Add commandline option --tcrypt-backup to access TCRYPT backup header.

Milan Broz
2013-10-29 20:35:07 +01:00
parent 53607a0274
commit da93a3320b
2 changed files with 15 additions and 4 deletions


@@ -429,6 +429,9 @@ device not the system partition as the device parameter.
To use hidden header (and map hidden device, if available),
use \fB\-\-tcrypt\-hidden\fR option.
To explicitly use backup (secondary) header, use \fB\-\-tcrypt\-backup\fR
option.
\fBNOTE:\fR There is no protection for a hidden volume if
the outer volume is mounted. The reason is that if there
were any protection, it would require some metadata describing
@@ -444,7 +447,7 @@ Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up
a mapping <name>.
\fB<options>\fR can be [\-\-key\-file, \-\-tcrypt\-hidden,
\-\-tcrypt\-system, \-\-readonly, \-\-test\-passphrase].
\-\-tcrypt\-system, \-\-tcrypt\-backup, \-\-readonly, \-\-test\-passphrase].
The keyfile parameter allows combination of file content with the
passphrase and can be repeated. Note that using keyfiles is compatible
@@ -463,7 +466,7 @@ This means that if the master key is compromised, the whole device has
to be erased to prevent further access. Use this option carefully.
\fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
\-\-tcrypt\-hidden, \-\-tcrypt\-system].
\-\-tcrypt\-hidden, \-\-tcrypt\-system, \-\-tcrypt\-backup].
The keyfile parameter allows combination of file content with the
passphrase and can be repeated.


@@ -60,6 +60,7 @@ static int opt_allow_discards = 0;
static int opt_test_passphrase = 0;
static int opt_tcrypt_hidden = 0;
static int opt_tcrypt_system = 0;
static int opt_tcrypt_backup = 0;
static const char **action_argv;
static int action_argc;
@@ -239,6 +240,9 @@ static int action_open_tcrypt(void)
if (opt_tcrypt_system)
params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
if (opt_tcrypt_backup)
params.flags |= CRYPT_TCRYPT_BACKUP_HEADER;
r = crypt_load(cd, CRYPT_TCRYPT, &params);
check_signal(&r);
if (r < 0)
@@ -326,6 +330,9 @@ static int action_tcryptDump(void)
if (opt_tcrypt_system)
params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
if (opt_tcrypt_backup)
params.flags |= CRYPT_TCRYPT_BACKUP_HEADER;
r = crypt_load(cd, CRYPT_TCRYPT, &params);
check_signal(&r);
if (r < 0)
@@ -1390,6 +1397,7 @@ int main(int argc, const char **argv)
{ "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
{ "tcrypt-hidden", '\0', POPT_ARG_NONE, &opt_tcrypt_hidden, 0, N_("Use hidden header (hidden TCRYPT device)."), NULL },
{ "tcrypt-system", '\0', POPT_ARG_NONE, &opt_tcrypt_system, 0, N_("Device is system TCRYPT drive (with bootloader)."), NULL },
{ "tcrypt-backup", '\0', POPT_ARG_NONE, &opt_tcrypt_backup, 0, N_("Use backup (secondary) TCRYPT header."), NULL },
{ "type", 'M', POPT_ARG_STRING, &opt_type, 0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL },
{ "force-password", '\0', POPT_ARG_NONE, &opt_force_password, 0, N_("Disable password quality check (if enabled)."), NULL },
POPT_TABLEEND
@@ -1591,10 +1599,10 @@ int main(int argc, const char **argv)
_("Option --offset is supported only for open of plain and loopaes devices.\n"),
poptGetInvocationName(popt_context));
if ((opt_tcrypt_hidden || opt_tcrypt_system) && strcmp(aname, "tcryptDump") &&
if ((opt_tcrypt_hidden || opt_tcrypt_system || opt_tcrypt_backup) && strcmp(aname, "tcryptDump") &&
(strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
usage(popt_context, EXIT_FAILURE,
_("Option --tcrypt-hidden or --tcrypt-system is supported only for TCRYPT device.\n"),
_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"),
poptGetInvocationName(popt_context));
if (opt_debug) {
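Review bot: The widened usage() check near the end of main() only confirms that --tcrypt-hidden, --tcrypt-system and --tcrypt-backup are used with a TCRYPT action; it does not constrain how they combine, and both action_open_tcrypt() and action_tcryptDump() simply OR each flag into `params.flags`. Whether crypt_load() honours CRYPT_TCRYPT_BACKUP_HEADER together with CRYPT_TCRYPT_SYSTEM_HEADER is not visible in this diff. If it does not, a user who runs `--test-passphrase` or tcryptDump to verify the secondary header would silently be shown a different header than the one requested. If that pair is unsupported, reject it next to the existing check, for example `if (opt_tcrypt_system && opt_tcrypt_backup) usage(popt_context, EXIT_FAILURE, _("Option --tcrypt-backup cannot be combined with --tcrypt-system.\n"), poptGetInvocationName(popt_context));`; otherwise state the supported combinations in a comment above the check. main() and both action functions start and end outside the hunks shown.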