diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index c54480ac..abc30dea 100644
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -570,8 +570,12 @@ successfully imported token is also assigned to the key slot.
 
 Action \fIexport\fR writes requested token json to a file passed with
 \-\-json\-file or to standard output.
+If \-\-token\-id is used with action \fIadd\fR or action \fIimport\fR and a token with
+that ID already exists, option \-\-token\-replace can be used to replace the existing token.
+
 \fB\fR can be [\-\-header, \-\-token\-id, \-\-key\-slot, \-\-key\-description,
-\-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring, \-\-json\-file].
+\-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring, \-\-json\-file,
+\-\-token\-replace].
 .PP
 \fIconvert\fR \-\-type
 .IP
@@ -997,6 +1001,11 @@ Read token json from a file or write token to it. See \fItoken\fR action for mor
 information. \-\-json\-file=- reads json from standard input or writes it to standard output
 respectively.
 .TP
+.TP
+.B "\-\-token\-replace"
+Replace an existing token when adding or importing a token with the \-\-token\-id
+option.
+.TP
 .B "\-\-use\-random"
 .TP
 .B "\-\-use\-urandom"
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 9cfcad2a..a8a51917 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -2622,7 +2622,7 @@ static int _token_add(struct crypt_device *cd)
 	if (token_info < CRYPT_TOKEN_INACTIVE) {
 		log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID));
 		return -EINVAL;
-	} else if (token_info > CRYPT_TOKEN_INACTIVE) {
+	} else if (token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)) {
 		log_err(_("Token %d in use."), ARG_INT32(OPT_TOKEN_ID_ID));
 		return -EINVAL;
 	}
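Review bot: The relaxed `else if` in `_token_add` lets `--token-replace` fall through for any token state above CRYPT_TOKEN_INACTIVE without a single log line, so as far as this hunk shows an in-use token is overwritten silently when the user mistypes `--token-id`; the hunk in `_token_import` at line 2679 makes the identical change and needs the same treatment. A verbose log on the replacement path, something along the lines of a "Replacing token %d." message emitted before falling through, would make the destructive action visible in the output. The compound condition also deserves a one-line comment such as `/* --token-replace deliberately allows overwriting an existing token */`, since the intent is not obvious from the boolean alone. `token_info` is computed before this hunk, so I cannot see whether `--token-replace` given without `--token-id` is rejected anywhere; if it is not, the option is a silent no-op in that combination and argument validation should flag it. Both enclosing functions start and end outside the hunk.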
@@ -2679,7 +2679,7 @@ static int _token_import(struct crypt_device *cd)
 	if (token_info < CRYPT_TOKEN_INACTIVE) {
 		log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID));
 		return -EINVAL;
-	} else if (token_info > CRYPT_TOKEN_INACTIVE) {
+	} else if (token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)) {
 		log_err(_("Token %d in use."), ARG_INT32(OPT_TOKEN_ID_ID));
 		return -EINVAL;
 	}
diff --git a/src/cryptsetup_arg_list.h b/src/cryptsetup_arg_list.h
index 491fe8f6..ae4f622f 100644
--- a/src/cryptsetup_arg_list.h
+++ b/src/cryptsetup_arg_list.h
@@ -175,6 +175,8 @@ ARG(OPT_TOKEN_ID, '\0', POPT_ARG_STRING, N_("Token number (default: any)"), "INT
 
 ARG(OPT_TOKEN_ONLY, '\0', POPT_ARG_NONE, N_("Do not ask for passphrase if activation by token fails"), NULL, CRYPT_ARG_BOOL, {}, {})
 
+ARG(OPT_TOKEN_REPLACE, '\0', POPT_ARG_NONE, N_("Replace the current token"), NULL, CRYPT_ARG_BOOL, {}, OPT_TOKEN_REPLACE_ACTIONS)
+
 ARG(OPT_TOKEN_TYPE, '\0', POPT_ARG_STRING, N_("Restrict allowed token types used to retrieve LUKS2 key"), NULL, CRYPT_ARG_STRING, {}, {})
 
 ARG(OPT_TRIES, 'T', POPT_ARG_STRING, N_("How often the input of the passphrase can be retried"), "INT", CRYPT_ARG_UINT32, { .u32_value = 3 }, {})
diff --git a/src/cryptsetup_args.h b/src/cryptsetup_args.h
index a5a4137f..5e3ec3cc 100644
--- a/src/cryptsetup_args.h
+++ b/src/cryptsetup_args.h
@@ -75,6 +75,7 @@
 #define OPT_TCRYPT_HIDDEN_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
 #define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
 #define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION }
+#define OPT_TOKEN_REPLACE_ACTIONS { TOKEN_ACTION }
 #define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION }
 #define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION }
 #define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION }
diff --git a/src/utils_arg_names.h b/src/utils_arg_names.h
index d536d571..5926c7ba 100644
--- a/src/utils_arg_names.h
+++ b/src/utils_arg_names.h
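Review bot: The popt help text `N_("Replace the current token")` on the new OPT_TOKEN_REPLACE entry in cryptsetup_arg_list.h is vaguer than the man page text added by the same commit and omits the precondition that the token is selected with --token-id. Something like `N_("Replace an existing token selected by --token-id")` would give the user the same information at --help time as in the manual. The entry's shape (no short option, POPT_ARG_NONE, CRYPT_ARG_BOOL, action list via OPT_TOKEN_REPLACE_ACTIONS) is otherwise consistent with its neighbours.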
@@ -144,6 +144,7 @@
 #define OPT_TIMEOUT "timeout"
 #define OPT_TOKEN_ID "token-id"
 #define OPT_TOKEN_ONLY "token-only"
+#define OPT_TOKEN_REPLACE "token-replace"
 #define OPT_TOKEN_TYPE "token-type"
 #define OPT_TRIES "tries"
 #define OPT_TYPE "type"