2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "cryptsetup.h"
24 static const char *opt_cipher = NULL;
25 static const char *opt_hash = NULL;
26 static int opt_verify_passphrase = 0;
28 static const char *opt_key_file = NULL;
29 static int opt_keyfiles_count = 0;
30 static const char *opt_keyfiles[MAX_KEYFILES];
32 static const char *opt_master_key_file = NULL;
33 static const char *opt_header_backup_file = NULL;
34 static const char *opt_uuid = NULL;
35 static const char *opt_header_device = NULL;
36 static int opt_key_size = 0;
37 static long opt_keyfile_size = 0;
38 static long opt_new_keyfile_size = 0;
39 static long opt_keyfile_offset = 0;
40 static long opt_new_keyfile_offset = 0;
41 static int opt_key_slot = CRYPT_ANY_SLOT;
42 static uint64_t opt_size = 0;
43 static uint64_t opt_offset = 0;
44 static uint64_t opt_skip = 0;
45 static int opt_skip_valid = 0;
46 static int opt_readonly = 0;
47 static int opt_iteration_time = DEFAULT_LUKS1_ITER_TIME;
48 static int opt_version_mode = 0;
49 static int opt_timeout = 0;
50 static int opt_tries = 3;
51 static int opt_align_payload = 0;
52 static int opt_random = 0;
53 static int opt_urandom = 0;
54 static int opt_dump_master_key = 0;
55 static int opt_shared = 0;
56 static int opt_allow_discards = 0;
57 static int opt_test_passphrase = 0;
58 static int opt_hidden = 0;
60 static const char **action_argv;
61 static int action_argc;
62 static const char *null_action_argv[] = {NULL, NULL};
64 static int action_create(int arg);
65 static int action_remove(int arg);
66 static int action_resize(int arg);
67 static int action_status(int arg);
68 static int action_benchmark(int arg);
69 static int action_luksFormat(int arg);
70 static int action_luksOpen(int arg);
71 static int action_luksAddKey(int arg);
72 static int action_luksKillSlot(int arg);
73 static int action_luksRemoveKey(int arg);
74 static int action_luksChangeKey(int arg);
75 static int action_isLuks(int arg);
76 static int action_luksUUID(int arg);
77 static int action_luksDump(int arg);
78 static int action_luksSuspend(int arg);
79 static int action_luksResume(int arg);
80 static int action_luksBackup(int arg);
81 static int action_luksRestore(int arg);
82 static int action_loopaesOpen(int arg);
83 static int action_luksRepair(int arg);
84 static int action_tcryptOpen(int arg);
85 static int action_tcryptDump(int arg);
87 static struct action_type {
91 int required_action_argc;
96 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
97 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
98 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
99 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
100 { "benchmark", action_benchmark, 0, 0, 0, N_("<name>"), N_("benchmark cipher") },
101 { "repair", action_luksRepair, 0, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
102 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
103 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
104 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
105 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
106 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
107 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
108 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
109 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
110 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
111 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
112 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
113 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
114 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
115 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
116 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
117 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
118 { "tcryptOpen", action_tcryptOpen, 0, 2, 1, N_("<device> <name> "), N_("open TCRYPT device as mapping <name>") },
119 { "tcryptDump", action_tcryptDump, 0, 1, 1, N_("<device>"), N_("dump TCRYPT device information") },
120 { NULL, NULL, 0, 0, 0, NULL, NULL }
123 static int _verify_passphrase(int def)
125 /* Batch mode switch off verify - if not overrided by -y */
126 if (opt_verify_passphrase)
128 else if (opt_batch_mode)
131 /* Non-tty input doesn't allow verify */
132 if (def && !isatty(STDIN_FILENO)) {
133 if (opt_verify_passphrase)
134 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
141 static int action_create(int arg __attribute__((unused)))
143 struct crypt_device *cd = NULL;
144 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
145 struct crypt_params_plain params = {
146 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
148 .offset = opt_offset,
151 char *password = NULL;
153 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
154 uint32_t activate_flags = 0;
157 if (params.hash && !strcmp(params.hash, "plain"))
160 /* FIXME: temporary hack */
161 if (opt_key_file && strcmp(opt_key_file, "-"))
164 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
165 log_std(("Ignoring keyfile offset and size options, keyfile read "
166 "size is always the same as encryption key size.\n"));
168 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
169 cipher, NULL, cipher_mode);
171 log_err("No known cipher specification pattern detected.\n");
175 if ((r = crypt_init(&cd, action_argv[1])))
178 crypt_set_timeout(cd, opt_timeout);
179 crypt_set_password_retry(cd, opt_tries);
181 r = crypt_format(cd, CRYPT_PLAIN,
190 activate_flags |= CRYPT_ACTIVATE_READONLY;
193 activate_flags |= CRYPT_ACTIVATE_SHARED;
195 if (opt_allow_discards)
196 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
199 /* With hashing, read the whole keyfile */
200 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
201 CRYPT_ANY_SLOT, opt_key_file,
202 params.hash ? 0 : key_size, 0,
205 r = crypt_get_key(_("Enter passphrase: "),
206 &password, &passwordLen,
207 opt_keyfile_offset, opt_keyfile_size,
209 _verify_passphrase(0),
214 r = crypt_activate_by_passphrase(cd, action_argv[0],
215 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
219 crypt_safe_free(password);
224 static int action_loopaesOpen(int arg __attribute__((unused)))
226 struct crypt_device *cd = NULL;
227 struct crypt_params_loopaes params = {
228 .hash = opt_hash ?: NULL,
229 .offset = opt_offset,
230 .skip = opt_skip_valid ? opt_skip : opt_offset,
232 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
233 uint32_t activate_flags = 0;
237 log_err(_("Option --key-file is required.\n"));
242 activate_flags |= CRYPT_ACTIVATE_READONLY;
244 if (opt_allow_discards)
245 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
247 if ((r = crypt_init(&cd, action_argv[0])))
250 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
251 NULL, NULL, NULL, key_size, ¶ms);
255 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
256 opt_key_file, opt_keyfile_size,
257 opt_keyfile_size, activate_flags);
264 static int action_tcryptOpen(int arg __attribute__((unused)))
266 struct crypt_device *cd = NULL;
267 struct crypt_params_tcrypt params = {
268 .keyfiles = opt_keyfiles,
269 .keyfiles_count = opt_keyfiles_count,
270 .flags = CRYPT_TCRYPT_LEGACY_MODES,
272 const char *activated_name;
276 activated_name = opt_test_passphrase ? NULL : action_argv[1];
278 if ((r = crypt_init(&cd, action_argv[0])))
281 /* TCRYPT header is encrypted, get passphrase now */
282 r = crypt_get_key(_("Enter passphrase: "),
283 CONST_CAST(char**)¶ms.passphrase,
284 ¶ms.passphrase_size, 0, 0, NULL, opt_timeout,
285 _verify_passphrase(0), cd);
290 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
292 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
297 flags |= CRYPT_ACTIVATE_READONLY;
300 r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, flags);
303 crypt_safe_free(CONST_CAST(char*)params.passphrase);
307 static int action_tcryptDump(int arg __attribute__((unused)))
309 struct crypt_device *cd = NULL;
310 struct crypt_params_tcrypt params = {
311 .keyfiles = opt_keyfiles,
312 .keyfiles_count = opt_keyfiles_count,
313 .flags = CRYPT_TCRYPT_LEGACY_MODES,
317 if ((r = crypt_init(&cd, action_argv[0])))
320 /* TCRYPT header is encrypted, get passphrase now */
321 r = crypt_get_key(_("Enter passphrase: "),
322 CONST_CAST(char**)¶ms.passphrase,
323 ¶ms.passphrase_size, 0, 0, NULL, opt_timeout,
324 _verify_passphrase(0), cd);
329 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
331 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
338 crypt_safe_free(CONST_CAST(char*)params.passphrase);
342 static int action_remove(int arg __attribute__((unused)))
344 struct crypt_device *cd = NULL;
347 r = crypt_init_by_name(&cd, action_argv[0]);
349 r = crypt_deactivate(cd, action_argv[0]);
355 static int action_resize(int arg __attribute__((unused)))
357 struct crypt_device *cd = NULL;
360 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
362 r = crypt_resize(cd, action_argv[0], opt_size);
368 static int action_status(int arg __attribute__((unused)))
370 crypt_status_info ci;
371 struct crypt_active_device cad;
372 struct crypt_device *cd = NULL;
378 /* perhaps a path, not a dm device name */
379 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
382 ci = crypt_status(NULL, action_argv[0]);
389 log_std("%s is inactive.\n", action_argv[0]);
391 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
397 log_std("%s is active%s.\n", action_argv[0],
398 ci == CRYPT_BUSY ? " and is in use" : "");
400 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
401 ci == CRYPT_BUSY ? " and is in use" : "");
403 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
404 if (r < 0 || !crypt_get_type(cd))
407 log_std(" type: %s\n", crypt_get_type(cd));
409 r = crypt_get_active_device(cd, action_argv[0], &cad);
413 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
414 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
415 device = crypt_get_device_name(cd);
416 log_std(" device: %s\n", device);
417 if (crypt_loop_device(device)) {
418 backing_file = crypt_loop_backing_file(device);
419 log_std(" loop: %s\n", backing_file);
422 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
423 log_std(" size: %" PRIu64 " sectors\n", cad.size);
425 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
426 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
427 "readonly" : "read/write");
428 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
429 log_std(" flags: discards\n");
438 static int action_benchmark(int arg __attribute__((unused)))
446 { "aes", "cbc", 16, 16 },
447 { "serpent", "cbc", 16, 16 },
448 { "twofish", "cbc", 16, 16 },
449 { "aes", "cbc", 32, 16 },
450 { "serpent", "cbc", 32, 16 },
451 { "twofish", "cbc", 32, 16 },
452 { "aes", "xts", 32, 16 },
453 { "serpent", "xts", 32, 16 },
454 { "twofish", "xts", 32, 16 },
455 { "aes", "xts", 64, 16 },
456 { "serpent", "xts", 64, 16 },
457 { "twofish", "xts", 64, 16 },
460 char *header = "# Tests are approximate using memory only (no storage IO).\n"
461 "# Algorithm | Key | Encryption | Decryption\n";
462 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
463 double enc_mbr = 0, dec_mbr = 0;
464 int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS);
465 int iv_size = 16, skipped = 0;
466 int buffer_size = 1024 * 1024;
471 r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
473 log_err(_("No known cipher specification pattern detected.\n"));
476 if ((c = strchr(cipher_mode, '-')))
479 /* FIXME: not really clever :) */
480 if (strstr(cipher, "des"))
483 r = crypt_benchmark(NULL, cipher, cipher_mode,
484 key_size / 8, iv_size, buffer_size,
487 log_std("%s", header);
488 strncat(cipher, "-", MAX_CIPHER_LEN);
489 strncat(cipher, cipher_mode, MAX_CIPHER_LEN);
490 log_std("%11s %4db %5.1f MiB/s %5.1f MiB/s\n",
491 cipher, key_size, enc_mbr, dec_mbr);
492 } else if (r == -ENOENT)
493 log_err(_("Cipher %s is not available.\n"), opt_cipher);
495 for (i = 0; bciphers[i].cipher; i++) {
496 r = crypt_benchmark(NULL, bciphers[i].cipher, bciphers[i].mode,
497 bciphers[i].key_size, bciphers[i].iv_size,
498 buffer_size, &enc_mbr, &dec_mbr);
504 log_std("%s", header);
506 snprintf(cipher, MAX_CIPHER_LEN, "%s-%s",
507 bciphers[i].cipher, bciphers[i].mode);
509 log_std("%11s %4db %5.1f MiB/s %5.1f MiB/s\n",
510 cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr);
512 log_std("%11s %4db %12s %12s\n", cipher,
513 bciphers[i].key_size*8, _("N/A"), _("N/A"));
515 if (skipped && skipped == i)
520 log_err( _("Required kernel crypto interface not available.\n"
521 "Ensure you have algif_skcipher kernel module loaded.\n"));
525 static int _read_mk(const char *file, char **key, int keysize)
529 *key = crypt_safe_alloc(keysize);
533 fd = open(file, O_RDONLY);
535 log_err("Cannot read keyfile %s.\n", file);
538 if ((read(fd, *key, keysize) != keysize)) {
539 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
546 crypt_safe_free(*key);
551 static int action_luksRepair(int arg __attribute__((unused)))
553 struct crypt_device *cd = NULL;
556 if ((r = crypt_init(&cd, action_argv[0])))
559 /* Currently only LUKS1 allows repair */
560 crypt_set_log_callback(cd, quiet_log, NULL);
561 r = crypt_load(cd, CRYPT_LUKS1, NULL);
562 crypt_set_log_callback(cd, tool_log, NULL);
564 log_verbose( _("No known problems detected for LUKS header.\n"));
568 r = yesDialog(_("Really try to repair LUKS device header?"),
571 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
577 static int action_luksFormat(int arg __attribute__((unused)))
579 int r = -EINVAL, keysize;
580 const char *header_device;
581 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
582 char *password = NULL;
584 struct crypt_device *cd = NULL;
585 struct crypt_params_luks1 params = {
586 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
587 .data_alignment = opt_align_payload,
588 .data_device = opt_header_device ? action_argv[0] : NULL,
591 header_device = opt_header_device ?: action_argv[0];
593 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
594 header_device) == -1) {
595 log_err(_("memory allocation error in action_luksFormat"));
599 r = yesDialog(msg, NULL) ? 0 : -EINVAL;
604 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
605 cipher, NULL, cipher_mode);
607 log_err(_("No known cipher specification pattern detected.\n"));
611 if ((r = crypt_init(&cd, header_device))) {
612 if (opt_header_device)
613 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
617 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
619 crypt_set_timeout(cd, opt_timeout);
620 if (opt_iteration_time)
621 crypt_set_iteration_time(cd, opt_iteration_time);
624 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
625 else if (opt_urandom)
626 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
628 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
629 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
630 opt_timeout, _verify_passphrase(1), cd);
634 if (opt_master_key_file) {
635 r = _read_mk(opt_master_key_file, &key, keysize);
640 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
641 opt_uuid, key, keysize, ¶ms);
645 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
647 password, passwordLen);
650 crypt_safe_free(key);
651 crypt_safe_free(password);
656 static int action_luksOpen(int arg __attribute__((unused)))
658 struct crypt_device *cd = NULL;
659 const char *data_device, *header_device, *activated_name;
664 if (opt_header_device) {
665 header_device = uuid_or_device(opt_header_device);
666 data_device = action_argv[0];
668 header_device = uuid_or_device(action_argv[0]);
672 activated_name = opt_test_passphrase ? NULL : action_argv[1];
674 if ((r = crypt_init(&cd, header_device)))
677 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
681 (r = crypt_set_data_device(cd, data_device)))
684 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
685 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
690 crypt_set_timeout(cd, opt_timeout);
691 crypt_set_password_retry(cd, opt_tries);
692 crypt_set_password_verify(cd, _verify_passphrase(0));
694 if (opt_iteration_time)
695 crypt_set_iteration_time(cd, opt_iteration_time);
698 flags |= CRYPT_ACTIVATE_READONLY;
700 if (opt_allow_discards)
701 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
703 if (opt_master_key_file) {
704 keysize = crypt_get_volume_key_size(cd);
705 r = _read_mk(opt_master_key_file, &key, keysize);
708 r = crypt_activate_by_volume_key(cd, activated_name,
709 key, keysize, flags);
710 } else if (opt_key_file) {
711 crypt_set_password_retry(cd, 1);
712 r = crypt_activate_by_keyfile_offset(cd, activated_name,
713 opt_key_slot, opt_key_file, opt_keyfile_size,
714 opt_keyfile_offset, flags);
716 r = crypt_activate_by_passphrase(cd, activated_name,
717 opt_key_slot, NULL, 0, flags);
719 crypt_safe_free(key);
724 static int verify_keyslot(struct crypt_device *cd, int key_slot,
725 char *msg_last, char *msg_pass,
726 const char *key_file, int keyfile_offset,
729 crypt_keyslot_info ki;
730 char *password = NULL;
734 ki = crypt_keyslot_status(cd, key_slot);
735 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !yesDialog(msg_last, NULL))
738 r = crypt_get_key(msg_pass, &password, &passwordLen,
739 keyfile_offset, keyfile_size, key_file, opt_timeout,
740 _verify_passphrase(0), cd);
744 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
745 /* check the last keyslot */
746 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
747 password, passwordLen, 0);
749 /* try all other keyslots */
750 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
753 ki = crypt_keyslot_status(cd, key_slot);
754 if (ki == CRYPT_SLOT_ACTIVE)
755 r = crypt_activate_by_passphrase(cd, NULL, i,
756 password, passwordLen, 0);
763 log_err(_("No key available with this passphrase.\n"));
765 crypt_safe_free(password);
769 static int action_luksKillSlot(int arg __attribute__((unused)))
771 struct crypt_device *cd = NULL;
774 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
777 crypt_set_confirm_callback(cd, yesDialog, NULL);
778 crypt_set_timeout(cd, opt_timeout);
780 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
783 switch (crypt_keyslot_status(cd, opt_key_slot)) {
784 case CRYPT_SLOT_ACTIVE_LAST:
785 case CRYPT_SLOT_ACTIVE:
786 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
788 case CRYPT_SLOT_INACTIVE:
789 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
790 case CRYPT_SLOT_INVALID:
795 if (!opt_batch_mode) {
796 r = verify_keyslot(cd, opt_key_slot,
797 _("This is the last keyslot. Device will become unusable after purging this key."),
798 _("Enter any remaining LUKS passphrase: "),
799 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
804 r = crypt_keyslot_destroy(cd, opt_key_slot);
810 static int action_luksRemoveKey(int arg __attribute__((unused)))
812 struct crypt_device *cd = NULL;
813 char *password = NULL;
817 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
820 crypt_set_confirm_callback(cd, yesDialog, NULL);
821 crypt_set_timeout(cd, opt_timeout);
823 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
826 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
827 &password, &passwordLen,
828 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
830 _verify_passphrase(0),
835 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
836 password, passwordLen, 0);
841 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
843 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
844 !yesDialog(_("This is the last keyslot. "
845 "Device will become unusable after purging this key."),
851 r = crypt_keyslot_destroy(cd, opt_key_slot);
853 crypt_safe_free(password);
858 static int action_luksAddKey(int arg __attribute__((unused)))
860 int r = -EINVAL, keysize = 0;
862 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
863 struct crypt_device *cd = NULL;
865 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
868 crypt_set_confirm_callback(cd, yesDialog, NULL);
870 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
873 keysize = crypt_get_volume_key_size(cd);
874 /* FIXME: lib cannot properly set verification for new/old passphrase */
875 crypt_set_password_verify(cd, _verify_passphrase(0));
876 crypt_set_timeout(cd, opt_timeout);
877 if (opt_iteration_time)
878 crypt_set_iteration_time(cd, opt_iteration_time);
880 if (opt_master_key_file) {
881 r = _read_mk(opt_master_key_file, &key, keysize);
884 //FIXME: process keyfile arg
885 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
886 key, keysize, NULL, 0);
887 } else if (opt_key_file || opt_new_key_file) {
888 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
889 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
890 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
892 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
897 crypt_safe_free(key);
901 static int _slots_full(struct crypt_device *cd)
905 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
906 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
911 static int action_luksChangeKey(int arg __attribute__((unused)))
913 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
914 struct crypt_device *cd = NULL;
915 char *vk = NULL, *password = NULL;
916 size_t passwordLen = 0;
918 int new_key_slot, old_key_slot, r;
920 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
923 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
926 if (opt_iteration_time)
927 crypt_set_iteration_time(cd, opt_iteration_time);
929 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
930 &password, &passwordLen,
931 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
932 opt_timeout, _verify_passphrase(0), cd);
936 vk_size = crypt_get_volume_key_size(cd);
937 vk = crypt_safe_alloc(vk_size);
943 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
944 password, passwordLen);
946 if (opt_key_slot != CRYPT_ANY_SLOT)
947 log_err(_("No key available with this passphrase.\n"));
951 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
952 log_dbg("Key slot %d is going to be overwritten (%s).",
953 r, opt_key_slot != CRYPT_ANY_SLOT ?
954 "explicit key slot specified" : "no free key slot");
958 log_dbg("Allocating new key slot.");
960 new_key_slot = CRYPT_ANY_SLOT;
963 crypt_safe_free(password);
966 r = crypt_get_key(_("Enter new LUKS passphrase: "),
967 &password, &passwordLen,
968 opt_new_keyfile_offset, opt_new_keyfile_size,
970 opt_timeout, _verify_passphrase(0), cd);
974 if (new_key_slot == old_key_slot) {
975 (void)crypt_keyslot_destroy(cd, old_key_slot);
976 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
978 password, passwordLen);
980 log_verbose(_("Key slot %d changed.\n"), r);
982 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
984 password, passwordLen);
986 log_verbose(_("Replaced with key slot %d.\n"), r);
987 r = crypt_keyslot_destroy(cd, old_key_slot);
991 log_err(_("Failed to swap new key slot.\n"));
994 crypt_safe_free(password);
999 static int action_isLuks(int arg __attribute__((unused)))
1001 struct crypt_device *cd = NULL;
1004 if ((r = crypt_init(&cd, action_argv[0])))
1007 crypt_set_log_callback(cd, quiet_log, NULL);
1008 r = crypt_load(cd, CRYPT_LUKS1, NULL);
1014 static int action_luksUUID(int arg __attribute__((unused)))
1016 struct crypt_device *cd = NULL;
1017 const char *existing_uuid = NULL;
1020 if ((r = crypt_init(&cd, action_argv[0])))
1023 crypt_set_confirm_callback(cd, yesDialog, NULL);
1025 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1029 r = crypt_set_uuid(cd, opt_uuid);
1031 existing_uuid = crypt_get_uuid(cd);
1032 log_std("%s\n", existing_uuid ?: "");
1033 r = existing_uuid ? 0 : 1;
1040 static int luksDump_with_volume_key(struct crypt_device *cd)
1042 char *vk = NULL, *password = NULL;
1043 size_t passwordLen = 0;
1048 crypt_set_confirm_callback(cd, yesDialog, NULL);
1050 _("LUKS header dump with volume key is sensitive information\n"
1051 "which allows access to encrypted partition without passphrase.\n"
1052 "This dump should be always stored encrypted on safe place."),
1056 vk_size = crypt_get_volume_key_size(cd);
1057 vk = crypt_safe_alloc(vk_size);
1061 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
1062 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1063 opt_timeout, 0, cd);
1067 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
1068 password, passwordLen);
1072 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
1073 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
1074 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
1075 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
1076 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
1077 log_std("MK bits: \t%d\n", (int)vk_size * 8);
1078 log_std("MK dump:\t");
1080 for(i = 0; i < vk_size; i++) {
1083 log_std("%02hhx ", (char)vk[i]);
1088 crypt_safe_free(password);
1089 crypt_safe_free(vk);
1093 static int action_luksDump(int arg __attribute__((unused)))
1095 struct crypt_device *cd = NULL;
1098 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1101 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1104 if (opt_dump_master_key)
1105 r = luksDump_with_volume_key(cd);
1113 static int action_luksSuspend(int arg __attribute__((unused)))
1115 struct crypt_device *cd = NULL;
1118 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
1120 r = crypt_suspend(cd, action_argv[0]);
1126 static int action_luksResume(int arg __attribute__((unused)))
1128 struct crypt_device *cd = NULL;
1131 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1134 crypt_set_timeout(cd, opt_timeout);
1135 crypt_set_password_retry(cd, opt_tries);
1136 crypt_set_password_verify(cd, _verify_passphrase(0));
1139 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1140 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1142 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1149 static int action_luksBackup(int arg __attribute__((unused)))
1151 struct crypt_device *cd = NULL;
1154 if (!opt_header_backup_file) {
1155 log_err(_("Option --header-backup-file is required.\n"));
1159 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1162 crypt_set_confirm_callback(cd, yesDialog, NULL);
1164 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1170 static int action_luksRestore(int arg __attribute__((unused)))
1172 struct crypt_device *cd = NULL;
1175 if (!opt_header_backup_file) {
1176 log_err(_("Option --header-backup-file is required.\n"));
1180 if ((r = crypt_init(&cd, action_argv[0])))
1183 crypt_set_confirm_callback(cd, yesDialog, NULL);
1184 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1190 static void help(poptContext popt_context,
1191 enum poptCallbackReason reason __attribute__((unused)),
1192 struct poptOption *key,
1193 const char *arg __attribute__((unused)),
1194 void *data __attribute__((unused)))
1196 if (key->shortName == '?') {
1197 struct action_type *action;
1199 log_std("%s\n",PACKAGE_STRING);
1201 poptPrintHelp(popt_context, stdout, 0);
1204 "<action> is one of:\n"));
1206 for(action = action_types; action->type; action++)
1207 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1210 "<name> is the device to create under %s\n"
1211 "<device> is the encrypted device\n"
1212 "<key slot> is the LUKS key slot number to modify\n"
1213 "<key file> optional key file for the new key for luksAddKey action\n"),
1216 log_std(_("\nDefault compiled-in key and passphrase parameters:\n"
1217 "\tMaximum keyfile size: %dkB, "
1218 "Maximum interactive passphrase length %d (characters)\n"
1219 "Default PBKDF2 iteration time for LUKS: %d (ms)\n"),
1220 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX,
1221 DEFAULT_LUKS1_ITER_TIME);
1223 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1224 "\tloop-AES: %s, Key %d bits\n"
1225 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1226 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1227 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1228 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1229 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1233 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1236 static int run_action(struct action_type *action)
1240 log_dbg("Running command %s.", action->type);
1242 if (action->required_memlock)
1243 crypt_memory_lock(NULL, 1);
1245 r = action->handler(action->arg);
1247 if (action->required_memlock)
1248 crypt_memory_lock(NULL, 0);
1250 /* Some functions returns keyslot # */
1255 return translate_errno(r);
1258 int main(int argc, const char **argv)
1260 static char *popt_tmp;
1261 static struct poptOption popt_help_options[] = {
1262 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1263 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1264 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1267 static struct poptOption popt_options[] = {
1268 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1269 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1270 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1271 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1272 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1273 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1274 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1275 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 5, N_("Read the key from a file."), NULL },
1276 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1277 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1278 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1279 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1280 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1281 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1282 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1283 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1284 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1285 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1286 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1287 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1288 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1289 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1290 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1291 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1292 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1293 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1294 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1295 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1296 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1297 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1298 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1299 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1300 { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
1301 { "hidden", '\0', POPT_ARG_NONE, &opt_hidden, 0, N_("Use hidden header (hiden TCRYPT device) ."), NULL },
1304 poptContext popt_context;
1305 struct action_type *action;
1309 crypt_set_log_callback(NULL, tool_log, NULL);
1311 setlocale(LC_ALL, "");
1312 bindtextdomain(PACKAGE, LOCALEDIR);
1313 textdomain(PACKAGE);
1315 crypt_fips_self_check(NULL);
1317 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1318 poptSetOtherOptionHelp(popt_context,
1319 _("[OPTION...] <action> <action-specific>"));
1321 while((r = poptGetNextOpt(popt_context)) > 0) {
1322 unsigned long long ull_value;
1326 if (opt_keyfiles_count < MAX_KEYFILES)
1327 opt_keyfiles[opt_keyfiles_count++] = poptGetOptArg(popt_context);
1332 ull_value = strtoull(popt_tmp, &endp, 0);
1333 if (*endp || !*popt_tmp ||
1334 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1335 (errno != 0 && ull_value == 0))
1336 r = POPT_ERROR_BADNUMBER;
1340 opt_size = ull_value;
1343 opt_offset = ull_value;
1346 opt_skip = ull_value;
1356 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1357 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1358 if (opt_version_mode) {
1359 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1360 poptFreeContext(popt_context);
1364 if (!(aname = poptGetArg(popt_context)))
1365 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1366 poptGetInvocationName(popt_context));
1367 for(action = action_types; action->type; action++)
1368 if (strcmp(action->type, aname) == 0)
1371 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1372 poptGetInvocationName(popt_context));
1375 action_argv = poptGetArgs(popt_context);
1376 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1378 action_argv = null_action_argv;
1380 /* Count args, somewhat unnice, change? */
1381 while(action_argv[action_argc] != NULL)
1384 if(action_argc < action->required_action_argc) {
1386 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1387 usage(popt_context, EXIT_FAILURE, buf,
1388 poptGetInvocationName(popt_context));
1391 /* FIXME: rewrite this from scratch */
1393 if (opt_shared && strcmp(aname, "create"))
1394 usage(popt_context, EXIT_FAILURE,
1395 _("Option --shared is allowed only for create operation.\n"),
1396 poptGetInvocationName(popt_context));
1398 if (opt_allow_discards &&
1399 strcmp(aname, "luksOpen") &&
1400 strcmp(aname, "create") &&
1401 strcmp(aname, "loopaesOpen"))
1402 usage(popt_context, EXIT_FAILURE,
1403 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1404 poptGetInvocationName(popt_context));
1407 strcmp(aname, "luksFormat") &&
1408 strcmp(aname, "create") &&
1409 strcmp(aname, "loopaesOpen") &&
1410 strcmp(aname, "benchmark"))
1411 usage(popt_context, EXIT_FAILURE,
1412 _("Option --key-size is allowed only for luksFormat, create, loopaesOpen and benchmark.\n"
1413 "To limit read from keyfile use --keyfile-size=(bytes)."),
1414 poptGetInvocationName(popt_context));
1416 if (opt_test_passphrase &&
1417 strcmp(aname, "luksOpen") &&
1418 strcmp(aname, "tcryptOpen"))
1419 usage(popt_context, EXIT_FAILURE,
1420 _("Option --test-passphrase is allowed only for luksOpen and tcryptOpen.\n"),
1421 poptGetInvocationName(popt_context));
1423 if (opt_key_size % 8)
1424 usage(popt_context, EXIT_FAILURE,
1425 _("Key size must be a multiple of 8 bits"),
1426 poptGetInvocationName(popt_context));
1428 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1429 opt_key_slot = atoi(action_argv[1]);
1430 if (opt_key_slot != CRYPT_ANY_SLOT &&
1431 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1432 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1433 poptGetInvocationName(popt_context));
1435 if ((!strcmp(aname, "luksRemoveKey") ||
1436 !strcmp(aname, "luksFormat")) &&
1439 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1441 opt_key_file = action_argv[1];
1444 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1445 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0)
1446 usage(popt_context, EXIT_FAILURE,
1447 _("Negative number for option not permitted."),
1448 poptGetInvocationName(popt_context));
1450 if (opt_random && opt_urandom)
1451 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1452 poptGetInvocationName(popt_context));
1454 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1455 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1456 poptGetInvocationName(popt_context));
1458 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1459 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1460 poptGetInvocationName(popt_context));
1462 if (opt_align_payload && strcmp(aname, "luksFormat"))
1463 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1464 poptGetInvocationName(popt_context));
1466 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1467 usage(popt_context, EXIT_FAILURE,
1468 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1469 poptGetInvocationName(popt_context));
1471 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1472 usage(popt_context, EXIT_FAILURE,
1473 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1474 poptGetInvocationName(popt_context));
1476 if (opt_hidden && strcmp(aname, "tcryptOpen") && strcmp(aname, "tcryptDump"))
1477 usage(popt_context, EXIT_FAILURE,
1478 _("Option --hidden is supported only for TCRYPT commands.\n"),
1479 poptGetInvocationName(popt_context));
1483 crypt_set_debug_level(-1);
1484 dbg_version_and_cmd(argc, argv);
1487 r = run_action(action);
1488 poptFreeContext(popt_context);