Allow volume key store in a file with cryptsetup.

The --dump-master-key together with --master-key-file allows cryptsetup
to store the volume key to a file instead of standard output.

man/cryptsetup.8

@@ -398,17 +398,19 @@ means the device is a LUKS device.
 Dump the header information of a LUKS device.
 
 If the \-\-dump\-master\-key option is used, the LUKS device master key is
-dumped instead of the keyslot info. Beware that the master key cannot be
-changed and can be used to decrypt the data stored in the LUKS container
-without a passphrase and even without the LUKS header. This means
-that if the master key is compromised, the whole device has to be
-erased to prevent further access. Use this option carefully.
+dumped instead of the keyslot info. Together with \-\-master\-key\-file option,
+master key is dumped to a file instead of standard output. Beware that the
+master key cannot be changed without reencryption and can be used to decrypt
+the data stored in the LUKS container without a passphrase and even without the
+LUKS header. This means that if the master key is compromised, the whole device
+has to be erased to prevent further access. Use this option carefully.
 
 To dump the master key, a passphrase has to be supplied,
 either interactively or via \-\-key\-file.
 
 \fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
-\-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks].
+\-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks,
+\-\-master\-key\-file].
 
 \fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file
 and the argument to \-\-key\-file is '-', no validation question
@@ -794,6 +796,10 @@ LUKS header and all other parameters are the same,
 then the new header decrypts the data encrypted with the
 header the master key was taken from.
 
+Action \fIluksDump\fR together with \-\-dump\-master\-key
+option: The volume (master) key is stored in a file instead of
+being printed out to standard output.
+
 \fBWARNING:\fR If you create your own master key, you
 need to make sure to do it right. Otherwise, you can end
 up with a low-entropy or otherwise partially predictable

src/Makemodule.am

@@ -4,6 +4,7 @@ if CRYPTSETUP
 cryptsetup_SOURCES =		\
 	lib/utils_crypt.c	\
 	lib/utils_loop.c	\
+	lib/utils_io.c		\
 	src/utils_tools.c	\
 	src/utils_password.c	\
 	src/cryptsetup.c	\
@@ -91,6 +92,7 @@ endif
 if REENCRYPT
 cryptsetup_reencrypt_SOURCES =		\
 	lib/utils_crypt.c		\
+	lib/utils_io.c			\
 	src/utils_tools.c		\
 	src/utils_password.c		\
 	src/cryptsetup_reencrypt.c	\

src/cryptsetup.c

@@ -1542,12 +1542,22 @@ static int luksDump_with_volume_key(struct crypt_device *cd)
 	if (r < 0)
 		goto out;
 
+	if (opt_master_key_file) {
+		r = tools_write_mk(opt_master_key_file, vk, vk_size);
+		if (r < 0)
+			goto out;
+	}
+
 	log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
 	log_std("Cipher name:   \t%s\n", crypt_get_cipher(cd));
 	log_std("Cipher mode:   \t%s\n", crypt_get_cipher_mode(cd));
 	log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
 	log_std("UUID:          \t%s\n", crypt_get_uuid(cd));
 	log_std("MK bits:       \t%d\n", (int)vk_size * 8);
+	if (opt_master_key_file) {
+		log_std("Key stored to file %s.\n", opt_master_key_file);
+		goto out;
+	}
 	log_std("MK dump:\t");
 
 	for(i = 0; i < vk_size; i++) {

src/cryptsetup.h

@@ -43,6 +43,7 @@
 #include "lib/utils_crypt.h"
 #include "lib/utils_loop.h"
 #include "lib/utils_fips.h"
+#include "lib/utils_io.h"
 
 #include "libcryptsetup.h"
 
@@ -99,6 +100,7 @@ void tools_time_progress(uint64_t device_size, uint64_t bytes,
 int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
 
 int tools_read_mk(const char *file, char **key, int keysize);
+int tools_write_mk(const char *file, const char *key, int keysize);
 
 /* Log */
 #define log_dbg(x...) clogger(NULL, CRYPT_LOG_DEBUG, __FILE__, __LINE__, x)

src/utils_password.c

@@ -329,3 +329,22 @@ fail:
 	*key = NULL;
 	return -EINVAL;
 }
+
+int tools_write_mk(const char *file, const char *key, int keysize)
+{
+	int fd, r = -EINVAL;
+
+	fd = open(file, O_WRONLY);
+	if (fd < 0) {
+		log_err(_("Cannot open keyfile %s for write.\n"), file);
+		return r;
+	}
+
+	if (write_buffer(fd, key, keysize) == keysize)
+		r = 0;
+	else
+		log_err(_("Cannot write to keyfile %s.\n"), file);
+
+	close(fd);
+	return r;
+}