mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-16 13:20:11 +01:00
Extend options for initializing reencryption from cli.
This patch extends the available options for LUKS2 reencryption initialization. When no specific keyslot is selected by the --key-slot option, all active keyslots need to be refreshed. With the current patch, the user does not have to provide a passphrase via the interactive prompt when a token is available and can unlock the assigned keyslot. Only keyslots not assigned to tokens (and unlocked by tokens) must be provided with a passphrase.

Furthermore, the user may directly narrow down the selection of keyslots suitable for reencryption by specifying either the --token-id, --token-type or --token-only option. In that case only keyslots associated with the specific token (--token-id), the specific type (--token-type) or any token specified in LUKS2 metadata (--token-only) will be used for reencryption and refreshed with the new volume key. All other keyslots will not be refreshed and will be erased after reencryption is finished. The token association will be carried over to the refreshed keyslots.

The third new method available in this patch is support for reencryption by passing volume keys directly. The LUKS2 device may be reencrypted by passing volume keys via the --volume-key-file, --new-volume-key-file, --volume-key-keyring or --new-volume-key-keyring options. With these options the user may reencrypt a device with no active keyslots. If there is any active keyslot and volume keys are passed directly, the user may enforce volume-key-based reencryption by passing the --force-no-keyslots option. If the --force-no-keyslots option is passed, all active keyslots will be erased after the reencryption operation is finished and the device may be unlocked only by passing the new volume key directly.

Fixes: #774, #780.
@@ -3364,6 +3364,12 @@ static const char *verify_reencrypt(void)
if (ARG_SET(OPT_ACTIVE_NAME_ID) && ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID))
return _("Options --active-name and --force-offline-reencrypt cannot be combined.");
if (ARG_SET(OPT_NEW_VOLUME_KEY_FILE_ID) && ARG_SET(OPT_KEEP_KEY_ID))
return _("Options --new-volume-key-file and --keep-key cannot be combined.");
if (ARG_SET(OPT_NEW_VOLUME_KEY_KEYRING_ID) && ARG_SET(OPT_KEEP_KEY_ID))
return _("Options --new-volume-key-keyring and --keep-key cannot be combined.");
return NULL;
}
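Review bot: the two added checks at the end of verify_reencrypt() are symmetric (a new volume key source combined with --keep-key) and could be folded into one condition, e.g. `if ((ARG_SET(OPT_NEW_VOLUME_KEY_FILE_ID) || ARG_SET(OPT_NEW_VOLUME_KEY_KEYRING_ID)) && ARG_SET(OPT_KEEP_KEY_ID))` returning a single message that names both options, which keeps the list of conflicting pairs from growing as more key-source options are introduced. The hunk also does not show a check rejecting --new-volume-key-file together with --new-volume-key-keyring, nor one for --force-no-keyslots combined with --keep-key; the commit message says --force-no-keyslots erases all keyslots and leaves the device unlockable only by the new volume key, so keeping the old key in that mode makes little sense. If those conflicts are not rejected elsewhere in verify_reencrypt(), consider adding them next to these checks.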