mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-05 16:00:05 +01:00
5fc79f5627
Also cache its value in active context, so we run benchmark only once. The patch also changes calculated value for LUKS1 key digest to 125 miliseconds (it means that for full 8 used slots the additional slow-down is circa 1 second). Note that there is no need to have too high iteration count for key digest; if it is too computationally expensive, attacker will better decrypt of one sector with candidate key anyway. (Check for a known signature.) The reason to have some delay for key digest check was to complicate brute-force search for volume key with LUKS header only (and if RNG used to generate volumekey was flawed allowing such a search i reasonable time).
1314 lines
38 KiB
C
1314 lines
38 KiB
C
/*
|
|
* libcryptsetup - cryptsetup library
|
|
*
|
|
* Copyright (C) 2004, Jana Saout <jana@saout.de>
|
|
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
|
|
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
|
|
* Copyright (C) 2009-2017, Milan Broz
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version 2
|
|
* of the License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*/
|
|
|
|
/**
|
|
* @file libcryptsetup.h
|
|
* @brief Public cryptsetup API
|
|
*
|
|
* For more verbose examples of LUKS related use cases,
|
|
* please read @ref index "examples".
|
|
*/
|
|
|
|
#ifndef _LIBCRYPTSETUP_H
|
|
#define _LIBCRYPTSETUP_H
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
#include <stddef.h>
|
|
#include <stdint.h>
|
|
|
|
struct crypt_device; /* crypt device handle */
|
|
|
|
/**
|
|
* Initialize crypt device handle and check if provided device exists.
|
|
*
|
|
* @param cd Returns pointer to crypt device handle
|
|
* @param device Path to the backing device.
|
|
* If @e device is not a block device but a path to some file,
|
|
* the function will try to create a loopdevice and attach
|
|
* the file to the loopdevice with AUTOCLEAR flag set.
|
|
* If @e device is @e NULL function it will initialize dm backend only.
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*
|
|
* @note Note that logging is not initialized here, possible messages uses
|
|
* default log function.
|
|
*/
|
|
int crypt_init(struct crypt_device **cd, const char *device);
|
|
|
|
/**
|
|
* Initialize crypt device handle from provided active device name,
|
|
* and, optionally, from separate metadata (header) device
|
|
* and check if provided device exists.
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*
|
|
* @param cd returns crypt device handle for active device
|
|
* @param name name of active crypt device
|
|
* @param header_device optional device containing on-disk header
|
|
* (@e NULL if it the same as underlying device on there is no on-disk header)
|
|
*
|
|
* @post In case @e device points to active LUKS device but header load fails,
|
|
* context device type is set to @e NULL and @e 0 is returned as if it were successful.
|
|
* Context with @e NULL device type can only be deactivated by crypt_deactivate
|
|
*
|
|
* @note @link crypt_init_by_name @endlink is equivalent to calling
|
|
* crypt_init_by_name_and_header(cd, name, NULL);
|
|
*/
|
|
int crypt_init_by_name_and_header(struct crypt_device **cd,
|
|
const char *name,
|
|
const char *header_device);
|
|
|
|
/**
|
|
* This is equivalent to call
|
|
* @ref crypt_init_by_name_and_header "crypt_init_by_name_and_header(cd, name, NULL)"
|
|
*
|
|
* @sa crypt_init_by_name_and_header
|
|
*/
|
|
int crypt_init_by_name(struct crypt_device **cd, const char *name);
|
|
|
|
/**
|
|
* @defgroup loglevel Cryptsetup logging
|
|
*
|
|
* Set of functions and defines used in cryptsetup for
|
|
* logging purposes
|
|
*
|
|
*/
|
|
|
|
/**
|
|
* @addtogroup loglevel
|
|
* @{
|
|
*/
|
|
|
|
/** normal log level */
|
|
#define CRYPT_LOG_NORMAL 0
|
|
/** error log level */
|
|
#define CRYPT_LOG_ERROR 1
|
|
/** verbose log level */
|
|
#define CRYPT_LOG_VERBOSE 2
|
|
/** debug log level - always on stdout */
|
|
#define CRYPT_LOG_DEBUG -1
|
|
|
|
/**
|
|
* Set log function.
|
|
*
|
|
* @param cd crypt device handle (can be @e NULL to set default log function)
|
|
* @param log user defined log function reference
|
|
* @param usrptr provided identification in callback
|
|
* @param level log level below (debug messages can uses other levels)
|
|
* @param msg log message
|
|
*/
|
|
void crypt_set_log_callback(struct crypt_device *cd,
|
|
void (*log)(int level, const char *msg, void *usrptr),
|
|
void *usrptr);
|
|
|
|
/**
|
|
* Defines log function or use the default one otherwise.
|
|
*
|
|
* @see crypt_set_log_callback
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param level log level
|
|
* @param msg log message
|
|
*/
|
|
void crypt_log(struct crypt_device *cd, int level, const char *msg);
|
|
/** @} */
|
|
|
|
/**
|
|
* Set confirmation callback (yes/no).
|
|
*
|
|
* If code need confirmation (like resetting uuid or restoring LUKS header from file)
|
|
* this function is called. If not defined, everything is confirmed.
|
|
*
|
|
* Callback function @e confirm should return @e 0 if operation is declined,
|
|
* other values mean accepted.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param confirm user defined confirm callback reference
|
|
* @param usrptr provided identification in callback
|
|
* @param msg Message for user to confirm
|
|
*
|
|
* @note Current version of cryptsetup API requires confirmation only when UUID is being changed
|
|
*/
|
|
void crypt_set_confirm_callback(struct crypt_device *cd,
|
|
int (*confirm)(const char *msg, void *usrptr),
|
|
void *usrptr);
|
|
|
|
/**
|
|
* Set how long should cryptsetup iterate in PBKDF2 function.
|
|
* Default value heads towards the iterations which takes around 1 second.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param iteration_time_ms the time in ms
|
|
*/
|
|
void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_ms);
|
|
|
|
/**
|
|
* Set data device
|
|
* For LUKS it is encrypted data device when LUKS header is separated.
|
|
* For VERITY it is data device when hash device is separated.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param device path to device
|
|
*
|
|
*/
|
|
int crypt_set_data_device(struct crypt_device *cd, const char *device);
|
|
|
|
/**
|
|
* @defgroup rng Cryptsetup RNG and PBKDF
|
|
*
|
|
* @addtogroup rng
|
|
* @{
|
|
*
|
|
*/
|
|
|
|
/** CRYPT_RNG_URANDOM - use /dev/urandom */
|
|
#define CRYPT_RNG_URANDOM 0
|
|
/** CRYPT_RNG_RANDOM - use /dev/random (waits if no entropy in system) */
|
|
#define CRYPT_RNG_RANDOM 1
|
|
|
|
/**
|
|
* Set which RNG (random number generator) is used for generating long term key
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param rng_type kernel random number generator to use
|
|
*
|
|
*/
|
|
void crypt_set_rng_type(struct crypt_device *cd, int rng_type);
|
|
|
|
/**
|
|
* Get which RNG (random number generator) is used for generating long term key.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @return RNG type on success or negative errno value otherwise.
|
|
*
|
|
*/
|
|
int crypt_get_rng_type(struct crypt_device *cd);
|
|
|
|
/**
|
|
* PBKDF parameters.
|
|
*/
|
|
struct crypt_pbkdf_type {
|
|
const char *type; /**< PBKDF algorithm */
|
|
const char *hash; /**< Hash algorithm */
|
|
uint32_t time_ms; /**< Requested time cost [milliseconds] */
|
|
uint32_t iterations; /**< Iterations, 0 or benchmarked value. */
|
|
uint32_t max_memory_kb; /**< Requested or benchmarked memory cost [kilobytes] */
|
|
uint32_t parallel_threads;/**< Requested parallel cost [threads] */
|
|
};
|
|
|
|
/** PBKDF2 for LUKS1 and LUKS2 */
|
|
#define CRYPT_KDF_PBKDF2 "pbkdf2"
|
|
/** Argon2i according to RFC */
|
|
#define CRYPT_KDF_ARGON2I "argon2i"
|
|
/** Argon2id according to RFC */
|
|
#define CRYPT_KDF_ARGON2ID "argon2id"
|
|
|
|
/**
|
|
* Set default PBKDF (Password-Based Key Derivation Algorithm) for next keyslot
|
|
* about to get created with any crypt_keyslot_add_*() call. Works only with
|
|
* valid LUKSv2 device handles.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param pbkdf PBKDF parameters
|
|
*
|
|
* @return 0 on success or negative errno value otherwise.
|
|
*
|
|
*/
|
|
int crypt_set_pbkdf_type(struct crypt_device *cd,
|
|
const struct crypt_pbkdf_type *pbkdf);
|
|
|
|
/**
|
|
* Get current default PBKDF (Password-Based Key Derivation Algorithm) for keyslots.
|
|
* Works only with LUKS device handles (both versions).
|
|
*
|
|
* @param cd crypt device handle
|
|
*
|
|
* @return struct on success or NULL value otherwise.
|
|
*
|
|
*/
|
|
const struct crypt_pbkdf_type *crypt_get_pbkdf_type(struct crypt_device *cd);
|
|
|
|
/** @} */
|
|
|
|
/**
|
|
* Helper to lock/unlock memory to avoid swap sensitive data to disk.
|
|
*
|
|
* @param cd crypt device handle, can be @e NULL
|
|
* @param lock 0 to unlock otherwise lock memory
|
|
*
|
|
* @returns Value indicating whether the memory is locked (function can be called multiple times).
|
|
*
|
|
* @note Only root can do this.
|
|
* @note It locks/unlocks all process memory, not only crypt context.
|
|
*/
|
|
int crypt_memory_lock(struct crypt_device *cd, int lock);
|
|
|
|
/**
|
|
* @defgroup crypt_type Cryptsetup on-disk format types
|
|
*
|
|
* Set of functions, \#defines and structs related
|
|
* to on-disk format types
|
|
*/
|
|
|
|
/**
|
|
* @addtogroup crypt_type
|
|
* @{
|
|
*/
|
|
|
|
/** plain crypt device, no on-disk header */
|
|
#define CRYPT_PLAIN "PLAIN"
|
|
/** LUKS version 1 header on-disk */
|
|
#define CRYPT_LUKS1 "LUKS1"
|
|
/** loop-AES compatibility mode */
|
|
#define CRYPT_LOOPAES "LOOPAES"
|
|
/** dm-verity mode */
|
|
#define CRYPT_VERITY "VERITY"
|
|
/** TCRYPT (TrueCrypt-compatible and VeraCrypt-compatible) mode */
|
|
#define CRYPT_TCRYPT "TCRYPT"
|
|
/** INTEGRITY dm-integrity device */
|
|
#define CRYPT_INTEGRITY "INTEGRITY"
|
|
|
|
/**
|
|
* Get device type
|
|
*
|
|
* @param cd crypt device handle
|
|
* @return string according to device type or @e NULL if not known.
|
|
*/
|
|
const char *crypt_get_type(struct crypt_device *cd);
|
|
|
|
/**
|
|
*
|
|
* Structure used as parameter for PLAIN device type.
|
|
*
|
|
* @see crypt_format
|
|
*/
|
|
struct crypt_params_plain {
|
|
const char *hash; /**< password hash function */
|
|
uint64_t offset; /**< offset in sectors */
|
|
uint64_t skip; /**< IV offset / initialization sector */
|
|
uint64_t size; /**< size of mapped device or @e 0 for autodetection */
|
|
};
|
|
|
|
/**
|
|
* Structure used as parameter for LUKS device type.
|
|
*
|
|
* @see crypt_format, crypt_load
|
|
*
|
|
* @note during crypt_format @e data_device attribute determines
|
|
* if the LUKS header is separated from encrypted payload device
|
|
*
|
|
*/
|
|
struct crypt_params_luks1 {
|
|
const char *hash; /**< hash used in LUKS header */
|
|
size_t data_alignment; /**< data alignment in sectors, data offset is multiple of this */
|
|
const char *data_device; /**< detached encrypted data device or @e NULL */
|
|
};
|
|
|
|
/**
|
|
*
|
|
* Structure used as parameter for loop-AES device type.
|
|
*
|
|
* @see crypt_format
|
|
*
|
|
*/
|
|
struct crypt_params_loopaes {
|
|
const char *hash; /**< key hash function */
|
|
uint64_t offset; /**< offset in sectors */
|
|
uint64_t skip; /**< IV offset / initialization sector */
|
|
};
|
|
|
|
/**
|
|
*
|
|
* Structure used as parameter for dm-verity device type.
|
|
*
|
|
* @see crypt_format, crypt_load
|
|
*
|
|
*/
|
|
struct crypt_params_verity {
|
|
const char *hash_name; /**< hash function */
|
|
const char *data_device; /**< data_device (CRYPT_VERITY_CREATE_HASH) */
|
|
const char *hash_device; /**< hash_device (output only) */
|
|
const char *fec_device; /**< fec_device (output only) */
|
|
const char *salt; /**< salt */
|
|
uint32_t salt_size; /**< salt size (in bytes) */
|
|
uint32_t hash_type; /**< in-kernel hashing type */
|
|
uint32_t data_block_size; /**< data block size (in bytes) */
|
|
uint32_t hash_block_size; /**< hash block size (in bytes) */
|
|
uint64_t data_size; /**< data area size (in data blocks) */
|
|
uint64_t hash_area_offset; /**< hash/header offset (in bytes) */
|
|
uint64_t fec_area_offset; /**< FEC/header offset (in bytes) */
|
|
uint32_t fec_roots; /**< Reed-Solomon FEC roots */
|
|
uint32_t flags; /**< CRYPT_VERITY* flags */
|
|
};
|
|
|
|
/** No on-disk header (only hashes) */
|
|
#define CRYPT_VERITY_NO_HEADER (1 << 0)
|
|
/** Verity hash in userspace before activation */
|
|
#define CRYPT_VERITY_CHECK_HASH (1 << 1)
|
|
/** Create hash - format hash device */
|
|
#define CRYPT_VERITY_CREATE_HASH (1 << 2)
|
|
|
|
/**
|
|
*
|
|
* Structure used as parameter for TCRYPT device type.
|
|
*
|
|
* @see crypt_load
|
|
*
|
|
*/
|
|
struct crypt_params_tcrypt {
|
|
const char *passphrase; /**< passphrase to unlock header (input only) */
|
|
size_t passphrase_size; /**< passphrase size (input only, max length is 64) */
|
|
const char **keyfiles; /**< keyfile paths to unlock header (input only) */
|
|
unsigned int keyfiles_count;/**< keyfiles count (input only) */
|
|
const char *hash_name; /**< hash function for PBKDF */
|
|
const char *cipher; /**< cipher chain c1[-c2[-c3]] */
|
|
const char *mode; /**< cipher block mode */
|
|
size_t key_size; /**< key size in bytes (the whole chain) */
|
|
uint32_t flags; /**< CRYPT_TCRYPT* flags */
|
|
uint32_t veracrypt_pim; /**< VeraCrypt Personal Iteration Multiplier */
|
|
};
|
|
|
|
/** Include legacy modes when scanning for header */
|
|
#define CRYPT_TCRYPT_LEGACY_MODES (1 << 0)
|
|
/** Try to load hidden header (describing hidden device) */
|
|
#define CRYPT_TCRYPT_HIDDEN_HEADER (1 << 1)
|
|
/** Try to load backup header */
|
|
#define CRYPT_TCRYPT_BACKUP_HEADER (1 << 2)
|
|
/** Device contains encrypted system (with boot loader) */
|
|
#define CRYPT_TCRYPT_SYSTEM_HEADER (1 << 3)
|
|
/** Include VeraCrypt modes when scanning for header,
|
|
* all other TCRYPT flags applies as well.
|
|
* VeraCrypt device is reported as TCRYPT type.
|
|
*/
|
|
#define CRYPT_TCRYPT_VERA_MODES (1 << 4)
|
|
|
|
/**
|
|
*
|
|
* Structure used as parameter for dm-integrity device type.
|
|
*
|
|
* @see crypt_format, crypt_load
|
|
*
|
|
*/
|
|
struct crypt_params_integrity {
|
|
uint64_t journal_size; /**< size of journal in bytes */
|
|
unsigned int journal_watermark; /**< journal flush watermark in percents */
|
|
unsigned int journal_commit_time; /**< journal commit time in ms */
|
|
uint32_t interleave_sectors; /**< number of interleave sectors (power of two) */
|
|
uint32_t tag_size; /**< tag size per-sector in bytes */
|
|
uint32_t sector_size; /**< sector size in bytes */
|
|
uint32_t buffer_sectors; /**< number of sectors in one buffer */
|
|
const char *integrity; /**< integrity algorithm */
|
|
uint32_t integrity_key_size; /**< integrity key size, info only */
|
|
|
|
const char *journal_integrity; /**< journal integrity algorithm */
|
|
const char *journal_integrity_key; /**< journal integrity key, only for crypt_load */
|
|
uint32_t journal_integrity_key_size; /**< journal integrity key size, only for crypt_load */
|
|
|
|
const char *journal_crypt; /**< journal encryption algorithm */
|
|
const char *journal_crypt_key; /**< journal crypt key, only for crypt_load */
|
|
uint32_t journal_crypt_key_size; /**< journal crypt key size, only for crypt_load */
|
|
};
|
|
|
|
/** @} */
|
|
|
|
/**
|
|
* Create (format) new crypt device (and possible header on-disk) but do not activate it.
|
|
*
|
|
* @pre @e cd contains initialized and not formatted device context (device type must @b not be set)
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param type type of device (optional params struct must be of this type)
|
|
* @param cipher (e.g. "aes")
|
|
* @param cipher_mode including IV specification (e.g. "xts-plain")
|
|
* @param uuid requested UUID or @e NULL if it should be generated
|
|
* @param volume_key pre-generated volume key or @e NULL if it should be generated (only for LUKS)
|
|
* @param volume_key_size size of volume key in bytes.
|
|
* @param params crypt type specific parameters (see @link crypt_type @endlink)
|
|
*
|
|
* @returns @e 0 on success or negative errno value otherwise.
|
|
*
|
|
* @note Note that crypt_format does not enable any keyslot (in case of work with LUKS device),
|
|
* but it stores volume key internally and subsequent crypt_keyslot_add_* calls can be used.
|
|
* @note For VERITY @link crypt_type @endlink, only uuid parameter is used, others paramaters
|
|
* are ignored and verity specific attributes are set through mandatory params option.
|
|
*/
|
|
int crypt_format(struct crypt_device *cd,
|
|
const char *type,
|
|
const char *cipher,
|
|
const char *cipher_mode,
|
|
const char *uuid,
|
|
const char *volume_key,
|
|
size_t volume_key_size,
|
|
void *params);
|
|
|
|
/**
|
|
* Set new UUID for already existing device.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param uuid requested UUID or @e NULL if it should be generated
|
|
*
|
|
* @returns 0 on success or negative errno value otherwise.
|
|
*
|
|
* @note Currently, only LUKS device type are supported
|
|
*/
|
|
int crypt_set_uuid(struct crypt_device *cd,
|
|
const char *uuid);
|
|
|
|
/**
|
|
* Load crypt device parameters from on-disk header.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param requested_type @link crypt_type @endlink or @e NULL for all known
|
|
* @param params crypt type specific parameters (see @link crypt_type @endlink)
|
|
*
|
|
* @returns 0 on success or negative errno value otherwise.
|
|
*
|
|
* @post In case LUKS header is read successfully but payload device is too small
|
|
* error is returned and device type in context is set to @e NULL
|
|
*
|
|
* @note Note that in current version load works only for LUKS and VERITY device type.
|
|
*
|
|
*/
|
|
int crypt_load(struct crypt_device *cd,
|
|
const char *requested_type,
|
|
void *params);
|
|
|
|
/**
|
|
* Try to repair crypt device on-disk header if invalid.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param requested_type @link crypt_type @endlink or @e NULL for all known
|
|
* @param params crypt type specific parameters (see @link crypt_type @endlink)
|
|
*
|
|
* @returns 0 on success or negative errno value otherwise.
|
|
*
|
|
*/
|
|
int crypt_repair(struct crypt_device *cd,
|
|
const char *requested_type,
|
|
void *params);
|
|
|
|
/**
|
|
* Resize crypt device.
|
|
*
|
|
* @param cd - crypt device handle
|
|
* @param name - name of device to resize
|
|
* @param new_size - new device size in sectors or @e 0 to use all of the underlying device size
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*/
|
|
int crypt_resize(struct crypt_device *cd,
|
|
const char *name,
|
|
uint64_t new_size);
|
|
|
|
/**
|
|
* Suspend crypt device.
|
|
*
|
|
* @param cd crypt device handle, can be @e NULL
|
|
* @param name name of device to suspend
|
|
*
|
|
* @return 0 on success or negative errno value otherwise.
|
|
*
|
|
* @note Only LUKS device type is supported
|
|
*
|
|
*/
|
|
int crypt_suspend(struct crypt_device *cd,
|
|
const char *name);
|
|
|
|
/**
|
|
* Resume crypt device using passphrase.
|
|
*
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param name name of device to resume
|
|
* @param keyslot requested keyslot or CRYPT_ANY_SLOT
|
|
* @param passphrase passphrase used to unlock volume key, @e NULL for query
|
|
* @param passphrase_size size of @e passphrase (binary data)
|
|
*
|
|
* @return unlocked key slot number or negative errno otherwise.
|
|
*
|
|
* @note Only LUKS device type is supported
|
|
*/
|
|
int crypt_resume_by_passphrase(struct crypt_device *cd,
|
|
const char *name,
|
|
int keyslot,
|
|
const char *passphrase,
|
|
size_t passphrase_size);
|
|
|
|
/**
|
|
* Resume crypt device using key file.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param name name of device to resume
|
|
* @param keyslot requested keyslot or CRYPT_ANY_SLOT
|
|
* @param keyfile key file used to unlock volume key, @e NULL for passphrase query
|
|
* @param keyfile_size number of bytes to read from keyfile, 0 is unlimited
|
|
* @param keyfile_offset number of bytes to skip at start of keyfile
|
|
*
|
|
* @return unlocked key slot number or negative errno otherwise.
|
|
*/
|
|
int crypt_resume_by_keyfile_offset(struct crypt_device *cd,
|
|
const char *name,
|
|
int keyslot,
|
|
const char *keyfile,
|
|
size_t keyfile_size,
|
|
size_t keyfile_offset);
|
|
/**
|
|
* Backward compatible crypt_resume_by_keyfile_offset() (without offset).
|
|
*/
|
|
int crypt_resume_by_keyfile(struct crypt_device *cd,
|
|
const char *name,
|
|
int keyslot,
|
|
const char *keyfile,
|
|
size_t keyfile_size);
|
|
|
|
/**
|
|
* Release crypt device context and used memory.
|
|
*
|
|
* @param cd crypt device handle
|
|
*/
|
|
void crypt_free(struct crypt_device *cd);
|
|
|
|
/**
|
|
* @defgroup keyslot Cryptsetup LUKS keyslots
|
|
* @addtogroup keyslot
|
|
* @{
|
|
*
|
|
*/
|
|
|
|
/** iterate through all keyslots and find first one that fits */
|
|
#define CRYPT_ANY_SLOT -1
|
|
|
|
/**
|
|
* Add key slot using provided passphrase.
|
|
*
|
|
* @pre @e cd contains initialized and formatted LUKS device context
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param keyslot requested keyslot or @e CRYPT_ANY_SLOT
|
|
* @param passphrase passphrase used to unlock volume key, @e NULL for query
|
|
* @param passphrase_size size of passphrase (binary data)
|
|
* @param new_passphrase passphrase for new keyslot, @e NULL for query
|
|
* @param new_passphrase_size size of @e new_passphrase (binary data)
|
|
*
|
|
* @return allocated key slot number or negative errno otherwise.
|
|
*/
|
|
int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
|
|
int keyslot,
|
|
const char *passphrase,
|
|
size_t passphrase_size,
|
|
const char *new_passphrase,
|
|
size_t new_passphrase_size);
|
|
|
|
/**
|
|
* Change defined key slot using provided passphrase.
|
|
*
|
|
* @pre @e cd contains initialized and formatted LUKS device context
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param keyslot_old old keyslot or @e CRYPT_ANY_SLOT
|
|
* @param keyslot_new new keyslot (can be the same as old)
|
|
* @param passphrase passphrase used to unlock volume key, @e NULL for query
|
|
* @param passphrase_size size of passphrase (binary data)
|
|
* @param new_passphrase passphrase for new keyslot, @e NULL for query
|
|
* @param new_passphrase_size size of @e new_passphrase (binary data)
|
|
*
|
|
* @return allocated key slot number or negative errno otherwise.
|
|
*
|
|
* @note This function is just internal implementation of luksChange
|
|
* command to avoid reading of volume key outside libcryptsetup boundary
|
|
* in FIPS mode.
|
|
*/
|
|
int crypt_keyslot_change_by_passphrase(struct crypt_device *cd,
|
|
int keyslot_old,
|
|
int keyslot_new,
|
|
const char *passphrase,
|
|
size_t passphrase_size,
|
|
const char *new_passphrase,
|
|
size_t new_passphrase_size);
|
|
|
|
/**
|
|
* Add key slot using provided key file path.
|
|
*
|
|
* @pre @e cd contains initialized and formatted LUKS device context
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param keyslot requested keyslot or @e CRYPT_ANY_SLOT
|
|
* @param keyfile key file used to unlock volume key, @e NULL for passphrase query
|
|
* @param keyfile_size number of bytes to read from keyfile, @e 0 is unlimited
|
|
* @param keyfile_offset number of bytes to skip at start of keyfile
|
|
* @param new_keyfile keyfile for new keyslot, @e NULL for passphrase query
|
|
* @param new_keyfile_size number of bytes to read from @e new_keyfile, @e 0 is unlimited
|
|
* @param new_keyfile_offset number of bytes to skip at start of new_keyfile
|
|
*
|
|
* @return allocated key slot number or negative errno otherwise.
|
|
*/
|
|
int crypt_keyslot_add_by_keyfile_offset(struct crypt_device *cd,
|
|
int keyslot,
|
|
const char *keyfile,
|
|
size_t keyfile_size,
|
|
size_t keyfile_offset,
|
|
const char *new_keyfile,
|
|
size_t new_keyfile_size,
|
|
size_t new_keyfile_offset);
|
|
/**
|
|
* Backward compatible crypt_keyslot_add_by_keyfile_offset() (without offset).
|
|
*/
|
|
int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
|
|
int keyslot,
|
|
const char *keyfile,
|
|
size_t keyfile_size,
|
|
const char *new_keyfile,
|
|
size_t new_keyfile_size);
|
|
|
|
/**
|
|
* Add key slot using provided volume key.
|
|
*
|
|
* @pre @e cd contains initialized and formatted LUKS device context
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param keyslot requested keyslot or CRYPT_ANY_SLOT
|
|
* @param volume_key provided volume key or @e NULL if used after crypt_format
|
|
* @param volume_key_size size of volume_key
|
|
* @param passphrase passphrase for new keyslot, @e NULL for query
|
|
* @param passphrase_size size of passphrase
|
|
*
|
|
* @return allocated key slot number or negative errno otherwise.
|
|
*/
|
|
int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
|
|
int keyslot,
|
|
const char *volume_key,
|
|
size_t volume_key_size,
|
|
const char *passphrase,
|
|
size_t passphrase_size);
|
|
|
|
/**
|
|
* Destroy (and disable) key slot.
|
|
*
|
|
* @pre @e cd contains initialized and formatted LUKS device context
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param keyslot requested key slot to destroy
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*
|
|
* @note Note that there is no passphrase verification used.
|
|
*/
|
|
int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);
|
|
|
|
/** @} */
|
|
|
|
/**
|
|
* @defgroup aflags Device runtime attributes
|
|
*
|
|
* Activation flags
|
|
*
|
|
* @addtogroup aflags
|
|
* @{
|
|
*
|
|
*/
|
|
/** device is read only */
|
|
#define CRYPT_ACTIVATE_READONLY (1 << 0)
|
|
/** only reported for device without uuid */
|
|
#define CRYPT_ACTIVATE_NO_UUID (1 << 1)
|
|
/** activate even if cannot grant exclusive access (DANGEROUS) */
|
|
#define CRYPT_ACTIVATE_SHARED (1 << 2)
|
|
/** enable discards aka TRIM */
|
|
#define CRYPT_ACTIVATE_ALLOW_DISCARDS (1 << 3)
|
|
/** skip global udev rules in activation ("private device"), input only */
|
|
#define CRYPT_ACTIVATE_PRIVATE (1 << 4)
|
|
/** corruption detected (verity), output only */
|
|
#define CRYPT_ACTIVATE_CORRUPTED (1 << 5)
|
|
/** use same_cpu_crypt option for dm-crypt */
|
|
#define CRYPT_ACTIVATE_SAME_CPU_CRYPT (1 << 6)
|
|
/** use submit_from_crypt_cpus for dm-crypt */
|
|
#define CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS (1 << 7)
|
|
/** dm-verity: ignore_corruption flag - ignore corruption, log it only */
|
|
#define CRYPT_ACTIVATE_IGNORE_CORRUPTION (1 << 8)
|
|
/** dm-verity: restart_on_corruption flag - restart kernel on corruption */
|
|
#define CRYPT_ACTIVATE_RESTART_ON_CORRUPTION (1 << 9)
|
|
/** dm-verity: ignore_zero_blocks - do not verify zero blocks */
|
|
#define CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS (1 << 10)
|
|
/** dm-integrity: direct writes, do not use journal */
|
|
#define CRYPT_ACTIVATE_NO_JOURNAL (1 << 12)
|
|
/** dm-integrity: recovery mode - no journal, no integrity checks */
|
|
#define CRYPT_ACTIVATE_RECOVERY (1 << 13)
|
|
|
|
/**
|
|
* Active device runtime attributes
|
|
*/
|
|
struct crypt_active_device {
|
|
uint64_t offset; /**< offset in sectors */
|
|
uint64_t iv_offset; /**< IV initialization sector */
|
|
uint64_t size; /**< active device size */
|
|
uint32_t flags; /**< activation flags */
|
|
};
|
|
|
|
/**
|
|
* Receive runtime attributes of active crypt device.
|
|
*
|
|
* @param cd crypt device handle (can be @e NULL)
|
|
* @param name name of active device
|
|
* @param cad preallocated active device attributes to fill
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise
|
|
*
|
|
*/
|
|
int crypt_get_active_device(struct crypt_device *cd,
|
|
const char *name,
|
|
struct crypt_active_device *cad);
|
|
|
|
/** @} */
|
|
|
|
/**
|
|
* Activate device or check passphrase.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param name name of device to create, if @e NULL only check passphrase
|
|
* @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT
|
|
* @param passphrase passphrase used to unlock volume key, @e NULL for query
|
|
* @param passphrase_size size of @e passphrase
|
|
* @param flags activation flags
|
|
*
|
|
* @return unlocked key slot number or negative errno otherwise.
|
|
*/
|
|
int crypt_activate_by_passphrase(struct crypt_device *cd,
|
|
const char *name,
|
|
int keyslot,
|
|
const char *passphrase,
|
|
size_t passphrase_size,
|
|
uint32_t flags);
|
|
|
|
/**
|
|
* Activate device or check using key file.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param name name of device to create, if @e NULL only check keyfile
|
|
* @param keyslot requested keyslot to check or CRYPT_ANY_SLOT
|
|
* @param keyfile key file used to unlock volume key
|
|
* @param keyfile_size number of bytes to read from keyfile, 0 is unlimited
|
|
* @param keyfile_offset number of bytes to skip at start of keyfile
|
|
* @param flags activation flags
|
|
*
|
|
* @return unlocked key slot number or negative errno otherwise.
|
|
*/
|
|
int crypt_activate_by_keyfile_offset(struct crypt_device *cd,
|
|
const char *name,
|
|
int keyslot,
|
|
const char *keyfile,
|
|
size_t keyfile_size,
|
|
size_t keyfile_offset,
|
|
uint32_t flags);
|
|
/**
|
|
* Backward compatible crypt_activate_by_keyfile_offset() (without offset).
|
|
*/
|
|
int crypt_activate_by_keyfile(struct crypt_device *cd,
|
|
const char *name,
|
|
int keyslot,
|
|
const char *keyfile,
|
|
size_t keyfile_size,
|
|
uint32_t flags);
|
|
|
|
/**
|
|
* Activate device using provided volume key.
|
|
*
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param name name of device to create, if @e NULL only check volume key
|
|
* @param volume_key provided volume key (or @e NULL to use internal)
|
|
* @param volume_key_size size of volume_key
|
|
* @param flags activation flags
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*
|
|
* @note If @e NULL is used for volume_key, device has to be initialized
|
|
* by previous operation (like @ref crypt_format
|
|
* or @ref crypt_init_by_name)
|
|
* @note For VERITY the volume key means root hash required for activation.
|
|
* Because kernel dm-verity is always read only, you have to provide
|
|
* CRYPT_ACTIVATE_READONLY flag always.
|
|
* @note For TCRYPT the volume key should be always NULL and because master
|
|
* key from decrypted header is used instead.
|
|
*/
|
|
int crypt_activate_by_volume_key(struct crypt_device *cd,
|
|
const char *name,
|
|
const char *volume_key,
|
|
size_t volume_key_size,
|
|
uint32_t flags);
|
|
|
|
/** lazy deactivation - remove once last user releases it */
|
|
#define CRYPT_DEACTIVATE_DEFERRED (1 << 0)
|
|
/** force deactivation - if the device is busy, it is replaced by error device */
|
|
#define CRYPT_DEACTIVATE_FORCE (1 << 1)
|
|
|
|
/**
|
|
* Deactivate crypt device. This function tries to remove active device-mapper
|
|
* mapping from kernel. Also, sensitive data like the volume key are removed from
|
|
* memory
|
|
*
|
|
* @param cd crypt device handle, can be @e NULL
|
|
* @param name name of device to deactivate
|
|
* @param flags deactivation flags
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*
|
|
*/
|
|
int crypt_deactivate_by_name(struct crypt_device *cd,
|
|
const char *name,
|
|
uint32_t flags);
|
|
|
|
/**
|
|
* Deactivate crypt device. See @ref crypt_deactivate_by_name with empty @e flags.
|
|
*/
|
|
int crypt_deactivate(struct crypt_device *cd, const char *name);
|
|
|
|
/**
|
|
* Get volume key from crypt device.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
|
|
* @param volume_key buffer for volume key
|
|
* @param volume_key_size on input, size of buffer @e volume_key,
|
|
* on output size of @e volume_key
|
|
* @param passphrase passphrase used to unlock volume key
|
|
* @param passphrase_size size of @e passphrase
|
|
*
|
|
* @return unlocked key slot number or negative errno otherwise.
|
|
*
|
|
* @note For TCRYPT cipher chain is the volume key concatenated
|
|
* for all ciphers in chain.
|
|
*/
|
|
int crypt_volume_key_get(struct crypt_device *cd,
|
|
int keyslot,
|
|
char *volume_key,
|
|
size_t *volume_key_size,
|
|
const char *passphrase,
|
|
size_t passphrase_size);
|
|
|
|
/**
|
|
* Verify that provided volume key is valid for crypt device.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param volume_key provided volume key
|
|
* @param volume_key_size size of @e volume_key
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*/
|
|
int crypt_volume_key_verify(struct crypt_device *cd,
|
|
const char *volume_key,
|
|
size_t volume_key_size);
|
|
|
|
/**
|
|
* @defgroup devstat Crypt and Verity device status
|
|
* @addtogroup devstat
|
|
* @{
|
|
*/
|
|
|
|
/**
|
|
* Device status
|
|
*/
|
|
typedef enum {
|
|
CRYPT_INVALID, /**< device mapping is invalid in this context */
|
|
CRYPT_INACTIVE, /**< no such mapped device */
|
|
CRYPT_ACTIVE, /**< device is active */
|
|
CRYPT_BUSY /**< device is active and has open count > 0 */
|
|
} crypt_status_info;
|
|
|
|
/**
|
|
* Get status info about device name.
|
|
*
|
|
* @param cd crypt device handle, can be @e NULL
|
|
* @param name crypt device name
|
|
*
|
|
* @return value defined by crypt_status_info.
|
|
*
|
|
*/
|
|
crypt_status_info crypt_status(struct crypt_device *cd, const char *name);
|
|
|
|
/**
|
|
* Dump text-formatted information about crypt or verity device to log output.
|
|
*
|
|
* @param cd crypt device handle
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*/
|
|
int crypt_dump(struct crypt_device *cd);
|
|
|
|
/**
|
|
* Get cipher used in device.
|
|
*
|
|
* @param cd crypt device handle
|
|
*
|
|
* @return used cipher, e.g. "aes" or @e NULL otherwise
|
|
*
|
|
*/
|
|
const char *crypt_get_cipher(struct crypt_device *cd);
|
|
|
|
/**
|
|
* Get cipher mode used in device.
|
|
*
|
|
* @param cd crypt device handle
|
|
*
|
|
* @return used cipher mode e.g. "xts-plain" or @e otherwise
|
|
*
|
|
*/
|
|
const char *crypt_get_cipher_mode(struct crypt_device *cd);
|
|
|
|
/**
|
|
* Get device UUID.
|
|
*
|
|
* @param cd crypt device handle
|
|
*
|
|
* @return device UUID or @e NULL if not set
|
|
*
|
|
*/
|
|
const char *crypt_get_uuid(struct crypt_device *cd);
|
|
|
|
/**
|
|
* Get path to underlaying device.
|
|
*
|
|
* @param cd crypt device handle
|
|
*
|
|
* @return path to underlaying device name
|
|
*
|
|
*/
|
|
const char *crypt_get_device_name(struct crypt_device *cd);
|
|
|
|
/**
|
|
* Get device offset in sectors where real data starts (on underlying device).
|
|
*
|
|
* @param cd crypt device handle
|
|
*
|
|
* @return device offset in sectors
|
|
*
|
|
*/
|
|
uint64_t crypt_get_data_offset(struct crypt_device *cd);
|
|
|
|
/**
|
|
* Get IV offset in sectors (skip).
|
|
*
|
|
* @param cd crypt device handle
|
|
*
|
|
* @return IV offset
|
|
*
|
|
*/
|
|
uint64_t crypt_get_iv_offset(struct crypt_device *cd);
|
|
|
|
/**
|
|
* Get size (in bytes) of volume key for crypt device.
|
|
*
|
|
* @param cd crypt device handle
|
|
*
|
|
* @return volume key size
|
|
*
|
|
*/
|
|
int crypt_get_volume_key_size(struct crypt_device *cd);
|
|
|
|
/**
|
|
* Get size (in bytes) of encryption sector for crypt device.
|
|
*
|
|
* @param cd crypt device handle
|
|
*
|
|
* @return sector size
|
|
*
|
|
*/
|
|
int crypt_get_sector_size(struct crypt_device *cd);
|
|
|
|
/**
|
|
* Get device parameters for VERITY device.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param vp verity device info
|
|
*
|
|
* @e 0 on success or negative errno value otherwise.
|
|
*
|
|
*/
|
|
int crypt_get_verity_info(struct crypt_device *cd,
|
|
struct crypt_params_verity *vp);
|
|
|
|
/**
|
|
* Get device parameters for INTEGRITY device.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param ip verity device info
|
|
*
|
|
* @e 0 on success or negative errno value otherwise.
|
|
*
|
|
*/
|
|
int crypt_get_integrity_info(struct crypt_device *cd,
|
|
struct crypt_params_integrity *ip);
|
|
/** @} */
|
|
|
|
/**
|
|
* @defgroup benchmark Benchmarking
|
|
*
|
|
* Benchmarking of algorithms
|
|
*
|
|
* @addtogroup benchmark
|
|
* @{
|
|
*
|
|
*/
|
|
|
|
/**
|
|
* Informational benchmark for ciphers.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param cipher (e.g. "aes")
|
|
* @param cipher_mode (e.g. "xts"), IV generator is ignored
|
|
* @param volume_key_size size of volume key in bytes
|
|
* @param iv_size size of IV in bytes
|
|
* @param buffer_size size of encryption buffer in bytes used in test
|
|
* @param encryption_mbs measured encryption speed in MiB/s
|
|
* @param decryption_mbs measured decryption speed in MiB/s
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*
|
|
* @note If encryption_buffer_size is too small and encryption time
|
|
* cannot be properly measured, -ERANGE is returned.
|
|
*/
|
|
int crypt_benchmark(struct crypt_device *cd,
|
|
const char *cipher,
|
|
const char *cipher_mode,
|
|
size_t volume_key_size,
|
|
size_t iv_size,
|
|
size_t buffer_size,
|
|
double *encryption_mbs,
|
|
double *decryption_mbs);
|
|
|
|
/**
|
|
* Informational benchmark for PBKDF.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param pbkdf PBKDF parameters
|
|
* @param password password for benchmark
|
|
* @param password_size size of password
|
|
* @param salt salt for benchmark
|
|
* @param salt_size size of salt
|
|
* @param volume_key_size output volume key size
|
|
* @param iterations_sec returns measured PBKDF iterations per second
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*/
|
|
int crypt_benchmark_pbkdf(struct crypt_device *cd,
|
|
struct crypt_pbkdf_type *pbkdf,
|
|
const char *password,
|
|
size_t password_size,
|
|
const char *salt,
|
|
size_t salt_size,
|
|
size_t volume_key_size,
|
|
int (*progress)(long time_ms, void *usrptr),
|
|
void *usrptr);
|
|
|
|
/** @} */
|
|
|
|
/**
|
|
* @addtogroup keyslot
|
|
* @{
|
|
*
|
|
*/
|
|
|
|
/**
|
|
* Crypt keyslot info
|
|
*/
|
|
typedef enum {
|
|
CRYPT_SLOT_INVALID, /**< invalid keyslot */
|
|
CRYPT_SLOT_INACTIVE, /**< keyslot is inactive (free) */
|
|
CRYPT_SLOT_ACTIVE, /**< keyslot is active (used) */
|
|
CRYPT_SLOT_ACTIVE_LAST /**< keylost is active (used)
|
|
* and last used at the same time */
|
|
} crypt_keyslot_info;
|
|
|
|
/**
|
|
* Get information about particular key slot.
|
|
*
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param keyslot requested keyslot to check or CRYPT_ANY_SLOT
|
|
*
|
|
* @return value defined by crypt_keyslot_info
|
|
*
|
|
*/
|
|
crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot);
|
|
/** @} */
|
|
|
|
/**
|
|
* Get number of keyslots supported for device type.
|
|
*
|
|
* @param type crypt device type
|
|
*
|
|
* @return slot count or negative errno otherwise if device
|
|
* doesn't not support keyslots.
|
|
*/
|
|
int crypt_keyslot_max(const char *type);
|
|
|
|
/**
|
|
* Get keyslot area pointers (relative to metadata device).
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param keyslot keyslot number
|
|
* @param offset offset on metadata device (in bytes)
|
|
* @param length length of keyslot area (in bytes)
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*
|
|
*/
|
|
int crypt_keyslot_area(struct crypt_device *cd,
|
|
int keyslot,
|
|
uint64_t *offset,
|
|
uint64_t *length);
|
|
|
|
/**
|
|
* Backup header and keyslots to file.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param requested_type @link crypt_type @endlink or @e NULL for all known
|
|
* @param backup_file file to backup header to
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*
|
|
*/
|
|
int crypt_header_backup(struct crypt_device *cd,
|
|
const char *requested_type,
|
|
const char *backup_file);
|
|
|
|
/**
|
|
* Restore header and keyslots from backup file.
|
|
*
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param requested_type @link crypt_type @endlink or @e NULL for all known
|
|
* @param backup_file file to restore header from
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*
|
|
*/
|
|
int crypt_header_restore(struct crypt_device *cd,
|
|
const char *requested_type,
|
|
const char *backup_file);
|
|
|
|
/**
|
|
* Get directory where mapped crypt devices are created
|
|
*
|
|
* @return the directory path
|
|
*/
|
|
const char *crypt_get_dir(void);
|
|
|
|
/**
|
|
* @defgroup dbg Library debug level
|
|
*
|
|
* Set library debug level
|
|
*
|
|
* @addtogroup dbg
|
|
* @{
|
|
*/
|
|
|
|
/** Debug all */
|
|
#define CRYPT_DEBUG_ALL -1
|
|
/** Debug none */
|
|
#define CRYPT_DEBUG_NONE 0
|
|
|
|
/**
|
|
* Set the debug level for library
|
|
*
|
|
* @param level debug level
|
|
*
|
|
*/
|
|
void crypt_set_debug_level(int level);
|
|
|
|
/** @} */
|
|
|
|
/**
|
|
* Read keyfile
|
|
*
|
|
*/
|
|
int crypt_keyfile_read(struct crypt_device *cd,
|
|
const char *keyfile,
|
|
char **key, size_t *key_size_read,
|
|
size_t keyfile_offset,
|
|
size_t keyfile_size_max,
|
|
uint32_t flags
|
|
);
|
|
/** No on-disk header (only hashes) */
|
|
#define CRYPT_KEYFILE_STOP_EOL (1 << 0)
|
|
|
|
/**
|
|
* @defgroup wipe Device wipe helper
|
|
*
|
|
* Wipe or fill a device with a pattern.
|
|
*
|
|
* @addtogroup wipe
|
|
* @{
|
|
*/
|
|
|
|
/**
|
|
* Wipe pattern
|
|
*/
|
|
typedef enum {
|
|
CRYPT_WIPE_ZERO, /**< Fill with zeroes */
|
|
CRYPT_WIPE_RANDOM, /**< Use RNG to fill data */
|
|
CRYPT_WIPE_ENCRYPTED_ZERO, /**< Add encryption and fill with zeroes as plaintext */
|
|
CRYPT_WIPE_SPECIAL, /**< Compatibility only, do not use (Gutmann method) */
|
|
} crypt_wipe_pattern;
|
|
|
|
/**
|
|
* Wipe/Fill (part of) a device with the selected pattern.
|
|
*
|
|
* @param cd crypt device handle
|
|
* @param dev_path path to device to wipe or @e NULL if data device should be used
|
|
* @param pattern selected wipe pattern
|
|
* @param offset offset on device (in bytes)
|
|
* @param length length of area to be wiped (in bytes)
|
|
* @param wipe_block_size used block for wiping (one step) (in bytes)
|
|
* @param flags wipe flags
|
|
* @param progress callback function called after each @e wipe_block_size or @e NULL
|
|
* @param usrptr provided identification in callback
|
|
*
|
|
* @return @e 0 on success or negative errno value otherwise.
|
|
*
|
|
* @note A @e progress callback can interrupt wipe process by returning non-zero code.
|
|
*
|
|
* @note If the error values is -EIO or -EINTR, some part of the device could
|
|
* be overwritten. Other error codes (-EINVAL, -ENOMEM) means that no IO was performed.
|
|
*/
|
|
int crypt_wipe(struct crypt_device *cd,
|
|
const char *dev_path, /* if null, use data device */
|
|
crypt_wipe_pattern pattern,
|
|
uint64_t offset,
|
|
uint64_t length,
|
|
size_t wipe_block_size,
|
|
uint32_t flags,
|
|
int (*progress)(uint64_t size, uint64_t offset, void *usrptr),
|
|
void *usrptr
|
|
);
|
|
|
|
/** Use direct-io */
|
|
#define CRYPT_WIPE_NO_DIRECT_IO (1 << 0)
|
|
|
|
/** @} */
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
#endif /* _LIBCRYPTSETUP_H */
|