diff --git a/man/cryptsetup.8 b/man/cryptsetup.8 index 9927bf30..b69fbd94 100644 --- a/man/cryptsetup.8 +++ b/man/cryptsetup.8 @@ -1342,6 +1342,16 @@ with the \-\-header option. Use with care. .B "\-\-header\-backup\-file " Specify file with header backup for \fIluksHeaderBackup\fR or \fIluksHeaderRestore\fR actions. +.TP +.B "\-\-force\-offline\-reencrypt" +Bypass active device auto-detection and enforce offline LUKS2 reencryption. + +This option is useful in case active device auto-detection on particular data +device does not work or report errors. + +\fBWARNING:\fR Use with extreme caution! This may destroy data +if the device is activated and/or actively used. + .TP .B "\-\-force\-password" Do not use password quality checking for new LUKS passwords. diff --git a/src/cryptsetup.c b/src/cryptsetup.c index 6c751f8e..0cd82df0 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -2787,6 +2787,9 @@ static const char *verify_reencrypt(void) if (isLUKS1(luksType(device_type)) && ARG_SET(OPT_ACTIVE_NAME_ID)) return _("Option --active-name can be set only for LUKS2 device."); + if (ARG_SET(OPT_ACTIVE_NAME_ID) && ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID)) + return _("Options --active-name and --force-offline-reencrypt cannot be combined."); + return NULL; } diff --git a/src/cryptsetup_arg_list.h b/src/cryptsetup_arg_list.h index e6daf550..b0b8e50d 100644 --- a/src/cryptsetup_arg_list.h +++ b/src/cryptsetup_arg_list.h @@ -59,6 +59,8 @@ ARG(OPT_ENCRYPT, '\0', POPT_ARG_NONE, N_("Encrypt LUKS2 device (in-place encrypt ARG(OPT_FORCE_PASSWORD, '\0', POPT_ARG_NONE, N_("Disable password quality check (if enabled)"), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection."), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS) + ARG(OPT_HASH, 'h', POPT_ARG_STRING, N_("The hash used to create the encryption key from the passphrase"), NULL, CRYPT_ARG_STRING, {}, {}) ARG(OPT_HEADER, '\0', POPT_ARG_STRING, N_("Device or file with separated LUKS header"), NULL, CRYPT_ARG_STRING, {}, {}) diff --git a/src/cryptsetup_args.h b/src/cryptsetup_args.h index abcc5d7f..1b0c56be 100644 --- a/src/cryptsetup_args.h +++ b/src/cryptsetup_args.h @@ -59,6 +59,7 @@ #define OPT_DEVICE_SIZE_ACTIONS { OPEN_ACTION, RESIZE_ACTION, REENCRYPT_ACTION } #define OPT_DISABLE_VERACRYPT_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } #define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION } +#define OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS { REENCRYPT_ACTION } #define OPT_INTEGRITY_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_INTEGRITY_NO_WIPE_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_ITER_TIME_ACTIONS { BENCHMARK_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION } diff --git a/src/utils_arg_names.h b/src/utils_arg_names.h index d129bf64..81b868cc 100644 --- a/src/utils_arg_names.h +++ b/src/utils_arg_names.h @@ -53,6 +53,7 @@ #define OPT_FEC_OFFSET "fec-offset" #define OPT_FEC_ROOTS "fec-roots" #define OPT_FORCE_PASSWORD "force-password" +#define OPT_FORCE_OFFLINE_REENCRYPT "force-offline-reencrypt" #define OPT_FORMAT "format" #define OPT_HASH "hash" #define OPT_HASH_BLOCK_SIZE "hash-block-size" diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c index 42e2842e..c01f048d 100644 --- a/src/utils_reencrypt.c +++ b/src/utils_reencrypt.c @@ -126,7 +126,7 @@ static int reencrypt_get_active_name(struct crypt_device *cd, const char *data_d assert(cd); assert(r_active_name); - if (ARG_SET(OPT_INIT_ONLY_ID)) { + if (ARG_SET(OPT_INIT_ONLY_ID) || ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID)) { *r_active_name = NULL; return 0; } @@ -870,6 +870,9 @@ static int reencrypt_luks2_resume(struct crypt_device *cd) .device = tools_get_device_name(crypt_get_device_name(cd), &backing_file) }; + if (ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID) && !ARG_SET(OPT_BATCH_MODE_ID)) + log_std(_("Resuming LUKS reencryption in forced offline mode.\n")); + set_int_handler(0); r = crypt_reencrypt_run(cd, tools_progress, &prog_parms); free(backing_file); diff --git a/tests/luks2-reencryption-mangle-test b/tests/luks2-reencryption-mangle-test index 1f4f1387..3e6ab69b 100755 --- a/tests/luks2-reencryption-mangle-test +++ b/tests/luks2-reencryption-mangle-test @@ -155,37 +155,12 @@ function img_check_fail() function img_run_reenc_ok() { -local EXPECT_TIMEOUT=60 -# For now, we cannot run reencryption in batch mode for non-block device. Just fake the terminal here. -expect_run - >/dev/null </dev/null </dev/null && fail "Reencryption passed (should have failed)." img_hash_unchanged } @@ -218,18 +193,11 @@ function valgrind_run() INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" } -function expect_run() -{ - export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" - expect "$@" -} - [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." bin_check jq bin_check sha256sum bin_check xxd -bin_check expect export LANG=C