summaryrefslogtreecommitdiff
path: root/src/cryptsetup
AgeCommit message (Collapse)Author
2013-09-11cryptsetup: Retry indefinitely if tries=0 option has been set.Thomas Bächler
When running from initrd, entering a wrong passphrase usually means that you cannot boot. Therefore, we allow trying indefinitely.
2013-08-14systemd-cryptsetup: makes “discard” a synonym for “allow-discards”Ondrej Balaz
systemd-cryptsetup recognizes option 'allow-discards' in /etc/crypttab to enable TRIM passthrough to underlying encrypted device. In Debian this option was changed to 'discard' to avoid hyphen in option name. (see: #648868 and `man crypttab`). [zj: update crypttab(5) too, making "discard" the default.]
2013-07-16cryptsetup: Add tcrypt supportJan Janssen
Tcrypt uses a different approach to passphrases/key files. The passphrase and all key files are incorporated into the "password" to open the volume. So, the idea of slots that provide a way to open the volume with different passphrases/key files that are independent from each other like with LUKS does not apply. Therefore, we use the key file from /etc/crypttab as the source for the passphrase. The actual key files that are combined with the passphrase into a password are provided as a new option in /etc/crypttab and can be given multiple times if more than one key file is used by a volume.
2013-07-16cryptsetup: Move attaching of the device out of mainJan Janssen
2013-07-16cryptsetup: Move password query out of mainJan Janssen
Also use _cleanup_free_ where possible.
2013-05-03cryptsetup: downgrade world-writable warning againLennart Poettering
This semi-reverts 8973790ee6f62132b1b57de15c4edaef2c097004.
2013-04-30cryptsetup: warn if keyfiles are world-readableLennart Poettering
2013-04-30cryptsetup: warn if /etc/crypttab is world-readableLennart Poettering
2013-04-24Standarize on one spelling of symlink error messageZbigniew Jędrzejewski-Szmek
It's polite to print the name of the link that wasn't created, and it makes little sense to print the target.
2013-04-19crypt-setup-generator: correctly check return of strdupLukas Nykryn
2013-04-18cryptsetup: ask for password, if key file cannot be accessedHarald Hoyer
If the key file cannot be accessed, we can at least ask for the password.
2013-04-18move _cleanup_ attribute in front of the typeHarald Hoyer
http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-18cryptsetup-generator: add support for rd.luks.key=Harald Hoyer
Also clarify rd.luks.uuid and luks.uuid in the manual. https://bugzilla.redhat.com/show_bug.cgi?id=905683
2013-04-18cryptsetup: set the timeout to 0 by defaultHarald Hoyer
cryptsetup itself has no timeout as default from the beginning. So the default timeout has been "0" from the beginning. https://bugzilla.redhat.com/show_bug.cgi?id=949702
2013-04-05Use initalization instead of explicit zeroingZbigniew Jędrzejewski-Szmek
Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined: $ size build/.libs/systemd text data bss dec hex filename before 897737 107300 2560 1007597 f5fed build/.libs/systemd after 897873 107300 2560 1007733 f6075 build/.libs/systemd … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.
2013-04-04cryptsetup-generator: add JobTimeoutSec=0 for the decrypted crypt devicesHarald Hoyer
The password query for a crypto device currently times out after 90s, which is too short to grab a cup of coffee when a machine boots up. The resulting decrypted device /dev/mapper/luks-<uuid> might not be a mountpoint (but part of a LVM PV or raid array) and therefore the timeout cannot be controlled by the settings in /etc/fstab. For this reason this device should not carry its own timeout. Also the encrypted device /dev/disk/by-*/* already has a timeout and additionally the timeout for the password query is set in /etc/crypttab. This patch disables the timeout of the resulting decrypted devices by creating <device-unit>.d/50-job-timeout-sec-0.conf files with "JobTimeoutSec=0".
2013-04-03util: rename parse_usec() to parse_sec() sinds the default unit is secondsLennart Poettering
Internally we store all time values in usec_t, however parse_usec() actually was used mostly to parse values in seconds (unless explicit units were specified to define a different unit). Hence, be clear about this and name the function about what we pass into it, not what we get out of it.
2013-04-01cryptsetup: add RequiresMountsFor for keyfileThomas Weißschuh
This ensures that the keyfile is available during the opening of the encrypted device. Also dropped the explicit ordering Before=local-fs.target, as the containers are ordered implicitly by their content.
2013-04-01cryptsetup: RequiresMountsFor if source is a fileThomas Weißschuh
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=730496 https://bugs.freedesktop.org/show_bug.cgi?id=60821
2013-03-26cryptsetup: when prompting for password use GPT partition labelLennart Poettering
If there's a GPT partition label set for a LUKS partition, then it's nicer to show that than the model number, when asking for a passphrase.
2013-03-25cryptsetup-generator: let's be a bit more efficient with strv_extend()Lennart Poettering
2013-03-25cryptsetup-generator: add a missing OOM checkLennart Poettering
2013-03-13cryptsetup-generator: use _cleanup_ where possibleHarald Hoyer
2013-03-01cryptsetup-generator: fix the kernel command line strategy for luks.uuidHarald Hoyer
If rd.luks.uuid or luks.uuid is specified on the kernel command, only generate units for these UUIDs. Additionally use the information in /etc/crypttab unless rd.luks.crypttab=0 or luks.crypttab=0 is specified.
2013-02-14added some missing include for a5c32cff1f56afe6f0c6c70d91a88a7a8238b2d7Harald Hoyer
2013-01-31cryptsetup: accept both "read-only" and "readonly" spellingsMichal Schmidt
Mukund Sivaraman pointed out that cryptsetup(5) mentions the "read-only" option, while the code understands "readonly". We could just fix the manpage, but for consistency in naming of multi-word options it would be prettier to have "read-only". So let's accept both spellings. BZ: https://bugzilla.redhat.com/show_bug.cgi?id=903463
2012-11-23cryptsetup-generator: state file name in error messagesMichal Schmidt
2012-11-23cryptsetup-generator: use log_oom() everywhereMichal Schmidt
2012-11-21cryptsetup: fix nofail supportTom Gundersen
This was documented in the man page and supported in the generator, but systemd-cryptestup itself would fail with this option. systemd-cryptsetup should ignore 'nofail', as it does with 'noauto'.
2012-11-06cryptsetup: fix inverted comparison in pass_volume_keyDave Reisner
2012-11-06cryptsetup: hash=plain means don't use a hashDave Reisner
"plain" is a semantic value that cryptsetup(8) uses to describe a plain dm-crypt volume that does not use a hash. Catch this value earlier and ensure that a NULL params.hash is passed to crypt_format to avoid passing an invalid hash type to the libcryptsetup backend. FDO bug #56593.
2012-08-08fix a couple of issues found with llvm-analyzeLennart Poettering
2012-08-03cryptsetup: add keyfile-size= supportTom Gundersen
This is useful e.g. if the keyfile is a raw device, where only parts of it should be read. It is typically used whenever the keyfile-offset= option is specified. Tested-by: Erik Westrup <erik.westrup@gmail.com>
2012-07-26log.h: new log_oom() -> int -ENOMEM, use itShawn Landden
also a number of minor fixups and bug fixes: spelling, oom errors that didn't print errors, not properly forwarding error codes, few more consistency issues, et cetera
2012-07-25use "Out of memory." consistantly (or with "\n")Shawn Landden
glibc/glib both use "out of memory" consistantly so maybe we should consider that instead of this. Eliminates one string out of a number of binaries. Also fixes extra newline in udev/scsi_id
2012-07-13unit: rename BindTo= to BindsTo=Lennart Poettering
all other dependencies are in 3rd person. Change BindTo= accordingly to BindsTo=. Of course, the dependency is widely used, hence we parse the old name too for compatibility.
2012-07-13util: rename join() to strjoin()Lennart Poettering
This is to match strappend() and the other string related functions.
2012-07-09cryptsetup: add keyfile-offset= supportTom Gundersen
This is useful if your keyfile is a block device, and you want to use a specific part of it, such as an area between the MBR and the first partition. This feature is documented in the Arch wiki[0], and has been supported by the Arch initscripts, so would be nice to get this into systemd. This requires libcryptsetup >= 1.4.2 (released 12.4.2012). Acked-by: Paul Menzel <paulepanter@users.sourceforge.net> [0]: <https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS# Storing_the_key_between_MBR_and_1st_partition>
2012-06-27man: add reference to crypttab(5) from cryptsetup unitsLennart Poettering
2012-06-27man: document systemd-cryptsetupLennart Poettering
2012-06-25cryptsetup: fix escaping when generating cryptsetup unitsLennart Poettering
2012-06-25units: rename cryptsetup@.service to systemd-cryptsetup@.serviceLennart Poettering
It's also our own code, hence should have the prefix.
2012-06-22cryptsetup: allow configuration of LUKS disks via the kernel cmdlineLennart Poettering
This generalizes a bit of the functionality already available in dracut.
2012-05-31mkdir: append _label to all mkdir() calls that explicitly set the selinux ↵Kay Sievers
context
2012-05-23manager: rework generator logicLennart Poettering
Previously generated units were always placed at the end of the search path. With this change there will be three unit dirs instead of one, to place generated entries at the beginning, in the middle and at the end of the search path: beginning: for units that need to override all configuration, regardless of user or vendor. Example use: system-update-generator uses this to temporarily redirect default.target. middle: for units that need to override vendor configuration, but not vendor configuration. Example use: /etc/fstab should override vendor supplied configuration (think /tmp), but should not override native user configuration. end: does not override anything but is available as well. Possible usage might be to convert D-Bus bus service files to native units but allowing vendor supplied native units to win.
2012-05-22units: remove service sysv_path variable and replace it by generic unit_pathLennart Poettering
UnitPath= is also writable via native units and may be used by generators to clarify from which file a unit is generated. This patch also hooks up the cryptsetup and fstab generators to set UnitPath= accordingly.
2012-05-22log: make sure generators never log into the journal to avoid activation ↵Lennart Poettering
deadlocks This makes all generators log to kmsg by default.
2012-05-22mount: replace PID1 internal fstab parser with generatorLennart Poettering
Bit by bit we should remove non-unit parsing from PID 1 and move into generators, to clean up our code base a bit and clearly separate parsers.
2012-05-21cryptsetup: support discards (TRIM)Matthew Monaco
2012-05-21cryptsetup: a few simplificationsLennart Poettering