diff --git a/ChangeLog b/ChangeLog
index 445ee07a..917b1f97 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2012-02-11 Milan Broz
+ * Add --master-key-file option to luksOpen (open using volume key).
+
 2012-01-12 Milan Broz
 * Fix use of empty keyfile.
diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index a685e1e6..a396439c 100644
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -51,7 +51,7 @@ initializes a LUKS partition and sets the initial key, either via prompting or v
 \fB\fR can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size, \-\-key-slot,
 \-\-key-file (takes precedence over optional second argument),
-\-\-keyfile-size, \-\-use-random | \-\-use-urandom, \-\-uuid].
+\-\-keyfile-size, \-\-use-random | \-\-use-urandom, \-\-uuid, \-\-master-key-file].
 .PP
 \fIluksOpen\fR
 .IP
@@ -60,7 +60,7 @@ successful verification of the supplied key material (either via key file by
 \-\-key-file, or via prompting).
 \fB\fR can be [\-\-key-file, \-\-keyfile-size, \-\-readonly, \-\-allow-discards,
-\-\-header, \-\-key-slot].
+\-\-header, \-\-key-slot, \-\-master-key-file].
 .PP
 \fIluksClose\fR
 .IP
@@ -91,7 +91,8 @@ add a new key file/passphrase. An existing passphrase or key file (via \-\-key-file)
 must be supplied. The key file with the new material is supplied as a positional argument.
-\fB\fR can be [\-\-key-file, \-\-keyfile-size, \-\-new-keyfile-size, \-\-key-slot].
+\fB\fR can be [\-\-key-file, \-\-keyfile-size, \-\-new-keyfile-size, \-\-key-slot,
+\-\-master-key-file].
 .PP
 \fIluksRemoveKey\fR []
 .IP
@@ -276,6 +277,9 @@ LUKS header reformatting with the same master key (if all other parameters are the same
 existing encrypted data remains intact).
 For \fIluksAddKey\fR it allows adding new passphrase with only master key knowledge.
+
+For \fIluksOpen\fR it allows to open the LUKS device with only master key knowledge.
+
 .TP
 .B "\-\-dump-master-key"
 For \fIluksDump\fR it allows LUKS header dump including volume (master) key.
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index fac38b72..055f046e 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -552,8 +552,9 @@ static int action_luksOpen(int arg __attribute__((unused)))
 {
 struct crypt_device *cd = NULL;
 const char *data_device, *header_device;
+ char *key = NULL;
 uint32_t flags = 0;
- int r;
+ int r, keysize;
 if (opt_header_device) {
 header_device = opt_header_device;
@@ -591,7 +592,14 @@ static int action_luksOpen(int arg __attribute__((unused)))
 if (opt_allow_discards)
 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
- if (opt_key_file) {
+ if (opt_master_key_file) {
+ keysize = crypt_get_volume_key_size(cd);
+ r = _read_mk(opt_master_key_file, &key, keysize);
+ if (r < 0)
+ goto out;
+ r = crypt_activate_by_volume_key(cd, action_argv[1], key, keysize, flags);
+ } else if (opt_key_file) {
 crypt_set_password_retry(cd, 1);
 r = crypt_activate_by_keyfile(cd, action_argv[1], opt_key_slot, opt_key_file, opt_keyfile_size,
@@ -600,6 +608,7 @@ static int action_luksOpen(int arg __attribute__((unused)))
 r = crypt_activate_by_passphrase(cd, action_argv[1], opt_key_slot, NULL, 0, flags);
 out:
+ crypt_safe_free(key);
 crypt_free(cd);
 return r;
 }
diff --git a/tests/compat-test b/tests/compat-test
index a1d6bfc5..5231173f 100755
--- a/tests/compat-test
+++ b/tests/compat-test
@@ -246,6 +246,10 @@ $CRYPTSETUP -q luksClose $DEV_NAME || fail
 $CRYPTSETUP -q luksFormat $LOOPDEV $KEYE || fail
 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
 $CRYPTSETUP -q luksClose $DEV_NAME || fail
+# open by volume key
+echo "key0" | $CRYPTSETUP -q luksFormat -s 256 --master-key-file $KEY1 $LOOPDEV || fail
+$CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
 prepare "[17] AddKey volume key, passphrase and keyfile"
 wipe
 # masterkey
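Review bot: `keysize = crypt_get_volume_key_size(cd);` in the second cryptsetup.c hunk is used without a check, so a 0 or negative result from that getter is passed straight to `_read_mk()` and then on to `crypt_activate_by_volume_key()` as the key length. A guard before the read, `if (keysize <= 0) { r = -EINVAL; goto out; }`, turns that into a clean, explicit failure instead of an odd-sized key-file read followed by a possibly misleading activation error (`-EINVAL` assumes `<errno.h>` is in scope, which the negative-return convention visible in `if (r < 0)` suggests but the hunk does not show). `keysize` is also declared `int` while the library's key-length parameters are `size_t`, so the conversion at the activation call is implicit; making the width change deliberate after the guard would be cleaner. action_luksOpen's body starts before this hunk and continues past it; the `out:` cleanup in the last hunk does release `key` via `crypt_safe_free()` on both the error and the success path, which is the right treatment for volume-key material.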
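Review bot: The new compat-test block exercises only the accepting path: nothing checks that `luksOpen --master-key-file` with wrong key material is refused, which is the property that matters most for an option that opens the device without going through a passphrase keyslot. A negative case next to the positive one, using a second key file of the same length but different contents (a constructed `$KEY_WRONG` placeholder here, whatever fixture name the test set uses), would pin that: `$CRYPTSETUP luksOpen --master-key-file $KEY_WRONG $LOOPDEV $DEV_NAME 2>/dev/null && fail`. Whether `$KEY1` is exactly 32 bytes to match `-s 256` is not visible in this hunk; if it is shorter, the positive case ends up testing how a short read is handled rather than the intended key.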