2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
32 #include <libcryptsetup.h>
35 #include "cryptsetup.h"
37 static int opt_verbose = 0;
38 static int opt_debug = 0;
39 static const char *opt_cipher = NULL;
40 static const char *opt_hash = NULL;
41 static int opt_verify_passphrase = 0;
42 static const char *opt_key_file = NULL;
43 static const char *opt_master_key_file = NULL;
44 static const char *opt_header_backup_file = NULL;
45 static const char *opt_uuid = NULL;
46 static int opt_key_size = 0;
47 static long opt_keyfile_size = 0;
48 static long opt_new_keyfile_size = 0;
49 static int opt_key_slot = CRYPT_ANY_SLOT;
50 static uint64_t opt_size = 0;
51 static uint64_t opt_offset = 0;
52 static uint64_t opt_skip = 0;
53 static int opt_skip_valid = 0;
54 static int opt_readonly = 0;
55 static int opt_iteration_time = 1000;
56 static int opt_batch_mode = 0;
57 static int opt_version_mode = 0;
58 static int opt_timeout = 0;
59 static int opt_tries = 3;
60 static int opt_align_payload = 0;
61 static int opt_random = 0;
62 static int opt_urandom = 0;
63 static int opt_dump_master_key = 0;
65 static const char **action_argv;
66 static int action_argc;
68 static int action_create(int arg);
69 static int action_remove(int arg);
70 static int action_resize(int arg);
71 static int action_status(int arg);
72 static int action_luksFormat(int arg);
73 static int action_luksOpen(int arg);
74 static int action_luksAddKey(int arg);
75 static int action_luksKillSlot(int arg);
76 static int action_luksRemoveKey(int arg);
77 static int action_luksChangeKey(int arg);
78 static int action_isLuks(int arg);
79 static int action_luksUUID(int arg);
80 static int action_luksDump(int arg);
81 static int action_luksSuspend(int arg);
82 static int action_luksResume(int arg);
83 static int action_luksBackup(int arg);
84 static int action_luksRestore(int arg);
85 static int action_loopaesOpen(int arg);
87 static struct action_type {
91 int required_action_argc;
96 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
97 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
98 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
99 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
100 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
101 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
102 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
103 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
104 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
105 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
106 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
107 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
108 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
109 { "luksDump", action_luksDump, 0, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
110 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
111 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
112 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
113 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
114 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
115 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
116 { NULL, NULL, 0, 0, 0, NULL, NULL }
119 __attribute__((format(printf, 5, 6)))
120 static void clogger(struct crypt_device *cd, int level, const char *file,
121 int line, const char *format, ...)
126 va_start(argp, format);
128 if (vasprintf(&target, format, argp) > 0) {
130 crypt_log(cd, level, target);
132 } else if (opt_debug)
133 printf("# %s:%d %s\n", file ?: "?", line, target);
135 } else if (opt_debug)
136 printf("# %s\n", target);
144 static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
150 if(isatty(0) && !opt_batch_mode) {
151 log_std("\nWARNING!\n========\n");
152 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
153 if(getline(&answer, &size, stdin) == -1) {
158 if(strcmp(answer, "YES\n"))
166 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
170 case CRYPT_LOG_NORMAL:
173 case CRYPT_LOG_VERBOSE:
177 case CRYPT_LOG_ERROR:
180 case CRYPT_LOG_DEBUG:
182 printf("# %s\n", msg);
185 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
190 static void show_status(int errcode)
192 char error[256], *error_;
198 log_std(_("Command successful.\n"));
202 crypt_get_error(error, sizeof(error));
205 error_ = strerror_r(-errcode, error, sizeof(error));
206 if (error_ != error) {
207 strncpy(error, error_, sizeof(error));
208 error[sizeof(error) - 1] = '\0';
212 log_err(_("Command failed with code %i"), -errcode);
214 log_err(": %s\n", error);
219 static int action_create(int arg __attribute__((unused)))
221 struct crypt_device *cd = NULL;
222 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
223 struct crypt_params_plain params = {
224 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
226 .offset = opt_offset,
228 char *password = NULL;
230 size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
233 if (params.hash && !strcmp(params.hash, "plain"))
236 /* FIXME: temporary hack */
237 if (opt_key_file && strcmp(opt_key_file, "-"))
240 if (opt_keyfile_size && opt_key_file)
241 log_std(("Ignoring keyfile size option, keyfile read size "
242 "is always the same as encryption key size.\n"));
244 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
245 cipher, NULL, cipher_mode);
247 log_err("No known cipher specification pattern detected.\n");
251 if ((r = crypt_init(&cd, action_argv[1])))
254 crypt_set_timeout(cd, opt_timeout);
255 crypt_set_password_retry(cd, opt_tries);
257 r = crypt_format(cd, CRYPT_PLAIN,
266 r = crypt_activate_by_keyfile(cd, action_argv[0],
267 CRYPT_ANY_SLOT, opt_key_file, key_size,
268 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
270 r = crypt_get_key(_("Enter passphrase: "),
271 &password, &passwordLen, opt_keyfile_size,
273 opt_batch_mode ? 0 : opt_verify_passphrase,
278 r = crypt_activate_by_passphrase(cd, action_argv[0],
279 CRYPT_ANY_SLOT, password, passwordLen,
280 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
283 /* FIXME: workaround, new api missing format parameter for size.
284 * Properly fix it after bumping library version,
285 * add start_offset and size into "PLAIN" format specifiers.
287 if (r >= 0 && opt_size)
288 r = crypt_resize(cd, action_argv[0], opt_size);
292 crypt_safe_free(password);
297 static int action_loopaesOpen(int arg __attribute__((unused)))
299 struct crypt_device *cd = NULL;
300 struct crypt_params_loopaes params = {
301 .hash = opt_hash ?: NULL,
302 .offset = opt_offset,
303 .skip = opt_skip_valid ? opt_skip : opt_offset,
305 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
309 log_err(_("Option --key-file is required.\n"));
313 if ((r = crypt_init(&cd, action_argv[0])))
316 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
317 NULL, NULL, NULL, key_size, ¶ms);
321 r = crypt_activate_by_keyfile(cd, action_argv[1],
322 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
323 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
330 static int action_remove(int arg __attribute__((unused)))
332 struct crypt_device *cd = NULL;
335 r = crypt_init_by_name(&cd, action_argv[0]);
337 r = crypt_deactivate(cd, action_argv[0]);
343 static int action_resize(int arg __attribute__((unused)))
345 struct crypt_device *cd = NULL;
348 r = crypt_init_by_name(&cd, action_argv[0]);
350 r = crypt_resize(cd, action_argv[0], opt_size);
356 static int action_status(int arg __attribute__((unused)))
358 crypt_status_info ci;
359 struct crypt_active_device cad;
360 struct crypt_device *cd = NULL;
365 ci = crypt_status(NULL, action_argv[0]);
371 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
375 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
376 ci == CRYPT_BUSY ? " and is in use" : "");
377 r = crypt_init_by_name(&cd, action_argv[0]);
378 if (r < 0 || !crypt_get_type(cd))
381 log_std(" type: %s\n", crypt_get_type(cd));
383 r = crypt_get_active_device(cd, action_argv[0], &cad);
387 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
388 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
389 device = crypt_get_device_name(cd);
390 log_std(" device: %s\n", device);
391 if (crypt_loop_device(device)) {
392 backing_file = crypt_loop_backing_file(device);
393 log_std(" loop: %s\n", backing_file);
396 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
397 log_std(" size: %" PRIu64 " sectors\n", cad.size);
399 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
400 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
401 "readonly" : "read/write");
408 static int _read_mk(const char *file, char **key, int keysize)
412 *key = crypt_safe_alloc(keysize);
416 fd = open(file, O_RDONLY);
418 log_err("Cannot read keyfile %s.\n", file);
421 if ((read(fd, *key, keysize) != keysize)) {
422 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
429 crypt_safe_free(*key);
434 static int action_luksFormat(int arg __attribute__((unused)))
436 int r = -EINVAL, keysize;
437 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
438 char *password = NULL;
440 struct crypt_device *cd = NULL;
441 struct crypt_params_luks1 params = {
442 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
443 .data_alignment = opt_align_payload,
446 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
447 log_err(_("memory allocation error in action_luksFormat"));
451 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
456 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
457 cipher, NULL, cipher_mode);
459 log_err("No known cipher specification pattern detected.\n");
463 if ((r = crypt_init(&cd, action_argv[0])))
466 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
468 crypt_set_password_verify(cd, 1);
469 crypt_set_timeout(cd, opt_timeout);
470 if (opt_iteration_time)
471 crypt_set_iterarion_time(cd, opt_iteration_time);
474 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
475 else if (opt_urandom)
476 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
478 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
479 opt_keyfile_size, opt_key_file, opt_timeout,
480 opt_batch_mode ? 0 : 1 /* always verify */, cd);
484 if (opt_master_key_file) {
485 r = _read_mk(opt_master_key_file, &key, keysize);
490 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
491 opt_uuid, key, keysize, ¶ms);
495 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
497 password, passwordLen);
500 crypt_safe_free(key);
501 crypt_safe_free(password);
506 static int action_luksOpen(int arg __attribute__((unused)))
508 struct crypt_device *cd = NULL;
512 if ((r = crypt_init(&cd, action_argv[0])))
515 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
518 crypt_set_timeout(cd, opt_timeout);
519 crypt_set_password_retry(cd, opt_tries);
521 if (opt_iteration_time)
522 crypt_set_iterarion_time(cd, opt_iteration_time);
524 flags |= CRYPT_ACTIVATE_READONLY;
527 crypt_set_password_retry(cd, 1);
528 r = crypt_activate_by_keyfile(cd, action_argv[1],
529 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
532 r = crypt_activate_by_passphrase(cd, action_argv[1],
533 CRYPT_ANY_SLOT, NULL, 0, flags);
539 static int verify_keyslot(struct crypt_device *cd, int key_slot,
540 char *msg_last, char *msg_pass,
541 const char *key_file, int keyfile_size)
543 crypt_keyslot_info ki;
544 char *password = NULL;
548 ki = crypt_keyslot_status(cd, key_slot);
549 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
552 r = crypt_get_key(msg_pass, &password, &passwordLen,
553 keyfile_size, key_file, opt_timeout,
554 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
558 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
559 /* check the last keyslot */
560 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
561 password, passwordLen, 0);
563 /* try all other keyslots */
564 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
567 ki = crypt_keyslot_status(cd, key_slot);
568 if (ki == CRYPT_SLOT_ACTIVE)
569 r = crypt_activate_by_passphrase(cd, NULL, i,
570 password, passwordLen, 0);
577 log_err(_("No key available with this passphrase.\n"));
579 crypt_safe_free(password);
583 static int action_luksKillSlot(int arg __attribute__((unused)))
585 struct crypt_device *cd = NULL;
588 if ((r = crypt_init(&cd, action_argv[0])))
591 crypt_set_confirm_callback(cd, _yesDialog, NULL);
592 crypt_set_timeout(cd, opt_timeout);
594 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
597 switch (crypt_keyslot_status(cd, opt_key_slot)) {
598 case CRYPT_SLOT_ACTIVE_LAST:
599 case CRYPT_SLOT_ACTIVE:
600 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
602 case CRYPT_SLOT_INACTIVE:
603 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
604 case CRYPT_SLOT_INVALID:
608 if (!opt_batch_mode) {
609 r = verify_keyslot(cd, opt_key_slot,
610 _("This is the last keyslot. Device will become unusable after purging this key."),
611 _("Enter any remaining LUKS passphrase: "),
612 opt_key_file, opt_keyfile_size);
617 r = crypt_keyslot_destroy(cd, opt_key_slot);
623 static int action_luksRemoveKey(int arg __attribute__((unused)))
625 struct crypt_device *cd = NULL;
626 char *password = NULL;
630 if ((r = crypt_init(&cd, action_argv[0])))
633 crypt_set_confirm_callback(cd, _yesDialog, NULL);
634 crypt_set_timeout(cd, opt_timeout);
636 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
639 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
640 &password, &passwordLen,
641 opt_keyfile_size, opt_key_file,
643 opt_batch_mode ? 0 : opt_verify_passphrase,
648 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
649 password, passwordLen, 0);
654 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
656 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
657 !_yesDialog(_("This is the last keyslot. "
658 "Device will become unusable after purging this key."),
664 r = crypt_keyslot_destroy(cd, opt_key_slot);
666 crypt_safe_free(password);
671 static int action_luksAddKey(int arg __attribute__((unused)))
673 int r = -EINVAL, keysize = 0;
675 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
676 struct crypt_device *cd = NULL;
678 if ((r = crypt_init(&cd, action_argv[0])))
681 crypt_set_confirm_callback(cd, _yesDialog, NULL);
683 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
686 keysize = crypt_get_volume_key_size(cd);
687 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
688 crypt_set_timeout(cd, opt_timeout);
689 if (opt_iteration_time)
690 crypt_set_iterarion_time(cd, opt_iteration_time);
692 if (opt_master_key_file) {
693 r = _read_mk(opt_master_key_file, &key, keysize);
696 //FIXME: process keyfile arg
697 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
698 key, keysize, NULL, 0);
699 } else if (opt_key_file || opt_new_key_file) {
700 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
701 opt_key_file, opt_keyfile_size,
702 opt_new_key_file, opt_new_keyfile_size);
704 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
709 crypt_safe_free(key);
713 static int _slots_full(struct crypt_device *cd)
717 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
718 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
723 static int action_luksChangeKey(int arg __attribute__((unused)))
725 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
726 struct crypt_device *cd = NULL;
727 char *vk = NULL, *password = NULL;
728 size_t passwordLen = 0;
730 int new_key_slot, old_key_slot, r;
732 if ((r = crypt_init(&cd, action_argv[0])))
735 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
738 if (opt_iteration_time)
739 crypt_set_iterarion_time(cd, opt_iteration_time);
741 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
742 &password, &passwordLen,
743 opt_keyfile_size, opt_key_file, opt_timeout,
744 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
748 vk_size = crypt_get_volume_key_size(cd);
749 vk = crypt_safe_alloc(vk_size);
755 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
756 password, passwordLen);
758 if (opt_key_slot != CRYPT_ANY_SLOT)
759 log_err(_("No key available with this passphrase.\n"));
763 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
764 log_dbg("Key slot %d is going to be overwritten (%s).",
765 r, opt_key_slot != CRYPT_ANY_SLOT ?
766 "explicit key slot specified" : "no free key slot");
770 log_dbg("Allocating new key slot.");
772 new_key_slot = CRYPT_ANY_SLOT;
775 crypt_safe_free(password);
778 r = crypt_get_key(_("Enter new LUKS passphrase: "),
779 &password, &passwordLen,
780 opt_new_keyfile_size, opt_new_key_file,
781 opt_timeout, opt_batch_mode ? 0 : 1, cd);
785 if (new_key_slot == old_key_slot) {
786 (void)crypt_keyslot_destroy(cd, old_key_slot);
787 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
789 password, passwordLen);
791 log_verbose(_("Key slot %d changed.\n"), r);
793 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
795 password, passwordLen);
797 log_verbose(_("Replaced with key slot %d.\n"), r);
798 r = crypt_keyslot_destroy(cd, old_key_slot);
802 log_err(_("Failed to swap new key slot.\n"));
805 crypt_safe_free(password);
810 static int action_isLuks(int arg __attribute__((unused)))
812 struct crypt_device *cd = NULL;
815 if ((r = crypt_init(&cd, action_argv[0])))
818 r = crypt_load(cd, CRYPT_LUKS1, NULL);
824 static int action_luksUUID(int arg __attribute__((unused)))
826 struct crypt_device *cd = NULL;
827 const char *existing_uuid = NULL;
830 if ((r = crypt_init(&cd, action_argv[0])))
833 crypt_set_confirm_callback(cd, _yesDialog, NULL);
835 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
839 r = crypt_set_uuid(cd, opt_uuid);
841 existing_uuid = crypt_get_uuid(cd);
842 log_std("%s\n", existing_uuid ?: "");
843 r = existing_uuid ? 0 : 1;
850 static int luksDump_with_volume_key(struct crypt_device *cd)
852 char *vk = NULL, *password = NULL;
853 size_t passwordLen = 0;
858 crypt_set_confirm_callback(cd, _yesDialog, NULL);
860 _("LUKS header dump with volume key is sensitive information\n"
861 "which allows access to encrypted partition without passphrase.\n"
862 "This dump should be always stored encrypted on safe place."),
866 vk_size = crypt_get_volume_key_size(cd);
867 vk = crypt_safe_alloc(vk_size);
871 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
872 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
876 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
877 password, passwordLen);
881 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
882 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
883 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
884 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
885 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
886 log_std("MK bits: \t%d\n", (int)vk_size * 8);
887 log_std("MK dump:\t");
889 for(i = 0; i < vk_size; i++) {
892 log_std("%02hhx ", (char)vk[i]);
897 crypt_safe_free(password);
902 static int action_luksDump(int arg __attribute__((unused)))
904 struct crypt_device *cd = NULL;
907 if ((r = crypt_init(&cd, action_argv[0])))
910 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
913 if (opt_dump_master_key)
914 r = luksDump_with_volume_key(cd);
922 static int action_luksSuspend(int arg __attribute__((unused)))
924 struct crypt_device *cd = NULL;
927 r = crypt_init_by_name(&cd, action_argv[0]);
929 r = crypt_suspend(cd, action_argv[0]);
935 static int action_luksResume(int arg __attribute__((unused)))
937 struct crypt_device *cd = NULL;
940 if ((r = crypt_init_by_name(&cd, action_argv[0])))
943 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
947 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
948 opt_key_file, opt_keyfile_size);
950 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
957 static int action_luksBackup(int arg __attribute__((unused)))
959 struct crypt_device *cd = NULL;
962 if (!opt_header_backup_file) {
963 log_err(_("Option --header-backup-file is required.\n"));
967 if ((r = crypt_init(&cd, action_argv[0])))
970 crypt_set_confirm_callback(cd, _yesDialog, NULL);
972 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
978 static int action_luksRestore(int arg __attribute__((unused)))
980 struct crypt_device *cd = NULL;
983 if (!opt_header_backup_file) {
984 log_err(_("Option --header-backup-file is required.\n"));
988 if ((r = crypt_init(&cd, action_argv[0])))
991 crypt_set_confirm_callback(cd, _yesDialog, NULL);
992 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
998 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
999 int exitcode, const char *error,
1002 poptPrintUsage(popt_context, stderr, 0);
1004 log_err("%s: %s\n", more, error);
1008 static void help(poptContext popt_context,
1009 enum poptCallbackReason reason __attribute__((unused)),
1010 struct poptOption *key,
1011 const char *arg __attribute__((unused)),
1012 void *data __attribute__((unused)))
1014 if (key->shortName == '?') {
1015 struct action_type *action;
1017 log_std("%s\n",PACKAGE_STRING);
1019 poptPrintHelp(popt_context, stdout, 0);
1022 "<action> is one of:\n"));
1024 for(action = action_types; action->type; action++)
1025 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1028 "<name> is the device to create under %s\n"
1029 "<device> is the encrypted device\n"
1030 "<key slot> is the LUKS key slot number to modify\n"
1031 "<key file> optional key file for the new key for luksAddKey action\n"),
1034 log_std(_("\nDefault compiled-in keyfile parameters:\n"
1035 "\tMaximum keyfile size: %dkB, "
1036 "Maximum interactive passphrase length %d (characters)\n"),
1037 DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
1039 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1040 "\tloop-AES: %s, Key %d bits\n"
1041 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1042 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1043 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1044 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1045 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1049 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1052 static void _dbg_version_and_cmd(int argc, const char **argv)
1056 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1057 for (i = 0; i < argc; i++) {
1060 log_std("%s", argv[i]);
1065 static int run_action(struct action_type *action)
1069 log_dbg("Running command %s.", action->type);
1071 if (action->required_memlock)
1072 crypt_memory_lock(NULL, 1);
1074 r = action->handler(action->arg);
1076 if (action->required_memlock)
1077 crypt_memory_lock(NULL, 0);
1079 /* Some functions returns keyslot # */
1085 /* Translate exit code to simple codes */
1087 case 0: r = EXIT_SUCCESS; break;
1089 case -EBUSY: r = 5; break;
1091 case -ENODEV: r = 4; break;
1092 case -ENOMEM: r = 3; break;
1093 case -EPERM: r = 2; break;
1097 default: r = EXIT_FAILURE;
1102 int main(int argc, const char **argv)
1104 static char *popt_tmp;
1105 static struct poptOption popt_help_options[] = {
1106 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1107 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1108 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1111 static struct poptOption popt_options[] = {
1112 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1113 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1114 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1115 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1116 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1117 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1118 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1119 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1120 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1121 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1122 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1123 { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1124 { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1125 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1126 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1127 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1128 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1129 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1130 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1131 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1132 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1133 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1134 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1135 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1136 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1137 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1138 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1141 poptContext popt_context;
1142 struct action_type *action;
1145 const char *null_action_argv[] = {NULL};
1147 crypt_set_log_callback(NULL, _log, NULL);
1149 setlocale(LC_ALL, "");
1150 bindtextdomain(PACKAGE, LOCALEDIR);
1151 textdomain(PACKAGE);
1153 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1154 poptSetOtherOptionHelp(popt_context,
1155 N_("[OPTION...] <action> <action-specific>]"));
1157 while((r = poptGetNextOpt(popt_context)) > 0) {
1158 unsigned long long ull_value;
1161 ull_value = strtoull(popt_tmp, &endp, 0);
1162 if (*endp || !*popt_tmp)
1163 r = POPT_ERROR_BADNUMBER;
1167 opt_size = ull_value;
1170 opt_offset = ull_value;
1173 opt_skip = ull_value;
1183 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1184 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1185 if (opt_version_mode) {
1186 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1190 if (!(aname = poptGetArg(popt_context)))
1191 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1192 poptGetInvocationName(popt_context));
1193 for(action = action_types; action->type; action++)
1194 if (strcmp(action->type, aname) == 0)
1197 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1198 poptGetInvocationName(popt_context));
1201 action_argv = poptGetArgs(popt_context);
1202 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1204 action_argv = null_action_argv;
1206 /* Count args, somewhat unnice, change? */
1207 while(action_argv[action_argc] != NULL)
1210 if(action_argc < action->required_action_argc) {
1212 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1213 usage(popt_context, EXIT_FAILURE, buf,
1214 poptGetInvocationName(popt_context));
1217 /* FIXME: rewrite this from scratch */
1220 strcmp(aname, "luksFormat") &&
1221 strcmp(aname, "create") &&
1222 strcmp(aname, "loopaesOpen")) {
1223 usage(popt_context, EXIT_FAILURE,
1224 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1225 "To limit read from keyfile use --keyfile-size=(bytes)."),
1226 poptGetInvocationName(popt_context));
1229 if (opt_key_size % 8)
1230 usage(popt_context, EXIT_FAILURE,
1231 _("Key size must be a multiple of 8 bits"),
1232 poptGetInvocationName(popt_context));
1234 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1235 opt_key_slot = atoi(action_argv[1]);
1236 if (opt_key_slot != CRYPT_ANY_SLOT &&
1237 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1238 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1239 poptGetInvocationName(popt_context));
1241 if ((!strcmp(aname, "luksRemoveKey") ||
1242 !strcmp(aname, "luksFormat")) &&
1245 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1247 opt_key_file = action_argv[1];
1250 if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
1251 usage(popt_context, EXIT_FAILURE,
1252 _("Negative number for option not permitted."),
1253 poptGetInvocationName(popt_context));
1256 if (opt_random && opt_urandom)
1257 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1258 poptGetInvocationName(popt_context));
1259 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1260 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1261 poptGetInvocationName(popt_context));
1263 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1264 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1265 poptGetInvocationName(popt_context));
1267 if (opt_skip && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1268 usage(popt_context, EXIT_FAILURE,
1269 _("Option --skip is supported only for create and loopaesOpen commands.\n"),
1270 poptGetInvocationName(popt_context));
1272 if (opt_offset && strcmp(aname, "create") && strcmp(aname, "loopaesOpen"))
1273 usage(popt_context, EXIT_FAILURE,
1274 _("Option --offset is supported only for create and loopaesOpen commands.\n"),
1275 poptGetInvocationName(popt_context));
1279 crypt_set_debug_level(-1);
1280 _dbg_version_and_cmd(argc, argv);
1283 return run_action(action);