Add --external-tokens-path parameter in cryptsetup.
@@ -1234,6 +1234,12 @@ Enlarge data offset to specified value by shrinking device size.
|
||||
You cannot shrink device more than by 64 MiB (131072 sectors).
|
||||
endif::[]
|
||||
|
||||
ifdef::ACTION_RESIZE,ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_LUKSRESUME,ACTION_TOKEN[]
|
||||
*--external-tokens-path* _absolute_path_::
|
||||
Override system directory path where cryptsetup searches for external token
|
||||
handlers (or token plugins). It must be absolute path (starting with '/' character).
|
||||
endif::[]
|
||||
|
||||
ifdef::COMMON_OPTIONS[]
|
||||
*--batch-mode, -q*::
|
||||
Suppresses all confirmation questions. Use with care!
|
||||
|
||||
@@ -38,7 +38,7 @@ algorithm is always the same for all keyslots.
|
||||
--hash, --header, --disable-locks, --iter-time, --pbkdf,
|
||||
--pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type,
|
||||
--keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id,
|
||||
--token-type, --token-only, --new-token-id, --verify-passphrase].
|
||||
--token-type, --token-only, --new-token-id, --verify-passphrase, --external-tokens-path].
|
||||
|
||||
include::man/common_options.adoc[]
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ use --dump-json-metadata option.
|
||||
|
||||
*<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file,
|
||||
--keyfile-offset, --keyfile-size, --header, --disable-locks,
|
||||
--volume-key-file, --type, --unbound, --key-slot, --timeout].
|
||||
--volume-key-file, --type, --unbound, --key-slot, --timeout, --external-tokens-path].
|
||||
|
||||
*WARNING:* If --dump-volume-key is used with --key-file and the argument
|
||||
to --key-file is '-', no validation question will be asked and no
|
||||
|
||||
@@ -23,7 +23,8 @@ interactively for a passphrase if no token is usable (LUKS2 only) or
|
||||
*<options>* can be [--key-file, --keyfile-size, --keyfile-offset,
|
||||
--key-slot, --header, --disable-keyring, --disable-locks, --token-id,
|
||||
--token-only, --token-type, --disable-external-tokens, --type, --tries,
|
||||
--timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring].
|
||||
--timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring,
|
||||
--external-tokens-path].
|
||||
|
||||
include::man/common_options.adoc[]
|
||||
include::man/common_footer.adoc[]
|
||||
|
||||
@@ -78,7 +78,8 @@ matching PIN protected token.
|
||||
--volume-key-file, --token-id, --token-only, --token-type,
|
||||
--disable-external-tokens, --disable-keyring, --disable-locks, --type,
|
||||
--refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout,
|
||||
--verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring].
|
||||
--verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring,
|
||||
--external-tokens-path].
|
||||
|
||||
=== loopAES
|
||||
*open --type loopaes <device> <name> --key-file <keyfile>* +
|
||||
|
||||
@@ -36,7 +36,7 @@ keyring is used by default for LUKS2 devices.
|
||||
*<options>* can be [--size, --device-size, --token-id, --token-only,
|
||||
--token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset,
|
||||
--timeout, --disable-external-tokens, --disable-locks, --disable-keyring,
|
||||
--verify-passphrase, --timeout].
|
||||
--verify-passphrase, --timeout, --external-tokens-path].
|
||||
|
||||
include::man/common_options.adoc[]
|
||||
include::man/common_footer.adoc[]
|
||||
|
||||
@@ -49,7 +49,7 @@ replace the existing token.
|
||||
|
||||
*<options>* can be [--header, --token-id, --key-slot, --key-description,
|
||||
--disable-external-tokens, --disable-locks, --disable-keyring,
|
||||
--json-file, --token-replace, --unbound].
|
||||
--json-file, --token-replace, --unbound, --external-tokens-path].
|
||||
|
||||
include::man/common_options.adoc[]
|
||||
include::man/common_footer.adoc[]
|
||||
|
||||
@@ -878,6 +878,15 @@ static int action_resize(void)
|
||||
else if (ARG_SET(OPT_SIZE_ID))
|
||||
dev_size = ARG_UINT64(OPT_SIZE_ID);
|
||||
|
||||
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
|
||||
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
if (r < 0) {
|
||||
log_err(_("Failed to set external tokens path %s."),
|
||||
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
if (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) {
|
||||
if (ARG_SET(OPT_DISABLE_KEYRING_ID)) {
|
||||
r = -EINVAL;
|
||||
@@ -1809,6 +1818,15 @@ static int action_open_luks(void)
|
||||
|
||||
set_activation_flags(&activate_flags);
|
||||
|
||||
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
|
||||
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
if (r < 0) {
|
||||
log_err(_("Failed to set external tokens path %s."),
|
||||
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID)) {
|
||||
r = parse_vk_and_keyring_description(cd, ARG_STR(OPT_LINK_VK_TO_KEYRING_ID));
|
||||
if (r < 0)
|
||||
@@ -2056,6 +2074,15 @@ static int luksAddUnboundKey(void)
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
|
||||
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
if (r < 0) {
|
||||
log_err(_("Failed to set external tokens path %s."),
|
||||
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
r = _set_keyslot_encryption_params(cd);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
@@ -2201,6 +2228,15 @@ static int action_luksAddKey(void)
|
||||
if (r < 0)
|
||||
goto out;
|
||||
|
||||
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
|
||||
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
if (r < 0) {
|
||||
log_err(_("Failed to set external tokens path %s."),
|
||||
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
/* Never call pwquality if using null cipher */
|
||||
if (crypt_is_cipher_null(crypt_get_cipher(cd)))
|
||||
ARG_SET_TRUE(OPT_FORCE_PASSWORD_ID);
|
||||
@@ -2639,6 +2675,15 @@ static int action_luksDump(void)
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
|
||||
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
if (r < 0) {
|
||||
log_err(_("Failed to set external tokens path %s."),
|
||||
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID))
|
||||
r = luksDump_with_volume_key(cd);
|
||||
else if (ARG_SET(OPT_UNBOUND_ID))
|
||||
@@ -2712,6 +2757,15 @@ static int action_luksResume(void)
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
|
||||
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
if (r < 0) {
|
||||
log_err(_("Failed to set external tokens path %s."),
|
||||
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
/* try to resume LUKS2 device by token first */
|
||||
r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID),
|
||||
action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0,
|
||||
@@ -3230,6 +3284,16 @@ static int action_token(void)
|
||||
return r;
|
||||
}
|
||||
|
||||
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
|
||||
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
if (r < 0) {
|
||||
log_err(_("Failed to set external tokens path %s."),
|
||||
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
|
||||
crypt_free(cd);
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
r = -EINVAL;
|
||||
|
||||
if (!strcmp(action_argv[0], "add")) {
|
||||
|
||||
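Review bot: The same seven-line `if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) { … }` block is pasted into action_resize, action_open_luks, luksAddUnboundKey, action_luksAddKey, action_luksDump, action_luksResume and action_token, differing only in the cleanup path (`goto out` versus `crypt_free(cd); return r;` in action_token). A small static helper that does the ARG_SET check, the crypt_token_set_external_path() call and the log_err() would reduce each call site to `r = _set_external_tokens_path(); if (r < 0) goto out;` and keep the message text in one place. The message only says the call failed; since the man page text in this commit requires an absolute path, reporting the returned error code, or checking `*path != '/'` before the call with its own message, would tell the user why. Because this directory is where token handler plugins are searched for, a short comment on the helper stating that its contents must be trusted by whoever runs the action is worth adding. Every enclosing action function starts and ends outside its hunk.
```c
/* Honour --external-tokens-path: the directory cryptsetup searches for external
 * token handler plugins, so its contents must be trusted by the caller.
 * Returns 0 when the option is unset or accepted, <0 on error (already logged). */
static int _set_external_tokens_path(void)
{
	const char *path;
	int r;

	if (!ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID))
		return 0;

	path = ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID);
	r = crypt_token_set_external_path(path);
	if (r < 0)
		log_err(_("Failed to set external tokens path %s."), path);

	return r;
}

/* … unchanged: each action body up to the point where the option was applied … */
	r = _set_external_tokens_path();
	if (r < 0)
		goto out;
```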
@@ -59,6 +59,8 @@ ARG(OPT_DUMP_VOLUME_KEY, '\0', POPT_ARG_NONE, N_("Dump volume key instead of key
|
||||
|
||||
ARG(OPT_ENCRYPT, '\0', POPT_ARG_NONE, N_("Encrypt LUKS2 device (in-place encryption)"), NULL, CRYPT_ARG_BOOL, {}, {})
|
||||
|
||||
ARG(OPT_EXTERNAL_TOKENS_PATH, '\0', POPT_ARG_STRING, N_("Path to directory with external token handlers (plugins)."), NULL, CRYPT_ARG_STRING, {}, OPT_EXTERNAL_TOKENS_PATH_ACTIONS)
|
||||
|
||||
ARG(OPT_FORCE_PASSWORD, '\0', POPT_ARG_NONE, N_("Disable password quality check (if enabled)"), NULL, CRYPT_ARG_BOOL, {}, {})
|
||||
|
||||
ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection"), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS)
|
||||
|
||||
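Review bot: The help string on the new `ARG(OPT_EXTERNAL_TOKENS_PATH, …)` line ends with a period, unlike the neighbouring entries (`"Encrypt LUKS2 device (in-place encryption)"`, `"Disable password quality check (if enabled)"`), and it omits the absolute-path requirement that the man page text in this commit states. `N_("Path to directory with external token handlers (plugins), must be absolute")` would match the surrounding style and let the option help show the constraint.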
@@ -61,6 +61,7 @@
|
||||
#define OPT_DISABLE_BLKID_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
|
||||
#define OPT_DISABLE_VERACRYPT_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
|
||||
#define OPT_ERASE_ACTIONS { ERASE_ACTION }
|
||||
#define OPT_EXTERNAL_TOKENS_PATH_ACTIONS { RESIZE_ACTION, OPEN_ACTION, ADDKEY_ACTION, LUKSDUMP_ACTION, RESUME_ACTION, TOKEN_ACTION }
|
||||
#define OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS { REENCRYPT_ACTION }
|
||||
#define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION }
|
||||
#define OPT_HW_OPAL_ACTIONS { FORMAT_ACTION }
|
||||
|
||||
@@ -50,6 +50,7 @@
|
||||
#define OPT_DUMP_MASTER_KEY "dump-master-key"
|
||||
#define OPT_DUMP_VOLUME_KEY "dump-volume-key"
|
||||
#define OPT_ENCRYPT "encrypt"
|
||||
#define OPT_EXTERNAL_TOKENS_PATH "external-tokens-path"
|
||||
#define OPT_FEC_DEVICE "fec-device"
|
||||
#define OPT_FEC_OFFSET "fec-offset"
|
||||
#define OPT_FEC_ROOTS "fec-roots"
|
||||
|
||||