Commit dc067454 authored by Milan Broz's avatar Milan Broz

Rename to crypsetup-reencrypt.

Add man page.
Add configure option.
parent 32c2bd42
......@@ -193,6 +193,11 @@ AC_ARG_ENABLE(veritysetup,
[disable veritysetup support]),[], [enable_veritysetup=yes])
AM_CONDITIONAL(VERITYSETUP, test x$enable_veritysetup = xyes)
AC_ARG_ENABLE([cryptsetup-reencrypt],
AS_HELP_STRING([--enable-cryptsetup-reencrypt],
[enable cryptsetup-reencrypt tool]))
AM_CONDITIONAL(REENCRYPT, test x$enable_cryptsetup_reencrypt = xyes)
AC_ARG_ENABLE(selinux,
AS_HELP_STRING([--disable-selinux],
[disable selinux support [default=auto]]),[], [])
......
......@@ -4,4 +4,8 @@ if VERITYSETUP
man8_MANS += veritysetup.8
endif
if REENCRYPT
man8_MANS += cryptsetup-reencrypt.8
endif
EXTRA_DIST = $(man8_MANS)
.TH CRYPTSETUP-REENCRYPT "8" "June 2012" "cryptsetup-reencrypt" "Maintenance Commands"
.SH NAME
cryptsetup-reencrypt - tool for offline LUKS device re-encryption
.SH SYNOPSIS
.B cryptsetup-reencrypt <options> <device>
.SH DESCRIPTION
.PP
Cryptsetup-reencrypt can be used to change reencryption parameters
which otherwise require full on-disk data change (re-encryption).
You can regenerate \fBvolume key\fR (the real key used in on-disk encryption
unclocked by passphrase), \fBcipher\fR, \fBcipher mode\fR.
Cryptsetup-reencrypt reencrypts data on LUKS device in-place. During
reencryption process the LUKS device is marked unavailable.
\fIWARNING\fR: The cryptsetup-reencrypt program is not resistant to hardware
or kernel failures during reencryption (you can lose you data in this case).
\fIALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS TOOL.\fR
.br
\fITHIS TOOL IS EXPERIMENTAL.\fR
The reencryption can be temporarily suspended (by TERM signal or by
using ctrl+c) but you need to retain temporary files named LUKS-<uuid>.[log|org|new].
LUKS device is unavailable until reencryption is finished though.
For more info about LUKS see cryptsetup(8).
.PP
.SH OPTIONS
.TP
To start (or continue) re-encryption for <device> use:
.PP
\fIcryptsetup-reencrypt\fR <device>
\fB<options>\fR can be [\-\-block-size, \-\-cipher, \-\-hash, \-\-iter-time,
\-\-use-random | \-\-use-urandom, \-\-key-file, \-\-key-slot, \-\-keyfile-offset,
\-\-keyfile-size, \-\-tries, \-\-use-directio, \-\-use-fsync, \-\-write-log]
For detailed description of encryption and key file options see \fIcryptsetup(8)\fR
man page.
.TP
.B "\-\-verbose, \-v"
Print more information on command execution.
.TP
.B "\-\-debug"
Run in debug mode with full diagnostic logs. Debug output
lines are always prefixed by '#'.
.TP
.B "\-\-cipher, \-c" \fI<cipher-spec>\fR
Set the cipher specification string.
.TP
.B "\-\-hash, \-h \fI<hash-spec>\fR"
Specifies the hash used in the LUKS key setup scheme and volume key digest.
.TP
.B "\-\-iter-time, \-i \fI<milliseconds>\fR"
The number of milliseconds to spend with PBKDF2 passphrase processing for the
new LUKS header.
.TP
.B "\-\-use-random"
.TP
.B "\-\-use-urandom"
Define which kernel random number generator will be used to create the volume key.
.TP
.B "\-\-key-file, \-d \fIname\fR"
Read the passphrase from file.
.br
WARNING: \-\-key-file option can be used only if there only one active keyslot,
or alternatively, also if \-\-key-slot option is specified (then all other keyslots
will be disabled in new LUKS device).
If this option is not used, cryptswtup-reencrypt will ask for all active keyslot
passphrases.
.TP
.B "\-\-key-slot, \-S <0-7>"
Specify which key slot is used.
.br
WARNING: All other keyslots will be disabled if this option is used.
.TP
.B "\-\-keyfile-offset \fIvalue\fR"
Skip \fIvalue\fR bytes at the beginning of the key file.
.TP
.B "\-\-keyfile-size, \-l"
Read a maximum of \fIvalue\fR bytes from the key file.
Default is to read the whole file up to the compiled-in
maximum.
.TP
.B "\-\-tries, \-T"
Number of retries for invalid passphrase entry.
.TP
.B "\-\-block-size, \-B \fIvalue\fR"
Use re-encryption block size of <value> in MiB.
.br
Values can be between 1 and 64 MiB.
.TP
.B "\-\-use-directio"
Use direct-io (O_DIRECT) for all read/write data operations.
.br
Usefull if direct-io operations perform better than normal buffered
operations (e.g. in virtual environments).
.TP
.B "\-\-use-fsync"
Use fsync call after every written block.
.TP
.B "\-\-write-log"
Update log file after every block write. This can slow down reencryption
but will minimize data loss in the case of system crash.
.TP
.B "\-\-batch-mode, \-q"
Suppresses all warnings and reencryption progress output.
.TP
.B "\-\-version"
Show the program version.
.SH RETURN CODES
Cryptsetup-reencrypt returns 0 on success and a non-zero value on error.
Error codes are: 1 wrong parameters, 2 no permission,
3 out of memory, 4 wrong device specified, 5 device already exists
or device is busy.
.SH REPORTING BUGS
Report bugs, including ones in the documentation, on
the cryptsetup mailing list at <dm-crypt@saout.de>
or in the 'Issues' section on LUKS website.
Please attach the output of the failed command with the
\-\-debug option added.
.SH AUTHORS
Cryptsetup-reencrypt was written by Milan Broz <gmazyland@gmail.com>.
.SH COPYRIGHT
Copyright \(co 2012 Milan Broz
.br
Copyright \(co 2012 Red Hat, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
.SH SEE ALSO
The project website at \fBhttp://code.google.com/p/cryptsetup/\fR
......@@ -66,11 +66,25 @@ endif
endif
# reencrypt
crypt_reencrypt_SOURCES = \
if REENCRYPT
cryptsetup_reencrypt_SOURCES = \
$(top_builddir)/lib/utils_crypt.c \
crypt_reencrypt.c \
cryptsetup_reencrypt.c \
cryptsetup.h
crypt_reencrypt_LDADD = $(cryptsetup_LDADD)
crypt_reencrypt_CFLAGS = $(cryptsetup_CFLAGS)
sbin_PROGRAMS += crypt_reencrypt
cryptsetup_reencrypt_LDADD = $(cryptsetup_LDADD)
cryptsetup_reencrypt_CFLAGS = $(cryptsetup_CFLAGS)
sbin_PROGRAMS += cryptsetup-reencrypt
if STATIC_TOOLS
sbin_PROGRAMS += cryptsetup-reencrypt.static
cryptsetup_reencrypt_static_SOURCES = $(cryptsetup_reencrypt_SOURCES)
cryptsetup_reencrypt_static_CFLAGS = $(cryptsetup_reencrypt_CFLAGS)
cryptsetup_reencrypt_static_LDFLAGS = -all-static
cryptsetup_reencrypt_static_LDADD = $(cryptsetup_reencrypt_LDADD) \
@CRYPTO_STATIC_LIBS@ \
@DEVMAPPER_STATIC_LIBS@ \
@UUID_LIBS@
endif
endif
......@@ -151,8 +151,8 @@ static void _log(int level, const char *msg, void *usrptr __attribute__((unused)
static void _quiet_log(int level, const char *msg, void *usrptr)
{
if (!opt_verbose && (level == CRYPT_LOG_ERROR || level == CRYPT_LOG_NORMAL))
level = CRYPT_LOG_VERBOSE;
if (!opt_debug)
return;
_log(level, msg, usrptr);
}
......@@ -1122,8 +1122,12 @@ int main(int argc, const char **argv)
exit(EXIT_SUCCESS);
}
if (!opt_batch_mode)
log_err(_("WARNING: this is experimental code, it can completely break your data.\n"));
if (!opt_batch_mode) {
log_std(_("WARNING: this is experimental code, it can completely break your data.\n"));
log_verbose(_("Reencryption will change: volume key%s%s%s%s.\n"),
opt_hash ? _(", set hash to ") : "", opt_hash ?: "",
opt_cipher ? _(", set cipher to "): "", opt_cipher ?: "");
}
action_argv = poptGetArgs(popt_context);
if(!action_argv)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment