2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "cryptsetup.h"
24 static const char *opt_cipher = NULL;
25 static const char *opt_hash = NULL;
26 static int opt_verify_passphrase = 0;
27 static const char *opt_key_file = NULL;
28 static const char *opt_master_key_file = NULL;
29 static const char *opt_header_backup_file = NULL;
30 static const char *opt_uuid = NULL;
31 static const char *opt_header_device = NULL;
32 static int opt_key_size = 0;
33 static long opt_keyfile_size = 0;
34 static long opt_new_keyfile_size = 0;
35 static long opt_keyfile_offset = 0;
36 static long opt_new_keyfile_offset = 0;
37 static int opt_key_slot = CRYPT_ANY_SLOT;
38 static uint64_t opt_size = 0;
39 static uint64_t opt_offset = 0;
40 static uint64_t opt_skip = 0;
41 static int opt_skip_valid = 0;
42 static int opt_readonly = 0;
43 static int opt_iteration_time = 1000;
44 static int opt_version_mode = 0;
45 static int opt_timeout = 0;
46 static int opt_tries = 3;
47 static int opt_align_payload = 0;
48 static int opt_random = 0;
49 static int opt_urandom = 0;
50 static int opt_dump_master_key = 0;
51 static int opt_shared = 0;
52 static int opt_allow_discards = 0;
53 static int opt_test_passphrase = 0;
55 static const char **action_argv;
56 static int action_argc;
58 static int action_create(int arg);
59 static int action_remove(int arg);
60 static int action_resize(int arg);
61 static int action_status(int arg);
62 static int action_luksFormat(int arg);
63 static int action_luksOpen(int arg);
64 static int action_luksAddKey(int arg);
65 static int action_luksKillSlot(int arg);
66 static int action_luksRemoveKey(int arg);
67 static int action_luksChangeKey(int arg);
68 static int action_isLuks(int arg);
69 static int action_luksUUID(int arg);
70 static int action_luksDump(int arg);
71 static int action_luksSuspend(int arg);
72 static int action_luksResume(int arg);
73 static int action_luksBackup(int arg);
74 static int action_luksRestore(int arg);
75 static int action_loopaesOpen(int arg);
76 static int action_luksRepair(int arg);
78 static struct action_type {
82 int required_action_argc;
87 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
88 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
89 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
90 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
91 { "repair", action_luksRepair, 0, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
92 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
93 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
94 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
95 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
96 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
97 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
98 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
99 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
100 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
101 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
102 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
103 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
104 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
105 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
106 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
107 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
108 { NULL, NULL, 0, 0, 0, NULL, NULL }
111 static int _verify_passphrase(int def)
113 /* Batch mode switch off verify - if not overrided by -y */
114 if (opt_verify_passphrase)
116 else if (opt_batch_mode)
119 /* Non-tty input doesn't allow verify */
120 if (def && !isatty(STDIN_FILENO)) {
121 if (opt_verify_passphrase)
122 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
129 static int action_create(int arg __attribute__((unused)))
131 struct crypt_device *cd = NULL;
132 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
133 struct crypt_params_plain params = {
134 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
136 .offset = opt_offset,
139 char *password = NULL;
141 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
142 uint32_t activate_flags = 0;
145 if (params.hash && !strcmp(params.hash, "plain"))
148 /* FIXME: temporary hack */
149 if (opt_key_file && strcmp(opt_key_file, "-"))
152 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
153 log_std(("Ignoring keyfile offset and size options, keyfile read "
154 "size is always the same as encryption key size.\n"));
156 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
157 cipher, NULL, cipher_mode);
159 log_err("No known cipher specification pattern detected.\n");
163 if ((r = crypt_init(&cd, action_argv[1])))
166 crypt_set_timeout(cd, opt_timeout);
167 crypt_set_password_retry(cd, opt_tries);
169 r = crypt_format(cd, CRYPT_PLAIN,
178 activate_flags |= CRYPT_ACTIVATE_READONLY;
181 activate_flags |= CRYPT_ACTIVATE_SHARED;
183 if (opt_allow_discards)
184 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
187 /* With hashing, read the whole keyfile */
188 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
189 CRYPT_ANY_SLOT, opt_key_file,
190 params.hash ? 0 : key_size, 0,
193 r = crypt_get_key(_("Enter passphrase: "),
194 &password, &passwordLen,
195 opt_keyfile_offset, opt_keyfile_size,
197 _verify_passphrase(0),
202 r = crypt_activate_by_passphrase(cd, action_argv[0],
203 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
207 crypt_safe_free(password);
212 static int action_loopaesOpen(int arg __attribute__((unused)))
214 struct crypt_device *cd = NULL;
215 struct crypt_params_loopaes params = {
216 .hash = opt_hash ?: NULL,
217 .offset = opt_offset,
218 .skip = opt_skip_valid ? opt_skip : opt_offset,
220 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
221 uint32_t activate_flags = 0;
225 log_err(_("Option --key-file is required.\n"));
230 activate_flags |= CRYPT_ACTIVATE_READONLY;
232 if (opt_allow_discards)
233 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
235 if ((r = crypt_init(&cd, action_argv[0])))
238 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
239 NULL, NULL, NULL, key_size, ¶ms);
243 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
244 opt_key_file, opt_keyfile_size,
245 opt_keyfile_size, activate_flags);
252 static int action_remove(int arg __attribute__((unused)))
254 struct crypt_device *cd = NULL;
257 r = crypt_init_by_name(&cd, action_argv[0]);
259 r = crypt_deactivate(cd, action_argv[0]);
265 static int action_resize(int arg __attribute__((unused)))
267 struct crypt_device *cd = NULL;
270 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
272 r = crypt_resize(cd, action_argv[0], opt_size);
278 static int action_status(int arg __attribute__((unused)))
280 crypt_status_info ci;
281 struct crypt_active_device cad;
282 struct crypt_device *cd = NULL;
288 /* perhaps a path, not a dm device name */
289 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
292 ci = crypt_status(NULL, action_argv[0]);
299 log_std("%s is inactive.\n", action_argv[0]);
301 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
307 log_std("%s is active%s.\n", action_argv[0],
308 ci == CRYPT_BUSY ? " and is in use" : "");
310 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
311 ci == CRYPT_BUSY ? " and is in use" : "");
313 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
314 if (r < 0 || !crypt_get_type(cd))
317 log_std(" type: %s\n", crypt_get_type(cd));
319 r = crypt_get_active_device(cd, action_argv[0], &cad);
323 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
324 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
325 device = crypt_get_device_name(cd);
326 log_std(" device: %s\n", device);
327 if (crypt_loop_device(device)) {
328 backing_file = crypt_loop_backing_file(device);
329 log_std(" loop: %s\n", backing_file);
332 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
333 log_std(" size: %" PRIu64 " sectors\n", cad.size);
335 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
336 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
337 "readonly" : "read/write");
338 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
339 log_std(" flags: discards\n");
348 static int _read_mk(const char *file, char **key, int keysize)
352 *key = crypt_safe_alloc(keysize);
356 fd = open(file, O_RDONLY);
358 log_err("Cannot read keyfile %s.\n", file);
361 if ((read(fd, *key, keysize) != keysize)) {
362 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
369 crypt_safe_free(*key);
374 static int action_luksRepair(int arg __attribute__((unused)))
376 struct crypt_device *cd = NULL;
379 if ((r = crypt_init(&cd, action_argv[0])))
382 /* Currently only LUKS1 allows repair */
383 crypt_set_log_callback(cd, quiet_log, NULL);
384 r = crypt_load(cd, CRYPT_LUKS1, NULL);
385 crypt_set_log_callback(cd, tool_log, NULL);
387 log_verbose( _("No known problems detected for LUKS header.\n"));
391 r = yesDialog(_("Really try to repair LUKS device header?"),
394 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
400 static int action_luksFormat(int arg __attribute__((unused)))
402 int r = -EINVAL, keysize;
403 const char *header_device;
404 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
405 char *password = NULL;
407 struct crypt_device *cd = NULL;
408 struct crypt_params_luks1 params = {
409 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
410 .data_alignment = opt_align_payload,
411 .data_device = opt_header_device ? action_argv[0] : NULL,
414 header_device = opt_header_device ?: action_argv[0];
416 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
417 header_device) == -1) {
418 log_err(_("memory allocation error in action_luksFormat"));
422 r = yesDialog(msg, NULL) ? 0 : -EINVAL;
427 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
428 cipher, NULL, cipher_mode);
430 log_err(_("No known cipher specification pattern detected.\n"));
434 if ((r = crypt_init(&cd, header_device))) {
435 if (opt_header_device)
436 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
440 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
442 crypt_set_timeout(cd, opt_timeout);
443 if (opt_iteration_time)
444 crypt_set_iteration_time(cd, opt_iteration_time);
447 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
448 else if (opt_urandom)
449 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
451 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
452 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
453 opt_timeout, _verify_passphrase(1), cd);
457 if (opt_master_key_file) {
458 r = _read_mk(opt_master_key_file, &key, keysize);
463 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
464 opt_uuid, key, keysize, ¶ms);
468 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
470 password, passwordLen);
473 crypt_safe_free(key);
474 crypt_safe_free(password);
479 static int action_luksOpen(int arg __attribute__((unused)))
481 struct crypt_device *cd = NULL;
482 const char *data_device, *header_device, *activated_name;
487 if (opt_header_device) {
488 header_device = uuid_or_device(opt_header_device);
489 data_device = action_argv[0];
491 header_device = uuid_or_device(action_argv[0]);
495 activated_name = opt_test_passphrase ? NULL : action_argv[1];
497 if ((r = crypt_init(&cd, header_device)))
500 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
504 (r = crypt_set_data_device(cd, data_device)))
507 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
508 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
513 crypt_set_timeout(cd, opt_timeout);
514 crypt_set_password_retry(cd, opt_tries);
515 crypt_set_password_verify(cd, _verify_passphrase(0));
517 if (opt_iteration_time)
518 crypt_set_iteration_time(cd, opt_iteration_time);
521 flags |= CRYPT_ACTIVATE_READONLY;
523 if (opt_allow_discards)
524 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
526 if (opt_master_key_file) {
527 keysize = crypt_get_volume_key_size(cd);
528 r = _read_mk(opt_master_key_file, &key, keysize);
531 r = crypt_activate_by_volume_key(cd, activated_name,
532 key, keysize, flags);
533 } else if (opt_key_file) {
534 crypt_set_password_retry(cd, 1);
535 r = crypt_activate_by_keyfile_offset(cd, activated_name,
536 opt_key_slot, opt_key_file, opt_keyfile_size,
537 opt_keyfile_offset, flags);
539 r = crypt_activate_by_passphrase(cd, activated_name,
540 opt_key_slot, NULL, 0, flags);
542 crypt_safe_free(key);
547 static int verify_keyslot(struct crypt_device *cd, int key_slot,
548 char *msg_last, char *msg_pass,
549 const char *key_file, int keyfile_offset,
552 crypt_keyslot_info ki;
553 char *password = NULL;
557 ki = crypt_keyslot_status(cd, key_slot);
558 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !yesDialog(msg_last, NULL))
561 r = crypt_get_key(msg_pass, &password, &passwordLen,
562 keyfile_offset, keyfile_size, key_file, opt_timeout,
563 _verify_passphrase(0), cd);
567 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
568 /* check the last keyslot */
569 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
570 password, passwordLen, 0);
572 /* try all other keyslots */
573 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
576 ki = crypt_keyslot_status(cd, key_slot);
577 if (ki == CRYPT_SLOT_ACTIVE)
578 r = crypt_activate_by_passphrase(cd, NULL, i,
579 password, passwordLen, 0);
586 log_err(_("No key available with this passphrase.\n"));
588 crypt_safe_free(password);
592 static int action_luksKillSlot(int arg __attribute__((unused)))
594 struct crypt_device *cd = NULL;
597 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
600 crypt_set_confirm_callback(cd, yesDialog, NULL);
601 crypt_set_timeout(cd, opt_timeout);
603 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
606 switch (crypt_keyslot_status(cd, opt_key_slot)) {
607 case CRYPT_SLOT_ACTIVE_LAST:
608 case CRYPT_SLOT_ACTIVE:
609 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
611 case CRYPT_SLOT_INACTIVE:
612 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
613 case CRYPT_SLOT_INVALID:
618 if (!opt_batch_mode) {
619 r = verify_keyslot(cd, opt_key_slot,
620 _("This is the last keyslot. Device will become unusable after purging this key."),
621 _("Enter any remaining LUKS passphrase: "),
622 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
627 r = crypt_keyslot_destroy(cd, opt_key_slot);
633 static int action_luksRemoveKey(int arg __attribute__((unused)))
635 struct crypt_device *cd = NULL;
636 char *password = NULL;
640 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
643 crypt_set_confirm_callback(cd, yesDialog, NULL);
644 crypt_set_timeout(cd, opt_timeout);
646 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
649 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
650 &password, &passwordLen,
651 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
653 _verify_passphrase(0),
658 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
659 password, passwordLen, 0);
664 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
666 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
667 !yesDialog(_("This is the last keyslot. "
668 "Device will become unusable after purging this key."),
674 r = crypt_keyslot_destroy(cd, opt_key_slot);
676 crypt_safe_free(password);
681 static int action_luksAddKey(int arg __attribute__((unused)))
683 int r = -EINVAL, keysize = 0;
685 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
686 struct crypt_device *cd = NULL;
688 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
691 crypt_set_confirm_callback(cd, yesDialog, NULL);
693 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
696 keysize = crypt_get_volume_key_size(cd);
697 /* FIXME: lib cannot properly set verification for new/old passphrase */
698 crypt_set_password_verify(cd, _verify_passphrase(0));
699 crypt_set_timeout(cd, opt_timeout);
700 if (opt_iteration_time)
701 crypt_set_iteration_time(cd, opt_iteration_time);
703 if (opt_master_key_file) {
704 r = _read_mk(opt_master_key_file, &key, keysize);
707 //FIXME: process keyfile arg
708 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
709 key, keysize, NULL, 0);
710 } else if (opt_key_file || opt_new_key_file) {
711 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
712 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
713 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
715 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
720 crypt_safe_free(key);
724 static int _slots_full(struct crypt_device *cd)
728 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
729 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
734 static int action_luksChangeKey(int arg __attribute__((unused)))
736 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
737 struct crypt_device *cd = NULL;
738 char *vk = NULL, *password = NULL;
739 size_t passwordLen = 0;
741 int new_key_slot, old_key_slot, r;
743 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
746 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
749 if (opt_iteration_time)
750 crypt_set_iteration_time(cd, opt_iteration_time);
752 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
753 &password, &passwordLen,
754 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
755 opt_timeout, _verify_passphrase(0), cd);
759 vk_size = crypt_get_volume_key_size(cd);
760 vk = crypt_safe_alloc(vk_size);
766 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
767 password, passwordLen);
769 if (opt_key_slot != CRYPT_ANY_SLOT)
770 log_err(_("No key available with this passphrase.\n"));
774 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
775 log_dbg("Key slot %d is going to be overwritten (%s).",
776 r, opt_key_slot != CRYPT_ANY_SLOT ?
777 "explicit key slot specified" : "no free key slot");
781 log_dbg("Allocating new key slot.");
783 new_key_slot = CRYPT_ANY_SLOT;
786 crypt_safe_free(password);
789 r = crypt_get_key(_("Enter new LUKS passphrase: "),
790 &password, &passwordLen,
791 opt_new_keyfile_offset, opt_new_keyfile_size,
793 opt_timeout, _verify_passphrase(0), cd);
797 if (new_key_slot == old_key_slot) {
798 (void)crypt_keyslot_destroy(cd, old_key_slot);
799 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
801 password, passwordLen);
803 log_verbose(_("Key slot %d changed.\n"), r);
805 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
807 password, passwordLen);
809 log_verbose(_("Replaced with key slot %d.\n"), r);
810 r = crypt_keyslot_destroy(cd, old_key_slot);
814 log_err(_("Failed to swap new key slot.\n"));
817 crypt_safe_free(password);
822 static int action_isLuks(int arg __attribute__((unused)))
824 struct crypt_device *cd = NULL;
827 if ((r = crypt_init(&cd, action_argv[0])))
830 crypt_set_log_callback(cd, quiet_log, NULL);
831 r = crypt_load(cd, CRYPT_LUKS1, NULL);
837 static int action_luksUUID(int arg __attribute__((unused)))
839 struct crypt_device *cd = NULL;
840 const char *existing_uuid = NULL;
843 if ((r = crypt_init(&cd, action_argv[0])))
846 crypt_set_confirm_callback(cd, yesDialog, NULL);
848 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
852 r = crypt_set_uuid(cd, opt_uuid);
854 existing_uuid = crypt_get_uuid(cd);
855 log_std("%s\n", existing_uuid ?: "");
856 r = existing_uuid ? 0 : 1;
863 static int luksDump_with_volume_key(struct crypt_device *cd)
865 char *vk = NULL, *password = NULL;
866 size_t passwordLen = 0;
871 crypt_set_confirm_callback(cd, yesDialog, NULL);
873 _("LUKS header dump with volume key is sensitive information\n"
874 "which allows access to encrypted partition without passphrase.\n"
875 "This dump should be always stored encrypted on safe place."),
879 vk_size = crypt_get_volume_key_size(cd);
880 vk = crypt_safe_alloc(vk_size);
884 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
885 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
890 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
891 password, passwordLen);
895 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
896 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
897 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
898 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
899 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
900 log_std("MK bits: \t%d\n", (int)vk_size * 8);
901 log_std("MK dump:\t");
903 for(i = 0; i < vk_size; i++) {
906 log_std("%02hhx ", (char)vk[i]);
911 crypt_safe_free(password);
916 static int action_luksDump(int arg __attribute__((unused)))
918 struct crypt_device *cd = NULL;
921 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
924 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
927 if (opt_dump_master_key)
928 r = luksDump_with_volume_key(cd);
936 static int action_luksSuspend(int arg __attribute__((unused)))
938 struct crypt_device *cd = NULL;
941 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
943 r = crypt_suspend(cd, action_argv[0]);
949 static int action_luksResume(int arg __attribute__((unused)))
951 struct crypt_device *cd = NULL;
954 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
957 crypt_set_timeout(cd, opt_timeout);
958 crypt_set_password_retry(cd, opt_tries);
959 crypt_set_password_verify(cd, _verify_passphrase(0));
962 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
963 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
965 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
972 static int action_luksBackup(int arg __attribute__((unused)))
974 struct crypt_device *cd = NULL;
977 if (!opt_header_backup_file) {
978 log_err(_("Option --header-backup-file is required.\n"));
982 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
985 crypt_set_confirm_callback(cd, yesDialog, NULL);
987 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
993 static int action_luksRestore(int arg __attribute__((unused)))
995 struct crypt_device *cd = NULL;
998 if (!opt_header_backup_file) {
999 log_err(_("Option --header-backup-file is required.\n"));
1003 if ((r = crypt_init(&cd, action_argv[0])))
1006 crypt_set_confirm_callback(cd, yesDialog, NULL);
1007 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1013 static void help(poptContext popt_context,
1014 enum poptCallbackReason reason __attribute__((unused)),
1015 struct poptOption *key,
1016 const char *arg __attribute__((unused)),
1017 void *data __attribute__((unused)))
1019 if (key->shortName == '?') {
1020 struct action_type *action;
1022 log_std("%s\n",PACKAGE_STRING);
1024 poptPrintHelp(popt_context, stdout, 0);
1027 "<action> is one of:\n"));
1029 for(action = action_types; action->type; action++)
1030 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1033 "<name> is the device to create under %s\n"
1034 "<device> is the encrypted device\n"
1035 "<key slot> is the LUKS key slot number to modify\n"
1036 "<key file> optional key file for the new key for luksAddKey action\n"),
1039 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1040 "\tMaximum keyfile size: %dkB, "
1041 "Maximum interactive passphrase length %d (characters)\n"),
1042 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1044 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1045 "\tloop-AES: %s, Key %d bits\n"
1046 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1047 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1048 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1049 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1050 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1054 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1057 static int run_action(struct action_type *action)
1061 log_dbg("Running command %s.", action->type);
1063 if (action->required_memlock)
1064 crypt_memory_lock(NULL, 1);
1066 r = action->handler(action->arg);
1068 if (action->required_memlock)
1069 crypt_memory_lock(NULL, 0);
1071 /* Some functions returns keyslot # */
1076 return translate_errno(r);
1079 int main(int argc, const char **argv)
1081 static char *popt_tmp;
1082 static struct poptOption popt_help_options[] = {
1083 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1084 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1085 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1088 static struct poptOption popt_options[] = {
1089 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1090 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1091 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1092 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1093 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1094 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1095 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1096 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1097 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1098 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1099 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1100 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1101 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1102 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1103 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1104 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1105 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1106 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1107 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1108 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1109 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1110 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1111 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1112 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1113 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1114 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1115 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1116 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1117 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1118 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1119 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1120 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1121 { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
1124 poptContext popt_context;
1125 struct action_type *action;
1128 const char *null_action_argv[] = {NULL};
1130 crypt_set_log_callback(NULL, tool_log, NULL);
1132 setlocale(LC_ALL, "");
1133 bindtextdomain(PACKAGE, LOCALEDIR);
1134 textdomain(PACKAGE);
1136 crypt_fips_self_check(NULL);
1138 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1139 poptSetOtherOptionHelp(popt_context,
1140 _("[OPTION...] <action> <action-specific>"));
1142 while((r = poptGetNextOpt(popt_context)) > 0) {
1143 unsigned long long ull_value;
1147 ull_value = strtoull(popt_tmp, &endp, 0);
1148 if (*endp || !*popt_tmp ||
1149 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1150 (errno != 0 && ull_value == 0))
1151 r = POPT_ERROR_BADNUMBER;
1155 opt_size = ull_value;
1158 opt_offset = ull_value;
1161 opt_skip = ull_value;
1171 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1172 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1173 if (opt_version_mode) {
1174 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1175 poptFreeContext(popt_context);
1179 if (!(aname = poptGetArg(popt_context)))
1180 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1181 poptGetInvocationName(popt_context));
1182 for(action = action_types; action->type; action++)
1183 if (strcmp(action->type, aname) == 0)
1186 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1187 poptGetInvocationName(popt_context));
1190 action_argv = poptGetArgs(popt_context);
1191 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1193 action_argv = null_action_argv;
1195 /* Count args, somewhat unnice, change? */
1196 while(action_argv[action_argc] != NULL)
1199 if(action_argc < action->required_action_argc) {
1201 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1202 usage(popt_context, EXIT_FAILURE, buf,
1203 poptGetInvocationName(popt_context));
1206 /* FIXME: rewrite this from scratch */
1208 if (opt_shared && strcmp(aname, "create"))
1209 usage(popt_context, EXIT_FAILURE,
1210 _("Option --shared is allowed only for create operation.\n"),
1211 poptGetInvocationName(popt_context));
1213 if (opt_allow_discards &&
1214 strcmp(aname, "luksOpen") &&
1215 strcmp(aname, "create") &&
1216 strcmp(aname, "loopaesOpen"))
1217 usage(popt_context, EXIT_FAILURE,
1218 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1219 poptGetInvocationName(popt_context));
1222 strcmp(aname, "luksFormat") &&
1223 strcmp(aname, "create") &&
1224 strcmp(aname, "loopaesOpen"))
1225 usage(popt_context, EXIT_FAILURE,
1226 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1227 "To limit read from keyfile use --keyfile-size=(bytes)."),
1228 poptGetInvocationName(popt_context));
1230 if (opt_test_passphrase &&
1231 strcmp(aname, "luksOpen"))
1232 usage(popt_context, EXIT_FAILURE,
1233 _("Option --test-passphrase is allowed only for luksOpen.\n"),
1234 poptGetInvocationName(popt_context));
1236 if (opt_key_size % 8)
1237 usage(popt_context, EXIT_FAILURE,
1238 _("Key size must be a multiple of 8 bits"),
1239 poptGetInvocationName(popt_context));
1241 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1242 opt_key_slot = atoi(action_argv[1]);
1243 if (opt_key_slot != CRYPT_ANY_SLOT &&
1244 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1245 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1246 poptGetInvocationName(popt_context));
1248 if ((!strcmp(aname, "luksRemoveKey") ||
1249 !strcmp(aname, "luksFormat")) &&
1252 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1254 opt_key_file = action_argv[1];
1257 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1258 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0)
1259 usage(popt_context, EXIT_FAILURE,
1260 _("Negative number for option not permitted."),
1261 poptGetInvocationName(popt_context));
1263 if (opt_random && opt_urandom)
1264 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1265 poptGetInvocationName(popt_context));
1267 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1268 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1269 poptGetInvocationName(popt_context));
1271 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1272 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1273 poptGetInvocationName(popt_context));
1275 if (opt_align_payload && strcmp(aname, "luksFormat"))
1276 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1277 poptGetInvocationName(popt_context));
1279 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1280 usage(popt_context, EXIT_FAILURE,
1281 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1282 poptGetInvocationName(popt_context));
1284 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1285 usage(popt_context, EXIT_FAILURE,
1286 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1287 poptGetInvocationName(popt_context));
1291 crypt_set_debug_level(-1);
1292 dbg_version_and_cmd(argc, argv);
1295 r = run_action(action);
1296 poptFreeContext(popt_context);