Add support for --master-key-file to luksOpen.

ChangeLog

@@ -1,3 +1,6 @@
+2012-02-11  Milan Broz  <mbroz@redhat.com>
+	* Add --master-key-file option to luksOpen (open using volume key).
+
 2012-01-12  Milan Broz  <mbroz@redhat.com>
 	* Fix use of empty keyfile.
 

man/cryptsetup.8

@@ -51,7 +51,7 @@ initializes a LUKS partition and sets the initial key, either via prompting or v
 
 \fB<options>\fR can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size,
 \-\-key-slot, \-\-key-file (takes precedence over optional second argument),
-\-\-keyfile-size, \-\-use-random | \-\-use-urandom, \-\-uuid].
+\-\-keyfile-size, \-\-use-random | \-\-use-urandom, \-\-uuid, \-\-master-key-file].
 .PP
 \fIluksOpen\fR <device> <name>
 .IP
@@ -60,7 +60,7 @@ successful verification of the supplied key material
 (either via key file by \-\-key-file, or via prompting).
 
 \fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-readonly, \-\-allow-discards,
-\-\-header, \-\-key-slot].
+\-\-header, \-\-key-slot, \-\-master-key-file].
 .PP
 \fIluksClose\fR <name>
 .IP
@@ -91,7 +91,8 @@ add a new key file/passphrase. An existing passphrase or key file
 (via \-\-key-file) must be supplied.
 The key file with the new material is supplied as a positional argument.
 
-\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-new-keyfile-size, \-\-key-slot].
+\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-new-keyfile-size, \-\-key-slot,
+\-\-master-key-file].
 .PP
 \fIluksRemoveKey\fR <device> [<key file>] 
 .IP
@@ -276,6 +277,9 @@ LUKS header reformatting with the same master key (if all other parameters
 are the same existing encrypted data remains intact).
 
 For \fIluksAddKey\fR it allows adding new passphrase with only master key knowledge.
+
+For \fIluksOpen\fR it allows to open the LUKS device with only master key knowledge.
+
 .TP
 .B "\-\-dump-master-key"
 For \fIluksDump\fR it allows LUKS header dump including volume (master) key.

src/cryptsetup.c

@@ -552,8 +552,9 @@ static int action_luksOpen(int arg __attribute__((unused)))
 {
 	struct crypt_device *cd = NULL;
 	const char *data_device, *header_device;
+	char *key = NULL;
 	uint32_t flags = 0;
-	int r;
+	int r, keysize;
 
 	if (opt_header_device) {
 		header_device = opt_header_device;
@@ -591,7 +592,14 @@ static int action_luksOpen(int arg __attribute__((unused)))
 	if (opt_allow_discards)
 		flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
 
-	if (opt_key_file) {
+	if (opt_master_key_file) {
+		keysize = crypt_get_volume_key_size(cd);
+		r = _read_mk(opt_master_key_file, &key, keysize);
+		if (r < 0)
+			goto out;
+		r = crypt_activate_by_volume_key(cd, action_argv[1],
+						 key, keysize, flags);
+	} else if (opt_key_file) {
 		crypt_set_password_retry(cd, 1);
 		r = crypt_activate_by_keyfile(cd, action_argv[1],
 			opt_key_slot, opt_key_file, opt_keyfile_size,
@@ -600,6 +608,7 @@ static int action_luksOpen(int arg __attribute__((unused)))
 		r = crypt_activate_by_passphrase(cd, action_argv[1],
 			opt_key_slot, NULL, 0, flags);
 out:
+	crypt_safe_free(key);
 	crypt_free(cd);
 	return r;
 }

tests/compat-test

@@ -246,6 +246,10 @@ $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 $CRYPTSETUP -q luksFormat $LOOPDEV $KEYE || fail
 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
+# open by volume key
+echo "key0" | $CRYPTSETUP -q luksFormat -s 256 --master-key-file $KEY1 $LOOPDEV || fail
+$CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose  $DEV_NAME || fail
 
 prepare "[17] AddKey volume key, passphrase and keyfile" wipe
 # masterkey