eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-22 08:10:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow to use --header option in all LUKS commands.

Browse Source 
The --header always takes precedence over positional device argument.

Also allow specify UUID= for luksSuspend and luksResume if used with
detached header.
This commit is contained in:
Milan Broz
2015-01-26 12:50:18 +01:00
parent c13a8003fa
commit 62b0138dad
3 changed files with 41 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
man/cryptsetup.8
View File

@@ -160,6 +160,14 @@ Key operations that do not specify a slot affect the first slot
that matches the supplied passphrase or the first empty slot if that matches the supplied passphrase or the first empty slot if
a new passphrase is added. a new passphrase is added.
The \fB<device>\fR parameter can be also specified by a LUKS UUID in the
format UUID=<uuid>. Translation to real device name uses symlinks
in /dev/disk/by-uuid directory.
To specify a detached header, the \fB\-\-header\fR parameter can be used
in all LUKS commands and always takes precedence over positional \fB<device>\fR
parameter.
The following are valid LUKS actions: The following are valid LUKS actions:
\fIluksFormat\fR <device> [<key file>] \fIluksFormat\fR <device> [<key file>]
@@ -196,9 +204,6 @@ successful verification of the supplied passphrase.
If the passphrase is not supplied via \-\-key-file, the command If the passphrase is not supplied via \-\-key-file, the command
prompts for it interactively. prompts for it interactively.
The <device> parameter can be also specified by LUKS UUID in the
format UUID=<uuid>, which uses the symlinks in /dev/disk/by-uuid.
\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
\-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
\-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file]. \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file].
@@ -235,7 +240,7 @@ or read from the file given as positional argument.
\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
\-\-keyfile\-size, \-\-new\-keyfile\-offset, \-\-keyfile\-size, \-\-new\-keyfile\-offset,
\-\-new\-keyfile\-size, \-\-key\-slot, \-\-master\-key\-file, \-\-new\-keyfile\-size, \-\-key\-slot, \-\-master\-key\-file,
\-\-iter\-time, \-\-force\-password]. \-\-iter\-time, \-\-force\-password, \-\-header].
.PP .PP
\fIluksRemoveKey\fR <device> [<key file with passphrase to be removed>] \fIluksRemoveKey\fR <device> [<key file with passphrase to be removed>]
.IP .IP
@@ -244,7 +249,7 @@ passphrase to be removed can be specified interactively,
as positional argument or via \-\-key-file. as positional argument or via \-\-key-file.
\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
\-\-keyfile\-size] \-\-keyfile\-size, \-\-header]
\fBWARNING:\fR If you read the passphrase from stdin \fBWARNING:\fR If you read the passphrase from stdin
(without further argument or with '-' as argument (without further argument or with '-' as argument
@@ -277,7 +282,7 @@ inaccessible.
\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
\-\-keyfile\-size, \-\-new\-keyfile\-offset, \-\-keyfile\-size, \-\-new\-keyfile\-offset,
\-\-new\-keyfile\-size, \-\-key\-slot, \-\-force\-password]. \-\-new\-keyfile\-size, \-\-key\-slot, \-\-force\-password, \-\-header].
.PP .PP
\fIluksKillSlot\fR <device> <key slot number> \fIluksKillSlot\fR <device> <key slot number>
.IP .IP
@@ -288,7 +293,7 @@ an interactive confirmation when doing so. Removing the last
passphrase makes a LUKS container permanently inaccessible. passphrase makes a LUKS container permanently inaccessible.
\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
\-\-keyfile\-size]. \-\-keyfile\-size, \-\-header].
\fBWARNING:\fR If you read the passphrase from stdin \fBWARNING:\fR If you read the passphrase from stdin
(without further argument or with '-' as argument (without further argument or with '-' as argument
@@ -334,7 +339,7 @@ In order to dump the master key, a passphrase has to be supplied,
either interactively or via \-\-key\-file. either interactively or via \-\-key\-file.
\fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file, \fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
\-\-keyfile\-offset, \-\-keyfile\-size]. \-\-keyfile\-offset, \-\-keyfile\-size, \-\-header].
\fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file \fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file
and the argument to \-\-key\-file is '-', no validation question and the argument to \-\-key\-file is '-', no validation question
@@ -1026,7 +1031,7 @@ Copyright \(co 2004-2006 Clemens Fruhwirth
.br .br
Copyright \(co 2009-2012 Red Hat, Inc. Copyright \(co 2009-2012 Red Hat, Inc.
.br .br
Copyright \(co 2009-2014 Milan Broz Copyright \(co 2009-2015 Milan Broz
.br .br
Copyright \(co 2012-2014 Arno Wagner Copyright \(co 2012-2014 Arno Wagner

44
src/cryptsetup.c
View File

@@ -4,7 +4,7 @@
* Copyright (C) 2004, Jana Saout <jana@saout.de> * Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org> * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved. * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2014, Milan Broz * Copyright (C) 2009-2015, Milan Broz
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License * modify it under the terms of the GNU General Public License
@@ -66,6 +66,14 @@ static const char **action_argv;
static int action_argc; static int action_argc;
static const char *null_action_argv[] = {NULL, NULL}; static const char *null_action_argv[] = {NULL, NULL};
static const char *uuid_or_device_header(const char **data_device)
{
if (data_device)
*data_device = opt_header_device ? action_argv[0] : NULL;
return uuid_or_device(opt_header_device ?: action_argv[0]);
}
static int _verify_passphrase(int def) static int _verify_passphrase(int def)
{ {
/* Batch mode switch off verify - if not overrided by -y */ /* Batch mode switch off verify - if not overrided by -y */
@@ -733,13 +741,7 @@ static int action_open_luks(void)
uint32_t flags = 0; uint32_t flags = 0;
int r, keysize; int r, keysize;
if (opt_header_device) { header_device = uuid_or_device_header(&data_device);
header_device = uuid_or_device(opt_header_device);
data_device = action_argv[0];
} else {
header_device = uuid_or_device(action_argv[0]);
data_device = NULL;
}
activated_name = opt_test_passphrase ? NULL : action_argv[1]; activated_name = opt_test_passphrase ? NULL : action_argv[1];
@@ -843,7 +845,7 @@ static int action_luksKillSlot(void)
struct crypt_device *cd = NULL; struct crypt_device *cd = NULL;
int r; int r;
if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
goto out; goto out;
crypt_set_confirm_callback(cd, yesDialog, NULL); crypt_set_confirm_callback(cd, yesDialog, NULL);
@@ -886,7 +888,7 @@ static int action_luksRemoveKey(void)
size_t passwordLen; size_t passwordLen;
int r; int r;
if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
goto out; goto out;
crypt_set_confirm_callback(cd, yesDialog, NULL); crypt_set_confirm_callback(cd, yesDialog, NULL);
@@ -937,7 +939,7 @@ static int action_luksAddKey(void)
size_t password_size = 0, password_new_size = 0; size_t password_size = 0, password_new_size = 0;
struct crypt_device *cd = NULL; struct crypt_device *cd = NULL;
if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
goto out; goto out;
crypt_set_confirm_callback(cd, yesDialog, NULL); crypt_set_confirm_callback(cd, yesDialog, NULL);
@@ -1004,7 +1006,7 @@ static int action_luksChangeKey(void)
size_t password_size = 0, password_new_size = 0; size_t password_size = 0, password_new_size = 0;
int r; int r;
if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
goto out; goto out;
if ((r = crypt_load(cd, CRYPT_LUKS1, NULL))) if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
@@ -1055,7 +1057,7 @@ static int action_isLuks(void)
return -ENODEV; return -ENODEV;
} }
if ((r = crypt_init(&cd, action_argv[0]))) if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
goto out; goto out;
crypt_set_log_callback(cd, quiet_log, NULL); crypt_set_log_callback(cd, quiet_log, NULL);
@@ -1071,7 +1073,7 @@ static int action_luksUUID(void)
const char *existing_uuid = NULL; const char *existing_uuid = NULL;
int r; int r;
if ((r = crypt_init(&cd, action_argv[0]))) if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
goto out; goto out;
crypt_set_confirm_callback(cd, yesDialog, NULL); crypt_set_confirm_callback(cd, yesDialog, NULL);
@@ -1150,7 +1152,7 @@ static int action_luksDump(void)
struct crypt_device *cd = NULL; struct crypt_device *cd = NULL;
int r; int r;
if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
goto out; goto out;
if ((r = crypt_load(cd, CRYPT_LUKS1, NULL))) if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
@@ -1170,7 +1172,7 @@ static int action_luksSuspend(void)
struct crypt_device *cd = NULL; struct crypt_device *cd = NULL;
int r; int r;
r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device); r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(opt_header_device));
if (!r) if (!r)
r = crypt_suspend(cd, action_argv[0]); r = crypt_suspend(cd, action_argv[0]);
@@ -1183,7 +1185,7 @@ static int action_luksResume(void)
struct crypt_device *cd = NULL; struct crypt_device *cd = NULL;
int r; int r;
if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device))) if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(opt_header_device))))
goto out; goto out;
crypt_set_timeout(cd, opt_timeout); crypt_set_timeout(cd, opt_timeout);
@@ -1211,7 +1213,7 @@ static int action_luksBackup(void)
return -EINVAL; return -EINVAL;
} }
if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
goto out; goto out;
crypt_set_confirm_callback(cd, yesDialog, NULL); crypt_set_confirm_callback(cd, yesDialog, NULL);
@@ -1232,7 +1234,7 @@ static int action_luksRestore(void)
return -EINVAL; return -EINVAL;
} }
if ((r = crypt_init(&cd, action_argv[0]))) if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
goto out; goto out;
crypt_set_confirm_callback(cd, yesDialog, NULL); crypt_set_confirm_callback(cd, yesDialog, NULL);
@@ -1279,7 +1281,7 @@ static int action_luksErase(void)
char *msg = NULL; char *msg = NULL;
int i, r; int i, r;
if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
goto out; goto out;
crypt_set_confirm_callback(cd, yesDialog, NULL); crypt_set_confirm_callback(cd, yesDialog, NULL);
@@ -1289,7 +1291,7 @@ static int action_luksErase(void)
if(asprintf(&msg, _("This operation will erase all keyslots on device %s.\n" if(asprintf(&msg, _("This operation will erase all keyslots on device %s.\n"
"Device will become unusable after this operation."), "Device will become unusable after this operation."),
uuid_or_device(action_argv[0])) == -1) { uuid_or_device_header(NULL)) == -1) {
r = -ENOMEM; r = -ENOMEM;
goto out; goto out;
} }

4
tests/compat-test
View File

@@ -538,6 +538,10 @@ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail $CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
$CRYPTSETUP luksClose $DEV_NAME || fail $CRYPTSETUP luksClose $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksAddKey -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail
$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: ENABLED" || fail
$CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: DISABLED" || fail
prepare "[29] Repair metadata" wipe prepare "[29] Repair metadata" wipe
$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY1 --key-slot 0 || fail $CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY1 --key-slot 0 || fail