LUKS2 should use keyring for dm-crypt volume keys by default
when possible. crypt_activate_by_token didn't load keys in
keyring by default. It was a bug.
When information about original keyslot size is missing (no active
keyslot assigned to default segment) we have to fallback to
default luks2 encryption parameters even though we know default
segment cipher and mode.
Fixes: #442.
This patch makes available LUKS2 per-keyslot encryption settings to user.
In LUKS2, keyslot can use different encryption that data.
We can use new crypt_keyslot_get_encryption and crypt_keyslot_set_encryption
API calls to set/get this encryption.
For cryptsetup new --keyslot-cipher and --keyslot-key-size options are added.
The default keyslot encryption algorithm (if cannot be derived from data encryption)
is now available as configure options (default is aes-xts-plain64 with 512-bits key).
NOTE: default was increased from 256-bits.
The crypt_set_data_offset sets the data offset for LUKS and LUKS2 devices
to specified value in 512-byte sectors.
This value should replace alignment calculation in LUKS param structures.
a) checks crypt_load() fails when single LUKS2 header is corrupted and
blkid detect other device signature from LUKS or none.
b) check explicit crypt_repair is able to override blkid restriction
and fix corrupted primary header
c) check a) and b) with disabled locks
A keyslot not bound to any segment can store any key for any purpose.
To easily check slot status, new enum value is introduced.
This status is valid only for LUKS2, so the functions are backward compatible
with LUKS1.
Some ciphers and key sizes created on-disk metadata that cannot be used.
Use the same test for length-preserving cipher as LUKS1.
Also check if key for integrity algorithm is not too small.
Fixes#373.
This fixes crypt_keyslot_add_by_key where we were unable to store
keyslot (unbound to segment) with different key_size.
The code used (new) volume key size implicitly which could be wrong
if new size was not compatible with cipher parameter for keyslot area.
Add yet another flawed dm-crypt test (keyring)
and test crypt_get_volume_key_size works
as expected after LUKS2 crypt_format (before
adding first keyslot).
cryptsetup now requires dm-crypt v1.18.1 or higher
to use kernel keyring service for passing VKs.
Also, relevant API functions fail if CRYPT_ACTIVATE_KEYRING_KEY
is set, but library is not allowed to use kernel keyring for
VK.
Originally the key description for VK was derived
from segment id. This could lead to ambiguity when
keyslot key is verified and loaded in kernel keyring
using activation functions with CRYPT_ACTIVATE_KEYRING_KEY
flag raised.
