Commit 0c6129c5 authored by Ondrej Kozina's avatar Ondrej Kozina Committed by Milan Broz

Allow volume key store in a file with cryptsetup.

The --dump-master-key option together with --master-key-file allows cryptsetup
to store the volume key in a file instead of printing it to standard output.
parent 1f01754e
......@@ -398,17 +398,19 @@ means the device is a LUKS device.
Dump the header information of a LUKS device.
If the \-\-dump\-master\-key option is used, the LUKS device master key is
dumped instead of the keyslot info. Beware that the master key cannot be
changed and can be used to decrypt the data stored in the LUKS container
without a passphrase and even without the LUKS header. This means
that if the master key is compromised, the whole device has to be
erased to prevent further access. Use this option carefully.
dumped instead of the keyslot info. Together with \-\-master\-key\-file option,
master key is dumped to a file instead of standard output. Beware that the
master key cannot be changed without reencryption and can be used to decrypt
the data stored in the LUKS container without a passphrase and even without the
LUKS header. This means that if the master key is compromised, the whole device
has to be erased to prevent further access. Use this option carefully.
To dump the master key, a passphrase has to be supplied,
either interactively or via \-\-key\-file.
\fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
\-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks].
\-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks,
\-\-master\-key\-file].
\fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file
and the argument to \-\-key\-file is '-', no validation question
......@@ -794,6 +796,10 @@ LUKS header and all other parameters are the same,
then the new header decrypts the data encrypted with the
header the master key was taken from.
Action \fIluksDump\fR together with \-\-dump\-master\-key
option: The volume (master) key is stored in a file instead of
being printed out to standard output.
\fBWARNING:\fR If you create your own master key, you
need to make sure to do it right. Otherwise, you can end
up with a low-entropy or otherwise partially predictable
......
......@@ -4,6 +4,7 @@ if CRYPTSETUP
cryptsetup_SOURCES = \
lib/utils_crypt.c \
lib/utils_loop.c \
lib/utils_io.c \
src/utils_tools.c \
src/utils_password.c \
src/cryptsetup.c \
......@@ -91,6 +92,7 @@ endif
if REENCRYPT
cryptsetup_reencrypt_SOURCES = \
lib/utils_crypt.c \
lib/utils_io.c \
src/utils_tools.c \
src/utils_password.c \
src/cryptsetup_reencrypt.c \
......
......@@ -1542,12 +1542,22 @@ static int luksDump_with_volume_key(struct crypt_device *cd)
if (r < 0)
goto out;
if (opt_master_key_file) {
r = tools_write_mk(opt_master_key_file, vk, vk_size);
if (r < 0)
goto out;
}
log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
log_std("UUID: \t%s\n", crypt_get_uuid(cd));
log_std("MK bits: \t%d\n", (int)vk_size * 8);
if (opt_master_key_file) {
log_std("Key stored to file %s.\n", opt_master_key_file);
goto out;
}
log_std("MK dump:\t");
for(i = 0; i < vk_size; i++) {
......
......@@ -43,6 +43,7 @@
#include "lib/utils_crypt.h"
#include "lib/utils_loop.h"
#include "lib/utils_fips.h"
#include "lib/utils_io.h"
#include "libcryptsetup.h"
......@@ -99,6 +100,7 @@ void tools_time_progress(uint64_t device_size, uint64_t bytes,
int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
int tools_read_mk(const char *file, char **key, int keysize);
int tools_write_mk(const char *file, const char *key, int keysize);
/* Log */
#define log_dbg(x...) clogger(NULL, CRYPT_LOG_DEBUG, __FILE__, __LINE__, x)
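Review bot: The new prototype `int tools_write_mk(const char *file, const char *key, int keysize);` is added without any comment on its contract, so a caller cannot tell from the header whether the file is created or must exist, what is written, or what the return value means. Based on the definition added in the same commit, a one-line comment above it would settle that: `/* Write keysize raw bytes of key to the existing file `file`; returns 0 on success, -EINVAL if it cannot be opened for writing or fully written. */`. If the open semantics are changed to create the file, this comment should be updated alongside.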
......
......@@ -329,3 +329,22 @@ fail:
*key = NULL;
return -EINVAL;
}
int tools_write_mk(const char *file, const char *key, int keysize)
{
int fd, r = -EINVAL;
fd = open(file, O_WRONLY);
if (fd < 0) {
log_err(_("Cannot open keyfile %s for write.\n"), file);
return r;
}
if (write_buffer(fd, key, keysize) == keysize)
r = 0;
else
log_err(_("Cannot write to keyfile %s.\n"), file);
close(fd);
return r;
}
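Review bot: `fd = open(file, O_WRONLY);` in tools_write_mk neither creates the file nor refuses an existing one, so the volume key can only be written into a path that already exists, and it is written at offset 0 without O_TRUNC and without any permission control — whatever mode, owner or symlink target that pre-existing path has receives the raw key, and if the file is longer than keysize its tail survives after the key. Since cryptsetup is presumably run with root privileges here, a symlink or world-readable file planted at the given path would leak the key to another user. Creating the file fresh with `fd = open(file, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR);` refuses symlinks and existing files and gives the key file owner-read-only permissions; if overwriting an existing file is intended, at least add O_TRUNC and restrict the mode with fchmod() before writing. Note also that both the open failure and a short write collapse to -EINVAL, discarding errno, which makes the "Cannot write to keyfile" message hard to act on; and the `fail:` tail at the top of the hunk belongs to a function that starts outside the hunk.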