2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "cryptsetup.h"
24 static const char *opt_cipher = NULL;
25 static const char *opt_hash = NULL;
26 static int opt_verify_passphrase = 0;
28 static const char *opt_key_file = NULL;
29 static int opt_keyfiles_count = 0;
30 static const char *opt_keyfiles[MAX_KEYFILES];
32 static const char *opt_master_key_file = NULL;
33 static const char *opt_header_backup_file = NULL;
34 static const char *opt_uuid = NULL;
35 static const char *opt_header_device = NULL;
36 static int opt_key_size = 0;
37 static long opt_keyfile_size = 0;
38 static long opt_new_keyfile_size = 0;
39 static long opt_keyfile_offset = 0;
40 static long opt_new_keyfile_offset = 0;
41 static int opt_key_slot = CRYPT_ANY_SLOT;
42 static uint64_t opt_size = 0;
43 static uint64_t opt_offset = 0;
44 static uint64_t opt_skip = 0;
45 static int opt_skip_valid = 0;
46 static int opt_readonly = 0;
47 static int opt_iteration_time = DEFAULT_LUKS1_ITER_TIME;
48 static int opt_version_mode = 0;
49 static int opt_timeout = 0;
50 static int opt_tries = 3;
51 static int opt_align_payload = 0;
52 static int opt_random = 0;
53 static int opt_urandom = 0;
54 static int opt_dump_master_key = 0;
55 static int opt_shared = 0;
56 static int opt_allow_discards = 0;
57 static int opt_test_passphrase = 0;
58 static int opt_hidden = 0;
60 static const char **action_argv;
61 static int action_argc;
62 static const char *null_action_argv[] = {NULL, NULL};
64 static int action_create(int arg);
65 static int action_remove(int arg);
66 static int action_resize(int arg);
67 static int action_status(int arg);
68 static int action_benchmark(int arg);
69 static int action_luksFormat(int arg);
70 static int action_luksOpen(int arg);
71 static int action_luksAddKey(int arg);
72 static int action_luksKillSlot(int arg);
73 static int action_luksRemoveKey(int arg);
74 static int action_luksChangeKey(int arg);
75 static int action_isLuks(int arg);
76 static int action_luksUUID(int arg);
77 static int action_luksDump(int arg);
78 static int action_luksSuspend(int arg);
79 static int action_luksResume(int arg);
80 static int action_luksBackup(int arg);
81 static int action_luksRestore(int arg);
82 static int action_loopaesOpen(int arg);
83 static int action_luksRepair(int arg);
84 static int action_tcryptOpen(int arg);
85 static int action_tcryptDump(int arg);
87 static struct action_type {
91 int required_action_argc;
96 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
97 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
98 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
99 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
100 { "benchmark", action_benchmark, 0, 0, 0, N_("<name>"), N_("benchmark cipher") },
101 { "repair", action_luksRepair, 0, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
102 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
103 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
104 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
105 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
106 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
107 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
108 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
109 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
110 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
111 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
112 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
113 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
114 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
115 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
116 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
117 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
118 { "tcryptOpen", action_tcryptOpen, 0, 2, 1, N_("<device> <name> "), N_("open TCRYPT device as mapping <name>") },
119 { "tcryptDump", action_tcryptDump, 0, 1, 1, N_("<device>"), N_("dump TCRYPT device information") },
120 { NULL, NULL, 0, 0, 0, NULL, NULL }
123 static int _verify_passphrase(int def)
125 /* Batch mode switch off verify - if not overrided by -y */
126 if (opt_verify_passphrase)
128 else if (opt_batch_mode)
131 /* Non-tty input doesn't allow verify */
132 if (def && !isatty(STDIN_FILENO)) {
133 if (opt_verify_passphrase)
134 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
141 static int action_create(int arg __attribute__((unused)))
143 struct crypt_device *cd = NULL;
144 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
145 struct crypt_params_plain params = {
146 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
148 .offset = opt_offset,
151 char *password = NULL;
153 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
154 uint32_t activate_flags = 0;
157 if (params.hash && !strcmp(params.hash, "plain"))
160 /* FIXME: temporary hack */
161 if (opt_key_file && strcmp(opt_key_file, "-"))
164 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
165 log_std(("Ignoring keyfile offset and size options, keyfile read "
166 "size is always the same as encryption key size.\n"));
168 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
169 cipher, NULL, cipher_mode);
171 log_err("No known cipher specification pattern detected.\n");
175 if ((r = crypt_init(&cd, action_argv[1])))
178 crypt_set_timeout(cd, opt_timeout);
179 crypt_set_password_retry(cd, opt_tries);
181 r = crypt_format(cd, CRYPT_PLAIN,
190 activate_flags |= CRYPT_ACTIVATE_READONLY;
193 activate_flags |= CRYPT_ACTIVATE_SHARED;
195 if (opt_allow_discards)
196 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
199 /* With hashing, read the whole keyfile */
200 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
201 CRYPT_ANY_SLOT, opt_key_file,
202 params.hash ? 0 : key_size, 0,
205 r = crypt_get_key(_("Enter passphrase: "),
206 &password, &passwordLen,
207 opt_keyfile_offset, opt_keyfile_size,
209 _verify_passphrase(0),
214 r = crypt_activate_by_passphrase(cd, action_argv[0],
215 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
219 crypt_safe_free(password);
224 static int action_loopaesOpen(int arg __attribute__((unused)))
226 struct crypt_device *cd = NULL;
227 struct crypt_params_loopaes params = {
228 .hash = opt_hash ?: NULL,
229 .offset = opt_offset,
230 .skip = opt_skip_valid ? opt_skip : opt_offset,
232 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
233 uint32_t activate_flags = 0;
237 log_err(_("Option --key-file is required.\n"));
242 activate_flags |= CRYPT_ACTIVATE_READONLY;
244 if (opt_allow_discards)
245 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
247 if ((r = crypt_init(&cd, action_argv[0])))
250 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
251 NULL, NULL, NULL, key_size, ¶ms);
255 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
256 opt_key_file, opt_keyfile_size,
257 opt_keyfile_size, activate_flags);
264 static int action_tcryptOpen(int arg __attribute__((unused)))
266 struct crypt_device *cd = NULL;
267 struct crypt_params_tcrypt params = {
268 .keyfiles = opt_keyfiles,
269 .keyfiles_count = opt_keyfiles_count,
270 .flags = CRYPT_TCRYPT_LEGACY_MODES,
272 const char *activated_name;
276 activated_name = opt_test_passphrase ? NULL : action_argv[1];
278 if ((r = crypt_init(&cd, action_argv[0])))
281 /* TCRYPT header is encrypted, get passphrase now */
282 r = crypt_get_key(_("Enter passphrase: "),
283 CONST_CAST(char**)¶ms.passphrase,
284 ¶ms.passphrase_size, 0, 0, NULL, opt_timeout,
285 _verify_passphrase(0), cd);
290 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
292 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
297 flags |= CRYPT_ACTIVATE_READONLY;
300 r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, flags);
303 crypt_safe_free(CONST_CAST(char*)params.passphrase);
307 static int action_tcryptDump(int arg __attribute__((unused)))
309 struct crypt_device *cd = NULL;
310 struct crypt_params_tcrypt params = {
311 .keyfiles = opt_keyfiles,
312 .keyfiles_count = opt_keyfiles_count,
313 .flags = CRYPT_TCRYPT_LEGACY_MODES,
317 if ((r = crypt_init(&cd, action_argv[0])))
320 /* TCRYPT header is encrypted, get passphrase now */
321 r = crypt_get_key(_("Enter passphrase: "),
322 CONST_CAST(char**)¶ms.passphrase,
323 ¶ms.passphrase_size, 0, 0, NULL, opt_timeout,
324 _verify_passphrase(0), cd);
329 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
331 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
338 crypt_safe_free(CONST_CAST(char*)params.passphrase);
342 static int action_remove(int arg __attribute__((unused)))
344 struct crypt_device *cd = NULL;
347 r = crypt_init_by_name(&cd, action_argv[0]);
349 r = crypt_deactivate(cd, action_argv[0]);
355 static int action_resize(int arg __attribute__((unused)))
357 struct crypt_device *cd = NULL;
360 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
362 r = crypt_resize(cd, action_argv[0], opt_size);
368 static int action_status(int arg __attribute__((unused)))
370 crypt_status_info ci;
371 struct crypt_active_device cad;
372 struct crypt_device *cd = NULL;
378 /* perhaps a path, not a dm device name */
379 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
382 ci = crypt_status(NULL, action_argv[0]);
389 log_std("%s is inactive.\n", action_argv[0]);
391 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
397 log_std("%s is active%s.\n", action_argv[0],
398 ci == CRYPT_BUSY ? " and is in use" : "");
400 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
401 ci == CRYPT_BUSY ? " and is in use" : "");
403 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
404 if (r < 0 || !crypt_get_type(cd))
407 log_std(" type: %s\n", crypt_get_type(cd));
409 r = crypt_get_active_device(cd, action_argv[0], &cad);
413 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
414 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
415 device = crypt_get_device_name(cd);
416 log_std(" device: %s\n", device);
417 if (crypt_loop_device(device)) {
418 backing_file = crypt_loop_backing_file(device);
419 log_std(" loop: %s\n", backing_file);
422 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
423 log_std(" size: %" PRIu64 " sectors\n", cad.size);
425 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
426 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
427 "readonly" : "read/write");
428 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
429 log_std(" flags: discards\n");
438 static int action_benchmark(int arg __attribute__((unused)))
446 { "aes", "cbc", 16, 16 },
447 { "serpent", "cbc", 16, 16 },
448 { "twofish", "cbc", 16, 16 },
449 { "aes", "cbc", 32, 16 },
450 { "serpent", "cbc", 32, 16 },
451 { "twofish", "cbc", 32, 16 },
452 { "aes", "xts", 32, 16 },
453 { "serpent", "xts", 32, 16 },
454 { "twofish", "xts", 32, 16 },
455 { "aes", "xts", 64, 16 },
456 { "serpent", "xts", 64, 16 },
457 { "twofish", "xts", 64, 16 },
460 char *header = "# Tests are approximate using memory only (no storage IO).\n"
461 "# Algorithm | Key | Encryption | Decryption\n";
462 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
463 double enc_mbr = 0, dec_mbr = 0;
464 int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS);
466 int buffer_size = 1024 * 1024;
471 r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
473 log_err(_("No known cipher specification pattern detected.\n"));
476 if ((c = strchr(cipher_mode, '-')))
479 /* FIXME: not really clever :) */
480 if (strstr(cipher, "des"))
483 r = crypt_benchmark(NULL, cipher, cipher_mode,
484 key_size / 8, iv_size, buffer_size,
487 log_std("%s", header);
488 strncat(cipher, "-", MAX_CIPHER_LEN);
489 strncat(cipher, cipher_mode, MAX_CIPHER_LEN);
490 log_std("%11s %4db %5.1f MiB/s %5.1f MiB/s\n",
491 cipher, key_size, enc_mbr, dec_mbr);
492 } else if (r == -ENOTSUP)
493 log_err(_("Cipher %s is not available.\n"), opt_cipher);
495 for (i = 0; bciphers[i].cipher; i++) {
496 r = crypt_benchmark(NULL, bciphers[i].cipher, bciphers[i].mode,
497 bciphers[i].key_size, bciphers[i].iv_size,
498 buffer_size, &enc_mbr, &dec_mbr);
502 log_std("%s", header);
504 snprintf(cipher, MAX_CIPHER_LEN, "%s-%s",
505 bciphers[i].cipher, bciphers[i].mode);
507 log_std("%11s %4db %5.1f MiB/s %5.1f MiB/s\n",
508 cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr);
510 log_std("%11s %4db %12s %12s\n", cipher,
511 bciphers[i].key_size*8, _("N/A"), _("N/A"));
516 log_err( _("Required kernel crypto interface is not available.\n"
517 "Ensure you have af_skcipher kernel module loaded.\n"));
521 static int _read_mk(const char *file, char **key, int keysize)
525 *key = crypt_safe_alloc(keysize);
529 fd = open(file, O_RDONLY);
531 log_err("Cannot read keyfile %s.\n", file);
534 if ((read(fd, *key, keysize) != keysize)) {
535 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
542 crypt_safe_free(*key);
547 static int action_luksRepair(int arg __attribute__((unused)))
549 struct crypt_device *cd = NULL;
552 if ((r = crypt_init(&cd, action_argv[0])))
555 /* Currently only LUKS1 allows repair */
556 crypt_set_log_callback(cd, quiet_log, NULL);
557 r = crypt_load(cd, CRYPT_LUKS1, NULL);
558 crypt_set_log_callback(cd, tool_log, NULL);
560 log_verbose( _("No known problems detected for LUKS header.\n"));
564 r = yesDialog(_("Really try to repair LUKS device header?"),
567 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
573 static int action_luksFormat(int arg __attribute__((unused)))
575 int r = -EINVAL, keysize;
576 const char *header_device;
577 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
578 char *password = NULL;
580 struct crypt_device *cd = NULL;
581 struct crypt_params_luks1 params = {
582 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
583 .data_alignment = opt_align_payload,
584 .data_device = opt_header_device ? action_argv[0] : NULL,
587 header_device = opt_header_device ?: action_argv[0];
589 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
590 header_device) == -1) {
591 log_err(_("memory allocation error in action_luksFormat"));
595 r = yesDialog(msg, NULL) ? 0 : -EINVAL;
600 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
601 cipher, NULL, cipher_mode);
603 log_err(_("No known cipher specification pattern detected.\n"));
607 if ((r = crypt_init(&cd, header_device))) {
608 if (opt_header_device)
609 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
613 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
615 crypt_set_timeout(cd, opt_timeout);
616 if (opt_iteration_time)
617 crypt_set_iteration_time(cd, opt_iteration_time);
620 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
621 else if (opt_urandom)
622 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
624 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
625 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
626 opt_timeout, _verify_passphrase(1), cd);
630 if (opt_master_key_file) {
631 r = _read_mk(opt_master_key_file, &key, keysize);
636 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
637 opt_uuid, key, keysize, ¶ms);
641 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
643 password, passwordLen);
646 crypt_safe_free(key);
647 crypt_safe_free(password);
652 static int action_luksOpen(int arg __attribute__((unused)))
654 struct crypt_device *cd = NULL;
655 const char *data_device, *header_device, *activated_name;
660 if (opt_header_device) {
661 header_device = uuid_or_device(opt_header_device);
662 data_device = action_argv[0];
664 header_device = uuid_or_device(action_argv[0]);
668 activated_name = opt_test_passphrase ? NULL : action_argv[1];
670 if ((r = crypt_init(&cd, header_device)))
673 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
677 (r = crypt_set_data_device(cd, data_device)))
680 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
681 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
686 crypt_set_timeout(cd, opt_timeout);
687 crypt_set_password_retry(cd, opt_tries);
688 crypt_set_password_verify(cd, _verify_passphrase(0));
690 if (opt_iteration_time)
691 crypt_set_iteration_time(cd, opt_iteration_time);
694 flags |= CRYPT_ACTIVATE_READONLY;
696 if (opt_allow_discards)
697 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
699 if (opt_master_key_file) {
700 keysize = crypt_get_volume_key_size(cd);
701 r = _read_mk(opt_master_key_file, &key, keysize);
704 r = crypt_activate_by_volume_key(cd, activated_name,
705 key, keysize, flags);
706 } else if (opt_key_file) {
707 crypt_set_password_retry(cd, 1);
708 r = crypt_activate_by_keyfile_offset(cd, activated_name,
709 opt_key_slot, opt_key_file, opt_keyfile_size,
710 opt_keyfile_offset, flags);
712 r = crypt_activate_by_passphrase(cd, activated_name,
713 opt_key_slot, NULL, 0, flags);
715 crypt_safe_free(key);
720 static int verify_keyslot(struct crypt_device *cd, int key_slot,
721 char *msg_last, char *msg_pass,
722 const char *key_file, int keyfile_offset,
725 crypt_keyslot_info ki;
726 char *password = NULL;
730 ki = crypt_keyslot_status(cd, key_slot);
731 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !yesDialog(msg_last, NULL))
734 r = crypt_get_key(msg_pass, &password, &passwordLen,
735 keyfile_offset, keyfile_size, key_file, opt_timeout,
736 _verify_passphrase(0), cd);
740 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
741 /* check the last keyslot */
742 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
743 password, passwordLen, 0);
745 /* try all other keyslots */
746 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
749 ki = crypt_keyslot_status(cd, key_slot);
750 if (ki == CRYPT_SLOT_ACTIVE)
751 r = crypt_activate_by_passphrase(cd, NULL, i,
752 password, passwordLen, 0);
759 log_err(_("No key available with this passphrase.\n"));
761 crypt_safe_free(password);
765 static int action_luksKillSlot(int arg __attribute__((unused)))
767 struct crypt_device *cd = NULL;
770 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
773 crypt_set_confirm_callback(cd, yesDialog, NULL);
774 crypt_set_timeout(cd, opt_timeout);
776 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
779 switch (crypt_keyslot_status(cd, opt_key_slot)) {
780 case CRYPT_SLOT_ACTIVE_LAST:
781 case CRYPT_SLOT_ACTIVE:
782 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
784 case CRYPT_SLOT_INACTIVE:
785 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
786 case CRYPT_SLOT_INVALID:
791 if (!opt_batch_mode) {
792 r = verify_keyslot(cd, opt_key_slot,
793 _("This is the last keyslot. Device will become unusable after purging this key."),
794 _("Enter any remaining LUKS passphrase: "),
795 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
800 r = crypt_keyslot_destroy(cd, opt_key_slot);
806 static int action_luksRemoveKey(int arg __attribute__((unused)))
808 struct crypt_device *cd = NULL;
809 char *password = NULL;
813 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
816 crypt_set_confirm_callback(cd, yesDialog, NULL);
817 crypt_set_timeout(cd, opt_timeout);
819 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
822 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
823 &password, &passwordLen,
824 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
826 _verify_passphrase(0),
831 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
832 password, passwordLen, 0);
837 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
839 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
840 !yesDialog(_("This is the last keyslot. "
841 "Device will become unusable after purging this key."),
847 r = crypt_keyslot_destroy(cd, opt_key_slot);
849 crypt_safe_free(password);
854 static int action_luksAddKey(int arg __attribute__((unused)))
856 int r = -EINVAL, keysize = 0;
858 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
859 struct crypt_device *cd = NULL;
861 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
864 crypt_set_confirm_callback(cd, yesDialog, NULL);
866 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
869 keysize = crypt_get_volume_key_size(cd);
870 /* FIXME: lib cannot properly set verification for new/old passphrase */
871 crypt_set_password_verify(cd, _verify_passphrase(0));
872 crypt_set_timeout(cd, opt_timeout);
873 if (opt_iteration_time)
874 crypt_set_iteration_time(cd, opt_iteration_time);
876 if (opt_master_key_file) {
877 r = _read_mk(opt_master_key_file, &key, keysize);
880 //FIXME: process keyfile arg
881 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
882 key, keysize, NULL, 0);
883 } else if (opt_key_file || opt_new_key_file) {
884 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
885 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
886 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
888 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
893 crypt_safe_free(key);
897 static int _slots_full(struct crypt_device *cd)
901 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
902 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
907 static int action_luksChangeKey(int arg __attribute__((unused)))
909 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
910 struct crypt_device *cd = NULL;
911 char *vk = NULL, *password = NULL;
912 size_t passwordLen = 0;
914 int new_key_slot, old_key_slot, r;
916 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
919 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
922 if (opt_iteration_time)
923 crypt_set_iteration_time(cd, opt_iteration_time);
925 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
926 &password, &passwordLen,
927 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
928 opt_timeout, _verify_passphrase(0), cd);
932 vk_size = crypt_get_volume_key_size(cd);
933 vk = crypt_safe_alloc(vk_size);
939 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
940 password, passwordLen);
942 if (opt_key_slot != CRYPT_ANY_SLOT)
943 log_err(_("No key available with this passphrase.\n"));
947 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
948 log_dbg("Key slot %d is going to be overwritten (%s).",
949 r, opt_key_slot != CRYPT_ANY_SLOT ?
950 "explicit key slot specified" : "no free key slot");
954 log_dbg("Allocating new key slot.");
956 new_key_slot = CRYPT_ANY_SLOT;
959 crypt_safe_free(password);
962 r = crypt_get_key(_("Enter new LUKS passphrase: "),
963 &password, &passwordLen,
964 opt_new_keyfile_offset, opt_new_keyfile_size,
966 opt_timeout, _verify_passphrase(0), cd);
970 if (new_key_slot == old_key_slot) {
971 (void)crypt_keyslot_destroy(cd, old_key_slot);
972 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
974 password, passwordLen);
976 log_verbose(_("Key slot %d changed.\n"), r);
978 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
980 password, passwordLen);
982 log_verbose(_("Replaced with key slot %d.\n"), r);
983 r = crypt_keyslot_destroy(cd, old_key_slot);
987 log_err(_("Failed to swap new key slot.\n"));
990 crypt_safe_free(password);
995 static int action_isLuks(int arg __attribute__((unused)))
997 struct crypt_device *cd = NULL;
1000 if ((r = crypt_init(&cd, action_argv[0])))
1003 crypt_set_log_callback(cd, quiet_log, NULL);
1004 r = crypt_load(cd, CRYPT_LUKS1, NULL);
1010 static int action_luksUUID(int arg __attribute__((unused)))
1012 struct crypt_device *cd = NULL;
1013 const char *existing_uuid = NULL;
1016 if ((r = crypt_init(&cd, action_argv[0])))
1019 crypt_set_confirm_callback(cd, yesDialog, NULL);
1021 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1025 r = crypt_set_uuid(cd, opt_uuid);
1027 existing_uuid = crypt_get_uuid(cd);
1028 log_std("%s\n", existing_uuid ?: "");
1029 r = existing_uuid ? 0 : 1;
1036 static int luksDump_with_volume_key(struct crypt_device *cd)
1038 char *vk = NULL, *password = NULL;
1039 size_t passwordLen = 0;
1044 crypt_set_confirm_callback(cd, yesDialog, NULL);
1046 _("LUKS header dump with volume key is sensitive information\n"
1047 "which allows access to encrypted partition without passphrase.\n"
1048 "This dump should be always stored encrypted on safe place."),
1052 vk_size = crypt_get_volume_key_size(cd);
1053 vk = crypt_safe_alloc(vk_size);
1057 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
1058 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1059 opt_timeout, 0, cd);
1063 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
1064 password, passwordLen);
1068 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
1069 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
1070 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
1071 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
1072 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
1073 log_std("MK bits: \t%d\n", (int)vk_size * 8);
1074 log_std("MK dump:\t");
1076 for(i = 0; i < vk_size; i++) {
1079 log_std("%02hhx ", (char)vk[i]);
1084 crypt_safe_free(password);
1085 crypt_safe_free(vk);
1089 static int action_luksDump(int arg __attribute__((unused)))
1091 struct crypt_device *cd = NULL;
1094 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1097 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1100 if (opt_dump_master_key)
1101 r = luksDump_with_volume_key(cd);
1109 static int action_luksSuspend(int arg __attribute__((unused)))
1111 struct crypt_device *cd = NULL;
1114 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
1116 r = crypt_suspend(cd, action_argv[0]);
1122 static int action_luksResume(int arg __attribute__((unused)))
1124 struct crypt_device *cd = NULL;
1127 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1130 crypt_set_timeout(cd, opt_timeout);
1131 crypt_set_password_retry(cd, opt_tries);
1132 crypt_set_password_verify(cd, _verify_passphrase(0));
1135 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1136 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1138 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1145 static int action_luksBackup(int arg __attribute__((unused)))
1147 struct crypt_device *cd = NULL;
1150 if (!opt_header_backup_file) {
1151 log_err(_("Option --header-backup-file is required.\n"));
1155 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1158 crypt_set_confirm_callback(cd, yesDialog, NULL);
1160 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1166 static int action_luksRestore(int arg __attribute__((unused)))
1168 struct crypt_device *cd = NULL;
1171 if (!opt_header_backup_file) {
1172 log_err(_("Option --header-backup-file is required.\n"));
1176 if ((r = crypt_init(&cd, action_argv[0])))
1179 crypt_set_confirm_callback(cd, yesDialog, NULL);
1180 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1186 static void help(poptContext popt_context,
1187 enum poptCallbackReason reason __attribute__((unused)),
1188 struct poptOption *key,
1189 const char *arg __attribute__((unused)),
1190 void *data __attribute__((unused)))
1192 if (key->shortName == '?') {
1193 struct action_type *action;
1195 log_std("%s\n",PACKAGE_STRING);
1197 poptPrintHelp(popt_context, stdout, 0);
1200 "<action> is one of:\n"));
1202 for(action = action_types; action->type; action++)
1203 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1206 "<name> is the device to create under %s\n"
1207 "<device> is the encrypted device\n"
1208 "<key slot> is the LUKS key slot number to modify\n"
1209 "<key file> optional key file for the new key for luksAddKey action\n"),
1212 log_std(_("\nDefault compiled-in key and passphrase parameters:\n"
1213 "\tMaximum keyfile size: %dkB, "
1214 "Maximum interactive passphrase length %d (characters)\n"
1215 "Default PBKDF2 iteration time for LUKS: %d (ms)\n"),
1216 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX,
1217 DEFAULT_LUKS1_ITER_TIME);
1219 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1220 "\tloop-AES: %s, Key %d bits\n"
1221 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1222 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1223 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1224 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1225 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1229 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1232 static int run_action(struct action_type *action)
1236 log_dbg("Running command %s.", action->type);
1238 if (action->required_memlock)
1239 crypt_memory_lock(NULL, 1);
1241 r = action->handler(action->arg);
1243 if (action->required_memlock)
1244 crypt_memory_lock(NULL, 0);
1246 /* Some functions returns keyslot # */
1251 return translate_errno(r);
1254 int main(int argc, const char **argv)
1256 static char *popt_tmp;
1257 static struct poptOption popt_help_options[] = {
1258 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1259 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1260 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1263 static struct poptOption popt_options[] = {
1264 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1265 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1266 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1267 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1268 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1269 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1270 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1271 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 5, N_("Read the key from a file."), NULL },
1272 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1273 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1274 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1275 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1276 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1277 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1278 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1279 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1280 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1281 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1282 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1283 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1284 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1285 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1286 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1287 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1288 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1289 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1290 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1291 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1292 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1293 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1294 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1295 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1296 { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
1297 { "hidden", '\0', POPT_ARG_NONE, &opt_hidden, 0, N_("Use hidden header (hiden TCRYPT device) ."), NULL },
1300 poptContext popt_context;
1301 struct action_type *action;
1305 crypt_set_log_callback(NULL, tool_log, NULL);
1307 setlocale(LC_ALL, "");
1308 bindtextdomain(PACKAGE, LOCALEDIR);
1309 textdomain(PACKAGE);
1311 crypt_fips_self_check(NULL);
1313 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1314 poptSetOtherOptionHelp(popt_context,
1315 _("[OPTION...] <action> <action-specific>"));
1317 while((r = poptGetNextOpt(popt_context)) > 0) {
1318 unsigned long long ull_value;
1322 if (opt_keyfiles_count < MAX_KEYFILES)
1323 opt_keyfiles[opt_keyfiles_count++] = poptGetOptArg(popt_context);
1328 ull_value = strtoull(popt_tmp, &endp, 0);
1329 if (*endp || !*popt_tmp ||
1330 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1331 (errno != 0 && ull_value == 0))
1332 r = POPT_ERROR_BADNUMBER;
1336 opt_size = ull_value;
1339 opt_offset = ull_value;
1342 opt_skip = ull_value;
1352 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1353 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1354 if (opt_version_mode) {
1355 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1356 poptFreeContext(popt_context);
1360 if (!(aname = poptGetArg(popt_context)))
1361 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1362 poptGetInvocationName(popt_context));
1363 for(action = action_types; action->type; action++)
1364 if (strcmp(action->type, aname) == 0)
1367 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1368 poptGetInvocationName(popt_context));
1371 action_argv = poptGetArgs(popt_context);
1372 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1374 action_argv = null_action_argv;
1376 /* Count args, somewhat unnice, change? */
1377 while(action_argv[action_argc] != NULL)
1380 if(action_argc < action->required_action_argc) {
1382 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1383 usage(popt_context, EXIT_FAILURE, buf,
1384 poptGetInvocationName(popt_context));
1387 /* FIXME: rewrite this from scratch */
1389 if (opt_shared && strcmp(aname, "create"))
1390 usage(popt_context, EXIT_FAILURE,
1391 _("Option --shared is allowed only for create operation.\n"),
1392 poptGetInvocationName(popt_context));
1394 if (opt_allow_discards &&
1395 strcmp(aname, "luksOpen") &&
1396 strcmp(aname, "create") &&
1397 strcmp(aname, "loopaesOpen"))
1398 usage(popt_context, EXIT_FAILURE,
1399 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1400 poptGetInvocationName(popt_context));
1403 strcmp(aname, "luksFormat") &&
1404 strcmp(aname, "create") &&
1405 strcmp(aname, "loopaesOpen") &&
1406 strcmp(aname, "benchmark"))
1407 usage(popt_context, EXIT_FAILURE,
1408 _("Option --key-size is allowed only for luksFormat, create, loopaesOpen and benchmark.\n"
1409 "To limit read from keyfile use --keyfile-size=(bytes)."),
1410 poptGetInvocationName(popt_context));
1412 if (opt_test_passphrase &&
1413 strcmp(aname, "luksOpen") &&
1414 strcmp(aname, "tcryptOpen"))
1415 usage(popt_context, EXIT_FAILURE,
1416 _("Option --test-passphrase is allowed only for luksOpen and tcryptOpen.\n"),
1417 poptGetInvocationName(popt_context));
1419 if (opt_key_size % 8)
1420 usage(popt_context, EXIT_FAILURE,
1421 _("Key size must be a multiple of 8 bits"),
1422 poptGetInvocationName(popt_context));
1424 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1425 opt_key_slot = atoi(action_argv[1]);
1426 if (opt_key_slot != CRYPT_ANY_SLOT &&
1427 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1428 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1429 poptGetInvocationName(popt_context));
1431 if ((!strcmp(aname, "luksRemoveKey") ||
1432 !strcmp(aname, "luksFormat")) &&
1435 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1437 opt_key_file = action_argv[1];
1440 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1441 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0)
1442 usage(popt_context, EXIT_FAILURE,
1443 _("Negative number for option not permitted."),
1444 poptGetInvocationName(popt_context));
1446 if (opt_random && opt_urandom)
1447 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1448 poptGetInvocationName(popt_context));
1450 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1451 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1452 poptGetInvocationName(popt_context));
1454 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1455 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1456 poptGetInvocationName(popt_context));
1458 if (opt_align_payload && strcmp(aname, "luksFormat"))
1459 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1460 poptGetInvocationName(popt_context));
1462 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1463 usage(popt_context, EXIT_FAILURE,
1464 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1465 poptGetInvocationName(popt_context));
1467 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1468 usage(popt_context, EXIT_FAILURE,
1469 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1470 poptGetInvocationName(popt_context));
1472 if (opt_hidden && strcmp(aname, "tcryptOpen") && strcmp(aname, "tcryptDump"))
1473 usage(popt_context, EXIT_FAILURE,
1474 _("Option --hidden is supported only for TCRYPT commands.\n"),
1475 poptGetInvocationName(popt_context));
1479 crypt_set_debug_level(-1);
1480 dbg_version_and_cmd(argc, argv);
1483 r = run_action(action);
1484 poptFreeContext(popt_context);