summaryrefslogtreecommitdiff
path: root/src/cryptsetup
AgeCommit message (Collapse)Author
2014-02-08cryptsetup-generator: auto add deps for device as passwordDave Reisner
If the password is a device file, we can add Requires/After dependencies on the device rather than requiring the user to do so.
2014-01-26cryptsetup: Support key-slot optionChristian Seiler
Debian recently introduced the option key-slot to /etc/crypttab to specify the LUKS key slot to be used for decrypting the device. On systems where a keyfile is used and the key is not in the first slot, this can speed up the boot process quite a bit, since cryptsetup does not need to try all of the slots sequentially. (Unsuccessfully testing a key slot typically takes up to about 1 second.) This patch makes systemd aware of this option. Debian bug that introduced the feature: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704470
2013-11-06util: unify reading of /proc/cmdlineLennart Poettering
Instead of individually checking for containers in each user do this once in a new call proc_cmdline() that read the file only if we are not in a container.
2013-10-13Introduce udev object cleanup functionsZbigniew Jędrzejewski-Szmek
2013-10-03Introduce _cleanup_endmntent_Zbigniew Jędrzejewski-Szmek
2013-10-02cryptsetup: fix OOM handling when parsing mount optionsLennart Poettering
2013-09-29set IgnoreOnIsolate=true for systemd-cryptsetup@.serviceAndrey Borzenkov
When crypttab contains noauto, cryptsetup service does not have any explicit dependencies. If service is started later manually (directly or via mount dependency) it will be stopped on isolate. mount units already have IgnoreOnIsolate set by default. Set it by default for cryptsetup units as well.
2013-09-23Fix obsolete references to systemd-random-seed-load.serviceEelco Dolstra
This service was merged with systemd-random-seed-save.service in c35b956d34bbb8bb208e49e45de2c103ca11911c.
2013-09-13cryptsetup-generator: allow specifying options in /proc/cmdlineTom Gundersen
The main usecase for this is to make it possible to use cryptsetup in the initrd without it having to include a host-specific /etc/crypttab. Tested-by: Thomas Bächler <thomas@archlinux.org>
2013-09-13cryptsetup-generator: don't create tmp+swap unitsTom Gundersen
2013-09-11cryptsetup: Retry indefinitely if tries=0 option has been set.Thomas Bächler
When running from initrd, entering a wrong passphrase usually means that you cannot boot. Therefore, we allow trying indefinitely.
2013-08-14systemd-cryptsetup: makes “discard” a synonym for “allow-discards”Ondrej Balaz
systemd-cryptsetup recognizes option 'allow-discards' in /etc/crypttab to enable TRIM passthrough to underlying encrypted device. In Debian this option was changed to 'discard' to avoid hyphen in option name. (see: #648868 and `man crypttab`). [zj: update crypttab(5) too, making "discard" the default.]
2013-07-16cryptsetup: Add tcrypt supportJan Janssen
Tcrypt uses a different approach to passphrases/key files. The passphrase and all key files are incorporated into the "password" to open the volume. So, the idea of slots that provide a way to open the volume with different passphrases/key files that are independent from each other like with LUKS does not apply. Therefore, we use the key file from /etc/crypttab as the source for the passphrase. The actual key files that are combined with the passphrase into a password are provided as a new option in /etc/crypttab and can be given multiple times if more than one key file is used by a volume.
2013-07-16cryptsetup: Move attaching of the device out of mainJan Janssen
2013-07-16cryptsetup: Move password query out of mainJan Janssen
Also use _cleanup_free_ where possible.
2013-05-03cryptsetup: downgrade world-writable warning againLennart Poettering
This semi-reverts 8973790ee6f62132b1b57de15c4edaef2c097004.
2013-04-30cryptsetup: warn if keyfiles are world-readableLennart Poettering
2013-04-30cryptsetup: warn if /etc/crypttab is world-readableLennart Poettering
2013-04-24Standarize on one spelling of symlink error messageZbigniew Jędrzejewski-Szmek
It's polite to print the name of the link that wasn't created, and it makes little sense to print the target.
2013-04-19crypt-setup-generator: correctly check return of strdupLukas Nykryn
2013-04-18cryptsetup: ask for password, if key file cannot be accessedHarald Hoyer
If the key file cannot be accessed, we can at least ask for the password.
2013-04-18move _cleanup_ attribute in front of the typeHarald Hoyer
http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-18cryptsetup-generator: add support for rd.luks.key=Harald Hoyer
Also clarify rd.luks.uuid and luks.uuid in the manual. https://bugzilla.redhat.com/show_bug.cgi?id=905683
2013-04-18cryptsetup: set the timeout to 0 by defaultHarald Hoyer
cryptsetup itself has no timeout as default from the beginning. So the default timeout has been "0" from the beginning. https://bugzilla.redhat.com/show_bug.cgi?id=949702
2013-04-05Use initalization instead of explicit zeroingZbigniew Jędrzejewski-Szmek
Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined: $ size build/.libs/systemd text data bss dec hex filename before 897737 107300 2560 1007597 f5fed build/.libs/systemd after 897873 107300 2560 1007733 f6075 build/.libs/systemd … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.
2013-04-04cryptsetup-generator: add JobTimeoutSec=0 for the decrypted crypt devicesHarald Hoyer
The password query for a crypto device currently times out after 90s, which is too short to grab a cup of coffee when a machine boots up. The resulting decrypted device /dev/mapper/luks-<uuid> might not be a mountpoint (but part of a LVM PV or raid array) and therefore the timeout cannot be controlled by the settings in /etc/fstab. For this reason this device should not carry its own timeout. Also the encrypted device /dev/disk/by-*/* already has a timeout and additionally the timeout for the password query is set in /etc/crypttab. This patch disables the timeout of the resulting decrypted devices by creating <device-unit>.d/50-job-timeout-sec-0.conf files with "JobTimeoutSec=0".
2013-04-03util: rename parse_usec() to parse_sec() sinds the default unit is secondsLennart Poettering
Internally we store all time values in usec_t, however parse_usec() actually was used mostly to parse values in seconds (unless explicit units were specified to define a different unit). Hence, be clear about this and name the function about what we pass into it, not what we get out of it.
2013-04-01cryptsetup: add RequiresMountsFor for keyfileThomas Weißschuh
This ensures that the keyfile is available during the opening of the encrypted device. Also dropped the explicit ordering Before=local-fs.target, as the containers are ordered implicitly by their content.
2013-04-01cryptsetup: RequiresMountsFor if source is a fileThomas Weißschuh
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=730496 https://bugs.freedesktop.org/show_bug.cgi?id=60821
2013-03-26cryptsetup: when prompting for password use GPT partition labelLennart Poettering
If there's a GPT partition label set for a LUKS partition, then it's nicer to show that than the model number, when asking for a passphrase.
2013-03-25cryptsetup-generator: let's be a bit more efficient with strv_extend()Lennart Poettering
2013-03-25cryptsetup-generator: add a missing OOM checkLennart Poettering
2013-03-13cryptsetup-generator: use _cleanup_ where possibleHarald Hoyer
2013-03-01cryptsetup-generator: fix the kernel command line strategy for luks.uuidHarald Hoyer
If rd.luks.uuid or luks.uuid is specified on the kernel command, only generate units for these UUIDs. Additionally use the information in /etc/crypttab unless rd.luks.crypttab=0 or luks.crypttab=0 is specified.
2013-02-14added some missing include for a5c32cff1f56afe6f0c6c70d91a88a7a8238b2d7Harald Hoyer
2013-01-31cryptsetup: accept both "read-only" and "readonly" spellingsMichal Schmidt
Mukund Sivaraman pointed out that cryptsetup(5) mentions the "read-only" option, while the code understands "readonly". We could just fix the manpage, but for consistency in naming of multi-word options it would be prettier to have "read-only". So let's accept both spellings. BZ: https://bugzilla.redhat.com/show_bug.cgi?id=903463
2012-11-23cryptsetup-generator: state file name in error messagesMichal Schmidt
2012-11-23cryptsetup-generator: use log_oom() everywhereMichal Schmidt
2012-11-21cryptsetup: fix nofail supportTom Gundersen
This was documented in the man page and supported in the generator, but systemd-cryptestup itself would fail with this option. systemd-cryptsetup should ignore 'nofail', as it does with 'noauto'.
2012-11-06cryptsetup: fix inverted comparison in pass_volume_keyDave Reisner
2012-11-06cryptsetup: hash=plain means don't use a hashDave Reisner
"plain" is a semantic value that cryptsetup(8) uses to describe a plain dm-crypt volume that does not use a hash. Catch this value earlier and ensure that a NULL params.hash is passed to crypt_format to avoid passing an invalid hash type to the libcryptsetup backend. FDO bug #56593.
2012-08-08fix a couple of issues found with llvm-analyzeLennart Poettering
2012-08-03cryptsetup: add keyfile-size= supportTom Gundersen
This is useful e.g. if the keyfile is a raw device, where only parts of it should be read. It is typically used whenever the keyfile-offset= option is specified. Tested-by: Erik Westrup <erik.westrup@gmail.com>
2012-07-26log.h: new log_oom() -> int -ENOMEM, use itShawn Landden
also a number of minor fixups and bug fixes: spelling, oom errors that didn't print errors, not properly forwarding error codes, few more consistency issues, et cetera
2012-07-25use "Out of memory." consistantly (or with "\n")Shawn Landden
glibc/glib both use "out of memory" consistantly so maybe we should consider that instead of this. Eliminates one string out of a number of binaries. Also fixes extra newline in udev/scsi_id
2012-07-13unit: rename BindTo= to BindsTo=Lennart Poettering
all other dependencies are in 3rd person. Change BindTo= accordingly to BindsTo=. Of course, the dependency is widely used, hence we parse the old name too for compatibility.
2012-07-13util: rename join() to strjoin()Lennart Poettering
This is to match strappend() and the other string related functions.
2012-07-09cryptsetup: add keyfile-offset= supportTom Gundersen
This is useful if your keyfile is a block device, and you want to use a specific part of it, such as an area between the MBR and the first partition. This feature is documented in the Arch wiki[0], and has been supported by the Arch initscripts, so would be nice to get this into systemd. This requires libcryptsetup >= 1.4.2 (released 12.4.2012). Acked-by: Paul Menzel <paulepanter@users.sourceforge.net> [0]: <https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS# Storing_the_key_between_MBR_and_1st_partition>
2012-06-27man: add reference to crypttab(5) from cryptsetup unitsLennart Poettering
2012-06-27man: document systemd-cryptsetupLennart Poettering