2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
34 #include <libcryptsetup.h>
37 #include "cryptsetup.h"
39 static int opt_verbose = 0;
40 static int opt_debug = 0;
41 static const char *opt_cipher = NULL;
42 static const char *opt_hash = NULL;
43 static int opt_verify_passphrase = 0;
44 static const char *opt_key_file = NULL;
45 static const char *opt_master_key_file = NULL;
46 static const char *opt_header_backup_file = NULL;
47 static const char *opt_uuid = NULL;
48 static const char *opt_header_device = NULL;
49 static int opt_key_size = 0;
50 static long opt_keyfile_size = 0;
51 static long opt_new_keyfile_size = 0;
52 static int opt_key_slot = CRYPT_ANY_SLOT;
53 static uint64_t opt_size = 0;
54 static uint64_t opt_offset = 0;
55 static uint64_t opt_skip = 0;
56 static int opt_skip_valid = 0;
57 static int opt_readonly = 0;
58 static int opt_iteration_time = 1000;
59 static int opt_batch_mode = 0;
60 static int opt_version_mode = 0;
61 static int opt_timeout = 0;
62 static int opt_tries = 3;
63 static int opt_align_payload = 0;
64 static int opt_random = 0;
65 static int opt_urandom = 0;
66 static int opt_dump_master_key = 0;
67 static int opt_shared = 0;
68 static int opt_allow_discards = 0;
70 static const char **action_argv;
71 static int action_argc;
73 static int action_create(int arg);
74 static int action_remove(int arg);
75 static int action_resize(int arg);
76 static int action_status(int arg);
77 static int action_luksFormat(int arg);
78 static int action_luksOpen(int arg);
79 static int action_luksAddKey(int arg);
80 static int action_luksKillSlot(int arg);
81 static int action_luksRemoveKey(int arg);
82 static int action_luksChangeKey(int arg);
83 static int action_isLuks(int arg);
84 static int action_luksUUID(int arg);
85 static int action_luksDump(int arg);
86 static int action_luksSuspend(int arg);
87 static int action_luksResume(int arg);
88 static int action_luksBackup(int arg);
89 static int action_luksRestore(int arg);
90 static int action_loopaesOpen(int arg);
92 static struct action_type {
96 int required_action_argc;
101 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
102 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
103 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
104 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
105 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
106 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
107 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
108 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
109 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
110 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
111 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
112 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
113 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
114 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
115 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
116 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
117 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
118 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
119 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
120 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
121 { NULL, NULL, 0, 0, 0, NULL, NULL }
124 __attribute__((format(printf, 5, 6)))
125 static void clogger(struct crypt_device *cd, int level, const char *file,
126 int line, const char *format, ...)
131 va_start(argp, format);
133 if (vasprintf(&target, format, argp) > 0) {
135 crypt_log(cd, level, target);
137 } else if (opt_debug)
138 printf("# %s:%d %s\n", file ?: "?", line, target);
140 } else if (opt_debug)
141 printf("# %s\n", target);
149 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
155 if(isatty(0) && !opt_batch_mode) {
156 log_std("\nWARNING!\n========\n");
157 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
158 if(getline(&answer, &size, stdin) == -1) {
163 if(strcmp(answer, "YES\n"))
171 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
175 case CRYPT_LOG_NORMAL:
178 case CRYPT_LOG_VERBOSE:
182 case CRYPT_LOG_ERROR:
185 case CRYPT_LOG_DEBUG:
187 printf("# %s\n", msg);
190 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
195 static void _quiet_log(int level, const char *msg, void *usrptr)
197 if (!opt_verbose && (level == CRYPT_LOG_ERROR || level == CRYPT_LOG_NORMAL))
198 level = CRYPT_LOG_VERBOSE;
199 _log(level, msg, usrptr);
202 static void show_status(int errcode)
204 char error[256], *error_;
210 log_std(_("Command successful.\n"));
214 crypt_get_error(error, sizeof(error));
217 error_ = strerror_r(-errcode, error, sizeof(error));
218 if (error_ != error) {
219 strncpy(error, error_, sizeof(error));
220 error[sizeof(error) - 1] = '\0';
224 log_err(_("Command failed with code %i"), -errcode);
226 log_err(": %s\n", error);
231 static int action_create(int arg __attribute__((unused)))
233 struct crypt_device *cd = NULL;
234 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
235 struct crypt_params_plain params = {
236 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
238 .offset = opt_offset,
241 char *password = NULL;
243 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
244 uint32_t activate_flags = 0;
247 if (params.hash && !strcmp(params.hash, "plain"))
250 /* FIXME: temporary hack */
251 if (opt_key_file && strcmp(opt_key_file, "-"))
254 if (opt_keyfile_size && opt_key_file)
255 log_std(("Ignoring keyfile size option, keyfile read size "
256 "is always the same as encryption key size.\n"));
258 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
259 cipher, NULL, cipher_mode);
261 log_err("No known cipher specification pattern detected.\n");
265 if ((r = crypt_init(&cd, action_argv[1])))
268 crypt_set_timeout(cd, opt_timeout);
269 crypt_set_password_retry(cd, opt_tries);
271 r = crypt_format(cd, CRYPT_PLAIN,
280 activate_flags |= CRYPT_ACTIVATE_READONLY;
283 activate_flags |= CRYPT_ACTIVATE_SHARED;
285 if (opt_allow_discards)
286 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
289 /* With hashing, read the whole keyfile */
290 r = crypt_activate_by_keyfile(cd, action_argv[0],
291 CRYPT_ANY_SLOT, opt_key_file, params.hash ? 0 : key_size,
294 r = crypt_get_key(_("Enter passphrase: "),
295 &password, &passwordLen, opt_keyfile_size,
297 opt_batch_mode ? 0 : opt_verify_passphrase,
302 r = crypt_activate_by_passphrase(cd, action_argv[0],
303 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
307 crypt_safe_free(password);
312 static int action_loopaesOpen(int arg __attribute__((unused)))
314 struct crypt_device *cd = NULL;
315 struct crypt_params_loopaes params = {
316 .hash = opt_hash ?: NULL,
317 .offset = opt_offset,
318 .skip = opt_skip_valid ? opt_skip : opt_offset,
320 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
321 uint32_t activate_flags = 0;
325 log_err(_("Option --key-file is required.\n"));
330 activate_flags |= CRYPT_ACTIVATE_READONLY;
332 if (opt_allow_discards)
333 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
335 if ((r = crypt_init(&cd, action_argv[0])))
338 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
339 NULL, NULL, NULL, key_size, ¶ms);
343 r = crypt_activate_by_keyfile(cd, action_argv[1], CRYPT_ANY_SLOT,
344 opt_key_file, opt_keyfile_size, activate_flags);
351 static int action_remove(int arg __attribute__((unused)))
353 struct crypt_device *cd = NULL;
356 r = crypt_init_by_name(&cd, action_argv[0]);
358 r = crypt_deactivate(cd, action_argv[0]);
364 static int action_resize(int arg __attribute__((unused)))
366 struct crypt_device *cd = NULL;
369 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
371 r = crypt_resize(cd, action_argv[0], opt_size);
377 static int action_status(int arg __attribute__((unused)))
379 crypt_status_info ci;
380 struct crypt_active_device cad;
381 struct crypt_device *cd = NULL;
387 /* perhaps a path, not a dm device name */
388 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
391 ci = crypt_status(NULL, action_argv[0]);
398 log_std("%s is inactive.\n", action_argv[0]);
400 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
406 log_std("%s is active%s.\n", action_argv[0],
407 ci == CRYPT_BUSY ? " and is in use" : "");
409 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
410 ci == CRYPT_BUSY ? " and is in use" : "");
411 r = crypt_init_by_name(&cd, action_argv[0]);
412 if (r < 0 || !crypt_get_type(cd))
415 log_std(" type: %s\n", crypt_get_type(cd));
417 r = crypt_get_active_device(cd, action_argv[0], &cad);
421 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
422 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
423 device = crypt_get_device_name(cd);
424 log_std(" device: %s\n", device);
425 if (crypt_loop_device(device)) {
426 backing_file = crypt_loop_backing_file(device);
427 log_std(" loop: %s\n", backing_file);
430 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
431 log_std(" size: %" PRIu64 " sectors\n", cad.size);
433 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
434 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
435 "readonly" : "read/write");
436 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
437 log_std(" flags: discards\n");
444 static int _read_mk(const char *file, char **key, int keysize)
448 *key = crypt_safe_alloc(keysize);
452 fd = open(file, O_RDONLY);
454 log_err("Cannot read keyfile %s.\n", file);
457 if ((read(fd, *key, keysize) != keysize)) {
458 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
465 crypt_safe_free(*key);
470 static int action_luksFormat(int arg __attribute__((unused)))
472 int r = -EINVAL, keysize;
473 const char *header_device;
474 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
475 char *password = NULL;
477 struct crypt_device *cd = NULL;
478 struct crypt_params_luks1 params = {
479 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
480 .data_alignment = opt_align_payload,
481 .data_device = opt_header_device ? action_argv[0] : NULL,
484 header_device = opt_header_device ?: action_argv[0];
486 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
487 header_device) == -1) {
488 log_err(_("memory allocation error in action_luksFormat"));
492 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
497 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
498 cipher, NULL, cipher_mode);
500 log_err(_("No known cipher specification pattern detected.\n"));
504 if ((r = crypt_init(&cd, header_device))) {
505 if (opt_header_device)
506 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
510 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
512 crypt_set_password_verify(cd, 1);
513 crypt_set_timeout(cd, opt_timeout);
514 if (opt_iteration_time)
515 crypt_set_iteration_time(cd, opt_iteration_time);
518 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
519 else if (opt_urandom)
520 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
522 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
523 opt_keyfile_size, opt_key_file, opt_timeout,
524 opt_batch_mode ? 0 : 1 /* always verify */, cd);
528 if (opt_master_key_file) {
529 r = _read_mk(opt_master_key_file, &key, keysize);
534 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
535 opt_uuid, key, keysize, ¶ms);
539 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
541 password, passwordLen);
544 crypt_safe_free(key);
545 crypt_safe_free(password);
550 static int action_luksOpen(int arg __attribute__((unused)))
552 struct crypt_device *cd = NULL;
553 const char *data_device, *header_device;
557 if (opt_header_device) {
558 header_device = opt_header_device;
559 data_device = action_argv[0];
561 header_device = action_argv[0];
565 if ((r = crypt_init(&cd, header_device)))
568 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
572 (r = crypt_set_data_device(cd, data_device)))
575 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
576 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
581 crypt_set_timeout(cd, opt_timeout);
582 crypt_set_password_retry(cd, opt_tries);
584 if (opt_iteration_time)
585 crypt_set_iteration_time(cd, opt_iteration_time);
588 flags |= CRYPT_ACTIVATE_READONLY;
590 if (opt_allow_discards)
591 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
594 crypt_set_password_retry(cd, 1);
595 r = crypt_activate_by_keyfile(cd, action_argv[1],
596 opt_key_slot, opt_key_file, opt_keyfile_size,
599 r = crypt_activate_by_passphrase(cd, action_argv[1],
600 opt_key_slot, NULL, 0, flags);
606 static int verify_keyslot(struct crypt_device *cd, int key_slot,
607 char *msg_last, char *msg_pass,
608 const char *key_file, int keyfile_size)
610 crypt_keyslot_info ki;
611 char *password = NULL;
615 ki = crypt_keyslot_status(cd, key_slot);
616 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
619 r = crypt_get_key(msg_pass, &password, &passwordLen,
620 keyfile_size, key_file, opt_timeout,
621 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
625 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
626 /* check the last keyslot */
627 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
628 password, passwordLen, 0);
630 /* try all other keyslots */
631 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
634 ki = crypt_keyslot_status(cd, key_slot);
635 if (ki == CRYPT_SLOT_ACTIVE)
636 r = crypt_activate_by_passphrase(cd, NULL, i,
637 password, passwordLen, 0);
644 log_err(_("No key available with this passphrase.\n"));
646 crypt_safe_free(password);
650 static int action_luksKillSlot(int arg __attribute__((unused)))
652 struct crypt_device *cd = NULL;
655 if ((r = crypt_init(&cd, action_argv[0])))
658 crypt_set_confirm_callback(cd, _yesDialog, NULL);
659 crypt_set_timeout(cd, opt_timeout);
661 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
664 switch (crypt_keyslot_status(cd, opt_key_slot)) {
665 case CRYPT_SLOT_ACTIVE_LAST:
666 case CRYPT_SLOT_ACTIVE:
667 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
669 case CRYPT_SLOT_INACTIVE:
670 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
671 case CRYPT_SLOT_INVALID:
676 if (!opt_batch_mode) {
677 r = verify_keyslot(cd, opt_key_slot,
678 _("This is the last keyslot. Device will become unusable after purging this key."),
679 _("Enter any remaining LUKS passphrase: "),
680 opt_key_file, opt_keyfile_size);
685 r = crypt_keyslot_destroy(cd, opt_key_slot);
691 static int action_luksRemoveKey(int arg __attribute__((unused)))
693 struct crypt_device *cd = NULL;
694 char *password = NULL;
698 if ((r = crypt_init(&cd, action_argv[0])))
701 crypt_set_confirm_callback(cd, _yesDialog, NULL);
702 crypt_set_timeout(cd, opt_timeout);
704 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
707 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
708 &password, &passwordLen,
709 opt_keyfile_size, opt_key_file,
711 opt_batch_mode ? 0 : opt_verify_passphrase,
716 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
717 password, passwordLen, 0);
722 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
724 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
725 !_yesDialog(_("This is the last keyslot. "
726 "Device will become unusable after purging this key."),
732 r = crypt_keyslot_destroy(cd, opt_key_slot);
734 crypt_safe_free(password);
739 static int action_luksAddKey(int arg __attribute__((unused)))
741 int r = -EINVAL, keysize = 0;
743 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
744 struct crypt_device *cd = NULL;
746 if ((r = crypt_init(&cd, action_argv[0])))
749 crypt_set_confirm_callback(cd, _yesDialog, NULL);
751 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
754 keysize = crypt_get_volume_key_size(cd);
755 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
756 crypt_set_timeout(cd, opt_timeout);
757 if (opt_iteration_time)
758 crypt_set_iteration_time(cd, opt_iteration_time);
760 if (opt_master_key_file) {
761 r = _read_mk(opt_master_key_file, &key, keysize);
764 //FIXME: process keyfile arg
765 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
766 key, keysize, NULL, 0);
767 } else if (opt_key_file || opt_new_key_file) {
768 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
769 opt_key_file, opt_keyfile_size,
770 opt_new_key_file, opt_new_keyfile_size);
772 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
777 crypt_safe_free(key);
781 static int _slots_full(struct crypt_device *cd)
785 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
786 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
791 static int action_luksChangeKey(int arg __attribute__((unused)))
793 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
794 struct crypt_device *cd = NULL;
795 char *vk = NULL, *password = NULL;
796 size_t passwordLen = 0;
798 int new_key_slot, old_key_slot, r;
800 if ((r = crypt_init(&cd, action_argv[0])))
803 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
806 if (opt_iteration_time)
807 crypt_set_iteration_time(cd, opt_iteration_time);
809 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
810 &password, &passwordLen,
811 opt_keyfile_size, opt_key_file, opt_timeout,
812 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
816 vk_size = crypt_get_volume_key_size(cd);
817 vk = crypt_safe_alloc(vk_size);
823 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
824 password, passwordLen);
826 if (opt_key_slot != CRYPT_ANY_SLOT)
827 log_err(_("No key available with this passphrase.\n"));
831 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
832 log_dbg("Key slot %d is going to be overwritten (%s).",
833 r, opt_key_slot != CRYPT_ANY_SLOT ?
834 "explicit key slot specified" : "no free key slot");
838 log_dbg("Allocating new key slot.");
840 new_key_slot = CRYPT_ANY_SLOT;
843 crypt_safe_free(password);
846 r = crypt_get_key(_("Enter new LUKS passphrase: "),
847 &password, &passwordLen,
848 opt_new_keyfile_size, opt_new_key_file,
849 opt_timeout, opt_batch_mode ? 0 : 1, cd);
853 if (new_key_slot == old_key_slot) {
854 (void)crypt_keyslot_destroy(cd, old_key_slot);
855 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
857 password, passwordLen);
859 log_verbose(_("Key slot %d changed.\n"), r);
861 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
863 password, passwordLen);
865 log_verbose(_("Replaced with key slot %d.\n"), r);
866 r = crypt_keyslot_destroy(cd, old_key_slot);
870 log_err(_("Failed to swap new key slot.\n"));
873 crypt_safe_free(password);
878 static int action_isLuks(int arg __attribute__((unused)))
880 struct crypt_device *cd = NULL;
883 if ((r = crypt_init(&cd, action_argv[0])))
886 crypt_set_log_callback(cd, _quiet_log, NULL);
887 r = crypt_load(cd, CRYPT_LUKS1, NULL);
893 static int action_luksUUID(int arg __attribute__((unused)))
895 struct crypt_device *cd = NULL;
896 const char *existing_uuid = NULL;
899 if ((r = crypt_init(&cd, action_argv[0])))
902 crypt_set_confirm_callback(cd, _yesDialog, NULL);
904 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
908 r = crypt_set_uuid(cd, opt_uuid);
910 existing_uuid = crypt_get_uuid(cd);
911 log_std("%s\n", existing_uuid ?: "");
912 r = existing_uuid ? 0 : 1;
919 static int luksDump_with_volume_key(struct crypt_device *cd)
921 char *vk = NULL, *password = NULL;
922 size_t passwordLen = 0;
927 crypt_set_confirm_callback(cd, _yesDialog, NULL);
929 _("LUKS header dump with volume key is sensitive information\n"
930 "which allows access to encrypted partition without passphrase.\n"
931 "This dump should be always stored encrypted on safe place."),
935 vk_size = crypt_get_volume_key_size(cd);
936 vk = crypt_safe_alloc(vk_size);
940 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
941 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
945 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
946 password, passwordLen);
950 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
951 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
952 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
953 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
954 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
955 log_std("MK bits: \t%d\n", (int)vk_size * 8);
956 log_std("MK dump:\t");
958 for(i = 0; i < vk_size; i++) {
961 log_std("%02hhx ", (char)vk[i]);
966 crypt_safe_free(password);
971 static int action_luksDump(int arg __attribute__((unused)))
973 struct crypt_device *cd = NULL;
976 if ((r = crypt_init(&cd, action_argv[0])))
979 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
982 if (opt_dump_master_key)
983 r = luksDump_with_volume_key(cd);
991 static int action_luksSuspend(int arg __attribute__((unused)))
993 struct crypt_device *cd = NULL;
996 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
998 r = crypt_suspend(cd, action_argv[0]);
1004 static int action_luksResume(int arg __attribute__((unused)))
1006 struct crypt_device *cd = NULL;
1009 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1012 crypt_set_timeout(cd, opt_timeout);
1013 crypt_set_password_retry(cd, opt_tries);
1016 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
1017 opt_key_file, opt_keyfile_size);
1019 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1026 static int action_luksBackup(int arg __attribute__((unused)))
1028 struct crypt_device *cd = NULL;
1031 if (!opt_header_backup_file) {
1032 log_err(_("Option --header-backup-file is required.\n"));
1036 if ((r = crypt_init(&cd, action_argv[0])))
1039 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1041 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1047 static int action_luksRestore(int arg __attribute__((unused)))
1049 struct crypt_device *cd = NULL;
1052 if (!opt_header_backup_file) {
1053 log_err(_("Option --header-backup-file is required.\n"));
1057 if ((r = crypt_init(&cd, action_argv[0])))
1060 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1061 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1067 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1068 int exitcode, const char *error,
1071 poptPrintUsage(popt_context, stderr, 0);
1073 log_err("%s: %s\n", more, error);
1074 poptFreeContext(popt_context);
1078 static void help(poptContext popt_context,
1079 enum poptCallbackReason reason __attribute__((unused)),
1080 struct poptOption *key,
1081 const char *arg __attribute__((unused)),
1082 void *data __attribute__((unused)))
1084 if (key->shortName == '?') {
1085 struct action_type *action;
1087 log_std("%s\n",PACKAGE_STRING);
1089 poptPrintHelp(popt_context, stdout, 0);
1092 "<action> is one of:\n"));
1094 for(action = action_types; action->type; action++)
1095 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1098 "<name> is the device to create under %s\n"
1099 "<device> is the encrypted device\n"
1100 "<key slot> is the LUKS key slot number to modify\n"
1101 "<key file> optional key file for the new key for luksAddKey action\n"),
1104 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1105 "\tMaximum keyfile size: %dkB, "
1106 "Maximum interactive passphrase length %d (characters)\n"),
1107 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1109 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1110 "\tloop-AES: %s, Key %d bits\n"
1111 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1112 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1113 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1114 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1115 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1119 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1122 static void _dbg_version_and_cmd(int argc, const char **argv)
1126 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1127 for (i = 0; i < argc; i++) {
1130 log_std("%s", argv[i]);
1135 static int run_action(struct action_type *action)
1139 log_dbg("Running command %s.", action->type);
1141 if (action->required_memlock)
1142 crypt_memory_lock(NULL, 1);
1144 r = action->handler(action->arg);
1146 if (action->required_memlock)
1147 crypt_memory_lock(NULL, 0);
1149 /* Some functions returns keyslot # */
1155 /* Translate exit code to simple codes */
1157 case 0: r = EXIT_SUCCESS; break;
1159 case -EBUSY: r = 5; break;
1161 case -ENODEV: r = 4; break;
1162 case -ENOMEM: r = 3; break;
1163 case -EPERM: r = 2; break;
1167 default: r = EXIT_FAILURE;
1172 int main(int argc, const char **argv)
1174 static char *popt_tmp;
1175 static struct poptOption popt_help_options[] = {
1176 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1177 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1178 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1181 static struct poptOption popt_options[] = {
1182 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1183 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1184 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1185 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1186 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1187 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1188 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1189 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1190 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1191 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1192 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1193 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1194 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1195 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1196 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1197 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1198 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1199 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1200 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1201 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1202 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1203 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1204 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1205 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1206 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1207 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1208 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1209 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1210 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1211 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1214 poptContext popt_context;
1215 struct action_type *action;
1218 const char *null_action_argv[] = {NULL};
1220 crypt_set_log_callback(NULL, _log, NULL);
1222 setlocale(LC_ALL, "");
1223 bindtextdomain(PACKAGE, LOCALEDIR);
1224 textdomain(PACKAGE);
1226 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1227 poptSetOtherOptionHelp(popt_context,
1228 N_("[OPTION...] <action> <action-specific>]"));
1230 while((r = poptGetNextOpt(popt_context)) > 0) {
1231 unsigned long long ull_value;
1235 ull_value = strtoull(popt_tmp, &endp, 0);
1236 if (*endp || !*popt_tmp ||
1237 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1238 (errno != 0 && ull_value == 0))
1239 r = POPT_ERROR_BADNUMBER;
1243 opt_size = ull_value;
1246 opt_offset = ull_value;
1249 opt_skip = ull_value;
1259 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1260 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1261 if (opt_version_mode) {
1262 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1263 poptFreeContext(popt_context);
1267 if (!(aname = poptGetArg(popt_context)))
1268 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1269 poptGetInvocationName(popt_context));
1270 for(action = action_types; action->type; action++)
1271 if (strcmp(action->type, aname) == 0)
1274 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1275 poptGetInvocationName(popt_context));
1278 action_argv = poptGetArgs(popt_context);
1279 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1281 action_argv = null_action_argv;
1283 /* Count args, somewhat unnice, change? */
1284 while(action_argv[action_argc] != NULL)
1287 if(action_argc < action->required_action_argc) {
1289 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1290 usage(popt_context, EXIT_FAILURE, buf,
1291 poptGetInvocationName(popt_context));
1294 /* FIXME: rewrite this from scratch */
1296 if (opt_shared && strcmp(aname, "create")) {
1297 usage(popt_context, EXIT_FAILURE,
1298 _("Option --shared is allowed only for create operation.\n"),
1299 poptGetInvocationName(popt_context));
1302 if (opt_allow_discards &&
1303 strcmp(aname, "luksOpen") &&
1304 strcmp(aname, "create") &&
1305 strcmp(aname, "loopaesOpen")) {
1306 usage(popt_context, EXIT_FAILURE,
1307 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1308 poptGetInvocationName(popt_context));
1312 strcmp(aname, "luksFormat") &&
1313 strcmp(aname, "create") &&
1314 strcmp(aname, "loopaesOpen")) {
1315 usage(popt_context, EXIT_FAILURE,
1316 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1317 "To limit read from keyfile use --keyfile-size=(bytes)."),
1318 poptGetInvocationName(popt_context));
1321 if (opt_key_size % 8)
1322 usage(popt_context, EXIT_FAILURE,
1323 _("Key size must be a multiple of 8 bits"),
1324 poptGetInvocationName(popt_context));
1326 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1327 opt_key_slot = atoi(action_argv[1]);
1328 if (opt_key_slot != CRYPT_ANY_SLOT &&
1329 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1330 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1331 poptGetInvocationName(popt_context));
1333 if ((!strcmp(aname, "luksRemoveKey") ||
1334 !strcmp(aname, "luksFormat")) &&
1337 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1339 opt_key_file = action_argv[1];
1342 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1343 usage(popt_context, EXIT_FAILURE,
1344 _("Negative number for option not permitted."),
1345 poptGetInvocationName(popt_context));
1348 if (opt_random && opt_urandom)
1349 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1350 poptGetInvocationName(popt_context));
1351 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1352 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1353 poptGetInvocationName(popt_context));
1355 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1356 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1357 poptGetInvocationName(popt_context));
1359 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1360 usage(popt_context, EXIT_FAILURE,
1361 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1362 poptGetInvocationName(popt_context));
1364 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1365 usage(popt_context, EXIT_FAILURE,
1366 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1367 poptGetInvocationName(popt_context));
1371 crypt_set_debug_level(-1);
1372 _dbg_version_and_cmd(argc, argv);
1375 r = run_action(action);
1376 poptFreeContext(popt_context);