eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-18 22:30:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
3,915 Commits 13 Branches 80 Tags
f147c823ea44d15793e67d6ea1eee189102c3391
Commit Graph

18 Commits

Author SHA1 Message Date
Milan Broz
1c31b93e5c Add --disable-blkid CLI option. 
To be used with luksFormat if blkid fails for unknown reason.
 2023-09-12 22:09:06 +02:00
Daniel Zatovic
1aab3afcba Allow activation, resume and luksAddKey using VK stored in keyring. 
Add --volume-key-keyring option, which takes a name of a key in keyring,
which will be used as a VK during device activation. The key can be
specified in keyctl-compatible syntax "%<key_type>:<key_name>".
 2023-08-16 14:17:34 +02:00
Ondrej Kozina
b65fb6072e Do not mention --new-keyfile option in luksChangeKey action man page. 2023-08-15 15:23:17 +02:00
Milan Broz
d173514b81 Do not decrease PBKDF parameters if a user forces them. 
If a user explicitly specifies PBKDF parameters (like iterations,
used memory of threads), do not limit them, even if it can cause
resource exhaustion.

The only limits are hard limits per the PBKDF algorithm.

The force options were mostly used for decreasing parameters,
but it should work even opposite - despite the fact it can mean
shooting yourself in the foot (OOM).

Fixes: #812
 2023-04-24 13:09:34 +02:00
Ondrej Kozina
93c5013577 Clarify when cryptsetup asks for LUKS2 token PINs. 2023-02-09 12:40:50 +00:00
Milan Broz
9f8fe3da16 Fix some typos. 2022-10-01 22:35:52 +02:00
Ondrej Kozina
5fce0c2ad1 Extend luksAddKey action options via crypt_keyslot_add_by_keyslot_context API. 
In practice luksAddKey action does two operations. It unlocks existing
device volume key and stores unlocked volume key in a new keyslot.
Previously the options were limited to key files and passphrases.
With this patch user may combine freely following options:

To unlock keyslot with volume key user may:
- provide existing passphrase via interactive prompt (default method)
- use --key-file option to provide file with a valid passphrase to existing keyslot
- provide volume key directly via --volume-key-file
- unlock keyslot via all available LUKS2 tokens by --token-only
- unlock keyslot via specific token with --token-id
- unlock keyslot via specific token type by --token-type

To provide the passphrase for a new keyslot user may:
- provide existing passphrase via interactive prompt (default method)
- use --new-keyfile parameter or positional parameter to read the
  passphrase from file.
- use --new-token-id to select specific LUKS2 token to get passphrase
  for new keyslot. New keyslot is assigned to selected token id if
  operation is succesfull.

Fixes: #725.
 2022-09-29 17:31:29 +02:00
Ondrej Kozina
2e29eb7906 cryptsetup-luksAddKey man page cleanup. 2022-09-22 17:45:20 +02:00
Ondrej Kozina
90ad841a45 Add cryptsetup token unassign action. 
Allows removing token binding on specific keyslot.
 2022-09-16 14:34:28 +02:00
Ondrej Kozina
033ff34109 Enable adding unassigned luks2-keyring token in cryptsetup. 
There was no easy way to add unassigned luks2-keyring token.
Reuse --unbound parameter for it.
 2022-09-16 12:34:32 +02:00
Ondrej Kozina
0d61e4c20f Clarify --unbound usage in man pages. 2022-09-16 12:32:24 +02:00
Milan Broz
766ac108ec Fix option descriptions and lists mentioned in man pages. 2022-07-28 10:51:22 +00:00
Ondrej Kozina
b9b7c3a9bd Add detached header warning in reencrypt man page. 2022-07-28 10:41:20 +00:00
Guilhem Moulin
3e178caeaf Document more supported options in cryptsetup-luksResume(8). 
`cryptsetup luksResume --disable-external-tokens --keyfile-offset 123`
does work but these options weren't documented.
 2022-07-21 02:29:05 +02:00
Guilhem Moulin
3106b4e2c1 More typo and spelling fixes. 
Reported by `git ls-tree -rz --name-only | grep -Evz -e '\.(pdf|xz)$' -e
^po/ | xargs -r0 spellintian --`.  All changes are
documentation-related (comments, manuals, etc.) except for s/fial/fail/
in tests/unit-wipe-test.

The remaining entry are AFAICT all false positives, mostly annotations
such as `@param name name of xyz` or `struct foo foo`:

	$ git ls-tree -rz HEAD --name-only | grep -Evz -e '\.(pdf|xz)$' -e ^po/ | xargs -r0 spellintian --
	COPYING.LGPL: "GNU Library Public License" -> "GNU Library General Public License"
	autogen.sh: echo echo (duplicate word) -> echo
	configure.ac: fi fi (duplicate word) -> fi
	docs/v1.7.2-ReleaseNotes: option option (duplicate word) -> option
	lib/crypto_backend/cipher_check.c: block block (duplicate word) -> block
	lib/libcryptsetup.h: name name (duplicate word) -> name
	lib/libcryptsetup.h: type type (duplicate word) -> type
	lib/libcryptsetup.h: passphrase passphrase (duplicate word) -> passphrase
	lib/libcryptsetup.h: flags flags (duplicate word) -> flags
	lib/libcryptsetup.h: password password (duplicate word) -> password
	lib/libcryptsetup.h: salt salt (duplicate word) -> salt
	lib/libcryptsetup.h: keyslot keyslot (duplicate word) -> keyslot
	lib/libcryptsetup.h: priority priority (duplicate word) -> priority
	lib/libcryptsetup.h: offset offset (duplicate word) -> offset
	lib/libcryptsetup.h: length length (duplicate word) -> length
	lib/libcryptsetup.h: keyfile keyfile (duplicate word) -> keyfile
	lib/libcryptsetup.h: token token (duplicate word) -> token
	lib/libcryptsetup.h: cipher cipher (duplicate word) -> cipher
	lib/libcryptsetup.h: size size (duplicate word) -> size
	lib/luks2/luks2_json_metadata.c: long long (duplicate word) -> long
	lib/luks2/luks2_keyslot_luks2.c: AFEKSize AFEKSize (duplicate word) -> AFEKSize
	lib/luks2/luks2_reencrypt.c: alignment alignment (duplicate word) -> alignment
	lib/luks2/luks2_reencrypt_digest.c: ptr ptr (duplicate word) -> ptr
	lib/luks2/luks2_reencrypt_digest.c: buffer buffer (duplicate word) -> buffer
	lib/luks2/luks2_segment.c: min min (duplicate word) -> min
	lib/verity/verity_fec.c: blocks blocks (duplicate word) -> blocks
	man/cryptsetup.8.adoc: LUKS LUKS (duplicate word) -> LUKS
	scripts/cryptsetup.conf.in: root root (duplicate word) -> root
	src/Makemodule.am: endif endif (duplicate word) -> endif
	src/cryptsetup.c: long long (duplicate word) -> long
	src/utils_args.c: long long (duplicate word) -> long
	tests/compat-test2: fi fi (duplicate word) -> fi
	tests/device-test: echo echo (duplicate word) -> echo
	tests/differ.c: long long (duplicate word) -> long
	tests/loopaes-test: done done (duplicate word) -> done
	tests/luks2-integrity-test: aead aead (duplicate word) -> aead
	tests/luks2-reencryption-test: fi fi (duplicate word) -> fi
	tests/mode-test: done done (duplicate word) -> done
	tests/password-hash-test: cat cat (duplicate word) -> cat
	tests/password-hash-test: fi fi (duplicate word) -> fi
	tests/unit-wipe.c: long long (duplicate word) -> long
	tests/verity-compat-test: done done (duplicate word) -> done
	tests/verity-compat-test: fi fi (duplicate word) -> fi
	tokens/ssh/cryptsetup-ssh.c: argp argp (duplicate word) -> argp
	tokens/ssh/cryptsetup-ssh.c: arguments arguments (duplicate word) -> arguments

(Treated COPYING.LGPL as a false positive too since it's the exact text
from https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html .)
 2022-07-15 16:35:02 +02:00
Guilhem Moulin
5d711c000f Fix minor spelling errors. 
(Found by Lintian.)
 2022-07-15 12:16:39 +02:00
Ondrej Kozina
d943b2efb9 Clarify cryptsetup-open options in man page. 2022-07-14 13:51:37 +00:00
daniel.zatovic
a2afe0396f Split manual pages into per-action page and use AsciiDoc format 
Use pre-generated man pages in make dist.

[Added fixes and updates from Ondrej Kozina and Milan Broz]
 2022-07-13 21:08:02 +02:00