libcryptsetup.h 28 KB
Newer Older
Milan Broz's avatar
Milan Broz committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
/*
 * libcryptsetup - cryptsetup library
 *
 * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

22 23 24 25 26
/**
 * @file libcryptsetup.h
 * @brief Public cryptsetup API
 *
 * For more verbose examples of LUKS related use cases,
27
 * please read @ref index "examples".
28 29
 */

30 31
#ifndef _LIBCRYPTSETUP_H
#define _LIBCRYPTSETUP_H
32 33 34
#ifdef __cplusplus
extern "C" {
#endif
35 36 37

#include <stdint.h>

38 39
struct crypt_device; /* crypt device handle */

40
/**
41
 * Initialize crypt device handle and check if provided device exists.
42
 *
43 44 45 46 47 48
 * @param cd Returns pointer to crypt device handle
 * @param device Path to the backing device.
 * 	  If @e device is not a block device but a path to some file,
 * 	  the function will try to create a loopdevice and attach
 * 	  the file to the loopdevice with AUTOCLEAR flag set.
 * 	  If @e device is @e NULL function it will initialize dm backend only.
49
 *
50
 * @return @e 0 on success or negative errno value otherwise.
51
 *
52 53
 * @note Note that logging is not initialized here, possible messages uses
 * 	 default log function.
54 55
 */
int crypt_init(struct crypt_device **cd, const char *device);
56

57
/**
58
 * Initialize crypt device handle from provided active device name,
59
 * and, optionally, from separate metadata (header) device
60 61
 * and check if provided device exists.
 *
62 63 64 65 66 67
 * @return @e 0 on success or negative errno value otherwise.
 *
 * @param cd returns crypt device handle for active device
 * @param name name of active crypt device
 * @param header_device optional device containing on-disk header
 * 	  (@e NULL if it the same as underlying device on there is no on-disk header)
68
 *
69 70 71
 * @post In case @e device points to active LUKS device but header load fails,
 * context device type is set to @e NULL and @e 0 is returned as if it were successful.
 * Context with @e NULL device type can only be deactivated by crypt_deactivate
72
 *
73 74
 * @note @link crypt_init_by_name @endlink is equivalent to calling
 * 	 crypt_init_by_name_and_header(cd, name, NULL);
75
 */
76 77 78
int crypt_init_by_name_and_header(struct crypt_device **cd,
				  const char *name,
				  const char *header_device);
79 80 81 82 83 84 85

/**
 * This is equivalent to call
 * @ref crypt_init_by_name_and_header "crypt_init_by_name_and_header(cd, name, NULL)"
 *
 * @sa crypt_init_by_name_and_header
 */
86 87
int crypt_init_by_name(struct crypt_device **cd, const char *name);

88
/**
89
 * @defgroup loglevel "Cryptsetup logging"
90 91 92
 *
 * Set of functions and defines used in cryptsetup for
 * logging purposes
93 94
 *
 */
95 96 97 98 99 100 101

/**
 * @addtogroup loglevel
 * @{
 */

/** normal log level */
102
#define CRYPT_LOG_NORMAL 0
103
/** error log level */
104
#define CRYPT_LOG_ERROR  1
105
/** verbose log level */
106
#define CRYPT_LOG_VERBOSE  2
107 108 109 110 111 112 113 114 115 116 117 118
/** debug log level - always on stdout */
#define CRYPT_LOG_DEBUG -1

/**
 * Set log function.
 *
 * @param cd crypt device handle (can be @e NULL to set default log function)
 * @param log user defined log function reference
 * @param usrptr provided identification in callback
 * @param level log level below (debug messages can uses other levels)
 * @param msg log message
 */
119
void crypt_set_log_callback(struct crypt_device *cd,
120
	void (*log)(int level, const char *msg, void *usrptr),
121 122
	void *usrptr);

123
/**
124 125 126
 * Defines log function or use the default one otherwise.
 *
 * @see crypt_set_log_callback
127
 *
128 129 130
 * @param cd crypt device handle
 * @param level log level
 * @param msg log message
131
 */
132
void crypt_log(struct crypt_device *cd, int level, const char *msg);
133
/** @} */
134

135 136 137
/**
 * Set confirmation callback (yes/no)
 *
138 139
 * If code need confirmation (like resetting uuid or restoring LUKS header from file)
 * this function is called. If not defined, everything is confirmed.
140
 *
141 142
 * Callback function @e confirm should return @e 0 if operation is declined,
 * other values mean accepted.
143
 *
144 145 146 147 148 149
 * @param cd crypt device handle
 * @param confirm user defined confirm callback reference
 * @param usrptr provided identification in callback
 * @param msg Message for user to confirm
 *
 * @note Current version of cryptsetup API requires confirmation only when UUID is being changed
150 151 152 153 154 155 156 157
 */
void crypt_set_confirm_callback(struct crypt_device *cd,
	int (*confirm)(const char *msg, void *usrptr),
	void *usrptr);

/**
 * Set password query callback.
 *
158
 * If code need @e _interactive_ query for password, this callback is called.
159 160
 * If not defined, compiled-in default is called (uses terminal input).
 *
161
 * Callback should return length of password in buffer
Milan Broz's avatar
Milan Broz committed
162 163
 * or negative errno value in case of error.
 *
164
 * @param cd crypt device handle
165
 * @param password user defined password callback reference
166 167 168 169 170 171
 * @param usrptr provided identification in callback
 * @param msg Message for user
 * @param buf buffer for password
 * @param length size of buffer
 *
 * @note Note that if this function is defined, verify option is ignored
172
 *   (caller which provided callback is responsible for password verification)
173
 * @note Only zero terminated passwords can be entered this way, for complex
174
 *   use API functions directly.
175 176 177 178 179 180 181 182 183 184
 * @note Maximal length of password is limited to @e length @e - @e 1 (minimal 511 chars)
 *
 * @see Callback function is used in these call provided, that certain conditions are met:
 * @li crypt_keyslot_add_by_passphrase
 * @li crypt_activate_by_passphrase
 * @li crypt_resume_by_passphrase
 * @li crypt_resume_by_keyfile
 * @li crypt_keyslot_add_by_keyfile
 * @li crypt_keyslot_add_by_volume_key
 *
185 186 187 188 189 190
 */
void crypt_set_password_callback(struct crypt_device *cd,
	int (*password)(const char *msg, char *buf, size_t length, void *usrptr),
	void *usrptr);

/**
191 192
 * Set timeout for interactive password entry using default
 * password callback
193
 *
194 195
 * @param cd crypt device handle
 * @param timeout_sec timeout in seconds
196 197
 */
void crypt_set_timeout(struct crypt_device *cd, uint64_t timeout_sec);
198 199 200 201 202 203 204

/**
 * Set number of retries in case password input has been incorrect
 *
 * @param cd crypt device handle
 * @param tries the number
 */
205
void crypt_set_password_retry(struct crypt_device *cd, int tries);
206 207

/**
208
 * Set how long should cryptsetup iterate in PBKDF2 function.
209 210 211 212 213
 * Default value heads towards the iterations which takes around 1 second
 *
 * @param cd crypt device handle
 * @param iteration_time_ms the time in ms
 */
214 215
void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_ms);
/* Don't ask :-) */
216
void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms);
217 218 219 220 221 222 223 224

/**
 * Set whether passphrase will be verified on input
 * (user has to input same passphrase twice)
 *
 * @param cd crypt device handle
 * @param password_verify @e 0 = false, @e !0 true
 */
225 226
void crypt_set_password_verify(struct crypt_device *cd, int password_verify);

227
/**
228 229 230 231 232 233
 * Set data device (encrypted payload area device) if LUKS header is separated
 *
 * @param cd crypt device handle
 * @param device path to device
 *
 * @pre context is of LUKS type
234
 * @pre unlike @ref crypt_init, in this function param @e device
235
 * 	has to be block device (at least 512B large)
236 237 238
 */
int crypt_set_data_device(struct crypt_device *cd, const char *device);

239
/**
240
 * @defgroup rng "Cryptsetup RNG"
241 242 243
 *
 * @addtogroup rng
 * @{
244 245
 *
 */
246 247

/** CRYPT_RNG_URANDOM - use /dev/urandom */
248
#define CRYPT_RNG_URANDOM 0
249
/** CRYPT_RNG_RANDOM  - use /dev/random (waits if no entropy in system) */
250
#define CRYPT_RNG_RANDOM  1
251 252 253 254 255 256 257 258

/**
 * Set which RNG (random number generator) is used for generating long term key
 *
 * @param cd crypt device handle
 * @param rng_type kernel random number generator to use
 *
 */
259 260 261 262 263
void crypt_set_rng_type(struct crypt_device *cd, int rng_type);

/**
 * Get which RNG (random number generator) is used for generating long term key
 *
264 265
 * @param cd crypt device handle
 * @return RNG type on success or negative errno value otherwise.
266 267 268 269
 *
 */
int crypt_get_rng_type(struct crypt_device *cd);

270 271
/** @} */

272
/**
273
 * Helper to lock/unlock memory to avoid swap sensitive data to disk
274
 *
275 276 277 278
 * @param cd crypt device handle, can be @e NULL
 * @param lock 0 to unlock otherwise lock memory
 *
 * @returns Value indicating whether the memory is locked (function can be called multiple times).
279
 *
280 281
 * @note Only root can do this.
 * @note It locks/unlocks all process memory, not only crypt context.
282 283 284
 */
int crypt_memory_lock(struct crypt_device *cd, int lock);

285 286 287 288 289 290 291 292 293 294 295 296
/**
 * @defgroup crypt_type "Cryptsetup on-disk format types"
 *
 * Set of functions, \#defines and structs related
 * to on-disk format types
 */

/**
 * @addtogroup crypt_type
 * @{
 */

297
/** plain crypt device, no on-disk header */
298 299 300 301 302
#define CRYPT_PLAIN "PLAIN"
/** LUKS version 1 header on-disk */
#define CRYPT_LUKS1 "LUKS1"
/** loop-AES compatibility mode */
#define CRYPT_LOOPAES "LOOPAES"
303

304 305 306
/**
 * Get device type
 *
307 308
 * @param cd crypt device handle
 * @return string according to device type or @e NULL if not known.
309 310 311
 */
const char *crypt_get_type(struct crypt_device *cd);

312 313 314 315 316 317
/**
 *
 * Structure used as parameter for PLAIN device type
 *
 * @see crypt_format
 */
318
struct crypt_params_plain {
319 320 321 322
	const char *hash; /**< password hash function */
	uint64_t offset; /**< offset in sectors */
	uint64_t skip; /**< IV offset / initialization sector */
	uint64_t size; /**< size of mapped device or @e 0 for autodetection */
323 324
};

325 326 327 328 329 330 331 332 333
/**
 * Structure used as parameter for LUKS device type
 *
 * @see crypt_format, crypt_load
 *
 * @note during crypt_format @e data_device attribute determines
 * 	 if the LUKS header is separated from encrypted payload device
 *
 */
334
struct crypt_params_luks1 {
335 336 337
	const char *hash; /**< hash used in LUKS header */
	size_t data_alignment; /**< data alignment in sectors, data offset is multiple of this */
	const char *data_device; /**< detached encrypted data device or @e NULL */
338 339
};

340 341 342 343 344 345 346
/**
 *
 * Structure used as parameter for loop-AES device type
 *
 * @see crypt_format
 *
 */
347
struct crypt_params_loopaes {
348 349 350
	const char *hash; /**< key hash function */
	uint64_t offset;  /**< offset in sectors */
	uint64_t skip;    /**< IV offset / initialization sector */
351
};
352 353 354

/** @} */

355 356 357
/**
 * Create (format) new crypt device (and possible header on-disk) but not activates it.
 *
358 359 360 361 362 363 364 365 366 367
 * @pre @e cd contains initialized and not formatted device context (device type must @b not be set)
 *
 * @param cd crypt device handle
 * @param type type of device (optional params struct must be of this type)
 * @param cipher (e.g. "aes")
 * @param cipher_mode including IV specification (e.g. "xts-plain")
 * @param uuid requested UUID or @e NULL if it should be generated
 * @param volume_key pre-generated volume key or @e NULL if it should be generated (only for LUKS)
 * @param volume_key_size size of volume key in bytes.
 * @param params crypt type specific parameters (see @link crypt_type @endlink)
368
 *
369
 * @returns @e 0 on success or negative errno value otherwise.
370
 *
371 372
 * @note Note that crypt_format does not enable any keyslot (in case of work with LUKS device), but it stores volume key internally
 * 	 and subsequent crypt_keyslot_add_* calls can be used.
373 374 375 376 377 378 379 380 381 382
 */
int crypt_format(struct crypt_device *cd,
	const char *type,
	const char *cipher,
	const char *cipher_mode,
	const char *uuid,
	const char *volume_key,
	size_t volume_key_size,
	void *params);

383
/**
384
 * Set new UUID for already existing device
385
 *
386 387
 * @param cd crypt device handle
 * @param uuid requested UUID or @e NULL if it should be generated
388
 *
389 390 391
 * @returns 0 on success or negative errno value otherwise.
 *
 * @note Currently, only LUKS device type are supported
392 393 394 395
 */
int crypt_set_uuid(struct crypt_device *cd,
		   const char *uuid);

396 397 398
/**
 * Load crypt device parameters from on-disk header
 *
399
 * @param cd crypt device handle
400
 * @param requested_type @link crypt_type @endlink or @e NULL for all known
401 402 403 404 405 406 407 408
 * @param params crypt type specific parameters (see @link crypt_type @endlink)
 *
 * @returns 0 on success or negative errno value otherwise.
 *
 * @post In case LUKS header is read successfully but payload device is too small
 * error is returned and device type in context is set to @e NULL
 *
 * @note Note that in current version load works only for LUKS device type
409 410 411 412 413 414
 *
 */
int crypt_load(struct crypt_device *cd,
	       const char *requested_type,
	       void *params);

415 416 417 418
/**
 * Try to repair crypt device on-disk header if invalid
 *
 * @param cd crypt device handle
419
 * @param requested_type @link crypt_type @endlink or @e NULL for all known
420 421 422 423 424 425 426
 * @param params crypt type specific parameters (see @link crypt_type @endlink)
 *
 * @returns 0 on success or negative errno value otherwise.
 *
 */
int crypt_repair(struct crypt_device *cd,
		 const char *requested_type,
427
		 void *params);
428

429 430 431
/**
 * Resize crypt device
 *
432 433 434
 * @param cd - crypt device handle
 * @param name - name of device to resize
 * @param new_size - new device size in sectors or @e 0 to use all of the underlying device size
435
 *
436
 * @return @e 0 on success or negative errno value otherwise.
437 438 439 440 441
 */
int crypt_resize(struct crypt_device *cd,
		 const char *name,
		 uint64_t new_size);

442 443 444
/**
 * Suspends crypt device.
 *
445 446 447 448 449 450
 * @param cd crypt device handle, can be @e NULL
 * @param name name of device to suspend
 *
 * @return 0 on success or negative errno value otherwise.
 *
 * @note Only LUKS device type is supported
451 452 453 454 455 456 457 458 459
 *
 */
int crypt_suspend(struct crypt_device *cd,
		  const char *name);

/**
 * Resumes crypt device using passphrase.
 *
 *
460 461 462 463 464 465 466 467 468
 * @param cd crypt device handle
 * @param name name of device to resume
 * @param keyslot requested keyslot or CRYPT_ANY_SLOT
 * @param passphrase passphrase used to unlock volume key, @e NULL for query
 * @param passphrase_size size of @e passphrase (binary data)
 *
 * @return unlocked key slot number or negative errno otherwise.
 *
 * @note Only LUKS device type is supported
469 470
 */
int crypt_resume_by_passphrase(struct crypt_device *cd,
471 472 473 474
	const char *name,
	int keyslot,
	const char *passphrase,
	size_t passphrase_size);
475 476 477 478

/**
 * Resumes crypt device using key file.
 *
479 480 481 482
 * @param cd crypt device handle
 * @param name name of device to resume
 * @param keyslot requested keyslot or CRYPT_ANY_SLOT
 * @param keyfile key file used to unlock volume key, @e NULL for passphrase query
483
 * @param keyfile_size number of bytes to read from keyfile, 0 is unlimited
484
 * @param keyfile_offset number of bytes to skip at start of keyfile
485
 *
486
 * @return unlocked key slot number or negative errno otherwise.
487
 */
488 489 490 491 492 493 494 495 496
int crypt_resume_by_keyfile_offset(struct crypt_device *cd,
	const char *name,
	int keyslot,
	const char *keyfile,
	size_t keyfile_size,
	size_t keyfile_offset);
/**
 * Backward compatible crypt_resume_by_keyfile_offset() (without offset).
 */
497
int crypt_resume_by_keyfile(struct crypt_device *cd,
498 499 500 501
	const char *name,
	int keyslot,
	const char *keyfile,
	size_t keyfile_size);
502

503 504 505
/**
 * Releases crypt device context and used memory.
 *
506
 * @param cd crypt device handle
507 508 509
 */
void crypt_free(struct crypt_device *cd);

510
/**
511
 * @defgroup keyslot "Cryptsetup LUKS keyslots"
512 513 514 515 516 517 518 519
 * @addtogroup keyslot
 * @{
 *
 */

/** iterate through all keyslots and find first one that fits */
#define CRYPT_ANY_SLOT -1

520 521 522
/**
 * Add key slot using provided passphrase
 *
523 524 525 526 527
 * @pre @e cd contains initialized and formatted LUKS device context
 *
 * @param cd crypt device handle
 * @param keyslot requested keyslot or @e CRYPT_ANY_SLOT
 * @param passphrase passphrase used to unlock volume key, @e NULL for query
528
 * @param passphrase_size size of passphrase (binary data)
529 530
 * @param new_passphrase passphrase for new keyslot, @e NULL for query
 * @param new_passphrase_size size of @e new_passphrase (binary data)
531
 *
532
 * @return allocated key slot number or negative errno otherwise.
533 534 535 536 537 538 539 540
 */
int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
	int keyslot,
	const char *passphrase,
	size_t passphrase_size,
	const char *new_passphrase,
	size_t new_passphrase_size);

541 542 543
/**
 * Get number of keyslots supported for device type.
 *
544
 * @param type crypt device type
545
 *
546 547
 * @return slot count or negative errno otherwise if device
 * doesn't not support keyslots.
548 549 550
 */
int crypt_keyslot_max(const char *type);

551 552 553
/**
* Add key slot using provided key file path
 *
554 555 556 557 558
 * @pre @e cd contains initialized and formatted LUKS device context
 *
 * @param cd crypt device handle
 * @param keyslot requested keyslot or @e CRYPT_ANY_SLOT
 * @param keyfile key file used to unlock volume key, @e NULL for passphrase query
559
 * @param keyfile_size number of bytes to read from keyfile, @e 0 is unlimited
560
 * @param keyfile_offset number of bytes to skip at start of keyfile
561 562
 * @param new_keyfile keyfile for new keyslot, @e NULL for passphrase query
 * @param new_keyfile_size number of bytes to read from @e new_keyfile, @e 0 is unlimited
563
 * @param new_keyfile_offset number of bytes to skip at start of new_keyfile
564
 *
565 566 567
 * @return allocated key slot number or negative errno otherwise.
 *
 * @note Note that @e keyfile can be "-" for STDIN
568 569
 *
 */
570 571 572 573 574 575 576 577 578 579 580
int crypt_keyslot_add_by_keyfile_offset(struct crypt_device *cd,
	int keyslot,
	const char *keyfile,
	size_t keyfile_size,
	size_t keyfile_offset,
	const char *new_keyfile,
	size_t new_keyfile_size,
	size_t new_keyfile_offset);
/**
 * Backward compatible crypt_keyslot_add_by_keyfile_offset() (without offset).
 */
581 582 583 584 585 586 587 588 589 590
int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
	int keyslot,
	const char *keyfile,
	size_t keyfile_size,
	const char *new_keyfile,
	size_t new_keyfile_size);

/**
 * Add key slot using provided volume key
 *
591 592 593 594 595
 * @pre @e cd contains initialized and formatted LUKS device context
 *
 * @param cd crypt device handle
 * @param keyslot requested keyslot or CRYPT_ANY_SLOT
 * @param volume_key provided volume key or @e NULL if used after crypt_format
596
 * @param volume_key_size size of volume_key
597
 * @param passphrase passphrase for new keyslot, @e NULL for query
598
 * @param passphrase_size size of passphrase
599 600
 *
 * @return allocated key slot number or negative errno otherwise.
601 602 603 604 605 606 607 608 609 610 611 612
 *
 */
int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
	int keyslot,
	const char *volume_key,
	size_t volume_key_size,
	const char *passphrase,
	size_t passphrase_size);

/**
 * Destroy (and disable) key slot
 *
613
 * @pre @e cd contains initialized and formatted LUKS device context
614
 *
615 616
 * @param cd crypt device handle
 * @param keyslot requested key slot to destroy
617
 *
618 619 620
 * @return @e 0 on success or negative errno value otherwise.
 *
 * @note Note that there is no passphrase verification used.
621 622 623
 */
int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);

624 625
/** @} */

626
/**
627 628
 * @defgroup aflags "Device runtime attributes"
 *
629
 * Activation flags
630 631 632 633
 *
 * @addtogroup aflags
 * @{
 *
634
 */
635
/** device is read only */
636
#define CRYPT_ACTIVATE_READONLY (1 << 0)
637
/** only reported for device without uuid */
638
#define CRYPT_ACTIVATE_NO_UUID  (1 << 1)
639
/** activate even if cannot grant exclusive access (DANGEROUS) */
640
#define CRYPT_ACTIVATE_SHARED   (1 << 2)
641 642
/** enable discards aka TRIM */
#define CRYPT_ACTIVATE_ALLOW_DISCARDS (1 << 3)
643 644
/** skip global udev rules in activation ("private device"), input only */
#define CRYPT_ACTIVATE_PRIVATE (1 << 4)
645

646 647 648 649
/**
 * Active device runtime attributes
 */
struct crypt_active_device {
650 651 652 653
	uint64_t offset; /**< offset in sectors */
	uint64_t iv_offset; /**< IV initialization sector */
	uint64_t size; /**< active device size */
	uint32_t flags; /**< activation flags */
654 655 656 657 658
};

/**
 * Receives runtime attributes of active crypt device
 *
659 660 661 662 663
 * @param cd crypt device handle (can be @e NULL)
 * @param name name of active device
 * @param cad preallocated active device attributes to fill
 *
 * @return @e 0 on success or negative errno value otherwise
664 665 666 667 668 669
 *
 */
int crypt_get_active_device(struct crypt_device *cd,
			    const char *name,
			    struct crypt_active_device *cad);

670 671
/** @} */

672 673 674
/**
 * Activate device or check passphrase
 *
675 676 677 678 679 680
 * @param cd crypt device handle
 * @param name name of device to create, if @e NULL only check passphrase
 * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT
 * @param passphrase passphrase used to unlock volume key, @e NULL for query
 * @param passphrase_size size of @e passphrase
 * @param flags activation flags
681
 *
682
 * @return unlocked key slot number or negative errno otherwise.
683 684 685 686 687 688 689 690 691 692 693
 */
int crypt_activate_by_passphrase(struct crypt_device *cd,
	const char *name,
	int keyslot,
	const char *passphrase,
	size_t passphrase_size,
	uint32_t flags);

/**
 * Activate device or check using key file
 *
694 695 696 697
 * @param cd crypt device handle
 * @param name name of device to create, if @e NULL only check keyfile
 * @param keyslot requested keyslot to check or CRYPT_ANY_SLOT
 * @param keyfile key file used to unlock volume key
698
 * @param keyfile_size number of bytes to read from keyfile, 0 is unlimited
699
 * @param keyfile_offset number of bytes to skip at start of keyfile
700
 * @param flags activation flags
701
 *
702
 * @return unlocked key slot number or negative errno otherwise.
703
 */
704 705 706 707 708 709 710 711 712 713
int crypt_activate_by_keyfile_offset(struct crypt_device *cd,
	const char *name,
	int keyslot,
	const char *keyfile,
	size_t keyfile_size,
	size_t keyfile_offset,
	uint32_t flags);
/**
 * Backward compatible crypt_activate_by_keyfile_offset() (without offset).
 */
714 715 716 717 718 719 720 721 722 723 724
int crypt_activate_by_keyfile(struct crypt_device *cd,
	const char *name,
	int keyslot,
	const char *keyfile,
	size_t keyfile_size,
	uint32_t flags);

/**
 * Activate device using provided volume key
 *
 *
725 726 727
 * @param cd crypt device handle
 * @param name name of device to create, if @e NULL only check volume key
 * @param volume_key provided volume key (or @e NULL to use internal)
728
 * @param volume_key_size size of volume_key
729 730 731
 * @param flags activation flags
 *
 * @return @e 0 on success or negative errno value otherwise.
732
 *
733
 * @note If @e NULL is used for volume_key, device has to be initialized
734 735
 * 	 by previous operation (like @ref crypt_format
 * 	 or @ref crypt_init_by_name)
736 737 738 739 740 741 742 743
 */
int crypt_activate_by_volume_key(struct crypt_device *cd,
	const char *name,
	const char *volume_key,
	size_t volume_key_size,
	uint32_t flags);

/**
744 745 746
 * Deactivate crypt device. This function tries to remove active device-mapper
 * mapping from kernel. Also, sensitive data like the volume key are removed from
 * memory
747
 *
748 749 750 751 752 753
 * @param cd crypt device handle, can be @e NULL
 * @param name name of device to deactivate
 *
 * @return @e 0 on success or negative errno value otherwise.
 *
 */
754 755 756 757 758
int crypt_deactivate(struct crypt_device *cd, const char *name);

/**
 * Get volume key from of crypt device
 *
759 760 761 762 763 764 765
 * @param cd crypt device handle
 * @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
 * @param volume_key buffer for volume key
 * @param volume_key_size on input, size of buffer @e volume_key,
 *        on output size of @e volume_key
 * @param passphrase passphrase used to unlock volume key
 * @param passphrase_size size of @e passphrase
766
 *
767
 * @return unlocked key slot number or negative errno otherwise.
768 769 770 771 772 773 774 775 776 777 778
 */
int crypt_volume_key_get(struct crypt_device *cd,
	int keyslot,
	char *volume_key,
	size_t *volume_key_size,
	const char *passphrase,
	size_t passphrase_size);

/**
 * Verify that provided volume key is valid for crypt device
 *
779 780 781
 * @param cd crypt device handle
 * @param volume_key provided volume key
 * @param volume_key_size size of @e volume_key
782
 *
783
 * @return @e 0 on success or negative errno value otherwise.
784 785 786 787 788
 */
int crypt_volume_key_verify(struct crypt_device *cd,
	const char *volume_key,
	size_t volume_key_size);

789 790 791 792 793 794 795

/*
 * @defgroup devstat "dmcrypt device status"
 * @addtogroup devstat
 * @{
 */

796 797 798
/**
 * Device status
 */
799 800 801 802 803 804 805
typedef enum {
	CRYPT_INVALID, /**< device mapping is invalid in this context */
	CRYPT_INACTIVE, /**< no such mapped device */
	CRYPT_ACTIVE, /**< device is active */
	CRYPT_BUSY /**< device is active and has open count > 0 */
} crypt_status_info;

806 807 808
/**
 * Get status info about device name
 *
809 810
 * @param cd crypt device handle, can be @e NULL
 * @param name crypt device name
811
 *
812
 * @return value defined by crypt_status_info.
813 814 815 816 817 818 819
 *
 */
crypt_status_info crypt_status(struct crypt_device *cd, const char *name);

/**
 * Dump text-formatted information about crypt device to log output
 *
820
 * @param cd crypt device handle
821
 *
822
 * @return @e 0 on success or negative errno value otherwise.
823 824 825 826
 */
int crypt_dump(struct crypt_device *cd);

/**
827
 * Get cipher used in device
828
 *
829 830 831
 * @param cd crypt device handle
 *
 * @return used cipher, e.g. "aes" or @e NULL otherwise
832 833 834
 *
 */
const char *crypt_get_cipher(struct crypt_device *cd);
835 836 837 838 839 840 841 842 843

/**
 * Get cipher mode used in device
 *
 * @param cd crypt device handle
 *
 * @return used cipher mode e.g. "xts-plain" or @e otherwise
 *
 */
844
const char *crypt_get_cipher_mode(struct crypt_device *cd);
845 846 847 848 849 850 851 852 853

/**
 * Get device UUID
 *
 * @param cd crypt device handle
 *
 * @return device UUID or @e NULL if not set
 *
 */
854
const char *crypt_get_uuid(struct crypt_device *cd);
855 856 857 858 859 860 861 862 863

/**
 * Get path to underlaying device
 *
 * @param cd crypt device handle
 *
 * @return path to underlaying device name
 *
 */
864
const char *crypt_get_device_name(struct crypt_device *cd);
865 866 867 868 869 870 871 872 873

/**
 * Get device offset in sectors where real data starts on underlying device)
 *
 * @param cd crypt device handle
 *
 * @return device offset in sectors
 *
 */
874
uint64_t crypt_get_data_offset(struct crypt_device *cd);
875 876 877 878 879 880 881 882 883

/**
 * Get IV offset in sectors (skip)
 *
 * @param cd crypt device handle
 *
 * @return IV offset
 *
 */
884
uint64_t crypt_get_iv_offset(struct crypt_device *cd);
885 886

/**
887
 * Get size (in bytes) of volume key for crypt device
888
 *
889 890 891 892 893 894 895 896 897 898
 * @param cd crypt device handle
 *
 * @return volume key size
 *
 */
int crypt_get_volume_key_size(struct crypt_device *cd);

/**
 * @addtogroup keyslot
 * @{
899 900
 *
 */
901 902 903 904

/**
 * Crypt keyslot info
 */
905
typedef enum {
906 907 908 909 910
	CRYPT_SLOT_INVALID, /**< invalid keyslot */
	CRYPT_SLOT_INACTIVE, /**< keyslot is inactive (free) */
	CRYPT_SLOT_ACTIVE, /**< keyslot is active (used) */
	CRYPT_SLOT_ACTIVE_LAST /**< keylost is active (used)
				*   and last used at the same time */
911
} crypt_keyslot_info;
912 913 914 915 916 917 918 919 920 921 922

/**
 * Get information about particular key slot
 *
 *
 * @param cd crypt device handle
 * @param keyslot requested keyslot to check or CRYPT_ANY_SLOT
 *
 * @return value defined by crypt_keyslot_info
 *
 */
923
crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot);
924
/** @} */
925

926 927 928
/**
 * Backup header and keyslots to file
 *
929
 * @param cd crypt device handle
930
 * @param requested_type @link crypt_type @endlink or @e NULL for all known
931 932 933
 * @param backup_file file to backup header to
 *
 * @return @e 0 on success or negative errno value otherwise.
934 935 936 937 938 939 940 941 942 943
 *
 */
int crypt_header_backup(struct crypt_device *cd,
	const char *requested_type,
	const char *backup_file);

/**
 * Restore header and keyslots from backup file
 *
 *
944
 * @param cd crypt device handle
945
 * @param requested_type @link crypt_type @endlink or @e NULL for all known
946 947 948 949
 * @param backup_file file to restore header from
 *
 * @return @e 0 on success or negative errno value otherwise.
 *
950 951 952 953 954
 */
int crypt_header_restore(struct crypt_device *cd,
	const char *requested_type,
	const char *backup_file);

955 956 957
/**
 * Receives last reported error
 *
958 959 960 961 962 963 964 965 966 967 968 969
 * @param cd crypt device handle
 * @param buf buffef for message
 * @param size size of buffer
 *
 * @note Note that this is old API function using global context.
 * All error messages are reported also through log callback.
 */
void crypt_last_error(struct crypt_device *cd, char *buf, size_t size);

/**
 * Receives last reported error, DEPRECATED
 *
970 971
 * @param buf buffef for message
 * @param size size of buffer
972
 *
973
 * @note Note that this is old API function using global context.
974 975 976 977 978 979
 * All error messages are reported also through log callback.
 */
void crypt_get_error(char *buf, size_t size);

/**
 * Get directory where mapped crypt devices are created
980 981
 *
 * @return the directory path
982 983 984 985
 */
const char *crypt_get_dir(void);

/**
986 987
 * @defgroup dbg "Library debug level"
 *
988
 * Set library debug level
989 990 991
 *
 * @addtogroup dbg
 * @{
992
 */
993 994

/** Debug all */
995
#define CRYPT_DEBUG_ALL  -1
996
/** Debug none */
997
#define CRYPT_DEBUG_NONE  0
998 999 1000 1001 1002 1003 1004

/**
 * Set the debug level for library
 *
 * @param level debug level
 *
 */
1005 1006
void crypt_set_debug_level(int level);

1007 1008
/** @} */

1009 1010 1011
#ifdef __cplusplus
}
#endif
1012
#endif /* _LIBCRYPTSETUP_H */