eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-13 20:00:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add ability to encrypt plain device.

Browse Source
This commit is contained in:
Milan Broz
2012-06-18 14:29:22 +02:00
parent 0894814148
commit b773823a1b
4 changed files with 195 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
lib/luks1/keymanage.c
View File

@@ -66,14 +66,22 @@ static uint64_t LUKS_device_sectors(size_t keyLen)
static int LUKS_check_device_size(struct crypt_device *ctx, const char *device, static int LUKS_check_device_size(struct crypt_device *ctx, const char *device,
size_t keyLength) size_t keyLength)
{ {
uint64_t dev_size; uint64_t dev_sectors, hdr_sectors;
if(device_size(device, &dev_size)) { if (!keyLength)
return -EINVAL;
if(device_size(device, &dev_sectors)) {
log_dbg("Cannot get device size for device %s.", device); log_dbg("Cannot get device size for device %s.", device);
return -EIO; return -EIO;
} }
if (LUKS_device_sectors(keyLength) > (dev_size >> SECTOR_SHIFT)) { dev_sectors >>= SECTOR_SHIFT;
hdr_sectors = LUKS_device_sectors(keyLength);
log_dbg("Key length %u, device size %" PRIu64 " sectors, header size %"
PRIu64 " sectors.",keyLength, dev_sectors, hdr_sectors);
if (hdr_sectors > dev_sectors) {
log_err(ctx, _("Device %s is too small.\n"), device); log_err(ctx, _("Device %s is too small.\n"), device);
return -EINVAL; return -EINVAL;
} }

8
man/cryptsetup-reencrypt.8
View File

@@ -120,6 +120,14 @@ WARNING: This is destructive operation and cannot be reverted.
Use with extreme care - shrinked filesystems are usually unrecoverable. Use with extreme care - shrinked filesystems are usually unrecoverable.
You cannot shrink device more than by 64 MiB (131072 sectors). You cannot shrink device more than by 64 MiB (131072 sectors).
.TP
.B "\-\-new, N"
Create new header (encrypt not yet encrypted device).
This option must be used together with \-\-reduce-device-size.
WARNING: This is destructive operation and cannot be reverted.
.TP .TP
.B "\-\-use-directio" .B "\-\-use-directio"
Use direct-io (O_DIRECT) for all read/write data operations. Use direct-io (O_DIRECT) for all read/write data operations.

195
src/cryptsetup_reencrypt.c
View File

@@ -23,6 +23,8 @@
#define _LARGEFILE64_SOURCE #define _LARGEFILE64_SOURCE
#define _FILE_OFFSET_BITS 64 #define _FILE_OFFSET_BITS 64
#define SECTOR_SIZE 512 #define SECTOR_SIZE 512
#define NO_UUID "cafecafe-cafe-cafe-cafe-cafecafeeeee"
#define MAX_BCK_SECTORS 8192
#include <string.h> #include <string.h>
#include <stdio.h> #include <stdio.h>
@@ -63,6 +65,7 @@ static int opt_write_log = 0;
static int opt_tries = 3; static int opt_tries = 3;
static int opt_key_slot = CRYPT_ANY_SLOT; static int opt_key_slot = CRYPT_ANY_SLOT;
static int opt_key_size = 0; static int opt_key_size = 0;
static int opt_new = 0;
static const char **action_argv; static const char **action_argv;
@@ -284,20 +287,22 @@ static int create_empty_header(const char *new_file, const char *old_file,
uint64_t data_sector) uint64_t data_sector)
{ {
struct stat st; struct stat st;
ssize_t size; ssize_t size = 0;
int fd, r = 0; int fd, r = 0;
char *buf; char *buf;
/* Never create header > 4MiB */ /* Never create header > 4MiB */
if (data_sector > 8192) if (data_sector > MAX_BCK_SECTORS)
data_sector = 8192; data_sector = MAX_BCK_SECTORS;
/* new header file of the same size as old backup */ /* new header file of the same size as old backup */
if (stat(old_file, &st) == -1 || if (old_file) {
(st.st_mode & S_IFMT) != S_IFREG || if (stat(old_file, &st) == -1 ||
(st.st_size > 16 * 1024 * 1024)) (st.st_mode & S_IFMT) != S_IFREG ||
return -EINVAL; (st.st_size > 16 * 1024 * 1024))
size = st.st_size; return -EINVAL;
size = st.st_size;
}
/* /*
* if requesting key size change, try to use offset * if requesting key size change, try to use offset
@@ -501,12 +506,49 @@ out:
return r; return r;
} }
static int create_new_header(struct reenc_ctx *rc, const char *cipher,
const char *cipher_mode, const char *uuid,
int key_size, struct crypt_params_luks1 *params)
{
struct crypt_device *cd_new = NULL;
int i, r;
if ((r = crypt_init(&cd_new, rc->header_file_new)))
goto out;
if (opt_random)
crypt_set_rng_type(cd_new, CRYPT_RNG_RANDOM);
else if (opt_urandom)
crypt_set_rng_type(cd_new, CRYPT_RNG_URANDOM);
if (opt_iteration_time)
crypt_set_iteration_time(cd_new, opt_iteration_time);
if ((r = crypt_format(cd_new, CRYPT_LUKS1, cipher, cipher_mode,
uuid, NULL, key_size, params)))
goto out;
log_verbose(_("New LUKS header for device %s created.\n"), rc->device);
for (i = 0; i < MAX_SLOT; i++) {
if (!rc->p[i].password)
continue;
if ((r = crypt_keyslot_add_by_volume_key(cd_new, i,
NULL, 0, rc->p[i].password, rc->p[i].passwordLen)) < 0)
goto out;
log_verbose(_("Activated keyslot %i.\n"), r);
r = 0;
}
out:
crypt_free(cd_new);
return r;
}
static int backup_luks_headers(struct reenc_ctx *rc) static int backup_luks_headers(struct reenc_ctx *rc)
{ {
struct crypt_device *cd = NULL, *cd_new = NULL; struct crypt_device *cd = NULL;
struct crypt_params_luks1 params = {0}; struct crypt_params_luks1 params = {0};
char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
int i, r; int r;
log_dbg("Creating LUKS header backup for device %s.", rc->device); log_dbg("Creating LUKS header backup for device %s.", rc->device);
@@ -528,17 +570,40 @@ static int backup_luks_headers(struct reenc_ctx *rc)
params.data_alignment += opt_reduce_device_size; params.data_alignment += opt_reduce_device_size;
params.data_device = rc->device; params.data_device = rc->device;
if (opt_cipher) {
r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
if (r < 0) {
log_err(_("No known cipher specification pattern detected.\n"));
goto out;
}
}
if ((r = crypt_init(&cd_new, rc->header_file_new))) r = create_new_header(rc,
goto out; opt_cipher ? cipher : crypt_get_cipher(cd),
opt_cipher ? cipher_mode : crypt_get_cipher_mode(cd),
crypt_get_uuid(cd),
opt_key_size ? opt_key_size / 8 : crypt_get_volume_key_size(cd),
&params);
out:
crypt_free(cd);
if (r)
log_err(_("Creation of LUKS backup headers failed.\n"));
return r;
}
if (opt_random) /* Create fake header for original device */
crypt_set_rng_type(cd_new, CRYPT_RNG_RANDOM); static int backup_fake_header(struct reenc_ctx *rc)
else if (opt_urandom) {
crypt_set_rng_type(cd_new, CRYPT_RNG_URANDOM); struct crypt_device *cd_new = NULL;
struct crypt_params_luks1 params = {0};
char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
if (opt_iteration_time) int r;
crypt_set_iteration_time(cd_new, opt_iteration_time);
log_dbg("Creating fake (cipher_null) header for original device.");
if (!opt_key_size)
opt_key_size = DEFAULT_LUKS1_KEYBITS;
if (opt_cipher) { if (opt_cipher) {
r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode); r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
@@ -548,30 +613,41 @@ static int backup_luks_headers(struct reenc_ctx *rc)
} }
} }
if ((r = crypt_format(cd_new, CRYPT_LUKS1, r = create_empty_header(rc->header_file_org, NULL, 0);
opt_cipher ? cipher : crypt_get_cipher(cd), if (r < 0)
opt_cipher ? cipher_mode : crypt_get_cipher_mode(cd), return r;
crypt_get_uuid(cd),
NULL,
opt_key_size ? opt_key_size / 8 : crypt_get_volume_key_size(cd),
&params)))
goto out;
log_verbose(_("New LUKS header for device %s created.\n"), rc->device);
for (i = 0; i < MAX_SLOT; i++) { params.hash = opt_hash ?: DEFAULT_LUKS1_HASH;
if (!rc->p[i].password) params.data_alignment = 0;
continue; params.data_device = rc->device;
if ((r = crypt_keyslot_add_by_volume_key(cd_new, i,
NULL, 0, rc->p[i].password, rc->p[i].passwordLen)) < 0) r = crypt_init(&cd_new, rc->header_file_org);
goto out; if (r < 0)
log_verbose(_("Activated keyslot %i.\n"), r); return r;
r = 0;
} r = crypt_format(cd_new, CRYPT_LUKS1, "cipher_null", "ecb",
NO_UUID, NULL, opt_key_size / 8, &params);
if (r < 0)
goto out;
r = crypt_keyslot_add_by_volume_key(cd_new, 0, NULL, 0,
rc->p[0].password, rc->p[0].passwordLen);
if (r < 0)
goto out;
r = create_empty_header(rc->header_file_new, rc->header_file_org, 0);
if (r < 0)
goto out;
params.data_alignment = opt_reduce_device_size;
r = create_new_header(rc,
opt_cipher ? cipher : DEFAULT_LUKS1_CIPHER,
opt_cipher ? cipher_mode : DEFAULT_LUKS1_MODE,
NULL,
(opt_key_size ? opt_key_size : DEFAULT_LUKS1_KEYBITS) / 8,
&params);
out: out:
crypt_free(cd);
crypt_free(cd_new); crypt_free(cd_new);
if (r)
log_err(_("Creation of LUKS backup headers failed.\n"));
return r; return r;
} }
@@ -829,6 +905,11 @@ static int initialize_uuid(struct reenc_ctx *rc)
log_dbg("Initialising UUID."); log_dbg("Initialising UUID.");
if (opt_new) {
rc->device_uuid = strdup(NO_UUID);
return 0;
}
/* Try to load LUKS from device */ /* Try to load LUKS from device */
if ((r = crypt_init(&cd, rc->device))) if ((r = crypt_init(&cd, rc->device)))
return r; return r;
@@ -845,11 +926,11 @@ static int initialize_uuid(struct reenc_ctx *rc)
} }
static int init_passphrase1(struct reenc_ctx *rc, struct crypt_device *cd, static int init_passphrase1(struct reenc_ctx *rc, struct crypt_device *cd,
const char *msg, int slot_check) const char *msg, int slot_to_check, int check)
{ {
int r = -EINVAL, slot, retry_count; int r = -EINVAL, slot, retry_count;
slot = (slot_check == CRYPT_ANY_SLOT) ? 0 : slot_check; slot = (slot_to_check == CRYPT_ANY_SLOT) ? 0 : slot_to_check;
retry_count = opt_tries ?: 1; retry_count = opt_tries ?: 1;
while (retry_count--) { while (retry_count--) {
@@ -865,8 +946,11 @@ static int init_passphrase1(struct reenc_ctx *rc, struct crypt_device *cd,
/* library uses sigint internally, until it is fixed...*/ /* library uses sigint internally, until it is fixed...*/
set_int_block(1); set_int_block(1);
r = crypt_activate_by_passphrase(cd, NULL, slot_check, if (check)
rc->p[slot].password, rc->p[slot].passwordLen, 0); r = crypt_activate_by_passphrase(cd, NULL, slot_to_check,
rc->p[slot].password, rc->p[slot].passwordLen, 0);
else
r = slot;
if (r < 0) { if (r < 0) {
crypt_safe_free(rc->p[slot].password); crypt_safe_free(rc->p[slot].password);
@@ -930,6 +1014,11 @@ static int initialize_passphrase(struct reenc_ctx *rc, const char *device)
log_dbg("Passhrases initialization."); log_dbg("Passhrases initialization.");
if (opt_new) {
r = init_passphrase1(rc, cd, _("Enter new LUKS passphrase: "), 0, 0);
return r > 0 ? 0 : r;
}
if ((r = crypt_init(&cd, device)) || if ((r = crypt_init(&cd, device)) ||
(r = crypt_load(cd, CRYPT_LUKS1, NULL)) || (r = crypt_load(cd, CRYPT_LUKS1, NULL)) ||
(r = crypt_set_data_device(cd, rc->device))) { (r = crypt_set_data_device(cd, rc->device))) {
@@ -940,14 +1029,15 @@ static int initialize_passphrase(struct reenc_ctx *rc, const char *device)
if (opt_key_file) { if (opt_key_file) {
r = init_keyfile(rc, cd, opt_key_slot); r = init_keyfile(rc, cd, opt_key_slot);
} else if (rc->in_progress) { } else if (rc->in_progress) {
r = init_passphrase1(rc, cd, _("Enter any LUKS passphrase: "), CRYPT_ANY_SLOT); r = init_passphrase1(rc, cd, _("Enter any LUKS passphrase: "),
CRYPT_ANY_SLOT, 1);
} else for (i = 0; i < MAX_SLOT; i++) { } else for (i = 0; i < MAX_SLOT; i++) {
ki = crypt_keyslot_status(cd, i); ki = crypt_keyslot_status(cd, i);
if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST) if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
continue; continue;
snprintf(msg, sizeof(msg), _("Enter LUKS passphrase for key slot %u: "), i); snprintf(msg, sizeof(msg), _("Enter LUKS passphrase for key slot %u: "), i);
r = init_passphrase1(rc, cd, msg, i); r = init_passphrase1(rc, cd, msg, i, 1);
if (r < 0) if (r < 0)
break; break;
} }
@@ -1047,9 +1137,13 @@ static int run_reencrypt(const char *device)
log_dbg("Running reencryption."); log_dbg("Running reencryption.");
if (!rc.in_progress) { if (!rc.in_progress) {
if ((r = initialize_passphrase(&rc, rc.device)) || if (opt_new) {
(r = backup_luks_headers(&rc)) || if ((r = initialize_passphrase(&rc, rc.device)) ||
(r = device_check(&rc, MAKE_UNUSABLE))) (r = backup_fake_header(&rc)))
goto out;
} else if ((r = initialize_passphrase(&rc, rc.device)) ||
(r = backup_luks_headers(&rc)) ||
(r = device_check(&rc, MAKE_UNUSABLE)))
goto out; goto out;
} else { } else {
if ((r = initialize_passphrase(&rc, rc.header_file_new))) if ((r = initialize_passphrase(&rc, rc.header_file_new)))
@@ -1136,6 +1230,7 @@ int main(int argc, const char **argv)
{ "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") }, { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
{ "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") }, { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
{ "reduce-device-size",'\0', POPT_ARG_INT, &opt_reduce_device_size, 0, N_("Reduce data device size (move data offset). DANGEROUS!"), N_("SECTORS") }, { "reduce-device-size",'\0', POPT_ARG_INT, &opt_reduce_device_size, 0, N_("Reduce data device size (move data offset). DANGEROUS!"), N_("SECTORS") },
{ "new", 'N', POPT_ARG_NONE,&opt_new, 0, N_("Create new header on not encrypted device."), NULL },
POPT_TABLEEND POPT_TABLEEND
}; };
poptContext popt_context; poptContext popt_context;
@@ -1212,6 +1307,10 @@ int main(int argc, const char **argv)
usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."), usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
poptGetInvocationName(popt_context)); poptGetInvocationName(popt_context));
if (opt_new && !opt_reduce_device_size)
usage(popt_context, EXIT_FAILURE, _("Option --new must be used together with --reduce_device_size."),
poptGetInvocationName(popt_context));
if (opt_debug) { if (opt_debug) {
opt_verbose = 1; opt_verbose = 1;
crypt_set_debug_level(-1); crypt_set_debug_level(-1);

32
tests/reencryption-compat-test
View File

@@ -4,11 +4,13 @@ CRYPTSETUP=../src/cryptsetup
REENC=../src/cryptsetup-reencrypt REENC=../src/cryptsetup-reencrypt
DEV_NAME=reenc9768 DEV_NAME=reenc9768
DEV_NAME2=reenc1273
IMG=reenc-data IMG=reenc-data
KEY1=key1 KEY1=key1
function remove_mapping() function remove_mapping()
{ {
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
[ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1 [ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
rm -f $IMG $KEY1 >/dev/null 2>&1 rm -f $IMG $KEY1 >/dev/null 2>&1
@@ -38,10 +40,15 @@ function open_crypt()
fi fi
} }
function wipe_dev() # $1 dev
{
dd if=/dev/zero of=$1 bs=256k >/dev/null 2>&1
}
function wipe() # $1 pass function wipe() # $1 pass
{ {
open_crypt $1 open_crypt $1
dd if=/dev/zero of=/dev/mapper/$DEV_NAME bs=256k >/dev/null 2>&1 wipe_dev /dev/mapper/$DEV_NAME
$CRYPTSETUP luksClose $DEV_NAME || fail $CRYPTSETUP luksClose $DEV_NAME || fail
} }
@@ -59,11 +66,16 @@ function prepare() # $1 dev1_siz
fi fi
} }
function check_hash_dev() # $1 dev, $2 hash
{
HASH=$(sha256sum $1 | cut -d' ' -f 1)
[ $HASH != "$2" ] && fail "HASH differs ($HASH)"
}
function check_hash() # $1 pwd, $2 hash function check_hash() # $1 pwd, $2 hash
{ {
open_crypt $1 open_crypt $1
HASH=$(sha256sum /dev/mapper/$DEV_NAME | cut -d' ' -f 1) check_hash_dev /dev/mapper/$DEV_NAME $2
[ $HASH != "$2" ] && fail "HASH differs ($HASH)"
$CRYPTSETUP remove $DEV_NAME || fail $CRYPTSETUP remove $DEV_NAME || fail
} }
@@ -74,6 +86,7 @@ function check_hash() # $1 pwd, $2 hash
HASH1=b69dae56a14d1a8314ed40664c4033ea0a550eea2673e04df42a66ac6b9faf2c HASH1=b69dae56a14d1a8314ed40664c4033ea0a550eea2673e04df42a66ac6b9faf2c
HASH2=d85ef2a08aeac2812a648deb875485a6e3848fc3d43ce4aa380937f08199f86b HASH2=d85ef2a08aeac2812a648deb875485a6e3848fc3d43ce4aa380937f08199f86b
HASH3=e4e5749032a5163c45125eccf3e8598ba5ed840df442c97e1d5ad4ad84359605
echo "[1] Reencryption" echo "[1] Reencryption"
prepare 8192 prepare 8192
@@ -86,6 +99,7 @@ echo "key0" | $REENC $LOOPDEV1 -q -s 256
check_hash "key0" $HASH1 check_hash "key0" $HASH1
echo "key0" | $REENC $LOOPDEV1 -q -s 256 -c aes-xts-plain64 -h sha256 echo "key0" | $REENC $LOOPDEV1 -q -s 256 -c aes-xts-plain64 -h sha256
check_hash "key0" $HASH1 check_hash "key0" $HASH1
echo "[2] Reencryption with data shift" echo "[2] Reencryption with data shift"
echo "key0" | $CRYPTSETUP -q luksFormat -s 128 -i 1 --align-payload 2048 $LOOPDEV1 || fail echo "key0" | $CRYPTSETUP -q luksFormat -s 128 -i 1 --align-payload 2048 $LOOPDEV1 || fail
wipe "key0" wipe "key0"
@@ -93,6 +107,7 @@ echo "key0" | $REENC $LOOPDEV1 -q -s 256 --reduce-device-size 1024 || fail
check_hash "key0" $HASH2 check_hash "key0" $HASH2
echo "key0" | $REENC $LOOPDEV1 -q -i 1 || fail echo "key0" | $REENC $LOOPDEV1 -q -i 1 || fail
check_hash "key0" $HASH2 check_hash "key0" $HASH2
echo "[3] Reencryption with keyfile" echo "[3] Reencryption with keyfile"
echo "key0" | $CRYPTSETUP -q luksFormat -d key1 -s 128 -i 1 --align-payload 4096 $LOOPDEV1 || fail echo "key0" | $CRYPTSETUP -q luksFormat -d key1 -s 128 -i 1 --align-payload 4096 $LOOPDEV1 || fail
wipe wipe
@@ -102,5 +117,16 @@ $REENC $LOOPDEV1 -d key1 -S 0 -i 1 -q || fail
check_hash "" $HASH1 check_hash "" $HASH1
# FIXME echo "key0" | $REENC ... # FIXME echo "key0" | $REENC ...
echo "[4] Encryption of not yet encrypted device"
# well, movin' zeroes :-)
OFFSET=2048
SIZE=$(blockdev --getsz $LOOPDEV1)
wipe_dev $LOOPDEV1
dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3
dmsetup remove $DEV_NAME2 || fail
echo "key0" | $REENC $LOOPDEV1 -s 128 --new --reduce-device-size $OFFSET -q
check_hash "key0" $HASH3
remove_mapping remove_mapping
exit 0 exit 0