diff --git a/configure.in b/configure.in
index 3345f0e6..fbc5e3e8 100644
--- a/configure.in
+++ b/configure.in
@@ -193,6 +193,11 @@ AC_ARG_ENABLE(veritysetup,
 [disable veritysetup support]),[], [enable_veritysetup=yes])
 AM_CONDITIONAL(VERITYSETUP, test x$enable_veritysetup = xyes)
+AC_ARG_ENABLE([cryptsetup-reencrypt],
+ AS_HELP_STRING([--enable-cryptsetup-reencrypt],
+ [enable cryptsetup-reencrypt tool]))
+AM_CONDITIONAL(REENCRYPT, test x$enable_cryptsetup_reencrypt = xyes)
+
 AC_ARG_ENABLE(selinux, AS_HELP_STRING([--disable-selinux],
 [disable selinux support [default=auto]]),[], [])
diff --git a/man/Makefile.am b/man/Makefile.am
index 520e5eab..c78b389f 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -4,4 +4,8 @@ if VERITYSETUP
 man8_MANS += veritysetup.8
 endif
+if REENCRYPT
+man8_MANS += cryptsetup-reencrypt.8
+endif
+
 EXTRA_DIST = $(man8_MANS)
diff --git a/man/cryptsetup-reencrypt.8 b/man/cryptsetup-reencrypt.8
new file mode 100644
index 00000000..dab17504
--- /dev/null
+++ b/man/cryptsetup-reencrypt.8
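Review bot: The new AS_HELP_STRING carries no default annotation, while the --disable-selinux string a few lines below in the same hunk documents its default with `[default=auto]`; since no action-if-not-given is supplied, the tool is off unless the option is passed, and the help text should say so: `[enable cryptsetup-reencrypt tool [default=no]]`. The REENCRYPT conditional this hunk defines is what man/Makefile.am and src/Makefile.am key on later in the commit, so the default chosen here decides whether the experimental tool is built and installed at all.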
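Review bot: Because `EXTRA_DIST = $(man8_MANS)` only contains cryptsetup-reencrypt.8 when REENCRYPT is true, a `make dist` run from a tree configured without --enable-cryptsetup-reencrypt produces a tarball that lacks the new man page, and a user who enables the option from that tarball fails at install time. Listing the page unconditionally for distribution avoids this, e.g. `EXTRA_DIST = $(man8_MANS) cryptsetup-reencrypt.8`; the same pattern appears to affect veritysetup.8 already, so it may be worth fixing both in one place.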
@@ -0,0 +1,136 @@
+.TH CRYPTSETUP-REENCRYPT "8" "June 2012" "cryptsetup-reencrypt" "Maintenance Commands"
+.SH NAME
+cryptsetup-reencrypt - tool for offline LUKS device re-encryption
+.SH SYNOPSIS
+.B cryptsetup-reencrypt
+.SH DESCRIPTION
+.PP
+Cryptsetup-reencrypt can be used to change reencryption parameters
+which otherwise require full on-disk data change (re-encryption).
+
+You can regenerate \fBvolume key\fR (the real key used in on-disk encryption
+unclocked by passphrase), \fBcipher\fR, \fBcipher mode\fR.
+
+Cryptsetup-reencrypt reencrypts data on LUKS device in-place. During
+reencryption process the LUKS device is marked unavailable.
+
+\fIWARNING\fR: The cryptsetup-reencrypt program is not resistant to hardware
+or kernel failures during reencryption (you can lose you data in this case).
+
+\fIALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS TOOL.\fR
+.br
+\fITHIS TOOL IS EXPERIMENTAL.\fR
+
+The reencryption can be temporarily suspended (by TERM signal or by
+using ctrl+c) but you need to retain temporary files named LUKS-.[log|org|new].
+LUKS device is unavailable until reencryption is finished though.
+
+For more info about LUKS see cryptsetup(8).
+.PP
+.SH OPTIONS
+.TP
+To start (or continue) re-encryption for use:
+.PP
+\fIcryptsetup-reencrypt\fR
+
+\fB\fR can be [\-\-block-size, \-\-cipher, \-\-hash, \-\-iter-time,
+\-\-use-random | \-\-use-urandom, \-\-key-file, \-\-key-slot, \-\-keyfile-offset,
+\-\-keyfile-size, \-\-tries, \-\-use-directio, \-\-use-fsync, \-\-write-log]
+
+For detailed description of encryption and key file options see \fIcryptsetup(8)\fR
+man page.
+.TP
+.B "\-\-verbose, \-v"
+Print more information on command execution.
+.TP
+.B "\-\-debug"
+Run in debug mode with full diagnostic logs. Debug output
+lines are always prefixed by '#'.
+.TP
+.B "\-\-cipher, \-c" \fI\fR
+Set the cipher specification string.
+.TP
+.B "\-\-hash, \-h \fI\fR"
+Specifies the hash used in the LUKS key setup scheme and volume key digest.
+.TP
+.B "\-\-iter-time, \-i \fI\fR"
+The number of milliseconds to spend with PBKDF2 passphrase processing for the
+new LUKS header.
+.TP
+.B "\-\-use-random"
+.TP
+.B "\-\-use-urandom"
+Define which kernel random number generator will be used to create the volume key.
+.TP
+.B "\-\-key-file, \-d \fIname\fR"
+Read the passphrase from file.
+.br
+WARNING: \-\-key-file option can be used only if there only one active keyslot,
+or alternatively, also if \-\-key-slot option is specified (then all other keyslots
+will be disabled in new LUKS device).
+
+If this option is not used, cryptswtup-reencrypt will ask for all active keyslot
+passphrases.
+.TP
+.B "\-\-key-slot, \-S <0-7>"
+Specify which key slot is used.
+.br
+WARNING: All other keyslots will be disabled if this option is used.
+.TP
+.B "\-\-keyfile-offset \fIvalue\fR"
+Skip \fIvalue\fR bytes at the beginning of the key file.
+.TP
+.B "\-\-keyfile-size, \-l"
+Read a maximum of \fIvalue\fR bytes from the key file.
+Default is to read the whole file up to the compiled-in
+maximum.
+.TP
+.B "\-\-tries, \-T"
+Number of retries for invalid passphrase entry.
+.TP
+.B "\-\-block-size, \-B \fIvalue\fR"
+Use re-encryption block size of in MiB.
+.br
+Values can be between 1 and 64 MiB.
+.TP
+.B "\-\-use-directio"
+Use direct-io (O_DIRECT) for all read/write data operations.
+.br
+Usefull if direct-io operations perform better than normal buffered
+operations (e.g. in virtual environments).
+.TP
+.B "\-\-use-fsync"
+Use fsync call after every written block.
+.TP
+.B "\-\-write-log"
+Update log file after every block write. This can slow down reencryption
+but will minimize data loss in the case of system crash.
+.TP
+.B "\-\-batch-mode, \-q"
+Suppresses all warnings and reencryption progress output.
+.TP
+.B "\-\-version"
+Show the program version.
+.SH RETURN CODES
+Cryptsetup-reencrypt returns 0 on success and a non-zero value on error.
+
+Error codes are: 1 wrong parameters, 2 no permission,
+3 out of memory, 4 wrong device specified, 5 device already exists
+or device is busy.
+.SH REPORTING BUGS
+Report bugs, including ones in the documentation, on
+the cryptsetup mailing list at
+or in the 'Issues' section on LUKS website.
+Please attach the output of the failed command with the
+\-\-debug option added.
+.SH AUTHORS
+Cryptsetup-reencrypt was written by Milan Broz .
+.SH COPYRIGHT
+Copyright \(co 2012 Milan Broz
+.br
+Copyright \(co 2012 Red Hat, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+.SH SEE ALSO
+The project website at \fBhttp://code.google.com/p/cryptsetup/\fR
diff --git a/src/Makefile.am b/src/Makefile.am
index e7728756..a8264466 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -66,11 +66,25 @@ endif
 endif
 # reencrypt
-crypt_reencrypt_SOURCES = \
+if REENCRYPT
+cryptsetup_reencrypt_SOURCES = \
 $(top_builddir)/lib/utils_crypt.c \
- crypt_reencrypt.c \
+ cryptsetup_reencrypt.c \
 cryptsetup.h
-crypt_reencrypt_LDADD = $(cryptsetup_LDADD)
-crypt_reencrypt_CFLAGS = $(cryptsetup_CFLAGS)
-sbin_PROGRAMS += crypt_reencrypt
+cryptsetup_reencrypt_LDADD = $(cryptsetup_LDADD)
+cryptsetup_reencrypt_CFLAGS = $(cryptsetup_CFLAGS)
+
+sbin_PROGRAMS += cryptsetup-reencrypt
+
+if STATIC_TOOLS
+sbin_PROGRAMS += cryptsetup-reencrypt.static
+cryptsetup_reencrypt_static_SOURCES = $(cryptsetup_reencrypt_SOURCES)
+cryptsetup_reencrypt_static_CFLAGS = $(cryptsetup_reencrypt_CFLAGS)
+cryptsetup_reencrypt_static_LDFLAGS = -all-static
+cryptsetup_reencrypt_static_LDADD = $(cryptsetup_reencrypt_LDADD) \
+ @CRYPTO_STATIC_LIBS@ \
+ @DEVMAPPER_STATIC_LIBS@ \
+ @UUID_LIBS@
+endif
+endif
diff --git a/src/crypt_reencrypt.c b/src/cryptsetup_reencrypt.c
similarity index 98%
rename from src/crypt_reencrypt.c
rename to src/cryptsetup_reencrypt.c
index 642b8049..8b54e5ee 100644
--- a/src/crypt_reencrypt.c
+++ b/src/cryptsetup_reencrypt.c
@@ -151,8 +151,8 @@ static void _log(int level, const char *msg, void *usrptr __attribute__((unused)
 static void _quiet_log(int level, const char *msg, void *usrptr)
 {
- if (!opt_verbose && (level == CRYPT_LOG_ERROR || level == CRYPT_LOG_NORMAL))
- level = CRYPT_LOG_VERBOSE;
+ if (!opt_debug)
+ return;
 _log(level, msg, usrptr);
 }
@@ -1122,8 +1122,12 @@ int main(int argc, const char **argv)
 exit(EXIT_SUCCESS);
 }
- if (!opt_batch_mode)
- log_err(_("WARNING: this is experimental code, it can completely break your data.\n"));
+ if (!opt_batch_mode) {
+ log_std(_("WARNING: this is experimental code, it can completely break your data.\n"));
+ log_verbose(_("Reencryption will change: volume key%s%s%s%s.\n"),
+ opt_hash ? _(", set hash to ") : "", opt_hash ?: "",
+ opt_cipher ? _(", set cipher to "): "", opt_cipher ?: "");
+ }
 action_argv = poptGetArgs(popt_context);
 if(!action_argv)
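Review bot: `_quiet_log` now drops every message, CRYPT_LOG_ERROR included, unless --debug was given, whereas the removed lines only demoted errors to verbose, so they still reached a user running with -v. Wherever this callback is installed on a libcryptsetup context (not visible in the hunk), library error text for a failed step is now lost under --verbose alone, which makes the failure cases the new man page warns about harder to diagnose from the tool's own output. If the intent is to silence expected noise from probing calls, keep errors reachable with -v, `if (!opt_debug && !(opt_verbose && level == CRYPT_LOG_ERROR)) return;`, and add a one-line comment above the function naming which calls are deliberately muted. `_quiet_log` is fully contained in the hunk.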
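Review bot: The `opt_hash ?: ""` and `opt_cipher ?: ""` arguments to the added log_verbose call use the GNU `?:` extension, which strict `-std=c99`/`-pedantic` builds and non-GCC compilers reject; the portable spelling is `opt_hash ? opt_hash : ""` and `opt_cipher ? opt_cipher : ""`. The experimental-code warning also moves from log_err to log_std; if log_std writes to stdout (not visible here) the warning now shares a stream with progress output and is silently lost when stdout is redirected, so it is worth confirming that change of stream is intended rather than incidental. main() starts and ends outside the hunk.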