2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include <libcryptsetup.h>
38 #include "cryptsetup.h"
40 static int opt_verbose = 0;
41 static int opt_debug = 0;
42 static const char *opt_cipher = NULL;
43 static const char *opt_hash = NULL;
44 static int opt_verify_passphrase = 0;
45 static const char *opt_key_file = NULL;
46 static const char *opt_master_key_file = NULL;
47 static const char *opt_header_backup_file = NULL;
48 static const char *opt_uuid = NULL;
49 static const char *opt_header_device = NULL;
50 static int opt_key_size = 0;
51 static long opt_keyfile_size = 0;
52 static long opt_new_keyfile_size = 0;
53 static long opt_keyfile_offset = 0;
54 static long opt_new_keyfile_offset = 0;
55 static int opt_key_slot = CRYPT_ANY_SLOT;
56 static uint64_t opt_size = 0;
57 static uint64_t opt_offset = 0;
58 static uint64_t opt_skip = 0;
59 static int opt_skip_valid = 0;
60 static int opt_readonly = 0;
61 static int opt_iteration_time = 1000;
62 static int opt_batch_mode = 0;
63 static int opt_version_mode = 0;
64 static int opt_timeout = 0;
65 static int opt_tries = 3;
66 static int opt_align_payload = 0;
67 static int opt_random = 0;
68 static int opt_urandom = 0;
69 static int opt_dump_master_key = 0;
70 static int opt_shared = 0;
71 static int opt_allow_discards = 0;
73 static const char **action_argv;
74 static int action_argc;
76 static int action_create(int arg);
77 static int action_remove(int arg);
78 static int action_resize(int arg);
79 static int action_status(int arg);
80 static int action_luksFormat(int arg);
81 static int action_luksOpen(int arg);
82 static int action_luksAddKey(int arg);
83 static int action_luksKillSlot(int arg);
84 static int action_luksRemoveKey(int arg);
85 static int action_luksChangeKey(int arg);
86 static int action_isLuks(int arg);
87 static int action_luksUUID(int arg);
88 static int action_luksDump(int arg);
89 static int action_luksSuspend(int arg);
90 static int action_luksResume(int arg);
91 static int action_luksBackup(int arg);
92 static int action_luksRestore(int arg);
93 static int action_loopaesOpen(int arg);
95 static struct action_type {
99 int required_action_argc;
100 int required_memlock;
101 const char *arg_desc;
104 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
105 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
106 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
107 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
108 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
109 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
110 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
111 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
112 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
113 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
114 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
115 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
116 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
117 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
118 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
119 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
120 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
121 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
122 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
123 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
124 { NULL, NULL, 0, 0, 0, NULL, NULL }
127 __attribute__((format(printf, 5, 6)))
128 static void clogger(struct crypt_device *cd, int level, const char *file,
129 int line, const char *format, ...)
134 va_start(argp, format);
136 if (vasprintf(&target, format, argp) > 0) {
138 crypt_log(cd, level, target);
140 } else if (opt_debug)
141 printf("# %s:%d %s\n", file ?: "?", line, target);
143 } else if (opt_debug)
144 printf("# %s\n", target);
152 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
158 if(isatty(STDIN_FILENO) && !opt_batch_mode) {
159 log_std("\nWARNING!\n========\n");
160 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
161 if(getline(&answer, &size, stdin) == -1) {
166 if(strcmp(answer, "YES\n"))
174 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
178 case CRYPT_LOG_NORMAL:
181 case CRYPT_LOG_VERBOSE:
185 case CRYPT_LOG_ERROR:
188 case CRYPT_LOG_DEBUG:
190 printf("# %s\n", msg);
193 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
198 static void _quiet_log(int level, const char *msg, void *usrptr)
200 if (!opt_verbose && (level == CRYPT_LOG_ERROR || level == CRYPT_LOG_NORMAL))
201 level = CRYPT_LOG_VERBOSE;
202 _log(level, msg, usrptr);
205 static int _verify_passphrase(int def)
207 /* Batch mode switch off verify - if not overrided by -y */
208 if (opt_verify_passphrase)
210 else if (opt_batch_mode)
213 /* Non-tty input doesn't allow verify */
214 if (def && !isatty(STDIN_FILENO)) {
215 if (opt_verify_passphrase)
216 log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
223 static void show_status(int errcode)
225 char error[256], *error_;
231 log_std(_("Command successful.\n"));
235 crypt_get_error(error, sizeof(error));
238 error_ = strerror_r(-errcode, error, sizeof(error));
239 if (error_ != error) {
240 strncpy(error, error_, sizeof(error));
241 error[sizeof(error) - 1] = '\0';
245 log_err(_("Command failed with code %i"), -errcode);
247 log_err(": %s\n", error);
252 static const char *uuid_or_device(const char *spec)
254 static char device[PATH_MAX];
256 int i = 0, uuid_len = 5;
258 /* Check if it is correct UUID=<LUKS_UUID> format */
259 if (spec && !strncmp(spec, "UUID=", uuid_len)) {
260 strcpy(device, "/dev/disk/by-uuid/");
261 ptr = &device[strlen(device)];
263 while ((s = spec[i++]) && i < PATH_MAX) {
264 if (!isxdigit(s) && s != '-')
265 return spec; /* Bail it out */
277 static int action_create(int arg __attribute__((unused)))
279 struct crypt_device *cd = NULL;
280 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
281 struct crypt_params_plain params = {
282 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
284 .offset = opt_offset,
287 char *password = NULL;
289 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
290 uint32_t activate_flags = 0;
293 if (params.hash && !strcmp(params.hash, "plain"))
296 /* FIXME: temporary hack */
297 if (opt_key_file && strcmp(opt_key_file, "-"))
300 if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file)
301 log_std(("Ignoring keyfile offset and size options, keyfile read "
302 "size is always the same as encryption key size.\n"));
304 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
305 cipher, NULL, cipher_mode);
307 log_err("No known cipher specification pattern detected.\n");
311 if ((r = crypt_init(&cd, action_argv[1])))
314 crypt_set_timeout(cd, opt_timeout);
315 crypt_set_password_retry(cd, opt_tries);
317 r = crypt_format(cd, CRYPT_PLAIN,
326 activate_flags |= CRYPT_ACTIVATE_READONLY;
329 activate_flags |= CRYPT_ACTIVATE_SHARED;
331 if (opt_allow_discards)
332 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
335 /* With hashing, read the whole keyfile */
336 r = crypt_activate_by_keyfile_offset(cd, action_argv[0],
337 CRYPT_ANY_SLOT, opt_key_file,
338 params.hash ? 0 : key_size, 0,
341 r = crypt_get_key(_("Enter passphrase: "),
342 &password, &passwordLen,
343 opt_keyfile_offset, opt_keyfile_size,
345 _verify_passphrase(0),
350 r = crypt_activate_by_passphrase(cd, action_argv[0],
351 CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
355 crypt_safe_free(password);
360 static int action_loopaesOpen(int arg __attribute__((unused)))
362 struct crypt_device *cd = NULL;
363 struct crypt_params_loopaes params = {
364 .hash = opt_hash ?: NULL,
365 .offset = opt_offset,
366 .skip = opt_skip_valid ? opt_skip : opt_offset,
368 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
369 uint32_t activate_flags = 0;
373 log_err(_("Option --key-file is required.\n"));
378 activate_flags |= CRYPT_ACTIVATE_READONLY;
380 if (opt_allow_discards)
381 activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
383 if ((r = crypt_init(&cd, action_argv[0])))
386 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
387 NULL, NULL, NULL, key_size, ¶ms);
391 r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
392 opt_key_file, opt_keyfile_size,
393 opt_keyfile_size, activate_flags);
400 static int action_remove(int arg __attribute__((unused)))
402 struct crypt_device *cd = NULL;
405 r = crypt_init_by_name(&cd, action_argv[0]);
407 r = crypt_deactivate(cd, action_argv[0]);
413 static int action_resize(int arg __attribute__((unused)))
415 struct crypt_device *cd = NULL;
418 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
420 r = crypt_resize(cd, action_argv[0], opt_size);
426 static int action_status(int arg __attribute__((unused)))
428 crypt_status_info ci;
429 struct crypt_active_device cad;
430 struct crypt_device *cd = NULL;
436 /* perhaps a path, not a dm device name */
437 if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
440 ci = crypt_status(NULL, action_argv[0]);
447 log_std("%s is inactive.\n", action_argv[0]);
449 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
455 log_std("%s is active%s.\n", action_argv[0],
456 ci == CRYPT_BUSY ? " and is in use" : "");
458 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
459 ci == CRYPT_BUSY ? " and is in use" : "");
461 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
462 if (r < 0 || !crypt_get_type(cd))
465 log_std(" type: %s\n", crypt_get_type(cd));
467 r = crypt_get_active_device(cd, action_argv[0], &cad);
471 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
472 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
473 device = crypt_get_device_name(cd);
474 log_std(" device: %s\n", device);
475 if (crypt_loop_device(device)) {
476 backing_file = crypt_loop_backing_file(device);
477 log_std(" loop: %s\n", backing_file);
480 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
481 log_std(" size: %" PRIu64 " sectors\n", cad.size);
483 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
484 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
485 "readonly" : "read/write");
486 if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
487 log_std(" flags: discards\n");
494 static int _read_mk(const char *file, char **key, int keysize)
498 *key = crypt_safe_alloc(keysize);
502 fd = open(file, O_RDONLY);
504 log_err("Cannot read keyfile %s.\n", file);
507 if ((read(fd, *key, keysize) != keysize)) {
508 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
515 crypt_safe_free(*key);
520 static int action_luksFormat(int arg __attribute__((unused)))
522 int r = -EINVAL, keysize;
523 const char *header_device;
524 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
525 char *password = NULL;
527 struct crypt_device *cd = NULL;
528 struct crypt_params_luks1 params = {
529 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
530 .data_alignment = opt_align_payload,
531 .data_device = opt_header_device ? action_argv[0] : NULL,
534 header_device = opt_header_device ?: action_argv[0];
536 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
537 header_device) == -1) {
538 log_err(_("memory allocation error in action_luksFormat"));
542 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
547 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
548 cipher, NULL, cipher_mode);
550 log_err(_("No known cipher specification pattern detected.\n"));
554 if ((r = crypt_init(&cd, header_device))) {
555 if (opt_header_device)
556 log_err(_("Cannot use %s as on-disk header.\n"), header_device);
560 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
562 crypt_set_timeout(cd, opt_timeout);
563 if (opt_iteration_time)
564 crypt_set_iteration_time(cd, opt_iteration_time);
567 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
568 else if (opt_urandom)
569 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
571 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
572 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
573 opt_timeout, _verify_passphrase(1), cd);
577 if (opt_master_key_file) {
578 r = _read_mk(opt_master_key_file, &key, keysize);
583 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
584 opt_uuid, key, keysize, ¶ms);
588 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
590 password, passwordLen);
593 crypt_safe_free(key);
594 crypt_safe_free(password);
599 static int action_luksOpen(int arg __attribute__((unused)))
601 struct crypt_device *cd = NULL;
602 const char *data_device, *header_device;
607 if (opt_header_device) {
608 header_device = uuid_or_device(opt_header_device);
609 data_device = action_argv[0];
611 header_device = uuid_or_device(action_argv[0]);
615 if ((r = crypt_init(&cd, header_device)))
618 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
622 (r = crypt_set_data_device(cd, data_device)))
625 if (!data_device && (crypt_get_data_offset(cd) < 8)) {
626 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
631 crypt_set_timeout(cd, opt_timeout);
632 crypt_set_password_retry(cd, opt_tries);
633 crypt_set_password_verify(cd, _verify_passphrase(0));
635 if (opt_iteration_time)
636 crypt_set_iteration_time(cd, opt_iteration_time);
639 flags |= CRYPT_ACTIVATE_READONLY;
641 if (opt_allow_discards)
642 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
644 if (opt_master_key_file) {
645 keysize = crypt_get_volume_key_size(cd);
646 r = _read_mk(opt_master_key_file, &key, keysize);
649 r = crypt_activate_by_volume_key(cd, action_argv[1],
650 key, keysize, flags);
651 } else if (opt_key_file) {
652 crypt_set_password_retry(cd, 1);
653 r = crypt_activate_by_keyfile_offset(cd, action_argv[1],
654 opt_key_slot, opt_key_file, opt_keyfile_size,
655 opt_keyfile_offset, flags);
657 r = crypt_activate_by_passphrase(cd, action_argv[1],
658 opt_key_slot, NULL, 0, flags);
660 crypt_safe_free(key);
665 static int verify_keyslot(struct crypt_device *cd, int key_slot,
666 char *msg_last, char *msg_pass,
667 const char *key_file, int keyfile_offset,
670 crypt_keyslot_info ki;
671 char *password = NULL;
675 ki = crypt_keyslot_status(cd, key_slot);
676 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
679 r = crypt_get_key(msg_pass, &password, &passwordLen,
680 keyfile_offset, keyfile_size, key_file, opt_timeout,
681 _verify_passphrase(0), cd);
685 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
686 /* check the last keyslot */
687 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
688 password, passwordLen, 0);
690 /* try all other keyslots */
691 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
694 ki = crypt_keyslot_status(cd, key_slot);
695 if (ki == CRYPT_SLOT_ACTIVE)
696 r = crypt_activate_by_passphrase(cd, NULL, i,
697 password, passwordLen, 0);
704 log_err(_("No key available with this passphrase.\n"));
706 crypt_safe_free(password);
710 static int action_luksKillSlot(int arg __attribute__((unused)))
712 struct crypt_device *cd = NULL;
715 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
718 crypt_set_confirm_callback(cd, _yesDialog, NULL);
719 crypt_set_timeout(cd, opt_timeout);
721 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
724 switch (crypt_keyslot_status(cd, opt_key_slot)) {
725 case CRYPT_SLOT_ACTIVE_LAST:
726 case CRYPT_SLOT_ACTIVE:
727 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
729 case CRYPT_SLOT_INACTIVE:
730 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
731 case CRYPT_SLOT_INVALID:
736 if (!opt_batch_mode) {
737 r = verify_keyslot(cd, opt_key_slot,
738 _("This is the last keyslot. Device will become unusable after purging this key."),
739 _("Enter any remaining LUKS passphrase: "),
740 opt_key_file, opt_keyfile_offset, opt_keyfile_size);
745 r = crypt_keyslot_destroy(cd, opt_key_slot);
751 static int action_luksRemoveKey(int arg __attribute__((unused)))
753 struct crypt_device *cd = NULL;
754 char *password = NULL;
758 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
761 crypt_set_confirm_callback(cd, _yesDialog, NULL);
762 crypt_set_timeout(cd, opt_timeout);
764 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
767 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
768 &password, &passwordLen,
769 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
771 _verify_passphrase(0),
776 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
777 password, passwordLen, 0);
782 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
784 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
785 !_yesDialog(_("This is the last keyslot. "
786 "Device will become unusable after purging this key."),
792 r = crypt_keyslot_destroy(cd, opt_key_slot);
794 crypt_safe_free(password);
799 static int action_luksAddKey(int arg __attribute__((unused)))
801 int r = -EINVAL, keysize = 0;
803 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
804 struct crypt_device *cd = NULL;
806 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
809 crypt_set_confirm_callback(cd, _yesDialog, NULL);
811 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
814 keysize = crypt_get_volume_key_size(cd);
815 /* FIXME: lib cannot properly set verification for new/old passphrase */
816 crypt_set_password_verify(cd, _verify_passphrase(0));
817 crypt_set_timeout(cd, opt_timeout);
818 if (opt_iteration_time)
819 crypt_set_iteration_time(cd, opt_iteration_time);
821 if (opt_master_key_file) {
822 r = _read_mk(opt_master_key_file, &key, keysize);
825 //FIXME: process keyfile arg
826 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
827 key, keysize, NULL, 0);
828 } else if (opt_key_file || opt_new_key_file) {
829 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
830 opt_key_file, opt_keyfile_size, opt_keyfile_offset,
831 opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
833 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
838 crypt_safe_free(key);
842 static int _slots_full(struct crypt_device *cd)
846 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
847 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
852 static int action_luksChangeKey(int arg __attribute__((unused)))
854 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
855 struct crypt_device *cd = NULL;
856 char *vk = NULL, *password = NULL;
857 size_t passwordLen = 0;
859 int new_key_slot, old_key_slot, r;
861 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
864 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
867 if (opt_iteration_time)
868 crypt_set_iteration_time(cd, opt_iteration_time);
870 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
871 &password, &passwordLen,
872 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
873 opt_timeout, _verify_passphrase(0), cd);
877 vk_size = crypt_get_volume_key_size(cd);
878 vk = crypt_safe_alloc(vk_size);
884 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
885 password, passwordLen);
887 if (opt_key_slot != CRYPT_ANY_SLOT)
888 log_err(_("No key available with this passphrase.\n"));
892 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
893 log_dbg("Key slot %d is going to be overwritten (%s).",
894 r, opt_key_slot != CRYPT_ANY_SLOT ?
895 "explicit key slot specified" : "no free key slot");
899 log_dbg("Allocating new key slot.");
901 new_key_slot = CRYPT_ANY_SLOT;
904 crypt_safe_free(password);
907 r = crypt_get_key(_("Enter new LUKS passphrase: "),
908 &password, &passwordLen,
909 opt_new_keyfile_offset, opt_new_keyfile_size,
911 opt_timeout, _verify_passphrase(0), cd);
915 if (new_key_slot == old_key_slot) {
916 (void)crypt_keyslot_destroy(cd, old_key_slot);
917 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
919 password, passwordLen);
921 log_verbose(_("Key slot %d changed.\n"), r);
923 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
925 password, passwordLen);
927 log_verbose(_("Replaced with key slot %d.\n"), r);
928 r = crypt_keyslot_destroy(cd, old_key_slot);
932 log_err(_("Failed to swap new key slot.\n"));
935 crypt_safe_free(password);
940 static int action_isLuks(int arg __attribute__((unused)))
942 struct crypt_device *cd = NULL;
945 if ((r = crypt_init(&cd, action_argv[0])))
948 crypt_set_log_callback(cd, _quiet_log, NULL);
949 r = crypt_load(cd, CRYPT_LUKS1, NULL);
955 static int action_luksUUID(int arg __attribute__((unused)))
957 struct crypt_device *cd = NULL;
958 const char *existing_uuid = NULL;
961 if ((r = crypt_init(&cd, action_argv[0])))
964 crypt_set_confirm_callback(cd, _yesDialog, NULL);
966 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
970 r = crypt_set_uuid(cd, opt_uuid);
972 existing_uuid = crypt_get_uuid(cd);
973 log_std("%s\n", existing_uuid ?: "");
974 r = existing_uuid ? 0 : 1;
981 static int luksDump_with_volume_key(struct crypt_device *cd)
983 char *vk = NULL, *password = NULL;
984 size_t passwordLen = 0;
989 crypt_set_confirm_callback(cd, _yesDialog, NULL);
991 _("LUKS header dump with volume key is sensitive information\n"
992 "which allows access to encrypted partition without passphrase.\n"
993 "This dump should be always stored encrypted on safe place."),
997 vk_size = crypt_get_volume_key_size(cd);
998 vk = crypt_safe_alloc(vk_size);
1002 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
1003 opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1004 opt_timeout, 0, cd);
1008 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
1009 password, passwordLen);
1013 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
1014 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
1015 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
1016 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
1017 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
1018 log_std("MK bits: \t%d\n", (int)vk_size * 8);
1019 log_std("MK dump:\t");
1021 for(i = 0; i < vk_size; i++) {
1024 log_std("%02hhx ", (char)vk[i]);
1029 crypt_safe_free(password);
1030 crypt_safe_free(vk);
1034 static int action_luksDump(int arg __attribute__((unused)))
1036 struct crypt_device *cd = NULL;
1039 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1042 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1045 if (opt_dump_master_key)
1046 r = luksDump_with_volume_key(cd);
1054 static int action_luksSuspend(int arg __attribute__((unused)))
1056 struct crypt_device *cd = NULL;
1059 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
1061 r = crypt_suspend(cd, action_argv[0]);
1067 static int action_luksResume(int arg __attribute__((unused)))
1069 struct crypt_device *cd = NULL;
1072 if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device)))
1075 crypt_set_timeout(cd, opt_timeout);
1076 crypt_set_password_retry(cd, opt_tries);
1077 crypt_set_password_verify(cd, _verify_passphrase(0));
1080 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1081 opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1083 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1090 static int action_luksBackup(int arg __attribute__((unused)))
1092 struct crypt_device *cd = NULL;
1095 if (!opt_header_backup_file) {
1096 log_err(_("Option --header-backup-file is required.\n"));
1100 if ((r = crypt_init(&cd, uuid_or_device(action_argv[0]))))
1103 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1105 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1111 static int action_luksRestore(int arg __attribute__((unused)))
1113 struct crypt_device *cd = NULL;
1116 if (!opt_header_backup_file) {
1117 log_err(_("Option --header-backup-file is required.\n"));
1121 if ((r = crypt_init(&cd, action_argv[0])))
1124 crypt_set_confirm_callback(cd, _yesDialog, NULL);
1125 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1131 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
1132 int exitcode, const char *error,
1135 poptPrintUsage(popt_context, stderr, 0);
1137 log_err("%s: %s\n", more, error);
1138 poptFreeContext(popt_context);
1142 static void help(poptContext popt_context,
1143 enum poptCallbackReason reason __attribute__((unused)),
1144 struct poptOption *key,
1145 const char *arg __attribute__((unused)),
1146 void *data __attribute__((unused)))
1148 if (key->shortName == '?') {
1149 struct action_type *action;
1151 log_std("%s\n",PACKAGE_STRING);
1153 poptPrintHelp(popt_context, stdout, 0);
1156 "<action> is one of:\n"));
1158 for(action = action_types; action->type; action++)
1159 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1162 "<name> is the device to create under %s\n"
1163 "<device> is the encrypted device\n"
1164 "<key slot> is the LUKS key slot number to modify\n"
1165 "<key file> optional key file for the new key for luksAddKey action\n"),
1168 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1169 "\tMaximum keyfile size: %dkB, "
1170 "Maximum interactive passphrase length %d (characters)\n"),
1171 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1173 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1174 "\tloop-AES: %s, Key %d bits\n"
1175 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1176 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1177 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1178 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1179 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1183 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1186 static void _dbg_version_and_cmd(int argc, const char **argv)
1190 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1191 for (i = 0; i < argc; i++) {
1194 log_std("%s", argv[i]);
1199 static int run_action(struct action_type *action)
1203 log_dbg("Running command %s.", action->type);
1205 if (action->required_memlock)
1206 crypt_memory_lock(NULL, 1);
1208 r = action->handler(action->arg);
1210 if (action->required_memlock)
1211 crypt_memory_lock(NULL, 0);
1213 /* Some functions returns keyslot # */
1219 /* Translate exit code to simple codes */
1221 case 0: r = EXIT_SUCCESS; break;
1223 case -EBUSY: r = 5; break;
1225 case -ENODEV: r = 4; break;
1226 case -ENOMEM: r = 3; break;
1227 case -EPERM: r = 2; break;
1231 default: r = EXIT_FAILURE;
1236 int main(int argc, const char **argv)
1238 static char *popt_tmp;
1239 static struct poptOption popt_help_options[] = {
1240 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1241 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1242 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1245 static struct poptOption popt_options[] = {
1246 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1247 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1248 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1249 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1250 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1251 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1252 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1253 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1254 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1255 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1256 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1257 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1258 { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1259 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1260 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1261 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1262 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1263 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1264 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1265 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1266 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1267 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1268 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1269 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1270 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1271 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1272 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1273 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1274 { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
1275 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1276 { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1277 { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
1280 poptContext popt_context;
1281 struct action_type *action;
1284 const char *null_action_argv[] = {NULL};
1286 crypt_set_log_callback(NULL, _log, NULL);
1288 setlocale(LC_ALL, "");
1289 bindtextdomain(PACKAGE, LOCALEDIR);
1290 textdomain(PACKAGE);
1292 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1293 poptSetOtherOptionHelp(popt_context,
1294 N_("[OPTION...] <action> <action-specific>]"));
1296 while((r = poptGetNextOpt(popt_context)) > 0) {
1297 unsigned long long ull_value;
1301 ull_value = strtoull(popt_tmp, &endp, 0);
1302 if (*endp || !*popt_tmp ||
1303 (errno == ERANGE && ull_value == ULLONG_MAX) ||
1304 (errno != 0 && ull_value == 0))
1305 r = POPT_ERROR_BADNUMBER;
1309 opt_size = ull_value;
1312 opt_offset = ull_value;
1315 opt_skip = ull_value;
1325 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1326 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1327 if (opt_version_mode) {
1328 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1329 poptFreeContext(popt_context);
1333 if (!(aname = poptGetArg(popt_context)))
1334 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1335 poptGetInvocationName(popt_context));
1336 for(action = action_types; action->type; action++)
1337 if (strcmp(action->type, aname) == 0)
1340 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1341 poptGetInvocationName(popt_context));
1344 action_argv = poptGetArgs(popt_context);
1345 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1347 action_argv = null_action_argv;
1349 /* Count args, somewhat unnice, change? */
1350 while(action_argv[action_argc] != NULL)
1353 if(action_argc < action->required_action_argc) {
1355 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1356 usage(popt_context, EXIT_FAILURE, buf,
1357 poptGetInvocationName(popt_context));
1360 /* FIXME: rewrite this from scratch */
1362 if (opt_shared && strcmp(aname, "create")) {
1363 usage(popt_context, EXIT_FAILURE,
1364 _("Option --shared is allowed only for create operation.\n"),
1365 poptGetInvocationName(popt_context));
1368 if (opt_allow_discards &&
1369 strcmp(aname, "luksOpen") &&
1370 strcmp(aname, "create") &&
1371 strcmp(aname, "loopaesOpen")) {
1372 usage(popt_context, EXIT_FAILURE,
1373 _("Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"),
1374 poptGetInvocationName(popt_context));
1378 strcmp(aname, "luksFormat") &&
1379 strcmp(aname, "create") &&
1380 strcmp(aname, "loopaesOpen")) {
1381 usage(popt_context, EXIT_FAILURE,
1382 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1383 "To limit read from keyfile use --keyfile-size=(bytes)."),
1384 poptGetInvocationName(popt_context));
1387 if (opt_key_size % 8)
1388 usage(popt_context, EXIT_FAILURE,
1389 _("Key size must be a multiple of 8 bits"),
1390 poptGetInvocationName(popt_context));
1392 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1393 opt_key_slot = atoi(action_argv[1]);
1394 if (opt_key_slot != CRYPT_ANY_SLOT &&
1395 (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1396 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1397 poptGetInvocationName(popt_context));
1399 if ((!strcmp(aname, "luksRemoveKey") ||
1400 !strcmp(aname, "luksFormat")) &&
1403 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1405 opt_key_file = action_argv[1];
1408 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1409 opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0) {
1410 usage(popt_context, EXIT_FAILURE,
1411 _("Negative number for option not permitted."),
1412 poptGetInvocationName(popt_context));
1415 if (opt_random && opt_urandom)
1416 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1417 poptGetInvocationName(popt_context));
1418 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1419 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1420 poptGetInvocationName(popt_context));
1422 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1423 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1424 poptGetInvocationName(popt_context));
1426 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1427 usage(popt_context, EXIT_FAILURE,
1428 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1429 poptGetInvocationName(popt_context));
1431 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1432 usage(popt_context, EXIT_FAILURE,
1433 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1434 poptGetInvocationName(popt_context));
1438 crypt_set_debug_level(-1);
1439 _dbg_version_and_cmd(argc, argv);
1442 r = run_action(action);
1443 poptFreeContext(popt_context);