+2012-02-11 Milan Broz <mbroz@redhat.com>
+ * Add --master-key-file option to luksOpen (open using volume key).
+
2012-01-12 Milan Broz <mbroz@redhat.com>
* Fix use of empty keyfile.
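Review bot: the ChangeLog entry names only luksOpen, but the man page hunks in this patch also add \-\-master-key-file to the option lists of luksFormat and luksAddKey. Either mention those documentation fixes in this entry or move them to a separate change, so the log matches what the patch touches.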
\fB<options>\fR can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size,
\-\-key-slot, \-\-key-file (takes precedence over optional second argument),
-\-\-keyfile-size, \-\-use-random | \-\-use-urandom, \-\-uuid].
+\-\-keyfile-size, \-\-use-random | \-\-use-urandom, \-\-uuid, \-\-master-key-file].
.PP
\fIluksOpen\fR <device> <name>
.IP
(either via key file by \-\-key-file, or via prompting).
\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-readonly, \-\-allow-discards,
-\-\-header, \-\-key-slot].
+\-\-header, \-\-key-slot, \-\-master-key-file].
.PP
\fIluksClose\fR <name>
.IP
(via \-\-key-file) must be supplied.
The key file with the new material is supplied as a positional argument.
-\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-new-keyfile-size, \-\-key-slot].
+\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-new-keyfile-size, \-\-key-slot,
+\-\-master-key-file].
.PP
\fIluksRemoveKey\fR <device> [<key file>]
.IP
are the same existing encrypted data remains intact).
For \fIluksAddKey\fR it allows adding new passphrase with only master key knowledge.
+
+For \fIluksOpen\fR it allows to open the LUKS device with only master key knowledge.
+
.TP
.B "\-\-dump-master-key"
For \fIluksDump\fR it allows LUKS header dump including volume (master) key.
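Review bot: the new luksOpen sentence under \-\-master-key-file leaves out two things a user needs to know. It does not say that the file must hold exactly as many bytes as the volume key size stored in the header, which is the size the code reads. It also does not say that \-\-key-file and \-\-key-slot are ignored when \-\-master-key-file is given, even though all three now appear together in the luksOpen option list. The luksFormat text already spells out precedence for \-\-key-file ("takes precedence over optional second argument"), and the same is worth doing here. On wording, "it allows to open the LUKS device" would read better as "it allows opening the LUKS device", matching the luksAddKey sentence above it.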
{
struct crypt_device *cd = NULL;
const char *data_device, *header_device;
+ char *key = NULL;
uint32_t flags = 0;
- int r;
+ int r, keysize;
if (opt_header_device) {
header_device = opt_header_device;
if (opt_allow_discards)
flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
- if (opt_key_file) {
+ if (opt_master_key_file) {
+ keysize = crypt_get_volume_key_size(cd);
+ r = _read_mk(opt_master_key_file, &key, keysize);
+ if (r < 0)
+ goto out;
+ r = crypt_activate_by_volume_key(cd, action_argv[1],
+ key, keysize, flags);
+ } else if (opt_key_file) {
crypt_set_password_retry(cd, 1);
r = crypt_activate_by_keyfile(cd, action_argv[1],
opt_key_slot, opt_key_file, opt_keyfile_size,
r = crypt_activate_by_passphrase(cd, action_argv[1],
opt_key_slot, NULL, 0, flags);
out:
+ crypt_safe_free(key);
crypt_free(cd);
return r;
}
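Review bot: in the `opt_master_key_file` branch, the value returned by `crypt_get_volume_key_size(cd)` is passed to `_read_mk()` and `crypt_activate_by_volume_key()` without being checked. `keysize` is a signed int, so a zero or negative result would reach the read helper as the requested length. Consider a guard right after the call, for example `if (keysize <= 0) { r = -EINVAL; goto out; }`. The cleanup side looks right: `key` starts as NULL and `crypt_safe_free(key)` sits on the shared `out:` path, so the early `goto out` does not leak or free an uninitialised pointer. Since this branch is tested before `opt_key_file`, a command line that gives both options silently drops the key file; rejecting that combination or logging a message would make the behaviour explicit.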
$CRYPTSETUP -q luksFormat $LOOPDEV $KEYE || fail
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
+# open by volume key
+echo "key0" | $CRYPTSETUP -q luksFormat -s 256 --master-key-file $KEY1 $LOOPDEV || fail
+$CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
prepare "[17] AddKey volume key, passphrase and keyfile" wipe
# masterkey
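Review bot: the added "open by volume key" case covers only the success path. Opening with the same $KEY1 that was used at format time shows the option is accepted, but nothing checks that luksOpen \-\-master-key-file refuses a file holding a different key or a file of the wrong length. Please add at least one case that is expected to fail, so a regression that activates the device with an unverified key would be caught. The case also depends on $KEY1 being 32 bytes to match `-s 256`; a short comment stating that would help whoever edits the key setup later.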