2 * cryptsetup - setup cryptographic volumes for dm-crypt
4 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
5 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6 * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * version 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
33 #include <libcryptsetup.h>
36 #include "../config.h"
38 #include "cryptsetup.h"
40 static int opt_verbose = 0;
41 static int opt_debug = 0;
42 static char *opt_cipher = NULL;
43 static char *opt_hash = NULL;
44 static int opt_verify_passphrase = 0;
45 static char *opt_key_file = NULL;
46 static char *opt_master_key_file = NULL;
47 static char *opt_header_backup_file = NULL;
48 static char *opt_uuid = NULL;
49 static unsigned int opt_key_size = 0;
50 static unsigned int opt_keyfile_size = 0;
51 static unsigned int opt_new_keyfile_size = 0;
52 static int opt_key_slot = CRYPT_ANY_SLOT;
53 static uint64_t opt_size = 0;
54 static uint64_t opt_offset = 0;
55 static uint64_t opt_skip = 0;
56 static int opt_readonly = 0;
57 static int opt_iteration_time = 1000;
58 static int opt_batch_mode = 0;
59 static int opt_version_mode = 0;
60 static int opt_timeout = 0;
61 static int opt_tries = 3;
62 static int opt_align_payload = 0;
63 static int opt_random = 0;
64 static int opt_urandom = 0;
65 static int opt_dump_master_key = 0;
67 static const char **action_argv;
68 static int action_argc;
70 static int action_create(int arg);
71 static int action_remove(int arg);
72 static int action_resize(int arg);
73 static int action_status(int arg);
74 static int action_luksFormat(int arg);
75 static int action_luksOpen(int arg);
76 static int action_luksAddKey(int arg);
77 static int action_luksKillSlot(int arg);
78 static int action_luksRemoveKey(int arg);
79 static int action_luksChangeKey(int arg);
80 static int action_isLuks(int arg);
81 static int action_luksUUID(int arg);
82 static int action_luksDump(int arg);
83 static int action_luksSuspend(int arg);
84 static int action_luksResume(int arg);
85 static int action_luksBackup(int arg);
86 static int action_luksRestore(int arg);
87 static int action_loopaesOpen(int arg);
89 static struct action_type {
93 int required_action_argc;
98 { "create", action_create, 0, 2, 1, N_("<name> <device>"),N_("create device") },
99 { "remove", action_remove, 0, 1, 1, N_("<name>"), N_("remove device") },
100 { "resize", action_resize, 0, 1, 1, N_("<name>"), N_("resize active device") },
101 { "status", action_status, 0, 1, 0, N_("<name>"), N_("show device status") },
102 { "luksFormat", action_luksFormat, 0, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
103 { "luksOpen", action_luksOpen, 0, 2, 1, N_("<device> <name> "), N_("open LUKS device as mapping <name>") },
104 { "luksAddKey", action_luksAddKey, 0, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
105 { "luksRemoveKey",action_luksRemoveKey, 0, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
106 { "luksChangeKey",action_luksChangeKey, 0, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
107 { "luksKillSlot", action_luksKillSlot, 0, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
108 { "luksUUID", action_luksUUID, 0, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
109 { "isLuks", action_isLuks, 0, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
110 { "luksClose", action_remove, 0, 1, 1, N_("<name>"), N_("remove LUKS mapping") },
111 { "luksDump", action_luksDump, 0, 1, 0, N_("<device>"), N_("dump LUKS partition information") },
112 { "luksSuspend",action_luksSuspend, 0, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
113 { "luksResume", action_luksResume, 0, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
114 { "luksHeaderBackup",action_luksBackup, 0, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
115 { "luksHeaderRestore",action_luksRestore,0,1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") },
116 { "loopaesOpen",action_loopaesOpen, 0, 2, 1, N_("<device> <name> "), N_("open loop-AES device as mapping <name>") },
117 { "loopaesClose",action_remove, 0, 1, 1, N_("<name>"), N_("remove loop-AES mapping") },
118 { NULL, NULL, 0, 0, 0, NULL, NULL }
121 static void clogger(struct crypt_device *cd, int level, const char *file,
122 int line, const char *format, ...)
127 va_start(argp, format);
129 if (vasprintf(&target, format, argp) > 0) {
131 crypt_log(cd, level, target);
133 } else if (opt_debug)
134 printf("# %s:%d %s\n", file ?: "?", line, target);
136 } else if (opt_debug)
137 printf("# %s\n", target);
145 static int _yesDialog(const char *msg, void *usrptr)
151 if(isatty(0) && !opt_batch_mode) {
152 log_std("\nWARNING!\n========\n");
153 log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
154 if(getline(&answer, &size, stdin) == -1) {
159 if(strcmp(answer, "YES\n"))
167 static void _log(int level, const char *msg, void *usrptr)
171 case CRYPT_LOG_NORMAL:
174 case CRYPT_LOG_VERBOSE:
178 case CRYPT_LOG_ERROR:
182 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
187 static void show_status(int errcode)
189 char error[256], *error_;
195 log_std(_("Command successful.\n"));
199 crypt_get_error(error, sizeof(error));
202 error_ = strerror_r(-errcode, error, sizeof(error));
203 if (error_ != error) {
204 strncpy(error, error_, sizeof(error));
205 error[sizeof(error) - 1] = '\0';
209 log_err(_("Command failed with code %i"), -errcode);
211 log_err(": %s\n", error);
216 static int action_create(int arg)
218 struct crypt_device *cd = NULL;
219 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
220 struct crypt_params_plain params = {
221 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
223 .offset = opt_offset,
225 char *password = NULL;
226 unsigned int passwordLen;
227 unsigned int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
230 if (params.hash && !strcmp(params.hash, "plain"))
233 /* FIXME: temporary hack */
234 if (opt_key_file && strcmp(opt_key_file, "-"))
237 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
238 cipher, NULL, cipher_mode);
240 log_err("No known cipher specification pattern detected.\n");
244 if ((r = crypt_init(&cd, action_argv[1])))
247 crypt_set_timeout(cd, opt_timeout);
248 crypt_set_password_retry(cd, opt_tries);
250 r = crypt_format(cd, CRYPT_PLAIN,
259 r = crypt_activate_by_keyfile(cd, action_argv[0],
260 CRYPT_ANY_SLOT, opt_key_file, key_size,
261 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
263 r = crypt_get_key(_("Enter passphrase: "),
264 &password, &passwordLen, 0, NULL,
266 opt_batch_mode ? 0 : opt_verify_passphrase,
271 r = crypt_activate_by_passphrase(cd, action_argv[0],
272 CRYPT_ANY_SLOT, password, passwordLen,
273 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
277 crypt_safe_free(password);
282 static int action_loopaesOpen(int arg)
284 struct crypt_device *cd = NULL;
285 struct crypt_params_loopaes params = {
286 .hash = opt_hash ?: NULL, // FIXME
287 .offset = opt_offset,
289 unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
293 log_err(_("Option --key-file is required.\n"));
297 if ((r = crypt_init(&cd, action_argv[0])))
300 r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
301 NULL, NULL, NULL, key_size, ¶ms);
305 r = crypt_activate_by_keyfile(cd, action_argv[1],
306 CRYPT_ANY_SLOT, opt_key_file, 0,
307 opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
314 static int action_remove(int arg)
316 struct crypt_device *cd = NULL;
319 r = crypt_init_by_name(&cd, action_argv[0]);
321 r = crypt_deactivate(cd, action_argv[0]);
327 static int action_resize(int arg)
329 struct crypt_device *cd = NULL;
332 r = crypt_init_by_name(&cd, action_argv[0]);
334 r = crypt_resize(cd, action_argv[0], opt_size);
340 static int action_status(int arg)
342 crypt_status_info ci;
343 struct crypt_active_device cad;
344 struct crypt_device *cd = NULL;
349 ci = crypt_status(NULL, action_argv[0]);
355 log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
359 log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
360 ci == CRYPT_BUSY ? " and is in use" : "");
361 r = crypt_init_by_name(&cd, action_argv[0]);
362 if (r < 0 || !crypt_get_type(cd))
365 log_std(" type: %s\n", crypt_get_type(cd));
367 r = crypt_get_active_device(cd, action_argv[0], &cad);
371 log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
372 log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
373 device = crypt_get_device_name(cd);
374 log_std(" device: %s\n", device);
375 if (crypt_loop_device(device)) {
376 backing_file = crypt_loop_backing_file(device);
377 log_std(" loop: %s\n", backing_file);
380 log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
381 log_std(" size: %" PRIu64 " sectors\n", cad.size);
383 log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
384 log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
385 "readonly" : "read/write");
392 static int _read_mk(const char *file, char **key, int keysize)
396 *key = crypt_safe_alloc(keysize);
400 fd = open(file, O_RDONLY);
402 log_err("Cannot read keyfile %s.\n", file);
405 if ((read(fd, *key, keysize) != keysize)) {
406 log_err("Cannot read %d bytes from keyfile %s.\n", keysize, file);
413 crypt_safe_free(*key);
418 static int action_luksFormat(int arg)
420 int r = -EINVAL, keysize;
421 char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
422 char *password = NULL;
423 unsigned int passwordLen;
424 struct crypt_device *cd = NULL;
425 struct crypt_params_luks1 params = {
426 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
427 .data_alignment = opt_align_payload,
430 if(asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]) == -1) {
431 log_err(_("memory allocation error in action_luksFormat"));
435 r = _yesDialog(msg, NULL) ? 0 : -EINVAL;
440 r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
441 cipher, NULL, cipher_mode);
443 log_err("No known cipher specification pattern detected.\n");
447 if ((r = crypt_init(&cd, action_argv[0])))
450 keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
452 crypt_set_password_verify(cd, 1);
453 crypt_set_timeout(cd, opt_timeout);
454 if (opt_iteration_time)
455 crypt_set_iterarion_time(cd, opt_iteration_time);
458 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
459 else if (opt_urandom)
460 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
462 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
463 opt_keyfile_size, opt_key_file, opt_timeout,
464 opt_batch_mode ? 0 : 1 /* always verify */, cd);
468 if (opt_master_key_file) {
469 r = _read_mk(opt_master_key_file, &key, keysize);
474 r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
475 opt_uuid, key, keysize, ¶ms);
479 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
481 password, passwordLen);
484 crypt_safe_free(key);
485 crypt_safe_free(password);
490 static int action_luksOpen(int arg)
492 struct crypt_device *cd = NULL;
496 if ((r = crypt_init(&cd, action_argv[0])))
499 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
502 crypt_set_timeout(cd, opt_timeout);
503 crypt_set_password_retry(cd, opt_tries);
505 if (opt_iteration_time)
506 crypt_set_iterarion_time(cd, opt_iteration_time);
508 flags |= CRYPT_ACTIVATE_READONLY;
511 crypt_set_password_retry(cd, 1);
512 r = crypt_activate_by_keyfile(cd, action_argv[1],
513 CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
516 r = crypt_activate_by_passphrase(cd, action_argv[1],
517 CRYPT_ANY_SLOT, NULL, 0, flags);
523 static int verify_keyslot(struct crypt_device *cd, int key_slot,
524 char *msg_last, char *msg_pass,
525 const char *key_file, int keyfile_size)
527 crypt_keyslot_info ki;
528 char *password = NULL;
529 unsigned int passwordLen, i;
532 ki = crypt_keyslot_status(cd, key_slot);
533 if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
536 r = crypt_get_key(msg_pass, &password, &passwordLen,
537 keyfile_size, key_file, opt_timeout,
538 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
542 if (ki == CRYPT_SLOT_ACTIVE_LAST) {
543 /* check the last keyslot */
544 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
545 password, passwordLen, 0);
547 /* try all other keyslots */
548 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
551 ki = crypt_keyslot_status(cd, key_slot);
552 if (ki == CRYPT_SLOT_ACTIVE)
553 r = crypt_activate_by_passphrase(cd, NULL, i,
554 password, passwordLen, 0);
561 log_err(_("No key available with this passphrase.\n"));
563 crypt_safe_free(password);
567 static int action_luksKillSlot(int arg)
569 struct crypt_device *cd = NULL;
572 if ((r = crypt_init(&cd, action_argv[0])))
575 crypt_set_confirm_callback(cd, _yesDialog, NULL);
576 crypt_set_timeout(cd, opt_timeout);
578 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
581 switch (crypt_keyslot_status(cd, opt_key_slot)) {
582 case CRYPT_SLOT_ACTIVE_LAST:
583 case CRYPT_SLOT_ACTIVE:
584 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
586 case CRYPT_SLOT_INACTIVE:
587 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
588 case CRYPT_SLOT_INVALID:
592 if (!opt_batch_mode) {
593 r = verify_keyslot(cd, opt_key_slot,
594 _("This is the last keyslot. Device will become unusable after purging this key."),
595 _("Enter any remaining LUKS passphrase: "),
596 opt_key_file, opt_keyfile_size);
601 r = crypt_keyslot_destroy(cd, opt_key_slot);
607 static int action_luksRemoveKey(int arg)
609 struct crypt_device *cd = NULL;
610 char *password = NULL;
611 unsigned int passwordLen;
614 if ((r = crypt_init(&cd, action_argv[0])))
617 crypt_set_confirm_callback(cd, _yesDialog, NULL);
618 crypt_set_timeout(cd, opt_timeout);
620 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
623 r = crypt_get_key(_("Enter LUKS passphrase to be deleted: "),
624 &password, &passwordLen,
625 opt_keyfile_size, opt_key_file,
627 opt_batch_mode ? 0 : opt_verify_passphrase,
632 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
633 password, passwordLen, 0);
638 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
640 if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
641 !_yesDialog(_("This is the last keyslot. "
642 "Device will become unusable after purging this key."),
648 r = crypt_keyslot_destroy(cd, opt_key_slot);
650 crypt_safe_free(password);
655 static int action_luksAddKey(int arg)
657 int r = -EINVAL, keysize = 0;
659 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
660 struct crypt_device *cd = NULL;
662 if ((r = crypt_init(&cd, action_argv[0])))
665 crypt_set_confirm_callback(cd, _yesDialog, NULL);
667 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
670 keysize = crypt_get_volume_key_size(cd);
671 crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0);
672 crypt_set_timeout(cd, opt_timeout);
673 if (opt_iteration_time)
674 crypt_set_iterarion_time(cd, opt_iteration_time);
676 if (opt_master_key_file) {
677 r = _read_mk(opt_master_key_file, &key, keysize);
680 //FIXME: process keyfile arg
681 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
682 key, keysize, NULL, 0);
683 } else if (opt_key_file || opt_new_key_file) {
684 r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
685 opt_key_file, opt_keyfile_size,
686 opt_new_key_file, opt_new_keyfile_size);
688 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
693 crypt_safe_free(key);
697 static int _slots_full(struct crypt_device *cd)
701 for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++)
702 if (crypt_keyslot_status(cd, i) == CRYPT_SLOT_INACTIVE)
707 static int action_luksChangeKey(int arg)
709 const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
710 struct crypt_device *cd = NULL;
711 char *vk = NULL, *password = NULL;
712 unsigned int passwordLen = 0;
714 int new_key_slot, old_key_slot, r;
716 if ((r = crypt_init(&cd, action_argv[0])))
719 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
722 r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
723 &password, &passwordLen,
724 opt_keyfile_size, opt_key_file, opt_timeout,
725 opt_batch_mode ? 0 : opt_verify_passphrase, cd);
729 vk_size = crypt_get_volume_key_size(cd);
730 vk = crypt_safe_alloc(vk_size);
736 r = crypt_volume_key_get(cd, opt_key_slot, vk, &vk_size,
737 password, passwordLen);
739 if (opt_key_slot != CRYPT_ANY_SLOT)
740 log_err(_("No key available with this passphrase.\n"));
744 if (opt_key_slot != CRYPT_ANY_SLOT || _slots_full(cd)) {
745 log_dbg("Key slot %d is going to be overwritten (%s).",
746 r, opt_key_slot != CRYPT_ANY_SLOT ?
747 "explicit key slot specified" : "no free key slot");
751 log_dbg("Allocating new key slot.");
753 new_key_slot = CRYPT_ANY_SLOT;
756 crypt_safe_free(password);
759 r = crypt_get_key(_("Enter new LUKS passphrase: "),
760 &password, &passwordLen,
761 opt_new_keyfile_size, opt_new_key_file,
762 opt_timeout, opt_batch_mode ? 0 : 1, cd);
766 if (new_key_slot == old_key_slot) {
767 (void)crypt_keyslot_destroy(cd, old_key_slot);
768 r = crypt_keyslot_add_by_volume_key(cd, new_key_slot,
770 password, passwordLen);
772 log_verbose(_("Key slot %d changed.\n"), r);
774 r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT,
776 password, passwordLen);
778 log_verbose(_("Replaced with key slot %d.\n"), r);
779 r = crypt_keyslot_destroy(cd, old_key_slot);
783 log_err(_("Failed to swap new key slot.\n"));
786 crypt_safe_free(password);
791 static int action_isLuks(int arg)
793 struct crypt_device *cd = NULL;
796 if ((r = crypt_init(&cd, action_argv[0])))
799 r = crypt_load(cd, CRYPT_LUKS1, NULL);
805 static int action_luksUUID(int arg)
807 struct crypt_device *cd = NULL;
808 const char *existing_uuid = NULL;
811 if ((r = crypt_init(&cd, action_argv[0])))
814 crypt_set_confirm_callback(cd, _yesDialog, NULL);
816 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
820 r = crypt_set_uuid(cd, opt_uuid);
822 existing_uuid = crypt_get_uuid(cd);
823 log_std("%s\n", existing_uuid ?: "");
824 r = existing_uuid ? 0 : 1;
831 static int luksDump_with_volume_key(struct crypt_device *cd)
833 char *vk = NULL, *password = NULL;
834 unsigned int passwordLen = 0;
838 crypt_set_confirm_callback(cd, _yesDialog, NULL);
840 _("LUKS header dump with volume key is sensitive information\n"
841 "which allows access to encrypted partition without passphrase.\n"
842 "This dump should be always stored encrypted on safe place."),
846 vk_size = crypt_get_volume_key_size(cd);
847 vk = crypt_safe_alloc(vk_size);
851 r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
852 opt_keyfile_size, opt_key_file, opt_timeout, 0, cd);
856 r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
857 password, passwordLen);
861 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
862 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
863 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
864 log_std("Payload offset:\t%d\n", crypt_get_data_offset(cd));
865 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
866 log_std("MK bits: \t%d\n", vk_size * 8);
867 log_std("MK dump:\t");
869 for(i = 0; i < vk_size; i++) {
872 log_std("%02hhx ", (char)vk[i]);
877 crypt_safe_free(password);
882 static int action_luksDump(int arg)
884 struct crypt_device *cd = NULL;
887 if ((r = crypt_init(&cd, action_argv[0])))
890 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
893 if (opt_dump_master_key)
894 r = luksDump_with_volume_key(cd);
902 static int action_luksSuspend(int arg)
904 struct crypt_device *cd = NULL;
907 r = crypt_init_by_name(&cd, action_argv[0]);
909 r = crypt_suspend(cd, action_argv[0]);
915 static int action_luksResume(int arg)
917 struct crypt_device *cd = NULL;
920 if ((r = crypt_init_by_name(&cd, action_argv[0])))
923 if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
927 r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
928 opt_key_file, opt_keyfile_size);
930 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
937 static int action_luksBackup(int arg)
939 struct crypt_device *cd = NULL;
942 if (!opt_header_backup_file) {
943 log_err(_("Option --header-backup-file is required.\n"));
947 if ((r = crypt_init(&cd, action_argv[0])))
950 crypt_set_confirm_callback(cd, _yesDialog, NULL);
952 r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
958 static int action_luksRestore(int arg)
960 struct crypt_device *cd = NULL;
963 if (!opt_header_backup_file) {
964 log_err(_("Option --header-backup-file is required.\n"));
968 if ((r = crypt_init(&cd, action_argv[0])))
971 crypt_set_confirm_callback(cd, _yesDialog, NULL);
972 r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
978 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
979 int exitcode, const char *error,
982 poptPrintUsage(popt_context, stderr, 0);
984 log_err("%s: %s\n", more, error);
988 static void help(poptContext popt_context, enum poptCallbackReason reason,
989 struct poptOption *key, const char * arg, void *data)
991 if (key->shortName == '?') {
992 struct action_type *action;
994 log_std("%s\n",PACKAGE_STRING);
996 poptPrintHelp(popt_context, stdout, 0);
999 "<action> is one of:\n"));
1001 for(action = action_types; action->type; action++)
1002 log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1005 "<name> is the device to create under %s\n"
1006 "<device> is the encrypted device\n"
1007 "<key slot> is the LUKS key slot number to modify\n"
1008 "<key file> optional key file for the new key for luksAddKey action\n"),
1011 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1012 "\tloop-AES: %s, Key %d bits\n"
1013 "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1014 "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1015 DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1016 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1017 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1021 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1024 static void _dbg_version_and_cmd(int argc, char **argv)
1028 log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
1029 for (i = 0; i < argc; i++) {
1037 static int run_action(struct action_type *action)
1041 log_dbg("Running command %s.", action->type);
1043 if (action->required_memlock)
1044 crypt_memory_lock(NULL, 1);
1046 r = action->handler(action->arg);
1048 if (action->required_memlock)
1049 crypt_memory_lock(NULL, 0);
1051 /* Some functions returns keyslot # */
1057 /* Translate exit code to simple codes */
1059 case 0: r = EXIT_SUCCESS; break;
1061 case -EBUSY: r = 5; break;
1063 case -ENODEV: r = 4; break;
1064 case -ENOMEM: r = 3; break;
1065 case -EPERM: r = 2; break;
1069 default: r = EXIT_FAILURE;
1074 int main(int argc, char **argv)
1076 static char *popt_tmp;
1077 static struct poptOption popt_help_options[] = {
1078 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
1079 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
1080 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
1083 static struct poptOption popt_options[] = {
1084 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1085 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
1086 { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
1087 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
1088 { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1089 { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1090 { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
1091 { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
1092 { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
1093 { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1094 { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
1095 { "keyfile-size", 'l', POPT_ARG_INT, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
1096 { "new-keyfile-size", '\0', POPT_ARG_INT, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1097 { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
1098 { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
1099 { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
1100 { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1101 { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
1102 { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1103 { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
1104 { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1105 { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
1106 { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1107 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
1108 { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
1109 { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
1110 { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
1113 poptContext popt_context;
1114 struct action_type *action;
1117 const char *null_action_argv[] = {NULL};
1119 crypt_set_log_callback(NULL, _log, NULL);
1121 setlocale(LC_ALL, "");
1122 bindtextdomain(PACKAGE, LOCALEDIR);
1123 textdomain(PACKAGE);
1125 popt_context = poptGetContext(PACKAGE, argc, (const char **)argv,
1127 poptSetOtherOptionHelp(popt_context,
1128 N_("[OPTION...] <action> <action-specific>]"));
1130 while((r = poptGetNextOpt(popt_context)) > 0) {
1131 unsigned long long ull_value;
1134 ull_value = strtoull(popt_tmp, &endp, 0);
1135 if (*endp || !*popt_tmp)
1136 r = POPT_ERROR_BADNUMBER;
1140 opt_size = ull_value;
1143 opt_offset = ull_value;
1146 opt_skip = ull_value;
1155 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1156 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1157 if (opt_version_mode) {
1158 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1162 if (!(aname = (char *)poptGetArg(popt_context)))
1163 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1164 poptGetInvocationName(popt_context));
1165 for(action = action_types; action->type; action++)
1166 if (strcmp(action->type, aname) == 0)
1169 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1170 poptGetInvocationName(popt_context));
1173 action_argv = poptGetArgs(popt_context);
1174 /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1176 action_argv = null_action_argv;
1178 /* Count args, somewhat unnice, change? */
1179 while(action_argv[action_argc] != NULL)
1182 if(action_argc < action->required_action_argc) {
1184 snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
1185 usage(popt_context, EXIT_FAILURE, buf,
1186 poptGetInvocationName(popt_context));
1189 /* FIXME: rewrite this from scratch */
1192 strcmp(aname, "luksFormat") &&
1193 strcmp(aname, "create") &&
1194 strcmp(aname, "loopaesOpen")) {
1195 usage(popt_context, EXIT_FAILURE,
1196 _("Option --key-size is allowed only for luksFormat, create and loopaesOpen.\n"
1197 "To limit read from keyfile use --keyfile-size=(bytes)."),
1198 poptGetInvocationName(popt_context));
1201 if (opt_key_size % 8)
1202 usage(popt_context, EXIT_FAILURE,
1203 _("Key size must be a multiple of 8 bits"),
1204 poptGetInvocationName(popt_context));
1206 if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1207 opt_key_slot = atoi(action_argv[1]);
1208 if (opt_key_slot != CRYPT_ANY_SLOT &&
1209 (opt_key_slot < 0 || opt_key_slot > crypt_keyslot_max(CRYPT_LUKS1)))
1210 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1211 poptGetInvocationName(popt_context));
1213 if ((!strcmp(aname, "luksRemoveKey") ||
1214 !strcmp(aname, "luksFormat")) &&
1217 log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1219 opt_key_file = (char*)action_argv[1];
1222 if (opt_random && opt_urandom)
1223 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1224 poptGetInvocationName(popt_context));
1225 if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1226 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1227 poptGetInvocationName(popt_context));
1229 if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1230 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1231 poptGetInvocationName(popt_context));
1233 if ((opt_offset || opt_skip) && strcmp(aname, "create"))
1234 usage(popt_context, EXIT_FAILURE, _("Options --offset and --skip are supported only for create command.\n"),
1235 poptGetInvocationName(popt_context));
1239 crypt_set_debug_level(-1);
1240 _dbg_version_and_cmd(argc, argv);
1243 return run_action(action);
projects / platform / upstream / cryptsetup.git / blob