Rename option hidden to tcrypt-hidden.
#define CRYPT_TCRYPT_HIDDEN_HEADER (1 << 1)
/** Try to load backup header */
#define CRYPT_TCRYPT_BACKUP_HEADER (1 << 2)
+/** Device contains encrypted system (with boot loader) */
+#define CRYPT_TCRYPT_SYSTEM_HEADER (1 << 3)
struct crypt_params_tcrypt {
const char *passphrase; /**< passphrase to unlock header (input only) */
}
r = -EIO;
- if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
+ if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
+ if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
+ read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+ } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
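Review bot: With both CRYPT_TCRYPT_SYSTEM_HEADER and CRYPT_TCRYPT_HIDDEN_HEADER set, the new `else if` lets the system header win and the hidden flag is silently ignored; the CLI check added in the cryptsetup.c hunk (`(opt_tcrypt_hidden || opt_tcrypt_system) && strcmp(aname, "tcryptDump")`) only validates the device type, so `--tcrypt-hidden --tcrypt-system` passes both flags through to here. Either reject the combination up front, `if ((params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) && (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER)) return -EINVAL;`, or state the precedence on the new flag in the public header, e.g. `/** Device contains encrypted system (with boot loader); takes precedence over the hidden header flag */`. The system branch also does not consult CRYPT_TCRYPT_BACKUP_HEADER, which may be intended but deserves a one-line comment. The enclosing function starts before and ends after this hunk.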
/* No real header loaded, initialized by active device */
if (!hdr->d.version)
- return hdr->d.mk_offset / hdr->d.sector_size;
+ goto hdr_offset;
+
+ /* Mapping through whole device, not partition! */
+ if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
+ goto hdr_offset;
if (params->mode && !strncmp(params->mode, "xts", 3)) {
if (hdr->d.version < 3)
return (size - hdr->d.hidden_volume_size +
(TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
}
- return (hdr->d.mk_offset / hdr->d.sector_size);
+ goto hdr_offset;
}
if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
(TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
}
- // FIXME: system vol.
+hdr_offset:
return hdr->d.mk_offset / hdr->d.sector_size;
}
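Review bot: Three `goto hdr_offset` jumps now land on a single `return hdr->d.mk_offset / hdr->d.sector_size;`; returning that expression directly at each site (or through a tiny static helper) reads more simply than a label whose only purpose is to replace the old FIXME. The `!hdr->d.version` path is described as "initialized by active device" and now shares the same division by `hdr->d.sector_size`; if that field can be zero in the no-header case, a guard or a comment saying who guarantees it is non-zero would help. The function's signature lies outside the hunk.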
#define TCRYPT_HDR_HIDDEN_OFFSET_BCK -65536
#define TCRYPT_HDR_OFFSET_BCK -131072
+#define TCRYPT_HDR_SYSTEM_OFFSET 31744
+
#define TCRYPT_LRW_IKEY_LEN 16
#define TCRYPT_KEY_POOL_LEN 64
#define TCRYPT_KEYFILE_LEN 1048576
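Review bot: TCRYPT_HDR_SYSTEM_OFFSET is a bare magic number next to two offsets that are negative and used with SEEK_END, while this one is positive and used with SEEK_SET, so the asymmetry is easy to misread. A derivation comment would make it self-explanatory, e.g. `/* System header: sector 62 of the boot device, 62 * 512 bytes from the start */` (31744 = 62 * 512; the 512-byte sector assumption should be confirmed against the header parsing code).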
The \fBtcryptDump\fR command should work for all recognized TCRYPT devices
and doesn't require superuser privilege.
+To map system device (device with boot loader where the whole encrypted
+system resides) use \fB\-\-tcrypt-system\fR option. Use the whole
+device not the system partition as the device parameter.
+
To use hidden header (and map hidden device, if available),
-use \fB\-\-hidden\fR option.
+use \fB\-\-tcrypt-hidden\fR option.
.PP
\fIopen\fR \-\-type tcrypt <device> <name>
.br
.IP
Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
-\fB<options>\fR can be [\-\-key-file, \-\-hidden, \-\-readonly,
-\-\-test-passphrase].
+\fB<options>\fR can be [\-\-key-file, \-\-tcrypt-hidden, \-\-tcrypt-system,
+\-\-readonly, \-\-test-passphrase].
The keyfile parameter allows combination of file content with the
passphrase and can be repeated. Note that using keyfiles is compatible
This means that if the master key is compromised, the whole device has
to be erased to prevent further access. Use this option carefully.
-\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-hidden].
+\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-tcrypt-hidden,
+\-\-tcrypt-system].
The keyfile parameter allows combination of file content with the
passphrase and can be repeated.
static int opt_shared = 0;
static int opt_allow_discards = 0;
static int opt_test_passphrase = 0;
-static int opt_hidden = 0;
+static int opt_tcrypt_hidden = 0;
+static int opt_tcrypt_system = 0;
static const char **action_argv;
static int action_argc;
if (r < 0)
goto out;
- if (opt_hidden)
+ if (opt_tcrypt_hidden)
params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
+ if (opt_tcrypt_system)
+ params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+
r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
check_signal(&r);
if (r < 0)
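Review bot: The four lines that translate `opt_tcrypt_hidden`/`opt_tcrypt_system` into `params.flags` are duplicated verbatim in the next hunk (the second `crypt_load(cd, CRYPT_TCRYPT, &params)` call site); a small static helper such as `static void tcrypt_set_flags(struct crypt_params_tcrypt *params)` would keep both actions in step when a further flag is added. Neither site rejects the two options being given together, so the combination is decided by whichever flag the library checks first.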
if (r < 0)
goto out;
- if (opt_hidden)
+ if (opt_tcrypt_hidden)
params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
+ if (opt_tcrypt_system)
+ params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+
r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
check_signal(&r);
if (r < 0)
{ "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
{ "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
{ "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
- { "hidden", '\0', POPT_ARG_NONE, &opt_hidden, 0, N_("Use hidden header (hidden TCRYPT device) ."), NULL },
+ { "tcrypt-hidden", '\0', POPT_ARG_NONE, &opt_tcrypt_hidden, 0, N_("Use hidden header (hidden TCRYPT device)."), NULL },
+ { "tcrypt-system", '\0', POPT_ARG_NONE, &opt_tcrypt_system, 0, N_("Device is system TCRYPT drive (with bootloader)."), NULL },
{ "type", 'M', POPT_ARG_STRING, &opt_type, 0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL },
- { "force-password", '\0', POPT_ARG_NONE, &opt_force_password, 0, N_("Disable password quality check (if enabled)."), NULL },
+ { "force-password", '\0', POPT_ARG_NONE, &opt_force_password, 0, N_("Disable password quality check (if enabled)."), NULL },
POPT_TABLEEND
};
poptContext popt_context;
_("Option --offset is supported only for open of plain and loopaes devices.\n"),
poptGetInvocationName(popt_context));
- if (opt_hidden && strcmp(aname, "tcryptDump") &&
+ if ((opt_tcrypt_hidden || opt_tcrypt_system) && strcmp(aname, "tcryptDump") &&
(strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
usage(popt_context, EXIT_FAILURE,
- _("Option --hidden is supported only for TCRYPT device.\n"),
+ _("Option --tcrypt-hidden or --tcrypt-system is supported only for TCRYPT device.\n"),
poptGetInvocationName(popt_context));
if (opt_debug) {
echo "HEADER CHECK (HIDDEN)"
for file in $(ls $TST_DIR/tc_*-hidden) ; do
echo -n " $file (hidden)"
- echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --hidden $file >/dev/null || fail
+ echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden $file >/dev/null || fail
echo " [OK]"
done
echo "HEADER KEYFILES CHECK"
for file in $(ls $TST_DIR/tck_*) ; do
- echo -n " $file (hidden)"
+ echo -n " $file"
echo $PASSWORD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail
echo " [OK]"
done
echo "ACTIVATION FS UUID (HIDDEN) CHECK (LRW/XTS modes only)"
for file in $(ls $TST_DIR/tc_*-lrw-*-hidden $TST_DIR/tc_*-xts-*-hidden) ; do
echo -n " $file"
- echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --hidden || fail
+ echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --tcrypt-hidden || fail
UUID=$(lsblk -n -o UUID /dev/mapper/$MAP)
$CRYPTSETUP remove $MAP || fail
[ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed."