2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "cryptsetup.h"
24 static const char *opt_cipher = NULL;
25 static const char *opt_hash = NULL;
26 static int opt_verify_passphrase = 0;
28 static const char *opt_key_file = NULL;
29 static int opt_keyfiles_count = 0;
30 static const char *opt_keyfiles[MAX_KEYFILES];
32 static const char *opt_master_key_file = NULL;
33 static const char *opt_header_backup_file = NULL;
34 static const char *opt_uuid = NULL;
35 static const char *opt_header_device = NULL;
36 static int opt_key_size = 0;
37 static long opt_keyfile_size = 0;
38 static long opt_new_keyfile_size = 0;
39 static long opt_keyfile_offset = 0;
40 static long opt_new_keyfile_offset = 0;
41 static int opt_key_slot = CRYPT_ANY_SLOT;
42 static uint64_t opt_size = 0;
43 static uint64_t opt_offset = 0;
44 static uint64_t opt_skip = 0;
45 static int opt_skip_valid = 0;
46 static int opt_readonly = 0;
47 static int opt_iteration_time = DEFAULT_LUKS1_ITER_TIME;
48 static int opt_version_mode = 0;
49 static int opt_timeout = 0;
50 static int opt_tries = 3;
51 static int opt_align_payload = 0;
52 static int opt_random = 0;
53 static int opt_urandom = 0;
54 static int opt_dump_master_key = 0;
55 static int opt_shared = 0;
56 static int opt_allow_discards = 0;
57 static int opt_test_passphrase = 0;
58 static int opt_hidden = 0;
60 static const char **action_argv;
61 static int action_argc;
62 static const char *null_action_argv[] = {NULL, NULL};
64 static int action_create(int arg);
65 static int action_remove(int arg);
66 static int action_resize(int arg);
67 static int action_status(int arg);
68 static int action_benchmark(int arg);
69 static int action_luksFormat(int arg);
70 static int action_luksOpen(int arg);
71 static int action_luksAddKey(int arg);
72 static int action_luksKillSlot(int arg);
73 static int action_luksRemoveKey(int arg);
74 static int action_luksChangeKey(int arg);
75 static int action_isLuks(int arg);
76 static int action_luksUUID(int arg);
77 static int action_luksDump(int arg);
78 static int action_luksSuspend(int arg);
79 static int action_luksResume(int arg);
80 static int action_luksBackup(int arg);
81 static int action_luksRestore(int arg);
82 static int action_loopaesOpen(int arg);
83 static int action_luksRepair(int arg);
84 static int action_tcryptOpen(int arg);
85 static int action_tcryptDump(int arg);
87 static struct action_type {
91 int required_action_argc;
96 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
97 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
98 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
99 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
100 { "benchmark", action_benchmark, 0, 0, 0, N_("<name>"), N_("benchmark cipher") },
101 { "repair", action_luksRepair, 0, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
102 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
103 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
104 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
105 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
106 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
107 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
108 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
109 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
110 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
111 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
112 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
113 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
114 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
115 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
116 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
117 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
118 { "tcryptOpen", action_tcryptOpen, 0, 2, 1, N_("<device> <name> "), N_("open TCRYPT device as mapping <name>") },
119 { "tcryptDump", action_tcryptDump, 0, 1, 1, N_("<device>"), N_("dump TCRYPT device information") },
120 { NULL, NULL, 0, 0, 0, NULL, NULL }
123 static int _verify_passphrase(int def)
125 /* Batch mode switch off verify - if not overrided by -y */
126 if (opt_verify_passphrase)
128 else if (opt_batch_mode)
131 /* Non-tty input doesn't allow verify */
132 if (def && !isatty(STDIN_FILENO)) {
133 if (opt_verify_passphrase)
134 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
141 static int action_create(int arg __attribute__((unused)))
143 struct crypt_device *cd = NULL;
144 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
145 struct crypt_params_plain params = {
146 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
148 .offset = opt_offset,
151 char *password = NULL;
153 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
154 uint32_t activate_flags = 0;
157 if (params.hash && !strcmp(params.hash, "plain"))
160 /* FIXME: temporary hack */
161 if (opt_key_file && strcmp(opt_key_file, "-"))
164 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
165 log_std(("Ignoring keyfile offset and size options, keyfile read "
166 "size is always the same as encryption key size.\n"));
168 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
169 cipher, NULL, cipher_mode);
171 log_err("No known cipher specification pattern detected.\n");
175 if ((r = crypt_init(&cd, action_argv[1])))
178 crypt_set_timeout(cd, opt_timeout);
179 crypt_set_password_retry(cd, opt_tries);
181 r = crypt_format(cd, CRYPT_PLAIN,
190 activate_flags |= CRYPT_ACTIVATE_READONLY;
193 activate_flags |= CRYPT_ACTIVATE_SHARED;
195 if (opt_allow_discards)
196 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
199 /* With hashing, read the whole keyfile */
200 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
201 CRYPT_ANY_SLOT, opt_key_file,
202 params.hash ? 0 : key_size, 0,
205 r = crypt_get_key(_("Enter passphrase: "),
206 &password, &passwordLen,
207 opt_keyfile_offset, opt_keyfile_size,
209 _verify_passphrase(0),
214 r = crypt_activate_by_passphrase(cd, action_argv[0],
215 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
219 crypt_safe_free(password);
224 static int action_loopaesOpen(int arg __attribute__((unused)))
226 struct crypt_device *cd = NULL;
227 struct crypt_params_loopaes params = {
228 .hash = opt_hash ?: NULL,
229 .offset = opt_offset,
230 .skip = opt_skip_valid ? opt_skip : opt_offset,
232 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
233 uint32_t activate_flags = 0;
237 log_err(_("Option --key-file is required.\n"));
242 activate_flags |= CRYPT_ACTIVATE_READONLY;
244 if (opt_allow_discards)
245 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
247 if ((r = crypt_init(&cd, action_argv[0])))
250 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
251 NULL, NULL, NULL, key_size, ¶ms);
255 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
256 opt_key_file, opt_keyfile_size,
257 opt_keyfile_size, activate_flags);
264 static int action_tcryptOpen(int arg __attribute__((unused)))
266 struct crypt_device *cd = NULL;
267 struct crypt_params_tcrypt params = {
268 .keyfiles = opt_keyfiles,
269 .keyfiles_count = opt_keyfiles_count,
270 .flags = CRYPT_TCRYPT_LEGACY_MODES,
272 const char *activated_name;
276 activated_name = opt_test_passphrase ? NULL : action_argv[1];
278 if ((r = crypt_init(&cd, action_argv[0])))
281 /* TCRYPT header is encrypted, get passphrase now */
282 r = crypt_get_key(_("Enter passphrase: "),
283 CONST_CAST(char**)¶ms.passphrase,
284 ¶ms.passphrase_size, 0, 0, NULL, opt_timeout,
285 _verify_passphrase(0), cd);
290 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
292 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
297 flags |= CRYPT_ACTIVATE_READONLY;
300 r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, flags);
303 crypt_safe_free(CONST_CAST(char*)params.passphrase);
307 static int action_tcryptDump(int arg __attribute__((unused)))
309 struct crypt_device *cd = NULL;
310 struct crypt_params_tcrypt params = {
311 .keyfiles = opt_keyfiles,
312 .keyfiles_count = opt_keyfiles_count,
313 .flags = CRYPT_TCRYPT_LEGACY_MODES,
317 if ((r = crypt_init(&cd, action_argv[0])))
320 /* TCRYPT header is encrypted, get passphrase now */
321 r = crypt_get_key(_("Enter passphrase: "),
322 CONST_CAST(char**)¶ms.passphrase,
323 ¶ms.passphrase_size, 0, 0, NULL, opt_timeout,
324 _verify_passphrase(0), cd);
329 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
331 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
338 crypt_safe_free(CONST_CAST(char*)params.passphrase);
342 static int action_remove(int arg __attribute__((unused)))
344 struct crypt_device *cd = NULL;
347 r = crypt_init_by_name(&cd, action_argv[0]);
349 r = crypt_deactivate(cd, action_argv[0]);
355 static int action_resize(int arg __attribute__((unused)))
357 struct crypt_device *cd = NULL;
360 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
362 r = crypt_resize(cd, action_argv[0], opt_size);
368 static int action_status(int arg __attribute__((unused)))
370 crypt_status_info ci;
371 struct crypt_active_device cad;
372 struct crypt_device *cd = NULL;
378 /* perhaps a path, not a dm device name */
379 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
382 ci = crypt_status(NULL, action_argv[0]);
389 log_std("%s is inactive.\n", action_argv[0]);
391 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
397 log_std("%s is active%s.\n", action_argv[0],
398 ci == CRYPT_BUSY ? " and is in use" : "");
400 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
401 ci == CRYPT_BUSY ? " and is in use" : "");
403 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
404 if (r < 0 || !crypt_get_type(cd))
407 log_std(" type: %s\n", crypt_get_type(cd));
409 r = crypt_get_active_device(cd, action_argv[0], &cad);
413 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
414 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
415 device = crypt_get_device_name(cd);
416 log_std(" device: %s\n", device);
417 if (crypt_loop_device(device)) {
418 backing_file = crypt_loop_backing_file(device);
419 log_std(" loop: %s\n", backing_file);
422 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
423 log_std(" size: %" PRIu64 " sectors\n", cad.size);
425 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
426 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
427 "readonly" : "read/write");
428 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
429 log_std(" flags: discards\n");
438 static int action_benchmark(int arg __attribute__((unused)))
446 { "aes", "cbc", 16, 16 },
447 { "serpent", "cbc", 16, 16 },
448 { "twofish", "cbc", 16, 16 },
449 { "aes", "cbc", 32, 16 },
450 { "serpent", "cbc", 32, 16 },
451 { "twofish", "cbc", 32, 16 },
452 { "aes", "xts", 32, 16 },
453 { "serpent", "xts", 32, 16 },
454 { "twofish", "xts", 32, 16 },
455 { "aes", "xts", 64, 16 },
456 { "serpent", "xts", 64, 16 },
457 { "twofish", "xts", 64, 16 },
460 char *header = "# Tests are approximate using memory only (no storage IO).\n"
461 "# Algorithm | Key | Encryption | Decryption\n";
462 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
463 double enc_mbr = 0, dec_mbr = 0;
464 int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS);
466 int buffer_size = 1024 * 1024;
471 r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
473 log_err(_("No known cipher specification pattern detected.\n"));
476 if ((c = strchr(cipher_mode, '-')))
479 /* FIXME: not really clever :) */
480 if (strstr(cipher, "des"))
483 r = crypt_benchmark(NULL, cipher, cipher_mode,
484 key_size / 8, iv_size, buffer_size,
487 log_std("%s", header);
488 strncat(cipher, "-", MAX_CIPHER_LEN);
489 strncat(cipher, cipher_mode, MAX_CIPHER_LEN);
490 log_std("%11s %4db %5.1f MiB/s %5.1f MiB/s\n",
491 cipher, key_size, enc_mbr, dec_mbr);
493 log_err(_("Cannot benchmark %s.\n"), cipher);
495 log_std("%s", header);
496 for (i = 0; bciphers[i].cipher; i++) {
497 r = crypt_benchmark(NULL, bciphers[i].cipher, bciphers[i].mode,
498 bciphers[i].key_size, bciphers[i].iv_size,
499 buffer_size, &enc_mbr, &dec_mbr);
500 snprintf(cipher, MAX_CIPHER_LEN, "%s-%s",
501 bciphers[i].cipher, bciphers[i].mode);
503 log_std("%11s %4db %5.1f MiB/s %5.1f MiB/s\n",
504 cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr);
506 log_std("%11s %4db %12s %12s\n", cipher,
507 bciphers[i].key_size*8, _("N/A"), _("N/A"));
514 static int _read_mk(const char *file, char **key, int keysize)
518 *key = crypt_safe_alloc(keysize);
522 fd = open(file, O_RDONLY);
524 log_err("Cannot read keyfile %s.\n", file);
527 if ((read(fd, *key, keysize) != keysize)) {
528 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
535 crypt_safe_free(*key);
540 static int action_luksRepair(int arg __attribute__((unused)))
542 struct crypt_device *cd = NULL;
545 if ((r = crypt_init(&cd, action_argv[0])))
548 /* Currently only LUKS1 allows repair */
549 crypt_set_log_callback(cd, quiet_log, NULL);
550 r = crypt_load(cd, CRYPT_LUKS1, NULL);
551 crypt_set_log_callback(cd, tool_log, NULL);
553 log_verbose( _("No known problems detected for LUKS header.\n"));
557 r = yesDialog(_("Really try to repair LUKS device header?"),
560 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
566 static int action_luksFormat(int arg __attribute__((unused)))
568 int r = -EINVAL, keysize;
569 const char *header_device;
570 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
571 char *password = NULL;
573 struct crypt_device *cd = NULL;
574 struct crypt_params_luks1 params = {
575 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
576 .data_alignment = opt_align_payload,
577 .data_device = opt_header_device ? action_argv[0] : NULL,
580 header_device = opt_header_device ?: action_argv[0];
582 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
583 header_device) == -1) {
584 log_err(_("memory allocation error in action_luksFormat"));
588 r = yesDialog(msg, NULL) ? 0 : -EINVAL;
593 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
594 cipher, NULL, cipher_mode);
596 log_err(_("No known cipher specification pattern detected.\n"));
600 if ((r = crypt_init(&cd, header_device))) {
601 if (opt_header_device)
602 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
606 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
608 crypt_set_timeout(cd, opt_timeout);
609 if (opt_iteration_time)
610 crypt_set_iteration_time(cd, opt_iteration_time);
613 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
614 else if (opt_urandom)
615 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
617 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
618 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
619 opt_timeout, _verify_passphrase(1), cd);
623 if (opt_master_key_file) {
624 r = _read_mk(opt_master_key_file, &key, keysize);
629 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
630 opt_uuid, key, keysize, ¶ms);
634 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
636 password, passwordLen);
639 crypt_safe_free(key);
640 crypt_safe_free(password);
645 static int action_luksOpen(int arg __attribute__((unused)))
647 struct crypt_device *cd = NULL;
648 const char *data_device, *header_device, *activated_name;
653 if (opt_header_device) {
654 header_device = uuid_or_device(opt_header_device);
655 data_device = action_argv[0];
657 header_device = uuid_or_device(action_argv[0]);
661 activated_name = opt_test_passphrase ? NULL : action_argv[1];
663 if ((r = crypt_init(&cd, header_device)))
666 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
670 (r = crypt_set_data_device(cd, data_device)))
673 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
674 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
679 crypt_set_timeout(cd, opt_timeout);
680 crypt_set_password_retry(cd, opt_tries);
681 crypt_set_password_verify(cd, _verify_passphrase(0));
683 if (opt_iteration_time)
684 crypt_set_iteration_time(cd, opt_iteration_time);
687 flags |= CRYPT_ACTIVATE_READONLY;
689 if (opt_allow_discards)
690 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
692 if (opt_master_key_file) {
693 keysize = crypt_get_volume_key_size(cd);
694 r = _read_mk(opt_master_key_file, &key, keysize);
697 r = crypt_activate_by_volume_key(cd, activated_name,
698 key, keysize, flags);
699 } else if (opt_key_file) {
700 crypt_set_password_retry(cd, 1);
701 r = crypt_activate_by_keyfile_offset(cd, activated_name,
702 opt_key_slot, opt_key_file, opt_keyfile_size,
703 opt_keyfile_offset, flags);
705 r = crypt_activate_by_passphrase(cd, activated_name,
706 opt_key_slot, NULL, 0, flags);
708 crypt_safe_free(key);
713 static int verify_keyslot(struct crypt_device *cd, int key_slot,
714 char *msg_last, char *msg_pass,
715 const char *key_file, int keyfile_offset,
718 crypt_keyslot_info ki;
719 char *password = NULL;
723 ki = crypt_keyslot_status(cd, key_slot);
724 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !yesDialog(msg_last, NULL))
727 r = crypt_get_key(msg_pass, &password, &passwordLen,
728 keyfile_offset, keyfile_size, key_file, opt_timeout,
729 _verify_passphrase(0), cd);
733 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
734 /* check the last keyslot */
735 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
736 password, passwordLen, 0);
738 /* try all other keyslots */
739 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
742 ki = crypt_keyslot_status(cd, key_slot);
743 if (ki == CRYPT_SLOT_ACTIVE)
744 r = crypt_activate_by_passphrase(cd, NULL, i,
745 password, passwordLen, 0);
752 log_err(_("No key available with this passphrase.\n"));
754 crypt_safe_free(password);
758 static int action_luksKillSlot(int arg __attribute__((unused)))
760 struct crypt_device *cd = NULL;
763 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
766 crypt_set_confirm_callback(cd, yesDialog, NULL);
767 crypt_set_timeout(cd, opt_timeout);
769 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
772 switch (crypt_keyslot_status(cd, opt_key_slot)) {
773 case CRYPT_SLOT_ACTIVE_LAST:
774 case CRYPT_SLOT_ACTIVE:
775 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
777 case CRYPT_SLOT_INACTIVE:
778 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
779 case CRYPT_SLOT_INVALID:
784 if (!opt_batch_mode) {
785 r = verify_keyslot(cd, opt_key_slot,
786 _("This is the last keyslot. Device will become unusable after purging this key."),
787 _("Enter any remaining LUKS passphrase: "),
788 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
793 r = crypt_keyslot_destroy(cd, opt_key_slot);
799 static int action_luksRemoveKey(int arg __attribute__((unused)))
801 struct crypt_device *cd = NULL;
802 char *password = NULL;
806 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
809 crypt_set_confirm_callback(cd, yesDialog, NULL);
810 crypt_set_timeout(cd, opt_timeout);
812 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
815 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
816 &password, &passwordLen,
817 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
819 _verify_passphrase(0),
824 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
825 password, passwordLen, 0);
830 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
832 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
833 !yesDialog(_("This is the last keyslot. "
834 "Device will become unusable after purging this key."),
840 r = crypt_keyslot_destroy(cd, opt_key_slot);
842 crypt_safe_free(password);
847 static int action_luksAddKey(int arg __attribute__((unused)))
849 int r = -EINVAL, keysize = 0;
851 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
852 struct crypt_device *cd = NULL;
854 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
857 crypt_set_confirm_callback(cd, yesDialog, NULL);
859 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
862 keysize = crypt_get_volume_key_size(cd);
863 /* FIXME: lib cannot properly set verification for new/old passphrase */
864 crypt_set_password_verify(cd, _verify_passphrase(0));
865 crypt_set_timeout(cd, opt_timeout);
866 if (opt_iteration_time)
867 crypt_set_iteration_time(cd, opt_iteration_time);
869 if (opt_master_key_file) {
870 r = _read_mk(opt_master_key_file, &key, keysize);
873 //FIXME: process keyfile arg
874 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
875 key, keysize, NULL, 0);
876 } else if (opt_key_file || opt_new_key_file) {
877 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
878 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
879 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
881 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
886 crypt_safe_free(key);
890 static int _slots_full(struct crypt_device *cd)
894 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
895 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
900 static int action_luksChangeKey(int arg __attribute__((unused)))
902 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
903 struct crypt_device *cd = NULL;
904 char *vk = NULL, *password = NULL;
905 size_t passwordLen = 0;
907 int new_key_slot, old_key_slot, r;
909 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
912 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
915 if (opt_iteration_time)
916 crypt_set_iteration_time(cd, opt_iteration_time);
918 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
919 &password, &passwordLen,
920 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
921 opt_timeout, _verify_passphrase(0), cd);
925 vk_size = crypt_get_volume_key_size(cd);
926 vk = crypt_safe_alloc(vk_size);
932 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
933 password, passwordLen);
935 if (opt_key_slot != CRYPT_ANY_SLOT)
936 log_err(_("No key available with this passphrase.\n"));
940 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
941 log_dbg("Key slot %d is going to be overwritten (%s).",
942 r, opt_key_slot != CRYPT_ANY_SLOT ?
943 "explicit key slot specified" : "no free key slot");
947 log_dbg("Allocating new key slot.");
949 new_key_slot = CRYPT_ANY_SLOT;
952 crypt_safe_free(password);
955 r = crypt_get_key(_("Enter new LUKS passphrase: "),
956 &password, &passwordLen,
957 opt_new_keyfile_offset, opt_new_keyfile_size,
959 opt_timeout, _verify_passphrase(0), cd);
963 if (new_key_slot == old_key_slot) {
964 (void)crypt_keyslot_destroy(cd, old_key_slot);
965 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
967 password, passwordLen);
969 log_verbose(_("Key slot %d changed.\n"), r);
971 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
973 password, passwordLen);
975 log_verbose(_("Replaced with key slot %d.\n"), r);
976 r = crypt_keyslot_destroy(cd, old_key_slot);
980 log_err(_("Failed to swap new key slot.\n"));
983 crypt_safe_free(password);
988 static int action_isLuks(int arg __attribute__((unused)))
990 struct crypt_device *cd = NULL;
993 if ((r = crypt_init(&cd, action_argv[0])))
996 crypt_set_log_callback(cd, quiet_log, NULL);
997 r = crypt_load(cd, CRYPT_LUKS1, NULL);
1003 static int action_luksUUID(int arg __attribute__((unused)))
1005 struct crypt_device *cd = NULL;
1006 const char *existing_uuid = NULL;
1009 if ((r = crypt_init(&cd, action_argv[0])))
1012 crypt_set_confirm_callback(cd, yesDialog, NULL);
1014 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1018 r = crypt_set_uuid(cd, opt_uuid);
1020 existing_uuid = crypt_get_uuid(cd);
1021 log_std("%s\n", existing_uuid ?: "");
1022 r = existing_uuid ? 0 : 1;
1029 static int luksDump_with_volume_key(struct crypt_device *cd)
1031 char *vk = NULL, *password = NULL;
1032 size_t passwordLen = 0;
1037 crypt_set_confirm_callback(cd, yesDialog, NULL);
1039 _("LUKS header dump with volume key is sensitive information\n"
1040 "which allows access to encrypted partition without passphrase.\n"
1041 "This dump should be always stored encrypted on safe place."),
1045 vk_size = crypt_get_volume_key_size(cd);
1046 vk = crypt_safe_alloc(vk_size);
1050 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
1051 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1052 opt_timeout, 0, cd);
1056 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
1057 password, passwordLen);
1061 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
1062 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
1063 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
1064 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
1065 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
1066 log_std("MK bits: \t%d\n", (int)vk_size * 8);
1067 log_std("MK dump:\t");
1069 for(i = 0; i < vk_size; i++) {
1072 log_std("%02hhx ", (char)vk[i]);
1077 crypt_safe_free(password);
1078 crypt_safe_free(vk);
1082 static int action_luksDump(int arg __attribute__((unused)))
1084 struct crypt_device *cd = NULL;
1087 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1090 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1093 if (opt_dump_master_key)
1094 r = luksDump_with_volume_key(cd);
1102 static int action_luksSuspend(int arg __attribute__((unused)))
1104 struct crypt_device *cd = NULL;
1107 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
1109 r = crypt_suspend(cd, action_argv[0]);
1115 static int action_luksResume(int arg __attribute__((unused)))
1117 struct crypt_device *cd = NULL;
1120 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1123 crypt_set_timeout(cd, opt_timeout);
1124 crypt_set_password_retry(cd, opt_tries);
1125 crypt_set_password_verify(cd, _verify_passphrase(0));
1128 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1129 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1131 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1138 static int action_luksBackup(int arg __attribute__((unused)))
1140 struct crypt_device *cd = NULL;
1143 if (!opt_header_backup_file) {
1144 log_err(_("Option --header-backup-file is required.\n"));
1148 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1151 crypt_set_confirm_callback(cd, yesDialog, NULL);
1153 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1159 static int action_luksRestore(int arg __attribute__((unused)))
1161 struct crypt_device *cd = NULL;
1164 if (!opt_header_backup_file) {
1165 log_err(_("Option --header-backup-file is required.\n"));
1169 if ((r = crypt_init(&cd, action_argv[0])))
1172 crypt_set_confirm_callback(cd, yesDialog, NULL);
1173 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1179 static void help(poptContext popt_context,
1180 enum poptCallbackReason reason __attribute__((unused)),
1181 struct poptOption *key,
1182 const char *arg __attribute__((unused)),
1183 void *data __attribute__((unused)))
1185 if (key->shortName == '?') {
1186 struct action_type *action;
1188 log_std("%s\n",PACKAGE_STRING);
1190 poptPrintHelp(popt_context, stdout, 0);
1193 "<action> is one of:\n"));
1195 for(action = action_types; action->type; action++)
1196 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1199 "<name> is the device to create under %s\n"
1200 "<device> is the encrypted device\n"
1201 "<key slot> is the LUKS key slot number to modify\n"
1202 "<key file> optional key file for the new key for luksAddKey action\n"),
1205 log_std(_("\nDefault compiled-in key and passphrase parameters:\n"
1206 "\tMaximum keyfile size: %dkB, "
1207 "Maximum interactive passphrase length %d (characters)\n"
1208 "Default PBKDF2 iteration time for LUKS: %d (ms)\n"),
1209 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX,
1210 DEFAULT_LUKS1_ITER_TIME);
1212 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1213 "\tloop-AES: %s, Key %d bits\n"
1214 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1215 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1216 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1217 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1218 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1222 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1225 static int run_action(struct action_type *action)
1229 log_dbg("Running command %s.", action->type);
1231 if (action->required_memlock)
1232 crypt_memory_lock(NULL, 1);
1234 r = action->handler(action->arg);
1236 if (action->required_memlock)
1237 crypt_memory_lock(NULL, 0);
1239 /* Some functions returns keyslot # */
1244 return translate_errno(r);
1247 int main(int argc, const char **argv)
1249 static char *popt_tmp;
1250 static struct poptOption popt_help_options[] = {
1251 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1252 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1253 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1256 static struct poptOption popt_options[] = {
1257 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1258 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1259 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1260 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1261 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1262 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1263 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1264 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 5, N_("Read the key from a file."), NULL },
1265 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1266 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1267 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1268 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1269 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1270 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1271 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1272 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1273 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1274 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1275 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1276 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1277 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1278 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1279 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1280 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1281 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1282 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1283 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1284 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1285 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1286 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1287 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1288 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1289 { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
1290 { "hidden", '\0', POPT_ARG_NONE, &opt_hidden, 0, N_("Use hidden header (hiden TCRYPT device) ."), NULL },
1293 poptContext popt_context;
1294 struct action_type *action;
1298 crypt_set_log_callback(NULL, tool_log, NULL);
1300 setlocale(LC_ALL, "");
1301 bindtextdomain(PACKAGE, LOCALEDIR);
1302 textdomain(PACKAGE);
1304 crypt_fips_self_check(NULL);
1306 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1307 poptSetOtherOptionHelp(popt_context,
1308 _("[OPTION...] <action> <action-specific>"));
1310 while((r = poptGetNextOpt(popt_context)) > 0) {
1311 unsigned long long ull_value;
1315 if (opt_keyfiles_count < MAX_KEYFILES)
1316 opt_keyfiles[opt_keyfiles_count++] = poptGetOptArg(popt_context);
1321 ull_value = strtoull(popt_tmp, &endp, 0);
1322 if (*endp || !*popt_tmp ||
1323 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1324 (errno != 0 && ull_value == 0))
1325 r = POPT_ERROR_BADNUMBER;
1329 opt_size = ull_value;
1332 opt_offset = ull_value;
1335 opt_skip = ull_value;
1345 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1346 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1347 if (opt_version_mode) {
1348 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1349 poptFreeContext(popt_context);
1353 if (!(aname = poptGetArg(popt_context)))
1354 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1355 poptGetInvocationName(popt_context));
1356 for(action = action_types; action->type; action++)
1357 if (strcmp(action->type, aname) == 0)
1360 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1361 poptGetInvocationName(popt_context));
1364 action_argv = poptGetArgs(popt_context);
1365 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1367 action_argv = null_action_argv;
1369 /* Count args, somewhat unnice, change? */
1370 while(action_argv[action_argc] != NULL)
1373 if(action_argc < action->required_action_argc) {
1375 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1376 usage(popt_context, EXIT_FAILURE, buf,
1377 poptGetInvocationName(popt_context));
1380 /* FIXME: rewrite this from scratch */
1382 if (opt_shared && strcmp(aname, "create"))
1383 usage(popt_context, EXIT_FAILURE,
1384 _("Option --shared is allowed only for create operation.\n"),
1385 poptGetInvocationName(popt_context));
1387 if (opt_allow_discards &&
1388 strcmp(aname, "luksOpen") &&
1389 strcmp(aname, "create") &&
1390 strcmp(aname, "loopaesOpen"))
1391 usage(popt_context, EXIT_FAILURE,
1392 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1393 poptGetInvocationName(popt_context));
1396 strcmp(aname, "luksFormat") &&
1397 strcmp(aname, "create") &&
1398 strcmp(aname, "loopaesOpen") &&
1399 strcmp(aname, "benchmark"))
1400 usage(popt_context, EXIT_FAILURE,
1401 _("Option --key-size is allowed only for luksFormat, create, loopaesOpen and benchmark.\n"
1402 "To limit read from keyfile use --keyfile-size=(bytes)."),
1403 poptGetInvocationName(popt_context));
1405 if (opt_test_passphrase &&
1406 strcmp(aname, "luksOpen") &&
1407 strcmp(aname, "tcryptOpen"))
1408 usage(popt_context, EXIT_FAILURE,
1409 _("Option --test-passphrase is allowed only for luksOpen and tcryptOpen.\n"),
1410 poptGetInvocationName(popt_context));
1412 if (opt_key_size % 8)
1413 usage(popt_context, EXIT_FAILURE,
1414 _("Key size must be a multiple of 8 bits"),
1415 poptGetInvocationName(popt_context));
1417 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1418 opt_key_slot = atoi(action_argv[1]);
1419 if (opt_key_slot != CRYPT_ANY_SLOT &&
1420 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1421 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1422 poptGetInvocationName(popt_context));
1424 if ((!strcmp(aname, "luksRemoveKey") ||
1425 !strcmp(aname, "luksFormat")) &&
1428 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1430 opt_key_file = action_argv[1];
1433 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1434 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0)
1435 usage(popt_context, EXIT_FAILURE,
1436 _("Negative number for option not permitted."),
1437 poptGetInvocationName(popt_context));
1439 if (opt_random && opt_urandom)
1440 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1441 poptGetInvocationName(popt_context));
1443 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1444 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1445 poptGetInvocationName(popt_context));
1447 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1448 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1449 poptGetInvocationName(popt_context));
1451 if (opt_align_payload && strcmp(aname, "luksFormat"))
1452 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1453 poptGetInvocationName(popt_context));
1455 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1456 usage(popt_context, EXIT_FAILURE,
1457 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1458 poptGetInvocationName(popt_context));
1460 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1461 usage(popt_context, EXIT_FAILURE,
1462 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1463 poptGetInvocationName(popt_context));
1465 if (opt_hidden && strcmp(aname, "tcryptOpen") && strcmp(aname, "tcryptDump"))
1466 usage(popt_context, EXIT_FAILURE,
1467 _("Option --hidden is supported only for TCRYPT commands.\n"),
1468 poptGetInvocationName(popt_context));
1472 crypt_set_debug_level(-1);
1473 dbg_version_and_cmd(argc, argv);
1476 r = run_action(action);
1477 poptFreeContext(popt_context);