For some reason the volume key file have to exists.
Let's change the logic to the same as for luksBackupHeader
(a file is created and operation fails if it already exists).
Move all messages to cryptsetup tools and print these
verbose messages:
- Key slot X unlocked.
- Key slot X created.
- Key slot X removed.
and
- Token X created.
- Token X removed.
Also print error, if unknown token is tried to be removed.
As poptGetOptArg() returns "const char *", assigning it to a
"const char *" varible triggers a warning on Clang:
"incompatible-pointer-types-discards-qualifiers".
If removed subcondition was true --keep-key parameter (alone)
would fail the command. But it is valid to request reencryption
of LUKS header and applying defaults to pbkdf parameters.
the user provided PIM value was not forwarded to the respective
implementation dumping the VeraCrypt header information.
extends the tcrypt-compat-test such that tcryptDump is performed
on VeraCrypt containers as well.
A keyslot not bound to any segment can store any key for any purpose.
To easily check slot status, new enum value is introduced.
This status is valid only for LUKS2, so the functions are backward compatible
with LUKS1.
An unbound keyslot is slot not assigned to a segment;
such a keyslot cannot be used to activate LUKS device, but
can be used for an arbitrary key store.
This patch adds --unboud option for luksAddKey cryptsetup command.
Some ciphers and key sizes created on-disk metadata that cannot be used.
Use the same test for length-preserving cipher as LUKS1.
Also check if key for integrity algorithm is not too small.
Fixes#373.
The kernel 4.17 will include a new dm-verity flag that
instructs kernel to verify data blocks only once.
This patch adds support for it to libcryptsetup and veritysetup.
This flag can be dangerous; if you can control underlying device
(you can change its content after it was verified) it will no longer
prevent reading tampered data and also it does not prevent to silent
data corrruptions that appears after the block was once read.
It there is an input on stdin (pipe), we cannot retry for password,
a retry applies only for the real terminal.
Also the retry lost EPERM (wrong passphrase) return code in this case,
replacing it with tty read error.
Fixes#321.
This patch allows encryption/decryption of the whole device,
IOW add encryption later with detached header.
This operation can be dangerous, there is no fixed bindings between
the specific LUKS header and data device (encrypted data device
contains no magic signatures).
With --persistent option, write only flags actually
used during activation. In other words we will not
store anymore flags not supported by running kernel.
