This is part of the effort to eliminate all memory leaks related
to options parsing in popt but for that to work we must avoid
passing constant strings to free().

These performance options, introduced in kernel 5.9, configure
dm-crypt to bypass read or write workqueues and run encryption
synchronously.
Also support persistent storage of these flags for LUKS2.

The iv_large_sector option is supported in dm-crypt since introduction
of larger sectors encryption.
It counts Initialization Vector (IV) in larger sector size (if set) instead
of 512 bytes sectors.
This option does not have any performance or security impact, but it can be
used for accessing incompatible existing disk images from other systems.
(It is used internally in BitLocker compatibility code).
This patch allows it to be used for plain type device, so users
can manually map foreign disk images.
Only open action with plain device and sector size > 512 bytes is supported.
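
The effect of iv_large_sector on IV numbering, as an added example that is not part of cryptsetup or dm-crypt: it models the sector number passed to the IV generator in both modes. The plain64 IV format, an iv_offset of 0 and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the number fed to the IV generator for the encryption sector at
 * 512-byte offset start512 (iv_offset assumed 0). Returns -1 on bad input. */
int iv_sector_number(uint64_t start512, uint32_t sector_size,
                     int large, uint64_t *iv_sector)
{
    /* sector size must be a power of two in the range 512..4096 bytes */
    if (sector_size < 512 || sector_size > 4096 || (sector_size & (sector_size - 1)))
        return -1;
    uint32_t step = sector_size >> 9;   /* 512-byte sectors per unit */
    if (start512 % step)
        return -1;                      /* not on a sector boundary */
    *iv_sector = large ? start512 / step : start512;
    return 0;
}

/* plain64 IV (assumed mode): sector number as 64-bit little-endian, zero padded. */
void plain64_iv(uint64_t iv_sector, uint8_t iv[16])
{
    memset(iv, 0, 16);
    for (int i = 0; i < 8; i++)
        iv[i] = (uint8_t)(iv_sector >> (8 * i));
}

/* How many of the first n encryption sectors get the same IV in both modes,
 * i.e. would still decrypt if the option were set wrongly. */
unsigned matching_ivs(uint32_t sector_size, unsigned n)
{
    unsigned same = 0;
    for (unsigned i = 0; i < n; i++) {
        uint64_t off = (uint64_t)i * (sector_size >> 9), a, b;
        uint8_t iva[16], ivb[16];
        if (iv_sector_number(off, sector_size, 0, &a) ||
            iv_sector_number(off, sector_size, 1, &b))
            return 0;
        plain64_iv(a, iva);
        plain64_iv(b, ivb);
        same += !memcmp(iva, ivb, 16);
    }
    return same;
}

int main(void)
{
    printf("matching IVs: %u/16 (4096), %u/16 (512)\n", matching_ivs(4096, 16), matching_ivs(512, 16));
    return 0;
}
```

With 4096-byte sectors only the first encryption sector gets the same IV in both modes, so a foreign image mapped with the wrong setting decrypts correctly at offset 0 and incorrectly everywhere after it.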

Adds option to dump content of LUKS2 unbound keyslot
into a file:
'cryptsetup luksDump --unbound --master-key-file /file -S 12 /dev/luks2'
or to terminal:
'cryptsetup luksDump --unbound -S 12 /dev/luks2'
Parameter -S (specific keyslot) is mandatory with --unbound.
Fixes: #549

It also fixes minor regression where we return backing file
for partition on top of loop device when prompting for passphrase.
Partition on loop has different major number so it should not be
considered loop device at all.

It may be useful to activate device right after LUKS2 encryption
is initialized:
device is ready to use immediately even if data encryption runs in
the background for a long time
It simplifies encryption initialization during reboot.

If all keyslots are removed, LUKS2 no longer has information about
the volume key size (there is only key digest present).
If user wants to open or add new keyslot, it must get information
about key size externally.
We do not want to guess key size from the file size (it does not
work for block devices for example), so require explicit --keyfil
option in these cases.
Fixes #470.

It's possible to retain all keyslots (passphrases) when
performing LUKS2 reencryption provided there's enough
space in LUKS2 json metadata.
When specific keyslot is selected all other keyslots
bound to old volume key get deleted after reencryption
is finished.
Existing tokens are assigned to new keyslots.