDR $((32*1024*2-$OFFSET))
2078 echo "[34] Decryption with datashift recovery (error in moved segment)."
2079 echo "sector size 512"
2081 HZ_SIZE=$((3*1024*2))
2083 # move injected error in moved segment area
2084 get_error_offsets 32 0 512 $HZ_SIZE
2085 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
2087 echo -n "resilience:"
2088 for res in datashift-journal datashift-checksum; do
2090 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
2093 decrypt_recover $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) $res $(($HZ_SIZE*512))
2096 if [ -n "$DM_SECTOR_SIZE" ]; then
2097 echo -e "\nsector size 4096"
2099 # move injected error in moved segment area
2100 get_error_offsets 32 0 4096 $HZ_SIZE
2101 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
2103 echo -n "resilience:"
2104 for res in datashift-journal datashift-checksum; do
2105 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
2108 decrypt_recover $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) $res $(($HZ_SIZE*512))
2113 echo "[35] Decryption with datashift recovery (online i/o error in shift area)."
2114 echo "sector size 512"
2116 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
2117 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
2118 wipe_dev /dev/mapper/$DEV_NAME
2120 # avoid error in moved segment area on purpose
2121 # Also do not create write error in last segment because
2122 # that would not trigger reencryption crash (read would pass)
2123 get_error_offsets 32 $OFFSET 512 $((32-1024*2-$OFFSET))
2124 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
2126 echo -n "resilience:"
2127 decrypt_recover_online $HASH1 $IMG_HDR $((32*1024*2-$OFFSET))
2129 if [ -n "$DM_SECTOR_SIZE" ]; then
2130 echo -e "\nsector size 4096"
2132 get_error_offsets 32 $OFFSET 4096 $((32-1024*2-$OFFSET))
2133 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
2134 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
2135 wipe_dev /dev/mapper/$DEV_NAME
2137 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
2138 echo -n "resilience:"
2139 decrypt_recover_online $HASH1 $IMG_HDR $((32*1024*2-$OFFSET))
2143 echo "[36] Decryption with datashift recovery (online i/o error in moved segment)."
2144 echo "sector size 512"
2146 # move injected error in moved segment area
2147 get_error_offsets 32 0 512 $HZ_SIZE
2148 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
2150 echo -n "resilience:"
2151 for res in datashift-journal datashift-checksum; do
2153 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
2154 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
2155 wipe_dev /dev/mapper/$DEV_NAME
2157 decrypt_recover_online_moved $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) $res $(($HZ_SIZE*512))
2160 if [ -n "$DM_SECTOR_SIZE" ]; then
2161 echo -e "\nsector size 4096"
2163 get_error_offsets 32 0 4096 $HZ_SIZE
2164 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
2166 echo -n "resilience:"
2167 for res in datashift-journal datashift-checksum; do
2169 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
2170 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
2171 wipe_dev /dev/mapper/$DEV_NAME
2173 decrypt_recover_online_moved $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) $res $(($HZ_SIZE*512))
2178 echo "[37] Decryption with datashift (large data offsets)"
2179 prepare_linear_dev 512
2181 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset 1015808 --luks2-keyslots-size 16M $FAST_PBKDF_ARGON $DEV || fail
2183 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail
2184 check_hash_dev_head $DEV $((16*1024*2)) $HASH10
2187 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset 1015808 --luks2-keyslots-size 16M $FAST_PBKDF_ARGON $DEV || fail
2188 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME
2189 wipe_dev /dev/mapper/$DEV_NAME
2190 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail
2191 check_hash_dev_head $DEV $((16*1024*2)) $HASH10
2194 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset 1046528 --luks2-keyslots-size 16M $FAST_PBKDF_ARGON $DEV || fail
2196 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail
2197 check_hash_dev_head $DEV 2048 $HASH2
2200 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset 1046528 --luks2-keyslots-size 16M $FAST_PBKDF_ARGON $DEV || fail
2201 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME
2202 wipe_dev /dev/mapper/$DEV_NAME
2203 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail
2204 check_hash_dev_head $DEV 2048 $HASH2