2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
32 #include <libcryptsetup.h>
35 #include "cryptsetup.h"
37 static int opt_verbose = 0;
38 static int opt_debug = 0;
39 static const char *opt_cipher = NULL;
40 static const char *opt_hash = NULL;
41 static int opt_verify_passphrase = 0;
42 static const char *opt_key_file = NULL;
43 static const char *opt_master_key_file = NULL;
44 static const char *opt_header_backup_file = NULL;
45 static const char *opt_uuid = NULL;
46 static int opt_key_size = 0;
47 static long opt_keyfile_size = 0;
48 static long opt_new_keyfile_size = 0;
49 static int opt_key_slot = CRYPT_ANY_SLOT;
50 static uint64_t opt_size = 0;
51 static uint64_t opt_offset = 0;
52 static uint64_t opt_skip = 0;
53 static int opt_skip_valid = 0;
54 static int opt_readonly = 0;
55 static int opt_iteration_time = 1000;
56 static int opt_batch_mode = 0;
57 static int opt_version_mode = 0;
58 static int opt_timeout = 0;
59 static int opt_tries = 3;
60 static int opt_align_payload = 0;
61 static int opt_random = 0;
62 static int opt_urandom = 0;
63 static int opt_dump_master_key = 0;
65 static const char **action_argv;
66 static int action_argc;
68 static int action_create(int arg);
69 static int action_remove(int arg);
70 static int action_resize(int arg);
71 static int action_status(int arg);
72 static int action_luksFormat(int arg);
73 static int action_luksOpen(int arg);
74 static int action_luksAddKey(int arg);
75 static int action_luksKillSlot(int arg);
76 static int action_luksRemoveKey(int arg);
77 static int action_luksChangeKey(int arg);
78 static int action_isLuks(int arg);
79 static int action_luksUUID(int arg);
80 static int action_luksDump(int arg);
81 static int action_luksSuspend(int arg);
82 static int action_luksResume(int arg);
83 static int action_luksBackup(int arg);
84 static int action_luksRestore(int arg);
85 static int action_loopaesOpen(int arg);
87 static struct action_type {
91 int required_action_argc;
96 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
97 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
98 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
99 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
100 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
101 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
102 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
103 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
104 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
105 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
106 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
107 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
108 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
109 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
110 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
111 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
112 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
113 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
114 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
115 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
116 { NULL, NULL, 0, 0, 0, NULL, NULL }
119 __attribute__((format(printf, 5, 6)))
120 static void clogger(struct crypt_device *cd, int level, const char *file,
121 int line, const char *format, ...)
126 va_start(argp, format);
128 if (vasprintf(&target, format, argp) > 0) {
130 crypt_log(cd, level, target);
132 } else if (opt_debug)
133 printf("# %s:%d %s\n", file ?: "?", line, target);
135 } else if (opt_debug)
136 printf("# %s\n", target);
144 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
150 if(isatty(0) && !opt_batch_mode) {
151 log_std("\nWARNING!\n========\n");
152 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
153 if(getline(&answer, &size, stdin) == -1) {
158 if(strcmp(answer, "YES\n"))
166 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
170 case CRYPT_LOG_NORMAL:
173 case CRYPT_LOG_VERBOSE:
177 case CRYPT_LOG_ERROR:
180 case CRYPT_LOG_DEBUG:
182 printf("# %s\n", msg);
185 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
190 static void show_status(int errcode)
192 char error[256], *error_;
198 log_std(_("Command successful.\n"));
202 crypt_get_error(error, sizeof(error));
205 error_ = strerror_r(-errcode, error, sizeof(error));
206 if (error_ != error) {
207 strncpy(error, error_, sizeof(error));
208 error[sizeof(error) - 1] = '\0';
212 log_err(_("Command failed with code %i"), -errcode);
214 log_err(": %s\n", error);
219 static int action_create(int arg __attribute__((unused)))
221 struct crypt_device *cd = NULL;
222 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
223 struct crypt_params_plain params = {
224 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
226 .offset = opt_offset,
228 char *password = NULL;
230 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
233 if (params.hash && !strcmp(params.hash, "plain"))
236 /* FIXME: temporary hack */
237 if (opt_key_file && strcmp(opt_key_file, "-"))
240 if (opt_keyfile_size && opt_key_file)
241 log_std(("Ignoring keyfile size option, keyfile read size "
242 "is always the same as encryption key size.\n"));
244 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
245 cipher, NULL, cipher_mode);
247 log_err("No known cipher specification pattern detected.\n");
251 if ((r = crypt_init(&cd, action_argv[1])))
254 crypt_set_timeout(cd, opt_timeout);
255 crypt_set_password_retry(cd, opt_tries);
257 r = crypt_format(cd, CRYPT_PLAIN,
266 r = crypt_activate_by_keyfile(cd, action_argv[0],
267 CRYPT_ANY_SLOT, opt_key_file, key_size,
268 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
270 r = crypt_get_key(_("Enter passphrase: "),
271 &password, &passwordLen, opt_keyfile_size,
273 opt_batch_mode ? 0 : opt_verify_passphrase,
278 r = crypt_activate_by_passphrase(cd, action_argv[0],
279 CRYPT_ANY_SLOT, password, passwordLen,
280 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
284 crypt_safe_free(password);
289 static int action_loopaesOpen(int arg __attribute__((unused)))
291 struct crypt_device *cd = NULL;
292 struct crypt_params_loopaes params = {
293 .hash = opt_hash ?: NULL,
294 .offset = opt_offset,
295 .skip = opt_skip_valid ? opt_skip : opt_offset,
297 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
301 log_err(_("Option --key-file is required.\n"));
305 if ((r = crypt_init(&cd, action_argv[0])))
308 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
309 NULL, NULL, NULL, key_size, ¶ms);
313 r = crypt_activate_by_keyfile(cd, action_argv[1],
314 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
315 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
322 static int action_remove(int arg __attribute__((unused)))
324 struct crypt_device *cd = NULL;
327 r = crypt_init_by_name(&cd, action_argv[0]);
329 r = crypt_deactivate(cd, action_argv[0]);
335 static int action_resize(int arg __attribute__((unused)))
337 struct crypt_device *cd = NULL;
340 r = crypt_init_by_name(&cd, action_argv[0]);
342 r = crypt_resize(cd, action_argv[0], opt_size);
348 static int action_status(int arg __attribute__((unused)))
350 crypt_status_info ci;
351 struct crypt_active_device cad;
352 struct crypt_device *cd = NULL;
357 ci = crypt_status(NULL, action_argv[0]);
363 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
367 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
368 ci == CRYPT_BUSY ? " and is in use" : "");
369 r = crypt_init_by_name(&cd, action_argv[0]);
370 if (r < 0 || !crypt_get_type(cd))
373 log_std(" type: %s\n", crypt_get_type(cd));
375 r = crypt_get_active_device(cd, action_argv[0], &cad);
379 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
380 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
381 device = crypt_get_device_name(cd);
382 log_std(" device: %s\n", device);
383 if (crypt_loop_device(device)) {
384 backing_file = crypt_loop_backing_file(device);
385 log_std(" loop: %s\n", backing_file);
388 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
389 log_std(" size: %" PRIu64 " sectors\n", cad.size);
391 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
392 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
393 "readonly" : "read/write");
400 static int _read_mk(const char *file, char **key, int keysize)
404 *key = crypt_safe_alloc(keysize);
408 fd = open(file, O_RDONLY);
410 log_err("Cannot read keyfile %s.\n", file);
413 if ((read(fd, *key, keysize) != keysize)) {
414 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
421 crypt_safe_free(*key);
426 static int action_luksFormat(int arg __attribute__((unused)))
428 int r = -EINVAL, keysize;
429 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
430 char *password = NULL;
432 struct crypt_device *cd = NULL;
433 struct crypt_params_luks1 params = {
434 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
435 .data_alignment = opt_align_payload,
438 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
439 log_err(_("memory allocation error in action_luksFormat"));
443 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
448 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
449 cipher, NULL, cipher_mode);
451 log_err("No known cipher specification pattern detected.\n");
455 if ((r = crypt_init(&cd, action_argv[0])))
458 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
460 crypt_set_password_verify(cd, 1);
461 crypt_set_timeout(cd, opt_timeout);
462 if (opt_iteration_time)
463 crypt_set_iterarion_time(cd, opt_iteration_time);
466 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
467 else if (opt_urandom)
468 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
470 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
471 opt_keyfile_size, opt_key_file, opt_timeout,
472 opt_batch_mode ? 0 : 1 /* always verify */, cd);
476 if (opt_master_key_file) {
477 r = _read_mk(opt_master_key_file, &key, keysize);
482 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
483 opt_uuid, key, keysize, ¶ms);
487 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
489 password, passwordLen);
492 crypt_safe_free(key);
493 crypt_safe_free(password);
498 static int action_luksOpen(int arg __attribute__((unused)))
500 struct crypt_device *cd = NULL;
504 if ((r = crypt_init(&cd, action_argv[0])))
507 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
510 crypt_set_timeout(cd, opt_timeout);
511 crypt_set_password_retry(cd, opt_tries);
513 if (opt_iteration_time)
514 crypt_set_iterarion_time(cd, opt_iteration_time);
516 flags |= CRYPT_ACTIVATE_READONLY;
519 crypt_set_password_retry(cd, 1);
520 r = crypt_activate_by_keyfile(cd, action_argv[1],
521 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
524 r = crypt_activate_by_passphrase(cd, action_argv[1],
525 CRYPT_ANY_SLOT, NULL, 0, flags);
531 static int verify_keyslot(struct crypt_device *cd, int key_slot,
532 char *msg_last, char *msg_pass,
533 const char *key_file, int keyfile_size)
535 crypt_keyslot_info ki;
536 char *password = NULL;
540 ki = crypt_keyslot_status(cd, key_slot);
541 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
544 r = crypt_get_key(msg_pass, &password, &passwordLen,
545 keyfile_size, key_file, opt_timeout,
546 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
550 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
551 /* check the last keyslot */
552 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
553 password, passwordLen, 0);
555 /* try all other keyslots */
556 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
559 ki = crypt_keyslot_status(cd, key_slot);
560 if (ki == CRYPT_SLOT_ACTIVE)
561 r = crypt_activate_by_passphrase(cd, NULL, i,
562 password, passwordLen, 0);
569 log_err(_("No key available with this passphrase.\n"));
571 crypt_safe_free(password);
575 static int action_luksKillSlot(int arg __attribute__((unused)))
577 struct crypt_device *cd = NULL;
580 if ((r = crypt_init(&cd, action_argv[0])))
583 crypt_set_confirm_callback(cd, _yesDialog, NULL);
584 crypt_set_timeout(cd, opt_timeout);
586 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
589 switch (crypt_keyslot_status(cd, opt_key_slot)) {
590 case CRYPT_SLOT_ACTIVE_LAST:
591 case CRYPT_SLOT_ACTIVE:
592 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
594 case CRYPT_SLOT_INACTIVE:
595 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
596 case CRYPT_SLOT_INVALID:
600 if (!opt_batch_mode) {
601 r = verify_keyslot(cd, opt_key_slot,
602 _("This is the last keyslot. Device will become unusable after purging this key."),
603 _("Enter any remaining LUKS passphrase: "),
604 opt_key_file, opt_keyfile_size);
609 r = crypt_keyslot_destroy(cd, opt_key_slot);
615 static int action_luksRemoveKey(int arg __attribute__((unused)))
617 struct crypt_device *cd = NULL;
618 char *password = NULL;
622 if ((r = crypt_init(&cd, action_argv[0])))
625 crypt_set_confirm_callback(cd, _yesDialog, NULL);
626 crypt_set_timeout(cd, opt_timeout);
628 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
631 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
632 &password, &passwordLen,
633 opt_keyfile_size, opt_key_file,
635 opt_batch_mode ? 0 : opt_verify_passphrase,
640 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
641 password, passwordLen, 0);
646 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
648 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
649 !_yesDialog(_("This is the last keyslot. "
650 "Device will become unusable after purging this key."),
656 r = crypt_keyslot_destroy(cd, opt_key_slot);
658 crypt_safe_free(password);
663 static int action_luksAddKey(int arg __attribute__((unused)))
665 int r = -EINVAL, keysize = 0;
667 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
668 struct crypt_device *cd = NULL;
670 if ((r = crypt_init(&cd, action_argv[0])))
673 crypt_set_confirm_callback(cd, _yesDialog, NULL);
675 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
678 keysize = crypt_get_volume_key_size(cd);
679 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
680 crypt_set_timeout(cd, opt_timeout);
681 if (opt_iteration_time)
682 crypt_set_iterarion_time(cd, opt_iteration_time);
684 if (opt_master_key_file) {
685 r = _read_mk(opt_master_key_file, &key, keysize);
688 //FIXME: process keyfile arg
689 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
690 key, keysize, NULL, 0);
691 } else if (opt_key_file || opt_new_key_file) {
692 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
693 opt_key_file, opt_keyfile_size,
694 opt_new_key_file, opt_new_keyfile_size);
696 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
701 crypt_safe_free(key);
705 static int _slots_full(struct crypt_device *cd)
709 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
710 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
715 static int action_luksChangeKey(int arg __attribute__((unused)))
717 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
718 struct crypt_device *cd = NULL;
719 char *vk = NULL, *password = NULL;
720 size_t passwordLen = 0;
722 int new_key_slot, old_key_slot, r;
724 if ((r = crypt_init(&cd, action_argv[0])))
727 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
730 if (opt_iteration_time)
731 crypt_set_iterarion_time(cd, opt_iteration_time);
733 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
734 &password, &passwordLen,
735 opt_keyfile_size, opt_key_file, opt_timeout,
736 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
740 vk_size = crypt_get_volume_key_size(cd);
741 vk = crypt_safe_alloc(vk_size);
747 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
748 password, passwordLen);
750 if (opt_key_slot != CRYPT_ANY_SLOT)
751 log_err(_("No key available with this passphrase.\n"));
755 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
756 log_dbg("Key slot %d is going to be overwritten (%s).",
757 r, opt_key_slot != CRYPT_ANY_SLOT ?
758 "explicit key slot specified" : "no free key slot");
762 log_dbg("Allocating new key slot.");
764 new_key_slot = CRYPT_ANY_SLOT;
767 crypt_safe_free(password);
770 r = crypt_get_key(_("Enter new LUKS passphrase: "),
771 &password, &passwordLen,
772 opt_new_keyfile_size, opt_new_key_file,
773 opt_timeout, opt_batch_mode ? 0 : 1, cd);
777 if (new_key_slot == old_key_slot) {
778 (void)crypt_keyslot_destroy(cd, old_key_slot);
779 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
781 password, passwordLen);
783 log_verbose(_("Key slot %d changed.\n"), r);
785 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
787 password, passwordLen);
789 log_verbose(_("Replaced with key slot %d.\n"), r);
790 r = crypt_keyslot_destroy(cd, old_key_slot);
794 log_err(_("Failed to swap new key slot.\n"));
797 crypt_safe_free(password);
802 static int action_isLuks(int arg __attribute__((unused)))
804 struct crypt_device *cd = NULL;
807 if ((r = crypt_init(&cd, action_argv[0])))
810 r = crypt_load(cd, CRYPT_LUKS1, NULL);
816 static int action_luksUUID(int arg __attribute__((unused)))
818 struct crypt_device *cd = NULL;
819 const char *existing_uuid = NULL;
822 if ((r = crypt_init(&cd, action_argv[0])))
825 crypt_set_confirm_callback(cd, _yesDialog, NULL);
827 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
831 r = crypt_set_uuid(cd, opt_uuid);
833 existing_uuid = crypt_get_uuid(cd);
834 log_std("%s\n", existing_uuid ?: "");
835 r = existing_uuid ? 0 : 1;
842 static int luksDump_with_volume_key(struct crypt_device *cd)
844 char *vk = NULL, *password = NULL;
845 size_t passwordLen = 0;
850 crypt_set_confirm_callback(cd, _yesDialog, NULL);
852 _("LUKS header dump with volume key is sensitive information\n"
853 "which allows access to encrypted partition without passphrase.\n"
854 "This dump should be always stored encrypted on safe place."),
858 vk_size = crypt_get_volume_key_size(cd);
859 vk = crypt_safe_alloc(vk_size);
863 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
864 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
868 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
869 password, passwordLen);
873 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
874 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
875 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
876 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
877 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
878 log_std("MK bits: \t%d\n", (int)vk_size * 8);
879 log_std("MK dump:\t");
881 for(i = 0; i < vk_size; i++) {
884 log_std("%02hhx ", (char)vk[i]);
889 crypt_safe_free(password);
894 static int action_luksDump(int arg __attribute__((unused)))
896 struct crypt_device *cd = NULL;
899 if ((r = crypt_init(&cd, action_argv[0])))
902 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
905 if (opt_dump_master_key)
906 r = luksDump_with_volume_key(cd);
914 static int action_luksSuspend(int arg __attribute__((unused)))
916 struct crypt_device *cd = NULL;
919 r = crypt_init_by_name(&cd, action_argv[0]);
921 r = crypt_suspend(cd, action_argv[0]);
927 static int action_luksResume(int arg __attribute__((unused)))
929 struct crypt_device *cd = NULL;
932 if ((r = crypt_init_by_name(&cd, action_argv[0])))
935 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
939 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
940 opt_key_file, opt_keyfile_size);
942 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
949 static int action_luksBackup(int arg __attribute__((unused)))
951 struct crypt_device *cd = NULL;
954 if (!opt_header_backup_file) {
955 log_err(_("Option --header-backup-file is required.\n"));
959 if ((r = crypt_init(&cd, action_argv[0])))
962 crypt_set_confirm_callback(cd, _yesDialog, NULL);
964 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
970 static int action_luksRestore(int arg __attribute__((unused)))
972 struct crypt_device *cd = NULL;
975 if (!opt_header_backup_file) {
976 log_err(_("Option --header-backup-file is required.\n"));
980 if ((r = crypt_init(&cd, action_argv[0])))
983 crypt_set_confirm_callback(cd, _yesDialog, NULL);
984 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
990 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
991 int exitcode, const char *error,
994 poptPrintUsage(popt_context, stderr, 0);
996 log_err("%s: %s\n", more, error);
1000 static void help(poptContext popt_context,
1001 enum poptCallbackReason reason __attribute__((unused)),
1002 struct poptOption *key,
1003 const char *arg __attribute__((unused)),
1004 void *data __attribute__((unused)))
1006 if (key->shortName == '?') {
1007 struct action_type *action;
1009 log_std("%s\n",PACKAGE_STRING);
1011 poptPrintHelp(popt_context, stdout, 0);
1014 "<action> is one of:\n"));
1016 for(action = action_types; action->type; action++)
1017 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1020 "<name> is the device to create under %s\n"
1021 "<device> is the encrypted device\n"
1022 "<key slot> is the LUKS key slot number to modify\n"
1023 "<key file> optional key file for the new key for luksAddKey action\n"),
1026 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1027 "\tMaximum keyfile size: %dkB, "
1028 "Maximum interactive passphrase length %d (characters)\n"),
1029 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1031 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1032 "\tloop-AES: %s, Key %d bits\n"
1033 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1034 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1035 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1036 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1037 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1041 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1044 static void _dbg_version_and_cmd(int argc, const char **argv)
1048 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1049 for (i = 0; i < argc; i++) {
1052 log_std("%s", argv[i]);
1057 static int run_action(struct action_type *action)
1061 log_dbg("Running command %s.", action->type);
1063 if (action->required_memlock)
1064 crypt_memory_lock(NULL, 1);
1066 r = action->handler(action->arg);
1068 if (action->required_memlock)
1069 crypt_memory_lock(NULL, 0);
1071 /* Some functions returns keyslot # */
1077 /* Translate exit code to simple codes */
1079 case 0: r = EXIT_SUCCESS; break;
1081 case -EBUSY: r = 5; break;
1083 case -ENODEV: r = 4; break;
1084 case -ENOMEM: r = 3; break;
1085 case -EPERM: r = 2; break;
1089 default: r = EXIT_FAILURE;
1094 int main(int argc, const char **argv)
1096 static char *popt_tmp;
1097 static struct poptOption popt_help_options[] = {
1098 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1099 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1100 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1103 static struct poptOption popt_options[] = {
1104 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1105 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1106 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1107 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1108 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1109 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1110 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1111 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1112 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1113 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1114 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1115 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1116 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1117 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1118 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1119 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1120 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1121 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1122 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1123 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1124 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1125 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1126 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1127 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1128 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1129 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1130 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1133 poptContext popt_context;
1134 struct action_type *action;
1137 const char *null_action_argv[] = {NULL};
1139 crypt_set_log_callback(NULL, _log, NULL);
1141 setlocale(LC_ALL, "");
1142 bindtextdomain(PACKAGE, LOCALEDIR);
1143 textdomain(PACKAGE);
1145 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1146 poptSetOtherOptionHelp(popt_context,
1147 N_("[OPTION...] <action> <action-specific>]"));
1149 while((r = poptGetNextOpt(popt_context)) > 0) {
1150 unsigned long long ull_value;
1153 ull_value = strtoull(popt_tmp, &endp, 0);
1154 if (*endp || !*popt_tmp)
1155 r = POPT_ERROR_BADNUMBER;
1159 opt_size = ull_value;
1162 opt_offset = ull_value;
1165 opt_skip = ull_value;
1175 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1176 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1177 if (opt_version_mode) {
1178 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1182 if (!(aname = poptGetArg(popt_context)))
1183 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1184 poptGetInvocationName(popt_context));
1185 for(action = action_types; action->type; action++)
1186 if (strcmp(action->type, aname) == 0)
1189 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1190 poptGetInvocationName(popt_context));
1193 action_argv = poptGetArgs(popt_context);
1194 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1196 action_argv = null_action_argv;
1198 /* Count args, somewhat unnice, change? */
1199 while(action_argv[action_argc] != NULL)
1202 if(action_argc < action->required_action_argc) {
1204 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1205 usage(popt_context, EXIT_FAILURE, buf,
1206 poptGetInvocationName(popt_context));
1209 /* FIXME: rewrite this from scratch */
1212 strcmp(aname, "luksFormat") &&
1213 strcmp(aname, "create") &&
1214 strcmp(aname, "loopaesOpen")) {
1215 usage(popt_context, EXIT_FAILURE,
1216 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1217 "To limit read from keyfile use --keyfile-size=(bytes)."),
1218 poptGetInvocationName(popt_context));
1221 if (opt_key_size % 8)
1222 usage(popt_context, EXIT_FAILURE,
1223 _("Key size must be a multiple of 8 bits"),
1224 poptGetInvocationName(popt_context));
1226 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1227 opt_key_slot = atoi(action_argv[1]);
1228 if (opt_key_slot != CRYPT_ANY_SLOT &&
1229 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1230 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1231 poptGetInvocationName(popt_context));
1233 if ((!strcmp(aname, "luksRemoveKey") ||
1234 !strcmp(aname, "luksFormat")) &&
1237 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1239 opt_key_file = action_argv[1];
1242 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1243 usage(popt_context, EXIT_FAILURE,
1244 _("Negative number for option not permitted."),
1245 poptGetInvocationName(popt_context));
1248 if (opt_random && opt_urandom)
1249 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1250 poptGetInvocationName(popt_context));
1251 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1252 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1253 poptGetInvocationName(popt_context));
1255 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1256 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1257 poptGetInvocationName(popt_context));
1259 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1260 usage(popt_context, EXIT_FAILURE,
1261 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1262 poptGetInvocationName(popt_context));
1264 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1265 usage(popt_context, EXIT_FAILURE,
1266 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1267 poptGetInvocationName(popt_context));
1271 crypt_set_debug_level(-1);
1272 _dbg_version_and_cmd(argc, argv);
1275 return run_action(action);