Extend options for initializing reencryption from cli.

This patch extends available options for LUKS2 reencryption
initialization.

When no specific keyslot is selected by the --key-slot option, all active
keyslots need to be refreshed. With the current patch the user does not
have to provide a passphrase via an interactive prompt when a token is
available and can unlock the assigned keyslot. Only keyslots not assigned
to tokens (and unlocked by tokens) must be provided with a passphrase.

Furthermore, the user may directly narrow down the selection of keyslots
suitable for reencryption by specifying either the --token-id, --token-type
or --token-only option. In that case only keyslots associated with the
specific token (--token-id), the specific type (--token-type) or any token
specified in LUKS2 metadata (--token-only) will be used for
reencryption and refreshed with the new volume key. All other keyslots will
not be refreshed and will be erased after reencryption is finished. The token
association will be carried over to the refreshed keyslots.

The third new method available in this patch is support for reencryption
by passing volume keys directly. The LUKS2 device may be reencrypted
by passing volume keys via the --volume-key-file, --new-volume-key-file,
--volume-key-keyring or --new-volume-key-keyring options. With these
options the user may reencrypt a device with no active keyslots. If there is
any active keyslot and volume keys are passed directly, the user may enforce
volume-key-based reencryption by passing the --force-no-keyslots option.
If the --force-no-keyslots option is passed, all active keyslots will be
erased after the reencryption operation is finished and the device may be
unlocked only by passing the new volume key directly.

Fixes: #774, #780.
Ondrej Kozina
2024-10-08 10:49:09 +02:00
parent 0dc630b911
commit ad21502d06
5 changed files with 893 additions and 198 deletions


@@ -197,6 +197,20 @@ Override system directory path where cryptsetup searches for external token
handlers (or token plugins). It must be absolute path (starting with '/' character).
endif::[]
ifdef::ACTION_REENCRYPT[]
*--force-no-keyslots (LUKS2 only)*::
Enforce initialization of reencryption operation with additional --volume-key-file,
--new-volume-key-file, --volume-key-keyring or --new-volume-key-keyring parameters
that would result in deletion of all remaining LUKS2 keyslots containing volume key.
+
*NOTE:* LUKS2 keyslot with new volume key may be added after the reencryption
operation is finished. See *cryptsetup-luksAddKey*(8) command.
+
*WARNING:* Use with extreme caution! If you loose volume key stored in a file or
in a kernel keyring before adding LUKS2 keyslot containing new volume key
the device will become unusable and all data will be lost.
endif::[]
ifdef::ACTION_REENCRYPT[]
*--force-offline-reencrypt (LUKS2 only)*::
Bypass active device auto-detection and enforce offline reencryption.
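Review bot: typo in the WARNING paragraph: "If you loose volume key stored in a file" should read "If you lose the volume key stored in a file". The first sentence would also be clearer as "... deletion of all remaining LUKS2 keyslots containing the old volume key", since the keyslots erased are the ones holding the key being replaced, which is what the NOTE about adding a keyslot with the new key afterwards implies.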
@@ -1158,8 +1172,18 @@ does not input a passphrase, e.g. during boot. The default is a value
of 0 seconds, which means to wait forever.
endif::[]
ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_LUKSADDKEY[]
ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_LUKSADDKEY,ACTION_REENCRYPT[]
*--token-id*::
ifdef::ACTION_REENCRYPT[]
*LUKS2 reencryption initialization:*
Specify what keyslots (associated with selected token) to use for LUKS2 reencryption.
If reencryption operation changes effective volume key only keyslots associated
the token and unlocked successfully will be available after the reencryption operation
is finished.
+
*LUKS2 reencryption resume:*
// paragraph continues below
endif::[]
ifndef::ACTION_TOKEN,ACTION_LUKSADDKEY[]
Specify what token to use and allow token PIN prompt to take precedence over interactive
keyslot passphrase prompt. If omitted, all available tokens (not protected by PIN)
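Review bot: missing preposition in the "LUKS2 reencryption initialization" paragraph: "only keyslots associated the token and unlocked successfully" should be "only keyslots associated with the token and unlocked successfully". The same wording is repeated in the --token-type paragraph further down, so both places need the fix.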
@@ -1174,8 +1198,17 @@ new token.
endif::[]
endif::[]
ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY[]
ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_REENCRYPT[]
*--token-only*::
ifdef::ACTION_REENCRYPT[]
*LUKS2 reencryption initialization:*
Specify all keyslots associated with any token will be used for LUKS2 reencryption.
If reencryption operation changes effective volume key only keyslots associated
with any token will be available after the reencryption operation is finished.
+
*LUKS2 reencryption resume:*
// paragraph continues below
endif::[]
ifndef::ACTION_LUKSADDKEY[]
Do not proceed further with action if token based keyslot unlock failed. Without the
option, action asks for passphrase to proceed further.
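Review bot: grammar in the --token-only initialization paragraph: "Specify all keyslots associated with any token will be used" needs "that" ("Specify that all keyslots associated with any token will be used for LUKS2 reencryption"). For consistency with the --token-id text, which keeps only keyslots "associated with the token and unlocked successfully", it would also help to say here whether a keyslot whose token unlock fails is kept or erased after the volume key changes.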
@@ -1196,8 +1229,18 @@ Replace an existing token when adding or importing a token with the
--token-id option.
endif::[]
ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY[]
ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_REENCRYPT[]
*--token-type* _type_::
ifdef::ACTION_REENCRYPT[]
*LUKS2 reencryption initialization:*
Specify what keyslots (associated with selected token type) to use for LUKS2 reencryption.
If reencryption operation changes effective volume key only keyslots associated
the token type and unlocked successfully will be available after the reencryption operation
is finished.
+
*LUKS2 reencryption resume:*
// paragraph continues below
endif::[]
ifndef::ACTION_LUKSADDKEY[]
Restrict tokens eligible for operation to specific token _type_.
Mostly useful when no --token-id is specified.
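Review bot: same missing preposition as in the --token-id paragraph: "only keyslots associated the token type and unlocked successfully" should be "only keyslots associated with the token type and unlocked successfully".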


@@ -3364,6 +3364,12 @@ static const char *verify_reencrypt(void)
if (ARG_SET(OPT_ACTIVE_NAME_ID) && ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID))
return _("Options --active-name and --force-offline-reencrypt cannot be combined.");
if (ARG_SET(OPT_NEW_VOLUME_KEY_FILE_ID) && ARG_SET(OPT_KEEP_KEY_ID))
return _("Options --new-volume-key-file and --keep-key cannot be combined.");
if (ARG_SET(OPT_NEW_VOLUME_KEY_KEYRING_ID) && ARG_SET(OPT_KEEP_KEY_ID))
return _("Options --new-volume-key-keyring and --keep-key cannot be combined.");
return NULL;
}
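Review bot: the two new checks reject --keep-key together with --new-volume-key-file and --new-volume-key-keyring, but nothing in this hunk validates --force-no-keyslots, which the man page text in this patch describes as meaningful only together with --volume-key-file, --new-volume-key-file, --volume-key-keyring or --new-volume-key-keyring. Unless the suppressed part of the cryptsetup.c diff does it, add a check in verify_reencrypt() following the existing ARG_SET pattern that returns an error such as "Option --force-no-keyslots requires --volume-key-file, --new-volume-key-file, --volume-key-keyring or --new-volume-key-keyring." when the flag is given without any of them, so a mistyped command line is refused before an operation that ends by erasing every keyslot.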


@@ -52,6 +52,8 @@ ARG(OPT_FORCE_PASSWORD, '\0', POPT_ARG_NONE, N_("Disable password quality check
ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection"), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS)
ARG(OPT_FORCE_NO_KEYSLOTS, '\0', POPT_ARG_NONE, N_("Force dangerous reencryption operation erasing all remaining keyslots"), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_NO_KEYSLOTS_ACTIONS)
ARG(OPT_HASH, 'h', POPT_ARG_STRING, N_("The hash used to create the encryption key from the passphrase"), NULL, CRYPT_ARG_STRING, {}, {})
ARG(OPT_HEADER, '\0', POPT_ARG_STRING, N_("Device or file with separated LUKS header"), NULL, CRYPT_ARG_STRING, {}, {})


@@ -50,6 +50,7 @@
#define OPT_ERASE_ACTIONS { ERASE_ACTION }
#define OPT_EXTERNAL_TOKENS_PATH_ACTIONS { RESIZE_ACTION, OPEN_ACTION, ADDKEY_ACTION, LUKSDUMP_ACTION, RESUME_ACTION, TOKEN_ACTION }
#define OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS { REENCRYPT_ACTION }
#define OPT_FORCE_NO_KEYSLOTS_ACTIONS { REENCRYPT_ACTION }
#define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION }
#define OPT_HW_OPAL_ACTIONS { FORMAT_ACTION }
#define OPT_HW_OPAL_ONLY_ACTIONS OPT_HW_OPAL_ACTIONS
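Review bot: OPT_EXTERNAL_TOKENS_PATH_ACTIONS, in the context line just above the added OPT_FORCE_NO_KEYSLOTS_ACTIONS, still lists only RESIZE, OPEN, ADDKEY, LUKSDUMP, RESUME and TOKEN, while this patch makes the reencrypt action unlock keyslots through tokens via --token-id, --token-type and --token-only. If that unlock goes through external token handlers, REENCRYPT_ACTION should be added there as well; otherwise a user whose keyslots are bound to an out-of-tree token plugin cannot point reencrypt at its directory and falls back to the passphrase prompt.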
@@ -58,7 +59,7 @@
#define OPT_ITER_TIME_ACTIONS { BENCHMARK_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION }
#define OPT_IV_LARGE_SECTORS_ACTIONS { OPEN_ACTION }
#define OPT_KEEP_KEY_ACTIONS { REENCRYPT_ACTION }
#define OPT_KEY_DESCRIPTION_ACTIONS { TOKEN_ACTION, LUKSDUMP_ACTION, FORMAT_ACTION, RESIZE_ACTION, OPEN_ACTION, RESUME_ACTION, ADDKEY_ACTION }
#define OPT_KEY_DESCRIPTION_ACTIONS { TOKEN_ACTION, LUKSDUMP_ACTION, FORMAT_ACTION, RESIZE_ACTION, OPEN_ACTION, RESUME_ACTION, ADDKEY_ACTION, REENCRYPT_ACTION }
#define OPT_KEY_SIZE_ACTIONS { OPEN_ACTION, BENCHMARK_ACTION, FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION }
#define OPT_KEY_SLOT_ACTIONS { OPEN_ACTION, REENCRYPT_ACTION, CONFIG_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, LUKSDUMP_ACTION, TOKEN_ACTION, RESUME_ACTION }
#define OPT_KEYSLOT_CIPHER_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION }
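Review bot: this hunk enables --key-description for REENCRYPT_ACTION, but neither the commit message, which names only --volume-key-keyring and --new-volume-key-keyring as the keyring-related additions, nor the man page hunk in this patch mentions it. Either document the option for reencrypt (what it selects and how it relates to the two keyring options) or confirm it is needed here; as it stands a reader of the man page changes cannot tell that reencrypt accepts it.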

File diff suppressed because it is too large.