It's possible to retain all keyslots (passphrases) when
performing LUKS2 reencryption provided there's enough
space in LUKS2 json metadata.
When specific keyslot is selected all other keyslots
bound to old volume key get deleted after reencryption
is finished.
Existing tokens are assigned to new keyslots.
Currently it's used only in LUKS2 reencryption code
for reencrypting initial part of data device only.
It may be used to encrypt/reencrypt only initial part
of data device if user is aware that rest of the device
is empty.
This is very ugly workaround for situation when multiple
devices are being activated in parallel (systemd crypttab)
and system instead of returning ENOMEM use OOM killer
to randomly kill processes.
This flag is intended to be used only in very specific situations.
The JSON structures should not be printed by default to debug log.
This flag introduces new debug level that prints JSON structures
and keeps default debug output separate.
This patch makes available LUKS2 per-keyslot encryption settings to user.
In LUKS2, keyslot can use different encryption that data.
We can use new crypt_keyslot_get_encryption and crypt_keyslot_set_encryption
API calls to set/get this encryption.
For cryptsetup new --keyslot-cipher and --keyslot-key-size options are added.
The default keyslot encryption algorithm (if cannot be derived from data encryption)
is now available as configure options (default is aes-xts-plain64 with 512-bits key).
NOTE: default was increased from 256-bits.
Also print these area sizes in dump command.
NOTE: since now, the metadata area size in dump command contains
mandatory 4k binary section (to be aligned with API definition).
This reverts commit 71dd149ca2.
Enforcing data alignment to be encryption sector size aligned
is completelly wrong. The underlying data device alignment
has nothing to do with dm-crypt internal encryption sector size.
The restriction is however valid for dm-crypt segment size.
Move all messages to cryptsetup tools and print these
verbose messages:
- Key slot X unlocked.
- Key slot X created.
- Key slot X removed.
and
- Token X created.
- Token X removed.
Also print error, if unknown token is tried to be removed.
As poptGetOptArg() returns "const char *", assigning it to a
"const char *" varible triggers a warning on Clang:
"incompatible-pointer-types-discards-qualifiers".
