2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
32 #include <libcryptsetup.h>
35 #include "cryptsetup.h"
37 static int opt_verbose = 0;
38 static int opt_debug = 0;
39 static char *opt_cipher = NULL;
40 static char *opt_hash = NULL;
41 static int opt_verify_passphrase = 0;
42 static char *opt_key_file = NULL;
43 static char *opt_master_key_file = NULL;
44 static char *opt_header_backup_file = NULL;
45 static char *opt_uuid = NULL;
46 static int opt_key_size = 0;
47 static long opt_keyfile_size = 0;
48 static long opt_new_keyfile_size = 0;
49 static int opt_key_slot = CRYPT_ANY_SLOT;
50 static uint64_t opt_size = 0;
51 static uint64_t opt_offset = 0;
52 static uint64_t opt_skip = 0;
53 static int opt_skip_valid = 0;
54 static int opt_readonly = 0;
55 static int opt_iteration_time = 1000;
56 static int opt_batch_mode = 0;
57 static int opt_version_mode = 0;
58 static int opt_timeout = 0;
59 static int opt_tries = 3;
60 static int opt_align_payload = 0;
61 static int opt_random = 0;
62 static int opt_urandom = 0;
63 static int opt_dump_master_key = 0;
65 static const char **action_argv;
66 static int action_argc;
68 static int action_create(int arg);
69 static int action_remove(int arg);
70 static int action_resize(int arg);
71 static int action_status(int arg);
72 static int action_luksFormat(int arg);
73 static int action_luksOpen(int arg);
74 static int action_luksAddKey(int arg);
75 static int action_luksKillSlot(int arg);
76 static int action_luksRemoveKey(int arg);
77 static int action_luksChangeKey(int arg);
78 static int action_isLuks(int arg);
79 static int action_luksUUID(int arg);
80 static int action_luksDump(int arg);
81 static int action_luksSuspend(int arg);
82 static int action_luksResume(int arg);
83 static int action_luksBackup(int arg);
84 static int action_luksRestore(int arg);
85 static int action_loopaesOpen(int arg);
87 static struct action_type {
91 int required_action_argc;
96 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
97 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
98 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
99 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
100 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
101 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
102 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
103 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
104 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
105 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
106 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
107 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
108 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
109 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
110 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
111 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
112 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
113 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
114 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
115 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
116 { NULL, NULL, 0, 0, 0, NULL, NULL }
119 static void clogger(struct crypt_device *cd, int level, const char *file,
120 int line, const char *format, ...)
125 va_start(argp, format);
127 if (vasprintf(&target, format, argp) > 0) {
129 crypt_log(cd, level, target);
131 } else if (opt_debug)
132 printf("# %s:%d %s\n", file ?: "?", line, target);
134 } else if (opt_debug)
135 printf("# %s\n", target);
143 static int _yesDialog(const char *msg, void *usrptr)
149 if(isatty(0) && !opt_batch_mode) {
150 log_std("\nWARNING!\n========\n");
151 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
152 if(getline(&answer, &size, stdin) == -1) {
157 if(strcmp(answer, "YES\n"))
165 static void _log(int level, const char *msg, void *usrptr)
169 case CRYPT_LOG_NORMAL:
172 case CRYPT_LOG_VERBOSE:
176 case CRYPT_LOG_ERROR:
179 case CRYPT_LOG_DEBUG:
181 printf("# %s\n", msg);
184 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
189 static void show_status(int errcode)
191 char error[256], *error_;
197 log_std(_("Command successful.\n"));
201 crypt_get_error(error, sizeof(error));
204 error_ = strerror_r(-errcode, error, sizeof(error));
205 if (error_ != error) {
206 strncpy(error, error_, sizeof(error));
207 error[sizeof(error) - 1] = '\0';
211 log_err(_("Command failed with code %i"), -errcode);
213 log_err(": %s\n", error);
218 static int action_create(int arg)
220 struct crypt_device *cd = NULL;
221 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
222 struct crypt_params_plain params = {
223 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
225 .offset = opt_offset,
227 char *password = NULL;
229 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
232 if (params.hash && !strcmp(params.hash, "plain"))
235 /* FIXME: temporary hack */
236 if (opt_key_file && strcmp(opt_key_file, "-"))
239 if (opt_keyfile_size && opt_key_file)
240 log_std(("Ignoring keyfile size option, keyfile read size "
241 "is always the same as encryption key size.\n"));
243 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
244 cipher, NULL, cipher_mode);
246 log_err("No known cipher specification pattern detected.\n");
250 if ((r = crypt_init(&cd, action_argv[1])))
253 crypt_set_timeout(cd, opt_timeout);
254 crypt_set_password_retry(cd, opt_tries);
256 r = crypt_format(cd, CRYPT_PLAIN,
265 r = crypt_activate_by_keyfile(cd, action_argv[0],
266 CRYPT_ANY_SLOT, opt_key_file, key_size,
267 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
269 r = crypt_get_key(_("Enter passphrase: "),
270 &password, &passwordLen, opt_keyfile_size,
272 opt_batch_mode ? 0 : opt_verify_passphrase,
277 r = crypt_activate_by_passphrase(cd, action_argv[0],
278 CRYPT_ANY_SLOT, password, passwordLen,
279 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
283 crypt_safe_free(password);
288 static int action_loopaesOpen(int arg)
290 struct crypt_device *cd = NULL;
291 struct crypt_params_loopaes params = {
292 .hash = opt_hash ?: NULL, // FIXME
293 .offset = opt_offset,
294 .skip = opt_skip_valid ? opt_skip : opt_offset,
296 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
300 log_err(_("Option --key-file is required.\n"));
304 if ((r = crypt_init(&cd, action_argv[0])))
307 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
308 NULL, NULL, NULL, key_size, ¶ms);
312 r = crypt_activate_by_keyfile(cd, action_argv[1],
313 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
314 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
321 static int action_remove(int arg)
323 struct crypt_device *cd = NULL;
326 r = crypt_init_by_name(&cd, action_argv[0]);
328 r = crypt_deactivate(cd, action_argv[0]);
334 static int action_resize(int arg)
336 struct crypt_device *cd = NULL;
339 r = crypt_init_by_name(&cd, action_argv[0]);
341 r = crypt_resize(cd, action_argv[0], opt_size);
347 static int action_status(int arg)
349 crypt_status_info ci;
350 struct crypt_active_device cad;
351 struct crypt_device *cd = NULL;
356 ci = crypt_status(NULL, action_argv[0]);
362 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
366 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
367 ci == CRYPT_BUSY ? " and is in use" : "");
368 r = crypt_init_by_name(&cd, action_argv[0]);
369 if (r < 0 || !crypt_get_type(cd))
372 log_std(" type: %s\n", crypt_get_type(cd));
374 r = crypt_get_active_device(cd, action_argv[0], &cad);
378 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
379 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
380 device = crypt_get_device_name(cd);
381 log_std(" device: %s\n", device);
382 if (crypt_loop_device(device)) {
383 backing_file = crypt_loop_backing_file(device);
384 log_std(" loop: %s\n", backing_file);
387 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
388 log_std(" size: %" PRIu64 " sectors\n", cad.size);
390 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
391 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
392 "readonly" : "read/write");
399 static int _read_mk(const char *file, char **key, int keysize)
403 *key = crypt_safe_alloc(keysize);
407 fd = open(file, O_RDONLY);
409 log_err("Cannot read keyfile %s.\n", file);
412 if ((read(fd, *key, keysize) != keysize)) {
413 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
420 crypt_safe_free(*key);
425 static int action_luksFormat(int arg)
427 int r = -EINVAL, keysize;
428 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
429 char *password = NULL;
431 struct crypt_device *cd = NULL;
432 struct crypt_params_luks1 params = {
433 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
434 .data_alignment = opt_align_payload,
437 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
438 log_err(_("memory allocation error in action_luksFormat"));
442 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
447 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
448 cipher, NULL, cipher_mode);
450 log_err("No known cipher specification pattern detected.\n");
454 if ((r = crypt_init(&cd, action_argv[0])))
457 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
459 crypt_set_password_verify(cd, 1);
460 crypt_set_timeout(cd, opt_timeout);
461 if (opt_iteration_time)
462 crypt_set_iterarion_time(cd, opt_iteration_time);
465 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
466 else if (opt_urandom)
467 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
469 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
470 opt_keyfile_size, opt_key_file, opt_timeout,
471 opt_batch_mode ? 0 : 1 /* always verify */, cd);
475 if (opt_master_key_file) {
476 r = _read_mk(opt_master_key_file, &key, keysize);
481 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
482 opt_uuid, key, keysize, ¶ms);
486 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
488 password, passwordLen);
491 crypt_safe_free(key);
492 crypt_safe_free(password);
497 static int action_luksOpen(int arg)
499 struct crypt_device *cd = NULL;
503 if ((r = crypt_init(&cd, action_argv[0])))
506 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
509 crypt_set_timeout(cd, opt_timeout);
510 crypt_set_password_retry(cd, opt_tries);
512 if (opt_iteration_time)
513 crypt_set_iterarion_time(cd, opt_iteration_time);
515 flags |= CRYPT_ACTIVATE_READONLY;
518 crypt_set_password_retry(cd, 1);
519 r = crypt_activate_by_keyfile(cd, action_argv[1],
520 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
523 r = crypt_activate_by_passphrase(cd, action_argv[1],
524 CRYPT_ANY_SLOT, NULL, 0, flags);
530 static int verify_keyslot(struct crypt_device *cd, int key_slot,
531 char *msg_last, char *msg_pass,
532 const char *key_file, int keyfile_size)
534 crypt_keyslot_info ki;
535 char *password = NULL;
539 ki = crypt_keyslot_status(cd, key_slot);
540 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
543 r = crypt_get_key(msg_pass, &password, &passwordLen,
544 keyfile_size, key_file, opt_timeout,
545 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
549 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
550 /* check the last keyslot */
551 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
552 password, passwordLen, 0);
554 /* try all other keyslots */
555 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
558 ki = crypt_keyslot_status(cd, key_slot);
559 if (ki == CRYPT_SLOT_ACTIVE)
560 r = crypt_activate_by_passphrase(cd, NULL, i,
561 password, passwordLen, 0);
568 log_err(_("No key available with this passphrase.\n"));
570 crypt_safe_free(password);
574 static int action_luksKillSlot(int arg)
576 struct crypt_device *cd = NULL;
579 if ((r = crypt_init(&cd, action_argv[0])))
582 crypt_set_confirm_callback(cd, _yesDialog, NULL);
583 crypt_set_timeout(cd, opt_timeout);
585 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
588 switch (crypt_keyslot_status(cd, opt_key_slot)) {
589 case CRYPT_SLOT_ACTIVE_LAST:
590 case CRYPT_SLOT_ACTIVE:
591 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
593 case CRYPT_SLOT_INACTIVE:
594 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
595 case CRYPT_SLOT_INVALID:
599 if (!opt_batch_mode) {
600 r = verify_keyslot(cd, opt_key_slot,
601 _("This is the last keyslot. Device will become unusable after purging this key."),
602 _("Enter any remaining LUKS passphrase: "),
603 opt_key_file, opt_keyfile_size);
608 r = crypt_keyslot_destroy(cd, opt_key_slot);
614 static int action_luksRemoveKey(int arg)
616 struct crypt_device *cd = NULL;
617 char *password = NULL;
621 if ((r = crypt_init(&cd, action_argv[0])))
624 crypt_set_confirm_callback(cd, _yesDialog, NULL);
625 crypt_set_timeout(cd, opt_timeout);
627 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
630 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
631 &password, &passwordLen,
632 opt_keyfile_size, opt_key_file,
634 opt_batch_mode ? 0 : opt_verify_passphrase,
639 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
640 password, passwordLen, 0);
645 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
647 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
648 !_yesDialog(_("This is the last keyslot. "
649 "Device will become unusable after purging this key."),
655 r = crypt_keyslot_destroy(cd, opt_key_slot);
657 crypt_safe_free(password);
662 static int action_luksAddKey(int arg)
664 int r = -EINVAL, keysize = 0;
666 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
667 struct crypt_device *cd = NULL;
669 if ((r = crypt_init(&cd, action_argv[0])))
672 crypt_set_confirm_callback(cd, _yesDialog, NULL);
674 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
677 keysize = crypt_get_volume_key_size(cd);
678 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
679 crypt_set_timeout(cd, opt_timeout);
680 if (opt_iteration_time)
681 crypt_set_iterarion_time(cd, opt_iteration_time);
683 if (opt_master_key_file) {
684 r = _read_mk(opt_master_key_file, &key, keysize);
687 //FIXME: process keyfile arg
688 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
689 key, keysize, NULL, 0);
690 } else if (opt_key_file || opt_new_key_file) {
691 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
692 opt_key_file, opt_keyfile_size,
693 opt_new_key_file, opt_new_keyfile_size);
695 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
700 crypt_safe_free(key);
704 static int _slots_full(struct crypt_device *cd)
708 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
709 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
714 static int action_luksChangeKey(int arg)
716 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
717 struct crypt_device *cd = NULL;
718 char *vk = NULL, *password = NULL;
719 size_t passwordLen = 0;
721 int new_key_slot, old_key_slot, r;
723 if ((r = crypt_init(&cd, action_argv[0])))
726 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
729 if (opt_iteration_time)
730 crypt_set_iterarion_time(cd, opt_iteration_time);
732 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
733 &password, &passwordLen,
734 opt_keyfile_size, opt_key_file, opt_timeout,
735 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
739 vk_size = crypt_get_volume_key_size(cd);
740 vk = crypt_safe_alloc(vk_size);
746 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
747 password, passwordLen);
749 if (opt_key_slot != CRYPT_ANY_SLOT)
750 log_err(_("No key available with this passphrase.\n"));
754 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
755 log_dbg("Key slot %d is going to be overwritten (%s).",
756 r, opt_key_slot != CRYPT_ANY_SLOT ?
757 "explicit key slot specified" : "no free key slot");
761 log_dbg("Allocating new key slot.");
763 new_key_slot = CRYPT_ANY_SLOT;
766 crypt_safe_free(password);
769 r = crypt_get_key(_("Enter new LUKS passphrase: "),
770 &password, &passwordLen,
771 opt_new_keyfile_size, opt_new_key_file,
772 opt_timeout, opt_batch_mode ? 0 : 1, cd);
776 if (new_key_slot == old_key_slot) {
777 (void)crypt_keyslot_destroy(cd, old_key_slot);
778 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
780 password, passwordLen);
782 log_verbose(_("Key slot %d changed.\n"), r);
784 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
786 password, passwordLen);
788 log_verbose(_("Replaced with key slot %d.\n"), r);
789 r = crypt_keyslot_destroy(cd, old_key_slot);
793 log_err(_("Failed to swap new key slot.\n"));
796 crypt_safe_free(password);
801 static int action_isLuks(int arg)
803 struct crypt_device *cd = NULL;
806 if ((r = crypt_init(&cd, action_argv[0])))
809 r = crypt_load(cd, CRYPT_LUKS1, NULL);
815 static int action_luksUUID(int arg)
817 struct crypt_device *cd = NULL;
818 const char *existing_uuid = NULL;
821 if ((r = crypt_init(&cd, action_argv[0])))
824 crypt_set_confirm_callback(cd, _yesDialog, NULL);
826 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
830 r = crypt_set_uuid(cd, opt_uuid);
832 existing_uuid = crypt_get_uuid(cd);
833 log_std("%s\n", existing_uuid ?: "");
834 r = existing_uuid ? 0 : 1;
841 static int luksDump_with_volume_key(struct crypt_device *cd)
843 char *vk = NULL, *password = NULL;
844 size_t passwordLen = 0;
848 crypt_set_confirm_callback(cd, _yesDialog, NULL);
850 _("LUKS header dump with volume key is sensitive information\n"
851 "which allows access to encrypted partition without passphrase.\n"
852 "This dump should be always stored encrypted on safe place."),
856 vk_size = crypt_get_volume_key_size(cd);
857 vk = crypt_safe_alloc(vk_size);
861 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
862 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
866 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
867 password, passwordLen);
871 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
872 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
873 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
874 log_std("Payload offset:\t%d\n", crypt_get_data_offset(cd));
875 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
876 log_std("MK bits: \t%d\n", vk_size * 8);
877 log_std("MK dump:\t");
879 for(i = 0; i < vk_size; i++) {
882 log_std("%02hhx ", (char)vk[i]);
887 crypt_safe_free(password);
892 static int action_luksDump(int arg)
894 struct crypt_device *cd = NULL;
897 if ((r = crypt_init(&cd, action_argv[0])))
900 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
903 if (opt_dump_master_key)
904 r = luksDump_with_volume_key(cd);
912 static int action_luksSuspend(int arg)
914 struct crypt_device *cd = NULL;
917 r = crypt_init_by_name(&cd, action_argv[0]);
919 r = crypt_suspend(cd, action_argv[0]);
925 static int action_luksResume(int arg)
927 struct crypt_device *cd = NULL;
930 if ((r = crypt_init_by_name(&cd, action_argv[0])))
933 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
937 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
938 opt_key_file, opt_keyfile_size);
940 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
947 static int action_luksBackup(int arg)
949 struct crypt_device *cd = NULL;
952 if (!opt_header_backup_file) {
953 log_err(_("Option --header-backup-file is required.\n"));
957 if ((r = crypt_init(&cd, action_argv[0])))
960 crypt_set_confirm_callback(cd, _yesDialog, NULL);
962 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
968 static int action_luksRestore(int arg)
970 struct crypt_device *cd = NULL;
973 if (!opt_header_backup_file) {
974 log_err(_("Option --header-backup-file is required.\n"));
978 if ((r = crypt_init(&cd, action_argv[0])))
981 crypt_set_confirm_callback(cd, _yesDialog, NULL);
982 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
988 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
989 int exitcode, const char *error,
992 poptPrintUsage(popt_context, stderr, 0);
994 log_err("%s: %s\n", more, error);
998 static void help(poptContext popt_context, enum poptCallbackReason reason,
999 struct poptOption *key, const char * arg, void *data)
1001 if (key->shortName == '?') {
1002 struct action_type *action;
1004 log_std("%s\n",PACKAGE_STRING);
1006 poptPrintHelp(popt_context, stdout, 0);
1009 "<action> is one of:\n"));
1011 for(action = action_types; action->type; action++)
1012 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1015 "<name> is the device to create under %s\n"
1016 "<device> is the encrypted device\n"
1017 "<key slot> is the LUKS key slot number to modify\n"
1018 "<key file> optional key file for the new key for luksAddKey action\n"),
1021 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1022 "\tMaximum keyfile size: %dkB, "
1023 "Maximum interactive passphrase length %d (characters)\n"),
1024 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1026 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1027 "\tloop-AES: %s, Key %d bits\n"
1028 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1029 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1030 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1031 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1032 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1036 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1039 static void _dbg_version_and_cmd(int argc, char **argv)
1043 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1044 for (i = 0; i < argc; i++) {
1052 static int run_action(struct action_type *action)
1056 log_dbg("Running command %s.", action->type);
1058 if (action->required_memlock)
1059 crypt_memory_lock(NULL, 1);
1061 r = action->handler(action->arg);
1063 if (action->required_memlock)
1064 crypt_memory_lock(NULL, 0);
1066 /* Some functions returns keyslot # */
1072 /* Translate exit code to simple codes */
1074 case 0: r = EXIT_SUCCESS; break;
1076 case -EBUSY: r = 5; break;
1078 case -ENODEV: r = 4; break;
1079 case -ENOMEM: r = 3; break;
1080 case -EPERM: r = 2; break;
1084 default: r = EXIT_FAILURE;
1089 int main(int argc, char **argv)
1091 static char *popt_tmp;
1092 static struct poptOption popt_help_options[] = {
1093 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1094 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1095 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1098 static struct poptOption popt_options[] = {
1099 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1100 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1101 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1102 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1103 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1104 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1105 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1106 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1107 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1108 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1109 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1110 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1111 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1112 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1113 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1114 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1115 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1116 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1117 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1118 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1119 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1120 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1121 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1122 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1123 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1124 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1125 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1128 poptContext popt_context;
1129 struct action_type *action;
1132 const char *null_action_argv[] = {NULL};
1134 crypt_set_log_callback(NULL, _log, NULL);
1136 setlocale(LC_ALL, "");
1137 bindtextdomain(PACKAGE, LOCALEDIR);
1138 textdomain(PACKAGE);
1140 popt_context = poptGetContext(PACKAGE, argc, (const char **)argv,
1142 poptSetOtherOptionHelp(popt_context,
1143 N_("[OPTION...] <action> <action-specific>]"));
1145 while((r = poptGetNextOpt(popt_context)) > 0) {
1146 unsigned long long ull_value;
1149 ull_value = strtoull(popt_tmp, &endp, 0);
1150 if (*endp || !*popt_tmp)
1151 r = POPT_ERROR_BADNUMBER;
1155 opt_size = ull_value;
1158 opt_offset = ull_value;
1161 opt_skip = ull_value;
1171 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1172 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1173 if (opt_version_mode) {
1174 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1178 if (!(aname = (char *)poptGetArg(popt_context)))
1179 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1180 poptGetInvocationName(popt_context));
1181 for(action = action_types; action->type; action++)
1182 if (strcmp(action->type, aname) == 0)
1185 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1186 poptGetInvocationName(popt_context));
1189 action_argv = poptGetArgs(popt_context);
1190 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1192 action_argv = null_action_argv;
1194 /* Count args, somewhat unnice, change? */
1195 while(action_argv[action_argc] != NULL)
1198 if(action_argc < action->required_action_argc) {
1200 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1201 usage(popt_context, EXIT_FAILURE, buf,
1202 poptGetInvocationName(popt_context));
1205 /* FIXME: rewrite this from scratch */
1208 strcmp(aname, "luksFormat") &&
1209 strcmp(aname, "create") &&
1210 strcmp(aname, "loopaesOpen")) {
1211 usage(popt_context, EXIT_FAILURE,
1212 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1213 "To limit read from keyfile use --keyfile-size=(bytes)."),
1214 poptGetInvocationName(popt_context));
1217 if (opt_key_size % 8)
1218 usage(popt_context, EXIT_FAILURE,
1219 _("Key size must be a multiple of 8 bits"),
1220 poptGetInvocationName(popt_context));
1222 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1223 opt_key_slot = atoi(action_argv[1]);
1224 if (opt_key_slot != CRYPT_ANY_SLOT &&
1225 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1226 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1227 poptGetInvocationName(popt_context));
1229 if ((!strcmp(aname, "luksRemoveKey") ||
1230 !strcmp(aname, "luksFormat")) &&
1233 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1235 opt_key_file = (char*)action_argv[1];
1238 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1239 usage(popt_context, EXIT_FAILURE,
1240 _("Negative number for option not permitted."),
1241 poptGetInvocationName(popt_context));
1244 if (opt_random && opt_urandom)
1245 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1246 poptGetInvocationName(popt_context));
1247 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1248 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1249 poptGetInvocationName(popt_context));
1251 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1252 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1253 poptGetInvocationName(popt_context));
1255 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1256 usage(popt_context, EXIT_FAILURE,
1257 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1258 poptGetInvocationName(popt_context));
1260 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1261 usage(popt_context, EXIT_FAILURE,
1262 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1263 poptGetInvocationName(popt_context));
1267 crypt_set_debug_level(-1);
1268 _dbg_version_and_cmd(argc, argv);
1271 return run_action(action);