Allow LUKS2 device activation after encryption initialization.

It may be useful to activate device right after LUKS2 encryption
is initialized:

device is ready to use immediately even if data encryption runs in
the background for a long time

It simplifies encryption initialization during reboot.

man/cryptsetup.8

@@ -161,7 +161,7 @@ above in LUKS2 metadata (only after successful refresh operation).
 in dm-crypt driver.
 
 .PP
-\fIreencrypt\fR <device> or --active-name <name>
+\fIreencrypt\fR <device> or --active-name <name> [<new_name>]
 .IP
 Run resilient reencryption (LUKS2 device only).
 
@@ -191,6 +191,10 @@ If the reencryption process was interrupted abruptly (reencryption process crash
 it may require recovery. The recovery is currently run automatically on next activation (action \fIopen\fR)
 when needed.
 
+Optional parameter <new_name> takes effect only with \-\-encrypt option and it activates device <new_name>
+immediately after encryption initialization gets finished. That's useful when device needs to be ready
+as soon as possible and mounted (used) before full data area encryption is completed.
+
 Action supports following additional \fB<options>\fR [\-\-encrypt, \-\-decrypt, \-\-device\-size,
 \-\-resilience, \-\-resilience-hash, \-\-hotzone-size, \-\-init\-only, \-\-resume\-only,
 \-\-reduce\-device\-size].

src/cryptsetup.c

@@ -2591,11 +2591,12 @@ static int action_reencrypt_load(struct crypt_device *cd)
 
 static int action_encrypt_luks2(struct crypt_device **cd)
 {
-	const char *type;
+	const char *type, *activated_name = NULL;
 	int keyslot, r, fd;
 	uuid_t uuid;
 	size_t passwordLen;
 	char *msg, uuid_str[37], header_file[PATH_MAX] = { 0 }, *password = NULL;
+	uint32_t activate_flags = 0;
 	const struct crypt_params_luks2 luks2_params = {
 		.sector_size = opt_sector_size ?: SECTOR_SIZE
 	};
@@ -2729,6 +2730,7 @@ static int action_encrypt_luks2(struct crypt_device **cd)
 		goto err;
 	}
 
+	/* Restore temporary header in head of data device */
 	if (*header_file) {
 		crypt_free(*cd);
 		*cd = NULL;
@@ -2743,10 +2745,22 @@ static int action_encrypt_luks2(struct crypt_device **cd)
 		}
 	}
 
+	/* activate device */
+	if (action_argc > 1) {
+		activated_name = action_argv[1];
+		_set_activation_flags(&activate_flags);
+		r = crypt_activate_by_passphrase(*cd, activated_name, opt_key_slot, password, passwordLen, activate_flags);
+		if (r >= 0)
+			log_std(_("%s/%s is now active.\n"), crypt_get_dir(), activated_name);
+	}
+
+	if (r < 0)
+		goto err;
+
 	/* just load reencryption context to continue reencryption */
-	if (r >= 0 && !opt_reencrypt_init_only) {
+	if (!opt_reencrypt_init_only) {
 		params.flags &= ~CRYPT_REENCRYPT_INITIALIZE_ONLY;
-		r = crypt_reencrypt_init_by_passphrase(*cd, NULL, password, passwordLen,
+		r = crypt_reencrypt_init_by_passphrase(*cd, activated_name, password, passwordLen,
 				CRYPT_ANY_SLOT, keyslot, NULL, NULL, &params);
 	}
 err:

tests/luks2-reencryption-test

@@ -823,6 +823,26 @@ check_hash $PWD1 $HASH6 $IMG_HDR
 $CRYPTSETUP luksHeaderRestore --header-backup-file $IMG_HDR $DEV -q || fail
 check_hash $PWD1 $HASH6
 
+# Device activation after encryption initialization
+wipe_dev $DEV
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH5
+echo $PWD1 | $CRYPTSETUP reencrypt --resume-only $DEV -q || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH5
+
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP close $DEV_NAME
+check_hash_head $PWD1 $((56*1024*2)) $HASH5
+
+# Device activation using key file
+wipe_dev $DEV
+echo -n $PWD1 > $KEY1
+$CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+$CRYPTSETUP close $DEV_NAME
+echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
+
 echo "[3] Encryption with detached header"
 preparebig 256
 wipe_dev $DEV
@@ -838,6 +858,25 @@ wipe_dev $DEV
 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
 check_hash $PWD1 $HASH3 $IMG_HDR
 
+# Device activation after encryption initialization
+wipe_dev $DEV
+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH3
+echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --header $IMG_HDR --active-name $DEV_NAME -q || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH3
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP close $DEV_NAME
+check_hash $PWD1 $HASH3 $IMG_HDR
+
+# Device activation using key file
+wipe_dev $DEV
+echo -n $PWD1 > $KEY1
+$CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+$CRYPTSETUP close $DEV_NAME
+echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
+
 echo "[4] Reencryption with detached header"
 wipe $PWD1 $IMG_HDR
 echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail