2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
34 #include <libcryptsetup.h>
37 #include "cryptsetup.h"
39 static int opt_verbose = 0;
40 static int opt_debug = 0;
41 static const char *opt_cipher = NULL;
42 static const char *opt_hash = NULL;
43 static int opt_verify_passphrase = 0;
44 static const char *opt_key_file = NULL;
45 static const char *opt_master_key_file = NULL;
46 static const char *opt_header_backup_file = NULL;
47 static const char *opt_uuid = NULL;
48 static const char *opt_header_device = NULL;
49 static int opt_key_size = 0;
50 static long opt_keyfile_size = 0;
51 static long opt_new_keyfile_size = 0;
52 static int opt_key_slot = CRYPT_ANY_SLOT;
53 static uint64_t opt_size = 0;
54 static uint64_t opt_offset = 0;
55 static uint64_t opt_skip = 0;
56 static int opt_skip_valid = 0;
57 static int opt_readonly = 0;
58 static int opt_iteration_time = 1000;
59 static int opt_batch_mode = 0;
60 static int opt_version_mode = 0;
61 static int opt_timeout = 0;
62 static int opt_tries = 3;
63 static int opt_align_payload = 0;
64 static int opt_random = 0;
65 static int opt_urandom = 0;
66 static int opt_dump_master_key = 0;
67 static int opt_shared = 0;
68 static int opt_allow_discards = 0;
70 static const char **action_argv;
71 static int action_argc;
73 static int action_create(int arg);
74 static int action_remove(int arg);
75 static int action_resize(int arg);
76 static int action_status(int arg);
77 static int action_luksFormat(int arg);
78 static int action_luksOpen(int arg);
79 static int action_luksAddKey(int arg);
80 static int action_luksKillSlot(int arg);
81 static int action_luksRemoveKey(int arg);
82 static int action_luksChangeKey(int arg);
83 static int action_isLuks(int arg);
84 static int action_luksUUID(int arg);
85 static int action_luksDump(int arg);
86 static int action_luksSuspend(int arg);
87 static int action_luksResume(int arg);
88 static int action_luksBackup(int arg);
89 static int action_luksRestore(int arg);
90 static int action_loopaesOpen(int arg);
92 static struct action_type {
96 int required_action_argc;
101 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
102 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
103 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
104 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
105 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
106 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
107 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
108 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
109 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
110 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
111 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
112 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
113 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
114 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
115 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
116 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
117 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
118 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
119 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
120 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
121 { NULL, NULL, 0, 0, 0, NULL, NULL }
124 __attribute__((format(printf, 5, 6)))
125 static void clogger(struct crypt_device *cd, int level, const char *file,
126 int line, const char *format, ...)
131 va_start(argp, format);
133 if (vasprintf(&target, format, argp) > 0) {
135 crypt_log(cd, level, target);
137 } else if (opt_debug)
138 printf("# %s:%d %s\n", file ?: "?", line, target);
140 } else if (opt_debug)
141 printf("# %s\n", target);
149 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
155 if(isatty(0) && !opt_batch_mode) {
156 log_std("\nWARNING!\n========\n");
157 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
158 if(getline(&answer, &size, stdin) == -1) {
163 if(strcmp(answer, "YES\n"))
171 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
175 case CRYPT_LOG_NORMAL:
178 case CRYPT_LOG_VERBOSE:
182 case CRYPT_LOG_ERROR:
185 case CRYPT_LOG_DEBUG:
187 printf("# %s\n", msg);
190 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
195 static void _quiet_log(int level, const char *msg, void *usrptr)
197 if (!opt_verbose && (level == CRYPT_LOG_ERROR || level == CRYPT_LOG_NORMAL))
198 level = CRYPT_LOG_VERBOSE;
199 _log(level, msg, usrptr);
202 static void show_status(int errcode)
204 char error[256], *error_;
210 log_std(_("Command successful.\n"));
214 crypt_get_error(error, sizeof(error));
217 error_ = strerror_r(-errcode, error, sizeof(error));
218 if (error_ != error) {
219 strncpy(error, error_, sizeof(error));
220 error[sizeof(error) - 1] = '\0';
224 log_err(_("Command failed with code %i"), -errcode);
226 log_err(": %s\n", error);
231 static int action_create(int arg __attribute__((unused)))
233 struct crypt_device *cd = NULL;
234 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
235 struct crypt_params_plain params = {
236 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
238 .offset = opt_offset,
241 char *password = NULL;
243 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
244 uint32_t activate_flags = 0;
247 if (params.hash && !strcmp(params.hash, "plain"))
250 /* FIXME: temporary hack */
251 if (opt_key_file && strcmp(opt_key_file, "-"))
254 if (opt_keyfile_size && opt_key_file)
255 log_std(("Ignoring keyfile size option, keyfile read size "
256 "is always the same as encryption key size.\n"));
258 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
259 cipher, NULL, cipher_mode);
261 log_err("No known cipher specification pattern detected.\n");
265 if ((r = crypt_init(&cd, action_argv[1])))
268 crypt_set_timeout(cd, opt_timeout);
269 crypt_set_password_retry(cd, opt_tries);
271 r = crypt_format(cd, CRYPT_PLAIN,
280 activate_flags |= CRYPT_ACTIVATE_READONLY;
283 activate_flags |= CRYPT_ACTIVATE_SHARED;
285 if (opt_allow_discards)
286 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
289 /* With hashing, read the whole keyfile */
290 r = crypt_activate_by_keyfile(cd, action_argv[0],
291 CRYPT_ANY_SLOT, opt_key_file, params.hash ? 0 : key_size,
294 r = crypt_get_key(_("Enter passphrase: "),
295 &password, &passwordLen, opt_keyfile_size,
297 opt_batch_mode ? 0 : opt_verify_passphrase,
302 r = crypt_activate_by_passphrase(cd, action_argv[0],
303 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
307 crypt_safe_free(password);
312 static int action_loopaesOpen(int arg __attribute__((unused)))
314 struct crypt_device *cd = NULL;
315 struct crypt_params_loopaes params = {
316 .hash = opt_hash ?: NULL,
317 .offset = opt_offset,
318 .skip = opt_skip_valid ? opt_skip : opt_offset,
320 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
321 uint32_t activate_flags = 0;
325 log_err(_("Option --key-file is required.\n"));
330 activate_flags |= CRYPT_ACTIVATE_READONLY;
332 if (opt_allow_discards)
333 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
335 if ((r = crypt_init(&cd, action_argv[0])))
338 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
339 NULL, NULL, NULL, key_size, ¶ms);
343 r = crypt_activate_by_keyfile(cd, action_argv[1], CRYPT_ANY_SLOT,
344 opt_key_file, opt_keyfile_size, activate_flags);
351 static int action_remove(int arg __attribute__((unused)))
353 struct crypt_device *cd = NULL;
356 r = crypt_init_by_name(&cd, action_argv[0]);
358 r = crypt_deactivate(cd, action_argv[0]);
364 static int action_resize(int arg __attribute__((unused)))
366 struct crypt_device *cd = NULL;
369 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
371 r = crypt_resize(cd, action_argv[0], opt_size);
377 static int action_status(int arg __attribute__((unused)))
379 crypt_status_info ci;
380 struct crypt_active_device cad;
381 struct crypt_device *cd = NULL;
387 /* perhaps a path, not a dm device name */
388 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
391 ci = crypt_status(NULL, action_argv[0]);
398 log_std("%s is inactive.\n", action_argv[0]);
400 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
406 log_std("%s is active%s.\n", action_argv[0],
407 ci == CRYPT_BUSY ? " and is in use" : "");
409 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
410 ci == CRYPT_BUSY ? " and is in use" : "");
412 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
413 if (r < 0 || !crypt_get_type(cd))
416 log_std(" type: %s\n", crypt_get_type(cd));
418 r = crypt_get_active_device(cd, action_argv[0], &cad);
422 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
423 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
424 device = crypt_get_device_name(cd);
425 log_std(" device: %s\n", device);
426 if (crypt_loop_device(device)) {
427 backing_file = crypt_loop_backing_file(device);
428 log_std(" loop: %s\n", backing_file);
431 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
432 log_std(" size: %" PRIu64 " sectors\n", cad.size);
434 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
435 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
436 "readonly" : "read/write");
437 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
438 log_std(" flags: discards\n");
445 static int _read_mk(const char *file, char **key, int keysize)
449 *key = crypt_safe_alloc(keysize);
453 fd = open(file, O_RDONLY);
455 log_err("Cannot read keyfile %s.\n", file);
458 if ((read(fd, *key, keysize) != keysize)) {
459 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
466 crypt_safe_free(*key);
471 static int action_luksFormat(int arg __attribute__((unused)))
473 int r = -EINVAL, keysize;
474 const char *header_device;
475 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
476 char *password = NULL;
478 struct crypt_device *cd = NULL;
479 struct crypt_params_luks1 params = {
480 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
481 .data_alignment = opt_align_payload,
482 .data_device = opt_header_device ? action_argv[0] : NULL,
485 header_device = opt_header_device ?: action_argv[0];
487 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
488 header_device) == -1) {
489 log_err(_("memory allocation error in action_luksFormat"));
493 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
498 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
499 cipher, NULL, cipher_mode);
501 log_err(_("No known cipher specification pattern detected.\n"));
505 if ((r = crypt_init(&cd, header_device))) {
506 if (opt_header_device)
507 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
511 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
513 crypt_set_password_verify(cd, 1);
514 crypt_set_timeout(cd, opt_timeout);
515 if (opt_iteration_time)
516 crypt_set_iteration_time(cd, opt_iteration_time);
519 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
520 else if (opt_urandom)
521 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
523 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
524 opt_keyfile_size, opt_key_file, opt_timeout,
525 opt_batch_mode ? 0 : 1 /* always verify */, cd);
529 if (opt_master_key_file) {
530 r = _read_mk(opt_master_key_file, &key, keysize);
535 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
536 opt_uuid, key, keysize, ¶ms);
540 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
542 password, passwordLen);
545 crypt_safe_free(key);
546 crypt_safe_free(password);
551 static int action_luksOpen(int arg __attribute__((unused)))
553 struct crypt_device *cd = NULL;
554 const char *data_device, *header_device;
558 if (opt_header_device) {
559 header_device = opt_header_device;
560 data_device = action_argv[0];
562 header_device = action_argv[0];
566 if ((r = crypt_init(&cd, header_device)))
569 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
573 (r = crypt_set_data_device(cd, data_device)))
576 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
577 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
582 crypt_set_timeout(cd, opt_timeout);
583 crypt_set_password_retry(cd, opt_tries);
585 if (opt_iteration_time)
586 crypt_set_iteration_time(cd, opt_iteration_time);
589 flags |= CRYPT_ACTIVATE_READONLY;
591 if (opt_allow_discards)
592 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
595 crypt_set_password_retry(cd, 1);
596 r = crypt_activate_by_keyfile(cd, action_argv[1],
597 opt_key_slot, opt_key_file, opt_keyfile_size,
600 r = crypt_activate_by_passphrase(cd, action_argv[1],
601 opt_key_slot, NULL, 0, flags);
607 static int verify_keyslot(struct crypt_device *cd, int key_slot,
608 char *msg_last, char *msg_pass,
609 const char *key_file, int keyfile_size)
611 crypt_keyslot_info ki;
612 char *password = NULL;
616 ki = crypt_keyslot_status(cd, key_slot);
617 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
620 r = crypt_get_key(msg_pass, &password, &passwordLen,
621 keyfile_size, key_file, opt_timeout,
622 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
626 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
627 /* check the last keyslot */
628 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
629 password, passwordLen, 0);
631 /* try all other keyslots */
632 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
635 ki = crypt_keyslot_status(cd, key_slot);
636 if (ki == CRYPT_SLOT_ACTIVE)
637 r = crypt_activate_by_passphrase(cd, NULL, i,
638 password, passwordLen, 0);
645 log_err(_("No key available with this passphrase.\n"));
647 crypt_safe_free(password);
651 static int action_luksKillSlot(int arg __attribute__((unused)))
653 struct crypt_device *cd = NULL;
656 if ((r = crypt_init(&cd, action_argv[0])))
659 crypt_set_confirm_callback(cd, _yesDialog, NULL);
660 crypt_set_timeout(cd, opt_timeout);
662 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
665 switch (crypt_keyslot_status(cd, opt_key_slot)) {
666 case CRYPT_SLOT_ACTIVE_LAST:
667 case CRYPT_SLOT_ACTIVE:
668 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
670 case CRYPT_SLOT_INACTIVE:
671 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
672 case CRYPT_SLOT_INVALID:
677 if (!opt_batch_mode) {
678 r = verify_keyslot(cd, opt_key_slot,
679 _("This is the last keyslot. Device will become unusable after purging this key."),
680 _("Enter any remaining LUKS passphrase: "),
681 opt_key_file, opt_keyfile_size);
686 r = crypt_keyslot_destroy(cd, opt_key_slot);
692 static int action_luksRemoveKey(int arg __attribute__((unused)))
694 struct crypt_device *cd = NULL;
695 char *password = NULL;
699 if ((r = crypt_init(&cd, action_argv[0])))
702 crypt_set_confirm_callback(cd, _yesDialog, NULL);
703 crypt_set_timeout(cd, opt_timeout);
705 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
708 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
709 &password, &passwordLen,
710 opt_keyfile_size, opt_key_file,
712 opt_batch_mode ? 0 : opt_verify_passphrase,
717 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
718 password, passwordLen, 0);
723 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
725 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
726 !_yesDialog(_("This is the last keyslot. "
727 "Device will become unusable after purging this key."),
733 r = crypt_keyslot_destroy(cd, opt_key_slot);
735 crypt_safe_free(password);
740 static int action_luksAddKey(int arg __attribute__((unused)))
742 int r = -EINVAL, keysize = 0;
744 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
745 struct crypt_device *cd = NULL;
747 if ((r = crypt_init(&cd, action_argv[0])))
750 crypt_set_confirm_callback(cd, _yesDialog, NULL);
752 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
755 keysize = crypt_get_volume_key_size(cd);
756 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
757 crypt_set_timeout(cd, opt_timeout);
758 if (opt_iteration_time)
759 crypt_set_iteration_time(cd, opt_iteration_time);
761 if (opt_master_key_file) {
762 r = _read_mk(opt_master_key_file, &key, keysize);
765 //FIXME: process keyfile arg
766 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
767 key, keysize, NULL, 0);
768 } else if (opt_key_file || opt_new_key_file) {
769 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
770 opt_key_file, opt_keyfile_size,
771 opt_new_key_file, opt_new_keyfile_size);
773 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
778 crypt_safe_free(key);
782 static int _slots_full(struct crypt_device *cd)
786 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
787 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
792 static int action_luksChangeKey(int arg __attribute__((unused)))
794 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
795 struct crypt_device *cd = NULL;
796 char *vk = NULL, *password = NULL;
797 size_t passwordLen = 0;
799 int new_key_slot, old_key_slot, r;
801 if ((r = crypt_init(&cd, action_argv[0])))
804 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
807 if (opt_iteration_time)
808 crypt_set_iteration_time(cd, opt_iteration_time);
810 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
811 &password, &passwordLen,
812 opt_keyfile_size, opt_key_file, opt_timeout,
813 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
817 vk_size = crypt_get_volume_key_size(cd);
818 vk = crypt_safe_alloc(vk_size);
824 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
825 password, passwordLen);
827 if (opt_key_slot != CRYPT_ANY_SLOT)
828 log_err(_("No key available with this passphrase.\n"));
832 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
833 log_dbg("Key slot %d is going to be overwritten (%s).",
834 r, opt_key_slot != CRYPT_ANY_SLOT ?
835 "explicit key slot specified" : "no free key slot");
839 log_dbg("Allocating new key slot.");
841 new_key_slot = CRYPT_ANY_SLOT;
844 crypt_safe_free(password);
847 r = crypt_get_key(_("Enter new LUKS passphrase: "),
848 &password, &passwordLen,
849 opt_new_keyfile_size, opt_new_key_file,
850 opt_timeout, opt_batch_mode ? 0 : 1, cd);
854 if (new_key_slot == old_key_slot) {
855 (void)crypt_keyslot_destroy(cd, old_key_slot);
856 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
858 password, passwordLen);
860 log_verbose(_("Key slot %d changed.\n"), r);
862 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
864 password, passwordLen);
866 log_verbose(_("Replaced with key slot %d.\n"), r);
867 r = crypt_keyslot_destroy(cd, old_key_slot);
871 log_err(_("Failed to swap new key slot.\n"));
874 crypt_safe_free(password);
879 static int action_isLuks(int arg __attribute__((unused)))
881 struct crypt_device *cd = NULL;
884 if ((r = crypt_init(&cd, action_argv[0])))
887 crypt_set_log_callback(cd, _quiet_log, NULL);
888 r = crypt_load(cd, CRYPT_LUKS1, NULL);
894 static int action_luksUUID(int arg __attribute__((unused)))
896 struct crypt_device *cd = NULL;
897 const char *existing_uuid = NULL;
900 if ((r = crypt_init(&cd, action_argv[0])))
903 crypt_set_confirm_callback(cd, _yesDialog, NULL);
905 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
909 r = crypt_set_uuid(cd, opt_uuid);
911 existing_uuid = crypt_get_uuid(cd);
912 log_std("%s\n", existing_uuid ?: "");
913 r = existing_uuid ? 0 : 1;
920 static int luksDump_with_volume_key(struct crypt_device *cd)
922 char *vk = NULL, *password = NULL;
923 size_t passwordLen = 0;
928 crypt_set_confirm_callback(cd, _yesDialog, NULL);
930 _("LUKS header dump with volume key is sensitive information\n"
931 "which allows access to encrypted partition without passphrase.\n"
932 "This dump should be always stored encrypted on safe place."),
936 vk_size = crypt_get_volume_key_size(cd);
937 vk = crypt_safe_alloc(vk_size);
941 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
942 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
946 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
947 password, passwordLen);
951 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
952 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
953 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
954 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
955 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
956 log_std("MK bits: \t%d\n", (int)vk_size * 8);
957 log_std("MK dump:\t");
959 for(i = 0; i < vk_size; i++) {
962 log_std("%02hhx ", (char)vk[i]);
967 crypt_safe_free(password);
972 static int action_luksDump(int arg __attribute__((unused)))
974 struct crypt_device *cd = NULL;
977 if ((r = crypt_init(&cd, action_argv[0])))
980 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
983 if (opt_dump_master_key)
984 r = luksDump_with_volume_key(cd);
992 static int action_luksSuspend(int arg __attribute__((unused)))
994 struct crypt_device *cd = NULL;
997 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
999 r = crypt_suspend(cd, action_argv[0]);
1005 static int action_luksResume(int arg __attribute__((unused)))
1007 struct crypt_device *cd = NULL;
1010 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1013 crypt_set_timeout(cd, opt_timeout);
1014 crypt_set_password_retry(cd, opt_tries);
1017 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
1018 opt_key_file, opt_keyfile_size);
1020 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1027 static int action_luksBackup(int arg __attribute__((unused)))
1029 struct crypt_device *cd = NULL;
1032 if (!opt_header_backup_file) {
1033 log_err(_("Option --header-backup-file is required.\n"));
1037 if ((r = crypt_init(&cd, action_argv[0])))
1040 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1042 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1048 static int action_luksRestore(int arg __attribute__((unused)))
1050 struct crypt_device *cd = NULL;
1053 if (!opt_header_backup_file) {
1054 log_err(_("Option --header-backup-file is required.\n"));
1058 if ((r = crypt_init(&cd, action_argv[0])))
1061 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1062 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1068 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1069 int exitcode, const char *error,
1072 poptPrintUsage(popt_context, stderr, 0);
1074 log_err("%s: %s\n", more, error);
1075 poptFreeContext(popt_context);
1079 static void help(poptContext popt_context,
1080 enum poptCallbackReason reason __attribute__((unused)),
1081 struct poptOption *key,
1082 const char *arg __attribute__((unused)),
1083 void *data __attribute__((unused)))
1085 if (key->shortName == '?') {
1086 struct action_type *action;
1088 log_std("%s\n",PACKAGE_STRING);
1090 poptPrintHelp(popt_context, stdout, 0);
1093 "<action> is one of:\n"));
1095 for(action = action_types; action->type; action++)
1096 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1099 "<name> is the device to create under %s\n"
1100 "<device> is the encrypted device\n"
1101 "<key slot> is the LUKS key slot number to modify\n"
1102 "<key file> optional key file for the new key for luksAddKey action\n"),
1105 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1106 "\tMaximum keyfile size: %dkB, "
1107 "Maximum interactive passphrase length %d (characters)\n"),
1108 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1110 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1111 "\tloop-AES: %s, Key %d bits\n"
1112 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1113 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1114 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1115 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1116 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1120 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1123 static void _dbg_version_and_cmd(int argc, const char **argv)
1127 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1128 for (i = 0; i < argc; i++) {
1131 log_std("%s", argv[i]);
1136 static int run_action(struct action_type *action)
1140 log_dbg("Running command %s.", action->type);
1142 if (action->required_memlock)
1143 crypt_memory_lock(NULL, 1);
1145 r = action->handler(action->arg);
1147 if (action->required_memlock)
1148 crypt_memory_lock(NULL, 0);
1150 /* Some functions returns keyslot # */
1156 /* Translate exit code to simple codes */
1158 case 0: r = EXIT_SUCCESS; break;
1160 case -EBUSY: r = 5; break;
1162 case -ENODEV: r = 4; break;
1163 case -ENOMEM: r = 3; break;
1164 case -EPERM: r = 2; break;
1168 default: r = EXIT_FAILURE;
1173 int main(int argc, const char **argv)
1175 static char *popt_tmp;
1176 static struct poptOption popt_help_options[] = {
1177 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1178 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1179 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1182 static struct poptOption popt_options[] = {
1183 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1184 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1185 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1186 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1187 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1188 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1189 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1190 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1191 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1192 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1193 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1194 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1195 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1196 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1197 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1198 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1199 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1200 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1201 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1202 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1203 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1204 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1205 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1206 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1207 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1208 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1209 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1210 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1211 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1212 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1215 poptContext popt_context;
1216 struct action_type *action;
1219 const char *null_action_argv[] = {NULL};
1221 crypt_set_log_callback(NULL, _log, NULL);
1223 setlocale(LC_ALL, "");
1224 bindtextdomain(PACKAGE, LOCALEDIR);
1225 textdomain(PACKAGE);
1227 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1228 poptSetOtherOptionHelp(popt_context,
1229 N_("[OPTION...] <action> <action-specific>]"));
1231 while((r = poptGetNextOpt(popt_context)) > 0) {
1232 unsigned long long ull_value;
1236 ull_value = strtoull(popt_tmp, &endp, 0);
1237 if (*endp || !*popt_tmp ||
1238 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1239 (errno != 0 && ull_value == 0))
1240 r = POPT_ERROR_BADNUMBER;
1244 opt_size = ull_value;
1247 opt_offset = ull_value;
1250 opt_skip = ull_value;
1260 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1261 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1262 if (opt_version_mode) {
1263 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1264 poptFreeContext(popt_context);
1268 if (!(aname = poptGetArg(popt_context)))
1269 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1270 poptGetInvocationName(popt_context));
1271 for(action = action_types; action->type; action++)
1272 if (strcmp(action->type, aname) == 0)
1275 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1276 poptGetInvocationName(popt_context));
1279 action_argv = poptGetArgs(popt_context);
1280 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1282 action_argv = null_action_argv;
1284 /* Count args, somewhat unnice, change? */
1285 while(action_argv[action_argc] != NULL)
1288 if(action_argc < action->required_action_argc) {
1290 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1291 usage(popt_context, EXIT_FAILURE, buf,
1292 poptGetInvocationName(popt_context));
1295 /* FIXME: rewrite this from scratch */
1297 if (opt_shared && strcmp(aname, "create")) {
1298 usage(popt_context, EXIT_FAILURE,
1299 _("Option --shared is allowed only for create operation.\n"),
1300 poptGetInvocationName(popt_context));
1303 if (opt_allow_discards &&
1304 strcmp(aname, "luksOpen") &&
1305 strcmp(aname, "create") &&
1306 strcmp(aname, "loopaesOpen")) {
1307 usage(popt_context, EXIT_FAILURE,
1308 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1309 poptGetInvocationName(popt_context));
1313 strcmp(aname, "luksFormat") &&
1314 strcmp(aname, "create") &&
1315 strcmp(aname, "loopaesOpen")) {
1316 usage(popt_context, EXIT_FAILURE,
1317 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1318 "To limit read from keyfile use --keyfile-size=(bytes)."),
1319 poptGetInvocationName(popt_context));
1322 if (opt_key_size % 8)
1323 usage(popt_context, EXIT_FAILURE,
1324 _("Key size must be a multiple of 8 bits"),
1325 poptGetInvocationName(popt_context));
1327 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1328 opt_key_slot = atoi(action_argv[1]);
1329 if (opt_key_slot != CRYPT_ANY_SLOT &&
1330 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1331 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1332 poptGetInvocationName(popt_context));
1334 if ((!strcmp(aname, "luksRemoveKey") ||
1335 !strcmp(aname, "luksFormat")) &&
1338 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1340 opt_key_file = action_argv[1];
1343 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1344 usage(popt_context, EXIT_FAILURE,
1345 _("Negative number for option not permitted."),
1346 poptGetInvocationName(popt_context));
1349 if (opt_random && opt_urandom)
1350 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1351 poptGetInvocationName(popt_context));
1352 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1353 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1354 poptGetInvocationName(popt_context));
1356 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1357 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1358 poptGetInvocationName(popt_context));
1360 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1361 usage(popt_context, EXIT_FAILURE,
1362 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1363 poptGetInvocationName(popt_context));
1365 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1366 usage(popt_context, EXIT_FAILURE,
1367 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1368 poptGetInvocationName(popt_context));
1372 crypt_set_debug_level(-1);
1373 _dbg_version_and_cmd(argc, argv);
1376 r = run_action(action);
1377 poptFreeContext(popt_context);