Allow LUKS2 device activation after encryption initialization.

It may be useful to activate the device right after LUKS2 encryption
is initialized:

- The device is ready to use immediately, even if data encryption runs in
  the background for a long time.

- It simplifies encryption initialization during reboot.
Ondrej Kozina
2019-09-10 14:47:41 +02:00
parent 630e336ea0
commit 5f2e8d6062
3 changed files with 61 additions and 4 deletions


@@ -161,7 +161,7 @@ above in LUKS2 metadata (only after successful refresh operation).
in dm-crypt driver. in dm-crypt driver.
.PP .PP
\fIreencrypt\fR <device> or --active-name <name> \fIreencrypt\fR <device> or --active-name <name> [<new_name>]
.IP .IP
Run resilient reencryption (LUKS2 device only). Run resilient reencryption (LUKS2 device only).
@@ -191,6 +191,10 @@ If the reencryption process was interrupted abruptly (reencryption process crash
it may require recovery. The recovery is currently run automatically on next activation (action \fIopen\fR) it may require recovery. The recovery is currently run automatically on next activation (action \fIopen\fR)
when needed. when needed.
Optional parameter <new_name> takes effect only with \-\-encrypt option and it activates device <new_name>
immediately after encryption initialization gets finished. That's useful when device needs to be ready
as soon as possible and mounted (used) before full data area encryption is completed.
Action supports following additional \fB<options>\fR [\-\-encrypt, \-\-decrypt, \-\-device\-size, Action supports following additional \fB<options>\fR [\-\-encrypt, \-\-decrypt, \-\-device\-size,
\-\-resilience, \-\-resilience-hash, \-\-hotzone-size, \-\-init\-only, \-\-resume\-only, \-\-resilience, \-\-resilience-hash, \-\-hotzone-size, \-\-init\-only, \-\-resume\-only,
\-\-reduce\-device\-size]. \-\-reduce\-device\-size].


@@ -2591,11 +2591,12 @@ static int action_reencrypt_load(struct crypt_device *cd)
static int action_encrypt_luks2(struct crypt_device **cd) static int action_encrypt_luks2(struct crypt_device **cd)
{ {
const char *type; const char *type, *activated_name = NULL;
int keyslot, r, fd; int keyslot, r, fd;
uuid_t uuid; uuid_t uuid;
size_t passwordLen; size_t passwordLen;
char *msg, uuid_str[37], header_file[PATH_MAX] = { 0 }, *password = NULL; char *msg, uuid_str[37], header_file[PATH_MAX] = { 0 }, *password = NULL;
uint32_t activate_flags = 0;
const struct crypt_params_luks2 luks2_params = { const struct crypt_params_luks2 luks2_params = {
.sector_size = opt_sector_size ?: SECTOR_SIZE .sector_size = opt_sector_size ?: SECTOR_SIZE
}; };
@@ -2729,6 +2730,7 @@ static int action_encrypt_luks2(struct crypt_device **cd)
goto err; goto err;
} }
/* Restore temporary header in head of data device */
if (*header_file) { if (*header_file) {
crypt_free(*cd); crypt_free(*cd);
*cd = NULL; *cd = NULL;
@@ -2743,10 +2745,22 @@ static int action_encrypt_luks2(struct crypt_device **cd)
} }
} }
/* activate device */
if (action_argc > 1) {
activated_name = action_argv[1];
_set_activation_flags(&activate_flags);
r = crypt_activate_by_passphrase(*cd, activated_name, opt_key_slot, password, passwordLen, activate_flags);
if (r >= 0)
log_std(_("%s/%s is now active.\n"), crypt_get_dir(), activated_name);
}
if (r < 0)
goto err;
/* just load reencryption context to continue reencryption */ /* just load reencryption context to continue reencryption */
if (r >= 0 && !opt_reencrypt_init_only) { if (!opt_reencrypt_init_only) {
params.flags &= ~CRYPT_REENCRYPT_INITIALIZE_ONLY; params.flags &= ~CRYPT_REENCRYPT_INITIALIZE_ONLY;
r = crypt_reencrypt_init_by_passphrase(*cd, NULL, password, passwordLen, r = crypt_reencrypt_init_by_passphrase(*cd, activated_name, password, passwordLen,
CRYPT_ANY_SLOT, keyslot, NULL, NULL, &params); CRYPT_ANY_SLOT, keyslot, NULL, NULL, &params);
} }
err: err:
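Review bot: The `/* activate device */` comment above the `action_argc > 1` block restates the call and omits the one fact a reader needs here: the mapping is created, and "is now active" is printed, while parts of the data area are still unencrypted on disk, as the man page text in this commit describes. I would replace it with `/* Optional <new_name>: activate now; parts of the data area stay unencrypted on disk until reencryption completes */`. Separately, activation is passed `opt_key_slot` while the `crypt_reencrypt_init_by_passphrase()` call below is passed the local `keyslot`; if both are meant to name the slot set up earlier in this function, passing `keyslot` to both would make that explicit, but the assignment of `keyslot` is outside the hunk, so this needs confirming. The function starts before and continues past the visible lines, including the `err:` cleanup.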


@@ -823,6 +823,26 @@ check_hash $PWD1 $HASH6 $IMG_HDR
$CRYPTSETUP luksHeaderRestore --header-backup-file $IMG_HDR $DEV -q || fail $CRYPTSETUP luksHeaderRestore --header-backup-file $IMG_HDR $DEV -q || fail
check_hash $PWD1 $HASH6 check_hash $PWD1 $HASH6
# Device activation after encryption initialization
wipe_dev $DEV
echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
check_hash_dev /dev/mapper/$DEV_NAME $HASH5
echo $PWD1 | $CRYPTSETUP reencrypt --resume-only $DEV -q || fail
check_hash_dev /dev/mapper/$DEV_NAME $HASH5
echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP close $DEV_NAME
check_hash_head $PWD1 $((56*1024*2)) $HASH5
# Device activation using key file
wipe_dev $DEV
echo -n $PWD1 > $KEY1
$CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
$CRYPTSETUP close $DEV_NAME
echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
echo "[3] Encryption with detached header" echo "[3] Encryption with detached header"
preparebig 256 preparebig 256
wipe_dev $DEV wipe_dev $DEV
@@ -838,6 +858,25 @@ wipe_dev $DEV
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
check_hash $PWD1 $HASH3 $IMG_HDR check_hash $PWD1 $HASH3 $IMG_HDR
# Device activation after encryption initialization
wipe_dev $DEV
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV $DEV_NAME >/dev/null || fail
$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
check_hash_dev /dev/mapper/$DEV_NAME $HASH3
echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --header $IMG_HDR --active-name $DEV_NAME -q || fail
check_hash_dev /dev/mapper/$DEV_NAME $HASH3
echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP close $DEV_NAME
check_hash $PWD1 $HASH3 $IMG_HDR
# Device activation using key file
wipe_dev $DEV
echo -n $PWD1 > $KEY1
$CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
$CRYPTSETUP close $DEV_NAME
echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
echo "[4] Reencryption with detached header" echo "[4] Reencryption with detached header"
wipe $PWD1 $IMG_HDR wipe $PWD1 $IMG_HDR
echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail