diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index 11c746d1..851b9d19 100644
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -161,7 +161,7 @@ above in LUKS2 metadata (only after successful refresh operation).
 in dm-crypt driver.
 .PP
-\fIreencrypt\fR or --active-name
+\fIreencrypt\fR or --active-name []
 .IP
 Run resilient reencryption (LUKS2 device only).
@@ -191,6 +191,10 @@ If the reencryption process was interrupted abruptly (reencryption process crash
 it may require recovery. The recovery is currently run automatically on next activation (action \fIopen\fR) when needed.
+Optional parameter takes effect only with \-\-encrypt option and it activates device
+immediately after encryption initialization gets finished. That's useful when device needs to be ready
+as soon as possible and mounted (used) before full data area encryption is completed.
+
 Action supports following additional \fB\fR [\-\-encrypt, \-\-decrypt, \-\-device\-size, \-\-resilience, \-\-resilience-hash, \-\-hotzone-size, \-\-init\-only, \-\-resume\-only, \-\-reduce\-device\-size].
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 7e9d6677..014c154f 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -2591,11 +2591,12 @@ static int action_reencrypt_load(struct crypt_device *cd)
 
 static int action_encrypt_luks2(struct crypt_device **cd)
 {
- const char *type;
+ const char *type, *activated_name = NULL;
 int keyslot, r, fd;
 uuid_t uuid;
 size_t passwordLen;
 char *msg, uuid_str[37], header_file[PATH_MAX] = { 0 }, *password = NULL;
+ uint32_t activate_flags = 0;
 const struct crypt_params_luks2 luks2_params = {
 .sector_size = opt_sector_size ?: SECTOR_SIZE
 };
@@ -2729,6 +2730,7 @@ static int action_encrypt_luks2(struct crypt_device **cd)
 goto err;
 }
 
+ /* Restore temporary header in head of data device */
 if (*header_file) {
 crypt_free(*cd);
 *cd = NULL;
@@ -2743,10 +2745,22 @@ static int action_encrypt_luks2(struct crypt_device **cd)
 }
 }
 
+ /* activate device */
+ if (action_argc > 1) {
+ activated_name = action_argv[1];
+ _set_activation_flags(&activate_flags);
+ r = crypt_activate_by_passphrase(*cd, activated_name, opt_key_slot, password, passwordLen, activate_flags);
+ if (r >= 0)
+ log_std(_("%s/%s is now active.\n"), crypt_get_dir(), activated_name);
+ }
+
+ if (r < 0)
+ goto err;
+
 /* just load reencryption context to continue reencryption */
- if (r >= 0 && !opt_reencrypt_init_only) {
+ if (!opt_reencrypt_init_only) {
 params.flags &= ~CRYPT_REENCRYPT_INITIALIZE_ONLY;
- r = crypt_reencrypt_init_by_passphrase(*cd, NULL, password, passwordLen,
+ r = crypt_reencrypt_init_by_passphrase(*cd, activated_name, password, passwordLen,
 CRYPT_ANY_SLOT, keyslot, NULL, NULL, ¶ms);
 }
 err:
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index 5062ccf3..832544d8 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
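Review bot: When `crypt_reencrypt_init_by_passphrase` fails after the new activation block succeeded, control reaches `err:` with the device still mapped under `activated_name`, so a non-zero exit leaves a live mapping behind; the body of `err:` continues outside the hunk, so I cannot see whether anything deactivates it there. If that is intended (the device is consistently initialized and the user can continue with --resume-only), the `/* activate device */` comment should say so; otherwise tear the mapping down right after the init call, e.g. `if (r < 0 && activated_name) crypt_deactivate(*cd, activated_name);`, so the --init-only path (which deliberately returns with the device active) is unaffected. The comment could also state the ordering constraint, e.g. `/* Activate the device before loading the reencryption context so the mapping is usable while the data area is still being encrypted. */`. The enclosing action_encrypt_luks2() starts and ends outside this hunk.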
@@ -823,6 +823,26 @@ check_hash $PWD1 $HASH6 $IMG_HDR
 $CRYPTSETUP luksHeaderRestore --header-backup-file $IMG_HDR $DEV -q || fail
 check_hash $PWD1 $HASH6
 
+# Device activation after encryption initialization
+wipe_dev $DEV
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH5
+echo $PWD1 | $CRYPTSETUP reencrypt --resume-only $DEV -q || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH5
+
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP close $DEV_NAME
+check_hash_head $PWD1 $((56*1024*2)) $HASH5
+
+# Device activation using key file
+wipe_dev $DEV
+echo -n $PWD1 > $KEY1
+$CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+$CRYPTSETUP close $DEV_NAME
+echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
+
 echo "[3] Encryption with detached header"
 preparebig 256
 wipe_dev $DEV
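Review bot: Both `$CRYPTSETUP close $DEV_NAME` lines are the only commands in the new block whose result is not checked, so a close failure (for example the mapping still being busy) would go unnoticed and the following `check_hash_head`, `open --test-passphrase` and the next `wipe_dev $DEV` would run while the device is still mapped. Writing `$CRYPTSETUP close $DEV_NAME || fail` keeps the block consistent with every other command in the script. The same applies to the two `close` lines in the hunk at @@ -838,6 +858,25 @@.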
@@ -838,6 +858,25 @@ wipe_dev $DEV
 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
 check_hash $PWD1 $HASH3 $IMG_HDR
 
+# Device activation after encryption initialization
+wipe_dev $DEV
+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH3
+echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --header $IMG_HDR --active-name $DEV_NAME -q || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH3
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP close $DEV_NAME
+check_hash $PWD1 $HASH3 $IMG_HDR
+
+# Device activation using key file
+wipe_dev $DEV
+echo -n $PWD1 > $KEY1
+$CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+$CRYPTSETUP close $DEV_NAME
+echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
+
 echo "[4] Reencryption with detached header"
 wipe $PWD1 $IMG_HDR
 echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail