eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-11 10:50:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow volume key store in a file with cryptsetup.

Browse Source 
The --dump-master-key together with --master-key-file allows cryptsetup
to store the volume key to a file instead of standard output.
This commit is contained in:
Ondrej Kozina
2018-04-12 14:08:58 +02:00
committed by Milan Broz
parent 1f01754ea6
commit 0c6129c54e
5 changed files with 45 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
man/cryptsetup.8
View File

@@ -398,17 +398,19 @@ means the device is a LUKS device.
Dump the header information of a LUKS device. Dump the header information of a LUKS device.
If the \-\-dump\-master\-key option is used, the LUKS device master key is If the \-\-dump\-master\-key option is used, the LUKS device master key is
dumped instead of the keyslot info. Beware that the master key cannot be dumped instead of the keyslot info. Together with \-\-master\-key\-file option,
changed and can be used to decrypt the data stored in the LUKS container master key is dumped to a file instead of standard output. Beware that the
without a passphrase and even without the LUKS header. This means master key cannot be changed without reencryption and can be used to decrypt
that if the master key is compromised, the whole device has to be the data stored in the LUKS container without a passphrase and even without the
erased to prevent further access. Use this option carefully. LUKS header. This means that if the master key is compromised, the whole device
has to be erased to prevent further access. Use this option carefully.
To dump the master key, a passphrase has to be supplied, To dump the master key, a passphrase has to be supplied,
either interactively or via \-\-key\-file. either interactively or via \-\-key\-file.
\fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file, \fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
\-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks]. \-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks,
\-\-master\-key\-file].
\fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file \fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file
and the argument to \-\-key\-file is '-', no validation question and the argument to \-\-key\-file is '-', no validation question
@@ -794,6 +796,10 @@ LUKS header and all other parameters are the same,
then the new header decrypts the data encrypted with the then the new header decrypts the data encrypted with the
header the master key was taken from. header the master key was taken from.
Action \fIluksDump\fR together with \-\-dump\-master\-key
option: The volume (master) key is stored in a file instead of
being printed out to standard output.
\fBWARNING:\fR If you create your own master key, you \fBWARNING:\fR If you create your own master key, you
need to make sure to do it right. Otherwise, you can end need to make sure to do it right. Otherwise, you can end
up with a low-entropy or otherwise partially predictable up with a low-entropy or otherwise partially predictable

2
src/Makemodule.am
View File

@@ -4,6 +4,7 @@ if CRYPTSETUP
cryptsetup_SOURCES = \ cryptsetup_SOURCES = \
lib/utils_crypt.c \ lib/utils_crypt.c \
lib/utils_loop.c \ lib/utils_loop.c \
lib/utils_io.c \
src/utils_tools.c \ src/utils_tools.c \
src/utils_password.c \ src/utils_password.c \
src/cryptsetup.c \ src/cryptsetup.c \
@@ -91,6 +92,7 @@ endif
if REENCRYPT if REENCRYPT
cryptsetup_reencrypt_SOURCES = \ cryptsetup_reencrypt_SOURCES = \
lib/utils_crypt.c \ lib/utils_crypt.c \
lib/utils_io.c \
src/utils_tools.c \ src/utils_tools.c \
src/utils_password.c \ src/utils_password.c \
src/cryptsetup_reencrypt.c \ src/cryptsetup_reencrypt.c \

10
src/cryptsetup.c
View File

@@ -1542,12 +1542,22 @@ static int luksDump_with_volume_key(struct crypt_device *cd)
if (r < 0) if (r < 0)
goto out; goto out;
if (opt_master_key_file) {
r = tools_write_mk(opt_master_key_file, vk, vk_size);
if (r < 0)
goto out;
}
log_std("LUKS header information for %s\n", crypt_get_device_name(cd)); log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
log_std("Cipher name: \t%s\n", crypt_get_cipher(cd)); log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd)); log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd)); log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
log_std("UUID: \t%s\n", crypt_get_uuid(cd)); log_std("UUID: \t%s\n", crypt_get_uuid(cd));
log_std("MK bits: \t%d\n", (int)vk_size * 8); log_std("MK bits: \t%d\n", (int)vk_size * 8);
if (opt_master_key_file) {
log_std("Key stored to file %s.\n", opt_master_key_file);
goto out;
}
log_std("MK dump:\t"); log_std("MK dump:\t");
for(i = 0; i < vk_size; i++) { for(i = 0; i < vk_size; i++) {

2
src/cryptsetup.h
View File

@@ -43,6 +43,7 @@
#include "lib/utils_crypt.h" #include "lib/utils_crypt.h"
#include "lib/utils_loop.h" #include "lib/utils_loop.h"
#include "lib/utils_fips.h" #include "lib/utils_fips.h"
#include "lib/utils_io.h"
#include "libcryptsetup.h" #include "libcryptsetup.h"
@@ -99,6 +100,7 @@ void tools_time_progress(uint64_t device_size, uint64_t bytes,
int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr); int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
int tools_read_mk(const char *file, char **key, int keysize); int tools_read_mk(const char *file, char **key, int keysize);
int tools_write_mk(const char *file, const char *key, int keysize);
/* Log */ /* Log */
#define log_dbg(x...) clogger(NULL, CRYPT_LOG_DEBUG, __FILE__, __LINE__, x) #define log_dbg(x...) clogger(NULL, CRYPT_LOG_DEBUG, __FILE__, __LINE__, x)

19
src/utils_password.c
View File

@@ -329,3 +329,22 @@ fail:
*key = NULL; *key = NULL;
return -EINVAL; return -EINVAL;
} }
int tools_write_mk(const char *file, const char *key, int keysize)
{
int fd, r = -EINVAL;
fd = open(file, O_WRONLY);
if (fd < 0) {
log_err(_("Cannot open keyfile %s for write.\n"), file);
return r;
}
if (write_buffer(fd, key, keysize) == keysize)
r = 0;
else
log_err(_("Cannot write to keyfile %s.\n"), file);
close(fd);
return r;
}