author | Milan Broz <gmazyland@gmail.com> | 2019-05-27 09:44:14 +0200 |
---|---|---|
committer | The Plumber <50238977+systemd-rhel-bot@users.noreply.github.com> | 2019-07-26 10:51:52 +0200 |
commit | 7a597a091de83a861d81166b0e863bf2977c829c (patch) | |
tree | d4040e230ba268c87c8aedc8e77bb309a0ed0695 | |
parent | 788fb775f7deb8c456868362454e2a5f50c6068f (diff) | |
download | systemd-7a597a091de83a861d81166b0e863bf2977c829c.tar.gz |
cryptsetup: Add LUKS2 token support.
LUKS2 supports so-called tokens. libcryptsetup internally
supports a keyring token (it tries to open the device using the specified
keyring entry).
Only if all tokens fail (or are not available), it uses a passphrase.
This patch aligns the functionality with the cryptsetup utility
(cryptsetup luksOpen tries tokens first) but does not replace
the systemd native ask-password function (can be used the same in
combination with this patch).
(cherry picked from commit 894bb3ca4c730cc9e9d46ef5004ba4ca5e201d8d)
Resolves: #1719153
-rw-r--r-- | src/cryptsetup/cryptsetup.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index a0bd80ea65..4e1b3eff19 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -682,6 +682,18 @@ int main(int argc, char *argv[]) { if (r < 0) return log_error_errno(r, "Failed to set LUKS data device %s: %m", argv[3]); } +#ifdef CRYPT_ANY_TOKEN + /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */ + if (!key_file) { + r = crypt_activate_by_token(cd, argv[2], CRYPT_ANY_TOKEN, NULL, flags); + if (r >= 0) { + log_debug("Volume %s activated with LUKS token id %i.", argv[2], r); + return 0; + } + + log_debug_errno(r, "Token activation unsuccessful for device %s: %m", crypt_get_device_name(cd)); + } +#endif } for (tries = 0; arg_tries == 0 || tries < arg_tries; tries++) { |
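Review bot: In the failure branch of the new `if (!key_file)` block, every negative return from `crypt_activate_by_token()` is logged only with `log_debug_errno()` before execution falls through to the passphrase loop, so a token that is present but fails to unlock is indistinguishable from having no token at all unless debug logging is enabled. Consider handling the expected no-token result separately and logging any other error at a higher level, so an operator can see why a volume set up for keyring unlock fell back to a passphrase prompt. The success path has the same visibility gap: `log_debug("Volume %s activated with LUKS token id %i.", argv[2], r);` is the only record of which unlock path was taken, and it names the volume via `argv[2]` while the failure message uses `crypt_get_device_name(cd)`; using one identifier in both would make the two messages easier to correlate. The diffstat shows only src/cryptsetup/cryptsetup.c changing, so the new behaviour of trying tokens first whenever no key file is given, and the fact that it is compiled out when `CRYPT_ANY_TOKEN` is not defined, is not documented anywhere in this patch; a short note in the user-facing documentation would help.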