2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
32 #include <libcryptsetup.h>
35 #include "cryptsetup.h"
37 static int opt_verbose = 0;
38 static int opt_debug = 0;
39 static char *opt_cipher = NULL;
40 static char *opt_hash = NULL;
41 static int opt_verify_passphrase = 0;
42 static char *opt_key_file = NULL;
43 static char *opt_master_key_file = NULL;
44 static char *opt_header_backup_file = NULL;
45 static char *opt_uuid = NULL;
46 static int opt_key_size = 0;
47 static long opt_keyfile_size = 0;
48 static long opt_new_keyfile_size = 0;
49 static int opt_key_slot = CRYPT_ANY_SLOT;
50 static uint64_t opt_size = 0;
51 static uint64_t opt_offset = 0;
52 static uint64_t opt_skip = 0;
53 static int opt_readonly = 0;
54 static int opt_iteration_time = 1000;
55 static int opt_batch_mode = 0;
56 static int opt_version_mode = 0;
57 static int opt_timeout = 0;
58 static int opt_tries = 3;
59 static int opt_align_payload = 0;
60 static int opt_random = 0;
61 static int opt_urandom = 0;
62 static int opt_dump_master_key = 0;
64 static const char **action_argv;
65 static int action_argc;
67 static int action_create(int arg);
68 static int action_remove(int arg);
69 static int action_resize(int arg);
70 static int action_status(int arg);
71 static int action_luksFormat(int arg);
72 static int action_luksOpen(int arg);
73 static int action_luksAddKey(int arg);
74 static int action_luksKillSlot(int arg);
75 static int action_luksRemoveKey(int arg);
76 static int action_luksChangeKey(int arg);
77 static int action_isLuks(int arg);
78 static int action_luksUUID(int arg);
79 static int action_luksDump(int arg);
80 static int action_luksSuspend(int arg);
81 static int action_luksResume(int arg);
82 static int action_luksBackup(int arg);
83 static int action_luksRestore(int arg);
84 static int action_loopaesOpen(int arg);
86 static struct action_type {
90 int required_action_argc;
95 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
96 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
97 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
98 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
99 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
100 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
101 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
102 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
103 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
104 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
105 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
106 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
107 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
108 { "luksDump", action_luksDump, 0, 1, 0, N_("<device>"), N_("dump LUKS partition information") },
109 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
110 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
111 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
112 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
113 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
114 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
115 { NULL, NULL, 0, 0, 0, NULL, NULL }
118 static void clogger(struct crypt_device *cd, int level, const char *file,
119 int line, const char *format, ...)
124 va_start(argp, format);
126 if (vasprintf(&target, format, argp) > 0) {
128 crypt_log(cd, level, target);
130 } else if (opt_debug)
131 printf("# %s:%d %s\n", file ?: "?", line, target);
133 } else if (opt_debug)
134 printf("# %s\n", target);
142 static int _yesDialog(const char *msg, void *usrptr)
148 if(isatty(0) && !opt_batch_mode) {
149 log_std("\nWARNING!\n========\n");
150 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
151 if(getline(&answer, &size, stdin) == -1) {
156 if(strcmp(answer, "YES\n"))
164 static void _log(int level, const char *msg, void *usrptr)
168 case CRYPT_LOG_NORMAL:
171 case CRYPT_LOG_VERBOSE:
175 case CRYPT_LOG_ERROR:
178 case CRYPT_LOG_DEBUG:
180 printf("# %s\n", msg);
183 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
188 static void show_status(int errcode)
190 char error[256], *error_;
196 log_std(_("Command successful.\n"));
200 crypt_get_error(error, sizeof(error));
203 error_ = strerror_r(-errcode, error, sizeof(error));
204 if (error_ != error) {
205 strncpy(error, error_, sizeof(error));
206 error[sizeof(error) - 1] = '\0';
210 log_err(_("Command failed with code %i"), -errcode);
212 log_err(": %s\n", error);
217 static int action_create(int arg)
219 struct crypt_device *cd = NULL;
220 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
221 struct crypt_params_plain params = {
222 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
224 .offset = opt_offset,
226 char *password = NULL;
228 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
231 if (params.hash && !strcmp(params.hash, "plain"))
234 /* FIXME: temporary hack */
235 if (opt_key_file && strcmp(opt_key_file, "-"))
238 if (opt_keyfile_size && opt_key_file)
239 log_std(("Ignoring keyfile size option, keyfile read size "
240 "is always the same as encryption key size.\n"));
242 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
243 cipher, NULL, cipher_mode);
245 log_err("No known cipher specification pattern detected.\n");
249 if ((r = crypt_init(&cd, action_argv[1])))
252 crypt_set_timeout(cd, opt_timeout);
253 crypt_set_password_retry(cd, opt_tries);
255 r = crypt_format(cd, CRYPT_PLAIN,
264 r = crypt_activate_by_keyfile(cd, action_argv[0],
265 CRYPT_ANY_SLOT, opt_key_file, key_size,
266 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
268 r = crypt_get_key(_("Enter passphrase: "),
269 &password, &passwordLen, opt_keyfile_size,
271 opt_batch_mode ? 0 : opt_verify_passphrase,
276 r = crypt_activate_by_passphrase(cd, action_argv[0],
277 CRYPT_ANY_SLOT, password, passwordLen,
278 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
282 crypt_safe_free(password);
287 static int action_loopaesOpen(int arg)
289 struct crypt_device *cd = NULL;
290 struct crypt_params_loopaes params = {
291 .hash = opt_hash ?: NULL, // FIXME
292 .offset = opt_offset,
294 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
298 log_err(_("Option --key-file is required.\n"));
302 if ((r = crypt_init(&cd, action_argv[0])))
305 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
306 NULL, NULL, NULL, key_size, ¶ms);
310 r = crypt_activate_by_keyfile(cd, action_argv[1],
311 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
312 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
319 static int action_remove(int arg)
321 struct crypt_device *cd = NULL;
324 r = crypt_init_by_name(&cd, action_argv[0]);
326 r = crypt_deactivate(cd, action_argv[0]);
332 static int action_resize(int arg)
334 struct crypt_device *cd = NULL;
337 r = crypt_init_by_name(&cd, action_argv[0]);
339 r = crypt_resize(cd, action_argv[0], opt_size);
345 static int action_status(int arg)
347 crypt_status_info ci;
348 struct crypt_active_device cad;
349 struct crypt_device *cd = NULL;
354 ci = crypt_status(NULL, action_argv[0]);
360 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
364 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
365 ci == CRYPT_BUSY ? " and is in use" : "");
366 r = crypt_init_by_name(&cd, action_argv[0]);
367 if (r < 0 || !crypt_get_type(cd))
370 log_std(" type: %s\n", crypt_get_type(cd));
372 r = crypt_get_active_device(cd, action_argv[0], &cad);
376 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
377 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
378 device = crypt_get_device_name(cd);
379 log_std(" device: %s\n", device);
380 if (crypt_loop_device(device)) {
381 backing_file = crypt_loop_backing_file(device);
382 log_std(" loop: %s\n", backing_file);
385 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
386 log_std(" size: %" PRIu64 " sectors\n", cad.size);
388 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
389 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
390 "readonly" : "read/write");
397 static int _read_mk(const char *file, char **key, int keysize)
401 *key = crypt_safe_alloc(keysize);
405 fd = open(file, O_RDONLY);
407 log_err("Cannot read keyfile %s.\n", file);
410 if ((read(fd, *key, keysize) != keysize)) {
411 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
418 crypt_safe_free(*key);
423 static int action_luksFormat(int arg)
425 int r = -EINVAL, keysize;
426 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
427 char *password = NULL;
429 struct crypt_device *cd = NULL;
430 struct crypt_params_luks1 params = {
431 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
432 .data_alignment = opt_align_payload,
435 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
436 log_err(_("memory allocation error in action_luksFormat"));
440 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
445 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
446 cipher, NULL, cipher_mode);
448 log_err("No known cipher specification pattern detected.\n");
452 if ((r = crypt_init(&cd, action_argv[0])))
455 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
457 crypt_set_password_verify(cd, 1);
458 crypt_set_timeout(cd, opt_timeout);
459 if (opt_iteration_time)
460 crypt_set_iterarion_time(cd, opt_iteration_time);
463 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
464 else if (opt_urandom)
465 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
467 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
468 opt_keyfile_size, opt_key_file, opt_timeout,
469 opt_batch_mode ? 0 : 1 /* always verify */, cd);
473 if (opt_master_key_file) {
474 r = _read_mk(opt_master_key_file, &key, keysize);
479 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
480 opt_uuid, key, keysize, ¶ms);
484 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
486 password, passwordLen);
489 crypt_safe_free(key);
490 crypt_safe_free(password);
495 static int action_luksOpen(int arg)
497 struct crypt_device *cd = NULL;
501 if ((r = crypt_init(&cd, action_argv[0])))
504 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
507 crypt_set_timeout(cd, opt_timeout);
508 crypt_set_password_retry(cd, opt_tries);
510 if (opt_iteration_time)
511 crypt_set_iterarion_time(cd, opt_iteration_time);
513 flags |= CRYPT_ACTIVATE_READONLY;
516 crypt_set_password_retry(cd, 1);
517 r = crypt_activate_by_keyfile(cd, action_argv[1],
518 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
521 r = crypt_activate_by_passphrase(cd, action_argv[1],
522 CRYPT_ANY_SLOT, NULL, 0, flags);
528 static int verify_keyslot(struct crypt_device *cd, int key_slot,
529 char *msg_last, char *msg_pass,
530 const char *key_file, int keyfile_size)
532 crypt_keyslot_info ki;
533 char *password = NULL;
537 ki = crypt_keyslot_status(cd, key_slot);
538 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
541 r = crypt_get_key(msg_pass, &password, &passwordLen,
542 keyfile_size, key_file, opt_timeout,
543 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
547 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
548 /* check the last keyslot */
549 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
550 password, passwordLen, 0);
552 /* try all other keyslots */
553 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
556 ki = crypt_keyslot_status(cd, key_slot);
557 if (ki == CRYPT_SLOT_ACTIVE)
558 r = crypt_activate_by_passphrase(cd, NULL, i,
559 password, passwordLen, 0);
566 log_err(_("No key available with this passphrase.\n"));
568 crypt_safe_free(password);
572 static int action_luksKillSlot(int arg)
574 struct crypt_device *cd = NULL;
577 if ((r = crypt_init(&cd, action_argv[0])))
580 crypt_set_confirm_callback(cd, _yesDialog, NULL);
581 crypt_set_timeout(cd, opt_timeout);
583 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
586 switch (crypt_keyslot_status(cd, opt_key_slot)) {
587 case CRYPT_SLOT_ACTIVE_LAST:
588 case CRYPT_SLOT_ACTIVE:
589 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
591 case CRYPT_SLOT_INACTIVE:
592 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
593 case CRYPT_SLOT_INVALID:
597 if (!opt_batch_mode) {
598 r = verify_keyslot(cd, opt_key_slot,
599 _("This is the last keyslot. Device will become unusable after purging this key."),
600 _("Enter any remaining LUKS passphrase: "),
601 opt_key_file, opt_keyfile_size);
606 r = crypt_keyslot_destroy(cd, opt_key_slot);
612 static int action_luksRemoveKey(int arg)
614 struct crypt_device *cd = NULL;
615 char *password = NULL;
619 if ((r = crypt_init(&cd, action_argv[0])))
622 crypt_set_confirm_callback(cd, _yesDialog, NULL);
623 crypt_set_timeout(cd, opt_timeout);
625 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
628 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
629 &password, &passwordLen,
630 opt_keyfile_size, opt_key_file,
632 opt_batch_mode ? 0 : opt_verify_passphrase,
637 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
638 password, passwordLen, 0);
643 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
645 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
646 !_yesDialog(_("This is the last keyslot. "
647 "Device will become unusable after purging this key."),
653 r = crypt_keyslot_destroy(cd, opt_key_slot);
655 crypt_safe_free(password);
660 static int action_luksAddKey(int arg)
662 int r = -EINVAL, keysize = 0;
664 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
665 struct crypt_device *cd = NULL;
667 if ((r = crypt_init(&cd, action_argv[0])))
670 crypt_set_confirm_callback(cd, _yesDialog, NULL);
672 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
675 keysize = crypt_get_volume_key_size(cd);
676 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
677 crypt_set_timeout(cd, opt_timeout);
678 if (opt_iteration_time)
679 crypt_set_iterarion_time(cd, opt_iteration_time);
681 if (opt_master_key_file) {
682 r = _read_mk(opt_master_key_file, &key, keysize);
685 //FIXME: process keyfile arg
686 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
687 key, keysize, NULL, 0);
688 } else if (opt_key_file || opt_new_key_file) {
689 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
690 opt_key_file, opt_keyfile_size,
691 opt_new_key_file, opt_new_keyfile_size);
693 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
698 crypt_safe_free(key);
702 static int _slots_full(struct crypt_device *cd)
706 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
707 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
712 static int action_luksChangeKey(int arg)
714 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
715 struct crypt_device *cd = NULL;
716 char *vk = NULL, *password = NULL;
717 size_t passwordLen = 0;
719 int new_key_slot, old_key_slot, r;
721 if ((r = crypt_init(&cd, action_argv[0])))
724 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
727 if (opt_iteration_time)
728 crypt_set_iterarion_time(cd, opt_iteration_time);
730 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
731 &password, &passwordLen,
732 opt_keyfile_size, opt_key_file, opt_timeout,
733 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
737 vk_size = crypt_get_volume_key_size(cd);
738 vk = crypt_safe_alloc(vk_size);
744 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
745 password, passwordLen);
747 if (opt_key_slot != CRYPT_ANY_SLOT)
748 log_err(_("No key available with this passphrase.\n"));
752 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
753 log_dbg("Key slot %d is going to be overwritten (%s).",
754 r, opt_key_slot != CRYPT_ANY_SLOT ?
755 "explicit key slot specified" : "no free key slot");
759 log_dbg("Allocating new key slot.");
761 new_key_slot = CRYPT_ANY_SLOT;
764 crypt_safe_free(password);
767 r = crypt_get_key(_("Enter new LUKS passphrase: "),
768 &password, &passwordLen,
769 opt_new_keyfile_size, opt_new_key_file,
770 opt_timeout, opt_batch_mode ? 0 : 1, cd);
774 if (new_key_slot == old_key_slot) {
775 (void)crypt_keyslot_destroy(cd, old_key_slot);
776 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
778 password, passwordLen);
780 log_verbose(_("Key slot %d changed.\n"), r);
782 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
784 password, passwordLen);
786 log_verbose(_("Replaced with key slot %d.\n"), r);
787 r = crypt_keyslot_destroy(cd, old_key_slot);
791 log_err(_("Failed to swap new key slot.\n"));
794 crypt_safe_free(password);
799 static int action_isLuks(int arg)
801 struct crypt_device *cd = NULL;
804 if ((r = crypt_init(&cd, action_argv[0])))
807 r = crypt_load(cd, CRYPT_LUKS1, NULL);
813 static int action_luksUUID(int arg)
815 struct crypt_device *cd = NULL;
816 const char *existing_uuid = NULL;
819 if ((r = crypt_init(&cd, action_argv[0])))
822 crypt_set_confirm_callback(cd, _yesDialog, NULL);
824 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
828 r = crypt_set_uuid(cd, opt_uuid);
830 existing_uuid = crypt_get_uuid(cd);
831 log_std("%s\n", existing_uuid ?: "");
832 r = existing_uuid ? 0 : 1;
839 static int luksDump_with_volume_key(struct crypt_device *cd)
841 char *vk = NULL, *password = NULL;
842 size_t passwordLen = 0;
846 crypt_set_confirm_callback(cd, _yesDialog, NULL);
848 _("LUKS header dump with volume key is sensitive information\n"
849 "which allows access to encrypted partition without passphrase.\n"
850 "This dump should be always stored encrypted on safe place."),
854 vk_size = crypt_get_volume_key_size(cd);
855 vk = crypt_safe_alloc(vk_size);
859 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
860 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
864 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
865 password, passwordLen);
869 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
870 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
871 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
872 log_std("Payload offset:\t%d\n", crypt_get_data_offset(cd));
873 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
874 log_std("MK bits: \t%d\n", vk_size * 8);
875 log_std("MK dump:\t");
877 for(i = 0; i < vk_size; i++) {
880 log_std("%02hhx ", (char)vk[i]);
885 crypt_safe_free(password);
890 static int action_luksDump(int arg)
892 struct crypt_device *cd = NULL;
895 if ((r = crypt_init(&cd, action_argv[0])))
898 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
901 if (opt_dump_master_key)
902 r = luksDump_with_volume_key(cd);
910 static int action_luksSuspend(int arg)
912 struct crypt_device *cd = NULL;
915 r = crypt_init_by_name(&cd, action_argv[0]);
917 r = crypt_suspend(cd, action_argv[0]);
923 static int action_luksResume(int arg)
925 struct crypt_device *cd = NULL;
928 if ((r = crypt_init_by_name(&cd, action_argv[0])))
931 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
935 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
936 opt_key_file, opt_keyfile_size);
938 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
945 static int action_luksBackup(int arg)
947 struct crypt_device *cd = NULL;
950 if (!opt_header_backup_file) {
951 log_err(_("Option --header-backup-file is required.\n"));
955 if ((r = crypt_init(&cd, action_argv[0])))
958 crypt_set_confirm_callback(cd, _yesDialog, NULL);
960 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
966 static int action_luksRestore(int arg)
968 struct crypt_device *cd = NULL;
971 if (!opt_header_backup_file) {
972 log_err(_("Option --header-backup-file is required.\n"));
976 if ((r = crypt_init(&cd, action_argv[0])))
979 crypt_set_confirm_callback(cd, _yesDialog, NULL);
980 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
986 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
987 int exitcode, const char *error,
990 poptPrintUsage(popt_context, stderr, 0);
992 log_err("%s: %s\n", more, error);
996 static void help(poptContext popt_context, enum poptCallbackReason reason,
997 struct poptOption *key, const char * arg, void *data)
999 if (key->shortName == '?') {
1000 struct action_type *action;
1002 log_std("%s\n",PACKAGE_STRING);
1004 poptPrintHelp(popt_context, stdout, 0);
1007 "<action> is one of:\n"));
1009 for(action = action_types; action->type; action++)
1010 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1013 "<name> is the device to create under %s\n"
1014 "<device> is the encrypted device\n"
1015 "<key slot> is the LUKS key slot number to modify\n"
1016 "<key file> optional key file for the new key for luksAddKey action\n"),
1019 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1020 "\tMaximum keyfile size: %dkB, "
1021 "Maximum interactive passphrase length %d (characters)\n"),
1022 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1024 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1025 "\tloop-AES: %s, Key %d bits\n"
1026 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1027 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1028 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1029 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1030 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1034 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1037 static void _dbg_version_and_cmd(int argc, char **argv)
1041 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1042 for (i = 0; i < argc; i++) {
1050 static int run_action(struct action_type *action)
1054 log_dbg("Running command %s.", action->type);
1056 if (action->required_memlock)
1057 crypt_memory_lock(NULL, 1);
1059 r = action->handler(action->arg);
1061 if (action->required_memlock)
1062 crypt_memory_lock(NULL, 0);
1064 /* Some functions returns keyslot # */
1070 /* Translate exit code to simple codes */
1072 case 0: r = EXIT_SUCCESS; break;
1074 case -EBUSY: r = 5; break;
1076 case -ENODEV: r = 4; break;
1077 case -ENOMEM: r = 3; break;
1078 case -EPERM: r = 2; break;
1082 default: r = EXIT_FAILURE;
1087 int main(int argc, char **argv)
1089 static char *popt_tmp;
1090 static struct poptOption popt_help_options[] = {
1091 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1092 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1093 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1096 static struct poptOption popt_options[] = {
1097 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1098 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1099 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1100 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1101 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1102 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1103 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1104 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1105 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1106 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1107 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1108 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1109 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1110 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1111 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1112 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1113 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1114 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1115 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1116 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1117 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1118 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1119 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1120 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1121 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1122 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1123 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1126 poptContext popt_context;
1127 struct action_type *action;
1130 const char *null_action_argv[] = {NULL};
1132 crypt_set_log_callback(NULL, _log, NULL);
1134 setlocale(LC_ALL, "");
1135 bindtextdomain(PACKAGE, LOCALEDIR);
1136 textdomain(PACKAGE);
1138 popt_context = poptGetContext(PACKAGE, argc, (const char **)argv,
1140 poptSetOtherOptionHelp(popt_context,
1141 N_("[OPTION...] <action> <action-specific>]"));
1143 while((r = poptGetNextOpt(popt_context)) > 0) {
1144 unsigned long long ull_value;
1147 ull_value = strtoull(popt_tmp, &endp, 0);
1148 if (*endp || !*popt_tmp)
1149 r = POPT_ERROR_BADNUMBER;
1153 opt_size = ull_value;
1156 opt_offset = ull_value;
1159 opt_skip = ull_value;
1168 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1169 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1170 if (opt_version_mode) {
1171 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1175 if (!(aname = (char *)poptGetArg(popt_context)))
1176 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1177 poptGetInvocationName(popt_context));
1178 for(action = action_types; action->type; action++)
1179 if (strcmp(action->type, aname) == 0)
1182 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1183 poptGetInvocationName(popt_context));
1186 action_argv = poptGetArgs(popt_context);
1187 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1189 action_argv = null_action_argv;
1191 /* Count args, somewhat unnice, change? */
1192 while(action_argv[action_argc] != NULL)
1195 if(action_argc < action->required_action_argc) {
1197 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1198 usage(popt_context, EXIT_FAILURE, buf,
1199 poptGetInvocationName(popt_context));
1202 /* FIXME: rewrite this from scratch */
1205 strcmp(aname, "luksFormat") &&
1206 strcmp(aname, "create") &&
1207 strcmp(aname, "loopaesOpen")) {
1208 usage(popt_context, EXIT_FAILURE,
1209 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1210 "To limit read from keyfile use --keyfile-size=(bytes)."),
1211 poptGetInvocationName(popt_context));
1214 if (opt_key_size % 8)
1215 usage(popt_context, EXIT_FAILURE,
1216 _("Key size must be a multiple of 8 bits"),
1217 poptGetInvocationName(popt_context));
1219 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1220 opt_key_slot = atoi(action_argv[1]);
1221 if (opt_key_slot != CRYPT_ANY_SLOT &&
1222 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1223 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1224 poptGetInvocationName(popt_context));
1226 if ((!strcmp(aname, "luksRemoveKey") ||
1227 !strcmp(aname, "luksFormat")) &&
1230 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1232 opt_key_file = (char*)action_argv[1];
1235 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1236 usage(popt_context, EXIT_FAILURE,
1237 _("Negative number for option not permitted."),
1238 poptGetInvocationName(popt_context));
1241 if (opt_random && opt_urandom)
1242 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1243 poptGetInvocationName(popt_context));
1244 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1245 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1246 poptGetInvocationName(popt_context));
1248 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1249 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1250 poptGetInvocationName(popt_context));
1252 if ((opt_offset || opt_skip) && strcmp(aname, "create"))
1253 usage(popt_context, EXIT_FAILURE, _("Options --offset and --skip are supported only for create command.\n"),
1254 poptGetInvocationName(popt_context));
1258 crypt_set_debug_level(-1);
1259 _dbg_version_and_cmd(argc, argv);
1262 return run_action(action);