Milan Broz
98b4243432
Add support for high-priority dm-crypt flag.
...
This patch adds new --perf-high_priority cryptsetup option
for flag added in Linux kernel 6.10, dm-crypt target version 1.26.
2024-06-18 11:00:38 +00:00
Milan Broz
bd8cfe1efb
Mention need for possible PSID reset for some OPAL drives in man page.
...
Fixes: #879
2024-05-23 06:29:20 +00:00
Milan Broz
1e58ad570e
Add --key-description and --new-key-description for luksAddKey command.
2024-05-10 10:54:59 +02:00
Milan Broz
73975857a3
Add --key-description for luksResume command.
2024-05-10 10:54:55 +02:00
Milan Broz
3c79fd6c4b
Add --key-description for open command.
2024-05-10 10:54:50 +02:00
Milan Broz
82118bdd5f
Add --key-description for resize command.
2024-05-10 10:54:47 +02:00
Milan Broz
3e01e151f8
Add --key-description for luksFormat command.
2024-05-10 10:54:43 +02:00
Milan Broz
e085ae461f
Add --key-description for luksDump command.
2024-05-10 10:54:37 +02:00
Milan Broz
4a40d79322
Fix --key-description actions and define --new-key-description.
2024-05-10 10:54:32 +02:00
Milan Broz
bc62204a41
Add warning about OPAL admin PIN to man page and release notes.
2024-04-09 10:46:13 +02:00
Ondrej Kozina
3e29dbe6f2
Add --hw-opal-factory-reset switch in erase options explicitly.
2024-03-26 12:01:27 +00:00
Ondrej Kozina
5a0208cd06
Allow --link-vk-to-keyring with --test-passphrase option.
...
To make it possible to upload volume key in user specified kernel
keyring without need to (re)activate the device.
2024-02-29 16:25:17 +01:00
Milan Broz
82f37d7a10
Sort options in man pages alphabetically.
2024-02-22 20:58:35 +00:00
Milan Broz
cbf818a660
Fix JSON example in progress-frequency option.
2024-02-22 20:58:35 +00:00
Milan Broz
e1ef5214e7
Fix some typos found by lintian.
2023-11-29 09:49:55 +01:00
Ondrej Kozina
836e5e4539
Add --external-tokens-path parameter in cryptsetup.
2023-11-16 17:49:09 +01:00
Ondrej Kozina
32fbac17b1
Improve cmd line options man pages related to SED OPAL.
2023-10-31 11:13:58 +01:00
Ondrej Kozina
4081037bdb
Add --key-file support in luksErase action with LUKS2 opal.
2023-10-31 11:13:58 +01:00
Ondrej Kozina
51a1e218cf
Split logic for uploading keys in kernel key service.
...
We can not link internal VK kernel key in custom user
keyring. There are two reasons for it:
- The internal VK kernel key description can not be
acquired via API and it may change over time
(LUKS2 reencryption).
- With recent SED OPAL support volume key becomes a 'blob'
containing up to two keys (dm-crypt key for SWE and key
for unlocking SED OPAL locking range). The internal
kernel key contains only dm-crypt (if required) but
custom user keyring needs to be provided with whole
volume key (blob).
Added user specified key description for the linked key
in custom user keyring. The linked key can be reached by
the specified description after successful activation (resume).
2023-09-25 18:59:09 +00:00
Milan Broz
1c31b93e5c
Add --disable-blkid CLI option.
...
To be used with luksFormat if blkid fails for unknown reason.
2023-09-12 22:09:06 +02:00
Daniel Zatovic
1aab3afcba
Allow activation, resume and luksAddKey using VK stored in keyring.
...
Add --volume-key-keyring option, which takes a name of a key in keyring,
which will be used as a VK during device activation. The key can be
specified in keyctl-compatible syntax "%<key_type>:<key_name>".
2023-08-16 14:17:34 +02:00
Ondrej Kozina
b65fb6072e
Do not mention --new-keyfile option in luksChangeKey action man page.
2023-08-15 15:23:17 +02:00
Milan Broz
d173514b81
Do not decrease PBKDF parameters if a user forces them.
...
If a user explicitly specifies PBKDF parameters (like iterations,
used memory or threads), do not limit them, even if it can cause
resource exhaustion.
The only limits are hard limits per the PBKDF algorithm.
The force options were mostly used for decreasing parameters,
but it should work even opposite - despite the fact it can mean
shooting yourself in the foot (OOM).
Fixes: #812
2023-04-24 13:09:34 +02:00
Ondrej Kozina
93c5013577
Clarify when cryptsetup asks for LUKS2 token PINs.
2023-02-09 12:40:50 +00:00
Milan Broz
9f8fe3da16
Fix some typos.
2022-10-01 22:35:52 +02:00
Ondrej Kozina
5fce0c2ad1
Extend luksAddKey action options via crypt_keyslot_add_by_keyslot_context API.
...
In practice luksAddKey action does two operations. It unlocks existing
device volume key and stores unlocked volume key in a new keyslot.
Previously the options were limited to key files and passphrases.
With this patch user may combine freely following options:
To unlock keyslot with volume key user may:
- provide existing passphrase via interactive prompt (default method)
- use --key-file option to provide file with a valid passphrase to existing keyslot
- provide volume key directly via --volume-key-file
- unlock keyslot via all available LUKS2 tokens by --token-only
- unlock keyslot via specific token with --token-id
- unlock keyslot via specific token type by --token-type
To provide the passphrase for a new keyslot user may:
- provide existing passphrase via interactive prompt (default method)
- use --new-keyfile parameter or positional parameter to read the
passphrase from file.
- use --new-token-id to select specific LUKS2 token to get passphrase
for new keyslot. New keyslot is assigned to selected token id if
operation is successful.
Fixes: #725.
2022-09-29 17:31:29 +02:00
Ondrej Kozina
2e29eb7906
cryptsetup-luksAddKey man page cleanup.
2022-09-22 17:45:20 +02:00
Ondrej Kozina
90ad841a45
Add cryptsetup token unassign action.
...
Allows removing token binding on specific keyslot.
2022-09-16 14:34:28 +02:00
Ondrej Kozina
033ff34109
Enable adding unassigned luks2-keyring token in cryptsetup.
...
There was no easy way to add unassigned luks2-keyring token.
Reuse --unbound parameter for it.
2022-09-16 12:34:32 +02:00
Ondrej Kozina
0d61e4c20f
Clarify --unbound usage in man pages.
2022-09-16 12:32:24 +02:00
Milan Broz
766ac108ec
Fix option descriptions and lists mentioned in man pages.
2022-07-28 10:51:22 +00:00
Ondrej Kozina
b9b7c3a9bd
Add detached header warning in reencrypt man page.
2022-07-28 10:41:20 +00:00
Guilhem Moulin
3e178caeaf
Document more supported options in cryptsetup-luksResume(8).
...
`cryptsetup luksResume --disable-external-tokens --keyfile-offset 123`
does work but these options weren't documented.
2022-07-21 02:29:05 +02:00
Guilhem Moulin
3106b4e2c1
More typo and spelling fixes.
...
Reported by `git ls-tree -rz --name-only | grep -Evz -e '\.(pdf|xz)$' -e
^po/ | xargs -r0 spellintian --`. All changes are
documentation-related (comments, manuals, etc.) except for s/fial/fail/
in tests/unit-wipe-test.
The remaining entries are AFAICT all false positives, mostly annotations
such as `@param name name of xyz` or `struct foo foo`:
$ git ls-tree -rz HEAD --name-only | grep -Evz -e '\.(pdf|xz)$' -e ^po/ | xargs -r0 spellintian --
COPYING.LGPL: "GNU Library Public License" -> "GNU Library General Public License"
autogen.sh: echo echo (duplicate word) -> echo
configure.ac: fi fi (duplicate word) -> fi
docs/v1.7.2-ReleaseNotes: option option (duplicate word) -> option
lib/crypto_backend/cipher_check.c: block block (duplicate word) -> block
lib/libcryptsetup.h: name name (duplicate word) -> name
lib/libcryptsetup.h: type type (duplicate word) -> type
lib/libcryptsetup.h: passphrase passphrase (duplicate word) -> passphrase
lib/libcryptsetup.h: flags flags (duplicate word) -> flags
lib/libcryptsetup.h: password password (duplicate word) -> password
lib/libcryptsetup.h: salt salt (duplicate word) -> salt
lib/libcryptsetup.h: keyslot keyslot (duplicate word) -> keyslot
lib/libcryptsetup.h: priority priority (duplicate word) -> priority
lib/libcryptsetup.h: offset offset (duplicate word) -> offset
lib/libcryptsetup.h: length length (duplicate word) -> length
lib/libcryptsetup.h: keyfile keyfile (duplicate word) -> keyfile
lib/libcryptsetup.h: token token (duplicate word) -> token
lib/libcryptsetup.h: cipher cipher (duplicate word) -> cipher
lib/libcryptsetup.h: size size (duplicate word) -> size
lib/luks2/luks2_json_metadata.c: long long (duplicate word) -> long
lib/luks2/luks2_keyslot_luks2.c: AFEKSize AFEKSize (duplicate word) -> AFEKSize
lib/luks2/luks2_reencrypt.c: alignment alignment (duplicate word) -> alignment
lib/luks2/luks2_reencrypt_digest.c: ptr ptr (duplicate word) -> ptr
lib/luks2/luks2_reencrypt_digest.c: buffer buffer (duplicate word) -> buffer
lib/luks2/luks2_segment.c: min min (duplicate word) -> min
lib/verity/verity_fec.c: blocks blocks (duplicate word) -> blocks
man/cryptsetup.8.adoc: LUKS LUKS (duplicate word) -> LUKS
scripts/cryptsetup.conf.in: root root (duplicate word) -> root
src/Makemodule.am: endif endif (duplicate word) -> endif
src/cryptsetup.c: long long (duplicate word) -> long
src/utils_args.c: long long (duplicate word) -> long
tests/compat-test2: fi fi (duplicate word) -> fi
tests/device-test: echo echo (duplicate word) -> echo
tests/differ.c: long long (duplicate word) -> long
tests/loopaes-test: done done (duplicate word) -> done
tests/luks2-integrity-test: aead aead (duplicate word) -> aead
tests/luks2-reencryption-test: fi fi (duplicate word) -> fi
tests/mode-test: done done (duplicate word) -> done
tests/password-hash-test: cat cat (duplicate word) -> cat
tests/password-hash-test: fi fi (duplicate word) -> fi
tests/unit-wipe.c: long long (duplicate word) -> long
tests/verity-compat-test: done done (duplicate word) -> done
tests/verity-compat-test: fi fi (duplicate word) -> fi
tokens/ssh/cryptsetup-ssh.c: argp argp (duplicate word) -> argp
tokens/ssh/cryptsetup-ssh.c: arguments arguments (duplicate word) -> arguments
(Treated COPYING.LGPL as a false positive too since it's the exact text
from https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html .)
2022-07-15 16:35:02 +02:00
Guilhem Moulin
5d711c000f
Fix minor spelling errors.
...
(Found by Lintian.)
2022-07-15 12:16:39 +02:00
Ondrej Kozina
d943b2efb9
Clarify cryptsetup-open options in man page.
2022-07-14 13:51:37 +00:00
daniel.zatovic
a2afe0396f
Split manual pages into per-action page and use AsciiDoc format
...
Use pre-generated man pages in make dist.
[Added fixes and updates from Ondrej Kozina and Milan Broz]
2022-07-13 21:08:02 +02:00