Add support for LUKS2 decryption with datashift.

Adds support for LUKS2 decryption of devices with a header put in the head of data device. During the initialization header is exported to a file and first data segment is moved to head of data device in place of original header. The feature introduces several new resilience modes (combination of existing modes datashift and "checksum" or "journal"). Where datashift resilience mode is applied for data moved towards the first segment and first segment is decrypted in-place. The mode is not backward compatible with prior LUKS2 reencryption and therefor interrupted operation in progress can not be resumed using older cryptsetup releases. Fixes: #669.
2025-12-05 16:00:05 +01:00 · 2022-04-26 10:05:37 +02:00
parent f3a46b8e93
commit c36f9899cf
7 changed files with 813 additions and 123 deletions
--- a/lib/luks2/luks2_reencrypt_digest.c
+++ b/lib/luks2/luks2_reencrypt_digest.c
@@ -231,8 +231,22 @@ static size_t reenc_keyslot_serialize(struct luks2_hdr *hdr, uint8_t *buffer)
 		{ JU32, jobj_area,    "sector_size" },
 		{}
 	};
+	struct jtype j_datashift_checksum[] = {
+		{ JSTR, jobj_keyslot, "mode" },
+		{ JSTR, jobj_keyslot, "direction" },
+		{ JSTR, jobj_area,    "type" },
+		{ JU64, jobj_area,    "offset" },
+		{ JU64, jobj_area,    "size" },
+		{ JSTR, jobj_area,    "hash" },
+		{ JU32, jobj_area,    "sector_size" },
+		{ JU64, jobj_area,    "shift_size" },
+		{}
+	};

-	if (!strcmp(area_type, "datashift"))
+	if (!strcmp(area_type, "datashift-checksum"))
+		return srs(j_datashift_checksum, buffer);
+	else if (!strcmp(area_type, "datashift") ||
+		 !strcmp(area_type, "datashift-journal"))
 		return srs(j_datashift, buffer);
 	else if (!strcmp(area_type, "checksum"))
 		return srs(j_checksum, buffer);