2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
37 #include "cryptsetup.h"
39 static int opt_verbose = 0;
40 static int opt_debug = 0;
41 static const char *opt_cipher = NULL;
42 static const char *opt_hash = NULL;
43 static int opt_verify_passphrase = 0;
44 static const char *opt_key_file = NULL;
45 static const char *opt_master_key_file = NULL;
46 static const char *opt_header_backup_file = NULL;
47 static const char *opt_uuid = NULL;
48 static const char *opt_header_device = NULL;
49 static int opt_key_size = 0;
50 static long opt_keyfile_size = 0;
51 static long opt_new_keyfile_size = 0;
52 static long opt_keyfile_offset = 0;
53 static long opt_new_keyfile_offset = 0;
54 static int opt_key_slot = CRYPT_ANY_SLOT;
55 static uint64_t opt_size = 0;
56 static uint64_t opt_offset = 0;
57 static uint64_t opt_skip = 0;
58 static int opt_skip_valid = 0;
59 static int opt_readonly = 0;
60 static int opt_iteration_time = 1000;
61 static int opt_batch_mode = 0;
62 static int opt_version_mode = 0;
63 static int opt_timeout = 0;
64 static int opt_tries = 3;
65 static int opt_align_payload = 0;
66 static int opt_random = 0;
67 static int opt_urandom = 0;
68 static int opt_dump_master_key = 0;
69 static int opt_shared = 0;
70 static int opt_allow_discards = 0;
72 static const char **action_argv;
73 static int action_argc;
75 static int action_create(int arg);
76 static int action_remove(int arg);
77 static int action_resize(int arg);
78 static int action_status(int arg);
79 static int action_luksFormat(int arg);
80 static int action_luksOpen(int arg);
81 static int action_luksAddKey(int arg);
82 static int action_luksKillSlot(int arg);
83 static int action_luksRemoveKey(int arg);
84 static int action_luksChangeKey(int arg);
85 static int action_isLuks(int arg);
86 static int action_luksUUID(int arg);
87 static int action_luksDump(int arg);
88 static int action_luksSuspend(int arg);
89 static int action_luksResume(int arg);
90 static int action_luksBackup(int arg);
91 static int action_luksRestore(int arg);
92 static int action_loopaesOpen(int arg);
93 static int action_luksRepair(int arg);
95 static struct action_type {
99 int required_action_argc;
100 int required_memlock;
101 const char *arg_desc;
104 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
105 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
106 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
107 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
108 { "repair", action_luksRepair, 0, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
109 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
110 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
111 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
112 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
113 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
114 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
115 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
116 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
117 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
118 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
119 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
120 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
121 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
122 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
123 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
124 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
125 { NULL, NULL, 0, 0, 0, NULL, NULL }
128 __attribute__((format(printf, 5, 6)))
129 static void clogger(struct crypt_device *cd, int level, const char *file,
130 int line, const char *format, ...)
135 va_start(argp, format);
137 if (vasprintf(&target, format, argp) > 0) {
139 crypt_log(cd, level, target);
141 } else if (opt_debug)
142 printf("# %s:%d %s\n", file ?: "?", line, target);
144 } else if (opt_debug)
145 printf("# %s\n", target);
153 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
159 if(isatty(STDIN_FILENO) && !opt_batch_mode) {
160 log_std("\nWARNING!\n========\n");
161 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
162 if(getline(&answer, &size, stdin) == -1) {
167 if(strcmp(answer, "YES\n"))
175 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
179 case CRYPT_LOG_NORMAL:
182 case CRYPT_LOG_VERBOSE:
186 case CRYPT_LOG_ERROR:
189 case CRYPT_LOG_DEBUG:
191 printf("# %s\n", msg);
194 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
199 static void _quiet_log(int level, const char *msg, void *usrptr)
201 if (!opt_verbose && (level == CRYPT_LOG_ERROR || level == CRYPT_LOG_NORMAL))
202 level = CRYPT_LOG_VERBOSE;
203 _log(level, msg, usrptr);
206 static int _verify_passphrase(int def)
208 /* Batch mode switch off verify - if not overrided by -y */
209 if (opt_verify_passphrase)
211 else if (opt_batch_mode)
214 /* Non-tty input doesn't allow verify */
215 if (def && !isatty(STDIN_FILENO)) {
216 if (opt_verify_passphrase)
217 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
224 static void show_status(int errcode)
226 char error[256], *error_;
232 log_std(_("Command successful.\n"));
236 crypt_get_error(error, sizeof(error));
239 error_ = strerror_r(-errcode, error, sizeof(error));
240 if (error_ != error) {
241 strncpy(error, error_, sizeof(error));
242 error[sizeof(error) - 1] = '\0';
246 log_err(_("Command failed with code %i"), -errcode);
248 log_err(": %s\n", error);
253 static const char *uuid_or_device(const char *spec)
255 static char device[PATH_MAX];
257 int i = 0, uuid_len = 5;
259 /* Check if it is correct UUID=<LUKS_UUID> format */
260 if (spec && !strncmp(spec, "UUID=", uuid_len)) {
261 strcpy(device, "/dev/disk/by-uuid/");
262 ptr = &device[strlen(device)];
264 while ((s = spec[i++]) && i < PATH_MAX) {
265 if (!isxdigit(s) && s != '-')
266 return spec; /* Bail it out */
278 static int action_create(int arg __attribute__((unused)))
280 struct crypt_device *cd = NULL;
281 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
282 struct crypt_params_plain params = {
283 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
285 .offset = opt_offset,
288 char *password = NULL;
290 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
291 uint32_t activate_flags = 0;
294 if (params.hash && !strcmp(params.hash, "plain"))
297 /* FIXME: temporary hack */
298 if (opt_key_file && strcmp(opt_key_file, "-"))
301 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
302 log_std(("Ignoring keyfile offset and size options, keyfile read "
303 "size is always the same as encryption key size.\n"));
305 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
306 cipher, NULL, cipher_mode);
308 log_err("No known cipher specification pattern detected.\n");
312 if ((r = crypt_init(&cd, action_argv[1])))
315 crypt_set_timeout(cd, opt_timeout);
316 crypt_set_password_retry(cd, opt_tries);
318 r = crypt_format(cd, CRYPT_PLAIN,
327 activate_flags |= CRYPT_ACTIVATE_READONLY;
330 activate_flags |= CRYPT_ACTIVATE_SHARED;
332 if (opt_allow_discards)
333 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
336 /* With hashing, read the whole keyfile */
337 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
338 CRYPT_ANY_SLOT, opt_key_file,
339 params.hash ? 0 : key_size, 0,
342 r = crypt_get_key(_("Enter passphrase: "),
343 &password, &passwordLen,
344 opt_keyfile_offset, opt_keyfile_size,
346 _verify_passphrase(0),
351 r = crypt_activate_by_passphrase(cd, action_argv[0],
352 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
356 crypt_safe_free(password);
361 static int action_loopaesOpen(int arg __attribute__((unused)))
363 struct crypt_device *cd = NULL;
364 struct crypt_params_loopaes params = {
365 .hash = opt_hash ?: NULL,
366 .offset = opt_offset,
367 .skip = opt_skip_valid ? opt_skip : opt_offset,
369 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
370 uint32_t activate_flags = 0;
374 log_err(_("Option --key-file is required.\n"));
379 activate_flags |= CRYPT_ACTIVATE_READONLY;
381 if (opt_allow_discards)
382 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
384 if ((r = crypt_init(&cd, action_argv[0])))
387 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
388 NULL, NULL, NULL, key_size, ¶ms);
392 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
393 opt_key_file, opt_keyfile_size,
394 opt_keyfile_size, activate_flags);
401 static int action_remove(int arg __attribute__((unused)))
403 struct crypt_device *cd = NULL;
406 r = crypt_init_by_name(&cd, action_argv[0]);
408 r = crypt_deactivate(cd, action_argv[0]);
414 static int action_resize(int arg __attribute__((unused)))
416 struct crypt_device *cd = NULL;
419 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
421 r = crypt_resize(cd, action_argv[0], opt_size);
427 static int action_status(int arg __attribute__((unused)))
429 crypt_status_info ci;
430 struct crypt_active_device cad;
431 struct crypt_device *cd = NULL;
437 /* perhaps a path, not a dm device name */
438 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
441 ci = crypt_status(NULL, action_argv[0]);
448 log_std("%s is inactive.\n", action_argv[0]);
450 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
456 log_std("%s is active%s.\n", action_argv[0],
457 ci == CRYPT_BUSY ? " and is in use" : "");
459 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
460 ci == CRYPT_BUSY ? " and is in use" : "");
462 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
463 if (r < 0 || !crypt_get_type(cd))
466 log_std(" type: %s\n", crypt_get_type(cd));
468 r = crypt_get_active_device(cd, action_argv[0], &cad);
472 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
473 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
474 device = crypt_get_device_name(cd);
475 log_std(" device: %s\n", device);
476 if (crypt_loop_device(device)) {
477 backing_file = crypt_loop_backing_file(device);
478 log_std(" loop: %s\n", backing_file);
481 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
482 log_std(" size: %" PRIu64 " sectors\n", cad.size);
484 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
485 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
486 "readonly" : "read/write");
487 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
488 log_std(" flags: discards\n");
497 static int _read_mk(const char *file, char **key, int keysize)
501 *key = crypt_safe_alloc(keysize);
505 fd = open(file, O_RDONLY);
507 log_err("Cannot read keyfile %s.\n", file);
510 if ((read(fd, *key, keysize) != keysize)) {
511 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
518 crypt_safe_free(*key);
523 static int action_luksRepair(int arg __attribute__((unused)))
525 struct crypt_device *cd = NULL;
528 if ((r = crypt_init(&cd, action_argv[0])))
531 /* Currently only LUKS1 allows repair */
532 crypt_set_log_callback(cd, _quiet_log, NULL);
533 r = crypt_load(cd, CRYPT_LUKS1, NULL);
534 crypt_set_log_callback(cd, _log, NULL);
536 log_verbose( _("No known problems detected for LUKS header.\n"));
540 r = _yesDialog(_("Really try to repair LUKS device header?"),
543 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
549 static int action_luksFormat(int arg __attribute__((unused)))
551 int r = -EINVAL, keysize;
552 const char *header_device;
553 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
554 char *password = NULL;
556 struct crypt_device *cd = NULL;
557 struct crypt_params_luks1 params = {
558 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
559 .data_alignment = opt_align_payload,
560 .data_device = opt_header_device ? action_argv[0] : NULL,
563 header_device = opt_header_device ?: action_argv[0];
565 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
566 header_device) == -1) {
567 log_err(_("memory allocation error in action_luksFormat"));
571 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
576 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
577 cipher, NULL, cipher_mode);
579 log_err(_("No known cipher specification pattern detected.\n"));
583 if ((r = crypt_init(&cd, header_device))) {
584 if (opt_header_device)
585 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
589 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
591 crypt_set_timeout(cd, opt_timeout);
592 if (opt_iteration_time)
593 crypt_set_iteration_time(cd, opt_iteration_time);
596 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
597 else if (opt_urandom)
598 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
600 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
601 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
602 opt_timeout, _verify_passphrase(1), cd);
606 if (opt_master_key_file) {
607 r = _read_mk(opt_master_key_file, &key, keysize);
612 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
613 opt_uuid, key, keysize, ¶ms);
617 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
619 password, passwordLen);
622 crypt_safe_free(key);
623 crypt_safe_free(password);
628 static int action_luksOpen(int arg __attribute__((unused)))
630 struct crypt_device *cd = NULL;
631 const char *data_device, *header_device;
636 if (opt_header_device) {
637 header_device = uuid_or_device(opt_header_device);
638 data_device = action_argv[0];
640 header_device = uuid_or_device(action_argv[0]);
644 if ((r = crypt_init(&cd, header_device)))
647 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
651 (r = crypt_set_data_device(cd, data_device)))
654 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
655 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
660 crypt_set_timeout(cd, opt_timeout);
661 crypt_set_password_retry(cd, opt_tries);
662 crypt_set_password_verify(cd, _verify_passphrase(0));
664 if (opt_iteration_time)
665 crypt_set_iteration_time(cd, opt_iteration_time);
668 flags |= CRYPT_ACTIVATE_READONLY;
670 if (opt_allow_discards)
671 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
673 if (opt_master_key_file) {
674 keysize = crypt_get_volume_key_size(cd);
675 r = _read_mk(opt_master_key_file, &key, keysize);
678 r = crypt_activate_by_volume_key(cd, action_argv[1],
679 key, keysize, flags);
680 } else if (opt_key_file) {
681 crypt_set_password_retry(cd, 1);
682 r = crypt_activate_by_keyfile_offset(cd, action_argv[1],
683 opt_key_slot, opt_key_file, opt_keyfile_size,
684 opt_keyfile_offset, flags);
686 r = crypt_activate_by_passphrase(cd, action_argv[1],
687 opt_key_slot, NULL, 0, flags);
689 crypt_safe_free(key);
694 static int verify_keyslot(struct crypt_device *cd, int key_slot,
695 char *msg_last, char *msg_pass,
696 const char *key_file, int keyfile_offset,
699 crypt_keyslot_info ki;
700 char *password = NULL;
704 ki = crypt_keyslot_status(cd, key_slot);
705 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
708 r = crypt_get_key(msg_pass, &password, &passwordLen,
709 keyfile_offset, keyfile_size, key_file, opt_timeout,
710 _verify_passphrase(0), cd);
714 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
715 /* check the last keyslot */
716 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
717 password, passwordLen, 0);
719 /* try all other keyslots */
720 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
723 ki = crypt_keyslot_status(cd, key_slot);
724 if (ki == CRYPT_SLOT_ACTIVE)
725 r = crypt_activate_by_passphrase(cd, NULL, i,
726 password, passwordLen, 0);
733 log_err(_("No key available with this passphrase.\n"));
735 crypt_safe_free(password);
739 static int action_luksKillSlot(int arg __attribute__((unused)))
741 struct crypt_device *cd = NULL;
744 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
747 crypt_set_confirm_callback(cd, _yesDialog, NULL);
748 crypt_set_timeout(cd, opt_timeout);
750 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
753 switch (crypt_keyslot_status(cd, opt_key_slot)) {
754 case CRYPT_SLOT_ACTIVE_LAST:
755 case CRYPT_SLOT_ACTIVE:
756 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
758 case CRYPT_SLOT_INACTIVE:
759 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
760 case CRYPT_SLOT_INVALID:
765 if (!opt_batch_mode) {
766 r = verify_keyslot(cd, opt_key_slot,
767 _("This is the last keyslot. Device will become unusable after purging this key."),
768 _("Enter any remaining LUKS passphrase: "),
769 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
774 r = crypt_keyslot_destroy(cd, opt_key_slot);
780 static int action_luksRemoveKey(int arg __attribute__((unused)))
782 struct crypt_device *cd = NULL;
783 char *password = NULL;
787 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
790 crypt_set_confirm_callback(cd, _yesDialog, NULL);
791 crypt_set_timeout(cd, opt_timeout);
793 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
796 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
797 &password, &passwordLen,
798 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
800 _verify_passphrase(0),
805 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
806 password, passwordLen, 0);
811 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
813 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
814 !_yesDialog(_("This is the last keyslot. "
815 "Device will become unusable after purging this key."),
821 r = crypt_keyslot_destroy(cd, opt_key_slot);
823 crypt_safe_free(password);
828 static int action_luksAddKey(int arg __attribute__((unused)))
830 int r = -EINVAL, keysize = 0;
832 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
833 struct crypt_device *cd = NULL;
835 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
838 crypt_set_confirm_callback(cd, _yesDialog, NULL);
840 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
843 keysize = crypt_get_volume_key_size(cd);
844 /* FIXME: lib cannot properly set verification for new/old passphrase */
845 crypt_set_password_verify(cd, _verify_passphrase(0));
846 crypt_set_timeout(cd, opt_timeout);
847 if (opt_iteration_time)
848 crypt_set_iteration_time(cd, opt_iteration_time);
850 if (opt_master_key_file) {
851 r = _read_mk(opt_master_key_file, &key, keysize);
854 //FIXME: process keyfile arg
855 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
856 key, keysize, NULL, 0);
857 } else if (opt_key_file || opt_new_key_file) {
858 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
859 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
860 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
862 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
867 crypt_safe_free(key);
871 static int _slots_full(struct crypt_device *cd)
875 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
876 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
881 static int action_luksChangeKey(int arg __attribute__((unused)))
883 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
884 struct crypt_device *cd = NULL;
885 char *vk = NULL, *password = NULL;
886 size_t passwordLen = 0;
888 int new_key_slot, old_key_slot, r;
890 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
893 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
896 if (opt_iteration_time)
897 crypt_set_iteration_time(cd, opt_iteration_time);
899 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
900 &password, &passwordLen,
901 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
902 opt_timeout, _verify_passphrase(0), cd);
906 vk_size = crypt_get_volume_key_size(cd);
907 vk = crypt_safe_alloc(vk_size);
913 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
914 password, passwordLen);
916 if (opt_key_slot != CRYPT_ANY_SLOT)
917 log_err(_("No key available with this passphrase.\n"));
921 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
922 log_dbg("Key slot %d is going to be overwritten (%s).",
923 r, opt_key_slot != CRYPT_ANY_SLOT ?
924 "explicit key slot specified" : "no free key slot");
928 log_dbg("Allocating new key slot.");
930 new_key_slot = CRYPT_ANY_SLOT;
933 crypt_safe_free(password);
936 r = crypt_get_key(_("Enter new LUKS passphrase: "),
937 &password, &passwordLen,
938 opt_new_keyfile_offset, opt_new_keyfile_size,
940 opt_timeout, _verify_passphrase(0), cd);
944 if (new_key_slot == old_key_slot) {
945 (void)crypt_keyslot_destroy(cd, old_key_slot);
946 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
948 password, passwordLen);
950 log_verbose(_("Key slot %d changed.\n"), r);
952 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
954 password, passwordLen);
956 log_verbose(_("Replaced with key slot %d.\n"), r);
957 r = crypt_keyslot_destroy(cd, old_key_slot);
961 log_err(_("Failed to swap new key slot.\n"));
964 crypt_safe_free(password);
969 static int action_isLuks(int arg __attribute__((unused)))
971 struct crypt_device *cd = NULL;
974 if ((r = crypt_init(&cd, action_argv[0])))
977 crypt_set_log_callback(cd, _quiet_log, NULL);
978 r = crypt_load(cd, CRYPT_LUKS1, NULL);
984 static int action_luksUUID(int arg __attribute__((unused)))
986 struct crypt_device *cd = NULL;
987 const char *existing_uuid = NULL;
990 if ((r = crypt_init(&cd, action_argv[0])))
993 crypt_set_confirm_callback(cd, _yesDialog, NULL);
995 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
999 r = crypt_set_uuid(cd, opt_uuid);
1001 existing_uuid = crypt_get_uuid(cd);
1002 log_std("%s\n", existing_uuid ?: "");
1003 r = existing_uuid ? 0 : 1;
1010 static int luksDump_with_volume_key(struct crypt_device *cd)
1012 char *vk = NULL, *password = NULL;
1013 size_t passwordLen = 0;
1018 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1020 _("LUKS header dump with volume key is sensitive information\n"
1021 "which allows access to encrypted partition without passphrase.\n"
1022 "This dump should be always stored encrypted on safe place."),
1026 vk_size = crypt_get_volume_key_size(cd);
1027 vk = crypt_safe_alloc(vk_size);
1031 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
1032 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1033 opt_timeout, 0, cd);
1037 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
1038 password, passwordLen);
1042 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
1043 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
1044 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
1045 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
1046 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
1047 log_std("MK bits: \t%d\n", (int)vk_size * 8);
1048 log_std("MK dump:\t");
1050 for(i = 0; i < vk_size; i++) {
1053 log_std("%02hhx ", (char)vk[i]);
1058 crypt_safe_free(password);
1059 crypt_safe_free(vk);
1063 static int action_luksDump(int arg __attribute__((unused)))
1065 struct crypt_device *cd = NULL;
1068 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1071 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1074 if (opt_dump_master_key)
1075 r = luksDump_with_volume_key(cd);
1083 static int action_luksSuspend(int arg __attribute__((unused)))
1085 struct crypt_device *cd = NULL;
1088 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
1090 r = crypt_suspend(cd, action_argv[0]);
1096 static int action_luksResume(int arg __attribute__((unused)))
1098 struct crypt_device *cd = NULL;
1101 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1104 crypt_set_timeout(cd, opt_timeout);
1105 crypt_set_password_retry(cd, opt_tries);
1106 crypt_set_password_verify(cd, _verify_passphrase(0));
1109 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1110 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1112 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1119 static int action_luksBackup(int arg __attribute__((unused)))
1121 struct crypt_device *cd = NULL;
1124 if (!opt_header_backup_file) {
1125 log_err(_("Option --header-backup-file is required.\n"));
1129 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1132 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1134 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1140 static int action_luksRestore(int arg __attribute__((unused)))
1142 struct crypt_device *cd = NULL;
1145 if (!opt_header_backup_file) {
1146 log_err(_("Option --header-backup-file is required.\n"));
1150 if ((r = crypt_init(&cd, action_argv[0])))
1153 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1154 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1160 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1161 int exitcode, const char *error,
1164 poptPrintUsage(popt_context, stderr, 0);
1166 log_err("%s: %s\n", more, error);
1167 poptFreeContext(popt_context);
1171 static void help(poptContext popt_context,
1172 enum poptCallbackReason reason __attribute__((unused)),
1173 struct poptOption *key,
1174 const char *arg __attribute__((unused)),
1175 void *data __attribute__((unused)))
1177 if (key->shortName == '?') {
1178 struct action_type *action;
1180 log_std("%s\n",PACKAGE_STRING);
1182 poptPrintHelp(popt_context, stdout, 0);
1185 "<action> is one of:\n"));
1187 for(action = action_types; action->type; action++)
1188 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1191 "<name> is the device to create under %s\n"
1192 "<device> is the encrypted device\n"
1193 "<key slot> is the LUKS key slot number to modify\n"
1194 "<key file> optional key file for the new key for luksAddKey action\n"),
1197 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1198 "\tMaximum keyfile size: %dkB, "
1199 "Maximum interactive passphrase length %d (characters)\n"),
1200 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1202 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1203 "\tloop-AES: %s, Key %d bits\n"
1204 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1205 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1206 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1207 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1208 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1212 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1215 static void _dbg_version_and_cmd(int argc, const char **argv)
1219 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1220 for (i = 0; i < argc; i++) {
1223 log_std("%s", argv[i]);
1228 static int run_action(struct action_type *action)
1232 log_dbg("Running command %s.", action->type);
1234 if (action->required_memlock)
1235 crypt_memory_lock(NULL, 1);
1237 r = action->handler(action->arg);
1239 if (action->required_memlock)
1240 crypt_memory_lock(NULL, 0);
1242 /* Some functions returns keyslot # */
1248 /* Translate exit code to simple codes */
1250 case 0: r = EXIT_SUCCESS; break;
1252 case -EBUSY: r = 5; break;
1254 case -ENODEV: r = 4; break;
1255 case -ENOMEM: r = 3; break;
1256 case -EPERM: r = 2; break;
1260 default: r = EXIT_FAILURE;
1265 int main(int argc, const char **argv)
1267 static char *popt_tmp;
1268 static struct poptOption popt_help_options[] = {
1269 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1270 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1271 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1274 static struct poptOption popt_options[] = {
1275 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1276 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1277 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1278 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1279 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1280 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1281 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1282 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1283 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1284 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1285 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1286 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1287 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1288 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1289 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1290 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1291 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1292 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1293 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1294 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1295 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1296 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1297 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1298 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1299 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1300 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1301 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1302 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1303 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1304 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1305 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1306 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1309 poptContext popt_context;
1310 struct action_type *action;
1313 const char *null_action_argv[] = {NULL};
1315 crypt_set_log_callback(NULL, _log, NULL);
1317 setlocale(LC_ALL, "");
1318 bindtextdomain(PACKAGE, LOCALEDIR);
1319 textdomain(PACKAGE);
1321 crypt_fips_self_check(NULL);
1323 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1324 poptSetOtherOptionHelp(popt_context,
1325 N_("[OPTION...] <action> <action-specific>"));
1327 while((r = poptGetNextOpt(popt_context)) > 0) {
1328 unsigned long long ull_value;
1332 ull_value = strtoull(popt_tmp, &endp, 0);
1333 if (*endp || !*popt_tmp ||
1334 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1335 (errno != 0 && ull_value == 0))
1336 r = POPT_ERROR_BADNUMBER;
1340 opt_size = ull_value;
1343 opt_offset = ull_value;
1346 opt_skip = ull_value;
1356 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1357 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1358 if (opt_version_mode) {
1359 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1360 poptFreeContext(popt_context);
1364 if (!(aname = poptGetArg(popt_context)))
1365 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1366 poptGetInvocationName(popt_context));
1367 for(action = action_types; action->type; action++)
1368 if (strcmp(action->type, aname) == 0)
1371 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1372 poptGetInvocationName(popt_context));
1375 action_argv = poptGetArgs(popt_context);
1376 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1378 action_argv = null_action_argv;
1380 /* Count args, somewhat unnice, change? */
1381 while(action_argv[action_argc] != NULL)
1384 if(action_argc < action->required_action_argc) {
1386 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1387 usage(popt_context, EXIT_FAILURE, buf,
1388 poptGetInvocationName(popt_context));
1391 /* FIXME: rewrite this from scratch */
1393 if (opt_shared && strcmp(aname, "create")) {
1394 usage(popt_context, EXIT_FAILURE,
1395 _("Option --shared is allowed only for create operation.\n"),
1396 poptGetInvocationName(popt_context));
1399 if (opt_allow_discards &&
1400 strcmp(aname, "luksOpen") &&
1401 strcmp(aname, "create") &&
1402 strcmp(aname, "loopaesOpen")) {
1403 usage(popt_context, EXIT_FAILURE,
1404 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1405 poptGetInvocationName(popt_context));
1409 strcmp(aname, "luksFormat") &&
1410 strcmp(aname, "create") &&
1411 strcmp(aname, "loopaesOpen")) {
1412 usage(popt_context, EXIT_FAILURE,
1413 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1414 "To limit read from keyfile use --keyfile-size=(bytes)."),
1415 poptGetInvocationName(popt_context));
1418 if (opt_key_size % 8)
1419 usage(popt_context, EXIT_FAILURE,
1420 _("Key size must be a multiple of 8 bits"),
1421 poptGetInvocationName(popt_context));
1423 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1424 opt_key_slot = atoi(action_argv[1]);
1425 if (opt_key_slot != CRYPT_ANY_SLOT &&
1426 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1427 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1428 poptGetInvocationName(popt_context));
1430 if ((!strcmp(aname, "luksRemoveKey") ||
1431 !strcmp(aname, "luksFormat")) &&
1434 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1436 opt_key_file = action_argv[1];
1439 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1440 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0) {
1441 usage(popt_context, EXIT_FAILURE,
1442 _("Negative number for option not permitted."),
1443 poptGetInvocationName(popt_context));
1446 if (opt_random && opt_urandom)
1447 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1448 poptGetInvocationName(popt_context));
1450 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1451 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1452 poptGetInvocationName(popt_context));
1454 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1455 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1456 poptGetInvocationName(popt_context));
1458 if (opt_align_payload && strcmp(aname, "luksFormat"))
1459 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1460 poptGetInvocationName(popt_context));
1462 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1463 usage(popt_context, EXIT_FAILURE,
1464 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1465 poptGetInvocationName(popt_context));
1467 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1468 usage(popt_context, EXIT_FAILURE,
1469 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1470 poptGetInvocationName(popt_context));
1474 crypt_set_debug_level(-1);
1475 _dbg_version_and_cmd(argc, argv);
1478 r = run_action(action);
1479 poptFreeContext(popt_context);
projects / platform / upstream / cryptsetup.git / blob