diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index d9755e31..df9126f3 100644
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -398,17 +398,19 @@ means the device is a LUKS device. Dump the header information of a LUKS device. If the \-\-dump\-master\-key option is used, the LUKS device master key is
-dumped instead of the keyslot info. Beware that the master key cannot be
-changed and can be used to decrypt the data stored in the LUKS container
-without a passphrase and even without the LUKS header. This means
-that if the master key is compromised, the whole device has to be
-erased to prevent further access. Use this option carefully.
+dumped instead of the keyslot info. Together with \-\-master\-key\-file option,
+master key is dumped to a file instead of standard output. Beware that the
+master key cannot be changed without reencryption and can be used to decrypt
+the data stored in the LUKS container without a passphrase and even without the
+LUKS header. This means that if the master key is compromised, the whole device
+has to be erased to prevent further access. Use this option carefully.
 To dump the master key, a passphrase has to be supplied, either interactively or via \-\-key\-file. \fB\fR can be [\-\-dump\-master\-key, \-\-key\-file,
-\-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks].
+\-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks,
+\-\-master\-key\-file].
 \fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file and the argument to \-\-key\-file is '-', no validation question
@@ -794,6 +796,10 @@ LUKS header and all other parameters are the same, then the new header decrypts the data encrypted with the header the master key was taken from.
+Action \fIluksDump\fR together with \-\-dump\-master\-key
+option: The volume (master) key is stored in a file instead of
+being printed out to standard output.
+
 \fBWARNING:\fR If you create your own master key, you need to make sure to do it right. Otherwise, you can end up with a low-entropy or otherwise partially predictable
diff --git a/src/Makemodule.am b/src/Makemodule.am
index b6889ebf..e8392415 100644
--- a/src/Makemodule.am
+++ b/src/Makemodule.am
@@ -4,6 +4,7 @@ if CRYPTSETUP
 cryptsetup_SOURCES = \
 lib/utils_crypt.c \
 lib/utils_loop.c \
+ lib/utils_io.c \
 src/utils_tools.c \
 src/utils_password.c \
 src/cryptsetup.c \
@@ -91,6 +92,7 @@ endif
 if REENCRYPT
 cryptsetup_reencrypt_SOURCES = \
 lib/utils_crypt.c \
+ lib/utils_io.c \
 src/utils_tools.c \
 src/utils_password.c \
 src/cryptsetup_reencrypt.c \
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 9b166aed..ef3d3baa 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -1542,12 +1542,22 @@ static int luksDump_with_volume_key(struct crypt_device *cd)
 if (r < 0)
 goto out;
+ if (opt_master_key_file) {
+ r = tools_write_mk(opt_master_key_file, vk, vk_size);
+ if (r < 0)
+ goto out;
+ }
+
 log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
 log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
 log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
 log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
 log_std("UUID: \t%s\n", crypt_get_uuid(cd));
 log_std("MK bits: \t%d\n", (int)vk_size * 8);
+ if (opt_master_key_file) {
+ log_std("Key stored to file %s.\n", opt_master_key_file);
+ goto out;
+ }
 log_std("MK dump:\t");
 for(i = 0; i < vk_size; i++) {
diff --git a/src/cryptsetup.h b/src/cryptsetup.h
index 125a3ac7..23930dec 100644
--- a/src/cryptsetup.h
+++ b/src/cryptsetup.h
@@ -43,6 +43,7 @@
 #include "lib/utils_crypt.h"
 #include "lib/utils_loop.h"
 #include "lib/utils_fips.h"
+#include "lib/utils_io.h"
 #include "libcryptsetup.h"
@@ -99,6 +100,7 @@ void tools_time_progress(uint64_t device_size, uint64_t bytes,
 int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
 int tools_read_mk(const char *file, char **key, int keysize);
+int tools_write_mk(const char *file, const char *key, int keysize);
 /* Log */
 #define log_dbg(x...) clogger(NULL, CRYPT_LOG_DEBUG, __FILE__, __LINE__, x)
diff --git a/src/utils_password.c b/src/utils_password.c
index c0d5a1f8..065849bd 100644
--- a/src/utils_password.c
+++ b/src/utils_password.c
@@ -329,3 +329,22 @@ fail:
 *key = NULL;
 return -EINVAL;
 }
+
+int tools_write_mk(const char *file, const char *key, int keysize)
+{
+ int fd, r = -EINVAL;
+
+ fd = open(file, O_WRONLY);
+ if (fd < 0) {
+ log_err(_("Cannot open keyfile %s for write.\n"), file);
+ return r;
+ }
+
+ if (write_buffer(fd, key, keysize) == keysize)
+ r = 0;
+ else
+ log_err(_("Cannot write to keyfile %s.\n"), file);
+
+ close(fd);
+ return r;
+}
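Review bot: `open(file, O_WRONLY)` in the new tools_write_mk neither creates the output file nor controls its mode, so the call fails unless the user pre-creates the file, and a pre-existing file receives the LUKS master key with whatever permissions and trailing bytes it already has (there is no O_TRUNC either). Opening it as `fd = open(file, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);` creates an owner-only file and refuses to write into an existing path (O_CREAT|O_EXCL also fails when the path is a symlink), which is the safer default for key material; use O_TRUNC instead of O_EXCL only if overwriting is intended, and make sure `<sys/stat.h>` is in scope for the mode constants. The two log_err messages would be more useful with `strerror(errno)` appended so the user learns why the open or write failed. write_buffer is not visible here; if it can return a short count, the `== keysize` test correctly reports failure, but the error message could say that a partial key may have been left in the file. The return value of close() is also dropped, and for a file just written its failure should feed into r rather than be ignored.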