Compare commits

122 Commits

Author SHA1 Message Date
Ondrej Kozina
5d69c34f59 Reinstate pbkdf serialization flag in device activation.
crypt_activate_by_keyslot_context never respected pbkdf serialization
flag (CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF).

In fact it worked only when device was activated via passphrase or via
passphrase file. It was never respected when device was activated
by a token for example.

When the internal code was fully switched to activation via keyslot
context the legacy code for passphrase based activation was dropped
and we lost track of serialization flag completely.

This fixes all of the issues so now the serialization flag will be
respected also with tokens (and all other activation methods unlocking
LUKS2 keyslot with memory hard pbkdf).

Fixes: 58385d68d8 (Allow activation via keyslot context)
Fixes: #968.
2025-11-27 14:51:44 +01:00
Ondrej Kozina
e1cbd4ecba tests: add simple verification test for --serialize-memory-hard-pbkdf 2025-11-27 14:51:32 +01:00
Kfir Kahanov
9ea9af1bcd tests: Add Bitlocker images for clearkey 2025-11-21 22:07:01 +02:00
Kfir Kahanov
4fe1601d9c bitlocker: Open bitlocker devices with clearkey
Always trying to open with clearkey when available
2025-11-21 22:07:01 +02:00
Kfir Kahanov
72173b2777 bitlocker: Handle getting NULL passwords 2025-11-21 22:07:01 +02:00
Kfir Kahanov
f304132b2b bitlocker: Support clearkey
Clearkey does not mean partially encrypted, and may be on fully
encrypted volumes.
2025-11-21 22:07:01 +02:00
Milan Broz
0779c8ceed Explicitly mention units (bytes) for volume key in header. 2025-11-21 16:34:47 +01:00
Milan Broz
153aed3d16 Fix key-size descriptions
For compatibility reasons, cryptsetup uses key size in BITS
while integritysetup in BYTES.

The help is confusing here, this patch fixes it.

Thanks Daniel Tang for notification.
2025-11-21 16:34:47 +01:00
Milan Broz
8a3e16fa25 tests: Avoid verity concurrent test failure on device node check
This regularly crashes on Alpine Linux that uses some strange
configuration.
Udev settle seems to help, despite it should be noop on recent systems...
2025-11-21 14:29:38 +01:00
Milan Broz
8da66c3066 verity: Support status info about FEC repaired events
Kernel 6.19 will support additional info on dm-verity status
line that contains number of FEC successful repair events.

This patch adds support to libcryptsetup and veritysetup status command.

Ref. https://lore.kernel.org/dm-devel/074e1ecc-6690-1c22-0dba-454e191e1b6f@redhat.com/T/#m1af31c9c4263fe2b1fb58dee2fd7f0bdf045c463
2025-11-20 17:18:37 +01:00
Milan Broz
11a4fc6790 tests: use utility to detect FIPS mode
Also try to use crypto lib/kernel check where appropriate.

This can be useful for local testing (non-FIPS kernel) but
should not break real FIPS systems.
2025-11-19 22:09:27 +01:00
Milan Broz
e4c498d15b Remove fips argument from crypt_backend_init()
It is really not needed, as it is detected automagically.
2025-11-19 22:09:27 +01:00
Milan Broz
e609c47916 tests: Add fips mode detection to crypt check tool 2025-11-19 22:09:27 +01:00
Milan Broz
ccc0c69cd7 Add fips_mode check for kernel.
Also add a separate function so we can detect that kernel and crypto
lib is in different FIPS state (only for testing).
2025-11-19 22:09:27 +01:00
Milan Broz
7fba92260a ci: Fix Alpine runner dependences
gettext-dev installs also gettext.
argp-standalone is needed with musl.
This ensures that we can later use simplified package mappings.
2025-11-19 18:16:17 +01:00
Milan Broz
76ea8f13cf tests: Fix coding style (tabs) 2025-11-18 19:39:18 +01:00
Ondrej Kozina
bbc053682a Do not read test hotzone device repeatedly.
While allocating internal data structure for a device
overlaying reencryption hotzone we accidentally read
tested the device in each reencryption step. This
was suboptimal so now the device is read only once
while initializing the reencryption device-mapper stack.
2025-11-17 13:56:39 +01:00
Milan Broz
c9fd8b5ed4 Set devel version. 2025-11-17 13:55:40 +01:00
Kristina Hanicova
fbd295259c ci: remove ubuntu 2025-11-14 15:47:28 +01:00
Ondrej Kozina
5490d28aa4 Drop never used code in storage wrapper utils.
It was never used...
2025-11-13 15:24:12 +01:00
Ingo Franzki
296eb39c60 Changes to support PHMAC with integritysetup and cryptsetup
Make the PHMAC integrity algorithm known to libcryptsetup.

The size of a key for PHMAC is not known, because PHMAC gets an opaque
blob as key, whose physical size has nothing to do with the cryptographic
size. Thus, let INTEGRITY_key_size() and crypt_parse_integrity_mode()
return the required_key_size as key size for PHMAC, or -EINVAL if
required_key_size is zero, to indicate that the size is unknown.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
2025-11-13 09:21:40 +01:00
Ondrej Kozina
917b6836a9 Always use json-c types in internal code.
Sometimes we used "struct json_foo_bar" and sometimes "json_foo_bar"
json-c defined type. Stick with one notation in internal code.
2025-11-12 13:13:02 +01:00
Ondrej Kozina
b36d4be8fa opal: suppress confusing debug messages.
Do not print sed-opal specific debug messages with confusing
error codes if ioctl() call failed with -1. Usually that means
the kernel does not support sed-opal interface or the requested
ioctl number is not implemented.
2025-11-06 11:14:56 +01:00
Ondrej Kozina
0a8e7da7ae opal: fix debug message on failed sed-opal ioctl.
ioctl syscall always returns -1 on error (see ioctl(2)).
On error the actual reason is reported via errno variable.
Let's store the original errno code in the variable
so that it can be printed out in debug mode.

Before this fix the debug message always reported "Operation not
permitted" (the translation of errno EPERM (1)).
2025-11-06 11:09:43 +01:00
Ondrej Kozina
83a7310ca2 opal: do not initialize LRs array in activation.
The lr member in opal_lr_act kernel structure is
ignored unless the device is being activated in SUM
mode.

See kernel implementation of IOC_OPAL_ACTIVATE_LSP
in block/sed-opal.c
2025-11-03 16:05:08 +01:00
Ondrej Kozina
441802773f opal: simplify User setup routine.
Reduce memory copying by reusing nested structure in opal_lock.
2025-11-03 16:05:08 +01:00
Ondrej Kozina
cc66b1fa52 opal: pull User setup in separate function. 2025-11-03 16:05:08 +01:00
Ondrej Kozina
a0d5d2bf5e opal: pull individual range setup in separate function. 2025-11-03 16:05:08 +01:00
Ondrej Kozina
61dbb69319 opal: pull reuse of active device in separate function. 2025-11-03 16:05:08 +01:00
Ondrej Kozina
32b33541a8 opal: pull LSP activation in separate function. 2025-11-03 16:05:08 +01:00
Ondrej Kozina
346db2e42a opal: add a named constant for TCG FAIL status.
Will be checked upon later when we add support
for OPAL2 SUM Reactivate method.
2025-11-03 16:05:08 +01:00
Milan Broz
0d07e80077 Fix typo in volume-key-file help.
Fixes: #966
2025-11-03 10:58:15 +01:00
Milan Broz
dc2251b88d man: Fix typo in integritysetup man page. 2025-10-31 08:31:21 +01:00
Ondrej Kozina
a8e8e39007 Fix possible use of uninitialized variable.
device_tag_size variable was not initialized and used
when device_is_nop_dif returned negative error code.
2025-10-30 13:59:54 +01:00
Kristina Hanicova
bcef385346 ci: Add Centos Stream 10 runner 2025-10-19 22:20:47 +02:00
Ondrej Kozina
9810c6fb2f Read integrity profile info from top level device.
When formatting device with --integrity-inline option
there's a check if underlying device properly advertises
integrity profile support. The check did not work
properly for partition device nodes. We have to read
integrity profile info from top level block device.

Fixes: #964.
2025-10-17 15:25:32 +02:00
Ondrej Kozina
4d98add260 opal: Submit PSID reset command to R/W file descriptor.
The PSID reset erases the block device it's submitted to
successfully.

By submitting the command to read-only fd previously
there were partition device nodes still visible in
the /dev directory because kernel does not trigger rescan
after OPAL2 PSID reset. Even though all the partition were
actually erased (including the partition table).

We workaround the issue by submitting the PSID reset
to R/W fd so that it triggers rescan event on close.
2025-10-06 10:37:37 +02:00
Milan Broz
0eaaa4553e Fix handling of too long label and subsystem fields
These LUKS2 labels are stored in the binary header area that has limited size.

While we have been silently truncating strings here, it is something that
is not expected, as the final label is then different than expected.

Let's fix the code to explicitly print and return error here.

Also remove the comment about duplicate check. It is incorrect optimization,
as some users will expect a real write on disk, we should not skip it.

Fixes: #958
2025-10-01 21:41:55 +02:00
Ondrej Kozina
3a8feb8be7 Improve check for a function attribute support.
The compiler may advertise function attribute support
with __has_attribute operator even though it does
not implement the feature on some architecture.

This fixes the issue with GCC 11 on ppc64le with
__attribute__((zero_call_used_regs("used"))).

Fixes: #959.
2025-09-11 14:18:39 +02:00
Kristina Hanicova
2b9523a1ef ci: Remove rhel runner 2025-08-29 15:21:26 +02:00
Maxim Suhanov
68d4749d8a bitlk: implement validation of FVE metadata
This commit implements FVE metadata block validation based on:
* CRC-32 (to detect random corruption);
* AES-CCM-encrypted SHA-256 (to detect malicious manipulations).

The hash-based validation requires us to decrypt the VMK first, so
it's only performed when obtaining the volume key.

This allows us to detect corrupted/altered FVE metadata blocks and
pick the valid one (before this commit: the first FVE metadata block
is always selected).

Fixes: #953

tests: add BitLocker image with corrupted headers

The image contains 2 manually corrupted metadata blocks (out of 3),
the library should use the third one to correctly load the volume.

Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
2025-08-29 15:16:36 +02:00
Milan Broz
9cfdd6ba06 Version 2.8.1. 2025-08-19 10:57:12 +02:00
Marián Haburaj
4749473c39 po: update sk.po (from translationproject.org) 2025-08-18 20:02:14 +02:00
Milan Broz
4a1384452c Add release notes for 2.8.1. 2025-08-18 16:38:45 +02:00
Milan Broz
b0821b11a5 Add the same cipher_null restriction to LUKS2 keyslot as in LUKS1.
LUKS2 keyslot cannot be created with cipher_null using standard
tools, but activation of such a keyslot is allowed.

As this can be confusing and create a false sense of security,
let's apply the same restriction as in LUKS1 - such a keyslot
is used only with an empty passphrase.

This will reject activation with a real password, avoiding
possible activation of insecure LUKS containers.

Fixes: #954
2025-08-18 08:22:51 +02:00
Milan Broz
098d2122e5 Remove redundant test in LUKS2 keyslot cipher incompatible test.
The null_cipher is tested twice there.
2025-08-18 08:22:51 +02:00
Jakub Bogusz
df58aa5aee po: update pl.po (from translationproject.org) 2025-08-18 08:21:53 +02:00
Antonio Ceballos
9e9f6bcb5b po: update es.po (from translationproject.org) 2025-08-18 08:21:53 +02:00
Roland Illig
c8166fc696 po: update de.po (from translationproject.org) 2025-08-18 08:21:53 +02:00
Petr Pisar
c48cac6c65 po: update cs.po (from translationproject.org) 2025-08-18 08:21:53 +02:00
Yuri Chornoivan
c9d32b7462 po: update uk.po (from translationproject.org) 2025-08-14 17:23:28 +02:00
Мирослав Николић
c91d641e0c po: update sr.po (from translationproject.org) 2025-08-14 17:23:28 +02:00
Remus-Gabriel Chelu
5ac42f98bd po: update ro.po (from translationproject.org) 2025-08-14 17:23:28 +02:00
Temuri Doghonadze
d825083baa po: update ka.po (from translationproject.org) 2025-08-14 17:23:28 +02:00
Hiroshi Takekawa
79b09a897f po: update ja.po (from translationproject.org) 2025-08-14 17:23:28 +02:00
Frédéric Marchal
a42083e6c8 po: update fr.po (from translationproject.org) 2025-08-14 17:23:28 +02:00
Milan Broz
b8d3ff3b1a Version 2.8.1-rc0 (for translation). 2025-08-13 15:25:39 +02:00
Milan Broz
b7ec4a9d9b test: fix warning about missing NUL terminator
Both gcc-15 and clang-22 now warn if there is no space for null character.

As we use this as binary buffer, just do not use fixed char array here.
2025-08-13 11:03:30 +02:00
Milan Broz
10e5ab1a87 tcrypt: Fix detecting status of chained modes
The function dm_uuid_cmp cannot be used for TCRYPT, it expects
LUKS UUID, not a device name.

Fixes: #952
2025-08-08 11:15:32 +02:00
Milan Broz
57a8837879 ci: Disable fd leak detection for gcc analyzer on Alpine
This generates false positives, probably another system header
incompatibility in musl.
2025-08-01 16:48:08 +02:00
Milan Broz
b0d38f932f Add (ugly) workaround for musl broken macro
Nobody fixes this for years, there are multiple discussions.
Let's just ignore it.
2025-08-01 16:48:08 +02:00
Milan Broz
b7e3ea592b Avoid warning about unused parameter.
This fixes compilation warning:
   error: unused parameter 'version' [-Werror=unused-parameter]
2025-08-01 16:48:08 +02:00
Milan Broz
c618a50de8 Avoid truncated NULL terminator gcc warning
This prevents gcc warnings:
  warning: initializer-string for array of 'unsigned char' truncates
  NUL terminator but destination lacks 'nonstring' attribute

While there is "nonstring" attribute, clang does not support it,
so this is the simplest solution.
2025-08-01 16:48:08 +02:00
Milan Broz
7b43c6a784 ci: Add stringop-overread warning to compilations test 2025-08-01 16:47:25 +02:00
Milan Broz
149a414c93 ci: Add Alpine shared runner test for gcc/clang compilation
Alpine is continuously updated in GitLab; we get new errors automatically
once a new version is deployed.
2025-08-01 16:47:25 +02:00
Milan Broz
e33a315776 ci: Update clang version
And remove unneeded variable, we do not run test in shared runners.
2025-08-01 16:47:25 +02:00
Milan Broz
8546260a49 ci: Move compiler version report to script
Preparation for Alpine jobs.
2025-08-01 16:47:25 +02:00
Milan Broz
fa5ab78837 Support --prefix also in Meson for tmpfilesdir 2025-08-01 15:27:27 +02:00
Milan Broz
80a1ebe93e Define EXTERNAL_LUKS2_TOKENS_PATH even for autoconf
Meson already uses config.h here, do the same instead of commandline
define option.

Expanding the variable is tricky, though...
2025-08-01 15:27:27 +02:00
Milan Broz
70a69b5059 Fix luks2-external-tokens-path option for meson
The variable was never called default-* in autoconf,
name is the same.

Moreover, it defines unneeded DEFAULT_* entry in config.h.
2025-08-01 15:27:27 +02:00
Milan Broz
32e9bed060 Fix wrongly generated config.h paths
For some reason, external token path and tmpfilesdir uses a macro
that generates entry in config.h, producing these #defines:
  DEFAULT_LUKS2_EXTERNAL_TOKENS_PATH
  DEFAULT_TMPFILESDIR

Neither one is used in C code, moreover, definitions are wrong,
as variables are modified after entry is pushed to config.

Remove the macro call and use AC_ARG_WITH directly.
2025-08-01 15:27:27 +02:00
Milan Broz
12eaacaaaf Do not try to install tmpfiles in system path if $prefix is set
If cryptsetup is being installed to different directory using --prefix
configure switch, it tries to use absolute system path (and fails).

Let's instruct pkgconfig to return proper prefixed tmpfiles variable.
2025-08-01 15:27:27 +02:00
Milan Broz
d0312d6c34 man: Install fvault2Open man page in Meson. 2025-08-01 15:27:27 +02:00
Milan Broz
4a67af439e Do not silently decrease PBKDF parallel cost (threads)
The maximum parallel cost is set since the introduction of Argon2 to 4.

Do not silently decrease the value (if explicitly set by the option)
but fail instead.
2025-08-01 12:31:02 +02:00
Vojtech Trefny
d77ece493d tests: Add BitLocker image with multibyte character in passphrase 2025-07-30 13:43:14 +02:00
Vojtech Trefny
04d307d9c0 bitlk: Fix unlocking bitlocker with multibyte utf8 characters
Fixes: #950

Co-authored-by: Thomas Lidén
2025-07-30 13:43:14 +02:00
Ondrej Kozina
6c7c8d36bb Fix bug in parsing of tcrypt device in crypt_init_by_name.
When TCRYPT subdevices were moved to use SUBDEV dm uuid prefix
we did not correctly modify the TCRYPT_status_one routine
to correctly expect the SUBDEV uuid prefix.

Fixes: cf630f578d
Fixes: #952.
2025-07-29 13:49:37 +02:00
Ondrej Kozina
b6ddaa40bf Refactor tcrypt subdev check in a helper routine.
Add comments what parts will be removed later.
2025-07-29 13:49:37 +02:00
Funda Wang
1c75cd0dc4 meson: install binaries 2025-07-29 12:23:22 +02:00
Milan Broz
267de08586 man: Try to explain PBKDF hardcoded limits. 2025-07-29 09:14:56 +02:00
Milan Broz
e0a5fb2c25 man: Add better explanation for automatic integrity tag recalculation. 2025-07-29 09:14:56 +02:00
Milan Broz
b995ab243c man: Mention crypt/verity/integritytab. 2025-07-29 09:14:56 +02:00
Milan Broz
a498757fd4 man: Use *WARNING* only for serious issues.
Use highlighted warning only for possibility of data loss or serious security issues.

No need to scary people everywhere :)
2025-07-29 09:14:56 +02:00
Milan Broz
349912fec2 man: Do not use *NOTE*, it is just a normal description. 2025-07-29 09:14:56 +02:00
Milan Broz
b0e3b94839 man: Remove mentions about archeologic kernel 2.6 and kernel 4.x 2025-07-29 09:14:56 +02:00
Milan Broz
c66c520e26 man: Always mention <options> as the last paragraph.
Move all notes and warnings to description text.
Refine some small clarification.

Do not use NOTE/WARNING unless there is a serious reason (data loss).
2025-07-29 09:14:56 +02:00
Milan Broz
2c95933bb5 man: Clarify that commands do not wipe data, unify OPAL reset wording. 2025-07-29 09:14:56 +02:00
Milan Broz
bc1b149ee4 man: Better mark option --align-payload as deprecated. 2025-07-29 09:14:56 +02:00
Milan Broz
55272bee98 man: Make --sector-size option description more clear. 2025-07-29 09:14:56 +02:00
Milan Broz
9590d6fe62 man: Clarify --label option. 2025-07-29 09:14:56 +02:00
Milan Broz
5af06cb6cc man: Weaken warning about /dev/urandom as recent kernels behave much better. 2025-07-29 09:14:56 +02:00
Milan Broz
a9e245f68c man: Update and clarify cryptsetup man page notes. 2025-07-29 09:14:56 +02:00
Milan Broz
74a4de9fdd man: Unify tools description and add some context. 2025-07-29 09:14:56 +02:00
Milan Broz
2d4c40e627 CI: update gcc explicitly on Alpine Linux 2025-07-28 22:27:07 +02:00
Milan Broz
2cf4c9a360 man: Avoid forced line breaks where not necessary. 2025-07-17 15:18:21 +02:00
Milan Broz
360f85dde7 man: Grammar and simple stylistic fixes.
This is based mainly on Grammarly.

It unifies man pages to at least some level of grammar,
so later we can focus on adding more readable content.
2025-07-17 15:01:39 +02:00
Milan Broz
1438140ce3 man: Do not wrap sentences in man pages.
This helps to use external tools for language checking.
2025-07-17 12:38:17 +02:00
Milan Broz
a52e1aadca man: unify formatting of options
- do not use bold if option is the text
- unify argument format
- do not highlight obsolete syntax
2025-07-17 11:51:18 +02:00
Milan Broz
19a4f53c07 man: Do not use bold font in text/URL to avoid format issues. 2025-07-17 11:39:57 +02:00
Milan Broz
8a73750ba9 doc: Mention Asciidoctor in Readme required packages. 2025-07-14 10:55:56 +02:00
Ondrej Kozina
db720abcc3 ci: enable systemd-test-plugin on Rawhide. 2025-06-26 16:24:04 +02:00
Ondrej Kozina
ebbecb6df0 Drop unused variable in systemd-test-plugin. 2025-06-26 14:38:08 +02:00
Ondrej Kozina
830bd02160 tests: enable systemd-tpm2 test to run with default system path.
If run in Makefile.localtest there was unset CRYPTSETUP_TOKENS_PATH.
It's valid test case to run with systemd-tpm2 plugin installed on
the system (integration tests).
2025-06-26 14:34:23 +02:00
Milan Broz
ea96360efc Include fuzz/meson.build in release
Fixes: #949
2025-06-25 21:10:27 +02:00
Milan Broz
eb9f0a63b8 Set devel version. 2025-06-25 21:09:33 +02:00
Milan Broz
13306948c8 Version 2.8.0. 2025-06-24 09:30:17 +02:00
Vojtech Trefny
cdc451a61a Fix expected keyslot context for LUKS1 activate_by_keyring 2025-06-23 14:22:13 +02:00
Ondrej Kozina
04ca5087f8 man: Add cryptsetup-reencrypt token usage examples. 2025-06-23 14:10:16 +02:00
Milan Broz
2262641c74 tests: Reinitialize integrity device after inline test 2025-06-22 09:35:39 +02:00
Milan Broz
232ba8dd3a Add missing crypto backend init in crypt_format_inline.
This triggers abort() in various crypto backends.
2025-06-22 09:35:18 +02:00
Antonio Ceballos
3490944c27 po: update es.po (from translationproject.org) 2025-06-18 11:53:22 +02:00
Petr Pisar
e8c32e5c41 po: update cs.po (from translationproject.org) 2025-06-18 11:53:22 +02:00
Milan Broz
ccc9a977f7 tests: Use truncate and detect failure.
The fallocate can fail, while it has -x option,
we use truncate in different tests, so switch to it.

Also fail early if truncate fails.
2025-06-18 10:10:52 +02:00
Yuri Chornoivan
a0929f67f1 po: update uk.po (from translationproject.org) 2025-06-17 14:46:59 +02:00
Marián Haburaj
e57f1b3dd8 po: update sk.po (from translationproject.org) 2025-06-17 14:46:59 +02:00
Remus-Gabriel Chelu
e9a20ad3dc po: update ro.po (from translationproject.org) 2025-06-17 14:46:59 +02:00
Jakub Bogusz
f3d348776d po: update pl.po (from translationproject.org) 2025-06-17 14:46:59 +02:00
Hiroshi Takekawa
e9c626cccd po: update ja.po (from translationproject.org) 2025-06-17 14:46:59 +02:00
Frédéric Marchal
ef592405dd po: update fr.po (from translationproject.org) 2025-06-17 14:46:59 +02:00
Roland Illig
5ce481a8c2 po: update de.po (from translationproject.org) 2025-06-17 14:46:59 +02:00
Guilhem Moulin
9b5ed35078 bitlk-compat-test: Use eval in load_vars().
It appears that using the `source` builtin with process substitution
yields a race condition:

	./tests$ ./bitlk-compat-test; echo RV=$?
	HEADER CHECK
	 bitlk-images/bitlk-aes-cbc-128-4k.img [OK]
	 bitlk-images/bitlk-aes-cbc-128.img [OK]
	 bitlk-images/bitlk-aes-cbc-256.img [OK]
	 bitlk-images/bitlk-aes-cbc-elephant-128.img [OK]
	 bitlk-images/bitlk-aes-cbc-elephant-256.img [OK]
	 bitlk-images/bitlk-aes-xts-128-4k.img [OK]
	 bitlk-images/bitlk-aes-xts-128-eow.img./bitlk-compat-test: trap: line 2: unexpected EOF while looking for matching `)'
	./bitlk-compat-test: command substitution: line 70: syntax error near unexpected token `)'
	./bitlk-compat-test: command substitution: line 70: `echo "$dump" | grep "Volume size:" | cut -d: -f2 | tr -d "\t\n ")'
	WARNING: You must be root to run activation part of test, test skipped.
	RV=0

This is with bash 5.2.37 on a Debian sid system.  It doesn't fail the
test, but affects coverage as subsequent images are not tested.
`eval`'ing the output of a pipe solves the race condition.

It's arguably not robust code, but load_vars() appears to make
assumption about images.conf's content and didn't account for edge cases
either.
2025-06-16 17:34:12 +02:00
Milan Broz
bf7d2c5a3b Use CDN in release links. 2025-06-16 14:40:42 +02:00
128 changed files with 7020 additions and 6246 deletions

View File

@@ -10,7 +10,6 @@ include:
- local: .gitlab/ci/debian.yml
- local: .gitlab/ci/fedora.yml
- local: .gitlab/ci/fedora-opal.yml
- local: .gitlab/ci/rhel.yml
- local: .gitlab/ci/centos.yml
# - local: .gitlab/ci/annocheck.yml
- local: .gitlab/ci/csmock.yml
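Review bot: dropping the `.gitlab/ci/rhel.yml` include in this list also drops the FIPS runners. The deleted file further down is where `./configure --enable-fips ...` and the `test-main-commit-rhel8-fips` job are defined, and no other job shown in this comparison is configured with `--enable-fips`. If FIPS-mode coverage is now expected to come from the CentOS Stream runners or from the new FIPS detection in the test utilities, state that in the commit message or in a comment next to the include list so the gap is a recorded decision.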
@@ -22,4 +21,3 @@ include:
- local: .gitlab/ci/alpinelinux.yml
- local: .gitlab/ci/debian-i686.yml
- local: .gitlab/ci/cifuzz.yml
- local: .gitlab/ci/ubuntu.yml

View File

@@ -7,8 +7,10 @@
- >
sudo apk add
lvm2-dev openssl-dev popt-dev util-linux-dev json-c-dev
argon2-dev device-mapper which sharutils gettext gettext-dev automake
argon2-dev device-mapper which sharutils gettext-dev argp-standalone automake
autoconf libtool build-base keyutils tar jq expect git asciidoctor
# Be sure we have updated basic tools and system
- sudo apk upgrade gcc binutils build-base musl
- ./autogen.sh
- ./configure --prefix=/usr --libdir=/lib --sbindir=/sbin --disable-static --enable-libargon2 --with-crypto_backend=openssl --disable-external-tokens --disable-ssh-token --enable-asciidoc
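Review bot: the new `sudo apk upgrade gcc binutils build-base musl` step has nothing in front of it that refreshes the package index, so on a runner with a stale index the comment "Be sure we have updated basic tools and system" does not hold. Run `sudo apk update` first, and extend the comment to say that the toolchain version now floats between runs, since a failure here may come from a compiler update and not from the commit under test.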

View File

@@ -1,6 +1,4 @@
.centos-openssl-backend:
variables:
DISTRO: cryptsetup-centos-stream-9
extends:
- .fail_if_coredump_generated
before_script:
@@ -29,6 +27,7 @@ test-main-commit-centos-stream9:
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-centos-stream-9
RUN_SSH_PLUGIN_TEST: "1"
RUN_KEYRING_TRUSTED_TEST: "1"
rules:
@@ -51,6 +50,53 @@ test-mergerq-centos-stream9:
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-centos-stream-9
RUN_SSH_PLUGIN_TEST: "1"
RUN_KEYRING_TRUSTED_TEST: "1"
rules:
- if: $RUN_SYSTEMD_PLUGIN_TEST != null
when: never
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
script:
- make -j
- make -j -C tests check-programs
- sudo -E make check
test-main-commit-centos-stream10:
extends:
- .centos-openssl-backend
tags:
- libvirt
- cryptsetup-centos-stream-10
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-centos-stream-10
RUN_SSH_PLUGIN_TEST: "1"
RUN_KEYRING_TRUSTED_TEST: "1"
rules:
- if: $RUN_SYSTEMD_PLUGIN_TEST != null
when: never
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
script:
- make -j
- make -j -C tests check-programs
- sudo -E make check
test-mergerq-centos-stream10:
extends:
- .centos-openssl-backend
tags:
- libvirt
- cryptsetup-centos-stream-10
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-centos-stream-10
RUN_SSH_PLUGIN_TEST: "1"
RUN_KEYRING_TRUSTED_TEST: "1"
rules:
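Review bot: the branch rule in the new `test-main-commit-centos-stream10` job, `$CI_COMMIT_BRANCH =~ /v2\..\.x$/`, has no start anchor and allows exactly one character for the minor version, so a branch named `wip-v2.8.x` matches while `v2.10.x` would not. Something like `/^v2\.[0-9]+\.x$/` states the intent. The two stream10 jobs also repeat the stream9 `rules:` and `script:` blocks line for line; moving those into `.centos-openssl-backend` or a second hidden job would leave only `tags:` and `DISTRO` per job and keep the regex in one place.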

View File

@@ -45,11 +45,3 @@ fi
DEBIAN_FRONTEND=noninteractive apt-get -yq install "${PACKAGES[@]}"
apt-get -y build-dep cryptsetup
echo "====================== VERSIONS ==================="
if [[ $COMPILER == "clang" ]]; then
echo "Using scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}"
fi
${COMPILER}-$COMPILER_VERSION -v
echo "====================== END VERSIONS ==================="

View File

@@ -4,26 +4,54 @@ test-clang-compilation:
script:
- export CFLAGS="-Wall -Werror"
- ./autogen.sh
- $CC --version
- ./configure
- make -j
- make -j check-programs
test-clang-Wall-script:
test-clang-Wall-script-ubuntu:
extends:
- .gitlab-shared-clang
script:
- export CFLAGS="-g -O0"
- export CC="$CI_PROJECT_DIR/.gitlab/ci/clang-Wall"
- ./autogen.sh
- $CC --version
- ./configure
- make -j CFLAGS="-g -O0 -Werror"
- make -j CFLAGS="-g -O0 -Werror" check-programs
test-scan-build:
test-clang-Wall-script-alpine:
extends:
- .gitlab-shared-clang-alpine
allow_failure: true
script:
- export CFLAGS="-g -O0"
- export CC="$CI_PROJECT_DIR/.gitlab/ci/clang-Wall"
- ./autogen.sh
- $CC --version
- ./configure
- make -j CFLAGS="-g -O0 -Werror"
- make -j CFLAGS="-g -O0 -Werror" check-programs
test-scan-build-ubuntu:
extends:
- .gitlab-shared-clang
script:
- ./autogen.sh
- echo "scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}"
- scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0"
- make clean
- scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j
- scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j check-programs
test-scan-build-alpine:
extends:
- .gitlab-shared-clang-alpine
allow_failure: true
script:
- ./autogen.sh
- echo "scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}"
- scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0"
- make clean
- scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j
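Review bot: `allow_failure: true` on `test-clang-Wall-script-alpine` and `test-scan-build-alpine` means a `-Werror` break or a `scan-build --status-bugs` finding on Alpine leaves the pipeline green, so the result is only useful if someone opens the job. Add a YAML comment above each job saying why it is allowed to fail and when that should be revisited. The Ubuntu job names changed as well (`test-clang-Wall-script` to `test-clang-Wall-script-ubuntu`, `test-scan-build` to `test-scan-build-ubuntu`); check that nothing else in the CI configuration refers to the old names.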
@@ -52,6 +80,7 @@ test-scan-build-backends:
- DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev libmbedtls-dev
- ./autogen.sh
- echo "Configuring with crypto backend $BACKENDS"
- echo "scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}"
- scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0" --with-crypto_backend=$BACKENDS
- make clean
- scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j

View File

@@ -4,30 +4,57 @@ test-gcc-compilation:
script:
- export CFLAGS="-Wall -Werror"
- ./autogen.sh
- $CC --version
- ./configure
- make -j
- make -j check-programs
test-gcc-Wall-script:
test-gcc-Wall-script-ubuntu:
extends:
- .gitlab-shared-gcc
script:
- export CFLAGS="-g -O0"
- export CC="$CI_PROJECT_DIR/.gitlab/ci/gcc-Wall"
- ./autogen.sh
- $CC --version
- ./configure
- make -j CFLAGS="-g -O0 -Werror"
- make -j CFLAGS="-g -O0 -Werror" check-programs
test-gcc-fanalyzer:
test-gcc-Wall-script-alpine:
extends:
- .gitlab-shared-gcc-alpine
allow_failure: true
script:
- export CFLAGS="-g -O0"
- export CC="$CI_PROJECT_DIR/.gitlab/ci/gcc-Wall"
- ./autogen.sh
- $CC --version
- ./configure
- make -j CFLAGS="-g -O0 -Werror"
- make -j CFLAGS="-g -O0 -Werror" check-programs
test-gcc-fanalyzer-ubuntu:
extends:
- .gitlab-shared-gcc
script:
- ./autogen.sh
- $CC --version
- ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" --host=x86_64
- make -j
- make -j check-programs
test-gcc-fanalyzer-alpine:
extends:
- .gitlab-shared-gcc-alpine
allow_failure: true
script:
- ./autogen.sh
- $CC --version
- ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events -Wno-analyzer-fd-leak" --host=x86_64
- make -j
- make -j check-programs
test-gcc-fanalyzer-backends:
extends:
- .gitlab-shared-gcc
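Review bot: `-Wno-analyzer-fd-leak` at the end of the `test-gcc-fanalyzer-alpine` configure line is easy to miss inside the long CFLAGS string and has no explanation in the YAML. Put a comment above the job naming the false positives it suppresses, so the flag can be removed once they are gone. The job is also `allow_failure: true`, which already tolerates analyzer noise; with both in place, a real fd leak that only shows up on the Alpine build would never be reported.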
@@ -50,6 +77,7 @@ test-gcc-fanalyzer-backends:
script:
- DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev libmbedtls-dev
- ./autogen.sh
- $CC --version
- echo "Configuring with crypto backend $BACKENDS"
- ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" --host=x86_64 --with-crypto_backend=$BACKENDS
- make -j

View File

@@ -30,6 +30,7 @@ test-main-commit-job-rawhide:
variables:
RUN_SSH_PLUGIN_TEST: "1"
RUN_KEYRING_TRUSTED_TEST: "1"
RUN_SYSTEMD_PLUGIN_TEST: "1"
rules:
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
@@ -51,6 +52,7 @@ test-mergerq-job-rawhide:
variables:
RUN_SSH_PLUGIN_TEST: "1"
RUN_KEYRING_TRUSTED_TEST: "1"
RUN_SYSTEMD_PLUGIN_TEST: "1"
rules:
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never

View File

@@ -36,7 +36,8 @@ EXTRA="-Wextra \
-Wmaybe-uninitialized \
-Wvla \
-Wformat-overflow \
-Wformat-truncation"
-Wformat-truncation \
-Wstringop-overread"
exec $GCC $PEDANTIC $CONVERSION \
-Wall $Wuninitialized \

View File

@@ -1,4 +1,5 @@
.gitlab-shared-docker:
# Ubuntu
.gitlab-shared-docker-ubuntu:
image: ubuntu:noble
tags:
- gitlab-org-docker
@@ -13,20 +14,48 @@
- export CC="${COMPILER}${COMPILER_VERSION:+-$COMPILER_VERSION}"
- export CXX="${COMPILER}++${COMPILER_VERSION:+-$COMPILER_VERSION}"
# Alpine
.gitlab-shared-docker-alpine:
image: alpine:latest
tags:
- gitlab-org-docker
stage: test
interruptible: true
rules:
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
before_script:
- apk add bash build-base clang clang-analyzer argp-standalone lvm2-dev openssl-dev popt-dev util-linux-dev json-c-dev device-mapper gettext-dev libssh-dev automake autoconf libtool tar asciidoctor
- export CC="${COMPILER}${COMPILER_VERSION:+-$COMPILER_VERSION}"
- export CXX="${COMPILER}++${COMPILER_VERSION:+-$COMPILER_VERSION}"
.gitlab-shared-gcc:
extends:
- .gitlab-shared-docker
- .gitlab-shared-docker-ubuntu
variables:
COMPILER: "gcc"
COMPILER_VERSION: "14"
CC: "gcc-14"
RUN_SSH_PLUGIN_TEST: "1"
.gitlab-shared-clang:
extends:
- .gitlab-shared-docker
- .gitlab-shared-docker-ubuntu
variables:
COMPILER: "clang"
COMPILER_VERSION: "19"
CC: "clang-19"
RUN_SSH_PLUGIN_TEST: "1"
COMPILER_VERSION: "20"
CC: "clang-20"
.gitlab-shared-gcc-alpine:
extends:
- .gitlab-shared-docker-alpine
variables:
COMPILER: "gcc"
CC: "gcc"
.gitlab-shared-clang-alpine:
extends:
- .gitlab-shared-docker-alpine
variables:
COMPILER: "clang"
CC: "clang"
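Review bot: `image: alpine:latest` in `.gitlab-shared-docker-alpine` is a floating tag, while the Ubuntu template in the same file pins `ubuntu:noble`, and the `apk add` line in `before_script` installs whatever versions are current. If tracking the newest Alpine is deliberate, say so in the `# Alpine` comment so it is not pinned later by mistake. Separately, `CC` is set in each `variables:` block and exported again in `before_script` from `COMPILER` and `COMPILER_VERSION`; keeping one source avoids the two drifting apart, as the `COMPILER_VERSION: "20"` / `CC: "clang-20"` pair must already be edited together.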

View File

@@ -1,157 +0,0 @@
.rhel-openssl-backend:
extends:
- .fail_if_coredump_generated
before_script:
- >
sudo yum -y -q install
autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
libblkid-devel libpwquality-devel libselinux-devel libssh-devel libtool
libuuid-devel make popt-devel libsepol-devel nc openssh-clients passwd
pkgconfig sharutils sshpass tar uuid-devel vim-common device-mapper
expect gettext git jq keyutils openssl-devel openssl gem
- sudo gem install asciidoctor
- sudo -E git clean -xdf
- ./autogen.sh
- ./configure --enable-fips --enable-pwquality --with-crypto_backend=openssl --enable-asciidoc
# non-FIPS jobs
test-main-commit-rhel8:
extends:
- .rhel-openssl-backend
tags:
- libvirt
- cryptsetup-rhel-8
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-rhel-8
RUN_SSH_PLUGIN_TEST: "1"
rules:
- if: $RUN_SYSTEMD_PLUGIN_TEST != null
when: never
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
script:
- make -j
- make -j -C tests check-programs
- sudo -E make check
test-main-commit-rhel9:
extends:
- .rhel-openssl-backend
tags:
- libvirt
- cryptsetup-rhel-9
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-rhel-9
RUN_SSH_PLUGIN_TEST: "1"
rules:
- if: $RUN_SYSTEMD_PLUGIN_TEST != null
when: never
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
script:
- make -j
- make -j -C tests check-programs
- sudo -E make check
test-main-commit-rhel10:
extends:
- .rhel-openssl-backend
tags:
- libvirt
- cryptsetup-rhel-10
stage: test
interruptible: true
allow_failure: true
variables:
DISTRO: cryptsetup-rhel-10
RUN_SSH_PLUGIN_TEST: "1"
rules:
- if: $RUN_SYSTEMD_PLUGIN_TEST != null
when: never
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
script:
- make -j
- make -j -C tests check-programs
- sudo -E make check
# FIPS jobs
test-main-commit-rhel8-fips:
extends:
- .rhel-openssl-backend
tags:
- libvirt
- cryptsetup-rhel-8-fips
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-rhel-8-fips
RUN_SSH_PLUGIN_TEST: "1"
rules:
- if: $RUN_SYSTEMD_PLUGIN_TEST != null
when: never
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
script:
- grep -q fips=1 /proc/cmdline || exit 1
- make -j
- make -j -C tests check-programs
- sudo -E make check
test-main-commit-rhel9-fips:
extends:
- .rhel-openssl-backend
tags:
- libvirt
- cryptsetup-rhel-9-fips
stage: test
interruptible: true
allow_failure: true
variables:
DISTRO: cryptsetup-rhel-9-fips
RUN_SSH_PLUGIN_TEST: "1"
rules:
- if: $RUN_SYSTEMD_PLUGIN_TEST != null
when: never
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
script:
- grep -q fips=1 /proc/cmdline || exit 1
- make -j
- make -j -C tests check-programs
- sudo -E make check
test-main-commit-rhel10-fips:
extends:
- .rhel-openssl-backend
tags:
- libvirt
- cryptsetup-rhel-10-fips
stage: test
interruptible: true
allow_failure: true
variables:
DISTRO: cryptsetup-rhel-10-fips
RUN_SSH_PLUGIN_TEST: "1"
rules:
- if: $RUN_SYSTEMD_PLUGIN_TEST != null
when: never
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
script:
- grep -q fips=1 /proc/cmdline || exit 1
- make -j
- make -j -C tests check-programs
- sudo -E make check

View File

@@ -1,106 +0,0 @@
.ubuntu-prep:
extends:
- .fail_if_coredump_generated
before_script:
- sudo apt-get -y update
- >
sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint
pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
tar libargon2-dev libpwquality-dev sharutils dmsetup jq xxd expect
keyutils netcat-openbsd passwd openssh-client sshpass asciidoctor
swtpm meson ninja-build python3-jinja2 gperf libcap-dev libtss2-dev
libmount-dev swtpm-tools tpm2-tools
# scsi_debug, gost crypto
- sudo apt-get -y install dkms linux-headers-$(uname -r) linux-modules-extra-$(uname -r) gost-crypto-dkms
- sudo apt-get -y build-dep cryptsetup
- sudo -E git clean -xdf
- ./autogen.sh
- ./configure --enable-libargon2 --enable-asciidoc
test-mergerq-job-ubuntu:
extends:
- .ubuntu-prep
tags:
- libvirt
- cryptsetup-ubuntu-2404
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-ubuntu-2404
RUN_SSH_PLUGIN_TEST: "1"
RUN_KEYRING_TRUSTED_TEST: "1"
rules:
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
script:
- make -j
- make -j -C tests check-programs
- sudo -E make check
test-main-commit-job-ubuntu:
extends:
- .ubuntu-prep
tags:
- libvirt
- cryptsetup-ubuntu-2404
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-ubuntu-2404
RUN_SSH_PLUGIN_TEST: "1"
RUN_KEYRING_TRUSTED_TEST: "1"
rules:
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
script:
- make -j
- make -j -C tests check-programs
- sudo -E make check
# meson tests
test-mergerq-job-ubuntu-meson:
extends:
- .ubuntu-prep
tags:
- libvirt
- cryptsetup-ubuntu-2404
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-ubuntu-2404
RUN_SSH_PLUGIN_TEST: "1"
RUN_KEYRING_TRUSTED_TEST: "1"
rules:
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
script:
- sudo apt-get -y install -y -qq meson ninja-build
- meson setup build
- ninja -C build
- cd build && sudo -E meson test --verbose --print-errorlogs
test-main-commit-job-ubuntu-meson:
extends:
- .ubuntu-prep
tags:
- libvirt
- cryptsetup-ubuntu-2404
stage: test
interruptible: true
variables:
DISTRO: cryptsetup-ubuntu-2404
RUN_SSH_PLUGIN_TEST: "1"
RUN_KEYRING_TRUSTED_TEST: "1"
rules:
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
when: never
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
script:
- sudo apt-get -y install -y -qq meson ninja-build
- meson setup build
- ninja -C build
- cd build && sudo -E meson test --verbose --print-errorlogs

View File

@@ -9,6 +9,7 @@ EXTRA_DIST += meson_options.txt \
scripts/meson.build \
src/meson.build \
tests/meson.build \
tests/fuzz/meson.build \
tokens/meson.build \
tokens/ssh/meson.build
@@ -24,8 +25,7 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DPREFIX=\""$(prefix)"\" \
-DSYSCONFDIR=\""$(sysconfdir)"\" \
-DVERSION=\""$(VERSION)"\" \
-DEXTERNAL_LUKS2_TOKENS_PATH=\"${EXTERNAL_LUKS2_TOKENS_PATH}\"
-DVERSION=\""$(VERSION)"\"
AM_CFLAGS = -Wall
AM_CXXFLAGS = -Wall
AM_LDFLAGS =

View File

@@ -39,17 +39,11 @@ Download
Release notes and tarballs are available at
[kernel.org](https://cdn.kernel.org/pub/linux/utils/cryptsetup/).
**The latest stable cryptsetup release candidate version is 2.8.0-rc1**
* [cryptsetup-2.8.0-rc1.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.8/cryptsetup-2.8.0-rc1.tar.xz)
* Signature [cryptsetup-2.8.0-rc1.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.8/cryptsetup-2.8.0-rc1.tar.sign)
**The latest stable cryptsetup release version is 2.8.1**
* [cryptsetup-2.8.1.tar.xz](https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/cryptsetup-2.8.1.tar.xz)
* Signature [cryptsetup-2.8.1.tar.sign](https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/cryptsetup-2.8.1.tar.sign)
_(You need to decompress file first to check signature.)_
* [Cryptsetup 2.8.0-rc1 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.8/v2.8.0-rc1-ReleaseNotes).
**The latest stable cryptsetup release version is 2.7.5**
* [cryptsetup-2.7.5.tar.xz](https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.5.tar.xz)
* Signature [cryptsetup-2.7.5.tar.sign](https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.5.tar.sign)
_(You need to decompress file first to check signature.)_
* [Cryptsetup 2.7.5 Release Notes](https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.5-ReleaseNotes).
* [Cryptsetup 2.8.1 Release Notes](https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/v2.8.1-ReleaseNotes).
[Previous versions](https://cdn.kernel.org/pub/linux/utils/cryptsetup)
@@ -76,7 +70,7 @@ Below are the packages needed to build for certain Linux distributions:
**For Fedora**:
```
git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar
git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar rubygem-asciidoctor
Optionally: libargon2-devel libpwquality-devel
```
@@ -87,7 +81,7 @@ sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openss
**For Debian and Ubuntu**:
```
git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar
git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar asciidoctor
Optionally: libargon2-0-dev libpwquality-dev
```

View File

@@ -1,5 +1,5 @@
AC_PREREQ([2.67])
AC_INIT([cryptsetup],[2.8.0-rc1])
AC_INIT([cryptsetup],[2.9.0-git])
dnl library version from <major>.<minor>.<release>[-<suffix>]
LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
@@ -680,8 +680,36 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
])
CFLAGS=$saved_CFLAGS
dnl Force compiler to use zero_call_used_regs("used") to check for the function attribute support.
dnl Otherwise the compiler may falsely advertise it with __has_attribute operator, even though
dnl it does not implement it on some archs.
AC_MSG_CHECKING([for zero_call_used_regs(user)])
saved_CFLAGS=$CFLAGS
CFLAGS="-O0 -Werror"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
void _test_function(void);
__attribute__((zero_call_used_regs("used"))) void _test_function(void) {
volatile int *i; volatile int j = 0; if (j) *i = 0;
}
]],
[[ _test_function() ]]
)],[
AC_DEFINE([HAVE_ATTRIBUTE_ZEROCALLUSEDREGS], 1, [Define to 1 to use __attribute__((zero_call_used_regs("used")))])
AC_MSG_RESULT([yes])
], [
AC_MSG_RESULT([no])
])
CFLAGS=$saved_CFLAGS
AC_MSG_CHECKING([for systemd tmpfiles config directory])
PKG_CHECK_VAR([systemd_tmpfilesdir], [systemd], [tmpfilesdir], [], [systemd_tmpfilesdir=no])
if test "x$prefix" != "xNONE"; then
saved_PKG_CONFIG=$PKG_CONFIG
PKG_CONFIG="$PKG_CONFIG --define-variable=prefix='${prefix}'"
PKG_CHECK_VAR([systemd_tmpfilesdir], [systemd], [tmpfilesdir], [], [systemd_tmpfilesdir=no])
PKG_CONFIG=$saved_PKG_CONFIG
else
PKG_CHECK_VAR([systemd_tmpfilesdir], [systemd], [tmpfilesdir], [], [systemd_tmpfilesdir=no])
fi
AC_MSG_RESULT([$systemd_tmpfilesdir])
AC_SUBST([DEVMAPPER_LIBS])
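Review bot: the AC_MSG_CHECKING text reads `zero_call_used_regs(user)` while the attribute actually compiled in the probe is `zero_call_used_regs("used")`; the message should name the same argument so configure logs are searchable. The probe also replaces CFLAGS with `-O0 -Werror` rather than appending to it, which is worth a one-line dnl remark if it is deliberate.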
@@ -795,8 +823,9 @@ CS_NUM_WITH([verity-hash-block], [hash block size for verity mode], [4096])
CS_NUM_WITH([verity-salt-size], [salt size for verity mode], [32])
CS_NUM_WITH([verity-fec-roots], [parity bytes for verity FEC], [2])
CS_STR_WITH([tmpfilesdir], [override default path to directory with systemd temporary files], [])
test -z "$with_tmpfilesdir" && with_tmpfilesdir=$systemd_tmpfilesdir
AC_ARG_WITH([tmpfilesdir],
AS_HELP_STRING([--with-tmpfilesdir=DIR], [override default path to directory with systemd temporary files]),
[], [with_tmpfilesdir=$systemd_tmpfilesdir])
test "x$with_tmpfilesdir" = "xno" || {
CS_ABSPATH([${with_tmpfilesdir}],[with-tmpfilesdir])
DEFAULT_TMPFILESDIR=$with_tmpfilesdir
@@ -815,7 +844,9 @@ test -z "$with_luks2_lock_dir_perms" && with_luks2_lock_dir_perms=0700
DEFAULT_LUKS2_LOCK_DIR_PERMS=$with_luks2_lock_dir_perms
AC_SUBST(DEFAULT_LUKS2_LOCK_DIR_PERMS)
CS_STR_WITH([luks2-external-tokens-path], [path to directory with LUKSv2 external token handlers (plugins)], [LIBDIR/cryptsetup])
AC_ARG_WITH([luks2-external-tokens-path],
AS_HELP_STRING([--with-luks2-external-tokens-path=DIR], [path to directory with LUKSv2 external token handlers (plugins)]),
[], [with_luks2_external_tokens_path=""])
if test -n "$with_luks2_external_tokens_path"; then
CS_ABSPATH([${with_luks2_external_tokens_path}],[with-luks2-external-tokens-path])
EXTERNAL_LUKS2_TOKENS_PATH=$with_luks2_external_tokens_path
@@ -823,6 +854,17 @@ else
EXTERNAL_LUKS2_TOKENS_PATH="\${libdir}/cryptsetup"
fi
AC_SUBST(EXTERNAL_LUKS2_TOKENS_PATH)
dnl We need to define expanded EXTERNAL_LUKS2_TOKENS_PATH, but some other code can depend on prefix=NONE.
dnl Pretend you do not see this hack :-)
saved_prefix=$prefix
saved_exec_prefix=$exec_prefix
test "x$prefix" = "xNONE" && prefix="$ac_default_prefix"
test "x$exec_prefix" = "xNONE" && exec_prefix="$prefix"
expanded_EXTERNAL_LUKS2_TOKENS_PATH=$(eval echo "$EXTERNAL_LUKS2_TOKENS_PATH")
expanded_EXTERNAL_LUKS2_TOKENS_PATH=$(eval echo "$expanded_EXTERNAL_LUKS2_TOKENS_PATH")
AC_DEFINE_UNQUOTED([EXTERNAL_LUKS2_TOKENS_PATH], ["$expanded_EXTERNAL_LUKS2_TOKENS_PATH"], [path to directory with LUKSv2 external token handlers (plugins)])
prefix=$saved_prefix
exec_prefix=$saved_exec_prefix
dnl Override default LUKS format version (for cryptsetup or cryptsetup-reencrypt format actions only).
AC_ARG_WITH([default_luks_format],
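Review bot: the two `eval echo` passes over EXTERNAL_LUKS2_TOKENS_PATH re-evaluate a value that can come straight from --with-luks2-external-tokens-path, so a path containing spaces or shell metacharacters is split or expanded by the shell before it reaches AC_DEFINE_UNQUOTED. The dnl comment should say why two passes are needed (presumably to resolve `${libdir}` through `${exec_prefix}` to `${prefix}`) and that the value is assumed to be a plain path; quoting the result or rejecting unexpected characters in CS_ABSPATH would make that assumption explicit.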

View File

@@ -1,5 +1,5 @@
Cryptsetup 2.8.0-rc1 Release Notes
==================================
Cryptsetup 2.8.0 Release Notes
==============================
Stable release with new features and bug fixes
All users of cryptsetup 2.7 must upgrade to this version.

40
docs/v2.8.1-ReleaseNotes Normal file
View File

@@ -0,0 +1,40 @@
Cryptsetup 2.8.1 Release Notes
==============================
Stable bug-fix release with minor extensions.
All users of cryptsetup 2.8.0 must upgrade to this version.
Changes since version 2.8.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Fix status and deactivation of TCRYPT (VeraCrypt compatible) devices that use chained ciphers.
* Fix unlocking BITLK (BitLocker compatible) devices with multibyte UTF8 characters in the passphrase.
* Do not allow activation of the LUKS2 device if the used keyslot is not encrypted (it uses a null cipher).
Such a configuration cannot be created by cryptsetup, but can be crafted outside of it.
Null cipher is sometimes used to create an empty container for later reencryption.
Only an empty passphrase can activate such a container (the same as in LUKS1).
* Do not silently decrease PBKDF parallel cost (threads) if set by an option.
The maximum parallel cost is limited to 4 threads.
* Fixes to configuration and installation scripts.
Meson and autoconf tools now properly support --prefix option for temporary directory installation.
Multiple fixes and cleanups to config.h for compatibility between Meson and autoconf.
Fix the luks2-external-tokens-path Meson option to work the same as in autoconf.
Fix Meson install for tool binaries, install fvault2Open man page and include test/fuzz/meson.build in release.
* Major update to manual pages.
Try to explain the PBKDF hardcoded limits.
Add a better explanation for automatic integrity tag recalculation.
Mention crypt/verity/integritytab.
Remove or reformulate some misleading warnings present only with old and no longer supported kernels.
Clarify that some commands do not wipe data and unify OPAL reset wording.
Clarify the --label option.
There are also many other grammar and stylistic fixes to unify the man-page style.
* Fixes for false-positive and annoying (optional) warnings added in recent compilers.

View File

@@ -111,6 +111,7 @@ struct bitlk_superblock {
struct bitlk_fve_metadata {
/* FVE metadata block header */
uint8_t signature[8];
/* size of this block (in 16-byte units) */
uint16_t fve_size;
uint16_t fve_version;
uint16_t curr_state;
@@ -132,6 +133,32 @@ struct bitlk_fve_metadata {
uint64_t creation_time;
} __attribute__ ((packed));
struct bitlk_validation_hash {
uint16_t size;
uint16_t role;
uint16_t type;
uint16_t flags;
/* likely a hash type code, anything other than 0x2005 isn't supported */
uint16_t hash_type;
uint16_t unknown1;
/* SHA-256 */
uint8_t hash[32];
} __attribute__ ((packed));
struct bitlk_fve_metadata_validation {
/* FVE metadata validation block header */
uint16_t validation_size;
uint16_t validation_version;
uint32_t fve_crc32;
/* this is a single nested structure's header defined here for simplicity */
uint16_t nested_struct_size;
uint16_t nested_struct_role;
uint16_t nested_struct_type;
uint16_t nested_struct_flags;
/* datum containing a similar nested structure (encrypted using VMK) with hash (SHA256) */
uint8_t nested_struct_data[BITLK_VALIDATION_VMK_DATA_SIZE];
} __attribute__ ((packed));
struct bitlk_entry_header_block {
uint64_t offset;
uint64_t size;
@@ -237,10 +264,11 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
bool supported = false;
int r = 0;
/* only passphrase or recovery passphrase vmks are supported (can be used to activate) */
/* only passphrase, recovery passphrase, startup key and clearkey vmks are supported (can be used to activate) */
supported = (*vmk)->protection == BITLK_PROTECTION_PASSPHRASE ||
(*vmk)->protection == BITLK_PROTECTION_RECOVERY_PASSPHRASE ||
(*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY;
(*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY ||
(*vmk)->protection == BITLK_PROTECTION_CLEAR_KEY;
while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
/* size of this entry */
@@ -297,17 +325,13 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
crypt_volume_key_add_next(&((*vmk)->vk), vk);
/* clear key for a partially decrypted volume */
} else if (key_entry_value == BITLK_ENTRY_VALUE_KEY) {
/* We currently don't want to support opening a partially decrypted
* device so we don't need to store this key.
*
* key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
* key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
* vk = crypt_alloc_volume_key(key_size, key);
* if (vk == NULL)
* return -ENOMEM;
* crypt_volume_key_add_next(&((*vmk)->vk), vk);
*/
log_dbg(cd, "Skipping clear key metadata entry.");
/* For clearkey protection, we need to store this key */
key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
vk = crypt_alloc_volume_key(key_size, key);
if (vk == NULL)
return -ENOMEM;
crypt_volume_key_add_next(&((*vmk)->vk), vk);
/* unknown timestamps in recovery protected VMK */
} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
;
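Review bot: `key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);` is now live code in the BITLK_ENTRY_VALUE_KEY branch, and nothing visible in this hunk guarantees that key_entry_size is at least BITLK_ENTRY_HEADER_LEN + 4 or that the entry ends before `end`. If the enclosing loop does not already enforce both, add the check here, since a malformed on-disk entry would otherwise produce a wrapped or oversized key_size passed to crypt_alloc_volume_key. The comment "clear key for a partially decrypted volume" above the branch is also stale now that the key is stored for clearkey protection.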
@@ -361,6 +385,54 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
return 0;
}
static bool check_fve_metadata(struct bitlk_fve_metadata *fve)
{
if (memcmp(fve->signature, BITLK_SIGNATURE, sizeof(fve->signature)) || le16_to_cpu(fve->fve_version) != 2 ||
(fve->fve_size << 4) > BITLK_FVE_METADATA_SIZE)
return false;
return true;
}
static bool check_fve_metadata_validation(struct bitlk_fve_metadata_validation *validation)
{
/* only check if there is room for CRC-32, the actual size must be larger */
if (le16_to_cpu(validation->validation_size) < 8 || le16_to_cpu(validation->validation_version > 2))
return false;
return true;
}
static bool parse_fve_metadata_validation(struct bitlk_metadata *params, struct bitlk_fve_metadata_validation *validation)
{
/* extra checks for a nested structure (MAC) and BITLK FVE metadata */
if (le16_to_cpu(validation->validation_size) < sizeof(struct bitlk_fve_metadata_validation))
return false;
if (le16_to_cpu(validation->nested_struct_size != BITLK_VALIDATION_VMK_HEADER_SIZE + BITLK_VALIDATION_VMK_DATA_SIZE) ||
le16_to_cpu(validation->nested_struct_role) != 0 ||
le16_to_cpu(validation->nested_struct_type) != 5)
return false;
/* nonce */
memcpy(params->validation->nonce,
validation->nested_struct_data,
BITLK_NONCE_SIZE);
/* MAC tag */
memcpy(params->validation->mac_tag,
validation->nested_struct_data + BITLK_NONCE_SIZE,
BITLK_VMK_MAC_TAG_SIZE);
/* AES-CCM encrypted datum with SHA256 hash */
memcpy(params->validation->enc_datum,
validation->nested_struct_data + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE,
BITLK_VALIDATION_VMK_DATA_SIZE - BITLK_NONCE_SIZE - BITLK_VMK_MAC_TAG_SIZE);
return true;
}
void BITLK_bitlk_fvek_free(struct bitlk_fvek *fvek)
{
if (!fvek)
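Review bot: in check_fve_metadata_validation the closing parenthesis is misplaced, so `le16_to_cpu(validation->validation_version > 2)` byte-swaps the result of the comparison instead of comparing the converted field; parse_fve_metadata_validation has the same slip in `le16_to_cpu(validation->nested_struct_size != ...)`. Both happen to behave correctly only because a non-zero comparison result stays non-zero after the swap. check_fve_metadata also shifts `fve->fve_size` without le16_to_cpu, unlike the `le16_to_cpu(fve.fve_size) << 4` used by the caller, so the bound against BITLK_FVE_METADATA_SIZE is computed on the wrong value on big-endian hosts.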
@@ -391,6 +463,7 @@ void BITLK_bitlk_metadata_free(struct bitlk_metadata *metadata)
free(metadata->guid);
free(metadata->description);
free(metadata->validation);
BITLK_bitlk_vmk_free(metadata->vmks);
BITLK_bitlk_fvek_free(metadata->fvek);
}
@@ -402,20 +475,25 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
struct bitlk_signature sig = {};
struct bitlk_superblock sb = {};
struct bitlk_fve_metadata fve = {};
struct bitlk_fve_metadata_validation validation = {};
struct bitlk_entry_vmk entry_vmk = {};
uint8_t *fve_entries = NULL;
uint8_t *fve_validated_block = NULL;
size_t fve_entries_size = 0;
uint32_t fve_metadata_size = 0;
uint32_t fve_size_real = 0;
int fve_offset = 0;
char guid_buf[UUID_STR_LEN] = {0};
uint16_t entry_size = 0;
uint16_t entry_type = 0;
int i = 0;
int r = 0;
int valid_fve_metadata_idx = -1;
int start = 0;
size_t key_size = 0;
const char *key = NULL;
char *description = NULL;
struct crypt_hash *hash;
struct bitlk_vmk *vmk = NULL;
struct bitlk_vmk *vmk_p = params->vmks;
@@ -490,15 +568,80 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
for (i = 0; i < 3; i++)
params->metadata_offset[i] = le64_to_cpu(sb.fve_offset[i]);
log_dbg(cd, "Reading BITLK FVE metadata of size %zu on device %s, offset %" PRIu64 ".",
sizeof(fve), device_path(device), params->metadata_offset[0]);
fve_validated_block = malloc(BITLK_FVE_METADATA_SIZE);
if (fve_validated_block == NULL) {
r = -ENOMEM;
goto out;
}
/* read FVE metadata from the first metadata area */
if (read_lseek_blockwise(devfd, device_block_size(cd, device),
device_alignment(device), &fve, sizeof(fve), params->metadata_offset[0]) != sizeof(fve) ||
memcmp(fve.signature, BITLK_SIGNATURE, sizeof(fve.signature)) ||
le16_to_cpu(fve.fve_version) != 2) {
log_err(cd, _("Failed to read BITLK FVE metadata from %s."), device_path(device));
for (i = 0; i < 3; i++) {
/* iterate over FVE metadata copies and pick the valid one */
log_dbg(cd, "Reading BITLK FVE metadata copy #%d of size %zu on device %s, offset %" PRIu64 ".",
i, sizeof(fve), device_path(device), params->metadata_offset[i]);
if (read_lseek_blockwise(devfd, device_block_size(cd, device),
device_alignment(device), &fve, sizeof(fve), params->metadata_offset[i]) != sizeof(fve) ||
!check_fve_metadata(&fve) ||
(fve_size_real = le16_to_cpu(fve.fve_size) << 4, read_lseek_blockwise(devfd, device_block_size(cd, device),
device_alignment(device), &validation, sizeof(validation), params->metadata_offset[i] + fve_size_real) != sizeof(validation)) ||
!check_fve_metadata_validation(&validation) ||
/* double-fetch is here, but we aren't validating MAC */
read_lseek_blockwise(devfd, device_block_size(cd, device), device_alignment(device), fve_validated_block, fve_size_real,
params->metadata_offset[i]) != fve_size_real ||
(crypt_crc32(~0, fve_validated_block, fve_size_real) ^ ~0) != le32_to_cpu(validation.fve_crc32)) {
/* found an invalid FVE metadata copy, log and skip */
log_dbg(cd, _("Failed to read or validate BITLK FVE metadata copy #%d from %s."), i, device_path(device));
} else {
/* found a valid FVE metadata copy, use it */
valid_fve_metadata_idx = i;
break;
}
}
if (valid_fve_metadata_idx < 0) {
/* all FVE metadata copies are invalid, fail */
log_err(cd, _("Failed to read and validate BITLK FVE metadata from %s."), device_path(device));
r = -EINVAL;
goto out;
}
/* check that a valid FVE metadata block is in its expected location */
if (params->metadata_offset[valid_fve_metadata_idx] != le64_to_cpu(fve.fve_offset[valid_fve_metadata_idx])) {
log_err(cd, _("Failed to validate the location of BITLK FVE metadata from %s."), device_path(device));
r = -EINVAL;
goto out;
}
/* update offsets from a valid FVE metadata copy */
for (i = 0; i < 3; i++)
params->metadata_offset[i] = le64_to_cpu(fve.fve_offset[i]);
/* check that the FVE metadata hasn't changed between reads, because we are preparing for the MAC check */
if (memcmp(&fve, fve_validated_block, sizeof(fve)) != 0) {
log_err(cd, _("BITLK FVE metadata changed between reads from %s."), device_path(device));
r = -EINVAL;
goto out;
}
crypt_backend_memzero(&params->sha256_fve, 32);
if (crypt_hash_init(&hash, "sha256")) {
log_err(cd, _("Failed to hash BITLK FVE metadata read from %s."), device_path(device));
r = -EINVAL;
goto out;
}
crypt_hash_write(hash, (const char *)fve_validated_block, fve_size_real);
crypt_hash_final(hash, (char *)&params->sha256_fve, 32);
crypt_hash_destroy(hash);
/* do some extended checks against FVE metadata, but not including MAC verification */
params->validation = malloc(sizeof(struct bitlk_validation));
if (!params->validation) {
r = -ENOMEM;
goto out;
}
if (!parse_fve_metadata_validation(params, &validation)) {
log_err(cd, _("Failed to parse BITLK FVE validation metadata from %s."), device_path(device));
r = -EINVAL;
goto out;
}
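Review bot: the return values of crypt_hash_write and crypt_hash_final are ignored when computing params->sha256_fve, so a backend failure can leave the zeroed digest in place and only surfaces later as a failed metadata comparison; check both and take the same error path as the crypt_hash_init failure. Separately, check_fve_metadata gives fve_size an upper bound only, so fve_size_real may be smaller than sizeof(fve), in which case `memcmp(&fve, fve_validated_block, sizeof(fve))` compares bytes of the malloc'd buffer that the read never filled; a lower bound on fve_size_real would close that.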
@@ -583,17 +726,18 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
}
memset(fve_entries, 0, fve_entries_size);
log_dbg(cd, "Reading BITLK FVE metadata entries of size %zu on device %s, offset %" PRIu64 ".",
fve_entries_size, device_path(device), params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);
log_dbg(cd, "Getting BITLK FVE metadata entries of size %zu on device %s, offset %" PRIu64 ".",
fve_entries_size, device_path(device), params->metadata_offset[valid_fve_metadata_idx] + BITLK_FVE_METADATA_HEADERS_LEN);
if (read_lseek_blockwise(devfd, device_block_size(cd, device),
device_alignment(device), fve_entries, fve_entries_size,
params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)fve_entries_size) {
log_err(cd, _("Failed to read BITLK metadata entries from %s."), device_path(device));
if (BITLK_FVE_METADATA_HEADERS_LEN + fve_entries_size > fve_size_real) {
log_err(cd, _("Failed to check BITLK metadata entries previously read from %s."), device_path(device));
r = -EINVAL;
goto out;
}
/* fetch these entries from validated buffer to avoid double-fetch */
memcpy(fve_entries, fve_validated_block + BITLK_FVE_METADATA_HEADERS_LEN, fve_entries_size);
while ((fve_entries_size - start) >= (sizeof(entry_size) + sizeof(entry_type))) {
/* size of this entry */
@@ -716,6 +860,8 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
}
out:
free(fve_entries);
free(fve_validated_block);
return r;
}
@@ -982,9 +1128,13 @@ static int bitlk_kdf(const char *password,
struct crypt_hash *hd = NULL;
int len = 0;
char16_t *utf16Password = NULL;
size_t utf16Len = 0;
int i = 0;
int r = 0;
if (!password)
return -EINVAL;
memcpy(kdf.salt, salt, 16);
r = crypt_hash_init(&hd, BITLK_KDF_HASH);
@@ -1007,7 +1157,8 @@ static int bitlk_kdf(const char *password,
if (r < 0)
goto out;
crypt_hash_write(hd, (char*)utf16Password, passwordLen * 2);
utf16Len = crypt_char16_strlen(utf16Password);
crypt_hash_write(hd, (char*)utf16Password, utf16Len * 2);
r = crypt_hash_final(hd, kdf.initial_sha256, len);
if (r < 0)
goto out;
@@ -1098,6 +1249,41 @@ out:
return r;
}
static int get_clear_key(struct crypt_device *cd, const struct bitlk_vmk *vmk, struct volume_key **vmk_dec_key)
{
struct volume_key *nested_key = vmk->vk;
if (!nested_key) {
log_dbg(cd, "Clearkey VMK structure incomplete - missing nested key");
return -ENOTSUP;
}
struct volume_key *encrypted_vmk = crypt_volume_key_next(nested_key);
if (!encrypted_vmk) {
log_dbg(cd, "Clearkey VMK structure incomplete - missing encrypted VMK");
return -ENOTSUP;
}
/**
* For clearkey protection, we need to decrypt the encrypted VMK using the nested key
* and return the decrypted VMK as vmk_dec_key
*/
struct volume_key *decrypted_vmk = NULL;
int r = decrypt_key(cd, &decrypted_vmk, encrypted_vmk, nested_key,
vmk->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
vmk->nonce, BITLK_NONCE_SIZE, false);
if (r == 0 && decrypted_vmk) {
log_dbg(cd, "Successfully decrypted VMK using nested key");
*vmk_dec_key = decrypted_vmk;
return 0;
} else {
log_dbg(cd, "Failed to decrypt VMK using nested key (error: %d)", r);
return r;
}
}
int BITLK_get_volume_key(struct crypt_device *cd,
const char *password,
size_t passwordLen,
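Review bot: in get_clear_key the final else branch returns `r` even when decrypt_key returned 0 but left decrypted_vmk NULL, so the caller would see success with *vmk_dec_key never set; return an explicit error for that case. The declarations placed after statements (encrypted_vmk, decrypted_vmk, r) also differ from the declarations-at-top layout used in BITLK_get_volume_key just below.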
@@ -1108,10 +1294,12 @@ int BITLK_get_volume_key(struct crypt_device *cd,
struct volume_key *open_vmk_key = NULL;
struct volume_key *vmk_dec_key = NULL;
struct volume_key *recovery_key = NULL;
struct bitlk_validation_hash dec_hash = {};
const struct bitlk_vmk *next_vmk = NULL;
next_vmk = params->vmks;
while (next_vmk) {
bool is_decrypted = false;
if (next_vmk->protection == BITLK_PROTECTION_PASSPHRASE) {
r = bitlk_kdf(password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
if (r) {
@@ -1146,8 +1334,18 @@ int BITLK_get_volume_key(struct crypt_device *cd,
continue;
}
log_dbg(cd, "Trying to use external key found in provided password.");
} else if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
r = get_clear_key(cd, next_vmk, &vmk_dec_key);
if (r) {
/* something wrong happened, but we still want to check other key slots */
next_vmk = next_vmk->next;
continue;
}
is_decrypted = true;
open_vmk_key = vmk_dec_key;
log_dbg(cd, "Extracted VMK using clearkey.");
} else {
/* only passphrase, recovery passphrase and startup key VMKs supported right now */
/* only passphrase, recovery passphrase, startup key and clearkey VMKs supported right now */
log_dbg(cd, "Skipping %s", get_vmk_protection_string(next_vmk->protection));
next_vmk = next_vmk->next;
if (r == 0)
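Review bot: in the BITLK_PROTECTION_CLEAR_KEY branch the VMK is recovered without using `password` at all, and the only trace is the log_dbg line "Extracted VMK using clearkey.". Since a volume with a clearkey protector opens for anyone who holds the device, consider reporting this at a user-visible log level so the caller can tell that the supplied passphrase was not what unlocked it.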
@@ -1156,19 +1354,51 @@ int BITLK_get_volume_key(struct crypt_device *cd,
continue;
}
log_dbg(cd, "Trying to decrypt %s.", get_vmk_protection_string(next_vmk->protection));
r = decrypt_key(cd, &open_vmk_key, next_vmk->vk, vmk_dec_key,
next_vmk->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
next_vmk->nonce, BITLK_NONCE_SIZE, false);
if (!is_decrypted) {
r = decrypt_key(cd, &open_vmk_key, next_vmk->vk, vmk_dec_key,
next_vmk->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
next_vmk->nonce, BITLK_NONCE_SIZE, false);
crypt_free_volume_key(vmk_dec_key);
}
if (r < 0) {
log_dbg(cd, "Failed to decrypt VMK using provided passphrase.");
crypt_free_volume_key(vmk_dec_key);
if (r == -ENOTSUP)
return r;
next_vmk = next_vmk->next;
continue;
}
crypt_free_volume_key(vmk_dec_key);
log_dbg(cd, "Trying to decrypt validation metadata using VMK.");
r = crypt_bitlk_decrypt_key(crypt_volume_key_get_key(open_vmk_key),
crypt_volume_key_length(open_vmk_key),
(const char*)params->validation->enc_datum,
(char *)&dec_hash,
BITLK_VALIDATION_VMK_DATA_SIZE - BITLK_NONCE_SIZE - BITLK_VMK_MAC_TAG_SIZE,
(const char*)params->validation->nonce, BITLK_NONCE_SIZE,
(const char*)params->validation->mac_tag, BITLK_VMK_MAC_TAG_SIZE);
if (r < 0) {
log_dbg(cd, "Failed to decrypt validation metadata using VMK.");
crypt_free_volume_key(open_vmk_key);
if (r == -ENOTSUP)
return r;
break;
}
/* now, do the MAC validation */
if (le16_to_cpu(dec_hash.role) != 0 ||le16_to_cpu(dec_hash.type) != 1 ||
(le16_to_cpu(dec_hash.hash_type) != 0x2005)) {
log_dbg(cd, "Failed to parse decrypted validation metadata.");
crypt_free_volume_key(open_vmk_key);
return -ENOTSUP;
}
if (memcmp(dec_hash.hash, params->sha256_fve, sizeof(dec_hash.hash)) != 0) {
log_dbg(cd, "Failed MAC validation of BITLK FVE metadata.");
crypt_free_volume_key(open_vmk_key);
return -EINVAL;
}
r = decrypt_key(cd, open_fvek_key, params->fvek->vk, open_vmk_key,
params->fvek->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
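Review bot: the three failure paths after the VMK has been decrypted end differently with no explanation: a failed crypt_bitlk_decrypt_key does `break`, a bad role/type/hash_type returns -ENOTSUP, and a digest mismatch returns -EINVAL, while a failed VMK decryption moves on to the next keyslot. A short comment stating that a validation failure under an authenticated VMK is treated as fatal, and why, would make the intent reviewable. The role 0, type 1 and 0x2005 literals would read better as named constants next to the other BITLK_* defines, and `||le16_to_cpu(dec_hash.type)` is missing a space.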
@@ -1197,8 +1427,6 @@ int BITLK_get_volume_key(struct crypt_device *cd,
static int _activate_check(struct crypt_device *cd,
const struct bitlk_metadata *params)
{
const struct bitlk_vmk *next_vmk = NULL;
if (!params->state) {
log_err(cd, _("This BITLK device is in an unsupported state and cannot be activated."));
return -ENOTSUP;
@@ -1209,15 +1437,6 @@ static int _activate_check(struct crypt_device *cd,
return -ENOTSUP;
}
next_vmk = params->vmks;
while (next_vmk) {
if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
log_err(cd, _("Activation of BITLK device with clear key protection is not supported."));
return -ENOTSUP;
}
next_vmk = next_vmk->next;
}
return 0;
}
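
Review bot: With the BITLK_PROTECTION_CLEAR_KEY loop dropped from _activate_check(), nothing in the activation path tells the user that the volume is being opened with a key kept unprotected in its own metadata. Since the commit message says the clear key is always tried when available, a log_std() or at least log_dbg() line at the point where the clear key is used, plus a sentence in the man page, would make that state visible instead of silent.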

View File

@@ -21,6 +21,8 @@ struct volume_key;
#define BITLK_NONCE_SIZE 12
#define BITLK_SALT_SIZE 16
#define BITLK_VMK_MAC_TAG_SIZE 16
#define BITLK_VALIDATION_VMK_HEADER_SIZE 8
#define BITLK_VALIDATION_VMK_DATA_SIZE 72
#define BITLK_STATE_NORMAL 0x0004
@@ -85,6 +87,13 @@ struct bitlk_fvek {
struct volume_key *vk;
};
struct bitlk_validation {
uint8_t mac_tag[BITLK_VMK_MAC_TAG_SIZE];
uint8_t nonce[BITLK_NONCE_SIZE];
/* technically, this is not "VMK", but some sources call it this way */
uint8_t enc_datum[BITLK_VALIDATION_VMK_DATA_SIZE];
};
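
Review bot: enc_datum in struct bitlk_validation is sized with BITLK_VALIDATION_VMK_DATA_SIZE (72) although mac_tag and nonce have their own fields, and the decrypt call in BITLK_get_volume_key() only consumes 72 - 12 - 16 = 44 bytes of it. Either size the array to the ciphertext length or add a comment saying that the 72 covers nonce, tag and payload together, so a reader does not assume all 72 bytes are ciphertext.
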
struct bitlk_metadata {
uint16_t sector_size;
uint64_t volume_size;
@@ -101,8 +110,10 @@ struct bitlk_metadata {
uint32_t metadata_version;
uint64_t volume_header_offset;
uint64_t volume_header_size;
const char *sha256_fve[32];
struct bitlk_vmk *vmks;
struct bitlk_fvek *fvek;
struct bitlk_validation *validation;
};
int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params);
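
Review bot: In struct bitlk_metadata, "const char *sha256_fve[32];" declares an array of 32 pointers, not a 32-byte digest buffer. BITLK_get_volume_key() passes it to memcmp() with sizeof(dec_hash.hash), which only works if the digest bytes were copied over the start of the pointer array. Declare it as "uint8_t sha256_fve[32];" (dropping the const so it can be filled in) to match how it is used.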

View File

@@ -19,7 +19,7 @@
/* https://tools.ietf.org/html/rfc4648#section-4 */
static char base64char(int x)
{
static const char table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
static const char table[65] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789+/";
return table[x & 63];
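
Review bot: The change from table[64] to table[65] carries no comment, and the extra byte is only the terminating NUL of the string literal. A one-line comment saying so (or declaring the array without an explicit size) would stop someone from "fixing" it back to 64.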

View File

@@ -8,6 +8,8 @@
#include <errno.h>
#include <strings.h>
#include <unistd.h>
#include <fcntl.h>
#include "crypto_backend.h"
struct cipher_alg {
@@ -77,3 +79,21 @@ int crypt_cipher_wrapped_key(const char *name, const char *mode)
return ca ? (int)ca->wrapped_key : 0;
}
bool crypt_fips_mode_kernel(void)
{
int fd;
char buf = 0;
fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
if (fd < 0)
return false;
if (read(fd, &buf, 1) != 1)
buf = '0';
close(fd);
return (buf == '1');
}
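
Review bot: crypt_fips_mode_kernel() fails open: when open() or read() on /proc/sys/crypto/fips_enabled fails, it returns false, so a FIPS kernel is reported as non-FIPS whenever /proc is not mounted or not readable (chroot, early boot). Consider treating only ENOENT as "not in FIPS mode" and logging the other errors. The open() call should also pass O_CLOEXEC, and read() is not retried on EINTR.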

View File

@@ -30,7 +30,7 @@ struct crypt_hmac;
struct crypt_cipher;
struct crypt_storage;
int crypt_backend_init(bool fips);
int crypt_backend_init(void);
void crypt_backend_destroy(void);
#define CRYPT_BACKEND_KERNEL (1 << 0) /* Crypto uses kernel part, for benchmark */
@@ -93,6 +93,7 @@ int crypt_base64_decode(char **out, size_t *out_length, const char *in, size_t i
/* UTF8/16 */
int crypt_utf16_to_utf8(char **out, const char16_t *s, size_t length /* bytes! */);
int crypt_utf8_to_utf16(char16_t **out, const char *s, size_t length);
size_t crypt_char16_strlen(const char16_t *s);
/* Block ciphers */
int crypt_cipher_ivsize(const char *name, const char *mode);
@@ -147,6 +148,9 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n);
/* crypto backend running in FIPS mode */
bool crypt_fips_mode(void);
/* kernel running in FIPS mode */
bool crypt_fips_mode_kernel(void);
# ifdef __cplusplus
}
# endif

View File

@@ -99,6 +99,20 @@ int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name,
return _crypt_cipher_init(ctx, key, key_length, 0, &sa);
}
/* musl has broken CMSG_NXTHDR macro in system headers */
static inline struct cmsghdr *_CMSG_NXTHDR(struct msghdr* mhdr, struct cmsghdr* cmsg)
{
#if !defined(__GLIBC__) && defined(__clang__)
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wcast-align"
#pragma clang diagnostic ignored "-Wsign-compare"
return CMSG_NXTHDR(mhdr, cmsg);
#pragma clang diagnostic pop
#else
return CMSG_NXTHDR(mhdr, cmsg);
#endif
}
/* The in/out should be aligned to page boundary */
/* coverity[ -taint_source : arg-3 ] */
static int _crypt_cipher_crypt(struct crypt_cipher_kernel *ctx,
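
Review bot: The wrapper name _CMSG_NXTHDR starts with an underscore followed by an uppercase letter, which C reserves for the implementation; something like crypt_cmsg_nxthdr() avoids that. The comment also says the problem is musl, but the guard is !defined(__GLIBC__) && defined(__clang__), which matches every non-glibc libc built with clang; either narrow the condition or reword the comment to describe what is actually tested.
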
@@ -146,7 +160,7 @@ static int _crypt_cipher_crypt(struct crypt_cipher_kernel *ctx,
/* Set IV */
if (iv) {
header = CMSG_NXTHDR(&msg, header);
header = _CMSG_NXTHDR(&msg, header);
if (!header)
return -EINVAL;

View File

@@ -80,7 +80,7 @@ static void crypt_hash_test_whirlpool_bug(void)
crypto_backend_whirlpool_bug = 1;
}
int crypt_backend_init(bool fips __attribute__((unused)))
int crypt_backend_init(void)
{
int r;
@@ -684,7 +684,7 @@ bool crypt_fips_mode(void)
if (fips_checked)
return fips_mode;
if (crypt_backend_init(false /* ignored */))
if (crypt_backend_init())
return false;
fips_mode = gcry_fips_mode_active();

View File

@@ -103,7 +103,7 @@ static int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *op
return 0;
}
int crypt_backend_init(bool fips __attribute__((unused)))
int crypt_backend_init(void)
{
struct utsname uts;
struct sockaddr_alg sa = {
@@ -408,5 +408,5 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
bool crypt_fips_mode(void)
{
return false;
return crypt_fips_mode_kernel();
}

View File

@@ -69,16 +69,13 @@ static const mbedtls_md_info_t *crypt_get_hash(const char *name)
return NULL;
}
int crypt_backend_init(bool fips)
int crypt_backend_init(void)
{
int ret;
if (g_initialized)
return 0;
if (fips)
return -ENOTSUP;
mbedtls_version_get_string_full(g_backend_version);
mbedtls_entropy_init(&g_entropy);
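
Review bot: Dropping the fips parameter also drops the "if (fips) return -ENOTSUP;" refusal, so the mbedtls backend now initializes even when FIPS mode is expected. If that is intended, say so in the commit message; otherwise keep the refusal by checking crypt_fips_mode_kernel(), which this series adds, before continuing with initialization.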

View File

@@ -200,7 +200,7 @@ static struct hash_alg *_get_alg(const char *name)
return NULL;
}
int crypt_backend_init(bool fips __attribute__((unused)))
int crypt_backend_init(void)
{
return 0;
}

View File

@@ -62,7 +62,7 @@ static struct hash_alg *_get_alg(const char *name)
return NULL;
}
int crypt_backend_init(bool fips __attribute__((unused)))
int crypt_backend_init(void)
{
int r;

View File

@@ -205,12 +205,12 @@ static const char *openssl_backend_version(void)
}
#endif
int crypt_backend_init(bool fips)
int crypt_backend_init(void)
{
if (crypto_backend_initialised)
return 0;
if (openssl_backend_init(fips))
if (openssl_backend_init(crypt_fips_mode()))
return -EINVAL;
crypto_backend_initialised = 1;
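
Review bot: crypt_backend_init() now calls crypt_fips_mode() before crypto_backend_initialised is set. In the gcrypt backend shown earlier in this series, crypt_fips_mode() itself calls crypt_backend_init(); if the OpenSSL crypt_fips_mode() ever does the same, this becomes unbounded recursion. A short comment here stating that the OpenSSL crypt_fips_mode() must not depend on backend initialization would protect against that.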

View File

@@ -9,11 +9,9 @@
#define ATTR_NOINLINE __attribute__ ((noinline))
#define ATTR_ZERO_REGS
#if defined __has_attribute
# if __has_attribute (zero_call_used_regs)
#if HAVE_ATTRIBUTE_ZEROCALLUSEDREGS
# undef ATTR_ZERO_REGS
# define ATTR_ZERO_REGS __attribute__ ((zero_call_used_regs("used")))
# endif
#endif
/* Workaround for https://github.com/google/sanitizers/issues/1507 */
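
Review bot: Replacing the __has_attribute probe with "#if HAVE_ATTRIBUTE_ZEROCALLUSEDREGS" makes register zeroing depend on config.h having been included before this header. If it has not, the macro evaluates to 0, ATTR_ZERO_REGS stays empty and the hardening is silently lost (with only a -Wundef warning, if enabled). Make sure config.h is included ahead of this block in every translation unit that uses it, or keep the __has_attribute test as a fallback.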

View File

@@ -274,3 +274,20 @@ int crypt_utf8_to_utf16(char16_t **out, const char *s, size_t length)
*p = 0;
return 0;
}
/**
* crypt_char16_strlen()
* @s: string to get length of
*
* Returns: number of 16-bit words in the string
*/
size_t crypt_char16_strlen(const char16_t *s) {
size_t n = 0;
assert(s);
while (*s != 0)
n++, s++;
return n;
}
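
Review bot: crypt_char16_strlen() scans until it finds a zero word and has no length bound, so any caller that hands it a buffer which is not guaranteed to be terminated reads past the end. Add a maximum-length parameter (in the spirit of strnlen) or document in the header comment that the input must be a terminated string. The assert(s) also disappears under NDEBUG, so a NULL argument is then dereferenced.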

View File

@@ -151,6 +151,12 @@ int INTEGRITY_key_size(const char *integrity, int required_key_size)
ks = required_key_size ?: 32;
else if (!strcmp(integrity, "hmac(sha512)"))
ks = required_key_size ?: 64;
else if (!strcmp(integrity, "phmac(sha1)"))
ks = required_key_size ?: -EINVAL;
else if (!strcmp(integrity, "phmac(sha256)"))
ks = required_key_size ?: -EINVAL;
else if (!strcmp(integrity, "phmac(sha512)"))
ks = required_key_size ?: -EINVAL;
else if (!strcmp(integrity, "poly1305"))
ks = 0;
else if (!strcmp(integrity, "none"))
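
Review bot: The three phmac(...) branches return -EINVAL when required_key_size is 0, unlike the hmac(...) branches above them, which fall back to a default size, and there is no comment explaining why. Add a one-line comment stating that phmac has no default key size and the caller must supply one, and consider folding the three identical branches into a single prefix match.
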
@@ -180,6 +186,8 @@ int INTEGRITY_hash_tag_size(const char *integrity)
return 8;
r = sscanf(integrity, "hmac(%" MAX_CIPHER_LEN_STR "[^)]s", hash);
if (r != 1)
r = sscanf(integrity, "phmac(%" MAX_CIPHER_LEN_STR "[^)]s", hash);
if (r == 1)
r = crypt_hash_size(hash);
else
@@ -222,6 +230,12 @@ int INTEGRITY_tag_size(const char *integrity,
auth_tag_size = 32;
else if (!strcmp(integrity, "hmac(sha512)"))
auth_tag_size = 64;
else if (!strcmp(integrity, "phmac(sha1)"))
auth_tag_size = 20;
else if (!strcmp(integrity, "phmac(sha256)"))
auth_tag_size = 32;
else if (!strcmp(integrity, "phmac(sha512)"))
auth_tag_size = 64;
else if (!strcmp(integrity, "poly1305")) {
if (iv_tag_size)
iv_tag_size = 12;

View File

@@ -479,7 +479,7 @@ static int get_luks1_volume_key_by_keyring(struct crypt_device *cd,
int r;
assert(cd);
assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
assert(kc && kc->type == CRYPT_KC_TYPE_KEYRING);
assert(r_vk);
r = get_passphrase_by_keyring(cd, kc, CONST_CAST(const char **) &kc->i_passphrase,

View File

@@ -980,7 +980,7 @@ int crypt_resume_by_keyfile(struct crypt_device *cd,
* @param cd crypt device handle
* @param name name of device to resume
* @param volume_key provided volume key
* @param volume_key_size size of volume_key
* @param volume_key_size size of volume_key in bytes
*
* @return @e 0 on success or negative errno value otherwise.
*/
@@ -1152,7 +1152,7 @@ int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
* @param cd crypt device handle
* @param keyslot requested keyslot or CRYPT_ANY_SLOT
* @param volume_key provided volume key or @e NULL if used after crypt_format
* @param volume_key_size size of volume_key
* @param volume_key_size size of volume_key in bytes
* @param passphrase passphrase for new keyslot
* @param passphrase_size size of passphrase
*
@@ -1182,7 +1182,7 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
* @param cd crypt device handle
* @param keyslot requested keyslot or CRYPT_ANY_SLOT
* @param volume_key provided volume key or @e NULL (see note below)
* @param volume_key_size size of volume_key
* @param volume_key_size size of volume_key in bytes
* @param passphrase passphrase for new keyslot
* @param passphrase_size size of passphrase
* @param flags key flags to set
@@ -1289,7 +1289,7 @@ int crypt_keyslot_context_init_by_token(struct crypt_device *cd,
*
* @param volume_key provided volume key or @e NULL if used after crypt_format
* or with CRYPT_VOLUME_KEY_NO_SEGMENT flag
* @param volume_key_size size of volume_key
* @param volume_key_size size of volume_key in bytes
* @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEY
*
* @return zero on success or negative errno otherwise.
@@ -1305,9 +1305,9 @@ int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
* @param cd crypt device handle initialized to device context
*
* @param volume_key provided volume key
* @param volume_key_size size of volume_key
* @param volume_key_size size of volume_key in bytes
* @param signature buffer with signature for the key
* @param signature_size bsize of signature buffer
* @param signature_size size of signature buffer
* @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_SIGNED_KEY
*
* @return zero on success or negative errno otherwise.
@@ -1753,7 +1753,7 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
* @param cd crypt device handle
* @param name name of device to create, if @e NULL only check volume key
* @param volume_key provided volume key (or @e NULL to use internal)
* @param volume_key_size size of volume_key
* @param volume_key_size size of volume_key in bytes
* @param flags activation flags
*
* @return @e 0 on success or negative errno value otherwise.
@@ -1782,9 +1782,9 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
* @param cd crypt device handle
* @param name name of device to create
* @param volume_key provided volume key
* @param volume_key_size size of volume_key
* @param volume_key_size size of volume_key in bytes
* @param signature buffer with signature for the key
* @param signature_size bsize of signature buffer
* @param signature_size size of signature buffer
* @param flags activation flags
*
* @return @e 0 on success or negative errno value otherwise.
@@ -1865,7 +1865,7 @@ int crypt_deactivate(struct crypt_device *cd, const char *name);
* @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
* @param volume_key buffer for volume key
* @param volume_key_size on input, size of buffer @e volume_key,
* on output size of @e volume_key
* on output size of @e volume_key in bytes
* @param passphrase passphrase used to unlock volume key
* @param passphrase_size size of @e passphrase
*
@@ -1892,7 +1892,7 @@ int crypt_volume_key_get(struct crypt_device *cd,
* @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
* @param volume_key buffer for volume key
* @param volume_key_size on input, size of buffer @e volume_key,
* on output size of @e volume_key
* on output size of @e volume_key in bytes
* @param kc keyslot context used to unlock volume key
*
* @return unlocked key slot number or negative errno otherwise.
@@ -1925,7 +1925,7 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
*
* @param cd crypt device handle
* @param volume_key provided volume key
* @param volume_key_size size of @e volume_key
* @param volume_key_size size of @e volume_key in bytes
*
* @return @e 0 on success or negative errno value otherwise.
*
@@ -2117,6 +2117,18 @@ int crypt_header_is_detached(struct crypt_device *cd);
int crypt_get_verity_info(struct crypt_device *cd,
struct crypt_params_verity *vp);
/**
* Get FEC repaired block count for VERITY device.
*
* @param cd crypt device handle
* @param name verity device name
* @param repaired FEC repaired blocks
*
* @return @e 0 on success or negative errno value otherwise.
*/
int crypt_get_verity_repaired(struct crypt_device *cd, const char *name,
uint64_t *repaired);
/**
* Get device parameters for INTEGRITY device.
*
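
Review bot: The doc comment for crypt_get_verity_repaired() does not say what the caller gets when the kernel does not report a repaired-block count, nor whether repaired may be NULL. dm_status_verity_repaired() in this series returns -ENOTSUP in the first case and accepts a NULL pointer in the second; both belong in the public API description.
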
@@ -2172,7 +2184,7 @@ int crypt_benchmark(struct crypt_device *cd,
* @param password_size size of password
* @param salt salt for benchmark
* @param salt_size size of salt
* @param volume_key_size output volume key size
* @param volume_key_size output volume key size in bytes
* @param progress callback function
* @param usrptr provided identification in callback
*
@@ -2409,8 +2421,8 @@ void crypt_set_debug_level(int level);
* @param cd crypt device handle
* @param keyfile keyfile to read
* @param key buffer for key
* @param key_size_read size of read key
* @param keyfile_offset key offset in keyfile
* @param key_size_read size of read key in bytes
* @param keyfile_offset key offset in bytes in keyfile
* @param key_size exact key length to read from file or 0
* @param flags keyfile read flags
*

View File

@@ -195,3 +195,8 @@ CRYPTSETUP_2.8 {
crypt_get_old_volume_key_size;
crypt_format_inline;
} CRYPTSETUP_2.7;
CRYPTSETUP_2.9 {
global:
crypt_get_verity_repaired;
} CRYPTSETUP_2.8;

View File

@@ -1992,6 +1992,40 @@ int dm_status_verity_ok(struct crypt_device *cd, const char *name)
return r;
}
int dm_status_verity_repaired(struct crypt_device *cd, const char *name, uint64_t *repaired)
{
int r;
struct dm_info dmi;
char *status_line = NULL, *p;
uint64_t val64;
if (dm_init_context(cd, DM_VERITY))
return -ENOTSUP;
r = dm_status_dmi(name, &dmi, DM_VERITY_TARGET, &status_line);
dm_exit_context();
if (r < 0 || !status_line || !*status_line) {
free(status_line);
return r;
}
p = status_line + 1;
while (*p == ' ')
p++;
if (!*p || *p == '-' || sscanf(p, "%" PRIu64, &val64) != 1) {
free(status_line);
return -ENOTSUP;
}
log_dbg(cd, "Verity volume %s status is %s.", name, status_line ?: "");
if (repaired)
*repaired = val64;
free(status_line);
return 0;
}
int dm_status_integrity_failures(struct crypt_device *cd, const char *name, uint64_t *count)
{
int r;
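
Review bot: In dm_status_verity_repaired(), the early exit "if (r < 0 || !status_line || !*status_line) { free(status_line); return r; }" returns r unchanged when dm_status_dmi() succeeded but the status line is missing or empty. The caller then sees a non-negative result while *repaired was never written. Return an error such as -ENOTSUP for the empty-status case. The "status_line ?: \"\"" in the log_dbg() call is also redundant, because status_line is known to be non-NULL at that point.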

View File

@@ -58,6 +58,12 @@ typedef enum OpalStatus {
_OPAL_STATUS_MAX = 0x13,
} OpalStatus;
/*
* Also defined in TCG Core spec Section 5.1.5 but
* do not inflate the opal_status_table below
*/
#define OPAL_STATUS_FAIL 0x3f
static const char* const opal_status_table[_OPAL_STATUS_MAX] = {
[OPAL_STATUS_SUCCESS] = "success",
[OPAL_STATUS_NOT_AUTHORIZED] = "not authorized",
@@ -85,9 +91,9 @@ static const char *opal_status_to_string(int t)
if (t < 0)
return strerror(-t);
/* Fail, as defined by specification */
if (t == 0x3f)
return "unknown failure";
/* This will be checked upon 'Reactivate' method */
if (t == OPAL_STATUS_FAIL)
return "FAIL status";
if (t >= _OPAL_STATUS_MAX)
return "unknown error";
@@ -236,6 +242,8 @@ static int opal_ioctl(struct crypt_device *cd, int fd, unsigned long rq, void *a
opal_ioctl_debug(cd, rq, args, false, 0);
r = ioctl(fd, rq, args);
if (r < 0)
r = -errno;
opal_ioctl_debug(cd, rq, args, true, r);
return r;
@@ -396,6 +404,194 @@ static int opal_enabled(struct crypt_device *cd, struct device *dev)
return opal_query_status(cd, dev, OPAL_FL_LOCKING_ENABLED);
}
static int opal_activate_lsp(struct crypt_device *cd, int fd,
const void *admin_key, size_t admin_key_len)
{
int r;
struct opal_lr_act *activate = crypt_safe_alloc(sizeof(*activate));
if (!activate)
return -ENOMEM;
*activate = (struct opal_lr_act) {
.key = {
.key_len = admin_key_len,
},
/* useless but due to kernel bug it requires (num_lrs > 0 && num_lrs <= 9) */
.num_lrs = 1,
};
crypt_safe_memcpy(activate->key.key, admin_key, admin_key_len);
r = opal_ioctl(cd, fd, IOC_OPAL_TAKE_OWNERSHIP, &activate->key);
if (r < 0) {
r = -ENOTSUP;
log_dbg(cd, "OPAL not supported on this kernel version, refusing.");
goto out;
}
if (r == OPAL_STATUS_NOT_AUTHORIZED) /* We'll try again with a different key. */ {
r = -EPERM;
log_dbg(cd, "Failed to take ownership of OPAL device '%s': permission denied",
crypt_get_device_name(cd));
goto out;
}
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to take ownership of OPAL device '%s': %s",
crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
goto out;
}
r = opal_ioctl(cd, fd, IOC_OPAL_ACTIVATE_LSP, activate);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to activate OPAL device '%s': %s",
crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
}
out:
crypt_safe_free(activate);
return r;
}
static int opal_reuse_active_lsp(struct crypt_device *cd, int fd,
uint32_t segment_number,
const void *admin_key, size_t admin_key_len)
{
int r;
struct opal_session_info *user_session = crypt_safe_alloc(sizeof(*user_session));
if (!user_session)
return -ENOMEM;
*user_session = (struct opal_session_info) {
.who = OPAL_ADMIN1, /* irrelevant in SUM */
.opal_key = {
.lr = segment_number,
.key_len = admin_key_len,
},
};
/* If it is already enabled, wipe the locking range first */
crypt_safe_memcpy(user_session->opal_key.key, admin_key, admin_key_len);
r = opal_ioctl(cd, fd, IOC_OPAL_SECURE_ERASE_LR, user_session);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to reset (secure erase) OPAL locking range %u on device '%s': %s",
segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
}
out:
crypt_safe_free(user_session);
return r;
}
static int opal_setup_range(struct crypt_device *cd, int fd, uint32_t segment_number,
uint64_t range_start_blocks, uint64_t range_length_blocks,
const void *admin_key, size_t admin_key_len)
{
int r;
struct opal_user_lr_setup *setup = crypt_safe_alloc(sizeof(*setup));
if (!setup)
return -ENOMEM;
*setup = (struct opal_user_lr_setup) {
.range_start = range_start_blocks,
.range_length = range_length_blocks,
/* Some drives do not enable Locking Ranges on setup. This have some
* interesting consequences: Lock command called later below will pass,
* but locking range will _not_ be locked at all.
*/
.RLE = 1,
.WLE = 1,
.session = {
.who = OPAL_ADMIN1,
.opal_key = {
.key_len = admin_key_len,
.lr = segment_number,
},
},
};
crypt_safe_memcpy(setup->session.opal_key.key, admin_key, admin_key_len);
r = opal_ioctl(cd, fd, IOC_OPAL_LR_SETUP, setup);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to setup locking range of length %llu at offset %llu on OPAL device '%s': %s",
setup->range_length, setup->range_start, crypt_get_device_name(cd),
opal_status_to_string(r));
r = -EINVAL;
}
out:
crypt_safe_free(setup);
return r;
}
static int opal_setup_user(struct crypt_device *cd, int fd, uint32_t segment_number,
const void *admin_key, size_t admin_key_len)
{
int r;
struct opal_lock_unlock *user_add_to_lr = crypt_safe_alloc(sizeof(*user_add_to_lr));
if (!user_add_to_lr)
return -ENOMEM;
*user_add_to_lr = (struct opal_lock_unlock) {
.session = {
.who = segment_number + 1,
.opal_key = {
.lr = segment_number,
.key_len = admin_key_len,
},
},
.l_state = OPAL_RO,
};
crypt_safe_memcpy(user_add_to_lr->session.opal_key.key, admin_key, admin_key_len);
r = opal_ioctl(cd, fd, IOC_OPAL_ACTIVATE_USR, &user_add_to_lr->session);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to activate OPAL user on device '%s': %s",
crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
goto out;
}
r = opal_ioctl(cd, fd, IOC_OPAL_ADD_USR_TO_LR, user_add_to_lr);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to add OPAL user to locking range %u (RO) on device '%s': %s",
segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
goto out;
}
user_add_to_lr->l_state = OPAL_RW;
r = opal_ioctl(cd, fd, IOC_OPAL_ADD_USR_TO_LR, user_add_to_lr);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to add OPAL user to locking range %u (RW) on device '%s': %s",
segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
}
out:
crypt_safe_free(user_add_to_lr);
return r;
}
/* requires opal lock */
int opal_setup_ranges(struct crypt_device *cd,
struct device *dev,
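
Review bot: In opal_activate_lsp(), any negative result from IOC_OPAL_TAKE_OWNERSHIP is rewritten to -ENOTSUP and logged as "OPAL not supported on this kernel version". Now that opal_ioctl() returns -errno, that hides unrelated failures (permission, memory, I/O) behind a misleading message. Map only the errno values that really mean the ioctl is unavailable to -ENOTSUP and pass the others through, as the other new helpers already do with "if (r < 0) goto out;".
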
@@ -407,11 +603,8 @@ int opal_setup_ranges(struct crypt_device *cd,
const void *admin_key,
size_t admin_key_len)
{
struct opal_lr_act *activate = NULL;
struct opal_session_info *user_session = NULL;
struct opal_lock_unlock *user_add_to_lr = NULL, *lock = NULL;
struct opal_lock_unlock *lock = NULL;
struct opal_new_pw *new_pw = NULL;
struct opal_user_lr_setup *setup = NULL;
int r, fd;
assert(cd);
@@ -437,130 +630,16 @@ int opal_setup_ranges(struct crypt_device *cd,
return r;
/* If OPAL has never been enabled, we need to take ownership and do basic setup first */
if (r == 0) {
activate = crypt_safe_alloc(sizeof(struct opal_lr_act));
if (!activate) {
r = -ENOMEM;
goto out;
}
*activate = (struct opal_lr_act) {
.key = {
.key_len = admin_key_len,
},
.num_lrs = 8,
/* A max of 9 segments are supported, enable them all as there's no reason not to
* (0 is whole-volume)
*/
.lr = { 1, 2, 3, 4, 5, 6, 7, 8 },
};
crypt_safe_memcpy(activate->key.key, admin_key, admin_key_len);
r = opal_ioctl(cd, fd, IOC_OPAL_TAKE_OWNERSHIP, &activate->key);
if (r < 0) {
r = -ENOTSUP;
log_dbg(cd, "OPAL not supported on this kernel version, refusing.");
goto out;
}
if (r == OPAL_STATUS_NOT_AUTHORIZED) /* We'll try again with a different key. */ {
r = -EPERM;
log_dbg(cd, "Failed to take ownership of OPAL device '%s': permission denied",
crypt_get_device_name(cd));
goto out;
}
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to take ownership of OPAL device '%s': %s",
crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
goto out;
}
r = opal_ioctl(cd, fd, IOC_OPAL_ACTIVATE_LSP, activate);
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to activate OPAL device '%s': %s",
crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
goto out;
}
} else {
/* If it is already enabled, wipe the locking range first */
user_session = crypt_safe_alloc(sizeof(struct opal_session_info));
if (!user_session) {
r = -ENOMEM;
goto out;
}
*user_session = (struct opal_session_info) {
.who = OPAL_ADMIN1,
.opal_key = {
.lr = segment_number,
.key_len = admin_key_len,
},
};
crypt_safe_memcpy(user_session->opal_key.key, admin_key, admin_key_len);
r = opal_ioctl(cd, fd, IOC_OPAL_SECURE_ERASE_LR, user_session);
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to reset (secure erase) OPAL locking range %u on device '%s': %s",
segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
goto out;
}
}
crypt_safe_free(user_session);
user_session = crypt_safe_alloc(sizeof(struct opal_session_info));
if (!user_session) {
r = -ENOMEM;
if (r == 0)
r = opal_activate_lsp(cd, fd, admin_key, admin_key_len);
else
r = opal_reuse_active_lsp(cd, fd, segment_number, admin_key, admin_key_len);
if (r < 0)
goto out;
}
*user_session = (struct opal_session_info) {
.who = segment_number + 1,
.opal_key = {
.key_len = admin_key_len,
},
};
crypt_safe_memcpy(user_session->opal_key.key, admin_key, admin_key_len);
r = opal_ioctl(cd, fd, IOC_OPAL_ACTIVATE_USR, user_session);
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to activate OPAL user on device '%s': %s",
crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
r = opal_setup_user(cd, fd, segment_number, admin_key, admin_key_len);
if (r < 0)
goto out;
}
user_add_to_lr = crypt_safe_alloc(sizeof(struct opal_lock_unlock));
if (!user_add_to_lr) {
r = -ENOMEM;
goto out;
}
*user_add_to_lr = (struct opal_lock_unlock) {
.session = {
.who = segment_number + 1,
.opal_key = {
.lr = segment_number,
.key_len = admin_key_len,
},
},
.l_state = OPAL_RO,
};
crypt_safe_memcpy(user_add_to_lr->session.opal_key.key, admin_key, admin_key_len);
r = opal_ioctl(cd, fd, IOC_OPAL_ADD_USR_TO_LR, user_add_to_lr);
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to add OPAL user to locking range %u (RO) on device '%s': %s",
segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
goto out;
}
user_add_to_lr->l_state = OPAL_RW;
r = opal_ioctl(cd, fd, IOC_OPAL_ADD_USR_TO_LR, user_add_to_lr);
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to add OPAL user to locking range %u (RW) on device '%s': %s",
segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
goto out;
}
new_pw = crypt_safe_alloc(sizeof(struct opal_new_pw));
if (!new_pw) {
@@ -588,6 +667,8 @@ int opal_setup_ranges(struct crypt_device *cd,
crypt_safe_memcpy(new_pw->session.opal_key.key, admin_key, admin_key_len);
r = opal_ioctl(cd, fd, IOC_OPAL_SET_PW, new_pw);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to set OPAL user password on device '%s': (%d) %s",
crypt_get_device_name(cd), r, opal_status_to_string(r));
@@ -595,37 +676,10 @@ int opal_setup_ranges(struct crypt_device *cd,
goto out;
}
setup = crypt_safe_alloc(sizeof(struct opal_user_lr_setup));
if (!setup) {
r = -ENOMEM;
r = opal_setup_range(cd, fd, segment_number, range_start_blocks, range_length_blocks,
admin_key, admin_key_len);
if (r < 0)
goto out;
}
*setup = (struct opal_user_lr_setup) {
.range_start = range_start_blocks,
.range_length = range_length_blocks,
/* Some drives do not enable Locking Ranges on setup. This have some
* interesting consequences: Lock command called later below will pass,
* but locking range will _not_ be locked at all.
*/
.RLE = 1,
.WLE = 1,
.session = {
.who = OPAL_ADMIN1,
.opal_key = {
.key_len = admin_key_len,
.lr = segment_number,
},
},
};
crypt_safe_memcpy(setup->session.opal_key.key, admin_key, admin_key_len);
r = opal_ioctl(cd, fd, IOC_OPAL_LR_SETUP, setup);
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to setup locking range of length %llu at offset %llu on OPAL device '%s': %s",
setup->range_length, setup->range_start, crypt_get_device_name(cd), opal_status_to_string(r));
r = -EINVAL;
goto out;
}
/* After setup an OPAL device is unlocked, but the expectation with cryptsetup is that it needs
* to be activated separately, so lock it immediately. */
@@ -648,6 +702,8 @@ int opal_setup_ranges(struct crypt_device *cd,
crypt_volume_key_length(vk));
r = opal_ioctl(cd, fd, IOC_OPAL_LOCK_UNLOCK, lock);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to lock OPAL device '%s': %s",
crypt_get_device_name(cd), opal_status_to_string(r));
@@ -661,11 +717,7 @@ int opal_setup_ranges(struct crypt_device *cd,
&(uint64_t) {range_length_blocks * opal_block_bytes / SECTOR_SIZE},
&(bool) {true}, &(bool){true}, NULL, NULL);
out:
crypt_safe_free(activate);
crypt_safe_free(user_session);
crypt_safe_free(user_add_to_lr);
crypt_safe_free(new_pw);
crypt_safe_free(setup);
crypt_safe_free(lock);
return r;
@@ -737,6 +789,8 @@ static int opal_lock_unlock(struct crypt_device *cd,
unlock.flags = OPAL_SAVE_FOR_LOCK;
r = opal_ioctl(cd, fd, IOC_OPAL_SAVE, &unlock);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
if (!lock)
log_std(cd, "Failed to prepare OPAL device '%s' for sleep resume, be aware before suspending: %s",
@@ -790,7 +844,11 @@ int opal_factory_reset(struct crypt_device *cd,
if (password_len > OPAL_KEY_MAX)
return -EINVAL;
fd = device_open(cd, dev, O_RDONLY);
/*
* Submit PSID reset on R/W file descriptor so it
* triggers blkid rescan after we close it.
*/
fd = device_open(cd, dev, O_RDWR);
if (fd < 0)
return -EIO;
@@ -860,6 +918,8 @@ int opal_reset_segment(struct crypt_device *cd,
}
r = opal_ioctl(cd, fd, IOC_OPAL_SECURE_ERASE_LR, user_session);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to reset (secure erase) OPAL locking range %u on device '%s': %s",
segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
@@ -883,6 +943,8 @@ int opal_reset_segment(struct crypt_device *cd,
};
r = opal_ioctl(cd, fd, IOC_OPAL_LR_SETUP, setup);
if (r < 0)
goto out;
if (r != OPAL_STATUS_SUCCESS) {
log_dbg(cd, "Failed to disable locking range on OPAL device '%s': %s",
crypt_get_device_name(cd), opal_status_to_string(r));

View File

@@ -15,7 +15,7 @@ static json_object *parse_json_len(struct crypt_device *cd, const char *json_are
uint64_t max_length, int *json_len)
{
json_object *jobj;
struct json_tokener *jtok;
json_tokener *jtok;
/* INT32_MAX is internal (json-c) json_tokener_parse_ex() limit */
if (!json_area || max_length > INT32_MAX)

View File

@@ -203,7 +203,7 @@ int LUKS2_generate_hdr(
uint32_t opal_segment_number,
uint32_t opal_key_size)
{
struct json_object *jobj_segment, *jobj_keyslots, *jobj_segments, *jobj_config;
json_object *jobj_segment, *jobj_keyslots, *jobj_segments, *jobj_config;
uuid_t partitionUuid;
int r, digest;

View File

@@ -49,9 +49,9 @@ void JSON_DBG(struct crypt_device *cd, json_object *jobj, const char *desc)
/*
* JSON array helpers
*/
struct json_object *LUKS2_array_jobj(struct json_object *array, const char *num)
json_object *LUKS2_array_jobj(json_object *array, const char *num)
{
struct json_object *jobj1;
json_object *jobj1;
int i;
for (i = 0; i < (int) json_object_array_length(array); i++) {
@@ -63,9 +63,9 @@ struct json_object *LUKS2_array_jobj(struct json_object *array, const char *num)
return NULL;
}
struct json_object *LUKS2_array_remove(struct json_object *array, const char *num)
json_object *LUKS2_array_remove(json_object *array, const char *num)
{
struct json_object *jobj1, *jobj_removing = NULL, *array_new;
json_object *jobj1, *jobj_removing = NULL, *array_new;
int i;
jobj_removing = LUKS2_array_jobj(array, num);
@@ -1272,7 +1272,11 @@ int LUKS2_hdr_uuid(struct crypt_device *cd, struct luks2_hdr *hdr, const char *u
int LUKS2_hdr_labels(struct crypt_device *cd, struct luks2_hdr *hdr,
const char *label, const char *subsystem, int commit)
{
//FIXME: check if the labels are the same and skip this.
if ((label && strlen(label) >= LUKS2_LABEL_L) ||
(subsystem && strlen(subsystem) >= LUKS2_LABEL_L)) {
log_err(cd, _("Label is too long."));
return -EINVAL;
}
memset(hdr->label, 0, LUKS2_LABEL_L);
if (label)
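
Review bot: The new length check in LUKS2_hdr_labels() prints "Label is too long." for both arguments, so a user who passes an over-long subsystem string is told the label is at fault. Split the condition or word the message to name the offending field.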

View File

@@ -165,7 +165,7 @@ int LUKS2_keyslot_cipher_incompatible(struct crypt_device *cd, const char *ciphe
{
char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
if (!cipher_spec || crypt_is_cipher_null(cipher_spec))
if (!cipher_spec)
return 1;
/*
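
Review bot: Removing crypt_is_cipher_null(cipher_spec) from the early return in LUKS2_keyslot_cipher_incompatible() means a null cipher is no longer rejected as a keyslot cipher, and the hunk gives no comment on why. Since a null cipher leaves the keyslot area unencrypted, add a comment here pointing to the check that now constrains it (the empty-passphrase rule in luks2_keyslot_get_key()) so the relaxation is not read as an oversight.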

View File

@@ -336,6 +336,10 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
if (r < 0)
return r;
/* Allow only empty passphrase with null cipher */
if (crypt_is_cipher_null(cipher) && passwordLen)
return -EPERM;
if (!json_object_object_get_ex(jobj_area, "key_size", &jobj2))
return -EINVAL;
keyslot_key_len = json_object_get_int(jobj2);
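
Review bot: The "empty passphrase only" rule for the null cipher is enforced here in luks2_keyslot_get_key(), which is the unlock path. Nothing in this hunk shows the same rule on the path that writes a keyslot, so a null-cipher keyslot could be stored with a non-empty passphrase and then be refused with -EPERM on every open. Confirm the store path applies the same check, or add it alongside this one.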

View File

@@ -45,11 +45,11 @@ out:
return r;
}
static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struct json_object **keyslot_object)
static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, json_object **keyslot_object)
{
char *base64_str, cipher[LUKS_CIPHERNAME_L+LUKS_CIPHERMODE_L];
size_t base64_len;
struct json_object *keyslot_obj, *field, *jobj_kdf, *jobj_af, *jobj_area;
json_object *keyslot_obj, *field, *jobj_kdf, *jobj_af, *jobj_area;
uint64_t offset, area_size, length;
int r;
@@ -136,10 +136,10 @@ err:
return r;
}
static int json_luks1_keyslots(const struct luks_phdr *hdr_v1, struct json_object **keyslots_object)
static int json_luks1_keyslots(const struct luks_phdr *hdr_v1, json_object **keyslots_object)
{
int keyslot, r;
struct json_object *keyslot_obj, *field;
json_object *keyslot_obj, *field;
keyslot_obj = json_object_new_object();
if (!keyslot_obj)
@@ -165,11 +165,11 @@ static int json_luks1_keyslots(const struct luks_phdr *hdr_v1, struct json_objec
return 0;
}
static int json_luks1_segment(const struct luks_phdr *hdr_v1, struct json_object **segment_object)
static int json_luks1_segment(const struct luks_phdr *hdr_v1, json_object **segment_object)
{
const char *c;
char cipher[LUKS_CIPHERNAME_L+LUKS_CIPHERMODE_L];
struct json_object *segment_obj, *field;
json_object *segment_obj, *field;
uint64_t number;
segment_obj = json_object_new_object();
@@ -239,10 +239,10 @@ static int json_luks1_segment(const struct luks_phdr *hdr_v1, struct json_object
return 0;
}
static int json_luks1_segments(const struct luks_phdr *hdr_v1, struct json_object **segments_object)
static int json_luks1_segments(const struct luks_phdr *hdr_v1, json_object **segments_object)
{
int r;
struct json_object *segments_obj, *field;
json_object *segments_obj, *field;
segments_obj = json_object_new_object();
if (!segments_obj)
@@ -264,12 +264,12 @@ static int json_luks1_segments(const struct luks_phdr *hdr_v1, struct json_objec
return 0;
}
static int json_luks1_digest(const struct luks_phdr *hdr_v1, struct json_object **digest_object)
static int json_luks1_digest(const struct luks_phdr *hdr_v1, json_object **digest_object)
{
char keyslot_str[16], *base64_str;
int r, ks;
size_t base64_len;
struct json_object *digest_obj, *array, *field;
json_object *digest_obj, *array, *field;
digest_obj = json_object_new_object();
if (!digest_obj)
@@ -380,10 +380,10 @@ static int json_luks1_digest(const struct luks_phdr *hdr_v1, struct json_object
return 0;
}
static int json_luks1_digests(const struct luks_phdr *hdr_v1, struct json_object **digests_object)
static int json_luks1_digests(const struct luks_phdr *hdr_v1, json_object **digests_object)
{
int r;
struct json_object *digests_obj, *field;
json_object *digests_obj, *field;
digests_obj = json_object_new_object();
if (!digests_obj)
@@ -400,10 +400,10 @@ static int json_luks1_digests(const struct luks_phdr *hdr_v1, struct json_object
return 0;
}
static int json_luks1_object(struct luks_phdr *hdr_v1, struct json_object **luks1_object, uint64_t keyslots_size)
static int json_luks1_object(struct luks_phdr *hdr_v1, json_object **luks1_object, uint64_t keyslots_size)
{
int r;
struct json_object *luks1_obj, *field;
json_object *luks1_obj, *field;
uint64_t json_size;
luks1_obj = json_object_new_object();

View File

@@ -34,7 +34,7 @@ struct luks2_reencrypt {
/* already running reencryption */
json_object *jobj_segs_hot;
struct json_object *jobj_segs_post;
json_object *jobj_segs_post;
/* backup segments */
json_object *jobj_segment_new;
@@ -54,6 +54,8 @@ struct luks2_reencrypt {
uint32_t wflags1;
uint32_t wflags2;
struct device *hotzone_device;
struct crypt_lock_handle *reenc_lock;
};
#if USE_LUKS2_REENCRYPTION
@@ -882,6 +884,8 @@ void LUKS2_reencrypt_free(struct crypt_device *cd, struct luks2_reencrypt *rh)
rh->cw1 = NULL;
crypt_storage_wrapper_destroy(rh->cw2);
rh->cw2 = NULL;
device_free(cd, rh->hotzone_device);
rh->hotzone_device = NULL;
free(rh->device_name);
free(rh->overlay_name);
@@ -2142,34 +2146,22 @@ static int reencrypt_make_targets(struct crypt_device *cd,
* 2) can't we derive hotzone device name from crypt context? (unlocked name, device uuid, etc?)
*/
static int reencrypt_load_overlay_device(struct crypt_device *cd, struct luks2_hdr *hdr,
const char *overlay, const char *hotzone, struct volume_key *vks, uint64_t size,
const char *overlay, struct device *hotzone_device, struct volume_key *vks, uint64_t size,
uint32_t flags)
{
char hz_path[PATH_MAX];
int r;
struct device *hz_dev = NULL;
struct crypt_dm_active_device dmd = {
.flags = flags,
};
log_dbg(cd, "Loading new table for overlay device %s.", overlay);
r = snprintf(hz_path, PATH_MAX, "%s/%s", dm_get_dir(), hotzone);
if (r < 0 || r >= PATH_MAX) {
r = -EINVAL;
goto out;
}
r = device_alloc(cd, &hz_dev, hz_path);
if (r)
goto out;
r = dm_targets_allocate(&dmd.segment, LUKS2_segments_count(hdr));
if (r)
goto out;
r = reencrypt_make_targets(cd, hdr, hz_dev, vks, &dmd.segment, size);
r = reencrypt_make_targets(cd, hdr, hotzone_device, vks, &dmd.segment, size);
if (r < 0)
goto out;
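Review bot: reencrypt_load_overlay_device now trusts the caller for hotzone_device and hands it straight to reencrypt_make_targets, where previously the device was allocated locally and an allocation failure was caught here. Add assert(hotzone_device) at the top of the function, matching the asserts added in reencrypt_init_device_stack.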
@@ -2178,7 +2170,6 @@ static int reencrypt_load_overlay_device(struct crypt_device *cd, struct luks2_h
/* what else on error here ? */
out:
dm_targets_free(cd, &dmd);
device_free(cd, hz_dev);
return r;
}
@@ -2305,9 +2296,13 @@ out:
}
static int reencrypt_init_device_stack(struct crypt_device *cd,
const struct luks2_reencrypt *rh)
struct luks2_reencrypt *rh)
{
int r;
char hz_path[PATH_MAX];
assert(rh);
assert(!rh->hotzone_device);
/* Activate hotzone device 1:1 linear mapping to data_device */
r = reencrypt_activate_hotzone_device(cd, rh->hotzone_name, rh->device_size, CRYPT_ACTIVATE_PRIVATE);
@@ -2316,6 +2311,18 @@ static int reencrypt_init_device_stack(struct crypt_device *cd,
return r;
}
r = snprintf(hz_path, PATH_MAX, "%s/%s", dm_get_dir(), rh->hotzone_name);
if (r < 0 || r >= PATH_MAX) {
r = -EINVAL;
goto err;
}
r = device_alloc(cd, &rh->hotzone_device, hz_path);
if (r) {
log_err(cd, _("Failed to allocate hotzone device %s."), rh->hotzone_name);
goto err;
}
/*
* Activate overlay device with exactly same table as original 'name' mapping.
* Note that within this step the 'name' device may already include a table
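Review bot: of the two new failure paths only the device_alloc one logs; an over-long hz_path sets -EINVAL and jumps to err silently. Both paths run after the hotzone device has been activated, so please confirm that the err label deactivates it, and add a message on the snprintf path so the two failures can be told apart.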
@@ -2395,11 +2402,12 @@ static int reencrypt_refresh_overlay_devices(struct crypt_device *cd,
struct luks2_hdr *hdr,
const char *overlay,
const char *hotzone,
struct device *hotzone_device,
struct volume_key *vks,
uint64_t device_size,
uint32_t flags)
{
int r = reencrypt_load_overlay_device(cd, hdr, overlay, hotzone, vks, device_size, flags);
int r = reencrypt_load_overlay_device(cd, hdr, overlay, hotzone_device, vks, device_size, flags);
if (r) {
log_err(cd, _("Failed to reload device %s."), overlay);
return REENC_ERR;
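Review bot: reencrypt_refresh_overlay_devices now takes both `const char *hotzone` and `struct device *hotzone_device`, two parameters that must describe the same device with nothing enforcing it. Passing the luks2_reencrypt handle instead, or documenting that hotzone_device must be the device allocated for hotzone, would rule out a mismatched pair at a future call site.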
@@ -4083,7 +4091,8 @@ static reenc_status_t reencrypt_step(struct crypt_device *cd,
}
if (online) {
r = reencrypt_refresh_overlay_devices(cd, hdr, rh->overlay_name, rh->hotzone_name, rh->vks, rh->device_size, rh->flags);
r = reencrypt_refresh_overlay_devices(cd, hdr, rh->overlay_name, rh->hotzone_name,
rh->hotzone_device, rh->vks, rh->device_size, rh->flags);
/* Teardown overlay devices with dm-error. None bio shall pass! */
if (r != REENC_OK)
return r;

View File

@@ -105,6 +105,7 @@ static void *token_dlvsym(struct crypt_device *cd,
log_dbg(cd, "Loading symbol %s@%s.", symbol, version);
sym = dlvsym(handle, symbol, version);
#else
UNUSED(version);
log_dbg(cd, "Loading default version of symbol %s.", symbol);
sym = dlsym(handle, symbol);
#endif

View File

@@ -267,7 +267,7 @@ int init_crypto(struct crypt_device *ctx)
return r;
}
r = crypt_backend_init(crypt_fips_mode());
r = crypt_backend_init();
if (r < 0)
log_err(ctx, _("Cannot initialize crypto backend."));
@@ -3007,6 +3007,12 @@ int crypt_format_inline(struct crypt_device *cd,
log_dbg(cd, "Formatting device %s as type %s with inline tags.", mdata_device_path(cd) ?: "(none)", type);
crypt_reset_null_type(cd);
r = init_crypto(cd);
if (r < 0)
return r;
if (isINTEGRITY(type)) {
lparams = NULL;
iparams = params;
@@ -3039,7 +3045,11 @@ int crypt_format_inline(struct crypt_device *cd,
iparams->journal_integrity_key_size))
return -EINVAL;
if (!device_is_nop_dif(idevice, &device_tag_size)) {
r = device_is_nop_dif(idevice, &device_tag_size);
if (r < 0)
return r;
if (!r) {
log_err(cd, _("Device %s does not provide inline integrity data fields."), mdata_device_path(cd));
return -EINVAL;
}
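Review bot: the new `if (r < 0) return r;` branch returns without a message, while the `!r` branch logs that the device lacks inline integrity data fields. A failed probe inside device_is_nop_dif then ends crypt_format_inline with a bare error code; add a log_err on that branch as well.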
@@ -5440,6 +5450,9 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd,
return _activate_loopaes(cd, name, passphrase, passphrase_size, flags);
}
if (flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF)
cd->memory_hard_pbkdf_lock_enabled = true;
/* acquire the volume key(s) */
r = -EINVAL;
if (isLUKS1(cd->type)) {
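Review bot: memory_hard_pbkdf_lock_enabled is only ever set to true here, so once one call passes CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF the same context keeps serializing for later calls that omit the flag, unless it is cleared somewhere outside this hunk. If per-call behaviour is intended, assign the field from the flag test on every call; if the sticky behaviour is intended, say so in a comment.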
@@ -5911,7 +5924,7 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
struct volume_key *vk = NULL;
if (!cd || !volume_key || !volume_key_size ||
(!kc && !isLUKS(cd->type) && !isTCRYPT(cd->type) && !isVERITY(cd->type)))
(!kc && !isLUKS(cd->type) && !isTCRYPT(cd->type) && !isVERITY(cd->type) && !isBITLK(cd->type)))
return -EINVAL;
if (isLUKS2(cd->type) && keyslot != CRYPT_ANY_SLOT)
@@ -5971,6 +5984,8 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
} else if (isBITLK(cd->type)) {
if (kc && kc->get_bitlk_volume_key)
r = kc->get_bitlk_volume_key(cd, kc, &cd->u.bitlk.params, &vk);
else if (!kc)
r = BITLK_get_volume_key(cd, NULL, 0, &cd->u.bitlk.params, &vk);
if (r < 0)
log_err(cd, _("Cannot retrieve volume key for BITLK device."));
} else if (isFVAULT2(cd->type)) {
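Review bot: with `kc == NULL` now routed to BITLK_get_volume_key(cd, NULL, 0, ...), a volume that cannot be unlocked without a password fails here with "Cannot retrieve volume key for BITLK device.", which does not tell the user that a passphrase or keyfile is required. Consider a distinct message for the no-context case, and document in the API comment what a NULL keyslot context means for BITLK.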
@@ -6780,6 +6795,16 @@ int crypt_get_verity_info(struct crypt_device *cd,
return 0;
}
int crypt_get_verity_repaired(struct crypt_device *cd, const char *name,
uint64_t *repaired)
{
if (!cd || !isVERITY(cd->type) || !name || !repaired)
return -EINVAL;
return dm_status_verity_repaired(cd, name, repaired);
}
int crypt_get_integrity_info(struct crypt_device *cd,
struct crypt_params_integrity *ip)
{
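Review bot: crypt_get_verity_repaired is added without a comment saying what `repaired` counts or that `name` must be an active verity mapping, and the isVERITY(cd->type) test ties the call to how the context was initialised. State both in the API documentation, together with the errors other than -EINVAL that dm_status_verity_repaired can return.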

View File

@@ -926,6 +926,26 @@ out:
return r;
}
static bool is_tcrypt_subdev(const char *dm_uuid, const char *base_uuid)
{
const char *base_uuid_name;
assert(base_uuid);
base_uuid_name = strchr(base_uuid, '-');
if (!dm_uuid || !base_uuid_name)
return false;
if (!strncmp(dm_uuid, "SUBDEV-", 7))
return !strncmp(dm_uuid + 6, base_uuid_name, strlen(base_uuid_name));
/*
* FIXME: Drop after shift to dependency based deactivation (CRYPT_SUBDEV)
* in later releases
*/
return !strncmp(dm_uuid, base_uuid, strlen(base_uuid));
}
static int TCRYPT_remove_one(struct crypt_device *cd, const char *name,
const char *base_uuid, int index, uint32_t flags)
{
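Review bot: in is_tcrypt_subdev the prefix test uses length 7 but the comparison starts at `dm_uuid + 6`, which reads like an off-by-one until one notices that base_uuid_name begins at the '-' returned by strchr. Derive both numbers from the "SUBDEV-" literal or add a one-line comment, so that a later edit does not "fix" the 6. base_uuid is asserted while dm_uuid is NULL-checked; a note on why they are treated differently would also help.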
@@ -941,9 +961,7 @@ static int TCRYPT_remove_one(struct crypt_device *cd, const char *name,
return r;
r = dm_query_device(cd, dm_name, DM_ACTIVE_UUID, &dmd);
if (!r &&
(!strncmp(dmd.uuid, base_uuid, strlen(base_uuid)) ||
!dm_uuid_cmp(dmd.uuid, strchr(base_uuid, '-'))))
if (!r && is_tcrypt_subdev(dmd.uuid, base_uuid))
r = dm_remove_device(cd, dm_name, flags);
free(CONST_CAST(void*)dmd.uuid);
@@ -1007,7 +1025,7 @@ static int TCRYPT_status_one(struct crypt_device *cd, const char *name,
r = 0;
if (!strncmp(dmd.uuid, base_uuid, strlen(base_uuid))) {
if (is_tcrypt_subdev(dmd.uuid, base_uuid)) {
if ((c = strchr(tgt->u.crypt.cipher, '-')))
*c = '\0';
strcat(cipher, "-");

View File

@@ -119,6 +119,21 @@ int crypt_parse_integrity_mode(const char *s, char *integrity,
} else if (!strcmp(s, "hmac-sha512")) {
strncpy(integrity, "hmac(sha512)", MAX_CIPHER_LEN);
ks = required_key_size ?: 64;
} else if (!strcmp(s, "phmac-sha1")) {
strncpy(integrity, "phmac(sha1)", MAX_CIPHER_LEN);
ks = required_key_size;
if (!required_key_size)
r = -EINVAL;
} else if (!strcmp(s, "phmac-sha256")) {
strncpy(integrity, "phmac(sha256)", MAX_CIPHER_LEN);
ks = required_key_size;
if (!required_key_size)
r = -EINVAL;
} else if (!strcmp(s, "phmac-sha512")) {
strncpy(integrity, "phmac(sha512)", MAX_CIPHER_LEN);
ks = required_key_size;
if (!required_key_size)
r = -EINVAL;
} else if (!strcmp(s, "cmac-aes")) {
strncpy(integrity, "cmac(aes)", MAX_CIPHER_LEN);
ks = 16;
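Review bot: the three phmac branches are identical apart from the hash name, and each still copies the integrity string before setting r = -EINVAL when required_key_size is zero, with nothing in these branches reporting that phmac needs an explicit key size. Fold them into one helper or a small table, and report the missing key size so the user does not see a bare invalid-argument error.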

View File

@@ -1004,12 +1004,26 @@ int device_is_zoned(struct device *device)
int device_is_nop_dif(struct device *device, uint32_t *tag_size)
{
char *base_device_path;
int r;
struct stat st;
if (!device)
return -EINVAL;
if (stat(device_path(device), &st) < 0)
/*
* For partition devices, check integrity profile on the base device.
* Partition device nodes don't advertise integrity profile directly
* via sysfs attributes.
*/
base_device_path = crypt_get_base_device(device_path(device));
if (base_device_path) {
r = stat(base_device_path, &st);
free(base_device_path);
} else
r = stat(device_path(device), &st);
if (r < 0)
return -EINVAL;
if (!S_ISBLK(st.st_mode))
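Review bot: the new `} else` after a braced if body leaves the else branch unbraced; brace both branches. Since crypt_format_inline now propagates this function's negative return, returning -errno from the failed stat instead of collapsing every failure to -EINVAL would preserve the reason for the failure.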

View File

@@ -205,6 +205,7 @@ int dm_status_device(struct crypt_device *cd, const char *name);
int dm_status_suspended(struct crypt_device *cd, const char *name);
int dm_status_verity_ok(struct crypt_device *cd, const char *name);
int dm_status_integrity_failures(struct crypt_device *cd, const char *name, uint64_t *count);
int dm_status_verity_repaired(struct crypt_device *cd, const char *name, uint64_t *repaired);
int dm_query_device(struct crypt_device *cd, const char *name,
uint64_t get_flags, struct crypt_dm_active_device *dmd);
int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix,

View File

@@ -169,6 +169,11 @@ int verify_pbkdf_params(struct crypt_device *cd,
log_err(cd, _("Requested maximum PBKDF memory cannot be zero."));
r = -EINVAL;
}
if (pbkdf->parallel_threads > pbkdf_limits.max_parallel) {
log_err(cd, _("Requested maximum PBKDF parallel cost is too high (maximum is %d)."),
pbkdf_limits.max_parallel);
r = -EINVAL;
}
if (!pbkdf->parallel_threads) {
log_err(cd, _("Requested PBKDF parallel threads cannot be zero."));
r = -EINVAL;
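Review bot: the new message reads "Requested maximum PBKDF parallel cost is too high", but the value checked is pbkdf->parallel_threads, not a maximum; the word looks carried over from the max-memory message above. Suggest "Requested PBKDF parallel threads is too high (maximum is %d).", in line with the wording of the zero check that follows. Please also confirm that %d matches the type of pbkdf_limits.max_parallel.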
@@ -241,12 +246,6 @@ int init_pbkdf_type(struct crypt_device *cd,
cd_pbkdf->max_memory_kb = pbkdf->max_memory_kb;
cd_pbkdf->parallel_threads = pbkdf->parallel_threads;
if (cd_pbkdf->parallel_threads > pbkdf_limits.max_parallel) {
log_dbg(cd, "Maximum PBKDF threads is %d (requested %d).",
pbkdf_limits.max_parallel, cd_pbkdf->parallel_threads);
cd_pbkdf->parallel_threads = pbkdf_limits.max_parallel;
}
/* Do not limit threads by online CPUs if user forced values (no benchmark). */
if (cd_pbkdf->parallel_threads && !(cd_pbkdf->flags & CRYPT_PBKDF_NO_BENCHMARK)) {
cpus = crypt_cpusonline();
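Review bot: dropping the clamp in init_pbkdf_type turns an over-limit parallel_threads from a silently reduced value into a hard -EINVAL from verify_pbkdf_params, which is a behaviour change for existing API users and scripts. It should be called out in the release notes and in the --pbkdf-parallel documentation, and it relies on every path into init_pbkdf_type having run verify_pbkdf_params first.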

View File

@@ -327,24 +327,6 @@ ssize_t crypt_storage_wrapper_encrypt_write(struct crypt_storage_wrapper *cw,
cw->data_offset + offset);
}
ssize_t crypt_storage_wrapper_encrypt(struct crypt_storage_wrapper *cw,
off_t offset, void *buffer, size_t buffer_length)
{
if (cw->type == NONE)
return 0;
if (cw->type == DMCRYPT)
return -ENOTSUP;
if (crypt_storage_encrypt(cw->u.cb.s,
cw->u.cb.iv_start + (offset >> SECTOR_SHIFT),
buffer_length,
buffer))
return -EINVAL;
return 0;
}
void crypt_storage_wrapper_destroy(struct crypt_storage_wrapper *cw)
{
if (!cw)

View File

@@ -53,8 +53,6 @@ ssize_t crypt_storage_wrapper_write(struct crypt_storage_wrapper *cw,
off_t offset, void *buffer, size_t buffer_length);
ssize_t crypt_storage_wrapper_encrypt_write(struct crypt_storage_wrapper *cw,
off_t offset, void *buffer, size_t buffer_length);
ssize_t crypt_storage_wrapper_encrypt(struct crypt_storage_wrapper *cw,
off_t offset, void *buffer, size_t buffer_length);
int crypt_storage_wrapper_datasync(const struct crypt_storage_wrapper *cw);

View File

@@ -50,7 +50,7 @@ static void wipeSpecial(char *buffer, size_t buffer_size, unsigned int turn)
{
unsigned int i;
unsigned char write_modes[][3] = {
const unsigned char write_modes[27][4] = {
{"\x55\x55\x55"}, {"\xaa\xaa\xaa"}, {"\x92\x49\x24"},
{"\x49\x24\x92"}, {"\x24\x92\x49"}, {"\x00\x00\x00"},
{"\x11\x11\x11"}, {"\x22\x22\x22"}, {"\x33\x33\x33"},
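Review bot: widening the rows to [4] gives each three-byte literal room for its terminating NUL, but hardcoding the first dimension as 27 means a miscounted initializer would be padded with all-zero rows without any diagnostic. Leave the first dimension empty (`write_modes[][4]`) so the compiler derives it, and confirm that the code using the table still copies 3 bytes per pattern rather than the size of a row.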

View File

@@ -1,17 +1,15 @@
== REPORTING BUGS
Report bugs at mailto:cryptsetup@lists.linux.dev[*cryptsetup mailing list*]
or in https://gitlab.com/cryptsetup/cryptsetup/-/issues/new[*Issues project section*].
Report bugs at mailto:cryptsetup@lists.linux.dev[cryptsetup mailing list] or in https://gitlab.com/cryptsetup/cryptsetup/-/issues/new[Issues project section].
Please attach output of the failed command with --debug option added.
Please attach the output of the failed command with --debug option added.
== SEE ALSO
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions[*Cryptsetup FAQ*]
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions[Cryptsetup FAQ]
*cryptsetup*(8), *integritysetup*(8) and *veritysetup*(8)
== CRYPTSETUP
Part of https://gitlab.com/cryptsetup/cryptsetup/[*cryptsetup project*].
Part of https://gitlab.com/cryptsetup/cryptsetup/[cryptsetup project].

File diff suppressed because it is too large

View File

@@ -16,26 +16,20 @@ cryptsetup-benchmark - benchmarks ciphers and KDF
== DESCRIPTION
Benchmarks ciphers and KDF (key derivation function). Without
parameters, it tries to measure few common configurations.
Benchmarks, ciphers and KDF (key derivation function).
Without parameters, it tries to measure a few common configurations.
To benchmark other ciphers or modes, you need to specify *--cipher* and
*--key-size* options.
To benchmark other ciphers or modes, specify --cipher and --key-size options.
To benchmark PBKDF you need to specify *--pbkdf* or *--hash* with optional
cost parameters *--iter-time*, *--pbkdf-memory* or *--pbkdf-parallel*.
To benchmark PBKDF you need to specify --pbkdf or --hash with optional cost parameters --iter-time, --pbkdf-memory or --pbkdf-parallel.
*NOTE:* This benchmark uses memory only and is only informative. You
cannot directly predict real storage encryption speed from it.
This benchmark uses memory only and is only informative.
You cannot directly predict real storage encryption speed from it.
For testing block ciphers, this benchmark requires kernel userspace
crypto API to be available (introduced in Linux kernel 2.6.38). If you
are configuring kernel yourself, enable "User-space interface for
symmetric key cipher algorithms" in "Cryptographic API" section
(CRYPTO_USER_API_SKCIPHER .config option).
For testing block ciphers, this benchmark requires the kernel userspace crypto API to be available.
If you are configuring the kernel yourself, enable "User-space interface for symmetric key cipher algorithms" in "Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
*<options>* can be [--cipher, --key-size, --hash, --pbkdf, --iter-time,
--pbkdf-memory, --pbkdf-parallel].
*<options>* can be [--cipher, --key-size, --hash, --pbkdf, --iter-time, --pbkdf-memory, --pbkdf-parallel].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
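Review bot: the rewritten first sentence, "Benchmarks, ciphers and KDF (key derivation function).", gains a comma that turns the verb into a noun list; it should stay "Benchmarks ciphers and KDF (key derivation function).". The rewrite also drops the "(introduced in Linux kernel 2.6.38)" remark and the bold on option names; if the unbolding is a deliberate style change, apply it uniformly, since the convert page in this series still writes *--type*.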

View File

@@ -18,17 +18,14 @@ cryptsetup-bitlkDump - dump the header information of a BITLK (BitLocker compati
Dump the header information of a BITLK (BitLocker compatible) device.
If the --dump-volume-key option is used, the BITLK device volume key
is dumped instead of header information. You have to provide password
or keyfile to dump volume key.
If the --dump-volume-key option is used, the BITLK device volume key is dumped instead of header information.
You have to provide a password or keyfile to dump the volume key.
Beware that the volume key can be used to decrypt the data stored in
the container without a passphrase.
This means that if the volume key is compromised, the whole device has
to be erased to prevent further access. Use this option carefully.
Beware that the volume key can be used to decrypt the data stored in the container without a passphrase.
This means that if the volume key is compromised, the whole device has to be erased to prevent further access.
Use this option carefully.
*<options>* can be [--dump-volume-key, --volume-key-file, --key-file,
--keyfile-offset, --keyfile-size, --timeout].
*<options>* can be [--dump-volume-key, --volume-key-file, --key-file, --keyfile-offset, --keyfile-size, --timeout].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]

View File

@@ -16,13 +16,9 @@ cryptsetup-close - removes the existing mapping <name> (and the associated key)
== DESCRIPTION
Removes the existing mapping <name> and wipes the key from kernel
memory.
Removes the existing mapping <name> and wipes the key from kernel memory.
For backward compatibility, there are *close* command aliases: *remove*,
*plainClose*, *luksClose*, *loopaesClose*, *tcryptClose*, *bitlkClose*
(all behave exactly the same, device type is determined automatically
from the active device).
For backward compatibility, there are *close* command aliases: *remove*, *plainClose*, *luksClose*, *loopaesClose*, *tcryptClose*, *bitlkClose* (all behave the same, device type is determined automatically from the active device).
*<options>* can be [--deferred, --cancel-deferred, --header, --disable-locks].

View File

@@ -16,15 +16,12 @@ cryptsetup-config - set permanent configuration options (store to LUKS header)
== DESCRIPTION
Set permanent configuration options (store to LUKS header). The _config_
command is supported only for LUKS2.
Set permanent configuration options (store to LUKS header).
The _config_ command is supported only for LUKS2.
The permanent options can be _--priority_ to set priority (normal,
prefer, ignore) for keyslot (specified by _--key-slot_) or _--label_ and
_--subsystem_.
The permanent options can be --priority to set priority (normal, prefer, ignore) for keyslot (specified by --key-slot) or --label and --subsystem.
*<options>* can be [--priority, --label, --subsystem, --key-slot,
--header, --disable-locks].
*<options>* can be [--priority, --label, --subsystem, --key-slot, --header, --disable-locks].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]

View File

@@ -16,26 +16,21 @@ cryptsetup-convert - converts the device between LUKS1 and LUKS2 format
== DESCRIPTION
Converts the device between LUKS1 and LUKS2 format (if possible). The
conversion will not be performed if there is an additional LUKS2 feature
or LUKS1 has unsupported header size.
Converts the device between LUKS1 and LUKS2 format (if possible).
The conversion will not be performed if there is an additional LUKS2 feature or LUKS1 has an unsupported header size.
For conversion from LUKS2 to LUKS1, all active keyslots must use the PBKDF2
key-derivation function. The PBKDF2 and anti-forensic filter (AF) hash must
be the same as the hash used in the digest.
For conversion from LUKS2 to LUKS1, all active keyslots must use the PBKDF2 key-derivation function.
The PBKDF2 and anti-forensic filter (AF) hash must be the same as the hash used in the digest.
All keyslot numbers must be lower than 8 (LUKS1 maximum slot number).
There must be at least one active keyslot and no unbound or reencryption keyslots.
Conversion (both directions) must be performed on inactive device. There
must not be active dm-crypt mapping established for LUKS header
requested for conversion.
Conversion (both directions) must be performed on an inactive device.
There must not be an active dm-crypt mapping established for the LUKS header requested for conversion.
The *--type* option is mandatory with the following accepted values: _luks1_ or
_luks2_.
The *--type* option is mandatory with the following accepted values: _luks1_ or _luks2_.
*WARNING:* The _convert_ action can destroy the LUKS header in the case
of a crash during conversion or if a media error occurs. Always create a
header backup before performing this operation!
*WARNING:* The _convert_ action can destroy the LUKS header in the case of a crash during conversion or if a media error occurs.
Always create a header backup before performing this operation!
*<options>* can be [--header, --type, --disable-locks].

View File

@@ -17,16 +17,18 @@ cryptsetup-erase, cryptsetup-luksErase - erase all keyslots
== DESCRIPTION
Erase all keyslots and make the LUKS container permanently inaccessible.
Unless the device is configured with HW OPAL support you do not need to
provide any password for this operation.
Erase all keyslots, removing the volume key.
Unless the device is configured with OPAL self-encrypting drive support, you do not need to provide any password for this operation.
*WARNING:* This operation is irreversible.
This operation is irreversible.
Unless you have a header backup, all old encrypted data in the container will be permanently irretrievable.
Header backup cannot be used to recover data from OPAL self-encrypting drives, as the keys are permanently removed from hardware.
*WARNING:* with *--hw-opal-factory-reset* ALL data is lost on the device,
regardless of the partition it is ran on, if any, and regardless of any LUKS2
header backup, and does not require a valid LUKS2 header to be present on the
device to run.
The *erase* does not wipe or overwrite the data area.
It only removes all active keyslots from the LUKS device.
See the cryptsetup FAQ for more information on how to wipe the whole device, including encrypted data.
Note that the --hw-opal-factory-reset option for OPAL self-encrypting drive will erase ALL data on the drive, regardless of the partition it is run on.
*<options>* can be [--header, --disable-locks, --hw-opal-factory-reset, --key-file].
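Review bot: the replacement paragraph for --hw-opal-factory-reset drops the statement that the reset does not require a valid LUKS2 header to be present on the device, and both irreversible operations lose their *WARNING:* marker. An operator needs both before running this command, so keep the dropped sentence and keep the markers on the irreversibility and factory-reset paragraphs.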

View File

@@ -18,17 +18,14 @@ cryptsetup-fvault2Dump - dump the header information of a FVAULT2 (FileVault2 co
Dump the header information of a FVAULT2 (FileVault2 compatible) device.
If the --dump-volume-key option is used, the FVAULT2 device volume key
is dumped instead of header information. You have to provide password
or keyfile to dump volume key.
If the --dump-volume-key option is used, the FVAULT2 device volume key is dumped instead of header information.
You have to provide a password or keyfile to dump the volume key.
Beware that the volume key can be used to decrypt the data stored in
the container without a passphrase.
This means that if the volume key is compromised, the whole device has
to be erased to prevent further access. Use this option carefully.
Beware that the volume key can be used to decrypt the data stored in the container without a passphrase.
This means that if the volume key is compromised, the whole device has to be erased to prevent further access.
Use this option carefully.
*<options>* can be [--dump-volume-key, --volume-key-file, --key-file,
--keyfile-offset, --keyfile-size, --timeout].
*<options>* can be [--dump-volume-key, --volume-key-file, --key-file, --keyfile-offset, --keyfile-size, --timeout].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]

View File

@@ -16,12 +16,12 @@ cryptsetup-isLuks - check if a device is a LUKS device
== DESCRIPTION
Returns true, if <device> is a LUKS device, false otherwise.
Returns true if <device> is a LUKS device, false otherwise.
Use option -v to get human-readable feedback.
'Command successful.' means the device is a LUKS device.
By specifying --type you may query for specific LUKS version.
By specifying --type, you may query for a specific LUKS version.
*<options>* can be [--header, --type, --disable-locks].

View File

@@ -16,41 +16,32 @@ cryptsetup-luksAddKey - add a new passphrase
== DESCRIPTION
Adds a keyslot protected by a new passphrase. An existing passphrase
must be supplied interactively, via --key-file or LUKS2 token (plugin).
Alternatively to existing passphrase user may pass directly volume key
(via --volume-key-file or --volume-key-keyring). The new passphrase to be added
can be specified interactively, read from the file given as the positional
argument (also via --new-keyfile parameter) or via LUKS2 token.
Adds a keyslot protected by a new passphrase.
An existing passphrase must be supplied interactively, via --key-file or LUKS2 token (plugin).
Alternatively to the existing passphrase, the user may pass directly the volume key (via --volume-key-file or --volume-key-keyring).
The new passphrase to be added can be specified interactively, read from the file given as the positional argument (also via --new-keyfile parameter) or via LUKS2 token.
*NOTE:* with --unbound option the action creates new unbound LUKS2
keyslot. The keyslot cannot be used for device activation. If you don't
pass new key via --volume-key-file option, new random key is generated.
Existing passphrase for any active keyslot is not required.
The --unbound option creates a new unbound LUKS2 keyslot.
An unbound keyslot stores an independent key that cannot be used for device activation.
A new random key is generated if you don't pass a new key via the --volume-key-file option.
The existing passphrase for any active keyslot is not required.
*NOTE:* some parameters are effective only if used with LUKS2 format
that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
algorithm is always the same for all keyslots.
Some parameters are effective only if used with the LUKS2 format that supports per-keyslot parameters.
For LUKS1, the PBKDF type and hash algorithm are always the same for all keyslots.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
--new-keyfile, --new-keyfile-offset, --new-keyfile-size, --key-slot,
--new-key-slot, --volume-key-file, --volume-key-keyring, --force-password,
--hash, --header, --disable-locks, --iter-time, --pbkdf,
--pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type,
--keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id,
--token-type, --token-only, --new-token-id, --verify-passphrase, --external-tokens-path].
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --new-keyfile, --new-keyfile-offset, --new-keyfile-size, --key-slot, --new-key-slot, --volume-key-file, --volume-key-keyring, --force-password, --hash, --header, --disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type, --keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id, --token-type, --token-only, --new-token-id, --verify-passphrase, --external-tokens-path].
include::man/common_options.adoc[]
== EXAMPLES
*NOTE*: When not specified otherwise interactive passphrase prompt is always default method.
The interactive passphrase prompt is always the default method when not specified otherwise.
Add new keyslot using interactive passphrase prompt for both existing and new passphrase:
Add new keyslot using interactive passphrase prompt for both existing and new passphrases:
*cryptsetup luksAddKey /dev/device*
Add new keyslot using LUKS2 tokens to unlock existing keyslot with interactive passphrase prompt for new passphrase:
Add a new keyslot using LUKS2 tokens to unlock the existing keyslot with an interactive passphrase prompt for the new passphrase:
*cryptsetup luksAddKey --token-only /dev/device*
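Review bot: "Alternatively to the existing passphrase, the user may pass directly the volume key" is awkward; suggest "Instead of an existing passphrase, the user may pass the volume key directly". In EXAMPLES only the second description gained its articles ("Add a new keyslot ..."); the first still reads "Add new keyslot".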
@@ -63,8 +54,7 @@ Add new keyslot using interactive passphrase prompt for existing keyslot, readin
*cryptsetup luksAddKey --new-keyfile key_file /dev/device* or
*cryptsetup luksAddKey /dev/device key_file*
Add new keyslot using volume stored in volume_key_file and LUKS2 token in slot 5 to get new keyslot passphrase (token in slot 5 must exist
and respective token plugin must be available):
Add new keyslot using volume stored in volume_key_file and LUKS2 token in slot 5 to get new keyslot passphrase (token in slot 5 must exist and respective token plugin must be available):
*cryptsetup luksAddKey --volume-key-file volume_key_file --new-token-id 5 /dev/device*
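Review bot: the rejoined example description still reads "Add new keyslot using volume stored in volume_key_file"; the word "key" is missing after "volume". Since the line is being rewritten anyway, make it "using volume key stored in volume_key_file".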

View File

@@ -16,37 +16,23 @@ cryptsetup-luksChangeKey - change an existing passphrase
== DESCRIPTION
Changes an existing passphrase. The passphrase to be changed must be
supplied interactively or via --key-file. The new passphrase can be
supplied interactively or in a file given as the positional argument.
Changes an existing passphrase.
The passphrase to be changed must be supplied interactively or via --key-file.
The new passphrase can be supplied interactively or in a file given as the positional argument.
If a key-slot is specified (via --key-slot), the passphrase for that
key-slot must be given and the new passphrase will overwrite the
specified key-slot. If no key-slot is specified and there is still a
free key-slot, then the new passphrase will be put into a free key-slot
before the key-slot containing the old passphrase is purged. If there is
no free key-slot, then the key-slot with the old passphrase is
overwritten directly.
If a keyslot is specified (via --key-slot), the passphrase for that keyslot must be given, and the new passphrase will overwrite the specified keyslot.
If no keyslot is specified and there is still a free keyslot, then the new passphrase will be put into a free keyslot before the keyslot containing the old passphrase is purged.
If there is no free keyslot, then the keyslot with the old passphrase is overwritten directly.
*WARNING:* If a key-slot is overwritten, a media failure during this
operation can cause the overwrite to fail after the old passphrase has
been wiped and make the LUKS container inaccessible. LUKS2 mitigates
that by never overwriting existing keyslot area as long as there's
a free space in keyslots area at least for one more LUKS2 keyslot.
*WARNING:* If a keyslot is overwritten, a media failure during this operation can cause the overwrite to fail after the old passphrase has been wiped, making the LUKS container inaccessible.
LUKS2 mitigates that by never overwriting the existing keyslot area as long as there's a free space in the keyslots area at least for one more LUKS2 keyslot.
*WARNING:* If you need to use both luksChangeKey and reencrypt (e.g.
to recover from a leak) you need to use them in that order to not leak
the new volume key.
If you need to use both luksChangeKey and reencrypt (e.g., to recover from a key leak), you need to use them in that order to avoid leaking the new volume key.
*NOTE:* some parameters are effective only if used with LUKS2 format
that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
algorithm is always the same for all keyslots.
Some parameters are effective only if used with the LUKS2 format that supports per-keyslot parameters.
For LUKS1, the PBKDF type and hash algorithm are always the same for all keyslots.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
--new-keyfile-offset, --iter-time, --pbkdf, --pbkdf-force-iterations,
--pbkdf-memory, --pbkdf-parallel, --new-keyfile-size, --key-slot,
--force-password, --hash, --header, --disable-locks, --type,
--keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --new-keyfile-offset, --iter-time, --pbkdf, --pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --new-keyfile-size, --key-slot, --force-password, --hash, --header, --disable-locks, --type, --keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
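
Review bot: The sentence on ordering luksChangeKey and reencrypt loses its *WARNING:* marker in the new text ("If you need to use both luksChangeKey and reencrypt ..."), while the media-failure paragraph above keeps it. By the sentence's own wording, the wrong order leaks the new volume key, so I would keep the marker here rather than demote it to plain text. Dropping the *NOTE:* prefix on the LUKS1 per-keyslot paragraph is fine.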

View File

@@ -16,26 +16,17 @@ cryptsetup-luksConvertKey - converts an existing LUKS2 keyslot to new PBKDF para
== DESCRIPTION
Converts an existing LUKS2 keyslot to new PBKDF parameters. The
passphrase for keyslot to be converted must be supplied interactively or
via --key-file. If no --pbkdf parameters are specified LUKS2 default
PBKDF values will apply.
Converts an existing LUKS2 keyslot to new PBKDF parameters.
The passphrase for the keyslot to be converted must be supplied interactively or via --key-file.
If no --pbkdf parameters are specified LUKS2 default PBKDF values will apply.
If a keyslot is specified (via --key-slot), the passphrase for that
keyslot must be given. If no keyslot is specified and there is still a
free keyslot, then the new parameters will be put into a free keyslot
before the keyslot containing the old parameters is purged. If there is
no free keyslot, then the keyslot with the old parameters is overwritten
directly.
If a keyslot is specified (via --key-slot), the passphrase for that keyslot must be given.
If no keyslot is specified and there is still a free keyslot, the new parameters will be put into a free keyslot before the keyslot containing the old parameters is purged.
If there is no free keyslot, the keyslot with the old parameters is directly overwritten.
*WARNING:* If a keyslot is overwritten, a media failure during this
operation can cause the overwrite to fail after the old parameters have
been wiped and make the LUKS container inaccessible.
*WARNING:* If a keyslot is overwritten, a media failure during this operation can cause the overwrite to fail after the old parameters have been wiped, making the LUKS container inaccessible.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
--key-slot, --hash, --header, --disable-locks, --iter-time, --pbkdf,
--pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel,
--keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-slot, --hash, --header, --disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
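
Review bot: The wording of the free-keyslot fallback is inconsistent with the luksChangeKey page touched in the same patch: here the last case reads "is directly overwritten", there it reads "is overwritten directly". Both pages describe the same behaviour, so use identical phrasing to keep readers from looking for a difference. In the first paragraph, "If no --pbkdf parameters are specified LUKS2 default PBKDF values will apply." is still missing the comma after "specified".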

View File

@@ -18,33 +18,22 @@ cryptsetup-luksDump - dump the header information of a LUKS device
Dump the header information of a LUKS device.
If the --dump-volume-key option is used, the LUKS device volume key is
dumped instead of the keyslot info. Together with the --volume-key-file
option, volume key is dumped to a file instead of standard output.
Beware that the volume key cannot be changed without reencryption and
can be used to decrypt the data stored in the LUKS container without a
passphrase and even without the LUKS header. This means that if the
volume key is compromised, the whole device has to be erased or
reencrypted to prevent further access. Use this option carefully.
If the --dump-volume-key option is used, the LUKS device volume key is dumped instead of the keyslot info.
With the --volume-key-file option, the volume key is dumped to a file instead of standard output.
Beware that the volume key cannot be changed without reencryption and can be used to decrypt the data stored in the LUKS container without a passphrase and even without the LUKS header.
This means that if the volume key is compromised, the whole device has to be erased or reencrypted to prevent further access.
Use this option carefully.
To dump the volume key, a passphrase has to be supplied, either
interactively or via --key-file.
A passphrase must be supplied to dump the volume key, either interactively or via --key-file.
To dump unbound key (LUKS2 format only), --unbound parameter, specific
--key-slot id and proper passphrase has to be supplied, either
interactively or via --key-file. Optional --volume-key-file parameter
enables unbound keyslot dump to a file.
To dump an unbound key (LUKS2 format only), --unbound parameter, specific --key-slot id and proper passphrase must be supplied, interactively or via --key-file.
Optional --volume-key-file parameter enables unbound keyslot dump to a file.
To dump LUKS2 JSON metadata (without basic header information like UUID)
use --dump-json-metadata option.
To dump LUKS2 JSON metadata (without basic header information like UUID), use the --dump-json-metadata option.
*<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file,
--keyfile-offset, --keyfile-size, --header, --disable-locks,
--volume-key-file, --type, --unbound, --key-slot, --timeout, --external-tokens-path].
If --dump-volume-key is used with --key-file and the argument to --key-file is '-', no validation question will be asked and no warning given.
*WARNING:* If --dump-volume-key is used with --key-file and the argument
to --key-file is '-', no validation question will be asked and no
warning given.
*<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --volume-key-file, --type, --unbound, --key-slot, --timeout, --external-tokens-path].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
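
Review bot: The sentence about --dump-volume-key with --key-file '-' loses its *WARNING:* marker and is moved above the options list. This is the case where the volume key is dumped with no validation question and no warning, and the paragraph above states that a compromised volume key forces erase or reencryption, so it should stay a marked warning. Separately, "--unbound parameter, specific --key-slot id and proper passphrase must be supplied" is missing its articles.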

View File

@@ -16,42 +16,29 @@ cryptsetup-luksFormat - initialize a LUKS partition and set the initial passphra
== DESCRIPTION
Initializes a LUKS partition and sets the initial passphrase (for
key-slot 0), either via prompting or via <key file>. Note that if the
second argument is present, then the passphrase is taken from the file
given there, without the need to use the --key-file option. Also note
that for both forms of reading the passphrase from a file you can give
'-' as file name, which results in the passphrase being read from stdin
and the safety-question being skipped.
Initializes a LUKS partition and sets the passphrase via prompting or <key file>.
Note that if the second argument is present, the passphrase is taken from the file given there, without using the --key-file option.
Also note that for both forms of reading the passphrase from a file, you can give '-' as a file name, which results in the passphrase being read from stdin and the safety question being skipped.
You cannot call luksFormat on a device or filesystem that is mapped or
in use, e.g., mounted filesystem, used in LVM, active RAID member, etc. The
device or filesystem has to be un-mounted in order to call luksFormat.
You cannot call luksFormat on a device or filesystem that is mapped or in use, e.g., a mounted filesystem, used in LVM, active RAID member, etc.
The device or filesystem has to be unmounted in order to call luksFormat.
To use specific version of LUKS format, use _--type luks1_ or _type luks2_.
To enforce a specific version of LUKS format, use _--type luks1_ or _type luks2_.
The default format is LUKS2.
To use OPAL hardware encryption on a self-encrypting drive, use
_--hw-opal_ or _--hw-opal-only_. Note that some OPAL drives can require
a PSID reset (with deletion of data) before using the LUKS format
with OPAL options.
See _--hw-opal-factory-reset_ option in cryptsetup _erase_ command.
To use hardware encryption on an OPAL self-encrypting drive, use --hw-opal or --hw-opal-only.
Note that some OPAL drives can require a PSID reset (with deletion of data) before using the LUKS format with OPAL options.
See --hw-opal-factory-reset option in cryptsetup _erase_ command.
*<options>* can be [--hash, --cipher, --verify-passphrase, --key-size,
--key-slot, --key-file (takes precedence over optional second argument),
--keyfile-offset, --keyfile-size, --use-random, --use-urandom, --uuid,
--volume-key-file, --iter-time, --header, --pbkdf-force-iterations,
--force-password, --disable-locks, --timeout, --type, --offset,
--align-payload (deprecated)].
Doing a luksFormat on an existing LUKS container will regenerate the volume key.
Unless you have a header backup, all old encrypted data in the container will be permanently irretrievable.
Note that luksFormat does not wipe or overwrite the data area.
It only creates a new LUKS header with fresh keyslots.
See cryptsetup FAQ for more info on how to wipe the whole device, including encrypted data.
For LUKS2, additional *<options>* can be [--integrity,
--integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf,
--pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring,
--luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher,
--keyslot-key-size, --integrity-legacy-padding, --hw-opal, --hw-opal-only].
*<options>* can be [--hash, --cipher, --verify-passphrase, --key-size, --key-slot, --key-file (takes precedence over optional second argument), --keyfile-offset, --keyfile-size, --use-random, --use-urandom, --uuid, --volume-key-file, --iter-time, --header, --pbkdf-force-iterations, --force-password, --disable-locks, --timeout, --type, --offset, --align-payload (DEPRECATED)].
*WARNING:* Doing a luksFormat on an existing LUKS container will make
all data in the old container permanently irretrievable unless you have a
header backup.
For LUKS2, additional *<options>* can be [--integrity, --integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf, --pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring, --luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher, --keyslot-key-size, --integrity-legacy-padding, --hw-opal, --hw-opal-only].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
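
Review bot: The rewritten line "To enforce a specific version of LUKS format, use _--type luks1_ or _type luks2_." carries over a typo from the old text: the second option is missing its leading dashes and should be _--type luks2_. In the same hunk, the statement that luksFormat on an existing container makes old data irretrievable loses its *WARNING:* marker; I would keep it marked, especially now that the text adds that the volume key is regenerated. The new first sentence also no longer says that the initial passphrase goes to keyslot 0; if that removal is intentional, mention it in the commit message.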

View File

@@ -16,20 +16,15 @@ cryptsetup-luksHeaderBackup - store a binary backup of the LUKS header and keysl
== DESCRIPTION
Stores a binary backup of the LUKS header and keyslot area. +
*NOTE:* Using '-' as filename writes the header backup to a file named
'-'.
Stores a binary backup of the LUKS header and keyslot area.
Using '-' as a filename writes the header backup to a file named '-'.
The backup file and a passphrase valid at the time of backup allow decryption of the LUKS data area, even if the passphrase was later changed or removed from the LUKS device.
Note that with a header backup, you lose the ability to wipe the LUKS device securely by just overwriting the header and keyslots.
You must either securely erase all header backups or overwrite the encrypted data area.
*<options>* can be [--header, --header-backup-file, --disable-locks].
*WARNING:* This backup file and a passphrase valid at the time of backup
allows decryption of the LUKS data area, even if the passphrase was
later changed or removed from the LUKS device. Also note that with a
header backup you lose the ability to securely wipe the LUKS device by
just overwriting the header and key-slots. You either need to securely
erase all header backups in addition or overwrite the encrypted data
area as well. The second option is less secure, as some sectors can
survive, e.g., due to defect management.
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
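
Review bot: The new sentence "You must either securely erase all header backups or overwrite the encrypted data area." presents the two options as equivalent, but the removed text said the second option is less secure because some sectors can survive, e.g., due to defect management. That caveat is security relevant and should be kept as a sentence after the new one. The *WARNING:* marker on the paragraph about a backup plus an old passphrase still decrypting the data area is dropped as well.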

View File

@@ -16,19 +16,16 @@ cryptsetup-luksHeaderRestore - restore a binary backup of the LUKS header and ke
== DESCRIPTION
Restores a binary backup of the LUKS header and keyslot area from the
specified file. +
*NOTE:* Using '-' as filename reads the header backup from a file named '-'.
Restores a binary backup of the LUKS header and keyslot area from the specified file.
Using '-' as a filename reads the header backup from a file named '-'.
All keyslots will be replaced; only the passphrases from the backup will work afterward.
This command requires that the volume key size and data offset of the LUKS header and backup match.
Alternatively, the backup will also be written if the device has no LUKS header.
*<options>* can be [--header, --header-backup-file, --disable-locks].
*WARNING:* Header and keyslots will be replaced, only the passphrases
from the backup will work afterward.
This command requires that the volume key size and data offset of the
LUKS header already on the device and of the header backup match.
Alternatively, if there is no LUKS header on the device, the backup will
also be written to it.
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
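
Review bot: "This command requires that the volume key size and data offset of the LUKS header and backup match." no longer says which header is meant; the removed text specified "the LUKS header already on the device". Please keep that qualifier. Likewise, "All keyslots will be replaced" drops the fact that the header itself is replaced, which the old warning stated ("Header and keyslots will be replaced").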

View File

@@ -8,33 +8,28 @@
== Name
cryptsetup-luksKillSlot - wipe a key-slot from the LUKS device
cryptsetup-luksKillSlot - wipe a keyslot from the LUKS device
== SYNOPSIS
*cryptsetup _luksKillSlot_ [<options>] <device> <key slot number>*
*cryptsetup _luksKillSlot_ [<options>] <device> <number>*
== DESCRIPTION
Wipe the key-slot number <key slot> from the LUKS device. Except running
in batch-mode (-q) a remaining passphrase must be supplied, either
interactively or via --key-file. This command can remove the last
remaining key-slot, but requires an interactive confirmation when doing
so. Removing the last passphrase makes a LUKS container permanently
inaccessible.
Wipe the keyslot with the number from the LUKS device.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
--header, --disable-locks, --type, --verify-passphrase, --timeout].
Except running in batch-mode (-q), a remaining passphrase must be supplied, either interactively or via --key-file.
This command can remove the last remaining keyslot, but requires an interactive confirmation when doing so.
Removing the last passphrase makes a LUKS container permanently inaccessible.
*WARNING:* If you read the passphrase from stdin (without further
argument or with '-' as an argument to --key-file), batch-mode (-q) will
be implicitly switched on and no warning will be given when you remove
the last remaining passphrase from a LUKS container. Removing the last
passphrase makes the LUKS container permanently inaccessible.
If you read the passphrase from stdin (without further argument or with '-' as an argument to --key-file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container.
Removing the last passphrase makes the LUKS container permanently inaccessible.
*NOTE:* If there is no passphrase provided (on stdin or through
--key-file argument) and batch-mode (-q) is active, the key-slot is
removed without any other warning.
If no passphrase is provided (on stdin or through --key-file argument) and batch-mode (-q) is active, the keyslot is removed without any other warning.
This operation removes only the key in a particular keyslot; it does not wipe any encrypted data.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type, --verify-passphrase, --timeout].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
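
Review bot: With the synopsis argument renamed from <key slot number> to <number>, the first description sentence now reads "Wipe the keyslot with the number from the LUKS device." and no longer names the argument; it should say "with the number <number>" or similar. The statement that removing the last passphrase makes the container permanently inaccessible now appears in two consecutive paragraphs of the new text, so one copy can go. The paragraph about stdin implicitly enabling batch-mode also loses its *WARNING:* marker, although it describes removing the last passphrase without any prompt.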

View File

@@ -16,18 +16,15 @@ cryptsetup-luksRemoveKey - remove the supplied passphrase from the LUKS device
== DESCRIPTION
Removes the supplied passphrase from the LUKS device. The passphrase to
be removed can be specified interactively, as the positional argument or
via --key-file.
Removes the supplied passphrase from the LUKS device.
The passphrase to be removed can be specified interactively, as the positional argument or via --key-file.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
--header, --disable-locks, --type, --timeout, --verify-passphrase].
If you read the passphrase from stdin (without further argument or with '-' as an argument to --key-file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container.
Removing the last passphrase makes the LUKS container permanently inaccessible.
*WARNING:* If you read the passphrase from stdin (without further
argument or with '-' as an argument to --key-file), batch-mode (-q) will
be implicitly switched on and no warning will be given when you remove
the last remaining passphrase from a LUKS container. Removing the last
passphrase makes the LUKS container permanently inaccessible.
This operation removes only the key in a particular keyslot; it does not wipe any encrypted data.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type, --timeout, --verify-passphrase].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
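
Review bot: The added sentence "This operation removes only the key in a particular keyslot; it does not wipe any encrypted data." is worded identically to the one added for luksKillSlot, but this command takes a passphrase, not a keyslot number, so "the keyslot matching the supplied passphrase" would be more accurate here. The stdin paragraph loses its *WARNING:* marker in this page too; since it describes removing the last passphrase with no warning given, I would keep it marked.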

View File

@@ -16,15 +16,10 @@ cryptsetup-luksResume - resume a suspended device and reinstate the key
== DESCRIPTION
Resumes a suspended device and reinstates the encryption key. Prompts
interactively for a passphrase if no token is usable (LUKS2 only) or
--key-file is not given.
Resumes a suspended device and reinstates the encryption key.
Prompts interactively for a passphrase if no token is usable (LUKS2 only) or --key-file is not given.
*<options>* can be [--key-file, --keyfile-size, --keyfile-offset,
--key-slot, --header, --disable-keyring, --disable-locks, --token-id,
--token-only, --token-type, --disable-external-tokens, --type, --tries,
--timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring,
--external-tokens-path].
*<options>* can be [--key-file, --keyfile-size, --keyfile-offset, --key-slot, --header, --disable-keyring, --disable-locks, --token-id, --token-only, --token-type, --disable-external-tokens, --type, --tries, --timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring, --external-tokens-path].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]

View File

@@ -16,22 +16,15 @@ cryptsetup-luksSuspend - suspends an active device and wipes the key
== DESCRIPTION
Suspends an active device (all IO operations will block and accesses to
the device will wait indefinitely) and wipes the encryption key from
kernel memory. Needs kernel 2.6.19 or later.
Suspends an active device (all IO operations will block and accesses to the device will wait indefinitely) and wipes the encryption key from kernel memory.
While the _luksSuspend_ operation wipes encryption keys from memory,
it does not remove possible plaintext data in various caches or in-kernel
metadata for mounted filesystems.
While the _luksSuspend_ operation wipes encryption keys from memory, it does not remove possible plaintext data in various caches or in-kernel metadata for mounted filesystems.
After this operation, you have to use _luksResume_ to reinstate the
encryption key and unblock the device or _close_ to remove the mapped
device.
After this operation, you must use _luksResume_ to reinstate the encryption key and unblock the device or _close_ to remove the mapped device.
*WARNING:* To avoid deadlock, never suspend the device on which the cryptsetup binary resides.
*<options>* can be [--header, --disable-locks].
*WARNING:* Never suspend the device on which the cryptsetup binary
resides.
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
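
Review bot: The new description drops "Needs kernel 2.6.19 or later." without replacement. If the requirement is considered obsolete, that is a content change and deserves a mention in the commit message rather than riding along with the reflow. The added "To avoid deadlock" in the warning is a good clarification.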

View File

@@ -16,8 +16,9 @@ cryptsetup-luksUUID - print or set the UUID of a LUKS device
== DESCRIPTION
Print the UUID of a LUKS device. +
Set new UUID if _--uuid_ option is specified.
Print the UUID of a LUKS device.
Set new UUID if --uuid option is specified.
*<options>* can be [--header, --uuid, --type, --disable-locks].

View File

@@ -17,10 +17,9 @@ cryptsetup-open, cryptsetup-create, cryptsetup-plainOpen, cryptsetup-luksOpen, c
== DESCRIPTION
Opens (creates a mapping with) <name> backed by device <device>.
Device type can be _plain_, _luks_ (default), _luks1_, _luks2_,
_loopaes_ or _tcrypt_.
Device type can be _plain_, _luks_ (default), _luks1_, _luks2_, _loopaes_ or _tcrypt_.
For backward compatibility there are *open* command aliases:
For backward compatibility, there are *open* command aliases:
*create* (argument-order <name> <device>): open --type plain +
*plainOpen*: open --type plain +
@@ -29,44 +28,34 @@ For backward compatibility there are *open* command aliases:
*tcryptOpen*: open --type tcrypt +
*bitlkOpen*: open --type bitlk
*<options>* are type specific and are described below for individual
device types. For *create*, the order of the <name> and <device> options
is inverted for historical reasons, all other aliases use the standard
*<device> <name>* order.
*<options>* are type-specific and are described below for individual device types.
For *create*, the order of the <name> and <device> options is inverted for historical reasons; all other aliases use the standard *<device> <name>* order.
=== PLAIN
*open --type plain <device> <name>* --cipher <spec> --key-size <bits> --hash <alg> +
plainOpen <device> <name> (*old syntax*) +
create <name> <device> (*OBSOLETE syntax*)
plainOpen <device> <name> (old syntax) +
create <name> <device> (OBSOLETE syntax)
Opens (creates a mapping with) <name> backed by device <device>.
*WARNING:* You should always specify options *--cipher*, *--key-size* and
(if no keyfile or keyring is used) then also *--hash* to avoid incompatibility as
default values can be different in older cryptsetup versions. +
You should always specify options --cipher, --key-size and (if no keyfile or keyring is used) then also --hash to avoid incompatibility, as default values can differ in older cryptsetup versions.
The plain format also allows retrieving a volume key from a kernel keyring
specified by *--volume-key-keyring*. Key in kernel keyring must be configured
before issuing cryptsetup commands, as cryptsetup does not upload any keys to
the keyring in plain mode. For subsequent commands (like resize), the user must
ensure that the key in the keyring is unchanged. Otherwise, reloading the key
can cause data corruption after an unexpected key change.
The plain format also allows retrieving a volume key from a kernel keyring specified by --volume-key-keyring.
The key in the kernel keyring must be configured before issuing cryptsetup commands, as cryptsetup does not upload any keys to the keyring in plain mode.
For subsequent commands (like resize), the user must ensure that the key in the keyring is unchanged.
Otherwise, reloading the key can cause data corruption after an unexpected key change.
*<options>* can be [--hash, --cipher, --sector-size,
--key-file, --keyfile-size, --keyfile-offset, --key-size, --offset,
--skip, --device-size, --size, --readonly, --shared, --allow-discards,
--refresh, --timeout, --verify-passphrase, --iv-large-sectors, --volume-key-keyring].
*<options>* can be [--hash, --cipher, --sector-size, --key-file, --keyfile-size, --keyfile-offset, --key-size, --offset, --skip, --device-size, --size, --readonly, --shared, --allow-discards, --refresh, --timeout, --verify-passphrase, --iv-large-sectors, --volume-key-keyring].
*EXAMPLES:*
To map the encrypted device /dev/sda10 to the decrypted device /dev/mapper/e1, you can use
To map the encrypted device /dev/sda10 to the decrypted device /dev/mapper/e1, you can use:
*cryptsetup open --type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 /dev/sda10 e1*
The decrypted device can then be used as a normal block device to mount a filesystem.
To map a device with a volume key in the preconfigured trusted or encrypted keyring, you need to specify
keyring with the key and remove hash specification, for example, to use *%trusted:mykey*:
To map a device with a volume key in the preconfigured trusted or encrypted keyring, you need to specify the keyring with the key and remove the hash specification, for example, to use *%trusted:mykey*:
*cryptsetup open --type plain /dev/sda10 e1 --volume-key-keyring=%trusted:mykey --cipher aes-xts-plain64 --key-size 256*
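
Review bot: The recommendation to always specify --cipher, --key-size and --hash for plain mode loses its *WARNING:* marker in the new text. The sentence itself says default values can differ in older cryptsetup versions, which is exactly the incompatibility users hit, so the marker should stay. The phrase "and (if no keyfile or keyring is used) then also --hash" keeps a stray "then" that can be dropped in this rewrite.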
@@ -74,119 +63,82 @@ Note that the key size must match the preconfigured key in the keyring.
=== LUKS
*open <device> <name>* +
open --type <luks1|luks2> <device> <name> (*explicit version request*) +
luksOpen <device> <name> (*old syntax*)
open --type <luks1|luks2> <device> <name> (explicit version request) +
luksOpen <device> <name> (old syntax)
Opens the LUKS device <device> and sets up a mapping <name> after
successful verification of the supplied passphrase.
Opens the LUKS device <device> and sets up a mapping <name> after successful verification of the supplied passphrase.
First, the passphrase is searched in LUKS2 tokens unprotected by PIN.
If such token does not exist (or fails to unlock keyslot) and
also the passphrase is not supplied via --key-file, the command
prompts for passphrase interactively.
If such a token does not exist (or fails to unlock keyslot) and the passphrase is not supplied via --key-file, the command prompts for passphrase interactively.
If there is valid LUKS2 token but it requires PIN to unlock assigned keyslot,
it is not used unless one of following options is added: --token-only,
--token-type where type matches desired PIN protected token or --token-id with id
matching PIN protected token.
If there is a valid LUKS2 token but it requires a PIN to unlock the assigned keyslot, it is not used unless one of the following options is added: --token-only,
--token-type where type matches the desired PIN-protected token or --token-id with id matching the PIN-protected token.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
--readonly, --test-passphrase, --allow-discards, --header, --key-slot,
--volume-key-file, --token-id, --token-only, --token-type,
--disable-external-tokens, --disable-keyring, --disable-locks, --type,
--refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout,
--verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring,
--external-tokens-path].
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --readonly, --test-passphrase, --allow-discards, --header, --key-slot, --volume-key-file, --token-id, --token-only, --token-type, --disable-external-tokens, --disable-keyring, --disable-locks, --type, --refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout, --verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring, --external-tokens-path].
=== loopAES
*open --type loopaes <device> <name> --key-file <keyfile>* +
loopaesOpen <device> <name> --key-file <keyfile> (*old syntax*)
loopaesOpen <device> <name> --key-file <keyfile> (old syntax)
Opens the loop-AES <device> and sets up a mapping <name>.
If the key file is encrypted with GnuPG, then you have to use
--key-file=- and decrypt it before use, e.g., like this: +
gpg --decrypt <keyfile> | cryptsetup loopaesOpen --key-file=- <device>
<name>
If the key file is encrypted with GnuPG, then you have to use --key-file=- and decrypt it before use, e.g., like this:
*gpg --decrypt <keyfile> | cryptsetup loopaesOpen --key-file=- <device> <name>*.
*WARNING:* The loop-AES extension cannot use the direct input of the key
file on the real terminal because the keys are separated by end-of-line and
only part of the multi-key file would be read. +
If you need it in script, just use the pipe redirection: +
echo $keyfile | cryptsetup loopaesOpen --key-file=- <device> <name>
The loop-AES extension cannot use the direct input of the key file on the real terminal because the keys are separated by end-of-line, and only part of the multi-key file would be read.
If you need it in script, just use the pipe redirection: *echo $keyfile | cryptsetup loopaesOpen --key-file=- <device> <name>*.
Use *--keyfile-size* to specify the proper key length if needed.
Use --keyfile-size to specify the proper key length if needed.
Use *--offset* to specify device offset. Note that the units need to be
specified in number of 512 byte sectors.
Use --offset to specify device offset.
Note that the units need to be specified in terms of 512-byte sectors.
Use *--skip* to specify the IV offset. If the original device used an
offset and but did not use it in IV sector calculations, you have to
explicitly use *--skip 0* in addition to the offset parameter.
Use --skip to specify the IV offset.
If the original device used an offset but did not use it in IV sector calculations, you must explicitly use --skip 0 in addition to the offset parameter.
Use *--hash* to override the default hash function for passphrase
hashing (otherwise it is detected according to key size).
Use --hash to override the default hash function for passphrase hashing (otherwise it is detected according to key size).
*<options>* can be [--cipher, --key-file, --keyfile-size, --keyfile-offset,
--key-size, --offset, --skip, --hash, --readonly, --allow-discards, --refresh].
*<options>* can be [--cipher, --key-file, --keyfile-size, --keyfile-offset, --key-size, --offset, --skip, --hash, --readonly, --allow-discards, --refresh].
=== TrueCrypt and VeraCrypt
*open --type tcrypt <device> <name>* +
tcryptOpen <device> <name> (*old syntax*)
tcryptOpen <device> <name> (old syntax)
Opens the TCRYPT (TrueCrypt and VeraCrypt compatible) <device> and sets
up a mapping <name>.
*<options>* can be [--key-file, --tcrypt-hidden, --tcrypt-system,
--tcrypt-backup, --readonly, --test-passphrase, --allow-discards,
--veracrypt (ignored), --disable-veracrypt, --veracrypt-pim,
--veracrypt-query-pim, --header,
--cipher, --hash, --tries, --timeout, --verify-passphrase].
The --key-file option allows a combination of file content with the passphrase
The --key-file option can be repeated.
Note that using keyfiles differs from LUKS keyfile logic.
The keyfile parameter allows a combination of file content with the
passphrase and can be repeated. Note that using keyfiles is compatible
with TCRYPT and is different from LUKS keyfile logic.
If --cipher or --hash options are used, only cipher chains or PBKDF2 variants with the specified hash algorithms are checked.
This could speed up unlocking the device (but also reveals some information about the container).
If *--cipher* or *--hash* options are used, only cipher chains or PBKDF2
variants with the specified hash algorithms are checked. This could
speed up unlocking the device (but also it reveals some information
about the container).
If you use --header in combination with hidden or system options, the header file must contain specific headers in the same positions as the original encrypted container.
If you use *--header* in combination with hidden or system options, the
header file must contain specific headers on the same positions as the
original encrypted container.
Option --allow-discards cannot be combined with option --tcrypt-hidden.
For normal mapping, it can cause the destruction of hidden volume (hidden volume appears as unused space for outer volume, so this space can be discarded).
*WARNING:* Option *--allow-discards* cannot be combined with option
*--tcrypt-hidden*. For normal mapping, it can cause the *destruction of
hidden volume* (hidden volume appears as unused space for outer volume
so this space can be discarded).
*<options>* can be [--key-file, --tcrypt-hidden, --tcrypt-system, --tcrypt-backup, --readonly, --test-passphrase, --allow-discards, --veracrypt (ignored), --disable-veracrypt, --veracrypt-pim, --veracrypt-query-pim, --header, --cipher, --hash, --tries, --timeout, --verify-passphrase].
=== BitLocker
*open --type bitlk <device> <name>* +
bitlkOpen <device> <name> (*old syntax*)
bitlkOpen <device> <name> (old syntax)
Opens the BITLK (a BitLocker compatible) <device> and sets up a mapping
<name>.
Opens the BITLK (a BitLocker compatible) <device> and sets up a mapping <name>.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-size,
--readonly, --test-passphrase, --allow-discards --volume-key-file, --tries,
--timeout, --verify-passphrase].
Note that --test-passphrase doesn't work with --volume-key-file because we cannot check whether the provided volume key is correct for this device.
When using --volume-key-file, the device will be opened even if the provided key is incorrect.
Note that *--test-passphrase* doesn't work with *--volume-key-file* because
we cannot check whether the provided volume key is correct for this device
or not. When using *--volume-key-file* the device will be opened even if
the provided key is not correct.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-size, --readonly, --test-passphrase, --allow-discards --volume-key-file, --tries, --timeout, --verify-passphrase].
=== FileVault2
*open --type fvault2 <device> <name>* +
fvault2Open <device> <name> (*old syntax*)
fvault2Open <device> <name> (old syntax)
Opens the FVAULT2 (a FileVault2 compatible) <device> and sets up a mapping
<name>.
Opens the FVAULT2 (a FileVault2 compatible) <device> and sets up a mapping <name>.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-size,
--readonly, --test-passphrase, --allow-discards --volume-key-file, --tries,
--timeout, --verify-passphrase].
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-size, --readonly, --test-passphrase, --allow-discards --volume-key-file, --tries, --timeout, --verify-passphrase].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
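Review bot: In the TrueCrypt and VeraCrypt section, the one-sentence-per-line version of the --allow-discards / --tcrypt-hidden paragraph carries no *WARNING:* label, while the wrapped version does, although the text describes destruction of the hidden volume. Keep the admonition on the reflowed text. In the same section, "The --key-file option allows a combination of file content with the passphrase" has no terminating period, and the BitLocker and FileVault2 option lists still read "--allow-discards --volume-key-file" without a comma between the two options.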

@@ -26,28 +26,20 @@ There are 3 basic modes of operation:
<device> or --active-name <name> (LUKS2 only) is mandatory parameter.
Cryptsetup _reencrypt_ action can be used to change reencryption parameters
which otherwise require full on-disk data change (re-encryption). The
_reencrypt_ action reencrypts data on LUKS device in-place.
Cryptsetup _reencrypt_ action can be used to change reencryption parameters, which otherwise require full on-disk data change (re-encryption).
The _reencrypt_ action reencrypts data on the LUKS device in-place.
You can regenerate *volume key* (the real key used in on-disk encryption
unlocked by passphrase), *cipher*, *cipher mode* or *encryption sector size*
(LUKS2 only).
You can regenerate *volume key* (the real key used in on-disk encryption unlocked by passphrase), *cipher*, *cipher mode* or *encryption sector size* (LUKS2 only).
*WARNING:* If you need to use both luksChangeKey and reencrypt (e.g. to recover
from a leak) you need to use them in that order to not leak the new volume key.
If you need to use both luksChangeKey and reencrypt (e.g., to recover from a leak), you need to use them in that order to avoid leaking the new volume key.
Reencryption process may be safely interrupted by a user via SIGINT
signal (ctrl+c). Same applies to SIGTERM signal (i.e. issued by systemd
during system shutdown).
The reencryption process may be safely interrupted by a user via SIGINT signal (ctrl+c).
The same applies to the SIGTERM signal (i.e., issued by systemd during system shutdown).
For in-place encryption mode, the _reencrypt_ action additionally takes all
options available for _luksFormat_ action for respective LUKS version (see
cryptsetup-luksFormat man page for more details). See *cryptsetup-luksFormat*(8).
For in-place encryption mode, the _reencrypt_ action additionally takes all options available for the _luksFormat_ action for the respective LUKS version (see cryptsetup-luksFormat man page for more details).
See *cryptsetup-luksFormat*(8).
*NOTE* that for encrypt and decrypt mode, the whole device must be
treated as unencrypted -- there are no guarantees of confidentiality as
part of the device contains plaintext.
Note that for encrypt and decrypt mode, the whole device must be treated as unencrypted -- there are no guarantees of confidentiality as part of the device contains plaintext.
*ALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS ACTION ON LUKS DEVICE.*
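Review bot: The luksChangeKey-then-reencrypt ordering paragraph has no *WARNING:* prefix in its reflowed form ("If you need to use both luksChangeKey and reencrypt (e.g., to recover from a leak), ..."), which demotes guidance about leaking the new volume key to ordinary prose. The same applies to the *NOTE* on encrypt and decrypt mode, where the device must be treated as unencrypted. I would keep both labels. The luksFormat paragraph also still carries two references to the same page, "(see cryptsetup-luksFormat man page for more details)" followed by "See *cryptsetup-luksFormat*(8).", so one of them can go.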
@@ -96,60 +88,45 @@ part of the device contains plaintext.
== LUKS2 REENCRYPTION
With <device> parameter cryptsetup looks up active <device> dm mapping.
If no active mapping is detected, it starts offline LUKS2 reencryption
otherwise online reencryption takes place.
With the <device> parameter, cryptsetup looks up the active <device> dm mapping.
If no active mapping is detected, it starts offline LUKS2 reencryption; otherwise, online reencryption occurs.
To resume already initialized or interrupted reencryption, just run the
cryptsetup _reencrypt_ command again to continue the reencryption
operation. Reencryption may be resumed with different --resilience or
--hotzone-size unless implicit datashift resilience mode is used: either
encrypt mode with --reduce-device-size option or decrypt mode with
original LUKS2 header exported in --header file.
To resume already initialized or interrupted reencryption, just run the cryptsetup _reencrypt_ command again to continue the reencryption operation.
Reencryption may be resumed with different --resilience or --hotzone-size unless implicit datashift resilience mode is used: either encrypt mode with --reduce-device-size option or decrypt mode with original LUKS2 header exported in --header file.
If the reencryption process was interrupted abruptly (reencryption
process crash, system crash, poweroff) it may require recovery. The
recovery is currently run automatically on next activation (action
_open_) when needed or explicitly by user (action _repair_).
If the reencryption process was interrupted abruptly (reencryption process crash, system crash, or power off), it may require recovery.
The recovery is run automatically on next activation (action _open_) when needed or explicitly by the user (action _repair_).
Optional parameter <new_name> takes effect only with encrypt option
and it activates device <new_name> immediately after encryption
initialization gets finished. That's useful when device needs to be
ready as soon as possible and mounted (used) before full data area
encryption is completed.
The optional parameter <new_name> takes effect only with the encrypt option, and it activates device <new_name> immediately after encryption initialization is finished.
That's useful when the device needs to be ready as soon as possible and mounted (used) before full data area encryption is completed.
== LUKS1 REENCRYPTION
Current working directory must be writable and temporary files created during
reencryption must be present. During reencryption process the LUKS1 device is
marked unavailable and must be offline (no dm-crypt mapping or mounted
filesystem).
The current working directory must be writable, and temporary files created during reencryption must be present.
During reencryption, the LUKS1 device is marked unavailable and must be offline (no dm-crypt mapping or mounted filesystem).
*WARNING*: The LUKS1 reencryption code is not resistant to hardware
or kernel failures during reencryption (you can lose your data in this case).
*WARNING*: The LUKS1 reencryption code is not resistant to hardware or kernel failures during reencryption (you can lose your data in this case).
include::man/common_options.adoc[]
== EXAMPLES
*NOTE*: You may drop *--type luks2* option as long as LUKS2 format is
default.
You may drop *--type luks2* option as long as LUKS2 format is default.
=== LUKS2 ENCRYPTION EXAMPLES
Encrypt LUKS2 device (in-place). Make sure last 32 MiB on _/dev/plaintext_
is unused (e.g.: does not contain filesystem data):
Encrypt LUKS2 device (in-place).
Make sure the last 32 MiB on _/dev/plaintext_ is unused (e.g., does not contain filesystem data):
*cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m /dev/plaintext_device*
Encrypt LUKS2 device (in-place). Only the initial 1 GiB of original
_/dev/plaintext_ data is encrypted while being shifted backwards.
Make sure last 32 MiB (tail) on the data device is unused (e.g.: does
not contain any data):
Encrypt LUKS2 device (in-place).
Only the initial 1 GiB of original _/dev/plaintext_ data is encrypted while being shifted backwards.
Make sure the last 32 MiB (tail) on the data device is unused (e.g., does not contain any data):
*cryptsetup reencrypt --encrypt --type luks2 --device-size 1g --reduce-device-size 32m /dev/plaintext_device*
Encrypt LUKS2 device (in-place) with detached header put in a file:
Encrypt LUKS2 device (in-place) with detached header, put in a file:
*cryptsetup reencrypt --encrypt --type luks2 --header my_luks2_header /dev/plaintext_device*
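Review bot: The encryption examples tell the reader to keep the last 32 MiB of _/dev/plaintext_ unused, but the commands beneath them operate on /dev/plaintext_device. Since these sentences are being rewritten anyway, use the same device name in the text and in the command. The comma in "with detached header, put in a file" also detaches "put in a file" from the header it describes; drop it.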
@@ -157,7 +134,7 @@ Initialize LUKS2 in-place encryption operation only and activate the device (not
*cryptsetup reencrypt --encrypt --type luks2 --init-only --reduce-device-size 32m /dev/plaintext_device my_future_luks_device*
Resume online encryption on device initialized in example above:
Resume online encryption on the device initialized in the example above:
*cryptsetup reencrypt --resume-only /dev/plaintext_device* or
*cryptsetup reencrypt --active-name my_future_luks_device*
@@ -168,9 +145,19 @@ Reencrypt LUKS2 device (refresh volume key only):
*cryptsetup reencrypt /dev/encrypted_device*
Reencrypt LUKS2 device using keyslot(s) associated with the token 3.
All other keyslots will be removed after the reencryption finishes.
*cryptsetup reencrypt --token-id 3 /dev/encrypted_device*
Reencrypt LUKS2 device using keyslots associated with all 'systemd-tpm2' tokens.
All other keyslots will be removed after the reencryption finishes.
*cryptsetup reencrypt --token-type systemd-tpm2 /dev/encrypted_device*
=== LUKS2 DECRYPTION EXAMPLES
Decrypt LUKS2 device with header put in head of data device (header file does not exist):
Decrypt LUKS2 device with header put in the head of the data device (header file does not exist):
*cryptsetup reencrypt --decrypt --header /export/header/to/file /dev/encrypted_device*
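Review bot: The two examples for --token-id 3 and --token-type systemd-tpm2 state "All other keyslots will be removed after the reencryption finishes." as a plain description. That outcome discards every passphrase or recovery keyslot not associated with the selected token, so it should be marked with *WARNING:* and paired with a reminder to have a header backup before running the command.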

@@ -18,36 +18,24 @@ cryptsetup-refresh - refresh parameters of an active mapping
Refreshes parameters of active mapping <name>.
Updates parameters of active device <name> without the need to deactivate
the device (and umount filesystem). Currently, it supports parameters
refresh on following devices: LUKS1, LUKS2 (including authenticated
encryption), plain crypt and loop-AES.
Update parameters of active device <name> without the need to deactivate the device (and unmount the filesystem).
Currently, it supports parameter refresh on the following devices: LUKS1, LUKS2 (including authenticated encryption), plain crypt and loop-AES.
Mandatory parameters are identical to those of an open action for
the respective device type.
Mandatory parameters are identical to those of an open action for the respective device type.
You may change following parameters on all devices
--perf-same_cpu_crypt, --perf-submit_from_crypt_cpus,
--perf-no_read_workqueue, --perf-no_write_workqueue and
--allow-discards.
You may change the following parameters on all devices --perf-same_cpu_crypt, --perf-submit_from_crypt_cpus, --perf-no_read_workqueue, --perf-no_write_workqueue and --allow-discards.
Refreshing the device without any optional parameter will refresh the device
with default setting (respective to device type).
Refreshing the device without any optional parameter will refresh the device with the default setting (respective to device type).
*LUKS2 only:*
The --integrity-no-journal parameter affects only LUKS2 devices with
the underlying dm-integrity device.
The --integrity-no-journal parameter affects only LUKS2 devices with the underlying dm-integrity device.
Adding option --persistent stores any combination of device parameters
above in LUKS2 metadata (only after successful refresh operation).
Adding option --persistent stores any combination of device parameters above in LUKS2 metadata (only after successful refresh operation).
The --disable-keyring parameter refreshes a device with volume key passed in
dm-crypt driver.
The --disable-keyring parameter refreshes a device with the volume key passed in the dm-crypt driver.
*<options>* can be [--allow-discards, --perf-same_cpu_crypt, --perf-submit_from_crypt_cpus,
--perf-no_read_workqueue, --perf-no_write_workqueue, --header, --disable-keyring,
--disable-locks, --persistent, --integrity-no-journal].
*<options>* can be [--allow-discards, --perf-same_cpu_crypt, --perf-submit_from_crypt_cpus, --perf-no_read_workqueue, --perf-no_write_workqueue, --header, --disable-keyring, --disable-locks, --persistent, --integrity-no-journal].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
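Review bot: The --disable-keyring sentence is unclear in both versions: "refreshes a device with the volume key passed in the dm-crypt driver" does not tell the reader what changes. Suggest saying that the volume key is passed directly to the dm-crypt driver instead of being referenced through the kernel keyring. The reflowed "You may change the following parameters on all devices --perf-same_cpu_crypt, ..." also needs a colon after "devices".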

@@ -16,47 +16,37 @@ cryptsetup-repair - repair the device metadata
== DESCRIPTION
Tries to repair the device metadata if possible. Currently supported
only for LUKS device type.
Tries to repair the device metadata if possible.
Currently supported only for LUKS device type.
This command is useful to fix some known benign LUKS metadata header
corruptions. Only basic corruptions of unused keyslot are fixable. This
command will only change the LUKS header, not any key-slot data. You may
enforce LUKS version by adding --type option.
This command is useful for fixing some known benign LUKS metadata header corruptions.
Only basic corruptions of unused keyslot are fixable.
This command will only change the LUKS header, not any keyslot data.
You may enforce LUKS version by adding --type option.
It also repairs (upgrades) LUKS2 reencryption metadata by adding
a metadata digest that protects it against malicious changes.
It also repairs (upgrades) LUKS2 reencryption metadata by adding a metadata digest that protects it against malicious changes.
If LUKS2 reencryption was interrupted in the middle of writing
reencryption segment the repair command can be used to perform
reencryption recovery so that reencryption can continue later.
Repairing reencryption requires verification of reencryption
keyslot so passphrase or keyfile is needed.
If LUKS2 reencryption was interrupted while writing the reencryption segment, the repair command can perform reencryption recovery so that reencryption can continue later.
Repairing reencryption requires verification of the reencryption keyslot, so a passphrase or keyfile is needed.
*WARNING:* Always create a binary backup of the original header before calling this command.
=== LUKS keyslots corruption detection
The repair command also checks for detectable corruption of keyslot
content. Corruption of a keyslot results in a situation when a known
password is no longer accepted. It can happen due to storage media
failure or overwriting the keyslot area by some other data.
Only certain corruptions, usually only a low-entropy area
(like zeroed blocks), can be detected.
The repair command also checks for detectable corruption of keyslot content.
Corruption of a keyslot results in a situation where a known password is no longer accepted.
It can happen due to storage media failure or overwriting the keyslot area with other data.
Only certain corruptions, usually only a low-entropy area (like zeroed blocks), can be detected.
The detection prints only warnings. It does not modify keyslots.
It can also print more specific offsets on the device for detailed
manual inspection.
The detection prints only warnings.
It does not modify keyslots.
It can also print more specific offsets on the device for detailed manual inspection.
Please note that the warning can be a false positive
(no real corruption happened).
Please note that the warning can be a false positive (no real corruption happened).
Conversely, if the keyslot is corrupted, no recovery is possible.
You have to use LUKS header backup.
You have to use the LUKS header backup.
*<options>* can be [--timeout, --verify-passphrase, --disable-locks,
--type, --header, --key-file, --keyfile-size, --keyfile-offset, --key-slot].
*WARNING:* Always create a binary backup of the original header before
calling this command.
*<options>* can be [--timeout, --verify-passphrase, --disable-locks, --type, --header, --key-file, --keyfile-size, --keyfile-offset, --key-slot].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
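Review bot: The header-backup *WARNING:* and the line "You have to use the LUKS header backup." do not say how such a backup is created or restored. Add references to *cryptsetup-luksHeaderBackup*(8) and *cryptsetup-luksHeaderRestore*(8) at one of those two places. "Only basic corruptions of unused keyslot are fixable." should also read "unused keyslots".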

@@ -18,25 +18,17 @@ cryptsetup-resize - resize an active mapping
Resizes an active mapping <name>.
If --size (in 512-bytes sectors) or --device-size are not specified, the
size is computed from the underlying device. For LUKS it is the size of
the underlying device without the area reserved for LUKS header (see
data payload offset in *luksDump* command). For plain crypt device, the
whole device size is used.
If --size (in 512-byte sectors) or --device-size is not specified, the size is computed from the underlying device.
For LUKS, it is the size of the underlying device without the area reserved for the LUKS header (see data payload offset in the *luksDump* command).
For a plain crypt device, the whole device size is used.
Note that this does not change the raw device geometry, it just changes
how many sectors of the raw device are represented in the mapped device.
Note that this does not change the raw device geometry; it just changes how many sectors of the raw device are represented in the mapped device.
If cryptsetup detected volume key for active device loaded in kernel
keyring service, resize action would first try to retrieve the key using
a token. Only if it failed, it'd ask for a passphrase to unlock a
keyslot (LUKS) or to derive a volume key again (plain mode). The kernel
keyring is used by default for LUKS2 devices.
If cryptsetup detected a volume key for the active device loaded in the kernel keyring service, the resize action would first try to retrieve the key using a token.
Only if it failed, it'd ask for a passphrase to unlock a keyslot (LUKS) or to derive a volume key again (plain mode).
The kernel keyring is used by default for LUKS2 devices.
*<options>* can be [--size, --device-size, --token-id, --token-only,
--token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset,
--timeout, --disable-external-tokens, --disable-locks, --disable-keyring,
--volume-key-keyring, --verify-passphrase, --timeout, --external-tokens-path].
*<options>* can be [--size, --device-size, --token-id, --token-only, --token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset, --timeout, --disable-external-tokens, --disable-locks, --disable-keyring, --volume-key-keyring, --verify-passphrase, --timeout, --external-tokens-path].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
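Review bot: The *<options>* list names --timeout twice ("--keyfile-offset, --timeout, ..." and "--verify-passphrase, --timeout, ..."), in the wrapped and in the single-line version; drop the second occurrence. The keyring paragraph also keeps the conditional phrasing "If cryptsetup detected ... would first try ... it'd ask", which reads as hypothetical. Present tense would describe the actual behaviour.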

@@ -14,12 +14,10 @@ cryptsetup-ssh - manage LUKS2 SSH token
== DESCRIPTION
Experimental cryptsetup plugin for unlocking LUKS2 devices with token
connected to an SSH server.
Experimental cryptsetup plugin for unlocking LUKS2 devices with a token connected to an SSH server.
This plugin currently allows only adding a token to an existing key
slot. See *cryptsetup(8)* for instructions on how to remove, import or
export the token.
This plugin currently allows only adding a token to an existing keyslot.
See *cryptsetup*(8) for instructions on how to remove, import or export the token.
=== Add operation
@@ -27,13 +25,10 @@ export the token.
Adds the SSH token to *<device>*.
The specified SSH server must contain a key file on the specified path with
a passphrase for an existing key slot on the device. Provided
credentials will be used by cryptsetup to get the password when opening
the device using the token.
The specified SSH server must contain a key file on the specified path with a passphrase for an existing keyslot on the device.
Provided credentials will be used by cryptsetup to get the password when opening the device using the token.
Options --ssh-server, --ssh-user, --ssh-keypath and --ssh-path are
required for this operation.
Options --ssh-server, --ssh-user, --ssh-keypath and --ssh-path are required for this operation.
== OPTIONS
@@ -43,35 +38,34 @@ Show debug messages
*--debug-json*::
Show debug messages including JSON metadata
*--help, -?*::
*--help*, *-?*::
Show help
**--key-slot**=_NUM_::
Keyslot to assign the token to. If not specified, the token will be
assigned to the first key slot matching provided passphrase.
*--key-slot* _number_::
Keyslot to assign the token to.
If not specified, the token will be assigned to the first keyslot matching the provided passphrase.
**--ssh-keypath**=_STRING_::
*--ssh-keypath* _string_::
Path to the SSH key for connecting to the remote server.
**--ssh-path**=_STRING_::
*--ssh-path* _string_::
Path to the key file on the remote server.
**--ssh-server**=_STRING_::
*--ssh-server* _string_::
IP address/URL of the remote server for this token.
**--ssh-user**=_STRING_::
Username used for the remote server.
*--ssh-user* _string_::
The username used for the remote server.
*--verbose, -v*::
*--verbose*, *-v*::
Shows more detailed error messages
*--version, -V*::
*--version*, *-V*::
Print program version
== NOTES
The information provided when adding the token (SSH server address, user
and paths) will be stored in the LUKS2 header in plaintext.
The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext.
== AUTHORS

@@ -18,20 +18,16 @@ cryptsetup-tcryptDump - dump the header information of a TCRYPT (TrueCrypt or Ve
Dump the header information of a TCRYPT (TrueCrypt or VeraCrypt compatible) device.
If the --dump-volume-key option is used, the TCRYPT device volume key is
dumped instead of TCRYPT header info. Beware that the volume key (or
concatenated volume keys if cipher chain is used) can be used to decrypt
the data stored in the TCRYPT container without a passphrase. This means
that if the volume key is compromised, the whole device has to be erased
to prevent further access. Use this option carefully.
If the --dump-volume-key option is used, the TCRYPT device volume key is dumped instead of the TCRYPT header info.
Beware that the volume key (or concatenated volume keys if a cipher chain is used) can be used to decrypt the data stored in the TCRYPT container without a passphrase.
This means that if the volume key is compromised, the whole device has to be erased to prevent further access.
Use this option carefully.
*<options>* can be [--dump-volume-key, --key-file, --tcrypt-hidden,
--tcrypt-system, --tcrypt-backup, --veracrypt (ignored), --disable-veracrypt,
--veracrypt-pim, --veracrypt-query-pim, --cipher, --hash, --header,
--verify-passphrase, --timeout].
The --key-file option allows a combination of file content with the passphrase
The --key-file option can be repeated.
Note that using keyfiles differs from LUKS keyfile logic.
The keyfile parameter allows a combination of file content with the
passphrase and can be repeated.
*<options>* can be [--dump-volume-key, --key-file, --tcrypt-hidden, --tcrypt-system, --tcrypt-backup, --veracrypt (ignored), --disable-veracrypt, --veracrypt-pim, --veracrypt-query-pim, --cipher, --hash, --header, --verify-passphrase, --timeout].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
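Review bot: "The --key-file option allows a combination of file content with the passphrase" is missing its terminating period, so it runs into "The --key-file option can be repeated." once the lines are joined into a paragraph. The sentence "Note that using keyfiles differs from LUKS keyfile logic." would help more if it said how the logic differs or pointed to the TrueCrypt and VeraCrypt section of *cryptsetup-open*(8).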

@@ -16,40 +16,30 @@ cryptsetup-token - manage LUKS2 tokens
== DESCRIPTION
Action _add_ creates a new keyring token to enable auto-activation of the
device. For the auto-activation, the passphrase must be stored in
keyring with the specified description. Usually, the passphrase should
be stored in _user_ or _user-session_ keyring. The _token_ command is
supported only for LUKS2.
Action _add_ creates a new keyring token to enable auto-activation of the device.
For the auto-activation, the passphrase must be stored in the keyring with the specified description.
Usually, the passphrase should be stored in the _user_ or _user-session_ keyring.
The _token_ command is supported only for LUKS2.
For adding new keyring token, option --key-description is mandatory.
Also, new token is assigned to key slot specified with --key-slot option
or to all active key slots in the case --key-slot option is omitted.
For adding a new keyring token, the option --key-description is mandatory.
Also, a new token is assigned to the keyslot specified with --key-slot option or to all active keyslots if the --key-slot option is omitted.
To remove existing token, specify the token ID which should be removed
with --token-id option.
To remove an existing token, specify the token ID that should be removed with --token-id option.
*WARNING:* The action _token remove_ removes any token type, not just
_keyring_ type from token slot specified by --token-id option.
*WARNING:* The action _token remove_ removes any token type, not just _keyring_ type from token slot specified by --token-id option.
Action _import_ can store arbitrary valid token json in LUKS2 header. It
may be passed via standard input or via file passed in --json-file
option. If you specify --key-slot then successfully imported token is
also assigned to the key slot.
Action _import_ can store an arbitrary valid JSON data in the LUKS2 token.
It may be passed via standard input or a file passed in --json-file option.
If you specify --key-slot, a successfully imported token is also assigned to the keyslot.
Action _export_ writes requested token JSON to a file passed with
--json-file or to standard output.
Action _export_ writes requested token JSON to a file passed with --json-file or to standard output.
Action _unassign_ removes token binding to specified keyslot. Both token
and keyslot must be specified by --token-id and --key-slot parameters.
Action _unassign_ removes token binding to specified keyslot.
Both token and keyslot must be specified by --token-id and --key-slot parameters.
If --token-id is used with action _add_ or action _import_ and a token
with that ID already exists, option --token-replace can be used to
replace the existing token.
If --token-id is used with action _add_ or action _import_ and a token with that ID already exists, option --token-replace can replace the existing token.
*<options>* can be [--header, --token-id, --key-slot, --key-description,
--disable-external-tokens, --disable-locks, --disable-keyring,
--json-file, --token-replace, --unbound, --external-tokens-path].
*<options>* can be [--header, --token-id, --key-slot, --key-description, --disable-external-tokens, --disable-locks, --disable-keyring, --json-file, --token-replace, --unbound, --external tokens-path].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
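Review bot: The single-line *<options>* list ends with "--external tokens-path", which has lost the hyphen of --external-tokens-path shown in the wrapped version and no longer matches the option name. In the _import_ paragraph, "store an arbitrary valid JSON data in the LUKS2 token" is ungrammatical and changes what is stored where; the wrapped text says token JSON is stored in the LUKS2 header.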

@@ -6,7 +6,7 @@
== Name
cryptsetup - manage plain dm-crypt, LUKS, and other encrypted volumes
cryptsetup - utility for configuring and managing encrypted storage devices
== SYNOPSIS
@@ -14,19 +14,21 @@ cryptsetup - manage plain dm-crypt, LUKS, and other encrypted volumes
== DESCRIPTION
cryptsetup is used to conveniently setup dm-crypt managed device-mapper
mappings. These include plain dm-crypt volumes and LUKS volumes. The
difference is that LUKS uses a metadata header and can hence offer more
features than plain dm-crypt. On the other hand, the header is visible
and vulnerable to damage.
*Cryptsetup* is a utility for configuring and managing full-disk encryption on storage devices.
It can encrypt block devices (such as hard drives or partitions) and containers (disk images stored as files).
In addition, cryptsetup provides limited support for the use of loop-AES
volumes, TrueCrypt, VeraCrypt, BitLocker and FileVault2 compatible volumes,
and for hardware-based encryption on OPAL capable drives.
When you unlock an encrypted volume, *cryptsetup* creates a new device mapping that applications can access like any regular storage device.
The actual encryption and decryption work is performed transparently by the kernel's device-mapper dm-crypt driver.
For more information about specific cryptsetup action see
*cryptsetup-<action>*(8), where *<action>* is the name of the
cryptsetup action.
*Cryptsetup* works with two main volume types: plain encrypted volumes and LUKS (Linux Unified Key Setup) volumes.
Plain volumes provide basic encryption, while LUKS volumes include a metadata header that enables advanced features like multiple keyslots and key management.
Additionally, LUKS can be used to manage hardware-based encryption on OPAL-capable storage drives.
*Cryptsetup* also provides limited support for volumes created by other encryption systems, including *loop-AES*, *TrueCrypt*, *VeraCrypt*, *BitLocker*, and *FileVault2*.
For more information about a specific cryptsetup action, see *cryptsetup-<action>*(8), where *<action>* is the name of the cryptsetup action.
Cryptsetup devices can be activated during boot through *crypttab*(5), which is part of *systemd*(1) or other system init scripts.
== BASIC ACTIONS
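Review bot: The rewritten DESCRIPTION no longer carries the caveat that the LUKS header "is visible and vulnerable to damage"; the new paragraphs mention only the features the header enables. Keep one sentence on that trade-off next to "LUKS volumes include a metadata header". The closing sentence "*crypttab*(5), which is part of *systemd*(1) or other system init scripts" is also ambiguous about what is part of what.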
@@ -35,47 +37,46 @@ The following are valid actions for all supported device types.
=== OPEN
*open <device> <name> --type <device_type>*
Opens (creates a mapping with) <name> backed by device <device>. +
Opens (creates a mapping with) <name> backed by device <device>.
See *cryptsetup-open*(8).
=== CLOSE
*close <name>*
Removes the existing mapping <name> and wipes the key from kernel memory. +
Removes the existing mapping <name> and wipes the key from kernel memory.
See *cryptsetup-close*(8).
=== STATUS
*status <name>*
Reports the status for the mapping <name>. +
Reports the status for the mapping <name>.
See *cryptsetup-status*(8).
=== RESIZE
*resize <name>*
Resizes an active mapping <name>. +
Resizes an active mapping <name>.
See *cryptsetup-resize*(8).
=== REFRESH
*refresh <name>*
Refreshes parameters of active mapping <name>. +
Refreshes parameters of active mapping <name>.
See *cryptsetup-refresh*(8).
=== REENCRYPT
*reencrypt <device> or --active-name <name> [<new_name>]*
Run LUKS device reencryption. +
Run LUKS device reencryption.
See *cryptsetup-reencrypt*(8).
== PLAIN MODE
Plain dm-crypt encrypts the device sector-by-sector with a single,
non-salted hash of the passphrase. No checks are performed, no metadata
is used. There is no formatting operation. When the raw device is mapped
(opened), the usual device operations can be used on the mapped device,
including filesystem creation. Mapped devices usually reside in
/dev/mapper/<name>.
Plain dm-crypt encrypts the device sector-by-sector with a single, non-salted hash of the passphrase.
No checks are performed, and no metadata is used.
There is no formatting operation.
When the raw device is mapped (opened), the usual device operations can be used on the mapped device, including filesystem creation.
Mapped devices usually reside in /dev/mapper/<name>.
The following are valid plain device type actions:
@@ -83,282 +84,229 @@ The following are valid plain device type actions:
*open --type plain <device> <name>* +
create <name> <device> (*OBSOLETE syntax*)
Opens (creates a mapping with) <name> backed by device <device>. +
Opens (creates a mapping with) <name> backed by device <device>.
See *cryptsetup-open*(8).
== LUKS EXTENSION
LUKS, the Linux Unified Key Setup, is a standard for disk encryption. It
adds a standardized header at the start of the device, a key-slot area
directly behind the header and the bulk data area behind that. The whole
set is called a 'LUKS container'. The device that a LUKS container
resides on is called a 'LUKS device'. For most purposes, both terms can
be used interchangeably. But note that when the LUKS header is at a
nonzero offset in a device, then the device is not a LUKS device
anymore, but has a LUKS container stored in it at an offset.
LUKS, the Linux Unified Key Setup, is a standard for disk encryption.
It adds a standardized header at the start of the device, a keyslot area directly behind the header and the bulk data area behind that.
The whole set is called a 'LUKS container'.
The device that a LUKS container resides on is called a 'LUKS device'.
For most purposes, both terms can be used interchangeably.
LUKS can manage multiple passphrases that can be individually revoked or
changed and that can be securely scrubbed from persistent media due to
the use of anti-forensic stripes. Passphrases are protected against
brute-force and dictionary attacks by Password-Based Key Derivation
Function (PBKDF).
LUKS can manage multiple passphrases that can be individually revoked or changed.
Each passphrase uses an individual keyslot containing a volume key for data encryption.
Keyslots can be securely scrubbed from persistent media due to the use of anti-forensic stripes.
Passphrases are protected against brute-force attacks by the Password-Based Key Derivation Function (PBKDF).
A passphrase stored in a file is called a key file.
The only difference between a passphrase and a key file is that a key file can contain binary data.
Both are processed the same.
LUKS2 is a new version of header format that allows additional
extensions like different PBKDF algorithm or authenticated encryption.
You can format device with LUKS2 header if you specify *--type luks2* in
*luksFormat* command. For activation, the format is already recognized
automatically.
LUKS version 1 (or LUKS1) is the original metadata format, while LUKS2 is a new version that allows additional extensions like different PBKDF algorithms or authenticated encryption.
You can format the device with a specific LUKS version with *--type luks1* or *--type luks2* in the *luksFormat* command.
Normally, you do not need to specify any version as it is recognized automatically.
The default format is LUKS2.
Each passphrase, also called a *key* in this document, is associated
with one of 8 key-slots. Key operations that do not specify a slot
affect the first slot that matches the supplied passphrase or the first
empty slot if a new passphrase is added.
The *<device>* parameter can also be specified by a LUKS UUID in the format UUID=<uuid>.
The *<device>* parameter can also be specified by a LUKS UUID in the
format UUID=<uuid>. Translation to real device name uses symlinks in
/dev/disk/by-uuid directory.
To specify a detached header, the *--header* parameter can be used in
all LUKS commands and always takes precedence over the positional
*<device>* parameter.
The LUKS header can be detached from data (stored separately).
To specify a detached header, the --header parameter can be used in all LUKS commands and always takes precedence over the positional *<device>* parameter.
The following are valid LUKS actions:
=== FORMAT
*luksFormat <device> [<key file>]*
Initializes a LUKS partition and sets the initial passphrase (for key-slot 0). +
Initializes a LUKS partition and sets the initial passphrase (for keyslot 0).
See *cryptsetup-luksFormat*(8).
=== OPEN
*open --type luks <device> <name>* +
luksOpen <device> <name> (*old syntax*)
Opens the LUKS device <device> and sets up a mapping <name> after
successful verification of the supplied passphrase. +
Opens the LUKS device <device> and sets up a mapping <name> after successful verification of the supplied passphrase.
See *cryptsetup-open*(8).
=== SUSPEND
*luksSuspend <name>*
Suspends an active device (all IO operations will block and accesses to
the device will wait indefinitely) and wipes the encryption key from
kernel memory. +
Suspends an active device (all IO operations will block and accesses to the device will wait indefinitely) and wipes the encryption key from kernel memory.
See *cryptsetup-luksSuspend*(8).
=== RESUME
*luksResume <name>*
Resumes a suspended device and reinstates the encryption key. +
Resumes a suspended device and reinstates the encryption key.
See *cryptsetup-luksResume*(8).
=== ADD KEY
*luksAddKey <device> [<key file with new key>]*
Adds a new passphrase using an existing passphrase. +
Adds a new passphrase using an existing passphrase.
See *cryptsetup-luksAddKey*(8).
=== REMOVE KEY
*luksRemoveKey <device> [<key file with passphrase to be removed>]*
Removes the supplied passphrase from the LUKS device. +
Removes the supplied passphrase from the LUKS device.
See *cryptsetup-luksRemoveKey*(8).
=== CHANGE KEY
*luksChangeKey <device> [<new key file>]*
Changes an existing passphrase. +
Changes an existing passphrase.
See *cryptsetup-luksChangeKey*(8).
=== CONVERT KEY
*luksConvertKey <device>*
Converts an existing LUKS2 keyslot to new PBKDF parameters. +
Converts an existing LUKS2 keyslot to new PBKDF parameters.
See *cryptsetup-luksConvertKey*(8).
=== KILL SLOT
*luksKillSlot <device> <key slot number>*
*luksKillSlot <device> <number>*
Wipe the key-slot number <key slot> from the LUKS device. +
Wipe the keyslot with the <number> from the LUKS device.
See *cryptsetup-luksKillSlot*(8).
=== ERASE
*erase <device>* +
luksErase <device> (*old syntax*)
Erase all keyslots and make the LUKS container permanently inaccessible. +
Erase all keyslots and make the LUKS container permanently inaccessible.
See *cryptsetup-erase*(8).
=== UUID
*luksUUID <device>*
Print or set the UUID of a LUKS device. +
Print or set the UUID of a LUKS device.
See *cryptsetup-luksUUID*(8).
=== IS LUKS
*isLuks <device>*
Returns true, if <device> is a LUKS device, false otherwise. +
Returns true, if <device> is a LUKS device, false otherwise.
See *cryptsetup-isLuks*(8).
=== DUMP
*luksDump <device>*
Dump the header information of a LUKS device. +
Dump the header information of a LUKS device.
See *cryptsetup-luksDump*(8).
=== HEADER BACKUP
*luksHeaderBackup <device> --header-backup-file <file>*
Stores a binary backup of the LUKS header and keyslot area. +
Stores a binary backup of the LUKS header and keyslot area.
See *cryptsetup-luksHeaderBackup*(8).
=== HEADER RESTORE
*luksHeaderRestore <device> --header-backup-file <file>*
Restores a binary backup of the LUKS header and keyslot area from the
specified file. +
Restores a binary backup of the LUKS header and keyslot area from the specified file.
See *cryptsetup-luksHeaderRestore*(8).
=== TOKEN
*token <add|remove|import|export> <device>*
Manipulate token objects used for obtaining passphrases. +
Manipulate token objects used for obtaining passphrases.
See *cryptsetup-token*(8).
=== CONVERT
*convert <device> --type <format>*
Converts the device between LUKS1 and LUKS2 format (if possible). +
Converts the device between LUKS1 and LUKS2 format (if possible).
See *cryptsetup-convert*(8).
=== CONFIG
*config <device>*
Set permanent configuration options (store to LUKS header). +
Set permanent configuration options (store to LUKS header).
See *cryptsetup-config*(8).
== loop-AES EXTENSION
cryptsetup supports mapping loop-AES encrypted partition using a
compatibility mode.
Cryptsetup supports mapping a loop-AES encrypted partition using a compatibility mode.
=== OPEN
*open --type loopaes <device> <name> --key-file <keyfile>* +
loopaesOpen <device> <name> --key-file <keyfile> (*old syntax*)
Opens the loop-AES <device> and sets up a mapping <name>. +
Opens the loop-AES <device> and sets up a mapping <name>.
See *cryptsetup-open*(8).
See also section 7 of the FAQ and http://loop-aes.sourceforge.net[loop-AES]
for more information regarding loop-AES.
See also section 7 of the FAQ and http://loop-aes.sourceforge.net[loop-AES] for more information regarding loop-AES.
== TCRYPT (TrueCrypt and VeraCrypt compatible) EXTENSION
cryptsetup supports mapping of TrueCrypt, tcplay or VeraCrypt encrypted
partition using a native Linux kernel API. Header formatting and TCRYPT
header change is not supported, cryptsetup never changes TCRYPT header
on-device.
Cryptsetup supports mapping of TrueCrypt, tcplay, or VeraCrypt encrypted partitions using a native Linux kernel API.
Header formatting and TCRYPT header change are not supported; cryptsetup never changes the TCRYPT header on-device.
TCRYPT extension requires kernel userspace crypto API to be available
(introduced in Linux kernel 2.6.38). If you are configuring kernel
yourself, enable "User-space interface for symmetric key cipher
algorithms" in "Cryptographic API" section
(CRYPTO_USER_API_SKCIPHER .config option).
TCRYPT extension requires the kernel userspace crypto API to be available.
If you are configuring the kernel yourself, enable "User-space interface for symmetric key cipher algorithms" in "Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
Because TCRYPT header is encrypted, you have to always provide valid
passphrase and keyfiles.
Because the TCRYPT header is encrypted, you must always provide a valid passphrase and keyfiles.
Cryptsetup should recognize all header variants, except legacy cipher
chains using LRW encryption mode with 64 bits encryption block (namely
Blowfish in LRW mode is not recognized, this is limitation of kernel
crypto API).
Cryptsetup should recognize all header variants, except legacy cipher chains using LRW encryption mode with a 64-bit encryption block (namely, Blowfish in LRW mode is not recognized; this is a limitation of the kernel crypto API).
VeraCrypt is extension of TrueCrypt header with increased iteration
count so unlocking can take quite a lot of time.
VeraCrypt is an extension of TrueCrypt with an increased iteration count, so unlocking can take quite a lot of time.
To open a VeraCrypt device with a custom Personal Iteration Multiplier
(PIM) value, use either the *--veracrypt-pim=<PIM>* option to directly
specify the PIM on the command- line or use *--veracrypt-query-pim* to
be prompted for the PIM.
To open a VeraCrypt device with a custom Personal Iteration Multiplier (PIM) value, use either the --veracrypt-pim PIM option to directly specify the PIM on the command line or use --veracrypt-query-pim to be prompted for the PIM.
The PIM value affects the number of iterations applied during key
derivation. Please refer to
https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html[PIM]
for more detailed information.
The PIM value affects the number of iterations applied during key derivation.
Please refer to https://veracrypt.io/en/Personal%20Iterations%20Multiplier%20(PIM).html[PIM] for more detailed information.
If you need to disable VeraCrypt device support, use
*--disable-veracrypt* option.
If you need to disable VeraCrypt device support, use --disable-veracrypt option.
*NOTE:* Activation with *tcryptOpen* is supported only for cipher chains
using LRW or XTS encryption modes.
Activation with *tcryptOpen* is supported only for cipher chains using LRW or XTS encryption modes.
The *tcryptDump* command should work for all recognized TCRYPT devices
and doesn't require superuser privilege.
The *tcryptDump* command should work for all recognized TCRYPT devices and doesn't require superuser privilege.
To map system device (device with boot loader where the whole encrypted
system resides) use *--tcrypt-system* option.
Please read specific info in *cryptsetup-tcryptOpen*(8) *--tcrypt-system*
option section as mapping system-encrypted device is tricky.
To map the system device (device with boot loader where the whole encrypted system resides), use --tcrypt-system option.
Please read specific info in *cryptsetup-tcryptOpen*(8) --tcrypt-system option section as mapping system-encrypted device is tricky.
To use hidden header (and map hidden device, if available), use
*--tcrypt-hidden* option.
To use a hidden header (and map hidden device, if available), use --tcrypt-hidden option.
To explicitly use backup (secondary) header, use *--tcrypt-backup*
option.
To explicitly use the backup (secondary) header, use --tcrypt-backup option.
*NOTE:* There is no protection for a hidden volume if the outer volume
is mounted. The reason is that if there were any protection, it would
require some metadata describing what to protect in the outer volume and
the hidden volume would become detectable.
There is no protection for a hidden volume if the outer volume is mounted.
The reason is that if there were any protection, it would require some metadata describing what to protect in the outer volume, and the hidden volume would become detectable.
=== OPEN
*open --type tcrypt <device> <name>* +
tcryptOpen_ <device> <name> (*old syntax*)
Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping
<name>. +
Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
See *cryptsetup-open*(8).
=== DUMP
*tcryptDump <device>*
Dump the header information of a TCRYPT device. +
Dump the header information of a TCRYPT device.
See *cryptsetup-tcryptDump*(8).
See also https://en.wikipedia.org/wiki/TrueCrypt[*TrueCrypt*] and
https://en.wikipedia.org/wiki/VeraCrypt[*VeraCrypt*] pages for more information.
See also https://en.wikipedia.org/wiki/TrueCrypt[TrueCrypt] and https://en.wikipedia.org/wiki/VeraCrypt[VeraCrypt] pages for more information.
Please note that cryptsetup does not use TrueCrypt or VeraCrypt code, please
report all problems related to this compatibility extension to the cryptsetup
project.
Please note that cryptsetup does not use TrueCrypt or VeraCrypt code; please report all problems related to this compatibility extension to the cryptsetup project.
== BITLK (Windows BitLocker compatible) EXTENSION
cryptsetup supports mapping of BitLocker and BitLocker to Go encrypted
partition using a native Linux kernel API. Header formatting and BITLK
header changes are not supported, cryptsetup never changes BITLK header
on-device.
Cryptsetup supports mapping of BitLocker and BitLocker to Go encrypted partitions using a native Linux kernel API.
Header formatting and BITLK header changes are not supported; cryptsetup never changes the BITLK header on-device.
BITLK extension requires kernel userspace crypto API to be available
(for details see TCRYPT section).
BITLK extension requires the kernel userspace crypto API to be available (for details, see the TCRYPT section).
Cryptsetup should recognize all BITLK header variants, except legacy
header used in Windows Vista systems and partially decrypted BitLocker
devices. Activation of legacy devices encrypted in CBC mode requires at
least Linux kernel version 5.3 and for devices using Elephant diffuser
kernel 5.6.
Cryptsetup should recognize all BITLK header variants, except the legacy header used in Windows Vista systems and partially decrypted BitLocker devices.
Activation of legacy devices encrypted in CBC mode requires at least a Linux kernel version 5.3, and for devices using the Elephant diffuser, kernel 5.6.
The *bitlkDump* command should work for all recognized BITLK devices and
doesn't require superuser privilege.
The *bitlkDump* command should work for all recognized BITLK devices and doesn't require superuser privilege.
For unlocking with the *open* a password or a recovery passphrase or a
startup key must be provided.
For unlocking with the *open*, a password, a recovery passphrase, or a startup key must be provided.
Additionally unlocking using volume key is supported. You must provide
BitLocker Full Volume Encryption Key (FVEK) using the --volume-key-file
option. The key must be decrypted and without the header (only
128/256/512 bits of key data depending on used cipher and mode).
Additionally, unlocking using the volume key is supported.
You must provide BitLocker Full Volume Encryption Key (FVEK) using the --volume-key-file option.
The key must be decrypted and without the header (only 128/256/512 bits of key data depending on the used cipher and mode).
Other unlocking methods (TPM, SmartCard) are not supported.
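Review bot: the LUKS EXTENSION rewrite silently drops behaviour that the old text documented, not just line wrapping. The sentence "Key operations that do not specify a slot affect the first slot that matches the supplied passphrase or the first empty slot if a new passphrase is added" has no replacement, and neither does the note that UUID=<uuid> is resolved through symlinks in /dev/disk/by-uuid. If both still hold, keep them here or point to the sub-page that now carries them. In the TCRYPT section the hidden-volume caveat ("There is no protection for a hidden volume if the outer volume is mounted.") loses its *NOTE:* marker and now reads as ordinary body text. It is the one data-loss warning in that section, so it should keep some emphasis. Two smaller points: "Wipe the keyslot with the <number> from the LUKS device." is awkward ("Wipe keyslot <number> from the LUKS device." is enough), and the PIM link now has literal parentheses in the URL where the old line used %28/%29, so please check that it still renders as a single link.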
@@ -366,42 +314,31 @@ Other unlocking methods (TPM, SmartCard) are not supported.
*open --type bitlk <device> <name>* +
bitlkOpen <device> <name> (*old syntax*)
Opens the BITLK (a BitLocker-compatible) <device> and sets up a mapping
<name>. +
Opens the BITLK (a BitLocker-compatible) <device> and sets up a mapping <name>.
See *cryptsetup-open*(8).
=== DUMP
*bitlkDump <device>*
Dump the header information of a BITLK device. +
Dump the header information of a BITLK device.
See *cryptsetup-bitlkDump*(8).
Please note that cryptsetup does not use any Windows BitLocker code,
please report all problems related to this compatibility extension to
the cryptsetup project.
Please note that cryptsetup does not use any Windows BitLocker code; please report all problems related to this compatibility extension to the cryptsetup project.
== FVAULT2 (Apple macOS FileVault2 compatible) EXTENSION
cryptsetup supports the mapping of FileVault2 (FileVault2 full-disk
encryption) by Apple for the macOS operating system using a native Linux
kernel API.
Cryptsetup supports the mapping of FileVault2 (FileVault2 full-disk encryption) by Apple for the macOS operating system using a native Linux kernel API.
*NOTE:* cryptsetup supports only FileVault2 based on Core Storage and HFS+
filesystem (introduced in MacOS X 10.7 Lion).
It does NOT support the new version of FileVault based on the APFS
filesystem used in recent macOS versions.
Cryptsetup supports only FileVault2 based on Core Storage and HFS+ filesystem (introduced in MacOS X 10.7 Lion).
It does NOT support the new version of FileVault based on the APFS filesystem used in recent macOS versions.
Header formatting and FVAULT2 header changes are not supported;
cryptsetup never changes the FVAULT2 header on-device.
Header formatting and FVAULT2 header changes are not supported; cryptsetup never changes the FVAULT2 header on-device.
FVAULT2 extension requires kernel userspace crypto API to be available
(for details, see TCRYPT section) and kernel driver for HFS+ (hfsplus)
filesystem.
FVAULT2 extension requires the kernel userspace crypto API to be available (for details, see the TCRYPT section) and a kernel driver for the HFS+ (hfsplus) filesystem.
Cryptsetup should recognize the basic configuration for portable drives.
The *fvault2Dump* command should work for all recognized FVAULT2 devices
and doesn't require superuser privilege.
The *fvault2Dump* command should work for all recognized FVAULT2 devices and doesn't require superuser privilege.
For unlocking with the *open*, a password must be provided.
Other unlocking methods are not supported.
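Review bot: with the *NOTE:* prefix removed, the FVAULT2 limitation paragraph now opens "Cryptsetup supports only FileVault2 based on Core Storage ..." directly after a paragraph that opens "Cryptsetup supports the mapping of FileVault2 ...", so the restriction is easy to read past. Consider folding it into the first paragraph or rewording the opener, for example "Only FileVault2 based on Core Storage and HFS+ is supported". While the line is being rewritten, "MacOS X 10.7 Lion" should be "Mac OS X 10.7 Lion".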
@@ -410,129 +347,102 @@ Other unlocking methods are not supported.
*open --type fvault2 <device> <name>* +
fvault2Open <device> <name> (*old syntax*)
Opens the FVAULT2 (a FileVault2-compatible) <device> (usually the second
partition on the device) and sets up a mapping <name>. +
Opens the FVAULT2 (a FileVault2-compatible) <device> (usually the second partition on the device) and sets up a mapping <name>.
See *cryptsetup-open*(8).
== SED (Self Encrypting Drive) OPAL EXTENSION
cryptsetup supports using native hardware encryption on drives that provide an
*OPAL* interface, both nested with *dm-crypt* and standalone. Passphrases,
tokens and metadata are stored using the LUKS2 header format, and are thus
compatible with any software or system that uses LUKS2 (e.g.: tokens).
Cryptsetup supports using native hardware encryption on drives that provide an *OPAL* interface, both nested with *dm-crypt* and standalone.
Passphrases, tokens and metadata are stored using the LUKS2 header format, and are thus compatible with any software or system that uses LUKS2 (e.g., tokens).
*WARNING:* this support is new and experimental, and requires at least kernel
v6.4. Resizing devices is not supported.
OPAL support requires at least kernel v6.4.
Resizing devices is not supported.
*--hw-opal* can be specified for OPAL + dm-crypt, and
*--hw-opal-only* can be specified to use OPAL only, without a dm-crypt layer.
The --hw-opal can be specified for OPAL + dm-crypt, and --hw-opal-only can be specified to use OPAL only, without a dm-crypt layer.
Opening, closing and enrolling tokens work in the same way as with LUKS2 and
dm-crypt. The new parameters are only necessary when formatting, the LUKS2
metadata will ensure the right setup is performed when opening or closing. If
no *subsystem* is specified, it will be automatically set to *HW-OPAL* so that
it is immediately apparent when a device uses OPAL.
Opening, closing and enrolling tokens work the same way as with LUKS2 and dm-crypt.
The new parameters are only necessary when formatting; the LUKS2 metadata will ensure the right setup is performed when opening or closing.
If no *subsystem* label is specified, it will be automatically set to *HW-OPAL* so that it is immediately apparent when a device uses OPAL.
=== FORMAT
*luksFormat --type luks2 --hw-opal <device> [<key file>]*
Additionally specify *--hw-opal-only* instead of *--hw-opal* to avoid the
dm-crypt layer. Other than the usual passphrase, an admin password will have
to be specified when formatting the first partition of the drive, and will have
to be re-supplied when formatting any other partition until a factory reset
is performed.
Additionally specify --hw-opal-only instead of --hw-opal to avoid the dm-crypt layer.
Other than the usual passphrase, an admin password will have to be specified when formatting the drive's first partition, and will have to be re-supplied when formatting any other partition until a factory reset is performed.
=== ERASE
*erase <device>*
Securely erase a partition or device. Requires admin password.
Additionally specify *--hw-opal-factory-reset* for a FULL factory reset of the
drive, using the drive's *PSID* (typically printed on the label) instead of the
admin password.
Securely erase a partition or device.
Requires admin password.
Additionally specify --hw-opal-factory-reset for a FULL factory reset of the drive, using the drive's *PSID* (typically printed on the label) instead of the admin password.
*NOTE*: PSID must be entered without any dashes, spaces or underscores.
PSID must be entered without dashes, spaces or underscores.
*WARNING*: a factory reset will cause ALL data on the device to be lost,
regardless of the partition it is ran on, if any, and regardless of any LUKS2
header backup.
*WARNING*: A factory reset will cause ALL data on the device to be lost, regardless of the partition it is run on, if any, and regardless of any LUKS2 header backup.
== MISCELLANEOUS ACTIONS
=== REPAIR
*repair <device>*
Tries to repair the device metadata if possible. Currently supported
only for LUKS device type. +
Tries to repair the device metadata if possible.
Currently supported only for LUKS device type.
See *cryptsetup-repair*(8).
=== BENCHMARK
*benchmark <options>*
Benchmarks ciphers and KDF (key derivation function). +
Benchmarks, ciphers and KDF (key derivation function).
See *cryptsetup-benchmark*(8).
== PLAIN DM-CRYPT OR LUKS?
== PLAIN MODE OR LUKS?
Unless you understand the cryptographic background well, use LUKS. With
plain dm-crypt there are a number of possible user errors that massively
decrease security. While LUKS cannot fix them all, it can lessen the
impact for many of them.
Unless you understand the cryptographic background well, use LUKS.
With plain mode, there are a number of possible user errors that massively decrease security.
While LUKS cannot fix them all, it can lessen the impact for many of them.
== WARNINGS
A lot of good information on the risks of using encrypted storage, on
handling problems and on security aspects can be found in the
Cryptsetup FAQ. Read it. Nonetheless, some risks deserve to be
mentioned here.
A lot of good information on the risks of using encrypted storage, on handling problems and on security aspects can be found in the Cryptsetup FAQ.
Read it.
Nonetheless, some risks deserve to be mentioned here.
*Backup:* Storage media die. Encryption has no influence on that. Backup
is mandatory for encrypted data as well, if the data has any worth. See
the Cryptsetup FAQ for advice on how to do a backup of an encrypted
volume.
*Backup:* Storage media die.
Encryption has no influence on that.
Backup is mandatory for encrypted data as well, if the data has any worth.
See the Cryptsetup FAQ for advice on how to back up an encrypted volume.
*Character encoding:* If you enter a passphrase with special symbols,
the passphrase can change depending on character encoding. Keyboard
settings can also change, which can make blind input hard or impossible.
For example, switching from some ASCII 8-bit variant to UTF-8 can lead
to a different binary encoding and hence different passphrase seen by
cryptsetup, even if what you see on the terminal is exactly the same. It
is therefore highly recommended to select passphrase characters only
from 7-bit ASCII, as the encoding for 7-bit ASCII stays the same for all
ASCII variants and UTF-8.
*Character encoding:* If you enter a passphrase with special symbols, the passphrase can change depending on character encoding.
Keyboard settings can also be changed, which can make blind input hard or impossible.
For example, switching from some ASCII 8-bit variant to UTF-8 can lead to a different binary encoding and hence a different passphrase seen by cryptsetup, even if what you see on the terminal is exactly the same.
It is therefore highly recommended to select passphrase characters only from 7-bit ASCII, as the encoding for 7-bit ASCII stays the same for all ASCII variants and UTF-8.
*LUKS header:* If the header of a LUKS volume gets damaged, all data is
permanently lost unless you have a header-backup. If a key-slot is
damaged, it can only be restored from a header-backup or if another
active key-slot with known passphrase is undamaged. Damaging the LUKS
header is something people manage to do with surprising frequency. This
risk is the result of a trade-off between security and safety, as LUKS
is designed for fast and secure wiping by just overwriting header and
key-slot area.
*LUKS header:* If the header of a LUKS volume gets damaged, all data is permanently lost unless you have a header backup.
If a keyslot is damaged, it can only be restored from a header backup or if another active keyslot with a known passphrase is undamaged.
This risk is the result of a trade-off between security and safety, as LUKS is designed for fast and secure wiping by just overwriting the header and keyslot area.
*Previously used partitions:* If a partition was previously used, it is
a very good idea to wipe filesystem signatures, data, etc. before
creating a LUKS or plain dm-crypt container on it. For a quick removal
of filesystem signatures, use *wipefs*(8). Take care though that this may
not remove everything. In particular, MD RAID signatures at the end of a
device may survive. It also does not remove data. For a full wipe,
overwrite the whole partition before container creation. If you do not
know how to do that, the cryptsetup FAQ describes several options.
*Previously used partitions:* If a partition was previously used, it is a very good idea to wipe filesystem signatures, data, etc., before creating a LUKS or plain dm-crypt container.
For a quick removal of filesystem signatures, use *wipefs*(8) with the --all option.
Note that it does not remove data; it only invalidates known format signatures.
For a full wipe, overwrite the whole partition before creating a container.
If you do not know how to do that, the cryptsetup FAQ describes several options.
== EXAMPLES
Example 1: Create LUKS 2 container on block device /dev/sdX.::
sudo cryptsetup --type luks2 luksFormat /dev/sdX
Example 2: Add an additional passphrase to key slot 5.::
Example 2: Add an additional passphrase to keyslot 5.::
sudo cryptsetup luksAddKey --key-slot 5 /dev/sdX
Example 3: Create LUKS header backup and save it to file.::
Example 3: Create LUKS header backup and save it to a file.::
sudo cryptsetup luksHeaderBackup /dev/sdX --header-backup-file
/var/tmp/NameOfBackupFile
Example 4: Open LUKS container on /dev/sdX and map it to sdX_crypt.::
sudo cryptsetup open /dev/sdX sdX_crypt
*WARNING: The command in example 5 will erase all key slots.*::
Your cannot use your LUKS container afterward anymore unless you have
a backup to restore.
Example 5: Erase all key slots on /dev/sdX.::
*WARNING: The command in example 5 will erase all keyslots.*::
You cannot use your LUKS container afterward anymore unless you have a backup to restore.
Example 5: Erase all keyslots on /dev/sdX.::
sudo cryptsetup erase /dev/sdX
Example 6: Restore LUKS header from backup file.::
sudo cryptsetup luksHeaderRestore /dev/sdX --header-backup-file
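Review bot: in the BENCHMARK entry the new line "Benchmarks, ciphers and KDF (key derivation function)." adds a comma that turns the verb into a list item. The command benchmarks ciphers and the KDF, so this should stay "Benchmarks ciphers and KDF (key derivation function)." Two content changes in this hunk also need a word in the commit message if they are intentional. The OPAL paragraph drops "this support is new and experimental" and keeps only the kernel v6.4 requirement. The "Previously used partitions" warning drops the caveat that MD RAID signatures at the end of a device may survive wipefs, while adding "with the --all option". Finally, "Keyboard settings can also be changed" shifts the meaning from settings changing on their own (the old "can also change") to a deliberate action. The old wording fits the warning better.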
@@ -542,213 +452,157 @@ Example 6: Restore LUKS header from backup file.::
Cryptsetup returns *0* on success and a non-zero value on error.
Error codes are: *1* wrong parameters, *2* no permission (bad passphrase),
*3* out of memory, *4* wrong device specified, *5* device already exists
or device is busy.
Error codes are: *1* wrong parameters, *2* no permission (bad passphrase), *3* out of memory, *4* wrong device specified, *5* device already exists or device is busy.
== NOTES
=== Passphrase processing for PLAIN mode
Note that no iterated hashing or salting is done in plain mode. If
hashing is done, it is a single direct hash. This means that low-entropy
passphrases are easy to attack in plain mode.
Note that no iterated hashing or salting is done in plain mode.
If hashing is done, it is a single direct hash.
This means that low-entropy passphrases are easy to attack in plain mode.
*From a terminal*: The passphrase is read until the first newline, i.e.
'\n'. The input without the newline character is processed with the
default hash or the hash specified with --hash. The hash result will be
truncated to the key size of the used cipher, or the size specified with
-s.
*From a terminal*: The passphrase is read until the first newline, i.e., '\n'.
The input without the newline character is processed with the default hash or the hash specified with --hash.
The hash result will be truncated to the key size of the used cipher, or the size specified with -s.
*From stdin*: Reading will continue until a newline (or until the
maximum input size is reached), with the trailing newline stripped. The
maximum input size is defined by the same compiled-in default as for the
maximum key file size and can be overwritten using --keyfile-size
option.
*From stdin*: Reading will continue until a newline (or until the maximum input size is reached), with the trailing newline stripped.
The maximum input size is defined by the same compiled-in default as the maximum key file size and can be overwritten using the --keyfile-size option.
The data read will be hashed with the default hash or the hash specified
with --hash. The hash result will be truncated to the key size of the
used cipher, or the size specified with -s.
The data read will be hashed with the default hash or the hash specified with --hash.
The hash result will be truncated to the key size of the used cipher, or the size specified with -s.
Note that if --key-file=- is used for reading the key from stdin,
trailing newlines are not stripped from the input.
Note that if --key-file=- is used for reading the key from stdin, trailing newlines are not stripped from the input.
If "plain" is used as argument to --hash, the input data will not be
hashed. Instead, it will be zero padded (if shorter than the key size)
or truncated (if longer than the key size) and used directly as the
binary key. This is useful for directly specifying a binary key. No
warning will be given if the amount of data read from stdin is less than
the key size.
If "plain" is used as an argument to --hash, the input data will not be hashed.
Instead, it will be zero-padded (if shorter than the key size) or truncated (if longer than the key size) and used directly as the binary key.
This is useful for directly specifying a binary key.
No warning will be given if the amount of data read from stdin is less than the key size.
*From a key file*: It will be truncated to the key size of the used
cipher or the size given by -s and directly used as a binary key.
*From a key file*: It will be truncated to the key size of the used cipher or the size given by -s and directly used as a binary key.
*WARNING*: The --hash argument is being ignored. The --hash option is
usable only for stdin input in plain mode.
The --hash argument is being ignored.
The --hash option is usable only for stdin input in plain mode.
If the key file is shorter than the key, cryptsetup will quit with an
error. The maximum input size is defined by the same compiled-in default
as for the maximum key file size and can be overwritten using
--keyfile-size option.
If the key file is shorter than the key, cryptsetup will quit with an error.
The maximum input size is defined by the same compiled-in default as the maximum key file size and can be overwritten using the --keyfile-size option.
=== Passphrase processing for LUKS
LUKS uses PBKDF to protect against dictionary attacks and to give some
protection to low-entropy passphrases (see cryptsetup FAQ).
*From a terminal*: The passphrase is read until the first newline and then processed by PBKDF2 without the newline character.
*From a terminal*: The passphrase is read until the first newline and
then processed by PBKDF2 without the newline character.
*From stdin*: LUKS will read passphrases from stdin up to the first newline character or the compiled-in maximum key file length.
If --keyfile-size is given, it is ignored.
*From stdin*: LUKS will read passphrases from stdin up to the first
newline character or the compiled-in maximum key file length. If
--keyfile-size is given, it is ignored.
*From key file*: The complete keyfile is read up to the compiled-in maximum size.
Newline characters do not terminate the input.
The --keyfile-size option can be used to limit what is read.
*From key file*: The complete keyfile is read up to the compiled-in
maximum size. Newline characters do not terminate the input. The
--keyfile-size option can be used to limit what is read.
LUKS uses *Password-Based Key Derivation Function* (PBKDF) to protect against brute-force attacks and to give some protection to low-entropy passphrases (see cryptsetup FAQ).
LUKS1 supports the PBKDF2 algorithm only, while LUKS2 also supports memory-hard Argon2.
PBKDFs are configured with costs: how long the iteration should run (CPU cost or iteration count), how much memory is used (memory cost), and how many parallel processes are used (parallel cost).
PBKDF2 supports only iteration count.
Cryptsetup uses PBKDF benchmarking to calculate optimal costs based on the computer where the new passphrase is being initialized.
If needed, these costs can also be overwritten.
Note that there are some hardcoded limits, for details see *MINIMAL AND MAXIMAL PBKDF COSTS* section in --pbkdf option description.
*Passphrase processing*: Whenever a passphrase is added to a LUKS header
(luksAddKey, luksFormat), the user may specify how much the time the
passphrase processing should consume. The time is used to determine the
iteration count for PBKDF2 and higher times will offer better protection
for low-entropy passphrases, but open will take longer to complete. For
passphrases that have entropy higher than the used key length, higher
iteration times will not increase security.
Whenever a passphrase is added to a LUKS header (luksAddKey, luksFormat), the user may specify how much time the passphrase processing should consume.
The time is used to determine the iteration count for PBKDF2, and higher times will offer better protection for low-entropy passphrases, but the open command will take longer to complete.
For passphrases that have entropy higher than the used key length, higher iteration times will not increase security.
The default setting of one or two seconds is sufficient for most
practical cases. The only exception is a low-entropy passphrase used on
a device with a slow CPU, as this will result in a low iteration count.
On a slow device, it may be advisable to increase the iteration time
using the --iter-time option in order to obtain a higher iteration
count. This does slow down all later luksOpen operations accordingly.
The default setting of one or two seconds is sufficient for most practical cases.
The only exception is a low-entropy passphrase used on a device with a slow CPU, as this will result in a low iteration count.
On a slow device, it may be advisable to increase the iteration time using the --iter-time option to obtain a higher iteration count.
This does slow down all later luksOpen operations accordingly.
=== Incoherent behavior for invalid passphrases/keys
LUKS checks for a valid passphrase when an encrypted partition is
unlocked. The behavior of plain dm-crypt is different. It will always
decrypt with the passphrase given. If the given passphrase is wrong, the
device mapped by plain dm-crypt will essentially still contain encrypted
data and will be unreadable.
LUKS checks for a valid passphrase when a keyslot is decrypted.
The behavior of plain dm-crypt is different.
It will always unlock the device with the passphrase given.
If the given passphrase is wrong, the device mapped by plain dm-crypt will use the wrong encryption key, and the data will be unreadable.
=== Supported ciphers, modes, hashes and key sizes
The available combinations of ciphers, modes, hashes and key sizes
depend on kernel support. See /proc/crypto for a list of available
options. You might need to load additional kernel crypto modules in
order to get more options.
The available combinations of ciphers, modes, hashes and key sizes depend on kernel support.
See /proc/crypto for a list of available options.
You might need to load additional kernel crypto modules to get more options.
For the --hash option, if the crypto backend is libgcrypt, then all
algorithms supported by the gcrypt library are available. For other
crypto backends, some algorithms may be missing.
Cryptsetup processes many operations outside of the kernel, so the configured cryptographic library must also support selected algorithms.
Some algorithms may be missing as cryptsetup can be compiled with various cryptographic backends (libraries).
=== Notes on passphrases
Mathematics can't be bribed. Make sure you keep your passphrases safe.
There are a few nice tricks for constructing a fallback, when suddenly
out of the blue, your brain refuses to cooperate. These fallbacks need
LUKS, as it's only possible with LUKS to have multiple passphrases.
Still, if your attacker model does not prevent it, storing your
passphrase in a sealed envelope somewhere may be a good idea as well.
Mathematics can't be bribed.
Make sure you keep your passphrases safe.
There are a few nice tricks for constructing a fallback when suddenly, out of the blue, your brain refuses to cooperate.
These fallbacks need LUKS, as it's only possible with LUKS to have multiple passphrases.
Still, if your attacker model does not prevent it, storing your passphrase in a sealed envelope somewhere may be a good idea as well.
=== Notes on Random Number Generators
Random Number Generators (RNG) used in cryptsetup are always the kernel
RNGs without any modifications or additions to data stream produced.
Random Number Generators (RNGs) used in cryptsetup are always the kernel RNGs without any modifications or additions to the data stream produced.
There are two types of randomness cryptsetup/LUKS needs. One type (which
always uses /dev/urandom) is used for salts, the AF splitter and for
wiping deleted keyslots.
There are two types of randomness that cryptsetup/LUKS needs.
One type is used for salts, the AF splitter and for wiping deleted keyslots.
The second type is used for the volume key.
The second type is used for the volume key. You can switch between using
/dev/random and /dev/urandom here, see *--use-random* and
*--use-urandom* options. Using /dev/random on a system without enough
entropy sources can cause *luksFormat* to block until the requested
amount of random data is gathered. In a low-entropy situation (embedded
system), this can take a very long time and potentially forever. At the
same time, using /dev/urandom in a low-entropy situation will produce
low-quality keys. This is a serious problem, but solving it is out of
scope for a mere man-page. See *urandom(4)* for more information.
With recent kernels (Linux kernel 5.6), you do not need to worry about selecting RNG (/dev/random or /dev/urandom).
In a low-entropy situation (embedded system), initialization of the kernel RNG can take a very long time, but this happens before cryptsetup can even be started.
Use _cryptsetup --help_ to show the compiled-in default random number generator.
See *urandom*(4) for more information.
=== Authenticated disk encryption (EXPERIMENTAL)
Since Linux kernel version 4.12 dm-crypt supports authenticated disk
encryption.
Normal disk encryption modes are length-preserving (the plaintext sector is the same size as a ciphertext sector) and can provide only confidentiality protection, not cryptographically sound data integrity protection.
Normal disk encryption modes are length-preserving (plaintext sector is
of the same size as a ciphertext sector) and can provide only
confidentiality protection, but not cryptographically sound data
integrity protection.
Authenticated modes require additional space per-sector for the authentication tag and use Authenticated Encryption with Additional Data (AEAD) algorithms.
Authenticated modes require additional space per-sector for
authentication tag and use Authenticated Encryption with Additional Data
(AEAD) algorithms.
If you configure LUKS2 device with data integrity protection, there will
be an underlying dm-integrity device, which provides additional
per-sector metadata space and also provide data journal protection to
ensure atomicity of data and metadata update. Because there must be
additional space for metadata and journal, the available space for the
device will be smaller than for length-preserving modes.
If you configure a LUKS2 device with data integrity protection, there will be an underlying dm-integrity device, which provides additional per-sector metadata space and data journal protection to ensure atomicity of data and metadata updates.
Because there must be additional space for metadata and journal, the available space for the device will be smaller than for length-preserving modes.
The dm-crypt device then resides on top of such a dm-integrity device.
All activation and deactivation of this device stack is performed by
cryptsetup, there is no difference in using *luksOpen* for integrity
protected devices. If you want to format LUKS2 device with data
integrity protection, use *--integrity* option (see *cryptsetup-luksFormat(8)*).
All activation and deactivation of this device stack is performed by cryptsetup; there is no difference in using *luksOpen* for integrity-protected devices.
If you want to format a LUKS2 device with data integrity protection, use --integrity option (see *cryptsetup-luksFormat*(8)).
Albeit Linux kernel 5.7 added TRIM support for standalone dm-integrity devices,
*cryptsetup(8)* can't offer support for discards (TRIM) in authenticated
encryption mode, because the underlying dm-crypt kernel module does not support
this functionality when dm-integrity is used as auth tag space allocator
(see *--allow-discards* in *cryptsetup-open(8)*).
Albeit Linux kernel 5.7 added TRIM support for standalone dm-integrity devices, *cryptsetup*(8) can't offer support for discards (TRIM) in authenticated encryption mode, because the underlying dm-crypt kernel module does not support this functionality when dm-integrity is used as auth tag space allocator (see --allow-discards in *cryptsetup-open*(8)).
Some integrity modes requires two independent keys (key for encryption
and for authentication). Both these keys are stored in one LUKS keyslot.
Some integrity modes require two independent keys (a key for encryption and authentication).
Both these keys are stored in one LUKS keyslot.
*WARNING:* All support for authenticated modes is experimental and there
are only some modes available for now. Note that there are a very few
authenticated encryption algorithms that are suitable for disk
encryption. You also cannot use CRC32 or any other non-cryptographic
checksums (other than the special integrity mode "none"). If for some
reason you want to have integrity control without using authentication
mode, then you should separately configure dm-integrity independently of
LUKS2.
Support for authenticated modes is experimental, and only some modes are available now.
Note that very few authenticated encryption algorithms are suitable for disk encryption.
You also cannot use CRC32 or other non-cryptographic checksums (other than the special integrity mode "none").
If, for some reason, you want to have integrity control without using authentication mode, then you should separately configure dm-integrity independently of LUKS2.
=== Notes on loopback device use
Cryptsetup is usually used directly on a block device (disk partition or
LVM volume). However, if the device argument is a file, cryptsetup tries
to allocate a loopback device and map it into this file. This mode
requires Linux kernel 2.6.25 or more recent which supports the loop
autoclear flag (loop device is cleared on the last close automatically).
Of course, you can always map a file to a loop-device manually. See the
cryptsetup FAQ for an example.
Cryptsetup is usually used directly on a block device (disk partition or LVM volume).
However, if the device argument is a file, cryptsetup tries to allocate a loopback device and map it into this file.
Of course, you can always map a file to a loop device manually.
See the cryptsetup FAQ for an example.
When device mapping is active, you can see the loop backing file in the
status command output. Also see losetup(8).
When device mapping is active, you can see the loop backing file in the status command output.
Also see losetup(8).
=== LUKS2 header locking
The LUKS2 on-disk metadata is updated in several steps and to achieve
proper atomic update, there is a locking mechanism. For an image in
file, code uses *flock(2)* system call. For a block device, lock is
performed over a special file stored in a locking directory (by default
*/run/cryptsetup*). The locking directory should be created with the
proper security context by the distribution during the boot-up phase.
Only LUKS2 uses locks, other formats do not use this mechanism.
The LUKS2 on-disk metadata is updated in several steps, and to achieve a proper atomic update, there is a locking mechanism.
For an image in a file, the code uses the *flock*(2) system call.
For a block device, lock is performed over a special file stored in a locking directory (by default */run/cryptsetup*).
The locking directory should be created with the proper security context by the distribution during the boot-up phase.
Only LUKS2 uses locks; other formats do not use this mechanism.
=== LUKS on-disk format specification
For LUKS on-disk metadata specification see
https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification[*LUKS1*] and
https://gitlab.com/cryptsetup/LUKS2-docs[*LUKS2*].
For LUKS on-disk metadata specification, see https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification[LUKS1] and https://gitlab.com/cryptsetup/LUKS2-docs[LUKS2].
== AUTHORS
Cryptsetup is originally written by mailto:jana@saout.de[Jana Saout]. +
The LUKS extensions and original man page were written by
mailto:clemens@endorphin.org[Clemens Fruhwirth]. +
Man page extensions by mailto:gmazyland@gmail.com[Milan Broz]. +
Cryptsetup was originally written by mailto:jana@saout.de[Jana Saout].
The LUKS extensions and original man page were written by mailto:clemens@endorphin.org[Clemens Fruhwirth].
Man page extensions by mailto:gmazyland@gmail.com[Milan Broz].
Man page rewrite and extension by mailto:arno@wagner.name[Arno Wagner].
include::man/common_footer.adoc[]
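Review bot: In the "Passphrase processing for LUKS" section, the reflowed "*From a terminal*" item still says the passphrase is "processed by PBKDF2", and a later sentence still ties the time to "the iteration count for PBKDF2", while the paragraph added in this same hunk states that LUKS2 also supports memory-hard Argon2. Suggest wording both generically ("processed by the PBKDF") so the section does not contradict itself. In the authenticated encryption section, "(a key for encryption and authentication)" now reads as one key serving both purposes, which conflicts with "two independent keys" in the same sentence; keep the original sense, e.g. "(one key for encryption and one for authentication)". The "*WARNING*:" label was also dropped from "The --hash argument is being ignored" for key files; a user who passes --hash with a key file gets a key they did not expect, so that sentence should stay visually marked.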

@@ -6,7 +6,7 @@
== NAME
integritysetup - manage dm-integrity (block level integrity) volumes
integritysetup - utility for configuring and managing dm-integrity devices
== SYNOPSIS
@@ -14,14 +14,15 @@ integritysetup - manage dm-integrity (block level integrity) volumes
== DESCRIPTION
Integritysetup is used to configure dm-integrity managed device-mapper
mappings.
*Integritysetup* is a utility for configuring and managing kernel dm-integrity devices.
Device-mapper integrity target provides read-write transparent integrity
checking of block devices. The dm-integrity target emulates an additional
data integrity field per-sector. You can use this additional field
directly with integritysetup utility, or indirectly (for authenticated
encryption) through cryptsetup.
Kernel device-mapper *dm-integrity* target emulates an additional data integrity tag per disk sector and provides transparent data integrity protection of block devices.
You can configure these additional integrity tags directly with *integritysetup*, or indirectly (for authenticated encryption) through *LUKS2* and *cryptsetup*(8).
Unlike *dm-verity*, *dm-integrity* devices support both read and write operations.
The kernel performs data integrity checking transparently using a selected checksum or cryptographic hash algorithm.
Integrity devices can be activated during boot through *integritytab*(5), which is part of *systemd*(1).
== BASIC ACTIONS
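Review bot: The new DESCRIPTION sentence "provides transparent data integrity protection of block devices" overstates what the non-keyed algorithms give: a plain checksum or hash stored beside the data detects accidental corruption, but anyone who can write to the device can recompute it. Suggest stating here that protection against intentional modification needs a keyed mode (the --integrity entry names hmac-sha256 with an integrity key) or authenticated encryption through LUKS2, so readers do not take the checksum modes for tamper protection.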
@@ -30,38 +31,28 @@ Integritysetup supports these operations:
=== FORMAT
*format <device>*
Formats <device> (calculates space and dm-integrity superblock and wipes
the device).
Formats <device> (calculates space and dm-integrity superblock and wipes the device).
*<options>* can be [--data-device, --batch-mode, --no-wipe,
--journal-size, --interleave-sectors, --tag-size, --integrity,
--integrity-key-size, --integrity-key-file, --sector-size,
--progress-frequency, --progress-json].
*<options>* can be [--data-device, --batch-mode, --no-wipe, --journal-size, --interleave-sectors, --tag-size, --integrity, --integrity-key-size, --integrity-key-file, --sector-size, --progress-frequency, --progress-json].
=== OPEN
*open <device> <name>* +
create <name> <device> (*OBSOLETE syntax*)
create <name> <device> (OBSOLETE syntax)
Open a mapping with <name> backed by device <device>.
If the integrity algorithm of the device is non-default,
then the algorithm should be specified with the *--integrity* option.
If the integrity algorithm of the device is non-default, then the algorithm should be specified with the --integrity option.
This will not be detected from the device.
*<options>* can be [--data-device, --batch-mode, --journal-watermark,
--journal-commit-time, --buffer-sectors, --integrity,
--integrity-key-size, --integrity-key-file, --integrity-no-journal,
--integrity-recalculate,
--integrity-recalculate-reset,--integrity-recovery-mode,
--allow-discards].
*<options>* can be [--data-device, --batch-mode, --journal-watermark, --journal-commit-time, --buffer-sectors, --integrity, --integrity-key-size, --integrity-key-file, --integrity-no-journal, --integrity-recalculate, --integrity-recalculate-reset,--integrity-recovery-mode, --allow-discards].
=== CLOSE
*close <name>* +
remove <name> (*OBSOLETE syntax*)
remove <name> (OBSOLETE syntax)
Removes existing mapping <name>.
*<options>* can be [--deferred] or [--cancel-deferred]
*<options>* can be [--deferred] or [--cancel-deferred].
=== STATUS
*status <name>*
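Review bot: The rewritten OPEN option list keeps the missing space from the old wrapped text: "--integrity-recalculate-reset,--integrity-recovery-mode". Since the line is being rewritten anyway, add the space after the comma. The same hunk removes the bold from "OBSOLETE syntax" in both OPEN and CLOSE; if that is intentional, fine, but the obsolete forms are now easier to mistake for current syntax.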
@@ -71,178 +62,163 @@ Reports status for the active integrity mapping <name>.
=== DUMP
*dump <device>*
Reports parameters from on-disk stored superblock.
Report parameters from the on-disk stored superblock.
=== RESIZE
*resize <name>*
Resizes an active mapping <name>.
If --size (in 512-bytes sectors) or --device-size are not specified, the
size is computed from the underlying device. After resize, the
*recalculating* flag is set. If --wipe flag is set and the size of the
device is increased, the newly added section will be wiped.
If --size (in 512-byte sectors) or --device-size is not specified, the size is computed from the underlying device.
After resize, the *recalculating* flag is set.
If --wipe flag is set and the size of the device is increased, the newly added section will be wiped.
Increasing the size of integrity volumes is available since the Linux
kernel version 5.7, shrinking should work on older kernels too.
Increasing the size of integrity volumes has been possible since the Linux kernel version 5.7; shrinking should work on older kernels, too.
*<options>* can be [--size, --device-size, --wipe].
== OPTIONS
*--allow-discards*::
Allow the use of discard (TRIM) requests for the device. This option
is available since the Linux kernel version 5.7.
Allow the use of discard (TRIM) requests for the device.
This option is available since the Linux kernel version 5.7.
*--batch-mode, -q*::
*--batch-mode*, *-q*::
Do not ask for confirmation.
*--bitmap-flush-time MS*::
*--bitmap-flush-time* _ms_::
Bitmap flush time in milliseconds.
+
*WARNING:*
In case of a crash, it is possible that the data and integrity tag
doesn't match if the journal is disabled.
In case of a crash, it is possible that the data and integrity tag don't match if the journal is disabled.
*--bitmap-sectors-per-bit SECTORS*::
Number of 512-byte sectors per bitmap bit, the value must be power of
two.
*--bitmap-sectors-per-bit* _sectors_::
The number of 512-byte sectors per bitmap bit must be a power of two.
*--buffer-sectors SECTORS*::
*--buffer-sectors* _sectors_::
The number of sectors in one buffer.
+
The tag area is accessed using buffers, the large buffer size means that
the I/O size will be larger, but there could be less I/Os issued.
The tag area is accessed using buffers; the large buffer size means the I/O size will be larger, but there could be less I/Os issued.
*--cancel-deferred*::
Removes a previously configured deferred device removal in *close*
command.
Removes a previously configured deferred device removal in the *close* command.
*--data-device <data_device>*::
Specify a separate data device that contains existing data. The
<device> then will contain calculated integrity tags and journal for
data on <data_device>.
*--data-device* _<data_device>_::
Specify a separate data device that contains existing data.
The <device> will then contain calculated integrity tags and a journal for data on <data_device>.
+
*NOTE:* To not wipe the data device after initial format, also specify
--no-wipe option and activate with --integrity-recalculate to
automatically recalculate integrity tags.
To not wipe the data device after initial format, also specify --no-wipe option and activate with --integrity-recalculate to recalculate integrity tags automatically.
*--debug*::
Run in debug mode with full diagnostic logs. Debug output lines are
always prefixed by *#*.
Run in debug mode with full diagnostic logs.
Debug output lines are always prefixed by *#*.
*--deferred*::
Defers device removal in *close* command until the last user closes
it.
Defers device removal in the *close* command until the last user closes it.
*--help, -?*::
*--help*, *-?*::
Show help text and default parameters.
*--integrity, -I ALGORITHM*::
Use internal integrity calculation (standalone mode). The integrity
algorithm can be CRC (crc32c/crc32), non-cryptographic hash function
(xxhash64) or hash function (sha1, sha256).
*--integrity*, *-I* _algorithm_::
Use internal integrity calculation (standalone mode).
The integrity algorithm can be CRC (crc32c/crc32), a non-cryptographic hash function (xxhash64) or a hash function (sha1, sha256).
+
For HMAC (hmac-sha256) you have also to specify an integrity key and its
size.
For HMAC (hmac-sha256), you must specify an integrity key and its size.
*--integrity-bitmap-mode. -B*::
Use alternate bitmap mode (available since Linux kernel 5.2) where
dm-integrity uses bitmap instead of a journal. If a bit in the bitmap
is 1, the corresponding region's data and integrity tags are not
synchronized - if the machine crashes, the unsynchronized regions will
be recalculated. The bitmap mode is faster than the journal mode,
because we don't have to write the data twice, but it is also less
reliable, because if data corruption happens when the machine crashes,
it may not be detected.
*--integrity-bitmap-mode*, *-B*::
Use alternate bitmap mode (available since Linux kernel 5.2), where dm-integrity uses a bitmap instead of a journal.
If a bit in the bitmap is 1, the corresponding region's data and integrity tags are not synchronized - if the machine crashes, the unsynchronized regions will be recalculated.
The bitmap mode is faster than the journal mode because we don't have to write the data twice.
However, it is also less reliable because if data corruption happens when the machine crashes, it may not be detected.
*--integrity-inline*::
Store integrity tags to hardware sector integrity fields.
The device must support sectors with additional protection information
(PI, also known as DIF - data integrity field) of the requested size.
Another storage subsystem must not use the additional field
(the device must present a "nop" profile in the kernel).
Note that some devices must be reformatted at a low level to support
this option; for NVMe devices, see nvme(1) id-ns LBA profiles.
Store integrity tags in hardware sector integrity fields.
The device must support sectors with additional protection information (PI, also known as DIF - data integrity field) of the requested size.
Another storage subsystem must not use the additional field (the device must present a "nop" profile in the kernel).
Note that some devices must be reformatted at a low level to support this option; for NVMe devices, see nvme(1) id-ns LBA profiles.
+
No journal or bitmap is used in this mode.
The device should operate with native speed (without any overhead).
+
No journal or bitmap is used in this mode. The device should operate
with native speed (without any overhead).
This option is available since the Linux kernel version 6.11.
*--integrity-key-file FILE*::
*--integrity-key-file* _file_::
The file with the integrity key.
*--integrity-key-size BYTES*::
The size of the data integrity key. Maximum is 4096 bytes.
*--integrity-key-size* _bytes_::
The size of the data integrity key.
Maximum is 4096 bytes.
*--integrity-no-journal, -D*::
Disable journal for integrity device.
*--integrity-no-journal*, *-D*::
Disable the journal for the integrity device.
*--integrity-recalculate*::
Automatically recalculate integrity tags in kernel on activation. The
device can be used during automatic integrity recalculation but
becomes fully integrity protected only after the background operation
is finished. This option is available since the Linux kernel version
4.19.
Automatically recalculate integrity tags in the kernel on activation.
The device can be used during automatic integrity recalculation, but becomes fully integrity protected only after the background operation is finished.
+
The primary intended use case is to skip initialization (wiping) of the data device after the initial format (see --no-wipe option).
This parameter can be used for activation, then the kernel will recalculate integrity tags in the background.
The integrity superblock contains a device offset that indicates the boundary to which the integrity tags are already updated.
You can check this offset with the dump command.
*--integrity-recalculate-reset*::
Restart recalculation from the beginning of the device. It can be used
to change the integrity checksum function. Note it does not change the
tag length. This option is available since the Linux kernel version
5.13.
Restart recalculation from the beginning of the device.
It can be used to change the integrity checksum function.
Note, it does not change the tag length.
This option is available since the Linux kernel version 5.13.
*--integrity-recovery-mode. -R*::
*--integrity-recovery-mode*, *-R*::
Recovery mode (no journal, no tag checking).
*--interleave-sectors SECTORS*::
*--interleave-sectors* _sectors_::
The number of interleaved sectors.
*--journal-commit-time MS*::
Commit time in milliseconds. When this time passes (and no explicit
flush operation was issued), the journal is written.
*--journal-commit-time* _ms_::
Commit time in milliseconds.
The journal is written when this time passes (and no explicit flush operation was issued).
*--journal-crypt ALGORITHM*::
Encryption algorithm for journal data area. You can use a block cipher
here such as cbc-aes or a stream cipher, for example, chacha20 or
ctr-aes.
*--journal-crypt* _algorithm_::
Encryption algorithm for the journal data area.
You can use a block cipher here, such as cbc-aes or a stream cipher, for example, chacha20 or ctr-aes.
+
*NOTE:* The journal encryption options are only intended for testing.
The journal encryption options are only intended for testing.
Using journal encryption does not make sense without encryption of the data.
*--journal-crypt-key-file FILE*::
*--journal-crypt-key-file* _file_::
The file with the journal encryption key.
*--journal-crypt-key-size BYTES*::
The size of the journal encryption key. Maximum is 4096 bytes.
*--journal-crypt-key-size* _bytes_::
The size of the journal encryption key.
Maximum is 4096 bytes.
*--journal-integrity ALGORITHM*::
Integrity algorithm for journal area. See --integrity option for
detailed specification.
*--journal-integrity* _algorithm_::
Integrity algorithm for the journal area.
See --integrity option for detailed specification.
*--journal-integrity-key-file FILE*::
*--journal-integrity-key-file* _file_::
The file with the integrity key.
*--journal-integrity-key-size BYTES*::
The size of the journal integrity key. Maximum is 4096 bytes.
*--journal-integrity-key-size* _bytes_::
The size of the journal integrity key.
Maximum is 4096 bytes.
*--journal-size, -j BYTES*::
*--journal-size*, *-j* _bytes_::
Size of the journal.
*--journal-watermark PERCENT*::
Journal watermark in percents. When the size of the journal exceeds
this watermark, the journal flush will be started.
*--journal-watermark* _percent_::
Journal watermark in percent.
When the journal size exceeds this watermark, the journal flush will be started.
*--no-wipe*::
Do not wipe the device after format. A device that is not initially
wiped will contain invalid checksums.
Do not wipe the device after formatting.
A device that is not initially wiped will contain invalid checksums.
*--progress-frequency <seconds>*::
Print separate line every <seconds> with wipe progress.
*--progress-frequency* _seconds_::
Print a separate line every <seconds> with wipe progress.
*--progress-json*::
Prints wipe progress data in json format suitable mostly for machine
processing. It prints separate line every half second (or based on
--progress-frequency value). The JSON output looks as follows during
wipe progress (except it's compact single line):
Prints wipe progress data in JSON format, which is suitable mostly for machine processing.
It prints a separate line every half second (or based on --progress-frequency value).
The JSON output looks as follows during wipe progress (except it's a compact single line):
+
....
{
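Review bot: The rewritten --integrity-recalculate entry drops "This option is available since the Linux kernel version 4.19." while the neighbouring entries (--allow-discards, --integrity-bitmap-mode, --integrity-inline, --integrity-recalculate-reset) keep their kernel version notes. If the removal is not intentional, restore the sentence. In the --integrity entry, "a non-cryptographic hash function (xxhash64) or a hash function (sha1, sha256)" would be clearer as "a cryptographic hash function (sha1, sha256)", and "less I/Os" under --buffer-sectors should be "fewer I/Os".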
@@ -255,39 +231,32 @@ wipe progress (except it's compact single line):
}
....
+
Note on numbers in JSON output: Due to JSON parsers limitations all
numbers are represented in a string format due to need of full 64bit
unsigned integers.
Note on numbers in JSON output: Due to JSON parsers' limitations, all numbers are represented in a string format due to the need for full 64-bit unsigned integers.
*--sector-size, -s BYTES*::
*--sector-size*, *-s* _bytes_::
Sector size (power of two: 512, 1024, 2048, 4096).
*--tag-size, -t BYTES*::
Size of the integrity tag per-sector (here the integrity function will
store authentication tag).
*--tag-size*, *-t* _bytes_::
Size of the integrity tag per-sector (here, the integrity function will store the authentication tag).
+
*NOTE:* The size can be smaller that output size of the hash function,
in that case only part of the hash will be stored.
The size can be smaller than the output size of the hash function; in that case, only part of the hash will be stored.
*--usage*::
Show short option help.
*--verbose, -v*::
*--verbose*, *-v*::
Print more information on command execution.
*--version, -V*::
*--version*, *-V*::
Show the program version.
*--wipe*::
Wipe the newly allocated area after resize to bigger size. If this
flag is not set, checksums will be calculated for the data previously
stored in the newly allocated area.
Wipe the newly allocated area after resizing to a bigger size.
If this flag is not set, checksums will be calculated for previously stored data in the newly allocated area.
== LEGACY COMPATIBILITY OPTIONS
*WARNING:*::
Do not use these options until you need compatibility with specific
old kernel.
Do not use these options until you need compatibility with a specific old kernel.
*--integrity-legacy-padding*::
Use inefficient legacy padding.
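Review bot: In the LEGACY COMPATIBILITY OPTIONS warning, the reworded line still reads "Do not use these options until you need compatibility", which describes a point in time rather than a condition; "unless you need compatibility with a specific old kernel" is what is meant. In the --tag-size entry the *NOTE:* label was dropped from the sentence about storing only part of the hash. A tag shorter than the hash output means a truncated authentication tag, so consider keeping the label so the caveat stays visible.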
@@ -296,22 +265,17 @@ Use inefficient legacy padding.
Use old flawed HMAC calculation (also does not protect superblock).
*--integrity-legacy-recalculate*::
Allow insecure recalculating of volumes with HMAC keys (recalculation
offset in superblock is not protected).
Allow insecure recalculating of volumes with HMAC keys (recalculation offset in superblock is not protected).
== RETURN CODES
Integritysetup returns *0* on success and a non-zero value on error.
Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory,
*4* wrong device specified, *5* device already exists or device is busy.
Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory, *4* wrong device specified, *5* device already exists or device is busy.
== NOTES
The dm-integrity target is available since Linux kernel version 4.12.
Format and activation of an integrity device always require superuser
privilege because the superblock is calculated and handled in
dm-integrity kernel target.
Format and activation of an integrity device always require superuser privilege because the superblock is calculated and handled in the dm-integrity kernel target.
== EXAMPLES
@@ -325,13 +289,11 @@ Open the device with default parameters:
Format the device in standalone mode for use with HMAC(SHA256):
*integritysetup format <device> --tag-size 32 --integrity hmac-sha256
--integrity-key-file <keyfile> --integrity-key-size <key_bytes>*
*integritysetup format <device> --tag-size 32 --integrity hmac-sha256 --integrity-key-file <keyfile> --integrity-key-size <key_bytes>*
Open (activate) the device with HMAC(SHA256) and HMAC key in file:
*integritysetup open <device> test --integrity hmac-sha256
--integrity-key-file <keyfile> --integrity-key-size <key_bytes>*
*integritysetup open <device> test --integrity hmac-sha256 --integrity-key-file <keyfile> --integrity-key-size <key_bytes>*
Dump dm-integrity superblock information:
@@ -339,8 +301,7 @@ Dump dm-integrity superblock information:
== DM-INTEGRITY ON-DISK FORMAT
The on-disk format specification available at
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity[*DMIntegrity*] page.
The on-disk format specification is available on the https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity[DMIntegrity] page.
== AUTHORS

View File

@@ -23,6 +23,7 @@ cryptsetup_manpages = [
'cryptsetup-loopaesOpen.8',
'cryptsetup-tcryptOpen.8',
'cryptsetup-bitlkOpen.8',
'cryptsetup-fvault2Open.8',
],
],
[

View File

@@ -6,7 +6,7 @@
== NAME
veritysetup - manage dm-verity (block level verification) volumes
veritysetup - utility for configuring and managing dm-verity devices
== SYNOPSIS
@@ -14,13 +14,15 @@ veritysetup - manage dm-verity (block level verification) volumes
== DESCRIPTION
Veritysetup is used to configure dm-verity managed device-mapper
mappings.
*Veritysetup* is a utility for configuring and managing kernel *dm-verity* devices.
Device-mapper verity target provides read-only transparent integrity
checking of block devices using kernel crypto API.
Kernel device-mapper *dm-verity* target provides read-only transparent data integrity protection of block devices.
The dm-verity devices are always read-only.
When you configure the *dm-verity* device, veritysetup creates a new mapping that applications can access like any regular storage device.
The kernel performs the verification transparently by comparing each block against pre-computed cryptographic hashes.
The verification uses a Merkle tree and happens transparently at the kernel level without affecting applications.
Verity devices can be activated during boot through *veritytab*(5), which is part of *systemd*(1).
== BASIC ACTIONS
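Review bot: The new DESCRIPTION says the verification happens "transparently" in three consecutive sentences, and the last two ("The kernel performs the verification transparently by comparing each block..." and "The verification uses a Merkle tree and happens transparently at the kernel level...") largely repeat each other. Merge them into one sentence that mentions the pre-computed hashes and the Merkle tree once. The old text's "using kernel crypto API" is dropped without a replacement; say in the commit message whether that is intended.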
@@ -29,69 +31,55 @@ Veritysetup supports these operations:
=== FORMAT
*format <data_device> <hash_device>*
Calculates and permanently stores hash verification data for
data_device. Hash area can be located on the same device after data if
specified by --hash-offset option.
Calculates and permanently stores hash verification data for the data_device.
Hash area can be located on the same device after data, if specified by --hash-offset option.
Note you need to provide root hash string for device verification or
activation. Root hash must be trusted.
You need to provide the root hash string for device verification or activation.
Root hash must be trusted.
The data or hash device argument can be block device or file image. If
hash device path doesn't exist, it will be created as file.
The data or hash device argument can be a block device or a file image.
If the hash device path doesn't exist, it will be created as a file.
*<options>* can be [--hash, --no-superblock, --format,
--data-block-size, --hash-block-size, --data-blocks, --hash-offset,
--salt, --uuid, --root-hash-file].
*<options>* can be [--hash, --no-superblock, --format, --data-block-size, --hash-block-size, --data-blocks, --hash-offset, --salt, --uuid, --root-hash-file].
If option --root-hash-file is used, the root hash is stored in
hex-encoded text format in <path>.
If option --root-hash-file is used, the root hash is stored in hex-encoded text format in <path>.
=== OPEN
*open <data_device> <name> <hash_device> <root_hash>* +
*open <data_device> <name> <hash_device> --root-hash-file <path>* +
create <name> <data_device> <hash_device> <root_hash> (*OBSOLETE syntax*)
create <name> <data_device> <hash_device> <root_hash> (OBSOLETE syntax)
Creates a mapping with <name> backed by device <data_device> and using
<hash_device> for in-kernel verification.
Creates a mapping with <name> backed by device <data_device> and using <hash_device> for in-kernel verification.
The <root_hash> is a hexadecimal string.
*<options>* can be [--hash-offset, --no-superblock, --ignore-corruption
or --restart-on-corruption, --panic-on-corruption, --ignore-zero-blocks,
--check-at-most-once, --root-hash-signature, --root-hash-file, --use-tasklets,
--shared].
*<options>* can be [--hash-offset, --no-superblock, --ignore-corruption or --restart-on-corruption, --panic-on-corruption, --ignore-zero-blocks, --check-at-most-once, --root-hash-signature, --root-hash-file, --use-tasklets, --shared].
If option --root-hash-file is used, the root hash is read from <path>
instead of from the command line parameter. Expects hex-encoded text,
without terminating newline.
If option --root-hash-file is used, the root hash is read from <path> instead of the command line parameter.
Expects hex-encoded text, without a terminating newline.
If option --no-superblock is used, you have to use as the same options
as in initial format operation.
If --no-superblock is used, you must use the same options as in the initial format operation.
=== VERIFY
*verify <data_device> <hash_device> <root_hash>* +
*verify <data_device> <hash_device> --root-hash-file <path>*
Verifies data on data_device with use of hash blocks stored on
hash_device.
Verifies data on data_device using hash blocks stored on hash_device.
This command performs userspace verification, no kernel device is
created.
This command performs userspace verification; no kernel device is created.
The <root_hash> is a hexadecimal string.
If option --root-hash-file is used, the root hash is read from <path>
instead of from the command line parameter. Expects hex-encoded text,
without terminating newline.
If option --root-hash-file is used, the root hash is read from <path> instead of the command line parameter.
Expects hex-encoded text, without a terminating newline.
*<options>* can be [--hash-offset, --no-superblock, --root-hash-file].
If option --no-superblock is used, you have to use as the same options
as in initial format operation.
If --no-superblock is used, you must use the same options as in the initial format operation.
=== CLOSE
*close <name>* +
remove <name> (*OBSOLETE syntax*)
remove <name> (OBSOLETE syntax)
Removes existing mapping <name>.
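Review bot: "Root hash must be trusted." in FORMAT is kept as a bare sentence although the whole verification depends on it; say how the reader is expected to establish that trust, for example by pointing at --root-hash-signature, which the OPEN option list in this hunk already names. The wording is also mixed now between "If option --root-hash-file is used" and "If --no-superblock is used" in OPEN and VERIFY; pick one form.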
@@ -105,216 +93,187 @@ Reports status for the active verity mapping <name>.
=== DUMP
*dump <hash_device>*
Reports parameters of verity device from on-disk stored superblock.
Report parameters of the verity device from the on-disk stored superblock.
*<options>* can be [--hash-offset].
== OPTIONS
*--batch-mode, -q*::
*--batch-mode*, *-q*::
Do not ask for confirmation.
*--cancel-deferred*::
Removes a previously configured deferred device removal in *close*
command.
Cancels a previously configured deferred device removal in the *close* command.
*--check-at-most-once*::
Instruct kernel to verify blocks only the first time they are read
from the data device, rather than every time.
Instruct the kernel to verify blocks only once they are read from the data device, rather than every time.
+
*WARNING:* It provides a reduced level of security because only offline
tampering of the data device's content will be detected, not online
tampering. This option is available since Linux kernel version 4.17.
*WARNING:* It provides a reduced level of security because only offline tampering of the data device's content will be detected, not online tampering.
*--data-blocks=blocks*::
Size of data device used in verification. If not specified, the whole
device is used.
*--data-blocks* _blocks_::
Size of the data device used in verification.
If not specified, the whole device is used.
*--data-block-size=bytes*::
Used block size for the data device. (Note kernel supports only
page-size as maximum here.)
*--data-block-size* _bytes_::
Used block size for the data device.
Maximum is the page size used by the kernel.
*--debug*::
Run in debug mode with full diagnostic logs. Debug output lines are
always prefixed by *#*.
Run in debug mode with full diagnostic logs.
Debug output lines are always prefixed by *#*.
*--deferred*::
Defers device removal in *close* command until the last user closes
it.
Defers device removal in the *close* command until the last user closes it.
*--error-as-corruption*::
Handle device I/O errors the same as data corruption. This option must
be combined with --restart-on-corruption or --panic-on-corruption.
Handle device I/O errors the same as data corruption.
This option must be combined with --restart-on-corruption or --panic-on-corruption.
*--fec-device=fec_device*::
Use forward error correction (FEC) to recover from corruption if hash
verification fails. Use encoding data from the specified device.
*--fec-device* _device_::
Use forward error correction (FEC) to recover from corruption if hash verification fails.
Use encoding data from the specified device.
+
The fec device argument can be block device or file image. For format,
if fec device path doesn't exist, it will be created as file.
The FEC device argument can be a block device or a file image.
For format, if the FEC device path doesn't exist, it will be created as a file.
+
Block sizes for data and hash devices must match. Also, if the verity
data_device is encrypted the fec_device should be too.
Block sizes for data and hash devices must match.
Also, if the verity data_device is encrypted, the fec_device should be too.
+
FEC calculation covers data, hash area, and optional foreign metadata
stored on the same device with the hash tree (additional space after
hash area). Size of this optional additional area protected by FEC is
calculated from image sizes, so you must be sure that you use the same
images for activation.
FEC calculation covers data, hash area, and optional foreign metadata stored on the same device as the hash tree (additional space after the hash area).
The size of this optional additional area protected by FEC is calculated from image sizes, so you must use the same images for activation.
+
If the hash device is in a separate image, metadata covers the whole
rest of the image after the hash area.
If the hash device is in a separate image, metadata covers the entire image after the hash area.
+
If hash and FEC device is in the image, metadata ends on the FEC area
offset.
The metadata ends on the FEC area offset if the hash and FEC device are in the image.
*--fec-offset=bytes*::
This is the offset, in bytes, from the start of the FEC device to the
beginning of the encoding data.
*--fec-offset* _bytes_::
This is the offset, in bytes, from the start of the FEC device to the beginning of the encoding data.
*--fec-roots=num*::
Number of generator roots. This equals to the number of parity bytes
in the encoding data. In RS(M, N) encoding, the number of roots is
M-N. M is 255 and M-N is between 2 and 24 (including).
*--fec-roots* _number_::
Number of generator roots.
This equals the number of parity bytes in the encoding data.
In RS(M, N) encoding, the number of roots is M-N.
M is 255, and M-N is between 2 and 24 (including).
*--format=number*::
Specifies the hash version type. Format type 0 is original Chrome OS
version. Format type 1 is current version.
*--format* _number_::
Specifies the hash version type.
Format type 0 is the original Chrome OS version.
Format type 1 is the current version.
*--hash=hash*::
Hash algorithm for dm-verity. For default see --help option.
*--hash* _hash_::
Hash algorithm for dm-verity.
For default, see --help option.
*--hash-block-size=bytes*::
Used block size for the hash device. (Note kernel supports only
page-size as maximum here.)
*--hash-block-size* _bytes_::
Used block size for the hash device.
Maximum is the page size used by the kernel.
*--hash-offset=bytes*::
Offset of hash area/superblock on hash_device. Value must be aligned
to disk sector offset.
*--hash-offset* _bytes_::
Offset of hash area/superblock on hash_device.
Value must be aligned with the disk sector offset.
*--help, -?*::
*--help*, *-?*::
Show help text and default parameters.
*--ignore-corruption, --restart-on-corruption, --panic-on-corruption*::
Defines what to do if data integrity problem is detected (data
corruption).
*--ignore-corruption*, *--restart-on-corruption*, *--panic-on-corruption*::
Defines what to do if a data integrity problem (data corruption) is detected.
+
Without these options kernel fails the IO operation with I/O error. With
--ignore-corruption option the corruption is only logged. With
--restart-on-corruption or --panic-on-corruption the kernel is restarted
(panicked) immediately. (You have to provide way how to avoid restart
loops.)
Without these options, the kernel fails the I/O operation with an I/O error.
With --ignore-corruption option, the corruption is only logged.
With --restart-on-corruption or --panic-on-corruption, the kernel is restarted (panicked) immediately.
(You have to provide a way to avoid restart loops.)
+
*WARNING:* Use these options only for very specific cases. These options
are available since Linux kernel version 4.1.
Use these options only for very specific cases.
*--ignore-zero-blocks*::
Instruct kernel to not verify blocks that are expected to contain
zeroes and always directly return zeroes instead.
Instruct the kernel not to verify blocks expected to contain zeroes and always directly return zeroes instead.
+
*WARNING:* Use this option only in very specific cases. This option is
available since Linux kernel version 4.5.
Use this option only in very specific cases.
*--no-superblock*::
Create or use dm-verity without permanent on-disk superblock.
Create or use dm-verity without a permanent on-disk superblock.
*--root-hash-file=FILE*::
*--root-hash-file* _file_*::
Path to file with stored root hash in hex-encoded text.
*--root-hash-signature=FILE*::
Path to root hash signature file used to verify the root hash (in
kernel). This feature requires Linux kernel version 5.4 or more
recent.
*--root-hash-signature* _file_*::
A path to the root hash signature file used to verify the root hash (in kernel).
This feature requires a Linux kernel version 5.4 or more recent.
*--salt=hex string*::
Salt used for format or verification. Format is a hexadecimal string.
Salt used for formatting or verification.
Format is a hexadecimal string.
*--shared*::
Allows data device to be used in shared mode. The data device is not checked
for exclusive access in-before the device activation and may be mapped in multiple
verity mappings.
Allows the data device to be used in shared mode.
The data device is not checked for exclusive access before the device activation and may be mapped in multiple verity mappings.
*--usage*::
Show short option help.
*--use-tasklets*::
Try to use kernel tasklets in dm-verity driver for performance reasons.
Try to use kernel tasklets in the dm-verity driver for performance reasons.
This option is available since Linux kernel version 6.0.
*--uuid=UUID*::
Use the provided UUID for format command instead of generating new
one.
*--uuid* _UUID_::
Use the provided UUID for the format command instead of generating a new one.
+
The UUID must be provided in standard UUID format, e.g.
12345678-1234-1234-1234-123456789abc.
The UUID must be provided in standard UUID format, e.g., 12345678-1234-1234-1234-123456789abc.
*--verbose, -v*::
*--verbose*, *-v*::
Print more information on command execution.
*--version, -V*::
*--version*, *-V*::
Show the program version.
== RETURN CODES
Veritysetup returns *0* on success and a non-zero value on error.
Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory,
*4* wrong device specified, *5* device already exists or device is busy.
Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory, *4* wrong device specified, *5* device already exists or device is busy.
== EXAMPLES
*veritysetup --data-blocks=256 format <data_device> <hash_device>*
Calculates and stores verification data on hash_device for the first 256
blocks (of block-size). If hash_device does not exist, it is created (as
file image).
Calculates and stores verification data on hash_device for the first 256 blocks (of block size).
If hash_device does not exist, it is created (as a file image).
*veritysetup format --root-hash-file <path> <data_device> <hash_device>*
Calculates and stores verification data on hash_device for the whole
data_device, and store the root hash as hex-encoded text in <path>.
Calculates and stores verification data on hash_device for the whole data_device, and stores the root hash as hex-encoded text in <path>.
*veritysetup --data-blocks=256 --hash-offset=1052672 format <device>
<device>*
*veritysetup --data-blocks=256 --hash-offset=1052672 format <device> <device>*
Verification data (hashes) is stored on the same device as data
(starting at hash-offset). Hash-offset must be greater than number of
blocks in data-area.
Verification data (hashes) is stored on the same device as data (starting at hash-offset).
Hash offset must be greater than the number of blocks in the data area.
*veritysetup --data-blocks=256 --hash-offset=1052672 create test-device
<device> <device> <root_hash>*
*veritysetup --data-blocks=256 --hash-offset=1052672 create test-device <device> <device> <root_hash>*
Activates the verity device named test-device. Options --data-blocks and
--hash-offset are the same as in the format command. The <root_hash> was
calculated in format command.
Activates the verity device named test-device.
Options --data-blocks and --hash-offset are the same as in the format command.
The <root_hash> was calculated in the format command.
*veritysetup --data-blocks=256 --hash-offset=1052672 verify
<data_device> <hash_device> <root_hash>*
*veritysetup --data-blocks=256 --hash-offset=1052672 verify <data_device> <hash_device> <root_hash>*
Verifies device without activation (in userspace).
*veritysetup --data-blocks=256 --hash-offset=1052672 --root-hash-file
<path> verify <data_device> <hash_device>*
*veritysetup --data-blocks=256 --hash-offset=1052672 --root-hash-file <path> verify <data_device> <hash_device>*
Verifies device without activation (in userspace). Root hash passed via
a file rather than inline.
Verifies device without activation (in userspace).
Root hash is passed via file rather than inline.
*veritysetup --fec-device=<fec_device> --fec-roots=10 format
<data_device> <hash_device>*
*veritysetup --fec-device=<fec_device> --fec-roots=10 format <data_device> <hash_device>*
Calculates and stores verification and encoding data for data_device.
Calculates and stores verification and encoding data for the data_device.
== DM-VERITY ON-DISK SPECIFICATION
The on-disk format specification is available at
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity[*DMVerity*] page.
The on-disk format specification is available on the https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity[DMVerity] page.
== AUTHORS
The first implementation of veritysetup was written by Chrome OS
authors.
The first implementation of veritysetup was written by Chrome OS authors.
This version is based on verification code written by
mailto:mpatocka@redhat.com[Mikulas Patocka] and rewritten for libcryptsetup
by mailto:gmazyland@gmail.com[Milan Broz].
This version is based on verification code written by mailto:mpatocka@redhat.com[Mikulas Patocka] and rewritten for libcryptsetup by mailto:gmazyland@gmail.com[Milan Broz].
include::man/common_footer.adoc[]
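Review bot: The new --root-hash-file and --root-hash-signature terms end in a stray asterisk ("*--root-hash-file* _file_*::"), which leaves an unbalanced "*" in the term; drop it so they match "*--fec-device* _device_::". The "*--salt=hex string*::" term was left in the old "=" form while every other option with an argument was converted. In --check-at-most-once, "verify blocks only once they are read" can be read as "as soon as they are read"; the previous "only the first time they are read" was unambiguous and should be kept. The rewrite also removes the "available since Linux kernel version 4.17", "4.1" and "4.5" notes while keeping the 5.4 and 6.0 ones, so state whether that cut-off is intentional. The EXAMPLES still use the "--data-blocks=256" form while OPTIONS now documents "--data-blocks _blocks_".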

View File

@@ -2,7 +2,7 @@ project('cryptsetup',
'c',
default_options: [ 'prefix=/usr' ],
meson_version: '>=0.64',
version: '2.8.0-rc1')
version: '2.9.0-git')
libcryptsetup_version = '12.11.0'
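Review bot: The project version becomes '2.9.0-git' here, while the spec file and the .pot Project-Id-Version in this same comparison move from 2.8.0-rc1 to 2.8.1. Confirm which version this branch is meant to carry so that the three files stay in step.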
@@ -31,7 +31,6 @@ default_string_options = [
'default-luks1-cipher',
'default-luks1-hash',
'default-luks1-mode',
'default-luks2-external-tokens-path',
'default-luks2-keyslot-cipher',
'default-luks2-lock-path',
'default-luks2-pbkdf',
@@ -698,6 +697,21 @@ if cc.links(
description: 'Define to 1 to use __attribute__((symver))')
endif
# ==========================================================================
# Check compiler support for zero_called_used_regs("used") function attribute
if cc.links(
'''void _test_fn(void);
__attribute__((zero_call_used_regs("used"))) void _test_fn(void) {
volatile int *i; volatile int j = 0; if (j) *i = 0;
}
int main(void) { _test_fn(); return 0; }''',
args: ['-O0', '-Werror' ],
name: 'for zero_call_used_regs("used") attribute support')
conf.set10('HAVE_ATTRIBUTE_ZEROCALLUSEDREGS', true,
description: 'Define to 1 to use __attribute__((zero_call_used_regs("used")))')
endif
# ==========================================================================
if get_option('dev-random')
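Review bot: The probe body dereferences an uninitialised pointer ("volatile int *i; ... if (j) *i = 0;") and is built with -Werror, so a compiler that diagnoses the uninitialised use would fail the probe for a reason unrelated to the attribute; give the test function a body with no undefined access, for example writing through a pointer to a local. The comment above the check spells the attribute "zero_called_used_regs" while the code and the name: string use zero_call_used_regs. HAVE_ATTRIBUTE_ZEROCALLUSEDREGS is only set inside the success branch, so it is undefined rather than 0 when the probe fails; note that for whoever writes the consuming macro.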
@@ -712,7 +726,9 @@ if tmpfilesdir == ''
method: 'pkg-config',
required: false)
if systemd.found()
tmpfilesdir = systemd.get_variable(pkgconfig: 'tmpfilesdir', default_value: '')
tmpfilesdir = systemd.get_variable('tmpfilesdir',
pkgconfig_define: ['prefix', get_option('prefix')],
default_value: '')
endif
endif
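Review bot: Passing pkgconfig_define: ['prefix', get_option('prefix')] makes tmpfilesdir follow this project's prefix instead of the prefix systemd reports, so a build with a prefix other than the default '/usr' installs its tmpfiles.d snippet under that prefix. Add a comment saying which case this is for, and mention that an explicitly set tmpfilesdir still takes precedence, as the "if tmpfilesdir == ''" guard in the hunk header shows.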
@@ -731,12 +747,12 @@ endif
assert(get_option('default-luks2-lock-path').startswith('/'),
'default-luks2-lock-path has to be an absolute path')
luks2_external_tokens_path = get_option('default-luks2-external-tokens-path')
if luks2_external_tokens_path == 'LIBDIR/cryptsetup'
luks2_external_tokens_path = get_option('luks2-external-tokens-path')
if luks2_external_tokens_path == ''
luks2_external_tokens_path = join_paths(get_option('prefix'), get_option('libdir'), 'cryptsetup')
endif
assert(luks2_external_tokens_path.startswith('/'),
'default-luks2-external-tokens-path has to be an absolute path')
'luks2-external-tokens-path has to be an absolute path')
conf.set_quoted('EXTERNAL_LUKS2_TOKENS_PATH', luks2_external_tokens_path,
description: 'path to directory with LUKSv2 external token handlers (plugins)')
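Review bot: Renaming the option from default-luks2-external-tokens-path to luks2-external-tokens-path breaks existing build scripts that still pass the old name, and this directory is where external token handlers (plugins) are looked up, so a packager who misses the rename ends up with the computed prefix/libdir default instead of the path they intended. Mention the rename in the release notes, or keep the old name as a deprecated alias for one release. The assert only checks that the path is absolute, which matches the old behaviour.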

View File

@@ -12,7 +12,6 @@ option('default-luks1-hash', type : 'string', description : 'hash function for L
option('default-luks1-iter-time', type : 'integer', description : 'PBKDF2 iteration time for LUKS1 (in ms)', value : 2000)
option('default-luks1-keybits', type : 'integer', description : 'key length in bits for LUKS1', value : 256)
option('default-luks1-mode', type : 'string', description : 'cipher mode for LUKS1', value : 'xts-plain64')
option('default-luks2-external-tokens-path', type : 'string', description : 'path to directory with LUKSv2 external token handlers (plugins)', value : 'LIBDIR/cryptsetup')
option('default-luks2-iter-time', type : 'integer', description : 'Argon2 PBKDF iteration time for LUKS2 (in ms)', value : 2000)
option('default-luks2-keyslot-cipher', type : 'string', description : 'fallback cipher for LUKS2 keyslot (if data encryption is incompatible)', value : 'aes-xts-plain64')
option('default-luks2-keyslot-keybits', type : 'integer', description : 'fallback key size for LUKS2 keyslot (if data encryption is incompatible)', value : 512)
@@ -45,6 +44,7 @@ option('integritysetup', type : 'boolean', description : 'integritysetup Support
option('internal-sse-argon2', type : 'boolean', description : 'use internal SSE implementation of Argon2 PBKDF', value : false)
option('kernel_crypto', type : 'boolean', description : 'kernel userspace crypto (no benchmark and tcrypt)', value : true)
option('keyring', type : 'boolean', description : 'kernel keyring support and builtin kernel keyring token', value : true)
option('luks2-external-tokens-path', type : 'string', description : 'path to directory with LUKSv2 external token handlers (plugins)')
option('luks2-reencryption', type : 'boolean', description : 'LUKS2 online reencryption extension', value : true)
option('luks_adjust_xts_keysize', type : 'boolean', description : 'XTS mode requires two keys, double default LUKS keysize if needed', value : true)
option('nls', type : 'boolean', description : 'use Native Language Support', value : true)
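Review bot: The new luks2-external-tokens-path option is declared without a value, while every other option visible in these hunks states one, and meson.build now depends on the unset value being the empty string ("if luks2_external_tokens_path == ''"). Add an explicit value : '' and extend the description to say that an empty value means prefix/libdir/cryptsetup, since the old 'LIBDIR/cryptsetup' default documented that and the new declaration does not.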

View File

@@ -2,7 +2,7 @@
Summary: Utility for setting up encrypted disks
Name: cryptsetup
Version: 2.8.0-rc1
Version: 2.8.1
Release: 1%{?dist}
License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
URL: https://gitlab.com/cryptsetup/cryptsetup

View File

@@ -5,9 +5,9 @@
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2.8.0-rc1\n"
"Project-Id-Version: cryptsetup 2.8.1\n"
"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
"POT-Creation-Date: 2025-06-16 13:51+0200\n"
"POT-Creation-Date: 2025-08-19 10:38+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -151,7 +151,7 @@ msgstr ""
msgid "Cannot determine device type. Incompatible activation of device?"
msgstr ""
#: lib/setup.c:395 lib/setup.c:4139
#: lib/setup.c:395 lib/setup.c:4145
msgid "This operation is supported only for LUKS device."
msgstr ""
@@ -173,7 +173,7 @@ msgstr ""
msgid "Key slot %d is full, please select another one."
msgstr ""
#: lib/setup.c:531 lib/setup.c:3854
#: lib/setup.c:531 lib/setup.c:3860
msgid "Device size is not aligned to device logical block size."
msgstr ""
@@ -182,7 +182,7 @@ msgstr ""
msgid "Header detected but device %s is too small."
msgstr ""
#: lib/setup.c:669 lib/setup.c:3739 lib/setup.c:5206
#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
msgid "This operation is not supported for this device type."
msgstr ""
@@ -215,8 +215,8 @@ msgstr ""
msgid "No known cipher specification pattern detected for active device %s."
msgstr ""
#: lib/setup.c:1515 lib/setup.c:3486 lib/setup.c:3578 lib/setup.c:3590
#: lib/setup.c:3762 lib/setup.c:5781
#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
#: lib/setup.c:3768 lib/setup.c:5787
#, c-format
msgid "Device %s is not active."
msgstr ""
@@ -247,7 +247,7 @@ msgstr ""
msgid "Unsupported encryption sector size."
msgstr ""
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3848
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
msgid "Device size is not aligned to requested sector size."
msgstr ""
@@ -366,7 +366,7 @@ msgid ""
"alignment granularity."
msgstr ""
#: lib/setup.c:2528 lib/setup.c:4222 lib/setup.c:4411 lib/utils_wipe.c:356
#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
#, c-format
msgid "Failed to acquire OPAL lock on device %s."
@@ -445,320 +445,320 @@ msgid ""
"bytes).\n"
msgstr ""
#: lib/setup.c:3031 lib/setup.c:3129
#: lib/setup.c:3037 lib/setup.c:3135
#, c-format
msgid "Unknown or unsupported device type %s requested."
msgstr ""
#: lib/setup.c:3043
#: lib/setup.c:3049
#, c-format
msgid "Device %s does not provide inline integrity data fields."
msgstr ""
#: lib/setup.c:3049
#: lib/setup.c:3055
#, c-format
msgid ""
"Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by "
"device %s."
msgstr ""
#: lib/setup.c:3064
#: lib/setup.c:3070
#, c-format
msgid "Sector must be the same as device hardware sector (%zu bytes)."
msgstr ""
#: lib/setup.c:3494 lib/setup.c:3583 lib/setup.c:3596
#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
#, c-format
msgid "Unsupported parameters on device %s."
msgstr ""
#: lib/setup.c:3500 lib/setup.c:3603 lib/luks2/luks2_reencrypt.c:2920
#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
#, c-format
msgid "Mismatching parameters on device %s."
msgstr ""
#: lib/setup.c:3626
#: lib/setup.c:3632
msgid "Crypt devices mismatch."
msgstr ""
#: lib/setup.c:3658 lib/setup.c:3663 lib/luks2/luks2_reencrypt.c:2404
#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
#, c-format
msgid "Failed to reload device %s."
msgstr ""
#: lib/setup.c:3669 lib/setup.c:3675 lib/luks2/luks2_reencrypt.c:2375
#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
#, c-format
msgid "Failed to suspend device %s."
msgstr ""
#: lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2389
#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
#: lib/luks2/luks2_reencrypt.c:4228
#, c-format
msgid "Failed to resume device %s."
msgstr ""
#: lib/setup.c:3696
#: lib/setup.c:3702
#, c-format
msgid "Fatal error while reloading device %s (on top of device %s)."
msgstr ""
#: lib/setup.c:3699 lib/setup.c:3701
#: lib/setup.c:3705 lib/setup.c:3707
#, c-format
msgid "Failed to switch device %s to dm-error."
msgstr ""
#: lib/setup.c:3744
#: lib/setup.c:3750
msgid "Can not resize LUKS2 device with static size."
msgstr ""
#: lib/setup.c:3749
#: lib/setup.c:3755
msgid "Resize of LUKS2 device with integrity protection is not supported."
msgstr ""
#: lib/setup.c:3795
#: lib/setup.c:3801
msgid "Cannot resize loop device."
msgstr ""
#: lib/setup.c:3839
#: lib/setup.c:3845
msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
msgstr ""
#: lib/setup.c:3905
#: lib/setup.c:3911
msgid "Resize failed, the kernel doesn't support it."
msgstr ""
#: lib/setup.c:3937
#: lib/setup.c:3943
msgid "Do you really want to change UUID of device?"
msgstr ""
#: lib/setup.c:4029
#: lib/setup.c:4035
msgid "Header backup file does not contain compatible LUKS header."
msgstr ""
#: lib/setup.c:4122
#: lib/setup.c:4128
#, c-format
msgid "Volume %s is not active."
msgstr ""
#: lib/setup.c:4177
#: lib/setup.c:4183
#, c-format
msgid "Volume %s is already suspended."
msgstr ""
#: lib/setup.c:4203
#: lib/setup.c:4209
#, c-format
msgid "Suspend is not supported for device %s."
msgstr ""
#: lib/setup.c:4205 lib/setup.c:4213
#: lib/setup.c:4211 lib/setup.c:4219
#, c-format
msgid "Error during suspending device %s."
msgstr ""
#: lib/setup.c:4228
#: lib/setup.c:4234
#, c-format
msgid "Device %s was suspended but hardware OPAL device cannot be locked."
msgstr ""
#: lib/setup.c:4259 lib/setup.c:4436
#: lib/setup.c:4265 lib/setup.c:4442
#, c-format
msgid "Resume is not supported for device %s."
msgstr ""
#: lib/setup.c:4261 lib/setup.c:4426 lib/setup.c:4438
#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
#, c-format
msgid "Error during resuming device %s."
msgstr ""
#: lib/setup.c:4280
#: lib/setup.c:4286
msgid "Failed to unlink volume key from user specified keyring."
msgstr ""
#: lib/setup.c:4402 lib/setup.c:5568
#: lib/setup.c:4408 lib/setup.c:5574
msgid "Failed to link volume key in user defined keyring."
msgstr ""
#: lib/setup.c:4500 src/cryptsetup.c:2714
#: lib/setup.c:4506 src/cryptsetup.c:2714
#, c-format
msgid "Volume %s is not suspended."
msgstr ""
#: lib/setup.c:4601 lib/setup.c:7233 lib/setup.c:7255 lib/setup.c:7309
#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
msgid "Volume key does not match the volume."
msgstr ""
#: lib/setup.c:4755
#: lib/setup.c:4761
msgid "Failed to swap new key slot."
msgstr ""
#: lib/setup.c:4853
#: lib/setup.c:4859
#, c-format
msgid "Key slot %d is invalid."
msgstr ""
#: lib/setup.c:4859 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
#, c-format
msgid "Keyslot %d is not active."
msgstr ""
#: lib/setup.c:4878
#: lib/setup.c:4884
msgid "Device header overlaps with data area."
msgstr ""
#: lib/setup.c:5099
#: lib/setup.c:5105
msgid "Reencryption in-progress. Cannot activate device."
msgstr ""
#: lib/setup.c:5101 lib/luks2/luks2_json_metadata.c:2884
#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
#: lib/luks2/luks2_reencrypt.c:3714
msgid "Failed to get reencryption lock."
msgstr ""
#: lib/setup.c:5123
#: lib/setup.c:5129
msgid "LUKS2 reencryption recovery using volume key(s) failed."
msgstr ""
#: lib/setup.c:5259
#: lib/setup.c:5265
#, c-format
msgid "Device %s already exists."
msgstr ""
#: lib/setup.c:5266
#: lib/setup.c:5272
#, c-format
msgid "Cannot use device %s, name is invalid or still in use."
msgstr ""
#: lib/setup.c:5278
#: lib/setup.c:5284
msgid "Reencryption volume keys do not match the volume."
msgstr ""
#: lib/setup.c:5295
#: lib/setup.c:5301
msgid "Incorrect volume key specified for plain device."
msgstr ""
#: lib/setup.c:5321 lib/setup.c:5382
#: lib/setup.c:5327 lib/setup.c:5388
msgid "Device type is not properly initialized."
msgstr ""
#: lib/setup.c:5420
#: lib/setup.c:5426
msgid "Kernel keyring is not supported by the kernel."
msgstr ""
#: lib/setup.c:5424
#: lib/setup.c:5430
msgid "Kernel keyring missing: required for passing signature to kernel."
msgstr ""
#: lib/setup.c:5476
#: lib/setup.c:5482
#, c-format
msgid "Cannot use keyring key %s."
msgstr ""
#: lib/setup.c:5689
#: lib/setup.c:5695
msgid "Incorrect root hash specified for verity device."
msgstr ""
#: lib/setup.c:5730 lib/setup.c:5755
#: lib/setup.c:5736 lib/setup.c:5761
msgid "OPAL does not support deferred deactivation."
msgstr ""
#: lib/setup.c:5745 lib/setup.c:5776 lib/luks2/luks2_json_metadata.c:2949
#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
#: src/utils_reencrypt.c:89
#, c-format
msgid "Device %s is still in use."
msgstr ""
#: lib/setup.c:5763
#: lib/setup.c:5769
#, c-format
msgid "Could not cancel deferred remove from device %s."
msgstr ""
#: lib/setup.c:5785
#: lib/setup.c:5791
#, c-format
msgid "Invalid device %s."
msgstr ""
#: lib/setup.c:5926
#: lib/setup.c:5932
msgid "Volume key buffer too small."
msgstr ""
#: lib/setup.c:5937
#: lib/setup.c:5943
msgid "Cannot retrieve volume key for LUKS2 device."
msgstr ""
#: lib/setup.c:5946
#: lib/setup.c:5952
msgid "Cannot retrieve volume key for LUKS1 device."
msgstr ""
#: lib/setup.c:5960
#: lib/setup.c:5966
msgid "Cannot retrieve volume key for plain device."
msgstr ""
#: lib/setup.c:5968
#: lib/setup.c:5974
msgid "Cannot retrieve root hash for verity device."
msgstr ""
#: lib/setup.c:5975
#: lib/setup.c:5981
msgid "Cannot retrieve volume key for BITLK device."
msgstr ""
#: lib/setup.c:5980
#: lib/setup.c:5986
msgid "Cannot retrieve volume key for FVAULT2 device."
msgstr ""
#: lib/setup.c:5982
#: lib/setup.c:5988
#, c-format
msgid "This operation is not supported for %s crypt device."
msgstr ""
#: lib/setup.c:6167 lib/setup.c:6178
#: lib/setup.c:6173 lib/setup.c:6184
msgid "Dump operation is not supported for this device type."
msgstr ""
#: lib/setup.c:6558
#: lib/setup.c:6564
#, c-format
msgid "Data offset is not multiple of %u bytes."
msgstr ""
#: lib/setup.c:6866
#: lib/setup.c:6872
#, c-format
msgid "Cannot convert device %s which is still in use."
msgstr ""
#: lib/setup.c:7174 lib/setup.c:7318
#: lib/setup.c:7180 lib/setup.c:7324
#, c-format
msgid "Failed to assign keyslot %u as the new volume key."
msgstr ""
#: lib/setup.c:7198
#: lib/setup.c:7204
msgid "Failed to initialize default LUKS2 keyslot parameters."
msgstr ""
#: lib/setup.c:7204
#: lib/setup.c:7210
#, c-format
msgid "Failed to assign keyslot %d to digest."
msgstr ""
#: lib/setup.c:7435
#: lib/setup.c:7441
msgid "Cannot add key slot, all slots disabled and no volume key provided."
msgstr ""
#: lib/setup.c:7508 lib/verity/verity.c:333
#: lib/setup.c:7514 lib/verity/verity.c:333
msgid "Failed to load key in kernel keyring."
msgstr ""
#: lib/setup.c:7699
#: lib/setup.c:7705
#, c-format
msgid "Could not find keyring described by \"%s\"."
msgstr ""
#: lib/setup.c:7764
#: lib/setup.c:7770
msgid "Failed to acquire global memory-hard access serialization lock."
msgstr ""
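Review bot: The paired `#:` reference lines in this hunk differ only by a line offset (for example `lib/setup.c:3494` next to `lib/setup.c:3500`) while the msgid text under them is identical, so the hunk is location churn with no string change to review. Consider generating the template with file-only locations (xgettext and msgmerge both accept `--add-location=file`) so that diffs of the catalogue show only messages that were actually added or reworded.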
@@ -904,10 +904,15 @@ msgid "Requested maximum PBKDF memory cannot be zero."
msgstr ""
#: lib/utils_pbkdf.c:173
#, c-format
msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
msgstr ""
#: lib/utils_pbkdf.c:178
msgid "Requested PBKDF parallel threads cannot be zero."
msgstr ""
#: lib/utils_pbkdf.c:193
#: lib/utils_pbkdf.c:198
msgid "Only PBKDF2 is supported in FIPS mode."
msgstr ""
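Review bot: The two messages at `lib/utils_pbkdf.c:173` and `lib/utils_pbkdf.c:178` name what looks like the same setting differently, "PBKDF parallel cost" in the upper-bound message and "PBKDF parallel threads" in the zero check. Use one term in both source strings so the two limits read as bounds on a single parameter and translators do not render them as two unrelated options.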
@@ -1273,7 +1278,7 @@ msgstr ""
msgid "Kernel does not support TCRYPT compatible mapping."
msgstr ""
#: lib/tcrypt/tcrypt.c:1126
#: lib/tcrypt/tcrypt.c:1144
msgid "This function is not supported without TCRYPT header load."
msgstr ""
@@ -1366,52 +1371,52 @@ msgstr ""
msgid "Unexpected metadata entry found when parsing startup key."
msgstr ""
#: lib/bitlk/bitlk.c:1067
#: lib/bitlk/bitlk.c:1069
msgid "This operation is not supported."
msgstr ""
#: lib/bitlk/bitlk.c:1075
#: lib/bitlk/bitlk.c:1077
msgid "Unexpected key data size."
msgstr ""
#: lib/bitlk/bitlk.c:1203
#: lib/bitlk/bitlk.c:1205
msgid "This BITLK device is in an unsupported state and cannot be activated."
msgstr ""
#: lib/bitlk/bitlk.c:1208
#: lib/bitlk/bitlk.c:1210
#, c-format
msgid "BITLK devices with type '%s' cannot be activated."
msgstr ""
#: lib/bitlk/bitlk.c:1215
#: lib/bitlk/bitlk.c:1217
msgid "Activation of BITLK device with clear key protection is not supported."
msgstr ""
#: lib/bitlk/bitlk.c:1256
#: lib/bitlk/bitlk.c:1258
#, c-format
msgid ""
"WARNING: BitLocker volume size %<PRIu64> does not match the underlying "
"device size %<PRIu64>"
msgstr ""
#: lib/bitlk/bitlk.c:1383
#: lib/bitlk/bitlk.c:1385
msgid ""
"Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
msgstr ""
#: lib/bitlk/bitlk.c:1387
#: lib/bitlk/bitlk.c:1389
msgid ""
"Cannot activate device, kernel dm-crypt is missing support for BITLK "
"Elephant diffuser."
msgstr ""
#: lib/bitlk/bitlk.c:1391
#: lib/bitlk/bitlk.c:1393
msgid ""
"Cannot activate device, kernel dm-crypt is missing support for large sector "
"size."
msgstr ""
#: lib/bitlk/bitlk.c:1395
#: lib/bitlk/bitlk.c:1397
msgid "Cannot activate device, kernel dm-zero module is missing."
msgstr ""
@@ -1780,13 +1785,13 @@ msgstr ""
msgid "Not enough memory for keyslot key derivation."
msgstr ""
#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:401
#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:405
#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2725
#, c-format
msgid "Hash algorithm %s is not available."
msgstr ""
#: lib/luks2/luks2_keyslot_luks2.c:518
#: lib/luks2/luks2_keyslot_luks2.c:522
msgid "No space for new keyslot."
msgstr ""

190
po/cs.po

@@ -33,10 +33,10 @@
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2.8.0-rc0\n"
"Project-Id-Version: cryptsetup 2.8.1-rc0\n"
"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
"POT-Creation-Date: 2025-06-03 09:23+0200\n"
"PO-Revision-Date: 2025-06-08 12:56+02:00\n"
"POT-Creation-Date: 2025-08-13 13:45+0200\n"
"PO-Revision-Date: 2025-08-14 21:32+02:00\n"
"Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
"Language-Team: Czech <translation-team-cs@lists.sourceforge.net>\n"
"Language: cs\n"
@@ -183,7 +183,7 @@ msgstr "Chyba zpracování klíče (za použití haše %s)."
msgid "Cannot determine device type. Incompatible activation of device?"
msgstr "Druh zařízení nelze určit. Nekompatibilní aktivace zařízení?"
#: lib/setup.c:395 lib/setup.c:4139
#: lib/setup.c:395 lib/setup.c:4145
msgid "This operation is supported only for LUKS device."
msgstr "Tato operace je podporována jen u zařízení LUKS."
@@ -205,7 +205,7 @@ msgstr "Pozice klíče %d není platná, prosím, vyberte číslo mezi 0 a %d."
msgid "Key slot %d is full, please select another one."
msgstr "Pozice klíče %d je obsazena, prosím, vyberte jinou."
#: lib/setup.c:531 lib/setup.c:3854
#: lib/setup.c:531 lib/setup.c:3860
msgid "Device size is not aligned to device logical block size."
msgstr "Velikost zařízení není zarovnaná na velikost logického sektoru zařízení."
@@ -214,7 +214,7 @@ msgstr "Velikost zařízení není zarovnaná na velikost logického sektoru za
msgid "Header detected but device %s is too small."
msgstr "Nalezena hlavička, ale zařízení %s je příliš malé."
#: lib/setup.c:669 lib/setup.c:3739 lib/setup.c:5206
#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
msgid "This operation is not supported for this device type."
msgstr "Tato operace není na zařízení tohoto typu podporována."
@@ -247,8 +247,8 @@ msgstr "Nepodporovaná verze LUKS %d."
msgid "No known cipher specification pattern detected for active device %s."
msgstr "Na aktivním zařízení %s nebyl nalezen žádný známý vzorek určující šifrování."
#: lib/setup.c:1515 lib/setup.c:3486 lib/setup.c:3578 lib/setup.c:3590
#: lib/setup.c:3762 lib/setup.c:5781
#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
#: lib/setup.c:3768 lib/setup.c:5787
#, c-format
msgid "Device %s is not active."
msgstr "Zařízení %s není aktivní."
@@ -279,7 +279,7 @@ msgstr "Zařízení s oddělenými metadaty není na šifře tohoto typu podpor
msgid "Unsupported encryption sector size."
msgstr "Nepodporovaná velikost šifrovaného sektoru."
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3848
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
msgid "Device size is not aligned to requested sector size."
msgstr "Velikost zařízení není zarovnaná na požadovanou velikost sektoru."
@@ -390,7 +390,7 @@ msgstr "Požadované zarovnání dat nesplňuje požadavky na zarovnání uzamyk
msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
msgstr "Velikost zařízení byla dorovnána %<PRIu64> sektory, aby lícovala s granularitou zarovnání Opal."
#: lib/setup.c:2528 lib/setup.c:4222 lib/setup.c:4411 lib/utils_wipe.c:356
#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
#, c-format
msgid "Failed to acquire OPAL lock on device %s."
@@ -464,320 +464,320 @@ msgstr "Velikost klíče integrity neodpovídá."
msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
msgstr "POZOR: Požadovaná velikost značky %d bajtů se liší od výstupu velikosti %s (%d bajtů).\n"
#: lib/setup.c:3031 lib/setup.c:3129
#: lib/setup.c:3037 lib/setup.c:3135
#, c-format
msgid "Unknown or unsupported device type %s requested."
msgstr "Požadován neznámý nebo nepodporovaný typ zařízení %s."
#: lib/setup.c:3043
#: lib/setup.c:3049
#, c-format
msgid "Device %s does not provide inline integrity data fields."
msgstr "Zařízení %s neposkytuje položky pro inline integritu dat."
#: lib/setup.c:3049
#: lib/setup.c:3055
#, c-format
msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
msgstr "Velikost inline značky %<PRIu32> bajtů je větší než %<PRIu32> poskytovaných zařízením %s."
#: lib/setup.c:3064
#: lib/setup.c:3070
#, c-format
msgid "Sector must be the same as device hardware sector (%zu bytes)."
msgstr "Sektor musí být stejný jako hardwarový sektor zařízení (%zu bajtů)."
#: lib/setup.c:3494 lib/setup.c:3583 lib/setup.c:3596
#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
#, c-format
msgid "Unsupported parameters on device %s."
msgstr "Nepodporované parametry na zařízení %s."
#: lib/setup.c:3500 lib/setup.c:3603 lib/luks2/luks2_reencrypt.c:2920
#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
#, c-format
msgid "Mismatching parameters on device %s."
msgstr "Neodpovídající parametry na zařízení %s."
#: lib/setup.c:3626
#: lib/setup.c:3632
msgid "Crypt devices mismatch."
msgstr "Zařízení dmcryptu si neodpovídají."
#: lib/setup.c:3658 lib/setup.c:3663 lib/luks2/luks2_reencrypt.c:2404
#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
#, c-format
msgid "Failed to reload device %s."
msgstr "Zařízení %s nebylo možné znovu zavést."
#: lib/setup.c:3669 lib/setup.c:3675 lib/luks2/luks2_reencrypt.c:2375
#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
#, c-format
msgid "Failed to suspend device %s."
msgstr "Zařízení %s nebylo možné pozastavit."
#: lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2389
#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
#: lib/luks2/luks2_reencrypt.c:4228
#, c-format
msgid "Failed to resume device %s."
msgstr "Zařízení %s nebylo možné probudit."
#: lib/setup.c:3696
#: lib/setup.c:3702
#, c-format
msgid "Fatal error while reloading device %s (on top of device %s)."
msgstr "Nepřekonatelná chyba při zavádění zařízení %s (nad zařízením %s)."
#: lib/setup.c:3699 lib/setup.c:3701
#: lib/setup.c:3705 lib/setup.c:3707
#, c-format
msgid "Failed to switch device %s to dm-error."
msgstr "Zařízení %s nebylo možné přepnout do dm-error."
#: lib/setup.c:3744
#: lib/setup.c:3750
msgid "Can not resize LUKS2 device with static size."
msgstr "Zařízení LUKS2 se statickou velikostí nelze změnit velikost."
#: lib/setup.c:3749
#: lib/setup.c:3755
msgid "Resize of LUKS2 device with integrity protection is not supported."
msgstr "Změna velikosti zařízení LUKS2s ochranou integrity není podporována."
#: lib/setup.c:3795
#: lib/setup.c:3801
msgid "Cannot resize loop device."
msgstr "Zařízení zpětné smyčky nelze změnit velikost."
#: lib/setup.c:3839
#: lib/setup.c:3845
msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
msgstr ""
"POZOR: Maximální velikost je již nastavena nebo změna velikosti není jádrem\n"
"podporována.\n"
#: lib/setup.c:3905
#: lib/setup.c:3911
msgid "Resize failed, the kernel doesn't support it."
msgstr "Změna velikosti selhala, jádro ji nepodporuje."
#: lib/setup.c:3937
#: lib/setup.c:3943
msgid "Do you really want to change UUID of device?"
msgstr "Opravdu chcete změnit UUID zařízení?"
#: lib/setup.c:4029
#: lib/setup.c:4035
msgid "Header backup file does not contain compatible LUKS header."
msgstr "Soubor se zálohou hlavičky neobsahuje kompatibilní hlavičku LUKS."
#: lib/setup.c:4122
#: lib/setup.c:4128
#, c-format
msgid "Volume %s is not active."
msgstr "Svazek %s není aktivní."
#: lib/setup.c:4177
#: lib/setup.c:4183
#, c-format
msgid "Volume %s is already suspended."
msgstr "Svazek %s je již uspán."
#: lib/setup.c:4203
#: lib/setup.c:4209
#, c-format
msgid "Suspend is not supported for device %s."
msgstr "Uspání není na zařízení %s podporováno."
#: lib/setup.c:4205 lib/setup.c:4213
#: lib/setup.c:4211 lib/setup.c:4219
#, c-format
msgid "Error during suspending device %s."
msgstr "Chyba při uspávání zařízení %s."
#: lib/setup.c:4228
#: lib/setup.c:4234
#, c-format
msgid "Device %s was suspended but hardware OPAL device cannot be locked."
msgstr "Zařízení %s bylo uspáno, ale hardwarové zařízení Opal nelze uzamknout."
#: lib/setup.c:4259 lib/setup.c:4436
#: lib/setup.c:4265 lib/setup.c:4442
#, c-format
msgid "Resume is not supported for device %s."
msgstr "Probuzení není na zařízení %s podporováno."
#: lib/setup.c:4261 lib/setup.c:4426 lib/setup.c:4438
#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
#, c-format
msgid "Error during resuming device %s."
msgstr "Chyba při probouzení zařízení %s."
#: lib/setup.c:4280
#: lib/setup.c:4286
msgid "Failed to unlink volume key from user specified keyring."
msgstr "Z klíčenky zadané uživatelem se nepodařilo odpojit klíč svazku."
#: lib/setup.c:4402 lib/setup.c:5568
#: lib/setup.c:4408 lib/setup.c:5574
msgid "Failed to link volume key in user defined keyring."
msgstr "Do uživatelem zadané klíčenky se nepodařilo přidat klíč svazku."
#: lib/setup.c:4500 src/cryptsetup.c:2714
#: lib/setup.c:4506 src/cryptsetup.c:2714
#, c-format
msgid "Volume %s is not suspended."
msgstr "Svazek %s není uspán."
#: lib/setup.c:4601 lib/setup.c:7233 lib/setup.c:7255 lib/setup.c:7309
#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
msgid "Volume key does not match the volume."
msgstr "Heslo svazku neodpovídá svazku."
#: lib/setup.c:4755
#: lib/setup.c:4761
msgid "Failed to swap new key slot."
msgstr "Záměna novou pozicí klíče se nezdařila."
#: lib/setup.c:4853
#: lib/setup.c:4859
#, c-format
msgid "Key slot %d is invalid."
msgstr "Pozice klíče %d je neplatná."
#: lib/setup.c:4859 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
#, c-format
msgid "Keyslot %d is not active."
msgstr "Pozice klíče %d není aktivní."
#: lib/setup.c:4878
#: lib/setup.c:4884
msgid "Device header overlaps with data area."
msgstr "Hlavička zařízení se překrývá s datovou oblastí."
#: lib/setup.c:5099
#: lib/setup.c:5105
msgid "Reencryption in-progress. Cannot activate device."
msgstr "Přešifrování již probíhá. Zařízení nelze aktivovat."
#: lib/setup.c:5101 lib/luks2/luks2_json_metadata.c:2884
#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
#: lib/luks2/luks2_reencrypt.c:3714
msgid "Failed to get reencryption lock."
msgstr "Získání zámku pro přešifrování selhalo."
#: lib/setup.c:5123
#: lib/setup.c:5129
msgid "LUKS2 reencryption recovery using volume key(s) failed."
msgstr "Obnova přešifrování LUKS2 pomocí klíčů svazku selhala."
#: lib/setup.c:5259
#: lib/setup.c:5265
#, c-format
msgid "Device %s already exists."
msgstr "Zařízení %s již existuje."
#: lib/setup.c:5266
#: lib/setup.c:5272
#, c-format
msgid "Cannot use device %s, name is invalid or still in use."
msgstr "Zařízení %s nelze použít. Název není platný nebo zařízení se stále používá."
#: lib/setup.c:5278
#: lib/setup.c:5284
msgid "Reencryption volume keys do not match the volume."
msgstr "Klíče pro přešifrování svazku neodpovídají svazku."
#: lib/setup.c:5295
#: lib/setup.c:5301
msgid "Incorrect volume key specified for plain device."
msgstr "Byl zadán neplatný klíč svazku."
#: lib/setup.c:5321 lib/setup.c:5382
#: lib/setup.c:5327 lib/setup.c:5388
msgid "Device type is not properly initialized."
msgstr "Typ zařízení není řádně inicializován."
#: lib/setup.c:5420
#: lib/setup.c:5426
msgid "Kernel keyring is not supported by the kernel."
msgstr "Jaderná klíčenka není jádrem podporována."
#: lib/setup.c:5424
#: lib/setup.c:5430
msgid "Kernel keyring missing: required for passing signature to kernel."
msgstr "Jaderná klíčenka chybí: je potřeba pro předání podpisu do jádra."
#: lib/setup.c:5476
#: lib/setup.c:5482
#, c-format
msgid "Cannot use keyring key %s."
msgstr "Klíčem klíčenky %s nelze použít."
#: lib/setup.c:5689
#: lib/setup.c:5695
msgid "Incorrect root hash specified for verity device."
msgstr "K zařízení VERITY byl zadán neplatný kořenový haš."
#: lib/setup.c:5730 lib/setup.c:5755
#: lib/setup.c:5736 lib/setup.c:5761
msgid "OPAL does not support deferred deactivation."
msgstr "Opal nepodporuje odloženou deaktivaci."
#: lib/setup.c:5745 lib/setup.c:5776 lib/luks2/luks2_json_metadata.c:2949
#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
#: src/utils_reencrypt.c:89
#, c-format
msgid "Device %s is still in use."
msgstr "Zařízení %s se stále používá."
#: lib/setup.c:5763
#: lib/setup.c:5769
#, c-format
msgid "Could not cancel deferred remove from device %s."
msgstr "Odložené odebrání zařízení %s nebylo možné zrušit."
#: lib/setup.c:5785
#: lib/setup.c:5791
#, c-format
msgid "Invalid device %s."
msgstr "Neplatné zařízení %s."
#: lib/setup.c:5926
#: lib/setup.c:5932
msgid "Volume key buffer too small."
msgstr "Vyhrazená paměť pro klíč svazku je příliš malá."
#: lib/setup.c:5937
#: lib/setup.c:5943
msgid "Cannot retrieve volume key for LUKS2 device."
msgstr "Nelze získat klíč svazku pro zařízení LUKS2."
#: lib/setup.c:5946
#: lib/setup.c:5952
msgid "Cannot retrieve volume key for LUKS1 device."
msgstr "Nelze získat klíč svazku pro zařízení LUKS1."
#: lib/setup.c:5960
#: lib/setup.c:5966
msgid "Cannot retrieve volume key for plain device."
msgstr "Nelze získat klíč svazku pro otevřené zařízení."
#: lib/setup.c:5968
#: lib/setup.c:5974
msgid "Cannot retrieve root hash for verity device."
msgstr "K zařízení VERITY nelze získat kořenový otisk."
#: lib/setup.c:5975
#: lib/setup.c:5981
msgid "Cannot retrieve volume key for BITLK device."
msgstr "Nelze získat klíč svazku pro zařízení BITLK."
#: lib/setup.c:5980
#: lib/setup.c:5986
msgid "Cannot retrieve volume key for FVAULT2 device."
msgstr "Nelze získat klíč svazku pro zařízení FVAULT2."
#: lib/setup.c:5982
#: lib/setup.c:5988
#, c-format
msgid "This operation is not supported for %s crypt device."
msgstr "Na šifrovaném zařízení %s není tato operace podporována."
#: lib/setup.c:6167 lib/setup.c:6178
#: lib/setup.c:6173 lib/setup.c:6184
msgid "Dump operation is not supported for this device type."
msgstr "Operace výpisu není na zařízení tohoto typu podporována."
#: lib/setup.c:6558
#: lib/setup.c:6564
#, c-format
msgid "Data offset is not multiple of %u bytes."
msgstr "Počátek dat není násobkem %u bajtů."
#: lib/setup.c:6866
#: lib/setup.c:6872
#, c-format
msgid "Cannot convert device %s which is still in use."
msgstr "Zařízení %s, které se stále používá, nelze konvertovat."
#: lib/setup.c:7174 lib/setup.c:7318
#: lib/setup.c:7180 lib/setup.c:7324
#, c-format
msgid "Failed to assign keyslot %u as the new volume key."
msgstr "Přiřazení pozice klíče %u jakožto nového klíče svazku se nezdařilo."
#: lib/setup.c:7198
#: lib/setup.c:7204
msgid "Failed to initialize default LUKS2 keyslot parameters."
msgstr "Inicializace parametrů výchozí pozice klíče LUKS2 selhala."
#: lib/setup.c:7204
#: lib/setup.c:7210
#, c-format
msgid "Failed to assign keyslot %d to digest."
msgstr "Přiřazení pozice klíče %d k otisku se nezdařilo."
#: lib/setup.c:7435
#: lib/setup.c:7441
msgid "Cannot add key slot, all slots disabled and no volume key provided."
msgstr "Nelze přidat pozici klíče, všechny pozice jsou zakázány a klíč svazku nebyl poskytnut."
#: lib/setup.c:7508 lib/verity/verity.c:333
#: lib/setup.c:7514 lib/verity/verity.c:333
msgid "Failed to load key in kernel keyring."
msgstr "Klíč se nepodařilo přidat do jaderné klíčenky."
#: lib/setup.c:7699
#: lib/setup.c:7705
#, c-format
msgid "Could not find keyring described by \"%s\"."
msgstr "Klíčenku zadanou jako „%s“ nebylo možné nalézt."
#: lib/setup.c:7764
#: lib/setup.c:7770
msgid "Failed to acquire global memory-hard access serialization lock."
msgstr "Získání zámku pro tvrdý přístup do globální paměti selhalo."
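Review bot: `msgstr "Heslo svazku neodpovídá svazku."` renders "Volume key" as "heslo" (password), while the other entries in this hunk use "klíč svazku" for the same term, so this error points the user at the passphrase rather than at the volume key. Change it to "Klíč svazku neodpovídá svazku." The last msgstr in the hunk has a similar problem: it reads as a lock for "hard access to global memory", whereas in the msgid "global" qualifies the lock and "memory-hard" describes the kind of access being serialized, so that string should be reworded as well.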
@@ -919,10 +919,15 @@ msgid "Requested maximum PBKDF memory cannot be zero."
msgstr "Požadované maximum paměti PBKDF nemůže být nula."
#: lib/utils_pbkdf.c:173
#, c-format
msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
msgstr "Požadovaná maximální cena paralelizace PBKDF je příliš vysoká (maximum je %d)."
#: lib/utils_pbkdf.c:178
msgid "Requested PBKDF parallel threads cannot be zero."
msgstr "Požadovaný počet souběžných vláken PBKDF nemůže být nula."
#: lib/utils_pbkdf.c:193
#: lib/utils_pbkdf.c:198
msgid "Only PBKDF2 is supported in FIPS mode."
msgstr "V režimu FIPS je podporován jen PBKDF2."
@@ -1281,7 +1286,7 @@ msgstr "Polohu systémového oddílu TCRYPT nelze určit. Zařízení se aktivuj
msgid "Kernel does not support TCRYPT compatible mapping."
msgstr "Jádro nepodporuje mapování kompatibilní s TCRYPT."
#: lib/tcrypt/tcrypt.c:1126
#: lib/tcrypt/tcrypt.c:1144
msgid "This function is not supported without TCRYPT header load."
msgstr "Bez dat s hlavičkou TCRYPT není tato funkce podporována."
@@ -1369,45 +1374,45 @@ msgstr "Nečekaná velikost metadat BEK %<PRIu32> neodpovídá délce souboru BE
msgid "Unexpected metadata entry found when parsing startup key."
msgstr "Při rozboru startovacího klíče byla v metadatech nalezena nečekaná položka."
#: lib/bitlk/bitlk.c:1067
#: lib/bitlk/bitlk.c:1069
msgid "This operation is not supported."
msgstr "Tato operace není podporována."
#: lib/bitlk/bitlk.c:1075
#: lib/bitlk/bitlk.c:1077
msgid "Unexpected key data size."
msgstr "Nečekaná velikost údajů o klíči."
#: lib/bitlk/bitlk.c:1203
#: lib/bitlk/bitlk.c:1205
msgid "This BITLK device is in an unsupported state and cannot be activated."
msgstr "Toto zařízení BITLK je v nepodporovaném stavu a nelze jej aktivovat."
#: lib/bitlk/bitlk.c:1208
#: lib/bitlk/bitlk.c:1210
#, c-format
msgid "BITLK devices with type '%s' cannot be activated."
msgstr "Zařízení BITLK s typem „%s“ nelze aktivovat."
#: lib/bitlk/bitlk.c:1215
#: lib/bitlk/bitlk.c:1217
msgid "Activation of BITLK device with clear key protection is not supported."
msgstr "Aktivace zařízení BITLK s ochranou pomocí nešifrovaného klíče není podporována."
#: lib/bitlk/bitlk.c:1256
#: lib/bitlk/bitlk.c:1258
#, c-format
msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
msgstr "POZOR: Velikost svazku BitLockeru %<PRIu64> neodpovídá velikosti zařízení ve zpod %<PRIu64>"
#: lib/bitlk/bitlk.c:1383
#: lib/bitlk/bitlk.c:1385
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu inicializačního vektoru BITLK."
#: lib/bitlk/bitlk.c:1387
#: lib/bitlk/bitlk.c:1389
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu difuzéru Elephant BITLK."
#: lib/bitlk/bitlk.c:1391
#: lib/bitlk/bitlk.c:1393
msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu velikostí velkých sektorů."
#: lib/bitlk/bitlk.c:1395
#: lib/bitlk/bitlk.c:1397
msgid "Cannot activate device, kernel dm-zero module is missing."
msgstr "Zařízení nelze aktivovat. Chybí jaderný modul dm-zero."
@@ -3315,12 +3320,15 @@ msgstr ""
"Pro zachování datového zařízení použije přepínač --no-wipe (a pak jej\n"
"aktivujte pomocí --integrity-recalculate)."
# TODO: Internationalize second argument.
#: src/integritysetup.c:213
#, c-format
msgid "Formatted with tag size %u%s, internal integrity %s.\n"
msgstr "Formátováno s velikostí značky %u%s, vnitřní integrita %s.\n"
#: src/integritysetup.c:214
msgid " (inline hw tags)"
msgstr " (inline hardwarové značky)"
#: src/integritysetup.c:297
msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
msgstr "Nastavení příznaku přepočtu není podporováno, místo toho zvažte použití --wipe."
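Review bot: The msgid ` (inline hw tags)` at `src/integritysetup.c:214` is a sentence fragment with a significant leading space and no translator comment, and it is presumably spliced into the `%u%s` of `Formatted with tag size %u%s, internal integrity %s.\n` from the line before it in the source. Fragments like this break in languages where the parenthetical has to agree with or move around "tag size"; prefer two complete format strings, or at least a TRANSLATORS comment in the source saying which `%s` receives the fragment, which would also settle the `# TODO: Internationalize second argument.` remark above the entry.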

189
po/de.po

@@ -5,10 +5,10 @@
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2.8.0-rc0\n"
"Project-Id-Version: cryptsetup 2.8.1-rc0\n"
"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
"POT-Creation-Date: 2025-06-03 09:23+0200\n"
"PO-Revision-Date: 2025-06-03 23:06+0200\n"
"POT-Creation-Date: 2025-08-13 13:45+0200\n"
"PO-Revision-Date: 2025-08-15 00:30+0200\n"
"Last-Translator: Roland Illig <roland.illig@gmx.de>\n"
"Language-Team: German <translation-team-de@lists.sourceforge.net>\n"
"Language: de\n"
@@ -155,7 +155,7 @@ msgstr "Fehler beim Verarbeiten des Schlüssels (mit Hash-Algorithmus »%s«)."
msgid "Cannot determine device type. Incompatible activation of device?"
msgstr "Geräte-Art kann nicht bestimmt werden. Inkompatible Aktivierung des Geräts?"
#: lib/setup.c:395 lib/setup.c:4139
#: lib/setup.c:395 lib/setup.c:4145
msgid "This operation is supported only for LUKS device."
msgstr "Diese Operation wird nur für LUKS-Geräte unterstützt."
@@ -177,7 +177,7 @@ msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie eins zwischen 0 und %
msgid "Key slot %d is full, please select another one."
msgstr "Schlüsselfach %d ist voll, bitte wählen Sie ein anderes."
#: lib/setup.c:531 lib/setup.c:3854
#: lib/setup.c:531 lib/setup.c:3860
msgid "Device size is not aligned to device logical block size."
msgstr "Gerätegröße ist nicht an logischer Sektorgröße ausgerichtet."
@@ -186,7 +186,7 @@ msgstr "Gerätegröße ist nicht an logischer Sektorgröße ausgerichtet."
msgid "Header detected but device %s is too small."
msgstr "Header gefunden, aber Gerät »%s« ist zu klein."
#: lib/setup.c:669 lib/setup.c:3739 lib/setup.c:5206
#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
msgid "This operation is not supported for this device type."
msgstr "Diese Operation wird für diese Geräteart nicht unterstützt."
@@ -219,8 +219,8 @@ msgstr "Nicht unterstützte LUKS-Version %d."
msgid "No known cipher specification pattern detected for active device %s."
msgstr "Kein bekanntes Verschlüsselungsmuster für aktives Gerät »%s« entdeckt."
#: lib/setup.c:1515 lib/setup.c:3486 lib/setup.c:3578 lib/setup.c:3590
#: lib/setup.c:3762 lib/setup.c:5781
#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
#: lib/setup.c:3768 lib/setup.c:5787
#, c-format
msgid "Device %s is not active."
msgstr "Gerät »%s« ist nicht aktiv."
@@ -251,7 +251,7 @@ msgstr "Gerät für separierte Metadaten wird für diese Verschlüsselungsart ni
msgid "Unsupported encryption sector size."
msgstr "Nicht unterstützte Sektorengröße für Verschlüsselung."
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3848
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
msgid "Device size is not aligned to requested sector size."
msgstr "Gerätegröße ist nicht an verlangter Sektorgröße ausgerichtet."
@@ -360,7 +360,7 @@ msgstr "Die gewünschte Datenausrichtung erfüllt die Anforderungen an die Ausri
msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
msgstr "Gerätegröße wird um %<PRIu64> Sektoren angepasst, um zur Granularität der OPAL-Ausrichtung zu passen."
#: lib/setup.c:2528 lib/setup.c:4222 lib/setup.c:4411 lib/utils_wipe.c:356
#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
#, c-format
msgid "Failed to acquire OPAL lock on device %s."
@@ -434,318 +434,318 @@ msgstr "Größen der Integritätsschlüssel passen nicht zusammen."
msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
msgstr "WARNUNG: Angeforderte Taggröße mit %d Bytes unterscheidet sich von der Ausgabe der Größe %s (%d Bytes).\n"
#: lib/setup.c:3031 lib/setup.c:3129
#: lib/setup.c:3037 lib/setup.c:3135
#, c-format
msgid "Unknown or unsupported device type %s requested."
msgstr "Unbekannte oder nicht unterstützte Art des Verschlüsselungsgeräts »%s« verlangt."
#: lib/setup.c:3043
#: lib/setup.c:3049
#, c-format
msgid "Device %s does not provide inline integrity data fields."
msgstr "Gerät »%s« bietet keine Datenfelder für Inline-Integrität."
#: lib/setup.c:3049
#: lib/setup.c:3055
#, c-format
msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
msgstr "Die Inline-Tag-Größe %<PRIu32> [Bytes] ist größer als die %<PRIu32> vom Gerät %s bereitgestellte."
#: lib/setup.c:3064
#: lib/setup.c:3070
#, c-format
msgid "Sector must be the same as device hardware sector (%zu bytes)."
msgstr "Der Sektor muss mit dem Hardware-Sektor des Geräts übereinstimmen (%zu Bytes)."
#: lib/setup.c:3494 lib/setup.c:3583 lib/setup.c:3596
#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
#, c-format
msgid "Unsupported parameters on device %s."
msgstr "Nicht unterstützte Parameter für Gerät %s."
#: lib/setup.c:3500 lib/setup.c:3603 lib/luks2/luks2_reencrypt.c:2920
#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
#, c-format
msgid "Mismatching parameters on device %s."
msgstr "Parameter für Gerät %s sind durcheinander."
#: lib/setup.c:3626
#: lib/setup.c:3632
msgid "Crypt devices mismatch."
msgstr "Verschlüsselungsgeräte passen nicht zusammen."
#: lib/setup.c:3658 lib/setup.c:3663 lib/luks2/luks2_reencrypt.c:2404
#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
#, c-format
msgid "Failed to reload device %s."
msgstr "Gerät »%s« konnte nicht neugeladen werden."
#: lib/setup.c:3669 lib/setup.c:3675 lib/luks2/luks2_reencrypt.c:2375
#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
#, c-format
msgid "Failed to suspend device %s."
msgstr "Gerät »%s« konnte nicht stillgelegt werden."
#: lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2389
#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
#: lib/luks2/luks2_reencrypt.c:4228
#, c-format
msgid "Failed to resume device %s."
msgstr "Gerät »%s« konnte nicht fortgesetzt werden."
#: lib/setup.c:3696
#: lib/setup.c:3702
#, c-format
msgid "Fatal error while reloading device %s (on top of device %s)."
msgstr "Schwerwiegender Fehler beim Neuladen von Gerät »%s« (über Gerät »%s«)."
#: lib/setup.c:3699 lib/setup.c:3701
#: lib/setup.c:3705 lib/setup.c:3707
#, c-format
msgid "Failed to switch device %s to dm-error."
msgstr "Gerät »%s« konnte nicht auf dm-error umgeschaltet werden."
#: lib/setup.c:3744
#: lib/setup.c:3750
msgid "Can not resize LUKS2 device with static size."
msgstr "Größe des LUKS2-Geräts kann nicht geändert werden, da sie statisch ist."
#: lib/setup.c:3749
#: lib/setup.c:3755
msgid "Resize of LUKS2 device with integrity protection is not supported."
msgstr "Die Größenänderung eines LUKS2-Geräts mit Integritätsschutz wird nicht unterstützt."
#: lib/setup.c:3795
#: lib/setup.c:3801
msgid "Cannot resize loop device."
msgstr "Fehler beim Ändern der Größe des Loopback-Geräts."
#: lib/setup.c:3839
#: lib/setup.c:3845
msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
msgstr "WARNUNG: Die maximale Größe ist bereits eingestellt oder der Kernel unterstützt die Größenänderung nicht.\n"
#: lib/setup.c:3905
#: lib/setup.c:3911
msgid "Resize failed, the kernel doesn't support it."
msgstr "Fehler bei Größenänderung, der Kernel unterstützt sie nicht."
#: lib/setup.c:3937
#: lib/setup.c:3943
msgid "Do you really want to change UUID of device?"
msgstr "Wollen Sie wirklich die UUID des Geräts ändern?"
#: lib/setup.c:4029
#: lib/setup.c:4035
msgid "Header backup file does not contain compatible LUKS header."
msgstr "Header-Backupdatei enthält keinen kompatiblen LUKS-Header."
#: lib/setup.c:4122
#: lib/setup.c:4128
#, c-format
msgid "Volume %s is not active."
msgstr "Laufwerk »%s« ist nicht aktiv."
#: lib/setup.c:4177
#: lib/setup.c:4183
#, c-format
msgid "Volume %s is already suspended."
msgstr "Laufwerk »%s« ist bereits im Ruhezustand."
#: lib/setup.c:4203
#: lib/setup.c:4209
#, c-format
msgid "Suspend is not supported for device %s."
msgstr "Das Gerät »%s« unterstützt keinen Ruhezustand."
#: lib/setup.c:4205 lib/setup.c:4213
#: lib/setup.c:4211 lib/setup.c:4219
#, c-format
msgid "Error during suspending device %s."
msgstr "Das Gerät »%s« kann nicht in den Ruhezustand versetzt werden."
#: lib/setup.c:4228
#: lib/setup.c:4234
#, c-format
msgid "Device %s was suspended but hardware OPAL device cannot be locked."
msgstr "Gerät »%s« ist im Ruhezustand, aber das Hardware-OPAL-Gerät kann nicht gesperrt werden."
#: lib/setup.c:4259 lib/setup.c:4436
#: lib/setup.c:4265 lib/setup.c:4442
#, c-format
msgid "Resume is not supported for device %s."
msgstr "Das Gerät »%s« kann nicht aus dem Ruhezustand aufgeweckt werden."
#: lib/setup.c:4261 lib/setup.c:4426 lib/setup.c:4438
#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
#, c-format
msgid "Error during resuming device %s."
msgstr "Fehler beim Aufwecken von Gerät »%s« aus dem Ruhezustand."
#: lib/setup.c:4280
#: lib/setup.c:4286
msgid "Failed to unlink volume key from user specified keyring."
msgstr "Fehler beim Ablösen des Laufwerkschlüssels vom benutzerspezifischen Schlüsselbund."
#: lib/setup.c:4402 lib/setup.c:5568
#: lib/setup.c:4408 lib/setup.c:5574
msgid "Failed to link volume key in user defined keyring."
msgstr "Fehler beim Verknüpfen des Laufwerkschlüssels im benutzerspezifischen Schlüsselbund."
#: lib/setup.c:4500 src/cryptsetup.c:2714
#: lib/setup.c:4506 src/cryptsetup.c:2714
#, c-format
msgid "Volume %s is not suspended."
msgstr "Laufwerk »%s« ist nicht im Ruhezustand."
#: lib/setup.c:4601 lib/setup.c:7233 lib/setup.c:7255 lib/setup.c:7309
#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
msgid "Volume key does not match the volume."
msgstr "Der Laufwerksschlüssel passt nicht zum Laufwerk."
#: lib/setup.c:4755
#: lib/setup.c:4761
msgid "Failed to swap new key slot."
msgstr "Neues Schlüsselfach konnte nicht ausgewechselt werden."
#: lib/setup.c:4853
#: lib/setup.c:4859
#, c-format
msgid "Key slot %d is invalid."
msgstr "Schlüsselfach %d ist ungültig."
#: lib/setup.c:4859 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
#, c-format
msgid "Keyslot %d is not active."
msgstr "Schlüsselfach %d ist nicht aktiv."
#: lib/setup.c:4878
#: lib/setup.c:4884
msgid "Device header overlaps with data area."
msgstr "Geräteheader und Datenbereich überlappen sich."
#: lib/setup.c:5099
#: lib/setup.c:5105
msgid "Reencryption in-progress. Cannot activate device."
msgstr "Wiederverschlüsselung läuft bereits. Das Gerät kann nicht aktiviert werden."
#: lib/setup.c:5101 lib/luks2/luks2_json_metadata.c:2884
#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
#: lib/luks2/luks2_reencrypt.c:3714
msgid "Failed to get reencryption lock."
msgstr "Fehler beim Zugriff auf die Sperre zur Wiederverschlüsselung."
#: lib/setup.c:5123
#: lib/setup.c:5129
msgid "LUKS2 reencryption recovery using volume key(s) failed."
msgstr "Fehler beim Wiederherstellen der LUKS2-Wiederverschlüsselung mittels Laufwerksschlüssel(n)."
#: lib/setup.c:5259
#: lib/setup.c:5265
#, c-format
msgid "Device %s already exists."
msgstr "Das Gerät »%s« existiert bereits."
#: lib/setup.c:5266
#: lib/setup.c:5272
#, c-format
msgid "Cannot use device %s, name is invalid or still in use."
msgstr "Gerät »%s« kann nicht verwendet werden, da es gerade benutzt wird oder der Name ungültig ist."
#: lib/setup.c:5278
#: lib/setup.c:5284
msgid "Reencryption volume keys do not match the volume."
msgstr "Die Laufwerksschlüssel für die Wiederverschlüsselung passen nicht zum Laufwerk."
#: lib/setup.c:5295
#: lib/setup.c:5301
msgid "Incorrect volume key specified for plain device."
msgstr "Falscher Laufwerksschlüssel für Plain-Gerät angegeben."
#: lib/setup.c:5321 lib/setup.c:5382
#: lib/setup.c:5327 lib/setup.c:5388
msgid "Device type is not properly initialized."
msgstr "Geräteart ist nicht richtig initialisiert."
#: lib/setup.c:5420
#: lib/setup.c:5426
msgid "Kernel keyring is not supported by the kernel."
msgstr "Der Kernel-Schlüsselbund wird vom Kernel nicht unterstützt."
#: lib/setup.c:5424
#: lib/setup.c:5430
msgid "Kernel keyring missing: required for passing signature to kernel."
msgstr "Der Kernel-Schlüsselbund fehlt. Wird benötigt, um die Signatur zum Kernel zu übergeben."
#: lib/setup.c:5476
#: lib/setup.c:5482
#, c-format
msgid "Cannot use keyring key %s."
msgstr "Schlüsselringschlüssel »%s« kann nicht verwendet werden."
#: lib/setup.c:5689
#: lib/setup.c:5695
msgid "Incorrect root hash specified for verity device."
msgstr "Falscher Root-Hash-Schlüssel für VERITY-Gerät angegeben."
#: lib/setup.c:5730 lib/setup.c:5755
#: lib/setup.c:5736 lib/setup.c:5761
msgid "OPAL does not support deferred deactivation."
msgstr "OPAL unterstützt verzögertes Deaktivieren nicht."
#: lib/setup.c:5745 lib/setup.c:5776 lib/luks2/luks2_json_metadata.c:2949
#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
#: src/utils_reencrypt.c:89
#, c-format
msgid "Device %s is still in use."
msgstr "Gerät »%s« wird gerade benutzt."
#: lib/setup.c:5763
#: lib/setup.c:5769
#, c-format
msgid "Could not cancel deferred remove from device %s."
msgstr "Fehler beim Abbrechen des verzögerten Löschens von Gerät »%s«."
#: lib/setup.c:5785
#: lib/setup.c:5791
#, c-format
msgid "Invalid device %s."
msgstr "Ungültiges Gerät »%s«."
#: lib/setup.c:5926
#: lib/setup.c:5932
msgid "Volume key buffer too small."
msgstr "Laufwerks-Schlüsselpuffer zu klein."
#: lib/setup.c:5937
#: lib/setup.c:5943
msgid "Cannot retrieve volume key for LUKS2 device."
msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für LUKS2-Gerät."
#: lib/setup.c:5946
#: lib/setup.c:5952
msgid "Cannot retrieve volume key for LUKS1 device."
msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für LUKS1-Gerät."
#: lib/setup.c:5960
#: lib/setup.c:5966
msgid "Cannot retrieve volume key for plain device."
msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für Plain-Gerät."
#: lib/setup.c:5968
#: lib/setup.c:5974
msgid "Cannot retrieve root hash for verity device."
msgstr "Root-Hash für Verity-Gerät kann nicht ermittelt werden."
#: lib/setup.c:5975
#: lib/setup.c:5981
msgid "Cannot retrieve volume key for BITLK device."
msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für BITLK-Gerät."
#: lib/setup.c:5980
#: lib/setup.c:5986
msgid "Cannot retrieve volume key for FVAULT2 device."
msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für FVAULT2-Gerät."
#: lib/setup.c:5982
#: lib/setup.c:5988
#, c-format
msgid "This operation is not supported for %s crypt device."
msgstr "Diese Operation wird für Kryptogerät »%s« nicht unterstützt."
#: lib/setup.c:6167 lib/setup.c:6178
#: lib/setup.c:6173 lib/setup.c:6184
msgid "Dump operation is not supported for this device type."
msgstr "Die Dump-Operation wird für diese Geräteart nicht unterstützt."
#: lib/setup.c:6558
#: lib/setup.c:6564
#, c-format
msgid "Data offset is not multiple of %u bytes."
msgstr "Datenoffset ist kein Vielfaches von %u Bytes."
#: lib/setup.c:6866
#: lib/setup.c:6872
#, c-format
msgid "Cannot convert device %s which is still in use."
msgstr "Gerät »%s« kann nicht konvertiert werden, da es gerade benutzt wird."
#: lib/setup.c:7174 lib/setup.c:7318
#: lib/setup.c:7180 lib/setup.c:7324
#, c-format
msgid "Failed to assign keyslot %u as the new volume key."
msgstr "Schlüsselfach %u konnte nicht dem Laufwerksschlüssel zugeordnet werden."
#: lib/setup.c:7198
#: lib/setup.c:7204
msgid "Failed to initialize default LUKS2 keyslot parameters."
msgstr "Fehler beim Initialisieren der LUKS2-Schlüsselfach-Parameter."
#: lib/setup.c:7204
#: lib/setup.c:7210
#, c-format
msgid "Failed to assign keyslot %d to digest."
msgstr "Schlüsselfach %d konnte nicht dem Digest zugeordnet werden."
#: lib/setup.c:7435
#: lib/setup.c:7441
msgid "Cannot add key slot, all slots disabled and no volume key provided."
msgstr "Schlüsselfach kann nicht hinzugefügt werden, da alle Fächer deaktiviert sind und kein Laufwerksschlüssel angegeben wurde."
#: lib/setup.c:7508 lib/verity/verity.c:333
#: lib/setup.c:7514 lib/verity/verity.c:333
msgid "Failed to load key in kernel keyring."
msgstr "Fehler beim Laden des Schlüssels im Kernel-Schlüsselbund."
#: lib/setup.c:7699
#: lib/setup.c:7705
#, c-format
msgid "Could not find keyring described by \"%s\"."
msgstr "Schlüsselbund mit der Beschreibung »%s« nicht gefunden."
#: lib/setup.c:7764
#: lib/setup.c:7770
msgid "Failed to acquire global memory-hard access serialization lock."
msgstr "Globale Speicherzugriffsserialisierungssperre konnte nicht angefordert werden."
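Review bot: In the lib/setup.c:5695 entry, "Incorrect root hash specified for verity device." is rendered as "Falscher Root-Hash-Schlüssel für VERITY-Gerät angegeben.", which calls the root hash a key. The lib/setup.c:5974 entry in the same hunk uses plain "Root-Hash" and writes "Verity-Gerät". Suggest dropping "-Schlüssel" and picking one spelling of the device type. The keyring term also varies within this hunk: "Schlüsselbund" in the lib/setup.c:4286, 5426 and 7705 entries, but "Schlüsselringschlüssel" at lib/setup.c:5482. Apart from that, every changed line here is a +6 shift in a source reference, so a translation fix can be made without touching the rest of the hunk.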
@@ -886,10 +886,15 @@ msgid "Requested maximum PBKDF memory cannot be zero."
msgstr "Der verlangte PBKDF-Speicherbedarf darf nicht 0 sein."
#: lib/utils_pbkdf.c:173
#, c-format
msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
msgstr "Das verlangte Maximum für PBKDF-Parallelitätskosten ist zu hoch (maximal %d)."
#: lib/utils_pbkdf.c:178
msgid "Requested PBKDF parallel threads cannot be zero."
msgstr "Die Anzahl der verlangten parallelen Threads für PBKDF darf nicht 0 sein."
#: lib/utils_pbkdf.c:193
#: lib/utils_pbkdf.c:198
msgid "Only PBKDF2 is supported in FIPS mode."
msgstr "Im FIPS-Modus wird ausschließlich PBKDF2 unterstützt."
@@ -1250,7 +1255,7 @@ msgstr "Offset der TCRYPT-Systempartition kann nicht bestimmt werden, daher wird
msgid "Kernel does not support TCRYPT compatible mapping."
msgstr "Kernel unterstützt TCRYPT-kompatibles Mapping nicht."
#: lib/tcrypt/tcrypt.c:1126
#: lib/tcrypt/tcrypt.c:1144
msgid "This function is not supported without TCRYPT header load."
msgstr "Diese Funktionalität braucht einen geladenen TCRYPT-Header."
@@ -1338,45 +1343,45 @@ msgstr "Unerwartete BEK-Metadatengröße %<PRIu32> stimmt nicht mit BEK-Dateilä
msgid "Unexpected metadata entry found when parsing startup key."
msgstr "Unerwartete Art »%u« des Metadaten-Eintrags beim Einlesen des Startschlüssels gefunden."
#: lib/bitlk/bitlk.c:1067
#: lib/bitlk/bitlk.c:1069
msgid "This operation is not supported."
msgstr "Diese Operation wird nicht unterstützt."
#: lib/bitlk/bitlk.c:1075
#: lib/bitlk/bitlk.c:1077
msgid "Unexpected key data size."
msgstr "Unerwartete Größe des Datenschlüssels."
#: lib/bitlk/bitlk.c:1203
#: lib/bitlk/bitlk.c:1205
msgid "This BITLK device is in an unsupported state and cannot be activated."
msgstr "Dieses BITLK-Gerät ist in einem nicht unterstützten Zustand und kann daher nicht aktiviert werden."
#: lib/bitlk/bitlk.c:1208
#: lib/bitlk/bitlk.c:1210
#, c-format
msgid "BITLK devices with type '%s' cannot be activated."
msgstr "BITLK-Geräte der Art »%s« können nicht aktiviert werden."
#: lib/bitlk/bitlk.c:1215
#: lib/bitlk/bitlk.c:1217
msgid "Activation of BITLK device with clear key protection is not supported."
msgstr "Die Aktivierung eines BITLK-Geräts mit klarem Schlüsselschutz wird nicht unterstützt."
#: lib/bitlk/bitlk.c:1256
#: lib/bitlk/bitlk.c:1258
#, c-format
msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
msgstr "WARNUNG: BitLocker-Datenträgergröße %<PRIu64> stimmt nicht mit der zugrunde liegenden Gerätegröße %<PRIu64> überein"
#: lib/bitlk/bitlk.c:1383
#: lib/bitlk/bitlk.c:1385
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
msgstr "Gerät kann nicht aktiviert werden, dem Kernelmodul dm-crypt fehlt die Unterstützung für BITLK-IV."
#: lib/bitlk/bitlk.c:1387
#: lib/bitlk/bitlk.c:1389
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
msgstr "Gerät kann nicht aktiviert werden, da dem Kernelmodul dm-crypt die Unterstützung für BITLK-Elephant-Verschleierer fehlt."
#: lib/bitlk/bitlk.c:1391
#: lib/bitlk/bitlk.c:1393
msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
msgstr "Gerät kann nicht aktiviert werden, dem Kernelmodul dm-crypt fehlt die Unterstützung für große Sektoren."
#: lib/bitlk/bitlk.c:1395
#: lib/bitlk/bitlk.c:1397
msgid "Cannot activate device, kernel dm-zero module is missing."
msgstr "Gerät kann nicht aktiviert werden, das Kernelmodul dm-crypt existiert nicht."
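Review bot: The last entry of this hunk (lib/bitlk/bitlk.c:1397) translates "kernel dm-zero module is missing" as "das Kernelmodul dm-crypt existiert nicht", so the message names the wrong module and an administrator reading it would check dm-crypt instead of loading dm-zero. Suggest "das Kernelmodul dm-zero fehlt". Separately, the first context entry carries »%u« in the msgstr while its msgid "Unexpected metadata entry found when parsing startup key." has no conversion at all. If that string reaches a printf-style logger, the extra conversion consumes an argument that was never passed. msgfmt --check only compares conversions for entries flagged c-format, so this one would not be caught automatically; the »%u« should be removed from the translation.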
@@ -3282,6 +3287,10 @@ msgstr ""
msgid "Formatted with tag size %u%s, internal integrity %s.\n"
msgstr "Formatiert mit Etikettgröße %u%s und interner Integrität %s.\n"
#: src/integritysetup.c:214
msgid " (inline hw tags)"
msgstr " (Inline-Hardware-Etiketten)"
#: src/integritysetup.c:297
msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
msgstr "Das Setzen der Option »recalculate« wird nicht unterstützt, Sie können stattdessen »--wipe« erwägen."
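Review bot: The new " (inline hw tags)" entry uses "Etiketten", matching "Etikettgröße" in the context line above it, but the lib/setup.c messages in the same catalog translate tag as "Tag" ("Taggröße" at lib/setup.c:3037, "Inline-Tag-Größe" at lib/setup.c:3055). A user who hits the lib/setup.c inline tag size error and then reads the integritysetup format output sees two different words for the same integrity tag. Suggest settling on one term, for example " (Inline-Hardware-Tags)" here, or "Etikett" throughout.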

189
po/es.po

@@ -73,10 +73,10 @@
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2.8.0-rc0\n"
"Project-Id-Version: cryptsetup 2.8.1-rc0\n"
"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
"POT-Creation-Date: 2025-06-03 09:23+0200\n"
"PO-Revision-Date: 2025-06-06 08:29+0200\n"
"POT-Creation-Date: 2025-08-13 13:45+0200\n"
"PO-Revision-Date: 2025-08-15 16:37+0200\n"
"Last-Translator: Antonio Ceballos <aceballos@gmail.com>\n"
"Language-Team: Spanish <es@tp.org.es>\n"
"Language: es\n"
@@ -222,7 +222,7 @@ msgstr "Error de procesamiento de la clave (usando «hash» %s)."
msgid "Cannot determine device type. Incompatible activation of device?"
msgstr "No se puede determinar el tipo de dispositivo. ¿Es incompatible la activación del dispositivo?"
#: lib/setup.c:395 lib/setup.c:4139
#: lib/setup.c:395 lib/setup.c:4145
msgid "This operation is supported only for LUKS device."
msgstr "Esta operación solamente está disponible para dispositivos LUKS."
@@ -244,7 +244,7 @@ msgstr "La ranura de claves %d no es válida; seleccione un número entre 0 y %d
msgid "Key slot %d is full, please select another one."
msgstr "La ranura de claves %d está llena; seleccione otra."
#: lib/setup.c:531 lib/setup.c:3854
#: lib/setup.c:531 lib/setup.c:3860
msgid "Device size is not aligned to device logical block size."
msgstr "El tamaño del dispositivo no está alineado con el tamaño de bloque lógico del dispositivo."
@@ -253,7 +253,7 @@ msgstr "El tamaño del dispositivo no está alineado con el tamaño de bloque l
msgid "Header detected but device %s is too small."
msgstr "Cabecera detectada pero el dispositivo %s es demasiado pequeño."
#: lib/setup.c:669 lib/setup.c:3739 lib/setup.c:5206
#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
msgid "This operation is not supported for this device type."
msgstr "Esta operación no está disponible para este tipo de dispositivo."
@@ -286,8 +286,8 @@ msgstr "Versión LUKS no disponible %d."
msgid "No known cipher specification pattern detected for active device %s."
msgstr "No se ha detectado ningún patrón conocido de especificación de cifrado para el dispositivo activo %s."
#: lib/setup.c:1515 lib/setup.c:3486 lib/setup.c:3578 lib/setup.c:3590
#: lib/setup.c:3762 lib/setup.c:5781
#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
#: lib/setup.c:3768 lib/setup.c:5787
#, c-format
msgid "Device %s is not active."
msgstr "El dispositivo %s no está activo."
@@ -318,7 +318,7 @@ msgstr "El dispositivo de metadatos separado no está disponible para este tipo
msgid "Unsupported encryption sector size."
msgstr "Tamaño de sector de cifrado no admitido."
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3848
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
msgid "Device size is not aligned to requested sector size."
msgstr "El tamaño del dispositivo no está alineado con el tamaño del sector solicitado."
@@ -427,7 +427,7 @@ msgstr "El alineamiento de datos solicitado no satisface los requisitos de aline
msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
msgstr "Compensando el tamaño de dispositivo con %<PRIu64> sectores para alinearlo con la granularidad de alienamiento OPAL."
#: lib/setup.c:2528 lib/setup.c:4222 lib/setup.c:4411 lib/utils_wipe.c:356
#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
#, c-format
msgid "Failed to acquire OPAL lock on device %s."
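Review bot: The msgstr for "Compensating device size by %<PRIu64> sectors ..." in this hunk's context spells "granularidad de alienamiento OPAL"; the intended word is "alineamiento", as used in the preceding entry shown in the hunk header ("El alineamiento de datos solicitado ..."). Since this file is being refreshed for 2.8.1-rc0 anyway, the typo can be corrected in the same update.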
@@ -501,318 +501,318 @@ msgstr "Tamaño de la clave de integridad discordante."
msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
msgstr "ATENCIÓN: El tamaño de etiqueta de %d bytes solicitado difiere del tamaño de salida de %s (%d bytes).\n"
#: lib/setup.c:3031 lib/setup.c:3129
#: lib/setup.c:3037 lib/setup.c:3135
#, c-format
msgid "Unknown or unsupported device type %s requested."
msgstr "El tipo de dispositivo %s solicitado es desconocido o no está disponible."
#: lib/setup.c:3043
#: lib/setup.c:3049
#, c-format
msgid "Device %s does not provide inline integrity data fields."
msgstr "El dispositivo %s no ofrece campos de datos de integridad en línea."
#: lib/setup.c:3049
#: lib/setup.c:3055
#, c-format
msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
msgstr "El tamaño de etiqueta en línea %<PRIu32> [bytes] es mayor que %<PRIu32> proporcionado por el dispositivo %s."
#: lib/setup.c:3064
#: lib/setup.c:3070
#, c-format
msgid "Sector must be the same as device hardware sector (%zu bytes)."
msgstr "El sector tiene que ser el mismo que el sector hardware del dispositivo (%zu bytes)."
#: lib/setup.c:3494 lib/setup.c:3583 lib/setup.c:3596
#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
#, c-format
msgid "Unsupported parameters on device %s."
msgstr "Parámetros no admitidos para el dispositivo %s."
#: lib/setup.c:3500 lib/setup.c:3603 lib/luks2/luks2_reencrypt.c:2920
#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
#, c-format
msgid "Mismatching parameters on device %s."
msgstr "Parámetros discordantes en el dispositivo %s."
#: lib/setup.c:3626
#: lib/setup.c:3632
msgid "Crypt devices mismatch."
msgstr "Los dispositivos de cifrado no concuerdan."
#: lib/setup.c:3658 lib/setup.c:3663 lib/luks2/luks2_reencrypt.c:2404
#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
#, c-format
msgid "Failed to reload device %s."
msgstr "No se ha podido recargar el dispositivo %s."
#: lib/setup.c:3669 lib/setup.c:3675 lib/luks2/luks2_reencrypt.c:2375
#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
#, c-format
msgid "Failed to suspend device %s."
msgstr "No se ha podido suspender el dispositivo %s."
#: lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2389
#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
#: lib/luks2/luks2_reencrypt.c:4228
#, c-format
msgid "Failed to resume device %s."
msgstr "No se ha podido reanudar el dispositivo %s."
#: lib/setup.c:3696
#: lib/setup.c:3702
#, c-format
msgid "Fatal error while reloading device %s (on top of device %s)."
msgstr "Error grave durante la recarga del dispositivo %s (por encima del dispositivo %s)."
#: lib/setup.c:3699 lib/setup.c:3701
#: lib/setup.c:3705 lib/setup.c:3707
#, c-format
msgid "Failed to switch device %s to dm-error."
msgstr "No se ha podido conmutar el dispositivo %s a dm-error."
#: lib/setup.c:3744
#: lib/setup.c:3750
msgid "Can not resize LUKS2 device with static size."
msgstr "No se ha podido cambiar el tamaño del dispositivo LUKS2 con un tamaño estático."
#: lib/setup.c:3749
#: lib/setup.c:3755
msgid "Resize of LUKS2 device with integrity protection is not supported."
msgstr "Redimensionar el dispositivo LUKS2 con protección de integridad no está disponible."
#: lib/setup.c:3795
#: lib/setup.c:3801
msgid "Cannot resize loop device."
msgstr "No se ha podido cambiar el tamaño del dispositivo de bucle."
#: lib/setup.c:3839
#: lib/setup.c:3845
msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
msgstr "ATENCIÓN: ya se ha puesto el tamaño máximo o el núcleo no permite cambiarlo.\n"
#: lib/setup.c:3905
#: lib/setup.c:3911
msgid "Resize failed, the kernel doesn't support it."
msgstr "El cambio de tamaño ha fallado; el núcleo no admite el cambio."
#: lib/setup.c:3937
#: lib/setup.c:3943
msgid "Do you really want to change UUID of device?"
msgstr "¿Está seguro de que quiere cambiar el UUID del dispositivo?"
#: lib/setup.c:4029
#: lib/setup.c:4035
msgid "Header backup file does not contain compatible LUKS header."
msgstr "El fichero de copia de seguridad de la cabecera no contiene una cabecera LUKS compatible."
#: lib/setup.c:4122
#: lib/setup.c:4128
#, c-format
msgid "Volume %s is not active."
msgstr "El volumen %s no está activo."
#: lib/setup.c:4177
#: lib/setup.c:4183
#, c-format
msgid "Volume %s is already suspended."
msgstr "El volumen %s ya está suspendido."
#: lib/setup.c:4203
#: lib/setup.c:4209
#, c-format
msgid "Suspend is not supported for device %s."
msgstr "La suspensión no está disponible para el dispositivo %s."
#: lib/setup.c:4205 lib/setup.c:4213
#: lib/setup.c:4211 lib/setup.c:4219
#, c-format
msgid "Error during suspending device %s."
msgstr "Error durante la suspensión del dispositivo %s."
#: lib/setup.c:4228
#: lib/setup.c:4234
#, c-format
msgid "Device %s was suspended but hardware OPAL device cannot be locked."
msgstr "Se ha suspendido el dispositivo %s pero el dispositivo OPAL hardware no puede bloquearse."
#: lib/setup.c:4259 lib/setup.c:4436
#: lib/setup.c:4265 lib/setup.c:4442
#, c-format
msgid "Resume is not supported for device %s."
msgstr "La reanudación no está disponible para el dispositivo %s."
#: lib/setup.c:4261 lib/setup.c:4426 lib/setup.c:4438
#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
#, c-format
msgid "Error during resuming device %s."
msgstr "Error durante la reanudación del dispositivo %s."
#: lib/setup.c:4280
#: lib/setup.c:4286
msgid "Failed to unlink volume key from user specified keyring."
msgstr "No se ha podido desvincular la clave del volumen del llavero de usuario especificado."
#: lib/setup.c:4402 lib/setup.c:5568
#: lib/setup.c:4408 lib/setup.c:5574
msgid "Failed to link volume key in user defined keyring."
msgstr "No se ha podido vincular la clave del volumne en el llavero de usuario especificado."
#: lib/setup.c:4500 src/cryptsetup.c:2714
#: lib/setup.c:4506 src/cryptsetup.c:2714
#, c-format
msgid "Volume %s is not suspended."
msgstr "EL volumen %s no está suspendido."
#: lib/setup.c:4601 lib/setup.c:7233 lib/setup.c:7255 lib/setup.c:7309
#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
msgid "Volume key does not match the volume."
msgstr "La clave de volumen no corresponde a este volumen."
#: lib/setup.c:4755
#: lib/setup.c:4761
msgid "Failed to swap new key slot."
msgstr "No se ha logrado intercambiar la nueva ranura de claves."
#: lib/setup.c:4853
#: lib/setup.c:4859
#, c-format
msgid "Key slot %d is invalid."
msgstr "La ranura de claves %d no es válida."
#: lib/setup.c:4859 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
#, c-format
msgid "Keyslot %d is not active."
msgstr "La ranura de claves %d no está activa."
#: lib/setup.c:4878
#: lib/setup.c:4884
msgid "Device header overlaps with data area."
msgstr "La cabecera del dispositivo se solapa con la zona de datos."
#: lib/setup.c:5099
#: lib/setup.c:5105
msgid "Reencryption in-progress. Cannot activate device."
msgstr "Recifrado en curso. No se puede activar el dispositivo."
#: lib/setup.c:5101 lib/luks2/luks2_json_metadata.c:2884
#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
#: lib/luks2/luks2_reencrypt.c:3714
msgid "Failed to get reencryption lock."
msgstr "No se ha podido conseguir el bloqueo de recifrado."
#: lib/setup.c:5123
#: lib/setup.c:5129
msgid "LUKS2 reencryption recovery using volume key(s) failed."
msgstr "La recuperación del recifrado LUKS2 utilizando la(s) clave(s) de volumen ha fallado."
#: lib/setup.c:5259
#: lib/setup.c:5265
#, c-format
msgid "Device %s already exists."
msgstr "El dispositivo %s ya existe."
#: lib/setup.c:5266
#: lib/setup.c:5272
#, c-format
msgid "Cannot use device %s, name is invalid or still in use."
msgstr "No se puede utilizar el dispositivo %s; el nombre no es válido o todavía está en uso."
#: lib/setup.c:5278
#: lib/setup.c:5284
msgid "Reencryption volume keys do not match the volume."
msgstr "Las claves de volumen de recifrado no corresponden a este volumen."
#: lib/setup.c:5295
#: lib/setup.c:5301
msgid "Incorrect volume key specified for plain device."
msgstr "Clave de volumen incorrecta para dispositivo no cifrado."
#: lib/setup.c:5321 lib/setup.c:5382
#: lib/setup.c:5327 lib/setup.c:5388
msgid "Device type is not properly initialized."
msgstr "Este tipo de dispositivo no se ha inicializado adecuadamente."
#: lib/setup.c:5420
#: lib/setup.c:5426
msgid "Kernel keyring is not supported by the kernel."
msgstr "El llavero de núcleo no está admitido en el núcleo."
#: lib/setup.c:5424
#: lib/setup.c:5430
msgid "Kernel keyring missing: required for passing signature to kernel."
msgstr "El llavero de núcleo está ausente: se necesita para pasar la firma al núcleo."
#: lib/setup.c:5476
#: lib/setup.c:5482
#, c-format
msgid "Cannot use keyring key %s."
msgstr "No se puede la clave %s del llavero."
#: lib/setup.c:5689
#: lib/setup.c:5695
msgid "Incorrect root hash specified for verity device."
msgstr "«Hash» raíz incorrecta para dispositivo «verity»."
#: lib/setup.c:5730 lib/setup.c:5755
#: lib/setup.c:5736 lib/setup.c:5761
msgid "OPAL does not support deferred deactivation."
msgstr "OPAL no dispone de desactivación diferida."
#: lib/setup.c:5745 lib/setup.c:5776 lib/luks2/luks2_json_metadata.c:2949
#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
#: src/utils_reencrypt.c:89
#, c-format
msgid "Device %s is still in use."
msgstr "El dispositivo %s todavía se está utilizando."
#: lib/setup.c:5763
#: lib/setup.c:5769
#, c-format
msgid "Could not cancel deferred remove from device %s."
msgstr "No se ha podido cancelar la eliminación diferida en el dispositivo %s."
#: lib/setup.c:5785
#: lib/setup.c:5791
#, c-format
msgid "Invalid device %s."
msgstr "Dispositivo inválido %s."
#: lib/setup.c:5926
#: lib/setup.c:5932
msgid "Volume key buffer too small."
msgstr "El «buffer» de la clave del volumen es demasiado pequeño."
#: lib/setup.c:5937
#: lib/setup.c:5943
msgid "Cannot retrieve volume key for LUKS2 device."
msgstr "No se puede recuperar la clave del volumen para el dispositivo LUKS2."
#: lib/setup.c:5946
#: lib/setup.c:5952
msgid "Cannot retrieve volume key for LUKS1 device."
msgstr "No se puede recuperar la clave del volumen para el dispositivo LUKS1."
#: lib/setup.c:5960
#: lib/setup.c:5966
msgid "Cannot retrieve volume key for plain device."
msgstr "No se puede recuperar la clave para el dispositivo no cifrado."
#: lib/setup.c:5968
#: lib/setup.c:5974
msgid "Cannot retrieve root hash for verity device."
msgstr "No se puede recuperar el «hash» raíz para dispositivo «verity»."
#: lib/setup.c:5975
#: lib/setup.c:5981
msgid "Cannot retrieve volume key for BITLK device."
msgstr "No se puede recuperar la clave del volumen para el dispositivo BITLK."
#: lib/setup.c:5980
#: lib/setup.c:5986
msgid "Cannot retrieve volume key for FVAULT2 device."
msgstr "No se puede recuperar la clave del volumen para el dispositivo FVAULT2."
#: lib/setup.c:5982
#: lib/setup.c:5988
#, c-format
msgid "This operation is not supported for %s crypt device."
msgstr "Esta operación no está disponible para el dispositivo cifrado %s."
#: lib/setup.c:6167 lib/setup.c:6178
#: lib/setup.c:6173 lib/setup.c:6184
msgid "Dump operation is not supported for this device type."
msgstr "Operación de volcado no deisponible para este tipo de dispositivo."
#: lib/setup.c:6558
#: lib/setup.c:6564
#, c-format
msgid "Data offset is not multiple of %u bytes."
msgstr "El desplazamiento de datos no es múltiplo de %u bytes."
#: lib/setup.c:6866
#: lib/setup.c:6872
#, c-format
msgid "Cannot convert device %s which is still in use."
msgstr "No se puede convertir el dispositivo %s que todavía está en uso."
#: lib/setup.c:7174 lib/setup.c:7318
#: lib/setup.c:7180 lib/setup.c:7324
#, c-format
msgid "Failed to assign keyslot %u as the new volume key."
msgstr "No se ha logrado asignar la ranura de claves %u como nueva clave del volumen."
#: lib/setup.c:7198
#: lib/setup.c:7204
msgid "Failed to initialize default LUKS2 keyslot parameters."
msgstr "No se han podido inicializar los parámetros predefinidos de la ranura de claves LUKS2."
#: lib/setup.c:7204
#: lib/setup.c:7210
#, c-format
msgid "Failed to assign keyslot %d to digest."
msgstr "No se ha logrado asignar la ranura de claves %d al resumen."
#: lib/setup.c:7435
#: lib/setup.c:7441
msgid "Cannot add key slot, all slots disabled and no volume key provided."
msgstr "No se puede añadir ranura de claves; todas las ranuras están desactivadas y no se ha proporcionado una clave para el volumen."
#: lib/setup.c:7508 lib/verity/verity.c:333
#: lib/setup.c:7514 lib/verity/verity.c:333
msgid "Failed to load key in kernel keyring."
msgstr "No se ha podido cargar la clave en el llavero del núcleo."
#: lib/setup.c:7699
#: lib/setup.c:7705
#, c-format
msgid "Could not find keyring described by \"%s\"."
msgstr "No se ha podido encontrar el llavero descrito por «%s»."
#: lib/setup.c:7764
#: lib/setup.c:7770
msgid "Failed to acquire global memory-hard access serialization lock."
msgstr "No se ha podido adquirir el bloqueo de la serialización de acceso duro de memoria global."
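Review bot: The msgstr for "Cannot use keyring key %s." (lib/setup.c:5482) reads "No se puede la clave %s del llavero.", which has lost its verb; it should be "No se puede utilizar la clave %s del llavero.", matching the "utilizar" used for "Cannot use device %s" earlier in this hunk. Since the hunk only refreshes source locations, two other context entries are worth fixing in the same pass. In the entry for "Dump operation is not supported for this device type." (lib/setup.c:6173), "deisponible" is a typo for "disponible". In the two "plain device" entries (lib/setup.c:5301 and lib/setup.c:5966), "dispositivo no cifrado" tells the user the device is unencrypted, whereas "plain" names a device type here; the French catalogue keeps it as « plain » for the same msgid.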
@@ -953,10 +953,15 @@ msgid "Requested maximum PBKDF memory cannot be zero."
msgstr "La memoria máxima solicitada de PBKDF no puede ser cero."
#: lib/utils_pbkdf.c:173
#, c-format
msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
msgstr "El coste paralelo de PBKDF máximo solicitado es demasiado alto (el máximo es %d)."
#: lib/utils_pbkdf.c:178
msgid "Requested PBKDF parallel threads cannot be zero."
msgstr "Los hilos paralelos solicitados de PBKDF no pueden ser cero."
#: lib/utils_pbkdf.c:193
#: lib/utils_pbkdf.c:198
msgid "Only PBKDF2 is supported in FIPS mode."
msgstr "Solo se admite PBKDF2 en el modo FIPS."
@@ -1315,7 +1320,7 @@ msgstr "No se puede determinar el desplazamiento de la partición del sistema TC
msgid "Kernel does not support TCRYPT compatible mapping."
msgstr "El núcleo no admite asignación compatible con TCRYPT."
#: lib/tcrypt/tcrypt.c:1126
#: lib/tcrypt/tcrypt.c:1144
msgid "This function is not supported without TCRYPT header load."
msgstr "Esta función no está disponible sin carga de cabecera TCRYPT."
@@ -1403,45 +1408,45 @@ msgstr "Tamaño %<PRIu32> de metadatos BEK no esperado, no coincide con la longi
msgid "Unexpected metadata entry found when parsing startup key."
msgstr "Entrada de metadatos encontrada inesperadamente mientras se analizaba clave de inicio."
#: lib/bitlk/bitlk.c:1067
#: lib/bitlk/bitlk.c:1069
msgid "This operation is not supported."
msgstr "Esta operación no está disponible."
#: lib/bitlk/bitlk.c:1075
#: lib/bitlk/bitlk.c:1077
msgid "Unexpected key data size."
msgstr "Tamaño de datos de la clave no esperado."
#: lib/bitlk/bitlk.c:1203
#: lib/bitlk/bitlk.c:1205
msgid "This BITLK device is in an unsupported state and cannot be activated."
msgstr "Este dispositivo BITLK se encuentra en un estado en el que no puede activarse."
#: lib/bitlk/bitlk.c:1208
#: lib/bitlk/bitlk.c:1210
#, c-format
msgid "BITLK devices with type '%s' cannot be activated."
msgstr "Los dispositivos BITLK con tipo '%s' no puede activarse."
#: lib/bitlk/bitlk.c:1215
#: lib/bitlk/bitlk.c:1217
msgid "Activation of BITLK device with clear key protection is not supported."
msgstr "La activación del dispositivo BITLK con protección de clave en claro no está disponible."
#: lib/bitlk/bitlk.c:1256
#: lib/bitlk/bitlk.c:1258
#, c-format
msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
msgstr "ATENCIÓN: el tamaño del volumen «bitlocker» %<PRIu64> no coincide con el tamaño del dispositivo subyacente %<PRIu64>"
#: lib/bitlk/bitlk.c:1383
#: lib/bitlk/bitlk.c:1385
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para BITLK IV."
#: lib/bitlk/bitlk.c:1387
#: lib/bitlk/bitlk.c:1389
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para difusor BITLK «Elephant»."
#: lib/bitlk/bitlk.c:1391
#: lib/bitlk/bitlk.c:1393
msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para tamaño de sector grande."
#: lib/bitlk/bitlk.c:1395
#: lib/bitlk/bitlk.c:1397
msgid "Cannot activate device, kernel dm-zero module is missing."
msgstr "No se puede activar el dispositivo; falta el módulo dm-zero del núcleo."
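Review bot: In the entry for "BITLK devices with type '%s' cannot be activated." (lib/bitlk/bitlk.c:1210) the msgstr pairs a plural subject with a singular verb, "Los dispositivos BITLK con tipo '%s' no puede activarse"; it should read "no pueden activarse". The entry just above it (lib/bitlk/bitlk.c:1205) also drops "unsupported" from the msgid: "en un estado en el que no puede activarse" says the state prevents activation but not that the state itself is unsupported, so wording along the lines of "en un estado no admitido y no puede activarse" would follow the source more closely.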
@@ -3338,6 +3343,10 @@ msgstr ""
msgid "Formatted with tag size %u%s, internal integrity %s.\n"
msgstr "Formato dado con tamaño de etiqueta %u%s, integridad interna %s.\n"
#: src/integritysetup.c:214
msgid " (inline hw tags)"
msgstr " (etiquetas hw en línea)"
#: src/integritysetup.c:297
msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
msgstr "No se puede poner la opción de recalcular; valore la alternativa de utilizar --wipe."

po/fr.po

@@ -7,10 +7,10 @@
# Frédéric Marchal <fmarchal@perso.be>, 2025.
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2.8.0-rc0\n"
"Project-Id-Version: cryptsetup 2.8.1-rc0\n"
"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
"POT-Creation-Date: 2025-06-03 09:23+0200\n"
"PO-Revision-Date: 2025-06-03 17:13+0200\n"
"POT-Creation-Date: 2025-08-13 13:45+0200\n"
"PO-Revision-Date: 2025-08-14 15:50+0200\n"
"Last-Translator: Frédéric Marchal <fmarchal@perso.be>\n"
"Language-Team: French <traduc@traduc.org>\n"
"Language: fr\n"
@@ -156,7 +156,7 @@ msgstr "Erreur de traitement de clé (valeur hachage %s)."
msgid "Cannot determine device type. Incompatible activation of device?"
msgstr "Impossible de déterminer le type de périphérique. Activation du périphérique incompatible ?"
#: lib/setup.c:395 lib/setup.c:4139
#: lib/setup.c:395 lib/setup.c:4145
msgid "This operation is supported only for LUKS device."
msgstr "Cette opération n'est possible que pour les périphériques LUKS."
@@ -178,7 +178,7 @@ msgstr "L'emplacement de clé %d n'est pas valide, merci d'en choisir un entre 0
msgid "Key slot %d is full, please select another one."
msgstr "L'emplacement de clé %d est utilisé, merci d'en sélectionner un autre."
#: lib/setup.c:531 lib/setup.c:3854
#: lib/setup.c:531 lib/setup.c:3860
msgid "Device size is not aligned to device logical block size."
msgstr "La taille du périphérique n'est pas alignée avec la taille d'un bloc logique du périphérique."
@@ -187,7 +187,7 @@ msgstr "La taille du périphérique n'est pas alignée avec la taille d'un bloc
msgid "Header detected but device %s is too small."
msgstr "En-tête détecté mais le périphérique %s est trop petit."
#: lib/setup.c:669 lib/setup.c:3739 lib/setup.c:5206
#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
msgid "This operation is not supported for this device type."
msgstr "Cette opération n'est pas supportée pour ce type de périphérique."
@@ -220,8 +220,8 @@ msgstr "La version %d de LUKS n'est pas supportée."
msgid "No known cipher specification pattern detected for active device %s."
msgstr "Aucun motif connu d'algorithme de chiffrement n'a été détecté pour le périphérique actif %s."
#: lib/setup.c:1515 lib/setup.c:3486 lib/setup.c:3578 lib/setup.c:3590
#: lib/setup.c:3762 lib/setup.c:5781
#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
#: lib/setup.c:3768 lib/setup.c:5787
#, c-format
msgid "Device %s is not active."
msgstr "Le périphérique %s n'est pas activé."
@@ -252,7 +252,7 @@ msgstr "Un périphérique avec des métadonnées détachées n'est pas supporté
msgid "Unsupported encryption sector size."
msgstr "Taille de secteur de chiffrement non supportée."
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3848
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
msgid "Device size is not aligned to requested sector size."
msgstr "La taille du périphérique n'est pas alignée avec la taille de secteur demandée."
@@ -361,7 +361,7 @@ msgstr "L'alignement de données demandé les exigences de la plage d'alignement
msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
msgstr "La taille du périphérique est compensée avec %<PRIu64> secteurs pour l'aligner avec la granularité de l'alignement de OPAL."
#: lib/setup.c:2528 lib/setup.c:4222 lib/setup.c:4411 lib/utils_wipe.c:356
#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
#, c-format
msgid "Failed to acquire OPAL lock on device %s."
@@ -435,318 +435,318 @@ msgstr "Désaccord avec la taille de la clé."
msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
msgstr "ATTENTION : La taille %d demandée pour l'étiquette est différente de la taille de sortie de %s (%d octets).\n"
#: lib/setup.c:3031 lib/setup.c:3129
#: lib/setup.c:3037 lib/setup.c:3135
#, c-format
msgid "Unknown or unsupported device type %s requested."
msgstr "Type de périphérique %s demandé inconnu ou non supporté."
#: lib/setup.c:3043
#: lib/setup.c:3049
#, c-format
msgid "Device %s does not provide inline integrity data fields."
msgstr "Le périphérique %s ne fourni pas de champs de données d'intégrité en ligne."
#: lib/setup.c:3049
#: lib/setup.c:3055
#, c-format
msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
msgstr "La taille d'étiquette en ligne %<PRIu32> [octets] est plus grande que %<PRIu32> fournie par le périphérique %s."
#: lib/setup.c:3064
#: lib/setup.c:3070
#, c-format
msgid "Sector must be the same as device hardware sector (%zu bytes)."
msgstr "Le secteur doit être le même que le secteur matériel du périphérique (%zu octets)."
#: lib/setup.c:3494 lib/setup.c:3583 lib/setup.c:3596
#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
#, c-format
msgid "Unsupported parameters on device %s."
msgstr "Paramètres non supportés sur le périphérique %s."
#: lib/setup.c:3500 lib/setup.c:3603 lib/luks2/luks2_reencrypt.c:2920
#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
#, c-format
msgid "Mismatching parameters on device %s."
msgstr "Paramètres non concordants sur le périphérique %s."
#: lib/setup.c:3626
#: lib/setup.c:3632
msgid "Crypt devices mismatch."
msgstr "Désaccord entre les périphériques crypt."
#: lib/setup.c:3658 lib/setup.c:3663 lib/luks2/luks2_reencrypt.c:2404
#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
#, c-format
msgid "Failed to reload device %s."
msgstr "Impossible de recharger le périphérique %s."
#: lib/setup.c:3669 lib/setup.c:3675 lib/luks2/luks2_reencrypt.c:2375
#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
#, c-format
msgid "Failed to suspend device %s."
msgstr "Impossible de suspendre le périphérique %s."
#: lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2389
#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
#: lib/luks2/luks2_reencrypt.c:4228
#, c-format
msgid "Failed to resume device %s."
msgstr "Impossible de redémarrer le périphérique %s."
#: lib/setup.c:3696
#: lib/setup.c:3702
#, c-format
msgid "Fatal error while reloading device %s (on top of device %s)."
msgstr "Erreur fatale en rechargeant le périphérique %s (au dessus du périphérique %s)"
#: lib/setup.c:3699 lib/setup.c:3701
#: lib/setup.c:3705 lib/setup.c:3707
#, c-format
msgid "Failed to switch device %s to dm-error."
msgstr "Impossible de basculer le périphérique %s en dm-error."
#: lib/setup.c:3744
#: lib/setup.c:3750
msgid "Can not resize LUKS2 device with static size."
msgstr "Impossible de redimensionner le périphérique LUKS2 avec une taille statique."
#: lib/setup.c:3749
#: lib/setup.c:3755
msgid "Resize of LUKS2 device with integrity protection is not supported."
msgstr "Le redimensionnement d'un périphérique LUKS2 avec un protection d'intégrité n'est pas supporté."
#: lib/setup.c:3795
#: lib/setup.c:3801
msgid "Cannot resize loop device."
msgstr "Impossible de redimensionner le périphérique loopback."
#: lib/setup.c:3839
#: lib/setup.c:3845
msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
msgstr "ATTENTION: La taille maximale est déjà définie ou le noyau ne supporte pas le redimensionnement.\n"
#: lib/setup.c:3905
#: lib/setup.c:3911
msgid "Resize failed, the kernel doesn't support it."
msgstr "Le redimensionnement a échoué, le noyau ne le supporte pas."
#: lib/setup.c:3937
#: lib/setup.c:3943
msgid "Do you really want to change UUID of device?"
msgstr "Voulez vous réellement changer l'UUID du périphérique ?"
#: lib/setup.c:4029
#: lib/setup.c:4035
msgid "Header backup file does not contain compatible LUKS header."
msgstr "Le fichier de sauvegarde de l'en-tête ne contient pas d'en-tête compatible LUKS."
#: lib/setup.c:4122
#: lib/setup.c:4128
#, c-format
msgid "Volume %s is not active."
msgstr "Le volume %s n'est pas actif."
#: lib/setup.c:4177
#: lib/setup.c:4183
#, c-format
msgid "Volume %s is already suspended."
msgstr "Le volume %s est déjà suspendu."
#: lib/setup.c:4203
#: lib/setup.c:4209
#, c-format
msgid "Suspend is not supported for device %s."
msgstr "Le périphérique %s ne supporte pas la suspension."
#: lib/setup.c:4205 lib/setup.c:4213
#: lib/setup.c:4211 lib/setup.c:4219
#, c-format
msgid "Error during suspending device %s."
msgstr "Erreur lors de la suspension du périphérique %s."
#: lib/setup.c:4228
#: lib/setup.c:4234
#, c-format
msgid "Device %s was suspended but hardware OPAL device cannot be locked."
msgstr "Le périphérique %s a été suspendu mais le périphérique matériel OPAL ne sait pas être verrouillé."
#: lib/setup.c:4259 lib/setup.c:4436
#: lib/setup.c:4265 lib/setup.c:4442
#, c-format
msgid "Resume is not supported for device %s."
msgstr "Le périphérique %s ne supporte pas la remise en service."
#: lib/setup.c:4261 lib/setup.c:4426 lib/setup.c:4438
#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
#, c-format
msgid "Error during resuming device %s."
msgstr "Erreur lors de la remise en service du périphérique %s."
#: lib/setup.c:4280
#: lib/setup.c:4286
msgid "Failed to unlink volume key from user specified keyring."
msgstr "Impossible de délier la clé du porte-clé utilisateur spécifié."
#: lib/setup.c:4402 lib/setup.c:5568
#: lib/setup.c:4408 lib/setup.c:5574
msgid "Failed to link volume key in user defined keyring."
msgstr "Impossible de lier la clé de volume dans le porte-clé utilisateur."
#: lib/setup.c:4500 src/cryptsetup.c:2714
#: lib/setup.c:4506 src/cryptsetup.c:2714
#, c-format
msgid "Volume %s is not suspended."
msgstr "Le volume %s n'est pas suspendu."
#: lib/setup.c:4601 lib/setup.c:7233 lib/setup.c:7255 lib/setup.c:7309
#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
msgid "Volume key does not match the volume."
msgstr "Ceci n'est pas la clé du volume."
#: lib/setup.c:4755
#: lib/setup.c:4761
msgid "Failed to swap new key slot."
msgstr "Nouvel emplacement de clé impossible à échanger."
#: lib/setup.c:4853
#: lib/setup.c:4859
#, c-format
msgid "Key slot %d is invalid."
msgstr "L'emplacement de clé %d n'est pas valide."
#: lib/setup.c:4859 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
#, c-format
msgid "Keyslot %d is not active."
msgstr "L'emplacement de clé %d n'est pas actif."
#: lib/setup.c:4878
#: lib/setup.c:4884
msgid "Device header overlaps with data area."
msgstr "L'en-tête du périphérique recouvre la zone de données."
#: lib/setup.c:5099
#: lib/setup.c:5105
msgid "Reencryption in-progress. Cannot activate device."
msgstr "Re-chiffrement en cours. Impossible d'activer le périphérique."
#: lib/setup.c:5101 lib/luks2/luks2_json_metadata.c:2884
#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
#: lib/luks2/luks2_reencrypt.c:3714
msgid "Failed to get reencryption lock."
msgstr "Impossible d'obtenir le verrou de re-chiffrement."
#: lib/setup.c:5123
#: lib/setup.c:5129
msgid "LUKS2 reencryption recovery using volume key(s) failed."
msgstr "La récupération du rechiffrement LUKS2 avec la/les clé(s) de volume a échoué."
#: lib/setup.c:5259
#: lib/setup.c:5265
#, c-format
msgid "Device %s already exists."
msgstr "Le périphérique %s existe déjà."
#: lib/setup.c:5266
#: lib/setup.c:5272
#, c-format
msgid "Cannot use device %s, name is invalid or still in use."
msgstr "Impossible d'utiliser le périphérique %s, le nom est invalide ou est toujours utilisé."
#: lib/setup.c:5278
#: lib/setup.c:5284
msgid "Reencryption volume keys do not match the volume."
msgstr "Les clés de rechiffrement du volume ne correspondent pas au volume."
#: lib/setup.c:5295
#: lib/setup.c:5301
msgid "Incorrect volume key specified for plain device."
msgstr "Clé de volume incorrecte pour le périphérique en clair."
#: lib/setup.c:5321 lib/setup.c:5382
#: lib/setup.c:5327 lib/setup.c:5388
msgid "Device type is not properly initialized."
msgstr "Type de périphérique improprement initialisé."
#: lib/setup.c:5420
#: lib/setup.c:5426
msgid "Kernel keyring is not supported by the kernel."
msgstr "Le porte-clé du noyau n'est pas supporté par ce noyau."
#: lib/setup.c:5424
#: lib/setup.c:5430
msgid "Kernel keyring missing: required for passing signature to kernel."
msgstr "Le porte-clé du noyau est manquant : il est requis pour passer une signature au noyau."
#: lib/setup.c:5476
#: lib/setup.c:5482
#, c-format
msgid "Cannot use keyring key %s."
msgstr "Impossible d'utiliser la clé %s du porte clé."
#: lib/setup.c:5689
#: lib/setup.c:5695
msgid "Incorrect root hash specified for verity device."
msgstr "Hachage racine incorrect spécifié pour le périphérique verity."
#: lib/setup.c:5730 lib/setup.c:5755
#: lib/setup.c:5736 lib/setup.c:5761
msgid "OPAL does not support deferred deactivation."
msgstr "OPAL ne supporte pas la désactivation différée."
#: lib/setup.c:5745 lib/setup.c:5776 lib/luks2/luks2_json_metadata.c:2949
#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
#: src/utils_reencrypt.c:89
#, c-format
msgid "Device %s is still in use."
msgstr "Le périphérique %s est toujours occupé."
#: lib/setup.c:5763
#: lib/setup.c:5769
#, c-format
msgid "Could not cancel deferred remove from device %s."
msgstr "Impossible d'annuler la suppression différée du périphérique %s."
#: lib/setup.c:5785
#: lib/setup.c:5791
#, c-format
msgid "Invalid device %s."
msgstr "Le périphérique %s n'est pas valide."
#: lib/setup.c:5926
#: lib/setup.c:5932
msgid "Volume key buffer too small."
msgstr "Le tampon de la clé du volume est trop petit."
#: lib/setup.c:5937
#: lib/setup.c:5943
msgid "Cannot retrieve volume key for LUKS2 device."
msgstr "Impossible de récupérer la clé du volume pour le périphérique LUKS2."
#: lib/setup.c:5946
#: lib/setup.c:5952
msgid "Cannot retrieve volume key for LUKS1 device."
msgstr "Impossible de récupérer la clé du volume pour le périphérique LUKS1."
#: lib/setup.c:5960
#: lib/setup.c:5966
msgid "Cannot retrieve volume key for plain device."
msgstr "Impossible de récupérer la clé du volume pour ce périphérique de type « plain »."
#: lib/setup.c:5968
#: lib/setup.c:5974
msgid "Cannot retrieve root hash for verity device."
msgstr "Impossible de récupérer le hachage racine pour le périphérique verity."
#: lib/setup.c:5975
#: lib/setup.c:5981
msgid "Cannot retrieve volume key for BITLK device."
msgstr "Impossible de récupérer la clé du volume pour le périphérique BITLK."
#: lib/setup.c:5980
#: lib/setup.c:5986
msgid "Cannot retrieve volume key for FVAULT2 device."
msgstr "Impossible de récupérer la clé du volume pour le périphérique FVAULT2."
#: lib/setup.c:5982
#: lib/setup.c:5988
#, c-format
msgid "This operation is not supported for %s crypt device."
msgstr "Cette opération n'est pas possible pour le périphérique chiffré %s."
#: lib/setup.c:6167 lib/setup.c:6178
#: lib/setup.c:6173 lib/setup.c:6184
msgid "Dump operation is not supported for this device type."
msgstr "L'opération de vidage n'est pas supportée pour ce type de périphérique."
#: lib/setup.c:6558
#: lib/setup.c:6564
#, c-format
msgid "Data offset is not multiple of %u bytes."
msgstr "Le décalage des données n'est pas un multiple de %u octets."
#: lib/setup.c:6866
#: lib/setup.c:6872
#, c-format
msgid "Cannot convert device %s which is still in use."
msgstr "Impossible de convertir le périphérique %s qui est toujours en cours d'utilisation."
#: lib/setup.c:7174 lib/setup.c:7318
#: lib/setup.c:7180 lib/setup.c:7324
#, c-format
msgid "Failed to assign keyslot %u as the new volume key."
msgstr "Échec de l'affectation de l'emplacement de clé %u pour la nouvelle clé de volume."
#: lib/setup.c:7198
#: lib/setup.c:7204
msgid "Failed to initialize default LUKS2 keyslot parameters."
msgstr "Échec de l'initialisation des paramètres par défaut des emplacement de clé LUKS2."
#: lib/setup.c:7204
#: lib/setup.c:7210
#, c-format
msgid "Failed to assign keyslot %d to digest."
msgstr "Échec de l'affectation de l'emplacement de clé %d aux résumé."
#: lib/setup.c:7435
#: lib/setup.c:7441
msgid "Cannot add key slot, all slots disabled and no volume key provided."
msgstr "Impossible d'ajouter un emplacement de clé, tous les emplacements sont désactivés et aucune clé n'a été fournie pour ce volume."
#: lib/setup.c:7508 lib/verity/verity.c:333
#: lib/setup.c:7514 lib/verity/verity.c:333
msgid "Failed to load key in kernel keyring."
msgstr "Impossible de charger la clé dans le porte-clé du noyau."
#: lib/setup.c:7699
#: lib/setup.c:7705
#, c-format
msgid "Could not find keyring described by \"%s\"."
msgstr "Impossible de trouver le porte-clé décrit par « %s »."
#: lib/setup.c:7764
#: lib/setup.c:7770
msgid "Failed to acquire global memory-hard access serialization lock."
msgstr "Erreur lors de l'acquisition du verrou global de sérialisation des accès strictes à la mémoire"
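Review bot: The msgstr for "Fatal error while reloading device %s (on top of device %s)." (lib/setup.c:3702) ends without the full stop that its msgid carries, and so does the last entry of this hunk, "Failed to acquire global memory-hard access serialization lock." (lib/setup.c:7770); both should end in "." like the neighbouring entries. Several context entries here also have agreement errors that could be fixed while the locations are being refreshed: "ne fourni pas" should be "ne fournit pas" (lib/setup.c:3049), "avec un protection" should be "avec une protection" (lib/setup.c:3755), "des emplacement de clé" should be "des emplacements de clé" (lib/setup.c:7204), and "aux résumé" should be "au résumé" (lib/setup.c:7210).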
@@ -887,10 +887,15 @@ msgid "Requested maximum PBKDF memory cannot be zero."
msgstr "La mémoire PBKDF maximum demandée ne peut pas être zéro."
#: lib/utils_pbkdf.c:173
#, c-format
msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
msgstr "Le coût parallèle PBKDF maximum demandé est trop grand (maximum est %d)."
#: lib/utils_pbkdf.c:178
msgid "Requested PBKDF parallel threads cannot be zero."
msgstr "Le nombre de threads parallèles PBKDF demandé ne peut pas être zéro."
#: lib/utils_pbkdf.c:193
#: lib/utils_pbkdf.c:198
msgid "Only PBKDF2 is supported in FIPS mode."
msgstr "Seul PBKDF2 est supporté en mode FIPS."
@@ -1249,7 +1254,7 @@ msgstr "Impossible de déterminer le décalage de la partition système TCRYPT,
msgid "Kernel does not support TCRYPT compatible mapping."
msgstr "Le noyau ne supporte pas les associations de type TCRYPT."
#: lib/tcrypt/tcrypt.c:1126
#: lib/tcrypt/tcrypt.c:1144
msgid "This function is not supported without TCRYPT header load."
msgstr "Cette fonction n'est pas supportée sans le chargement de l'en-tête TCRYPT."
@@ -1337,45 +1342,45 @@ msgstr "La taille inattendue des métadonnées BEK %<PRIu32> ne correspond pas
msgid "Unexpected metadata entry found when parsing startup key."
msgstr "Une entrée de méta-donnée inattendue a été trouvée en analysant la clé de démarrage."
#: lib/bitlk/bitlk.c:1067
#: lib/bitlk/bitlk.c:1069
msgid "This operation is not supported."
msgstr "Cette opération n'est pas supportée."
#: lib/bitlk/bitlk.c:1075
#: lib/bitlk/bitlk.c:1077
msgid "Unexpected key data size."
msgstr "Taille inattendue pour les données de la clé."
#: lib/bitlk/bitlk.c:1203
#: lib/bitlk/bitlk.c:1205
msgid "This BITLK device is in an unsupported state and cannot be activated."
msgstr "Ce périphérique BITLK est dans un état non supporté et ne peut pas être activé."
#: lib/bitlk/bitlk.c:1208
#: lib/bitlk/bitlk.c:1210
#, c-format
msgid "BITLK devices with type '%s' cannot be activated."
msgstr "Les périphériques BITLK avec le type « %s » ne peuvent pas être activés."
#: lib/bitlk/bitlk.c:1215
#: lib/bitlk/bitlk.c:1217
msgid "Activation of BITLK device with clear key protection is not supported."
msgstr "L'activation d'un périphérique BITLK avec une protection par une clé en clair n'est pas supporté."
#: lib/bitlk/bitlk.c:1256
#: lib/bitlk/bitlk.c:1258
#, c-format
msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
msgstr "AVERTISSEMENT: La taille %<PRIu64> du volume BitLocker ne correspond pas à la taille %<PRIu64> du périphérique sous-jacent"
#: lib/bitlk/bitlk.c:1383
#: lib/bitlk/bitlk.c:1385
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas BITLK IV."
#: lib/bitlk/bitlk.c:1387
#: lib/bitlk/bitlk.c:1389
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas le diffuseur BITLK Elephant."
#: lib/bitlk/bitlk.c:1391
#: lib/bitlk/bitlk.c:1393
msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas une grande taille de secteur."
#: lib/bitlk/bitlk.c:1395
#: lib/bitlk/bitlk.c:1397
msgid "Cannot activate device, kernel dm-zero module is missing."
msgstr "Impossible d'activer le périphérique car le module dm-zero est manquant dans le noyau."
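Review bot: The msgstr for "Activation of BITLK device with clear key protection is not supported." (lib/bitlk/bitlk.c:1217) has a gender agreement error: the subject is "L'activation", so "n'est pas supporté" should be "n'est pas supportée". The WARNING entry at lib/bitlk/bitlk.c:1258 is also rendered "AVERTISSEMENT:" while the other WARNING strings visible in this file (lib/setup.c:3845, for example) use "ATTENTION", so one prefix should be chosen for the whole catalogue.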
@@ -3272,6 +3277,10 @@ msgstr ""
msgid "Formatted with tag size %u%s, internal integrity %s.\n"
msgstr "Formaté avec une taille de balise de %u%s, intégrité interne %s.\n"
#: src/integritysetup.c:214
msgid " (inline hw tags)"
msgstr " (étiquettes HW en ligne)"
#: src/integritysetup.c:297
msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
msgstr "Définir le fanion pour le recalcul n'est pas supporté, envisagez plutôt d'utiliser --wipe."
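Review bot: The added msgstr " (étiquettes HW en ligne)" looks like the fragment that fills the %s in the entry directly above it, and that entry calls the same thing a "balise" ("taille de balise de %u%s"), so the printed line would mix two French words for one tag. Using "étiquette" in both would agree with the inline tag size message at lib/setup.c:3055 ("La taille d'étiquette en ligne"). The leading space in the new msgstr is preserved correctly and needs to stay, since the fragment is appended directly after the number.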

po/ja.po

@@ -5,10 +5,10 @@
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2.8.0-rc0\n"
"Project-Id-Version: cryptsetup 2.8.1-rc0\n"
"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
"POT-Creation-Date: 2025-06-03 09:23+0200\n"
"PO-Revision-Date: 2025-06-04 08:39+0900\n"
"POT-Creation-Date: 2025-08-13 13:45+0200\n"
"PO-Revision-Date: 2025-08-14 12:22+0900\n"
"Last-Translator: Hiroshi Takekawa <sian@big.or.jp>\n"
"Language-Team: Japanese <translation-team-ja@lists.sourceforge.net>\n"
"Language: ja\n"
@@ -153,7 +153,7 @@ msgstr "鍵の処理でエラー (ハッシュ %s を使用)。"
msgid "Cannot determine device type. Incompatible activation of device?"
msgstr "デバイスタイプがわかりません。互換性のないデバイスのアクティベーションをしようとしていませんか?"
#: lib/setup.c:395 lib/setup.c:4139
#: lib/setup.c:395 lib/setup.c:4145
msgid "This operation is supported only for LUKS device."
msgstr "この操作は LUKS デバイスでしかサポートされていません。"
@@ -175,7 +175,7 @@ msgstr "キースロット %d は不正です。0 から %d の間を選んで
msgid "Key slot %d is full, please select another one."
msgstr "キースロット %d は使われています。別の番号を選んでください。"
#: lib/setup.c:531 lib/setup.c:3854
#: lib/setup.c:531 lib/setup.c:3860
msgid "Device size is not aligned to device logical block size."
msgstr "デバイスサイズが論理ブロックサイズのアライメントに合いません。"
@@ -184,7 +184,7 @@ msgstr "デバイスサイズが論理ブロックサイズのアライメント
msgid "Header detected but device %s is too small."
msgstr "ヘッダが検出されましたがデバイス %s が小さすぎます。"
#: lib/setup.c:669 lib/setup.c:3739 lib/setup.c:5206
#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
msgid "This operation is not supported for this device type."
msgstr "この操作はこのデバイスタイプではサポートされていません。"
@@ -217,8 +217,8 @@ msgstr "LUKS バージョン %d はサポートされていません。"
msgid "No known cipher specification pattern detected for active device %s."
msgstr "アクティブなデバイス %s に既知の暗号スペックパターンが検出されませんでした。"
#: lib/setup.c:1515 lib/setup.c:3486 lib/setup.c:3578 lib/setup.c:3590
#: lib/setup.c:3762 lib/setup.c:5781
#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
#: lib/setup.c:3768 lib/setup.c:5787
#, c-format
msgid "Device %s is not active."
msgstr "デバイス %s はアクティブではありません。"
@@ -249,7 +249,7 @@ msgstr "分離したメタデータデバイスはこの暗号タイプではサ
msgid "Unsupported encryption sector size."
msgstr "サポートされていない暗号化セクタサイズです。"
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3848
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
msgid "Device size is not aligned to requested sector size."
msgstr "デバイスサイズが要求されたセクタサイズのアライメントに合いません。"
@@ -358,7 +358,7 @@ msgstr "要求されたデータアライメントはロックレンジアライ
msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
msgstr "OPAL のアライメント粒度に合わせるためにデバイスサイズが %<PRIu64> セクタ少なくなります。"
#: lib/setup.c:2528 lib/setup.c:4222 lib/setup.c:4411 lib/utils_wipe.c:356
#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
#, c-format
msgid "Failed to acquire OPAL lock on device %s."
@@ -432,318 +432,318 @@ msgstr "整合性キーのサイズが一致しません。"
msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
msgstr "警告: 指定されたタグのサイズ %d バイトが %s の出力サイズと異なります (%d バイト)。\n"
#: lib/setup.c:3031 lib/setup.c:3129
#: lib/setup.c:3037 lib/setup.c:3135
#, c-format
msgid "Unknown or unsupported device type %s requested."
msgstr "不明もしくはサポートされていないデバイスタイプ %s が指定されました。"
#: lib/setup.c:3043
#: lib/setup.c:3049
#, c-format
msgid "Device %s does not provide inline integrity data fields."
msgstr "デバイス %s はインライン整合性データフィールドを提供しません。"
#: lib/setup.c:3049
#: lib/setup.c:3055
#, c-format
msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
msgstr "インラインタグサイズ %<PRIu32> [bytes] が %<PRIu32> (デバイス %s より取得)より大きいです。"
#: lib/setup.c:3064
#: lib/setup.c:3070
#, c-format
msgid "Sector must be the same as device hardware sector (%zu bytes)."
msgstr "セクタはデバイスハードウェアセクタ (%zu bytes) と同じでなければなりません。"
#: lib/setup.c:3494 lib/setup.c:3583 lib/setup.c:3596
#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
#, c-format
msgid "Unsupported parameters on device %s."
msgstr "デバイス %s のパラメータはサポートしていません。"
#: lib/setup.c:3500 lib/setup.c:3603 lib/luks2/luks2_reencrypt.c:2920
#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
#, c-format
msgid "Mismatching parameters on device %s."
msgstr "デバイス %s のパラメータがミスマッチしています。"
#: lib/setup.c:3626
#: lib/setup.c:3632
msgid "Crypt devices mismatch."
msgstr "Crypt デバイスが一致しません。"
#: lib/setup.c:3658 lib/setup.c:3663 lib/luks2/luks2_reencrypt.c:2404
#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
#, c-format
msgid "Failed to reload device %s."
msgstr "デバイス %s のリロードに失敗しました。"
#: lib/setup.c:3669 lib/setup.c:3675 lib/luks2/luks2_reencrypt.c:2375
#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
#, c-format
msgid "Failed to suspend device %s."
msgstr "デバイス %s のサスペンドに失敗しました。"
#: lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2389
#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
#: lib/luks2/luks2_reencrypt.c:4228
#, c-format
msgid "Failed to resume device %s."
msgstr "デバイス %s のリジュームに失敗しました。"
#: lib/setup.c:3696
#: lib/setup.c:3702
#, c-format
msgid "Fatal error while reloading device %s (on top of device %s)."
msgstr "デバイス %s のリロード中に致命的なエラー(デバイス %s の上で)。"
#: lib/setup.c:3699 lib/setup.c:3701
#: lib/setup.c:3705 lib/setup.c:3707
#, c-format
msgid "Failed to switch device %s to dm-error."
msgstr "デバイス %s を dm-error にスイッチできません。"
#: lib/setup.c:3744
#: lib/setup.c:3750
msgid "Can not resize LUKS2 device with static size."
msgstr "静的サイズの LUKS2 デバイスはリサイズできません。"
#: lib/setup.c:3749
#: lib/setup.c:3755
msgid "Resize of LUKS2 device with integrity protection is not supported."
msgstr "整合性プロテクションつきのLUKS2デバイスのリサイズはサポートされていません。"
#: lib/setup.c:3795
#: lib/setup.c:3801
msgid "Cannot resize loop device."
msgstr "ループデバイスはリサイズできません。"
#: lib/setup.c:3839
#: lib/setup.c:3845
msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
msgstr "警告: 最大サイズが既に設定済かカーネルがリサイズをサポートしていません。\n"
#: lib/setup.c:3905
#: lib/setup.c:3911
msgid "Resize failed, the kernel doesn't support it."
msgstr "リサイズに失敗しました。カーネルがサポートしていません。"
#: lib/setup.c:3937
#: lib/setup.c:3943
msgid "Do you really want to change UUID of device?"
msgstr "デバイスの UUID を本当に変更してもいいですか?"
#: lib/setup.c:4029
#: lib/setup.c:4035
msgid "Header backup file does not contain compatible LUKS header."
msgstr "ヘッダのバックアップファイルの中味が LUKS ヘッダと互換性がありません。"
#: lib/setup.c:4122
#: lib/setup.c:4128
#, c-format
msgid "Volume %s is not active."
msgstr "ボリューム %s はアクティブではありません。"
#: lib/setup.c:4177
#: lib/setup.c:4183
#, c-format
msgid "Volume %s is already suspended."
msgstr "ボリューム %s は既に停止されています。"
#: lib/setup.c:4203
#: lib/setup.c:4209
#, c-format
msgid "Suspend is not supported for device %s."
msgstr "デバイス %s の停止はサポートされていません。"
#: lib/setup.c:4205 lib/setup.c:4213
#: lib/setup.c:4211 lib/setup.c:4219
#, c-format
msgid "Error during suspending device %s."
msgstr "デバイス %s 停止中にエラー。"
#: lib/setup.c:4228
#: lib/setup.c:4234
#, c-format
msgid "Device %s was suspended but hardware OPAL device cannot be locked."
msgstr "デバイス %s は停止されましたが、ハードウェア OPAL デバイスはロックできません。"
#: lib/setup.c:4259 lib/setup.c:4436
#: lib/setup.c:4265 lib/setup.c:4442
#, c-format
msgid "Resume is not supported for device %s."
msgstr "デバイス %s は再開をサポートしていません。"
#: lib/setup.c:4261 lib/setup.c:4426 lib/setup.c:4438
#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
#, c-format
msgid "Error during resuming device %s."
msgstr "デバイス %s の再開中にエラー。"
#: lib/setup.c:4280
#: lib/setup.c:4286
msgid "Failed to unlink volume key from user specified keyring."
msgstr "ボリュームキーを指定されたキーリングからアンリンクできません。"
#: lib/setup.c:4402 lib/setup.c:5568
#: lib/setup.c:4408 lib/setup.c:5574
msgid "Failed to link volume key in user defined keyring."
msgstr "ボリュームキーを指定されたキーリングにリンクできません。"
#: lib/setup.c:4500 src/cryptsetup.c:2714
#: lib/setup.c:4506 src/cryptsetup.c:2714
#, c-format
msgid "Volume %s is not suspended."
msgstr "ボリューム %s は停止されていません。"
#: lib/setup.c:4601 lib/setup.c:7233 lib/setup.c:7255 lib/setup.c:7309
#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
msgid "Volume key does not match the volume."
msgstr "ボリュームキーがボリュームに合いません。"
#: lib/setup.c:4755
#: lib/setup.c:4761
msgid "Failed to swap new key slot."
msgstr "新しいキースロットを交換できませんでした。"
#: lib/setup.c:4853
#: lib/setup.c:4859
#, c-format
msgid "Key slot %d is invalid."
msgstr "キースロット %d は不正です。"
#: lib/setup.c:4859 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
#, c-format
msgid "Keyslot %d is not active."
msgstr "キースロット %d は非アクティブです。"
#: lib/setup.c:4878
#: lib/setup.c:4884
msgid "Device header overlaps with data area."
msgstr "デバイスヘッダがデータ領域に重なっています。"
#: lib/setup.c:5099
#: lib/setup.c:5105
msgid "Reencryption in-progress. Cannot activate device."
msgstr "既に再暗号化中です。デバイスをアクティベートできません。"
#: lib/setup.c:5101 lib/luks2/luks2_json_metadata.c:2884
#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
#: lib/luks2/luks2_reencrypt.c:3714
msgid "Failed to get reencryption lock."
msgstr "再暗号化ロックを取得できません。"
#: lib/setup.c:5123
#: lib/setup.c:5129
msgid "LUKS2 reencryption recovery using volume key(s) failed."
msgstr "ボリュームキーを使った LUKS2 の再暗号化のリカバリに失敗しました。"
#: lib/setup.c:5259
#: lib/setup.c:5265
#, c-format
msgid "Device %s already exists."
msgstr "デバイス %s は既に存在します。"
#: lib/setup.c:5266
#: lib/setup.c:5272
#, c-format
msgid "Cannot use device %s, name is invalid or still in use."
msgstr "デバイス %s を使えません。名前が不正か使用中です。"
#: lib/setup.c:5278
#: lib/setup.c:5284
msgid "Reencryption volume keys do not match the volume."
msgstr "再暗号化ボリュームキーがボリュームに合いません。"
#: lib/setup.c:5295
#: lib/setup.c:5301
msgid "Incorrect volume key specified for plain device."
msgstr "正しくないボリュームキーがプレーンデバイスに指定されました。"
#: lib/setup.c:5321 lib/setup.c:5382
#: lib/setup.c:5327 lib/setup.c:5388
msgid "Device type is not properly initialized."
msgstr "デバイスタイプが正しく初期化されていません。"
#: lib/setup.c:5420
#: lib/setup.c:5426
msgid "Kernel keyring is not supported by the kernel."
msgstr "カーネルがカーネルキーリングをサポートしていません。"
#: lib/setup.c:5424
#: lib/setup.c:5430
msgid "Kernel keyring missing: required for passing signature to kernel."
msgstr "署名をカーネルに渡すのに必要なカーネルキーリングをカーネルがサポートしていません。"
#: lib/setup.c:5476
#: lib/setup.c:5482
#, c-format
msgid "Cannot use keyring key %s."
msgstr "キーリングキー %s が使えません。"
#: lib/setup.c:5689
#: lib/setup.c:5695
msgid "Incorrect root hash specified for verity device."
msgstr "正しくないルートハッシュが verity デバイスに指定されました。"
#: lib/setup.c:5730 lib/setup.c:5755
#: lib/setup.c:5736 lib/setup.c:5761
msgid "OPAL does not support deferred deactivation."
msgstr "OPAL は遅延デアクティベーションをサポートしていません。"
#: lib/setup.c:5745 lib/setup.c:5776 lib/luks2/luks2_json_metadata.c:2949
#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
#: src/utils_reencrypt.c:89
#, c-format
msgid "Device %s is still in use."
msgstr "デバイス %s は使用中です。"
#: lib/setup.c:5763
#: lib/setup.c:5769
#, c-format
msgid "Could not cancel deferred remove from device %s."
msgstr "デバイス %s からの遅延削除をキャンセルできませんでした。"
#: lib/setup.c:5785
#: lib/setup.c:5791
#, c-format
msgid "Invalid device %s."
msgstr "デバイス %s は不正です。"
#: lib/setup.c:5926
#: lib/setup.c:5932
msgid "Volume key buffer too small."
msgstr "ボリュームキーのバッファが小さすぎます。"
#: lib/setup.c:5937
#: lib/setup.c:5943
msgid "Cannot retrieve volume key for LUKS2 device."
msgstr "LUKS2 デバイス向けのボリュームキーが取得できません。"
#: lib/setup.c:5946
#: lib/setup.c:5952
msgid "Cannot retrieve volume key for LUKS1 device."
msgstr "LUKS1 デバイス向けのボリュームキーが取得できません。"
#: lib/setup.c:5960
#: lib/setup.c:5966
msgid "Cannot retrieve volume key for plain device."
msgstr "プレーンデバイス向けのボリュームキーが取得できません。"
#: lib/setup.c:5968
#: lib/setup.c:5974
msgid "Cannot retrieve root hash for verity device."
msgstr "verity デバイスのルートハッシュが読み出せません。"
#: lib/setup.c:5975
#: lib/setup.c:5981
msgid "Cannot retrieve volume key for BITLK device."
msgstr "BITLK デバイス向けのボリュームキーが取得できません。"
#: lib/setup.c:5980
#: lib/setup.c:5986
msgid "Cannot retrieve volume key for FVAULT2 device."
msgstr "FVAULT2 デバイス向けのボリュームキーが取得できません。"
#: lib/setup.c:5982
#: lib/setup.c:5988
#, c-format
msgid "This operation is not supported for %s crypt device."
msgstr "この操作は %s 暗号化デバイスではサポートされていません。"
#: lib/setup.c:6167 lib/setup.c:6178
#: lib/setup.c:6173 lib/setup.c:6184
msgid "Dump operation is not supported for this device type."
msgstr "このデバイスタイプはダンプ操作をサポートしていません。"
#: lib/setup.c:6558
#: lib/setup.c:6564
#, c-format
msgid "Data offset is not multiple of %u bytes."
msgstr "データオフセットが %u バイトの倍数である必要があります。"
#: lib/setup.c:6866
#: lib/setup.c:6872
#, c-format
msgid "Cannot convert device %s which is still in use."
msgstr "使用中のデバイス %s を変換できません。"
#: lib/setup.c:7174 lib/setup.c:7318
#: lib/setup.c:7180 lib/setup.c:7324
#, c-format
msgid "Failed to assign keyslot %u as the new volume key."
msgstr "新しいボリュームキー向けのキースロット %u を確保できません。"
#: lib/setup.c:7198
#: lib/setup.c:7204
msgid "Failed to initialize default LUKS2 keyslot parameters."
msgstr "デフォルト LUKS2 キースロットパラメータを初期化できません。"
#: lib/setup.c:7204
#: lib/setup.c:7210
#, c-format
msgid "Failed to assign keyslot %d to digest."
msgstr "ダイジェストするためのキースロット %d が確保できません。"
#: lib/setup.c:7435
#: lib/setup.c:7441
msgid "Cannot add key slot, all slots disabled and no volume key provided."
msgstr "キースロットを追加できません。全てのスロットが無効でボリュームキーが渡されませんでした。"
#: lib/setup.c:7508 lib/verity/verity.c:333
#: lib/setup.c:7514 lib/verity/verity.c:333
msgid "Failed to load key in kernel keyring."
msgstr "キーをカーネルキーリングにロードできません。"
#: lib/setup.c:7699
#: lib/setup.c:7705
#, c-format
msgid "Could not find keyring described by \"%s\"."
msgstr "キーリング \"%s\" が見つかりませんでした。"
#: lib/setup.c:7764
#: lib/setup.c:7770
msgid "Failed to acquire global memory-hard access serialization lock."
msgstr "グローバル memory-hard アクセス直列化ロックが取れません。"
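Review bot: The suspend and resume strings in this hunk use two different terms for the same operation. "Failed to suspend device %s." and "Failed to resume device %s." are rendered with サスペンド and リジューム, while "Volume %s is already suspended.", "Suspend is not supported for device %s." and "Resume is not supported for device %s." use 停止 and 再開. Pick one pair so that a user can correlate the library error with the CLI message. Separately, "[bytes]" in the inline tag size string and "(%zu bytes)" in the hardware sector string are left untranslated, whereas the tag size warning at the top of the hunk uses バイト.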
@@ -884,10 +884,15 @@ msgid "Requested maximum PBKDF memory cannot be zero."
msgstr "PBKDF メモリは 0 ではいけません。"
#: lib/utils_pbkdf.c:173
#, c-format
msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
msgstr "指定された PBKDF 並列コストが大きすぎます (最大 %d)。"
#: lib/utils_pbkdf.c:178
msgid "Requested PBKDF parallel threads cannot be zero."
msgstr "要求された PBKDF 並列スレッド数は 0 ではいけません。"
#: lib/utils_pbkdf.c:193
#: lib/utils_pbkdf.c:198
msgid "Only PBKDF2 is supported in FIPS mode."
msgstr "FIPS モードでは PBKDF2 しかサポートしていません。"
@@ -1245,7 +1250,7 @@ msgstr "TCRYPT システムパーティションのオフセットがわから
msgid "Kernel does not support TCRYPT compatible mapping."
msgstr "カーネルが TCRYPT 互換のマッピングをサポートしていません。"
#: lib/tcrypt/tcrypt.c:1126
#: lib/tcrypt/tcrypt.c:1144
msgid "This function is not supported without TCRYPT header load."
msgstr "この機能は TCRYPT ヘッダの読み込みなしではサポートしません。"
@@ -1333,45 +1338,45 @@ msgstr "予期しない BEK メタデータサイズ %<PRIu32> は BEK ファイ
msgid "Unexpected metadata entry found when parsing startup key."
msgstr "スタートアップキーを解釈中に予期しないメタデータエントリが見つかりました。"
#: lib/bitlk/bitlk.c:1067
#: lib/bitlk/bitlk.c:1069
msgid "This operation is not supported."
msgstr "この操作はサポートされていません。"
#: lib/bitlk/bitlk.c:1075
#: lib/bitlk/bitlk.c:1077
msgid "Unexpected key data size."
msgstr "予期しないキーデータサイズです。"
#: lib/bitlk/bitlk.c:1203
#: lib/bitlk/bitlk.c:1205
msgid "This BITLK device is in an unsupported state and cannot be activated."
msgstr "この BITLK デバイスはサポートされてない状態にあるためアクティベートできません。"
#: lib/bitlk/bitlk.c:1208
#: lib/bitlk/bitlk.c:1210
#, c-format
msgid "BITLK devices with type '%s' cannot be activated."
msgstr "タイプ '%s' の BITLK デバイスはアクティベートできません。"
#: lib/bitlk/bitlk.c:1215
#: lib/bitlk/bitlk.c:1217
msgid "Activation of BITLK device with clear key protection is not supported."
msgstr "平文キープロテクションのBITLKのデバイスのアクティベーションはサポートされていません。"
#: lib/bitlk/bitlk.c:1256
#: lib/bitlk/bitlk.c:1258
#, c-format
msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
msgstr "警告: BitLocker ボリュームサイズ %<PRIu64> がデバイスサイズ %<PRIu64> と一致しません"
#: lib/bitlk/bitlk.c:1383
#: lib/bitlk/bitlk.c:1385
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
msgstr "カーネルの dm-crypt が BITLK IV をサポートしていないためデバイスをアクティベートできません。"
#: lib/bitlk/bitlk.c:1387
#: lib/bitlk/bitlk.c:1389
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
msgstr "カーネルの dm-crypt が BITLK Elephant diffuser をサポートしていないためデバイスをアクティベートできません。"
#: lib/bitlk/bitlk.c:1391
#: lib/bitlk/bitlk.c:1393
msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
msgstr "カーネルの dm-crypt がラージセクタサイズをサポートしていないためデバイスをアクティベートできません。"
#: lib/bitlk/bitlk.c:1395
#: lib/bitlk/bitlk.c:1397
msgid "Cannot activate device, kernel dm-zero module is missing."
msgstr "カーネルの dm-zero モジュールがないためデバイスをアクティベートできません。"
@@ -3266,6 +3271,10 @@ msgstr ""
msgid "Formatted with tag size %u%s, internal integrity %s.\n"
msgstr "タグサイズ %u%s、内部整合性は %s でフォーマットされました。\n"
#: src/integritysetup.c:214
msgid " (inline hw tags)"
msgstr " (インラインHWタグ)"
#: src/integritysetup.c:297
msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
msgstr "再計算フラグの設定はサポートされていません。代わりに --wipe を使うことを検討してください。"

2377
po/ka.po

File diff suppressed because it is too large

1879
po/pl.po

File diff suppressed because it is too large

193
po/ro.po

@@ -14,14 +14,16 @@
# Actualizare a traducerii pentru versiunea 2.7.1-rc0, făcută de R-GC, mar-2024.
# Actualizare a traducerii pentru versiunea 2.7.3-rc0, făcută de R-GC, iun-2024.
# Actualizare a traducerii pentru versiunea 2.8.0-rc0, făcută de R-GC, iun-2025.
# Actualizare a traducerii pentru versiunea 2.8.0-rc1, făcută de R-GC, iun-2025.
# Actualizare a traducerii pentru versiunea 2.8.1-rc0, făcută de R-GC, aug-2025.
# Actualizare a traducerii pentru versiunea Y, făcută de X, Y(luna-anul).
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2.8.0-rc0\n"
"Project-Id-Version: cryptsetup 2.8.1-rc0\n"
"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
"POT-Creation-Date: 2025-06-03 09:23+0200\n"
"PO-Revision-Date: 2025-06-03 23:24+0200\n"
"POT-Creation-Date: 2025-08-13 13:45+0200\n"
"PO-Revision-Date: 2025-08-14 13:29+0200\n"
"Last-Translator: Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>\n"
"Language-Team: Romanian <translation-team-ro@lists.sourceforge.net>\n"
"Language: ro\n"
@@ -30,7 +32,7 @@ msgstr ""
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : (n==0 || ((n%100) > 0 && (n%100) < 20)) ? 1 : 2);\n"
"X-Bugs: Report translation errors to the Language-Team address.\n"
"X-Generator: Poedit 3.5\n"
"X-Generator: Poedit 3.6\n"
#: lib/libdevmapper.c:419
msgid "Cannot initialize device-mapper, running as non-root user."
@@ -168,7 +170,7 @@ msgstr "Eroare de procesare a cheii (folosind suma de control %s)."
msgid "Cannot determine device type. Incompatible activation of device?"
msgstr "Nu se poate determina tipul de dispozitiv. Activare a dispozitivului incompatibilă?"
#: lib/setup.c:395 lib/setup.c:4139
#: lib/setup.c:395 lib/setup.c:4145
msgid "This operation is supported only for LUKS device."
msgstr "Această operație este acceptată doar pentru dispozitive LUKS."
@@ -190,7 +192,7 @@ msgstr "Slotul de cheie %d este nu este valid, selectați între 0 și %d."
msgid "Key slot %d is full, please select another one."
msgstr "Slotul pentru chei %d este ocupat, selectați altul."
#: lib/setup.c:531 lib/setup.c:3854
#: lib/setup.c:531 lib/setup.c:3860
msgid "Device size is not aligned to device logical block size."
msgstr "Dimensiunea dispozitivului nu este aliniată la dimensiunea blocului logic al dispozitivului."
@@ -199,7 +201,7 @@ msgstr "Dimensiunea dispozitivului nu este aliniată la dimensiunea blocului log
msgid "Header detected but device %s is too small."
msgstr "Antet detectat, dar dispozitivul %s este prea mic."
#: lib/setup.c:669 lib/setup.c:3739 lib/setup.c:5206
#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
msgid "This operation is not supported for this device type."
msgstr "Această operație nu este suportată pentru acest tip de dispozitiv."
@@ -232,8 +234,8 @@ msgstr "Versiunea %d de LUKS nu este acceptată."
msgid "No known cipher specification pattern detected for active device %s."
msgstr "Nu a fost detectat niciun model cunoscut de specificație de cifrare pentru dispozitivul activ %s."
#: lib/setup.c:1515 lib/setup.c:3486 lib/setup.c:3578 lib/setup.c:3590
#: lib/setup.c:3762 lib/setup.c:5781
#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
#: lib/setup.c:3768 lib/setup.c:5787
#, c-format
msgid "Device %s is not active."
msgstr "Dispozitivul %s nu este activ."
@@ -264,7 +266,7 @@ msgstr "Dispozitivul cu metadate detașate nu este acceptat pentru acest tip de
msgid "Unsupported encryption sector size."
msgstr "Dimensiunea sectorului de criptare nu este acceptată."
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3848
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
msgid "Device size is not aligned to requested sector size."
msgstr "Dimensiunea dispozitivului nu este aliniată la dimensiunea sectorului solicitată."
@@ -373,7 +375,7 @@ msgstr "Alinierea datelor solicitată nu satisface cerințele de aliniere a inte
msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
msgstr "Compensarea dimensiunii dispozitivului cu %<PRIu64> sectoare pentru a-l alinia cu gradul de finețe al alinierii OPAL."
#: lib/setup.c:2528 lib/setup.c:4222 lib/setup.c:4411 lib/utils_wipe.c:356
#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
#, c-format
msgid "Failed to acquire OPAL lock on device %s."
@@ -447,318 +449,318 @@ msgstr "Dimensiunea cheii de integritate nu coincide."
msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
msgstr "AVERTISMENT: Dimensiunea solicitată a etichetei %d octeți diferă de dimensiunea %s de ieșire (%d octeți).\n"
#: lib/setup.c:3031 lib/setup.c:3129
#: lib/setup.c:3037 lib/setup.c:3135
#, c-format
msgid "Unknown or unsupported device type %s requested."
msgstr "A fost solicitat un tip de dispozitiv %s necunoscut sau neacceptat."
#: lib/setup.c:3043
#: lib/setup.c:3049
#, c-format
msgid "Device %s does not provide inline integrity data fields."
msgstr "Dispozitivul %s nu furnizează câmpuri de date de integritate în linie „inline”."
#: lib/setup.c:3049
#: lib/setup.c:3055
#, c-format
msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
msgstr "Dimensiunea etichetei în linie %<PRIu32> [ cteți] este mai mare decât %<PRIu32> furnizată de dispozitivul %s."
#: lib/setup.c:3064
#: lib/setup.c:3070
#, c-format
msgid "Sector must be the same as device hardware sector (%zu bytes)."
msgstr "Sectorul trebuie să fie la fel ca sectorul hardware al dispozitivului (%zu octeți)."
#: lib/setup.c:3494 lib/setup.c:3583 lib/setup.c:3596
#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
#, c-format
msgid "Unsupported parameters on device %s."
msgstr "Parametri neacceptați pentru dispozitivul %s."
#: lib/setup.c:3500 lib/setup.c:3603 lib/luks2/luks2_reencrypt.c:2920
#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
#, c-format
msgid "Mismatching parameters on device %s."
msgstr "Parametrii nepotriviți în dispozitivul %s."
#: lib/setup.c:3626
#: lib/setup.c:3632
msgid "Crypt devices mismatch."
msgstr "Dispozitivele de criptare nu se potrivesc."
#: lib/setup.c:3658 lib/setup.c:3663 lib/luks2/luks2_reencrypt.c:2404
#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
#, c-format
msgid "Failed to reload device %s."
msgstr "Nu s-a putut reîncărca dispozitivul %s."
#: lib/setup.c:3669 lib/setup.c:3675 lib/luks2/luks2_reencrypt.c:2375
#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
#, c-format
msgid "Failed to suspend device %s."
msgstr "Nu s-a putut suspenda dispozitivul %s."
#: lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2389
#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
#: lib/luks2/luks2_reencrypt.c:4228
#, c-format
msgid "Failed to resume device %s."
msgstr "Nu s-a putut reîncărca dispozitivul %s."
#: lib/setup.c:3696
#: lib/setup.c:3702
#, c-format
msgid "Fatal error while reloading device %s (on top of device %s)."
msgstr "Eroare fatală la reîncărcarea dispozitivului %s (în partea superioară a dispozitivului %s)."
#: lib/setup.c:3699 lib/setup.c:3701
#: lib/setup.c:3705 lib/setup.c:3707
#, c-format
msgid "Failed to switch device %s to dm-error."
msgstr "Nu s-a putut comuta dispozitivul %s la dm-error."
#: lib/setup.c:3744
#: lib/setup.c:3750
msgid "Can not resize LUKS2 device with static size."
msgstr "Nu se poate redimensiona dispozitivul LUKS2 cu o dimensiune statică."
#: lib/setup.c:3749
#: lib/setup.c:3755
msgid "Resize of LUKS2 device with integrity protection is not supported."
msgstr "Redimensionarea dispozitivului LUKS2 cu protecție de integritate nu este acceptată."
#: lib/setup.c:3795
#: lib/setup.c:3801
msgid "Cannot resize loop device."
msgstr "Nu se poate redimensiona dispozitivul de buclă."
#: lib/setup.c:3839
#: lib/setup.c:3845
msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
msgstr "AVERTISMENT: Dimensiunea maximă a fost deja stabilită sau nucleul nu acceptă redimensionarea.\n"
#: lib/setup.c:3905
#: lib/setup.c:3911
msgid "Resize failed, the kernel doesn't support it."
msgstr "Redimensionarea nu a reușit, nucleul nu acceptă redimensionarea."
#: lib/setup.c:3937
#: lib/setup.c:3943
msgid "Do you really want to change UUID of device?"
msgstr "Chiar doriți să schimbați UUID-ul dispozitivului?"
#: lib/setup.c:4029
#: lib/setup.c:4035
msgid "Header backup file does not contain compatible LUKS header."
msgstr "Fișierul de copie de rezervă pentru antet nu conține un antet LUKS compatibil."
#: lib/setup.c:4122
#: lib/setup.c:4128
#, c-format
msgid "Volume %s is not active."
msgstr "Volumul %s nu este activ."
#: lib/setup.c:4177
#: lib/setup.c:4183
#, c-format
msgid "Volume %s is already suspended."
msgstr "Volumul %s este deja suspendat."
#: lib/setup.c:4203
#: lib/setup.c:4209
#, c-format
msgid "Suspend is not supported for device %s."
msgstr "Suspendarea nu este acceptată pentru dispozitivul %s."
#: lib/setup.c:4205 lib/setup.c:4213
#: lib/setup.c:4211 lib/setup.c:4219
#, c-format
msgid "Error during suspending device %s."
msgstr "Eroare la suspendarea dispozitivului %s."
#: lib/setup.c:4228
#: lib/setup.c:4234
#, c-format
msgid "Device %s was suspended but hardware OPAL device cannot be locked."
msgstr "Dispozitivul %s a fost suspendat, dar dispozitivul hardware OPAL nu poate fi blocat."
#: lib/setup.c:4259 lib/setup.c:4436
#: lib/setup.c:4265 lib/setup.c:4442
#, c-format
msgid "Resume is not supported for device %s."
msgstr "Reluarea activității nu este acceptată pentru dispozitivul %s."
#: lib/setup.c:4261 lib/setup.c:4426 lib/setup.c:4438
#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
#, c-format
msgid "Error during resuming device %s."
msgstr "Eroare la reluarea activității dispozitivului %s."
#: lib/setup.c:4280
#: lib/setup.c:4286
msgid "Failed to unlink volume key from user specified keyring."
msgstr "Nu s-a putut dezlega cheia de volum de la inelul de chei specificat de utilizator."
#: lib/setup.c:4402 lib/setup.c:5568
#: lib/setup.c:4408 lib/setup.c:5574
msgid "Failed to link volume key in user defined keyring."
msgstr "Nu s-a putut leg cheia de volum la inelul de chei specificat de utilizator."
#: lib/setup.c:4500 src/cryptsetup.c:2714
#: lib/setup.c:4506 src/cryptsetup.c:2714
#, c-format
msgid "Volume %s is not suspended."
msgstr "Volumul %s nu este suspendat."
#: lib/setup.c:4601 lib/setup.c:7233 lib/setup.c:7255 lib/setup.c:7309
#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
msgid "Volume key does not match the volume."
msgstr "Cheia de volum nu se potrivește cu volumul."
#: lib/setup.c:4755
#: lib/setup.c:4761
msgid "Failed to swap new key slot."
msgstr "Nu s-a putut efectua interschimbarea cu noul slot pentru cheie."
#: lib/setup.c:4853
#: lib/setup.c:4859
#, c-format
msgid "Key slot %d is invalid."
msgstr "Slotul de cheie %d nu este valid."
#: lib/setup.c:4859 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
#, c-format
msgid "Keyslot %d is not active."
msgstr "Slotul de cheie %d nu este activ."
#: lib/setup.c:4878
#: lib/setup.c:4884
msgid "Device header overlaps with data area."
msgstr "Antetul dispozitivului se suprapune cu zona de date."
#: lib/setup.c:5099
#: lib/setup.c:5105
msgid "Reencryption in-progress. Cannot activate device."
msgstr "Recriptare în curs. Nu se poate activa dispozitivul."
#: lib/setup.c:5101 lib/luks2/luks2_json_metadata.c:2884
#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
#: lib/luks2/luks2_reencrypt.c:3714
msgid "Failed to get reencryption lock."
msgstr "Nu s-a putut obține blocarea pentru recriptare."
#: lib/setup.c:5123
#: lib/setup.c:5129
msgid "LUKS2 reencryption recovery using volume key(s) failed."
msgstr "Recuperarea recriptării LUKS2 utilizând cheia (cheile) de volum a eșuat."
#: lib/setup.c:5259
#: lib/setup.c:5265
#, c-format
msgid "Device %s already exists."
msgstr "Dispozitivul %s există deja."
#: lib/setup.c:5266
#: lib/setup.c:5272
#, c-format
msgid "Cannot use device %s, name is invalid or still in use."
msgstr "Nu se poate folosi dispozitivul %s, numele este nevalid sau este încă în uz."
#: lib/setup.c:5278
#: lib/setup.c:5284
msgid "Reencryption volume keys do not match the volume."
msgstr "Cheile de recriptare a volumului nu se potrivesc cu volumul."
#: lib/setup.c:5295
#: lib/setup.c:5301
msgid "Incorrect volume key specified for plain device."
msgstr "Este specificată o cheie de volum incorectă pentru un dispozitiv cu criptare normală."
#: lib/setup.c:5321 lib/setup.c:5382
#: lib/setup.c:5327 lib/setup.c:5388
msgid "Device type is not properly initialized."
msgstr "Tipul de dispozitiv nu este inițializat corect."
#: lib/setup.c:5420
#: lib/setup.c:5426
msgid "Kernel keyring is not supported by the kernel."
msgstr "Inelul de chei pentru nucleu nu este acceptat de nucleu actual."
#: lib/setup.c:5424
#: lib/setup.c:5430
msgid "Kernel keyring missing: required for passing signature to kernel."
msgstr "Lipsește inelul de chei pentru nucleu: este necesar pentru transmiterea semnăturii către nucleu."
#: lib/setup.c:5476
#: lib/setup.c:5482
#, c-format
msgid "Cannot use keyring key %s."
msgstr "Nu se poate utiliza cheia inelului de chei %s."
#: lib/setup.c:5689
#: lib/setup.c:5695
msgid "Incorrect root hash specified for verity device."
msgstr "Sumă de control rădăcină incorectă specificată pentru dispozitivul verity."
#: lib/setup.c:5730 lib/setup.c:5755
#: lib/setup.c:5736 lib/setup.c:5761
msgid "OPAL does not support deferred deactivation."
msgstr "OPAL nu acceptă dezactivarea amânată."
#: lib/setup.c:5745 lib/setup.c:5776 lib/luks2/luks2_json_metadata.c:2949
#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
#: src/utils_reencrypt.c:89
#, c-format
msgid "Device %s is still in use."
msgstr "Dispozitivul %s este încă în uz."
#: lib/setup.c:5763
#: lib/setup.c:5769
#, c-format
msgid "Could not cancel deferred remove from device %s."
msgstr "Nu s-a putut anula eliminarea întârziată din dispozitivul %s."
#: lib/setup.c:5785
#: lib/setup.c:5791
#, c-format
msgid "Invalid device %s."
msgstr "Dispozitiv nevalid %s."
#: lib/setup.c:5926
#: lib/setup.c:5932
msgid "Volume key buffer too small."
msgstr "Memoria tampon a cheii de volum este prea mică."
#: lib/setup.c:5937
#: lib/setup.c:5943
msgid "Cannot retrieve volume key for LUKS2 device."
msgstr "Nu se poate recupera cheia de volum pentru dispozitivul LUKS2."
#: lib/setup.c:5946
#: lib/setup.c:5952
msgid "Cannot retrieve volume key for LUKS1 device."
msgstr "Nu se poate recupera cheia de volum pentru dispozitivul LUKS1."
#: lib/setup.c:5960
#: lib/setup.c:5966
msgid "Cannot retrieve volume key for plain device."
msgstr "Nu se poate recupera tasta de volum pentru dispozitivul normal."
#: lib/setup.c:5968
#: lib/setup.c:5974
msgid "Cannot retrieve root hash for verity device."
msgstr "Nu se poate recupera suma de control rădăcină pentru dispozitivul verity."
#: lib/setup.c:5975
#: lib/setup.c:5981
msgid "Cannot retrieve volume key for BITLK device."
msgstr "Nu se poate recupera cheia de volum pentru dispozitivul BITLK."
#: lib/setup.c:5980
#: lib/setup.c:5986
msgid "Cannot retrieve volume key for FVAULT2 device."
msgstr "Nu se poate recupera cheia de volum pentru dispozitivul FVAULT2."
#: lib/setup.c:5982
#: lib/setup.c:5988
#, c-format
msgid "This operation is not supported for %s crypt device."
msgstr "Această operație nu este acceptată pentru dispozitivul criptat %s."
#: lib/setup.c:6167 lib/setup.c:6178
#: lib/setup.c:6173 lib/setup.c:6184
msgid "Dump operation is not supported for this device type."
msgstr "Operația de descărcare nu este acceptată pentru acest tip de dispozitiv."
#: lib/setup.c:6558
#: lib/setup.c:6564
#, c-format
msgid "Data offset is not multiple of %u bytes."
msgstr "Decalajul datelor nu este multiplu de %u octeți."
#: lib/setup.c:6866
#: lib/setup.c:6872
#, c-format
msgid "Cannot convert device %s which is still in use."
msgstr "Nu se poate converti dispozitivul %s care este încă în uz."
#: lib/setup.c:7174 lib/setup.c:7318
#: lib/setup.c:7180 lib/setup.c:7324
#, c-format
msgid "Failed to assign keyslot %u as the new volume key."
msgstr "Nu s-a putut atribui slotul %u ca nouă cheie de volum."
#: lib/setup.c:7198
#: lib/setup.c:7204
msgid "Failed to initialize default LUKS2 keyslot parameters."
msgstr "Nu s-au putut inițializa parametrii impliciți pentru slotul de cheie LUKS2."
#: lib/setup.c:7204
#: lib/setup.c:7210
#, c-format
msgid "Failed to assign keyslot %d to digest."
msgstr "Nu s-a putut aloca slotul de cheie %d pentru a digera."
#: lib/setup.c:7435
#: lib/setup.c:7441
msgid "Cannot add key slot, all slots disabled and no volume key provided."
msgstr "Nu se poate adăuga slotul pentru cheie, toate sloturile sunt dezactivate și nu este furnizată nicio cheie pentru volum."
#: lib/setup.c:7508 lib/verity/verity.c:333
#: lib/setup.c:7514 lib/verity/verity.c:333
msgid "Failed to load key in kernel keyring."
msgstr "Nu s-a putut încărca cheia în inelul de chei al nucleului."
#: lib/setup.c:7699
#: lib/setup.c:7705
#, c-format
msgid "Could not find keyring described by \"%s\"."
msgstr "Nu s-a putut găsi inelul de chei descris de „%s”."
#: lib/setup.c:7764
#: lib/setup.c:7770
msgid "Failed to acquire global memory-hard access serialization lock."
msgstr "Nu s-a putut obține blocarea de serializare a accesului la memoria-hardwarw globală."
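Review bot: The msgstr for "Failed to acquire global memory-hard access serialization lock." (lib/setup.c:7770) contains the typo "hardwarw" and renders "memory-hard" as global hardware memory, which loses the meaning of a lock that serializes memory-hard access. Since this entry's location comment is being refreshed anyway, reword the translation. In the same hunk, "pentru a digera" for "to digest" (lib/setup.c:7210) reads as the verb rather than the keyslot digest object and should use the noun.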
@@ -899,10 +901,15 @@ msgid "Requested maximum PBKDF memory cannot be zero."
msgstr "Memoria PBKDF maximă solicitată nu poate fi zero."
#: lib/utils_pbkdf.c:173
#, c-format
msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
msgstr "Costul paralel maxim PBKDF solicitat este prea mare (maximul este %d)."
#: lib/utils_pbkdf.c:178
msgid "Requested PBKDF parallel threads cannot be zero."
msgstr "Firele paralele de execuție PBKDF solicitate nu pot fi zero."
#: lib/utils_pbkdf.c:193
#: lib/utils_pbkdf.c:198
msgid "Only PBKDF2 is supported in FIPS mode."
msgstr "Doar PBKDF2 este acceptat în modul FIPS."
@@ -1260,7 +1267,7 @@ msgstr "Nu se poate determina decalajul partiției de sistem TCRYPT, se activeaz
msgid "Kernel does not support TCRYPT compatible mapping."
msgstr "Nucleul nu acceptă asocierea compatibilă cu TCRYPT."
#: lib/tcrypt/tcrypt.c:1126
#: lib/tcrypt/tcrypt.c:1144
msgid "This function is not supported without TCRYPT header load."
msgstr "Această funcție nu este acceptată fără încărcarea antetului TCRYPT."
@@ -1348,45 +1355,45 @@ msgstr "Dimensiune neașteptată a metadatelor BEK %<PRIu32>, nu se potrivește
msgid "Unexpected metadata entry found when parsing startup key."
msgstr "Intrare neașteptată de metadate găsită la analizarea cheii de pornire."
#: lib/bitlk/bitlk.c:1067
#: lib/bitlk/bitlk.c:1069
msgid "This operation is not supported."
msgstr "Această operație nu este acceptată."
#: lib/bitlk/bitlk.c:1075
#: lib/bitlk/bitlk.c:1077
msgid "Unexpected key data size."
msgstr "Dimensiune neașteptată a datelor cheii."
#: lib/bitlk/bitlk.c:1203
#: lib/bitlk/bitlk.c:1205
msgid "This BITLK device is in an unsupported state and cannot be activated."
msgstr "Acest dispozitiv BITLK este într-o stare neacceptată și nu poate fi activat."
#: lib/bitlk/bitlk.c:1208
#: lib/bitlk/bitlk.c:1210
#, c-format
msgid "BITLK devices with type '%s' cannot be activated."
msgstr "Dispozitivele BITLK de tip „%s” nu pot fi activate."
#: lib/bitlk/bitlk.c:1215
#: lib/bitlk/bitlk.c:1217
msgid "Activation of BITLK device with clear key protection is not supported."
msgstr "Activarea dispozitivului BITLK cu protecție de cheie în clar nu este acceptată."
#: lib/bitlk/bitlk.c:1256
#: lib/bitlk/bitlk.c:1258
#, c-format
msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
msgstr "AVERTISMENT: dimensiunea volumului BitLocker %<PRIu64> nu se potrivește cu dimensiunea dispozitivului subiacent %<PRIu64>"
#: lib/bitlk/bitlk.c:1383
#: lib/bitlk/bitlk.c:1385
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
msgstr "Nu se poate activa dispozitivul, modulul nucleului «dm-crypt» nu are suport pentru BITLK IV."
#: lib/bitlk/bitlk.c:1387
#: lib/bitlk/bitlk.c:1389
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
msgstr "Dispozitivul nu poate fi activat, modulul nucleului «dm-crypt» nu are suport pentru difuzorul BITLK Elephant."
#: lib/bitlk/bitlk.c:1391
#: lib/bitlk/bitlk.c:1393
msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
msgstr "Dispozitivul nu poate fi activat, nucleul dm-crypt nu are suport pentru dimensiune mare a sectorului."
#: lib/bitlk/bitlk.c:1395
#: lib/bitlk/bitlk.c:1397
msgid "Cannot activate device, kernel dm-zero module is missing."
msgstr "Dispozitivul nu se poate activa, modulul nucleului, «dm-zero», lipsește."
@@ -3287,6 +3294,10 @@ msgstr ""
msgid "Formatted with tag size %u%s, internal integrity %s.\n"
msgstr "Formatat cu dimensiunea etichetei %u%s, integritate internă %s.\n"
#: src/integritysetup.c:214
msgid " (inline hw tags)"
msgstr "(etichete hw în linie „inline”)"
#: src/integritysetup.c:297
msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
msgstr "Utilizarea fanionului pentru recalculare(...-recalculate) nu este acceptată, luați în considerare utilizarea opțiunii „--wipe” în schimb."
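Review bot: The new msgid " (inline hw tags)" at src/integritysetup.c:214 begins with a space, but its msgstr "(etichete hw în linie „inline”)" drops it. The leading space suggests the string is appended through the %s that directly follows %u in "Formatted with tag size %u%s, internal integrity %s.\n", so the Romanian output would run the tag size straight into the parenthesis. Restore the leading space in the msgstr.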

207
po/sk.po

@@ -4,29 +4,29 @@
# Marián Haburaj <hajkomajko5@gmail.com>, 2025.
#
# hash - hash
# kernel - jadro
# keyslot - miesto pre kľúč / miesto s kľúčom
# plain - plain
# keyring - zväzok kľúčov
# volume key - kľúč zväzku
# offset - odsadenie / miesto / pozícia
# reencryption - prešifrovanie / opätovné šifrovanie
# log file - protokol
# inline - inline
# kernel - jadro
# keyring - zväzok kľúčov
# keyslot - miesto pre kľúč / miesto s kľúčom
# log file - protokol
# offset - odsadenie / miesto / pozícia
# plain - plain
# reencryption - prešifrovanie / opätovné šifrovanie
# volume key - kľúč zväzku
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 2.8.0-rc0\n"
"Project-Id-Version: cryptsetup 2.8.1-rc0\n"
"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
"POT-Creation-Date: 2025-06-03 09:23+0200\n"
"PO-Revision-Date: 2025-06-04 15:49+0200\n"
"POT-Creation-Date: 2025-08-13 13:45+0200\n"
"PO-Revision-Date: 2025-08-18 10:38+0200\n"
"Last-Translator: Marián Haburaj <hajkomajko5@gmail.com>\n"
"Language-Team: Slovak <sk-i18n@lists.linux.sk>\n"
"Language: sk\n"
"X-Bugs: Report translation errors to the Language-Team address.\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Bugs: Report translation errors to the Language-Team address.\n"
"X-Generator: Poedit 3.6\n"
#: lib/libdevmapper.c:419
@@ -165,7 +165,7 @@ msgstr "Chyba pri spracovaní kľúča (používa sa hash %s)."
msgid "Cannot determine device type. Incompatible activation of device?"
msgstr "Neviem určiť typ zariadenia. Nekompatibilná aktivácia zariadenia?"
#: lib/setup.c:395 lib/setup.c:4139
#: lib/setup.c:395 lib/setup.c:4145
msgid "This operation is supported only for LUKS device."
msgstr "Táto operácie je podporované len pre LUKS zariadenie."
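Review bot: The msgstr for "This operation is supported only for LUKS device." has an agreement error, "Táto operácie je podporované"; it should read "Táto operácia je podporovaná", the form this catalog already uses for "This operation is not supported." under lib/bitlk/bitlk.c:1069. Worth fixing while the location comment is touched.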
@@ -187,7 +187,7 @@ msgstr "Miesto pre kľúč %d je neplatné, prosím vyberte číslo medzi 0 a %d
msgid "Key slot %d is full, please select another one."
msgstr "Miesto pre kľúč %d je obsadené, prosím vyberte iné."
#: lib/setup.c:531 lib/setup.c:3854
#: lib/setup.c:531 lib/setup.c:3860
msgid "Device size is not aligned to device logical block size."
msgstr "Veľkosť zariadenia nie je zarovnaná na veľkosť logického bloku zariadenia."
@@ -196,7 +196,7 @@ msgstr "Veľkosť zariadenia nie je zarovnaná na veľkosť logického bloku zar
msgid "Header detected but device %s is too small."
msgstr "Hlavička bola nájdená, ale zariadenie %s je veľmi malé."
#: lib/setup.c:669 lib/setup.c:3739 lib/setup.c:5206
#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
msgid "This operation is not supported for this device type."
msgstr "Táto operácie nie je podporovaná pre tento typ zariadenia."
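Review bot: The msgstr for "This operation is not supported for this device type." keeps the misspelt noun "operácie"; the nominative is "operácia", as in the entry for "This operation is not supported for %s crypt device." elsewhere in this file.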
@@ -229,8 +229,8 @@ msgstr "Nepodporovaná LUKS verzia %d."
msgid "No known cipher specification pattern detected for active device %s."
msgstr "Žiadna známa špecifikácia šifry nebola nájdená pre aktívne zariadenie %s."
#: lib/setup.c:1515 lib/setup.c:3486 lib/setup.c:3578 lib/setup.c:3590
#: lib/setup.c:3762 lib/setup.c:5781
#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
#: lib/setup.c:3768 lib/setup.c:5787
#, c-format
msgid "Device %s is not active."
msgstr "Zariadenie %s nie je aktívne."
@@ -261,7 +261,7 @@ msgstr "Zariadenie s oddelenými metadátami nie je podporované pre tento typ
msgid "Unsupported encryption sector size."
msgstr "Nepodporovaná veľkosť šifrovaného sektoru."
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3848
#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
msgid "Device size is not aligned to requested sector size."
msgstr "Veľkosť zariadenia nie je zarovnaná k vyžadovanej veľkosti sektoru."
@@ -370,7 +370,7 @@ msgstr "Požadované zarovnanie údajov nespĺňa požiadavky na zarovnanie uzam
msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
msgstr "Kompenzovanie veľkosti zariadenia o %<PRIu64> sektorov na jeho zarovnanie s granualitou zarovnania OPAL."
#: lib/setup.c:2528 lib/setup.c:4222 lib/setup.c:4411 lib/utils_wipe.c:356
#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
#, c-format
msgid "Failed to acquire OPAL lock on device %s."
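Review bot: The msgstr for "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity." misspells the last noun as "granualitou"; it should be "granularitou".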
@@ -444,318 +444,318 @@ msgstr "Nesúlad vo veľkosti kľúča integrity."
msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
msgstr "VAROVANIE: Požadovaná veľkosť príznaku %d bajtov sa líši od %s veľkosti výstupu (%d bajtov).\n"
#: lib/setup.c:3031 lib/setup.c:3129
#: lib/setup.c:3037 lib/setup.c:3135
#, c-format
msgid "Unknown or unsupported device type %s requested."
msgstr "Vyžadovaný neznámy alebo nepodporovaný typ šifrovaného zariadenia %s."
#: lib/setup.c:3043
#: lib/setup.c:3049
#, c-format
msgid "Device %s does not provide inline integrity data fields."
msgstr "Zariadenie %s neposkytuje dátové polia pre inline integritu."
#: lib/setup.c:3049
#: lib/setup.c:3055
#, c-format
msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
msgstr "Veľkosť príznaku inline %<PRIu32> [bajtov] je väčšia ako %<PRIu32> poskytnutá zariadením %s."
#: lib/setup.c:3064
#: lib/setup.c:3070
#, c-format
msgid "Sector must be the same as device hardware sector (%zu bytes)."
msgstr "Sektor musí byť rovnaký ako hardvérový sektor zariadenia (%zu bajtov)."
#: lib/setup.c:3494 lib/setup.c:3583 lib/setup.c:3596
#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
#, c-format
msgid "Unsupported parameters on device %s."
msgstr "Nepodporované parametre na zariadení %s."
#: lib/setup.c:3500 lib/setup.c:3603 lib/luks2/luks2_reencrypt.c:2920
#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
#, c-format
msgid "Mismatching parameters on device %s."
msgstr "Neodpovedajúce parametre na zariadení %s."
#: lib/setup.c:3626
#: lib/setup.c:3632
msgid "Crypt devices mismatch."
msgstr "Nesúlad v šifrovaných zariadeniach."
#: lib/setup.c:3658 lib/setup.c:3663 lib/luks2/luks2_reencrypt.c:2404
#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
#, c-format
msgid "Failed to reload device %s."
msgstr "Nepodarilo sa znovu načítať zariadenie %s."
#: lib/setup.c:3669 lib/setup.c:3675 lib/luks2/luks2_reencrypt.c:2375
#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
#, c-format
msgid "Failed to suspend device %s."
msgstr "Zlyhalo pozastavenie zariadenia %s."
#: lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2389
#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
#: lib/luks2/luks2_reencrypt.c:4228
#, c-format
msgid "Failed to resume device %s."
msgstr "Zlyhalo prebudenie zariadenia %s."
#: lib/setup.c:3696
#: lib/setup.c:3702
#, c-format
msgid "Fatal error while reloading device %s (on top of device %s)."
msgstr "Fatálna chyba počas opätovného načítavania zariadenia %s (nad zariadením %s)."
#: lib/setup.c:3699 lib/setup.c:3701
#: lib/setup.c:3705 lib/setup.c:3707
#, c-format
msgid "Failed to switch device %s to dm-error."
msgstr "Zlyhalo prepnutie zariadenia %s na dm-error."
#: lib/setup.c:3744
#: lib/setup.c:3750
msgid "Can not resize LUKS2 device with static size."
msgstr "Nedá sa zmeniť veľkosť LUKS2 zariadenia so statickou veľkosťou."
#: lib/setup.c:3749
#: lib/setup.c:3755
msgid "Resize of LUKS2 device with integrity protection is not supported."
msgstr "Zmena veľkosti zariadenia s ochranou integrity nie je podporovaná."
#: lib/setup.c:3795
#: lib/setup.c:3801
msgid "Cannot resize loop device."
msgstr "Nie je možné zmeniť veľkosť loop zariadenia."
#: lib/setup.c:3839
#: lib/setup.c:3845
msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
msgstr "VAROVANIE: Maximálna veľkosť je už dosiahnutá alebo jadro nepodporuje zmenu veľkosti.\n"
#: lib/setup.c:3905
#: lib/setup.c:3911
msgid "Resize failed, the kernel doesn't support it."
msgstr "Zmena veľkosti zlyhala, jadro toto nepodporuje."
#: lib/setup.c:3937
#: lib/setup.c:3943
msgid "Do you really want to change UUID of device?"
msgstr "Naozaj chcete zmeniť UUID zariadenia?"
#: lib/setup.c:4029
#: lib/setup.c:4035
msgid "Header backup file does not contain compatible LUKS header."
msgstr "Záložný súbor s hlavičkou neobsahuje kompatibilnú LUKS hlavičku."
#: lib/setup.c:4122
#: lib/setup.c:4128
#, c-format
msgid "Volume %s is not active."
msgstr "Zväzok %s nie je aktívny."
#: lib/setup.c:4177
#: lib/setup.c:4183
#, c-format
msgid "Volume %s is already suspended."
msgstr "Zväzok %s už je pozastavený."
#: lib/setup.c:4203
#: lib/setup.c:4209
#, c-format
msgid "Suspend is not supported for device %s."
msgstr "Pozastavenie nie je podporované pre zariadenie %s."
#: lib/setup.c:4205 lib/setup.c:4213
#: lib/setup.c:4211 lib/setup.c:4219
#, c-format
msgid "Error during suspending device %s."
msgstr "Chyba počas pozastavovania zariadenia %s."
#: lib/setup.c:4228
#: lib/setup.c:4234
#, c-format
msgid "Device %s was suspended but hardware OPAL device cannot be locked."
msgstr "Zariadenie %s bolo pozastavené, ale hardvérové zariadenie OPAL nemôže byť uzamknuté."
#: lib/setup.c:4259 lib/setup.c:4436
#: lib/setup.c:4265 lib/setup.c:4442
#, c-format
msgid "Resume is not supported for device %s."
msgstr "Prebudenie nie je podporované pre zariadenie %s."
#: lib/setup.c:4261 lib/setup.c:4426 lib/setup.c:4438
#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
#, c-format
msgid "Error during resuming device %s."
msgstr "Chyba počas prebúdzania zariadenia %s."
#: lib/setup.c:4280
#: lib/setup.c:4286
msgid "Failed to unlink volume key from user specified keyring."
msgstr "Zlyhalo odpojenie kľúča zväzku od používateľom zadaného zväzku kľúčov."
#: lib/setup.c:4402 lib/setup.c:5568
#: lib/setup.c:4408 lib/setup.c:5574
msgid "Failed to link volume key in user defined keyring."
msgstr "Zlyhalo pripojenie kľúča zväzku do používateľom zadaného zväzku kľúčov."
#: lib/setup.c:4500 src/cryptsetup.c:2714
#: lib/setup.c:4506 src/cryptsetup.c:2714
#, c-format
msgid "Volume %s is not suspended."
msgstr "Zväzok %s nie je pozastavený."
#: lib/setup.c:4601 lib/setup.c:7233 lib/setup.c:7255 lib/setup.c:7309
#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
msgid "Volume key does not match the volume."
msgstr "Kľúč zväzku nezodpovedá zväzku."
#: lib/setup.c:4755
#: lib/setup.c:4761
msgid "Failed to swap new key slot."
msgstr "Zlyhala výmena nového miesta pre kľúč."
#: lib/setup.c:4853
#: lib/setup.c:4859
#, c-format
msgid "Key slot %d is invalid."
msgstr "Miesto pre kľúč %d je neplatné."
#: lib/setup.c:4859 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
#, c-format
msgid "Keyslot %d is not active."
msgstr "Miesto pre kľúč %d nie je aktívne."
#: lib/setup.c:4878
#: lib/setup.c:4884
msgid "Device header overlaps with data area."
msgstr "Hlavička zariadenia zasahuje do oblasti údajov."
#: lib/setup.c:5099
#: lib/setup.c:5105
msgid "Reencryption in-progress. Cannot activate device."
msgstr "Prebieha prešifrovanie. Nie je možné aktivovať zariadenie."
#: lib/setup.c:5101 lib/luks2/luks2_json_metadata.c:2884
#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
#: lib/luks2/luks2_reencrypt.c:3714
msgid "Failed to get reencryption lock."
msgstr "Zlyhalo získanie zámku pre prešifrovanie."
#: lib/setup.c:5123
#: lib/setup.c:5129
msgid "LUKS2 reencryption recovery using volume key(s) failed."
msgstr "Obnova prešifrovaním LUKS2 s použitím kľúču(ov) zväzku zlyhala."
#: lib/setup.c:5259
#: lib/setup.c:5265
#, c-format
msgid "Device %s already exists."
msgstr "Zariadenie %s už existuje."
#: lib/setup.c:5266
#: lib/setup.c:5272
#, c-format
msgid "Cannot use device %s, name is invalid or still in use."
msgstr "Nie je možné použiť zariadenie %s, názov je neplatný alebo sa stále používa."
#: lib/setup.c:5278
#: lib/setup.c:5284
msgid "Reencryption volume keys do not match the volume."
msgstr "Kľúče zväzku na prešifrovanie sa líšia od zväzku."
#: lib/setup.c:5295
#: lib/setup.c:5301
msgid "Incorrect volume key specified for plain device."
msgstr "Zadaný nesprávny kľúč zväzku pre plain zariadenie."
#: lib/setup.c:5321 lib/setup.c:5382
#: lib/setup.c:5327 lib/setup.c:5388
msgid "Device type is not properly initialized."
msgstr "Typ zariadenia nie je riadne inicializovaný."
#: lib/setup.c:5420
#: lib/setup.c:5426
msgid "Kernel keyring is not supported by the kernel."
msgstr "Zväzok kľúčov jadra nie je jadrom podporovaný."
#: lib/setup.c:5424
#: lib/setup.c:5430
msgid "Kernel keyring missing: required for passing signature to kernel."
msgstr "Zväzok kľúčov jadra chýba: vyžadované pre odovzdanie podpisu jadru."
#: lib/setup.c:5476
#: lib/setup.c:5482
#, c-format
msgid "Cannot use keyring key %s."
msgstr "Nedá sa použiť kľúč %s zo zväzku kľúčov."
#: lib/setup.c:5689
#: lib/setup.c:5695
msgid "Incorrect root hash specified for verity device."
msgstr "Nesprávny koreňový hash zadaný pre verity zariadenie."
#: lib/setup.c:5730 lib/setup.c:5755
#: lib/setup.c:5736 lib/setup.c:5761
msgid "OPAL does not support deferred deactivation."
msgstr "OPAL nepodporuje odloženú deaktiváciu."
#: lib/setup.c:5745 lib/setup.c:5776 lib/luks2/luks2_json_metadata.c:2949
#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
#: src/utils_reencrypt.c:89
#, c-format
msgid "Device %s is still in use."
msgstr "Zariadenie %s sa stále používa."
#: lib/setup.c:5763
#: lib/setup.c:5769
#, c-format
msgid "Could not cancel deferred remove from device %s."
msgstr "Nedá sa zrušiť odložené odstránenie zo zariadenia %s."
#: lib/setup.c:5785
#: lib/setup.c:5791
#, c-format
msgid "Invalid device %s."
msgstr "Neplatné zariadenie %s."
#: lib/setup.c:5926
#: lib/setup.c:5932
msgid "Volume key buffer too small."
msgstr "Vyhradená pamäť pre kľúč zväzku je príliš malá."
#: lib/setup.c:5937
#: lib/setup.c:5943
msgid "Cannot retrieve volume key for LUKS2 device."
msgstr "Nedá sa získať kľúč zväzku pre LUKS2 zariadenie."
#: lib/setup.c:5946
#: lib/setup.c:5952
msgid "Cannot retrieve volume key for LUKS1 device."
msgstr "Nedá sa získať kľúč zväzku pre LUKS1 zariadenie."
#: lib/setup.c:5960
#: lib/setup.c:5966
msgid "Cannot retrieve volume key for plain device."
msgstr "Nedá sa získať kľúč zväzku pre plain zariadenie."
#: lib/setup.c:5968
#: lib/setup.c:5974
msgid "Cannot retrieve root hash for verity device."
msgstr "Nedá sa získať koreňový hash pre verity zariadenie."
#: lib/setup.c:5975
#: lib/setup.c:5981
msgid "Cannot retrieve volume key for BITLK device."
msgstr "Nedá sa získať kľúč zväzku pre BITLK zariadenie."
#: lib/setup.c:5980
#: lib/setup.c:5986
msgid "Cannot retrieve volume key for FVAULT2 device."
msgstr "Nedá sa získať kľúč zväzku pre FVAULT2 zariadenie."
#: lib/setup.c:5982
#: lib/setup.c:5988
#, c-format
msgid "This operation is not supported for %s crypt device."
msgstr "Táto operácia nie je podporovaná pre %s šifrované zariadenie."
#: lib/setup.c:6167 lib/setup.c:6178
#: lib/setup.c:6173 lib/setup.c:6184
msgid "Dump operation is not supported for this device type."
msgstr "Operácia výpisu nie je podporovaná pre tento typ zariadenia."
#: lib/setup.c:6558
#: lib/setup.c:6564
#, c-format
msgid "Data offset is not multiple of %u bytes."
msgstr "Odsadenie údajov nie je násobkom %u bajtov."
#: lib/setup.c:6866
#: lib/setup.c:6872
#, c-format
msgid "Cannot convert device %s which is still in use."
msgstr "Nedá sa konvertovať zariadenie %s, ktoré sa stále používa."
#: lib/setup.c:7174 lib/setup.c:7318
#: lib/setup.c:7180 lib/setup.c:7324
#, c-format
msgid "Failed to assign keyslot %u as the new volume key."
msgstr "Za nový kľúč zväzku sa nepodarilo priradiť miesto s kľúčom %u."
#: lib/setup.c:7198
#: lib/setup.c:7204
msgid "Failed to initialize default LUKS2 keyslot parameters."
msgstr "Zlyhala inicializácia predvolených parametrov LUKS2 miesta na kľúč."
#: lib/setup.c:7204
#: lib/setup.c:7210
#, c-format
msgid "Failed to assign keyslot %d to digest."
msgstr "Zlyhalo priradenie miesta pre kľúč %d k otlačku (digest)."
#: lib/setup.c:7435
#: lib/setup.c:7441
msgid "Cannot add key slot, all slots disabled and no volume key provided."
msgstr "Nedá sa pridať miesto pre kľúč, všetky miesta sú vypnuté a nie je poskytnutý žiaden kľúč zväzku."
#: lib/setup.c:7508 lib/verity/verity.c:333
#: lib/setup.c:7514 lib/verity/verity.c:333
msgid "Failed to load key in kernel keyring."
msgstr "Zlyhalo načítanie kľúča zo zväzku kľúčov jadra."
#: lib/setup.c:7699
#: lib/setup.c:7705
#, c-format
msgid "Could not find keyring described by \"%s\"."
msgstr "Nedá sa nájsť zväzok kľúčov opísaný podľa \"%s\"."
#: lib/setup.c:7764
#: lib/setup.c:7770
msgid "Failed to acquire global memory-hard access serialization lock."
msgstr "Zlyhalo získanie zámku pre tvrdý prístup ku globálnej pamäti."
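Review bot: Two msgstr entries in this hunk change the meaning of their msgid and should be corrected while the locations are updated. For "Failed to load key in kernel keyring." (lib/setup.c:7514) the translation says "zo zväzku kľúčov jadra", which means loading from the keyring, while the message is about loading the key into it; compare "do používateľom zadaného zväzku kľúčov" used for lib/setup.c:4408. For "Failed to acquire global memory-hard access serialization lock." (lib/setup.c:7770) the translation drops "serialization" and reads as a lock for hard access to global memory; it should describe a lock that serializes memory-hard access. A smaller point: the msgstr for "Resize of LUKS2 device with integrity protection is not supported." omits LUKS2.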
@@ -896,10 +896,15 @@ msgid "Requested maximum PBKDF memory cannot be zero."
msgstr "Požadovaná maximálna pamäť PBKDF nemôže byť nula."
#: lib/utils_pbkdf.c:173
#, c-format
msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
msgstr "Požadovaný maximálny počet paralelných vlákien PBKDF je veľmi vysoký (maximum je %d)."
#: lib/utils_pbkdf.c:178
msgid "Requested PBKDF parallel threads cannot be zero."
msgstr "Požadovaný počet paralelných vlákien PBKDF nemôže byť nula."
#: lib/utils_pbkdf.c:193
#: lib/utils_pbkdf.c:198
msgid "Only PBKDF2 is supported in FIPS mode."
msgstr "Iba PBKDF2 je podporavané v režime FIPS."
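Review bot: The msgstr for "Only PBKDF2 is supported in FIPS mode." (lib/utils_pbkdf.c:198) has the typo "podporavané"; it should be "podporované". In the newly added entry for lib/utils_pbkdf.c:173, "veľmi vysoký" means "very high" where the msgid says "too high" ("príliš vysoký"), and "parallel cost" is rendered as a thread count, which makes it hard to tell apart from the following "parallel threads cannot be zero" message.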
@@ -1257,7 +1262,7 @@ msgstr "Nedá sa zistiť odsadenie systémového oddielu TCRYPT, aktivuje sa zar
msgid "Kernel does not support TCRYPT compatible mapping."
msgstr "Jadro nepodporuje mapovanie kompatibilné s TCRYPT."
#: lib/tcrypt/tcrypt.c:1126
#: lib/tcrypt/tcrypt.c:1144
msgid "This function is not supported without TCRYPT header load."
msgstr "Táto funkcia nie je podporovaná bez načítania hlavičky TCRYPT."
@@ -1345,45 +1350,45 @@ msgstr "Neočakávaná veľkosť BEK metadát %<PRIu32> sa nezhoduje s veľkosť
msgid "Unexpected metadata entry found when parsing startup key."
msgstr "Neočakávaný záznam metadát nájdený počas rozboru kľúča pri spúšťaní."
#: lib/bitlk/bitlk.c:1067
#: lib/bitlk/bitlk.c:1069
msgid "This operation is not supported."
msgstr "Táto operácia nie je podporovaná."
#: lib/bitlk/bitlk.c:1075
#: lib/bitlk/bitlk.c:1077
msgid "Unexpected key data size."
msgstr "Neočakávaná veľkosť údajov o kľúči."
#: lib/bitlk/bitlk.c:1203
#: lib/bitlk/bitlk.c:1205
msgid "This BITLK device is in an unsupported state and cannot be activated."
msgstr "Toto zariadenie BITLK je v nepodporovanom stave a nemôže byť aktivované."
#: lib/bitlk/bitlk.c:1208
#: lib/bitlk/bitlk.c:1210
#, c-format
msgid "BITLK devices with type '%s' cannot be activated."
msgstr "Zariadenie BITLK s typom \"%s\" nemôže byť aktivované."
#: lib/bitlk/bitlk.c:1215
#: lib/bitlk/bitlk.c:1217
msgid "Activation of BITLK device with clear key protection is not supported."
msgstr "Aktivácia zariadenia BITLK s ochranou čistého kľúča nie je podporovaná."
#: lib/bitlk/bitlk.c:1256
#: lib/bitlk/bitlk.c:1258
#, c-format
msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
msgstr "VAROVANIE: Veľkosť zväzku BitLocker %<PRIu64> sa nezhoduje s veľkosťou prislúchajúceho zariadenia %<PRIu64>"
#: lib/bitlk/bitlk.c:1383
#: lib/bitlk/bitlk.c:1385
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
msgstr "Nedá sa aktivovať zariadenie, jadru dm-crypt chýba podpora pre BITLK IV."
#: lib/bitlk/bitlk.c:1387
#: lib/bitlk/bitlk.c:1389
msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
msgstr "Nedá sa aktivovať zariadenie, jadru dm-crypt chýba podpora pre difuzér BITLK Elephant."
#: lib/bitlk/bitlk.c:1391
#: lib/bitlk/bitlk.c:1393
msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
msgstr "Nedá sa aktivovať zariadenie, jadru dm-crypt chýba podpora pre veľké veľkosti sektorov."
#: lib/bitlk/bitlk.c:1395
#: lib/bitlk/bitlk.c:1397
msgid "Cannot activate device, kernel dm-zero module is missing."
msgstr "Nedá sa aktivovať zariadenie, modul jadra dm-zero chýba."
@@ -3278,6 +3283,10 @@ msgstr ""
msgid "Formatted with tag size %u%s, internal integrity %s.\n"
msgstr "Naformátované s veľkosťou príznaku %u %s, interná integrita %s.\n"
#: src/integritysetup.c:214
msgid " (inline hw tags)"
msgstr " (hardvérové inline príznaky)"
#: src/integritysetup.c:297
msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
msgstr "Nastavenie príznaku prepočítania nie je podporované, môžete zvážiť použitie --wipe namiesto toho."
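Review bot: The msgstr for "Formatted with tag size %u%s, internal integrity %s.\n" inserts a space between the two conversions ("%u %s"), while the new " (hardvérové inline príznaky)" string added just below keeps the msgid's leading space. If that string is what fills the %s, the output gets a double space, and an empty %s leaves a stray space before the comma. Keep "%u%s" adjacent as in the msgid.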

Some files were not shown because too many files have changed in this diff