diff --git a/man/cryptsetup.8 b/man/cryptsetup.8 index b13a4c82..ac53cdce 100644 --- a/man/cryptsetup.8 +++ b/man/cryptsetup.8 @@ -429,6 +429,9 @@ device not the system partition as the device parameter. To use hidden header (and map hidden device, if available), use \fB\-\-tcrypt\-hidden\fR option. +To explicitly use backup (secondary) header, use \fB\-\-tcrypt\-backup\fR +option. + \fBNOTE:\fR There is no protection for a hidden volume if the outer volume is mounted. The reason is that if there were any protection, it would require some metadata describing @@ -444,7 +447,7 @@ Opens the TCRYPT (a TrueCrypt-compatible) and sets up a mapping . \fB\fR can be [\-\-key\-file, \-\-tcrypt\-hidden, -\-\-tcrypt\-system, \-\-readonly, \-\-test\-passphrase]. +\-\-tcrypt\-system, \-\-tcrypt\-backup, \-\-readonly, \-\-test\-passphrase]. The keyfile parameter allows combination of file content with the passphrase and can be repeated. Note that using keyfiles is compatible @@ -463,7 +466,7 @@ This means that if the master key is compromised, the whole device has to be erased to prevent further access. Use this option carefully. \fB\fR can be [\-\-dump\-master\-key, \-\-key\-file, -\-\-tcrypt\-hidden, \-\-tcrypt\-system]. +\-\-tcrypt\-hidden, \-\-tcrypt\-system, \-\-tcrypt\-backup]. The keyfile parameter allows combination of file content with the passphrase and can be repeated. diff --git a/src/cryptsetup.c b/src/cryptsetup.c index 5c2b96a5..b8941ab6 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -60,6 +60,7 @@ static int opt_allow_discards = 0; static int opt_test_passphrase = 0; static int opt_tcrypt_hidden = 0; static int opt_tcrypt_system = 0; +static int opt_tcrypt_backup = 0; static const char **action_argv; static int action_argc; 
@@ -239,6 +240,9 @@ static int action_open_tcrypt(void)
 if (opt_tcrypt_system)
 params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+ if (opt_tcrypt_backup)
+ params.flags |= CRYPT_TCRYPT_BACKUP_HEADER;
+
 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
 check_signal(&r);
 if (r < 0)
@@ -326,6 +330,9 @@ static int action_tcryptDump(void)
 if (opt_tcrypt_system)
 params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+ if (opt_tcrypt_backup)
+ params.flags |= CRYPT_TCRYPT_BACKUP_HEADER;
+
 r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
 check_signal(&r);
 if (r < 0)
@@ -1390,6 +1397,7 @@ int main(int argc, const char **argv)
 { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
 { "tcrypt-hidden", '\0', POPT_ARG_NONE, &opt_tcrypt_hidden, 0, N_("Use hidden header (hidden TCRYPT device)."), NULL },
 { "tcrypt-system", '\0', POPT_ARG_NONE, &opt_tcrypt_system, 0, N_("Device is system TCRYPT drive (with bootloader)."), NULL },
+ { "tcrypt-backup", '\0', POPT_ARG_NONE, &opt_tcrypt_backup, 0, N_("Use backup (secondary) TCRYPT header."), NULL },
 { "type", 'M', POPT_ARG_STRING, &opt_type, 0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL },
 { "force-password", '\0', POPT_ARG_NONE, &opt_force_password, 0, N_("Disable password quality check (if enabled)."), NULL },
 POPT_TABLEEND
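Review bot: The header-selection mapping (the visible `opt_tcrypt_system` and `opt_tcrypt_backup` tests that OR into `params.flags`) is repeated verbatim in `action_open_tcrypt` and in the `action_tcryptDump` hunk that follows, so the open and dump paths can drift apart on which header they select when the next option is added. Moving the mapping into one static helper that returns the flags word, called from both functions, would keep the two paths in step. A short comment there, such as `/* header selection: each --tcrypt-* option sets the matching CRYPT_TCRYPT_*_HEADER flag */`, would document the intent. Both function bodies start and end outside their hunks, so any flag tests above the visible lines are not covered by this note.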
@@ -1591,10 +1599,10 @@ int main(int argc, const char **argv)
 _("Option --offset is supported only for open of plain and loopaes devices.\n"),
 poptGetInvocationName(popt_context));
- if ((opt_tcrypt_hidden || opt_tcrypt_system) && strcmp(aname, "tcryptDump") &&
+ if ((opt_tcrypt_hidden || opt_tcrypt_system || opt_tcrypt_backup) && strcmp(aname, "tcryptDump") &&
 (strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
 usage(popt_context, EXIT_FAILURE,
- _("Option --tcrypt-hidden or --tcrypt-system is supported only for TCRYPT device.\n"),
+ _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"),
 poptGetInvocationName(popt_context));
 if (opt_debug) {
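Review bot: The extended check only ties the three options to a TCRYPT action and never looks at how they combine, so `--tcrypt-system --tcrypt-backup` passes validation and both flags reach `crypt_load()`. Whether libcryptsetup supports a backup header for system drives is not visible in this diff. If it does not, the pair should be rejected here so the user is not handed a different header than the one requested, e.g. `if (opt_tcrypt_system && opt_tcrypt_backup) usage(popt_context, EXIT_FAILURE, _("Option --tcrypt-system cannot be combined with --tcrypt-backup.\n"), poptGetInvocationName(popt_context));`. The surrounding `main()` body continues outside the hunk.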