cryptsetup-reencrypt: enable resume of decryption

to enable resume of interrupted decryption user has to pass uuid of the former luks device. That uuid is used to resume the operation if temporary files LUKS-* still exist.
2025-12-11 02:40:01 +01:00 · 2016-04-12 15:42:55 +02:00
parent f2cdc6f5f4
commit b5365ba13d
2 changed files with 33 additions and 4 deletions
--- a/man/cryptsetup-reencrypt.8
+++ b/man/cryptsetup-reencrypt.8
@@ -37,7 +37,8 @@ To start (or continue) re-encryption for <device> use:
 \fB<options>\fR can be [\-\-batch-mode, \-\-block-size, \-\-cipher, \-\-debug,
 \-\-device-size, \-\-hash, \-\-iter-time, \-\-use-random | \-\-use-urandom,
 \-\-keep-key, \-\-key-size, \-\-key-file, \-\-key-slot, \-\-keyfile-offset,
-\-\-keyfile-size, \-\-tries, \-\-use-directio, \-\-use-fsync, \-\-verbose, \-\-write-log]
+\-\-keyfile-size, \-\-tries, \-\-use-directio, \-\-use-fsync, \-\-verbose, \-\-write-log,
+\-\-uuid]

 To encrypt data on (not yet encrypted) device, use \fI\-\-new\fR with combination
 with \fI\-\-reduce-device-size\fR.
@@ -153,7 +154,7 @@ Use with extreme care - shrinked filesystems are usually unrecoverable.

 You cannot shrink device more than by 64 MiB (131072 sectors).
 .TP
-.B "\-\-new, N"
+.B "\-\-new, \-N"
 Create new header (encrypt not yet encrypted device).

 This option must be used together with \-\-reduce-device-size.
@@ -180,6 +181,11 @@ log files as well.
 Update log file after every block write. This can slow down reencryption
 but will minimize data loss in the case of system crash.
 .TP
+.B "\-\-uuid" \fI<uuid>\fR
+Use only while resuming an interrupted decryption process (see \-\-decrypt).
+To find out what \fI<uuid>\fR to pass look for temporary files LUKS-<uuid>.[|log|org|new] of the
+interrupted decryption process.
+.TP
 .B "\-\-batch-mode, \-q"
 Suppresses all warnings and reencryption progress output.
 .TP
--- a/src/cryptsetup_reencrypt.c
+++ b/src/cryptsetup_reencrypt.c
@@ -24,6 +24,7 @@
 #include <sys/time.h>
 #include <linux/fs.h>
 #include <arpa/inet.h>
+#include <uuid/uuid.h>

 #define PACKAGE_REENC "crypt_reencrypt"

@@ -33,6 +34,7 @@
 static const char *opt_cipher = NULL;
 static const char *opt_hash = NULL;
 static const char *opt_key_file = NULL;
+static const char *opt_uuid = NULL;
 static long opt_keyfile_size = 0;
 static long opt_keyfile_offset = 0;
 static int opt_iteration_time = 1000;
@@ -957,6 +959,7 @@ static int initialize_uuid(struct reenc_ctx *rc)
 {
 	struct crypt_device *cd = NULL;
 	int r;
+	uuid_t device_uuid;

 	log_dbg("Initialising UUID.");

@@ -965,6 +968,16 @@ static int initialize_uuid(struct reenc_ctx *rc)
 		return 0;
 	}

+	if (opt_decrypt && opt_uuid) {
+		r = uuid_parse(opt_uuid, device_uuid);
+		if (!r)
+			rc->device_uuid = strdup(opt_uuid);
+		else
+			log_err(_("Passed UUID is invalid.\n"));
+
+		return r;
+	}
+
 	/* Try to load LUKS from device */
 	if ((r = crypt_init(&cd, rc->device)))
 		return r;
@@ -1117,7 +1130,7 @@ static int initialize_context(struct reenc_ctx *rc, const char *device)
 {
 	log_dbg("Initialising reencryption context.");

-	rc->log_fd =-1;
+	rc->log_fd = -1;

 	if (!(rc->device = strndup(device, PATH_MAX)))
 		return -ENOMEM;
@@ -1157,6 +1170,11 @@ static int initialize_context(struct reenc_ctx *rc, const char *device)
 	}

 	if (!rc->in_progress) {
+		if (opt_uuid) {
+			log_err(_("Cannot use passed UUID unless decryption in progress.\n"));
+			return -EINVAL;
+		}
+
 		if (!opt_reduce_size)
 			rc->reencrypt_direction = FORWARD;
 		else {
@@ -1228,7 +1246,7 @@ static int run_reencrypt(const char *device)
 				goto out;
 		}
 	} else {
-		if ((r = initialize_passphrase(&rc, rc.header_file_new)))
+		if ((r = initialize_passphrase(&rc, opt_decrypt ? rc.header_file_org : rc.header_file_new)))
 			goto out;
 	}

@@ -1300,6 +1318,7 @@ int main(int argc, const char **argv)
 		{ "device-size",       '\0', POPT_ARG_STRING, &opt_device_size_str,     0, N_("Use only specified device size (ignore rest of device). DANGEROUS!"), N_("bytes") },
 		{ "new",               'N',  POPT_ARG_NONE, &opt_new,                   0, N_("Create new header on not encrypted device."), NULL },
 		{ "decrypt",           '\0', POPT_ARG_NONE, &opt_decrypt,               0, N_("Permanently decrypt device (remove encryption)."), NULL },
+		{ "uuid",              '\0', POPT_ARG_STRING, &opt_uuid,                0, N_("The uuid used to resume decryption."), NULL },
 		POPT_TABLEEND
 	};
 	poptContext popt_context;
@@ -1400,6 +1419,10 @@ int main(int argc, const char **argv)
 		usage(popt_context, EXIT_FAILURE, _("Option --decrypt is incompatible with specified parameters."),
 		      poptGetInvocationName(popt_context));

+	if (opt_uuid && !opt_decrypt)
+		usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only together with --decrypt."),
+		      poptGetInvocationName(popt_context));
+
 	if (opt_debug) {
 		opt_verbose = 1;
 		crypt_set_debug_level(-1);